feat: Login, OP Support and Auth Queries (#177)

* fix: change oidc config

* fix: change oidc config secret

* begin models

* begin repo

* fix: implement grpc app funcs

* fix: add application requests

* fix: converter

* fix: converter

* fix: converter and generate clientid

* fix: tests

* feat: project grant aggregate

* feat: project grant

* fix: project grant check if role existing

* fix: project grant requests

* fix: project grant fixes

* fix: project grant member model

* fix: project grant member aggregate

* fix: project grant member eventstore

* fix: project grant member requests

* feat: user model

* begin repo

* repo models and more

* feat: user command side

* lots of functions

* user command side

* profile requests

* commit before rebase on user

* save

* local config with gopass and more

* begin new auth command (user centric)

* Update internal/user/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/address.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/address.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/email.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/email.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/email.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/mfa.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/mfa.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/password.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/password.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/password.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/phone.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/phone.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/phone.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/usergrant/repository/eventsourcing/model/user_grant.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/usergrant/repository/eventsourcing/model/user_grant.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/usergrant/repository/eventsourcing/user_grant.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/user_test.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* Update internal/user/repository/eventsourcing/eventstore_mock_test.go

Co-Authored-By: Livio Amstutz <livio.a@gmail.com>

* changes from mr review

* save files into basedir

* changes from mr review

* changes from mr review

* move to auth request

* Update internal/usergrant/repository/eventsourcing/cache.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/usergrant/repository/eventsourcing/cache.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* changes requested on mr

* fix generate codes

* fix return if no events

* password code

* email verification step

* more steps

* lot of mfa

* begin tests

* more next steps

* auth api

* auth api (user)

* auth api (user)

* auth api (user)

* differ requests

* merge

* tests

* fix compilation error

* mock for id generator

* Update internal/user/repository/eventsourcing/model/password.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* Update internal/user/repository/eventsourcing/model/user.go

Co-authored-by: Silvan <silvan.reusser@gmail.com>

* requests of mr

* check email

* begin separation of command and query

* otp

* change packages

* some cleanup and fixes

* tests for auth request / next steps

* add VerificationLifetimes to config and make it run

* tests

* fix code challenge validation

* cleanup

* fix merge

* begin view

* repackaging tests and configs

* fix startup config for auth

* add migration

* add PromptSelectAccount

* fix copy / paste

* remove user_agent files

* fixes

* fix sequences in user_session

* token commands

* token queries and signout

* fix

* fix set password test

* add token handler and table

* handle session init

* add session state

* add user view test cases

* change VerifyMyMfaOTP

* some fixes

* fix user repo in auth api

* cleanup

* add user session view test

* fix merge

* begin oidc

* user agent and more

* config

* keys

* key command and query

* add login statics

* key handler

* start login

* login handlers

* lot of fixes

* merge oidc

* add missing exports

* add missing exports

* fix some bugs

* authrequestid in htmls

* getrequest

* update auth request

* fix userid check

* add username to authrequest

* fix user session and auth request handling

* fix UserSessionsByAgentID

* fix auth request tests

* fix user session on UserPasswordChanged and MfaOtpRemoved

* fix MfaTypesSetupPossible

* handle mfa

* fill username

* auth request query checks new events

* fix userSessionByIDs

* fix tokens

* fix userSessionByIDs test

* add user selection

* init code

* user code creation date

* add init user step

* add verification failed types

* add verification failures

* verify init code

* user init code handle

* user init code handle

* fix userSessionByIDs

* update logging

* user agent cookie

* browserinfo from request

* add DeleteAuthRequest

* add static login files to binary

* add login statik to build

* move generate to separate file and remove statik.go files

* remove static dirs from startup.yaml

* generate into separate namespaces

* merge master

* auth request code

* auth request type mapping

* fix keys

* improve tokens

* improve register and basic styling

* fix ailerons font

* improve password reset

* add audience to token

* all oidc apps as audience

* fix test nextStep

* fix email texts

* remove "not set"

* lot of style changes

* improve copy to clipboard

* fix footer

* add cookie handler

* remove placeholders

* fix compilation after merge

* fix auth config

* remove comments

* typo

* use new secrets store

* change default pws to match default policy

* fixes

* add todo

* enable login

* fix db name

* Auth queries (#179)

* my usersession

* org structure/ auth handlers

* working user grant spooler

* auth internal user grants

* search my project orgs

* remove permissions file

* my zitadel permissions

* my zitadel permissions

* remove unused code

* authz

* app searches in view

* token verification

* fix user grant load

* fix tests

* fix tests

* read configs

* remove unused const

* remove todos

* env variables

* app_name

* working authz

* search projects

* global resourceowner

* Update internal/api/auth/permissions.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/api/auth/permissions.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* model2 rename

* at least it works

* check token expiry

* search my user grants

* remove token table from authz

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix test

* fix ports and enable console

Co-authored-by: Fabiennne <fabienne.gerschwiler@gmail.com>
Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Co-authored-by: Silvan <silvan.reusser@gmail.com>

cmd/zitadel/authz.yaml

@@ -1,4 +1,4 @@
-AuthZ:
+InternalAuthZ:
   RolePermissionMappings:
     - Role: 'IAM_OWNER'
       Permissions:

cmd/zitadel/caos_local.sh

@@ -1,7 +1,9 @@
 BASEDIR=$(dirname "$0")
 
+gopass sync --store zitadel-secrets
+
 # Tracing
-gopass citadel-secrets/citadel/developer/default/citadel-svc-account-eventstore-local | base64 -D > "$BASEDIR/local_svc-account-tracing.json"
+gopass zitadel-secrets/zitadel/developer/default/zitadel-svc-account-eventstore-local | base64 -D > "$BASEDIR/local_svc-account-tracing.json"
 export GOOGLE_APPLICATION_CREDENTIALS="$BASEDIR/local_svc-account-tracing.json"
 
 export ZITADEL_TRACING_PROJECT_ID=caos-citadel-test
@@ -15,24 +17,32 @@ export ZITADEL_EVENTSTORE_HOST=localhost
 export ZITADEL_EVENTSTORE_PORT=26257
 
 # Keys
-gopass citadel-secrets/citadel/developer/default/keys.yaml > "$BASEDIR/local_keys.yaml"
+gopass zitadel-secrets/zitadel/developer/default/keys.yaml > "$BASEDIR/local_keys.yaml"
 export ZITADEL_KEY_PATH="$BASEDIR/local_keys.yaml"
 
 export ZITADEL_USER_VERIFICATION_KEY=UserVerificationKey_1
 export ZITADEL_OTP_VERIFICATION_KEY=OTPVerificationKey_1
+export ZITADEL_OIDC_KEYS_ID=OIDCKey_1
+export ZITADEL_COOKIE_KEY=CookieKey_1
 
 # Notifications
 export DEBUG_MODE=TRUE
-export TWILIO_SERVICE_SID=$(gopass citadel-secrets/citadel/developer/default/twilio-sid)
-export TWILIO_TOKEN=$(gopass citadel-secrets/citadel/developer/default/twilio-auth-token)
+export TWILIO_SERVICE_SID=$(gopass zitadel-secrets/zitadel/dev/twilio-sid)
+export TWILIO_TOKEN=$(gopass zitadel-secrets/zitadel/dev/twilio-auth-token)
 export TWILIO_SENDER_NAME=CAOS AG
 export SMTP_HOST=smtp.gmail.com:465
 export SMTP_USER=zitadel@caos.ch
-export SMTP_PASSWORD=$(gopass citadel-secrets/citadel/google/emailappkey)
+export SMTP_PASSWORD=$(gopass zitadel-secrets/zitadel/google/emailappkey)
 export EMAIL_SENDER_ADDRESS=noreply@caos.ch
 export EMAIL_SENDER_NAME=CAOS AG
 export SMTP_TLS=TRUE
-export CHAT_URL=$(gopass citadel-secrets/citadel/developer/default/google-chat-url | base64 -D)
+export CHAT_URL=$(gopass zitadel-secrets/zitadel/dev/google-chat-url | base64 -D)
 
-# Zitadel
-export ZITADEL_ACCOUNTS=http://localhost:61121
+#OIDC
+export ZITADEL_ISSUER=http://localhost:50022
+export ZITADEL_ACCOUNTS=http://localhost:50031
+export ZITADEL_AUTHORIZE=http://localhost:50022
+export ZITADEL_OAUTH=http://localhost:50022
+export ZITADEL_CONSOLE=http://localhost:4200
+export CAOS_OIDC_DEV=true
+export ZITADEL_COOKIE_DOMAIN=localhost

cmd/zitadel/main.go

@@ -3,18 +3,20 @@ package main
 import (
 	"context"
 	"flag"
+	"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
+	"github.com/caos/zitadel/internal/authz"
 	sd "github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/login"
 
 	"github.com/caos/logging"
 
-	authz "github.com/caos/zitadel/internal/api/auth"
+	internal_authz "github.com/caos/zitadel/internal/api/auth"
 	"github.com/caos/zitadel/internal/config"
 	"github.com/caos/zitadel/internal/notification"
 	tracing "github.com/caos/zitadel/internal/tracing/config"
 	"github.com/caos/zitadel/pkg/admin"
 	"github.com/caos/zitadel/pkg/auth"
 	"github.com/caos/zitadel/pkg/console"
-	"github.com/caos/zitadel/pkg/login"
 	"github.com/caos/zitadel/pkg/management"
 )
 
@@ -22,13 +24,14 @@ type Config struct {
 	Mgmt         management.Config
 	Auth         auth.Config
 	Login        login.Config
+	AuthZ        authz.Config
 	Admin        admin.Config
 	Console      console.Config
 	Notification notification.Config
 
 	Log            logging.Config
 	Tracing        tracing.TracingConfig
-	AuthZ          authz.Config
+	InternalAuthZ  internal_authz.Config
 	SystemDefaults sd.SystemDefaults
 }
 
@@ -48,18 +51,25 @@ func main() {
 	logging.Log("MAIN-FaF2r").OnError(err).Fatal("cannot read config")
 
 	ctx := context.Background()
+	authZRepo, err := authz.Start(ctx, conf.AuthZ, conf.InternalAuthZ, conf.SystemDefaults)
+	logging.Log("MAIN-s9KOw").OnError(err).Fatal("error starting authz repo")
+
 	if *adminEnabled {
-		admin.Start(ctx, conf.Admin, conf.AuthZ, conf.SystemDefaults)
+		admin.Start(ctx, conf.Admin, authZRepo, conf.InternalAuthZ, conf.SystemDefaults)
 	}
 	if *managementEnabled {
-		management.Start(ctx, conf.Mgmt, conf.AuthZ, conf.SystemDefaults)
+		management.Start(ctx, conf.Mgmt, authZRepo, conf.InternalAuthZ, conf.SystemDefaults)
+	}
+	var authRepo *eventsourcing.EsRepository
+	if *authEnabled || *loginEnabled {
+		authRepo, err = eventsourcing.Start(conf.Auth.Repository, conf.InternalAuthZ, conf.SystemDefaults, authZRepo)
+		logging.Log("MAIN-9oRw6").OnError(err).Fatal("error starting auth repo")
 	}
 	if *authEnabled {
-		auth.Start(ctx, conf.Auth, conf.AuthZ, conf.SystemDefaults)
+		auth.Start(ctx, conf.Auth, authZRepo, conf.InternalAuthZ, conf.SystemDefaults, authRepo)
 	}
 	if *loginEnabled {
-		err = login.Start(ctx, conf.Login)
-		logging.Log("MAIN-53RF2").OnError(err).Fatal("error starting login ui")
+		login.Start(ctx, conf.Login, conf.SystemDefaults, authRepo)
 	}
 	if *notificationEnabled {
 		notification.Start(ctx, conf.Notification, conf.SystemDefaults)

cmd/zitadel/startup.yaml

@@ -50,6 +50,37 @@ Auth:
       GatewayPort: 50021
       CustomHeaders:
         - x-zitadel-
+    OIDC:
+      OPConfig:
+        Issuer: $ZITADEL_ISSUER
+        DefaultLogoutRedirectURI: $ZITADEL_ACCOUNTS/logout/done
+        Port: 50022
+      StorageConfig:
+        DefaultLoginURL: $ZITADEL_ACCOUNTS/login?authRequestID=
+        DefaultAccessTokenLifetime: 12h
+        DefaultIdTokenLifetime: 12h
+        SigningKeyAlgorithm: RS256
+      UserAgentCookieConfig:
+        Name: caos.zitadel.useragent
+        Domain: $ZITADEL_COOKIE_DOMAIN
+        Key:
+          EncryptionKeyID: $ZITADEL_COOKIE_KEY
+      Endpoints:
+        Auth:
+          Path: 'authorize'
+          URL: '$ZITADEL_AUTHORIZE/authorize'
+        Token:
+          Path: 'token'
+          URL: '$ZITADEL_OAUTH/token'
+        EndSession:
+          Path: 'endsession'
+          URL: '$ZITADEL_AUTHORIZE/endsession'
+        Userinfo:
+          Path: 'userinfo'
+          URL: '$ZITADEL_OAUTH/userinfo'
+        Keys:
+          Path: 'keys'
+          URL: '$ZITADEL_OAUTH/keys'
   Repository:
     SearchLimit: 100
     Eventstore:
@@ -66,11 +97,12 @@ Auth:
         Config:
           MaxCacheSizeInByte: 10485760 #10mb
     AuthRequest:
-      Host: $ZITADEL_EVENTSTORE_HOST
-      Port: $ZITADEL_EVENTSTORE_PORT
-      User: 'auth'
-      Database: 'auth'
-      SSLmode: disable
+      Connection:
+        Host: $ZITADEL_EVENTSTORE_HOST
+        Port: $ZITADEL_EVENTSTORE_PORT
+        User: 'auth'
+        Database: 'auth'
+        SSLmode: disable
     View:
       Host: $ZITADEL_EVENTSTORE_HOST
       Port: $ZITADEL_EVENTSTORE_PORT
@@ -81,9 +113,48 @@ Auth:
       ConcurrentTasks: 4
       BulkLimit: 100
       FailureCountUntilSkip: 5
+    KeyConfig:
+      Size: 2048
+      PrivateKeyLifetime: 6h
+      PublicKeyLifetime: 30h
+      EncryptionConfig:
+        EncryptionKeyID: $ZITADEL_OIDC_KEYS_ID
+      SigningKeyRotation: 10s
 
 Login:
-#  will get port range 5003x
+  Handler:
+    Port: 50031
+    OidcAuthCallbackURL: '$ZITADEL_AUTHORIZE/authorize/'
+    ZitadelURL: '$ZITADEL_CONSOLE'
+    LanguageCookieName: 'caos.zitadel.login.lang'
+    DefaultLanguage: 'de'
+
+
+AuthZ:
+  Repository:
+    Eventstore:
+      ServiceName: 'AuthZ'
+      Repository:
+        SQL:
+          Host: $ZITADEL_EVENTSTORE_HOST
+          Port: $ZITADEL_EVENTSTORE_PORT
+          User: 'authz'
+          Database: 'eventstore'
+          SSLmode: disable
+      Cache:
+        Type: 'fastcache'
+        Config:
+          MaxCacheSizeInByte: 10485760 #10mb
+    View:
+      Host: $ZITADEL_EVENTSTORE_HOST
+      Port: $ZITADEL_EVENTSTORE_PORT
+      User: 'authz'
+      Database: 'authz'
+      SSLmode: disable
+    Spooler:
+      ConcurrentTasks: 1
+      BulkLimit: 100
+      FailureCountUntilSkip: 5
 
 Admin:
   API:
@@ -120,7 +191,6 @@ Admin:
 
 Console:
   Port: 50050
-  StaticDir: /app/console/dist
 
 
 Notification:

cmd/zitadel/system-defaults.yaml

@@ -76,7 +76,7 @@ SystemDefaults:
             LastName: 'Administrator'
             UserName: 'zitadel-global-org-admin@caos.ch'
             Email: 'zitadel-global-org-admin@caos.ch'
-            Password: 'Password'
+            Password: 'Password1!'
         Owners:
           - 'zitadel-global-org-admin@caos.ch'
       - Name: 'CAOS AG'
@@ -86,7 +86,7 @@ SystemDefaults:
             LastName: 'Administrator'
             UserName: 'zitadel-admin@caos.ch'
             Email: 'zitadel-admin@caos.ch'
-            Password: 'Password'
+            Password: 'Password1!'
         Owners:
           - 'zitadel-admin@caos.ch'
         Projects:
@@ -97,9 +97,9 @@ SystemDefaults:
               - Name: 'Admin-API'
               - Name: 'Zitadel Console'
                 RedirectUris:
-                  - '$CITADEL_CONSOLE/auth/callback'
+                  - '$ZITADEL_CONSOLE/auth/callback'
                 PostLogoutRedirectUris:
-                  - '$CITADEL_CONSOLE/signedout'
+                  - '$ZITADEL_CONSOLE/signedout'
                 ResponseTypes:
                   - 'CODE'
                 GrantTypes:
@@ -133,9 +133,9 @@ SystemDefaults:
         From:  $TWILIO_SENDER_NAME
     TemplateData:
       InitCode:
-        Title: 'Zitadel - User Initialisieren'
-        PreHeader: 'User Initialisieren'
-        Subject: 'User Initialisieren'
+        Title: 'Zitadel - User initialisieren'
+        PreHeader: 'User initialisieren'
+        Subject: 'User initialisieren'
         Greeting: 'Hallo {{.FirstName}} {{.LastName}},'
         Text: 'Dieser Benutzer wurde soeben im Zitadel erstellt. Du kannst den Button unten verwenden, um die Initialisierung abzuschliesen. Falls du dieses Mail nicht angefordert hast, kannst du es einfach ignorieren.'
         ButtonText: 'Initialisierung abschliessen'
@@ -147,16 +147,16 @@ SystemDefaults:
         Text: 'Wir haben eine Anfrage für das Zurücksetzen deines Passwortes bekommen. Du kannst den untenstehenden Button verwenden, um dein Passwort zurückzusetzen. Falls du dieses Mail nicht angefordert hast, kannst du es ignorieren.'
         ButtonText: 'Passwort zurücksetzen'
       VerifyEmail:
-        Title: 'Zitadel - Email Verifizieren'
+        Title: 'Zitadel - Email verifizieren'
         PreHeader: 'Email verifizieren'
         Subject: 'Email verifizieren'
         Greeting: 'Hallo {{.FirstName}} {{.LastName}},'
         Text: 'Eine neue E-Mail Adresse wurde hinzugefügt. Bitte verwende den untenstehenden Button um diese zu verifizieren. Falls du deine E-Mail Adresse nicht selber hinzugefügt hast, kannst du dieses E-Mail ignorieren.'
-        ButtonText: 'Passwort zurücksetzen'
+        ButtonText: 'Email verifizieren'
       VerifyPhone:
-        Title: 'Zitadel - Telefonnummer Verifizieren'
-        PreHeader: 'Telefonnummer Verifizieren'
-        Subject: 'Telefonnummer Verifizieren'
+        Title: 'Zitadel - Telefonnummer verifizieren'
+        PreHeader: 'Telefonnummer verifizieren'
+        Subject: 'Telefonnummer verifizieren'
         Greeting: 'Hallo {{.FirstName}} {{.LastName}},'
         Text: 'Eine Telefonnummer wurde hinzugefügt. Bitte verifiziere diese in dem du folgenden Code eingibst: {{.Code}}'
         ButtonText: 'Telefon verifizieren'