TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 18:07:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373)

Browse Source 
# Which Problems Are Solved

Some OAuth2 and OIDC providers require the use of PKCE for all their
clients. While ZITADEL already recommended the same for its clients, it
did not yet support the option on the IdP configuration.

# How the Problems Are Solved

- A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC
endpoints.
- A new checkbox is added to the generic OAuth and OIDC provider
templates.
- The `rp.WithPKCE` option is added to the provider if the use of PKCE
has been set.
- The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added
to the OIDC/Auth BeginAuth and CodeExchange function.
- Store verifier or any other persistent argument in the intent or auth
request.
- Create corresponding session object before creating the intent, to be
able to store the information.
- (refactored session structs to use a constructor for unified creation
and better overview of actual usage)

Here's a screenshot showing the URI including the PKCE params:


![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169)

# Additional Changes

None.

# Additional Context

- Closes #6449
- This PR replaces the existing PR (#8228) of @doncicuto. The base he
did was cherry picked. Thank you very much for that!

---------

Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
This commit is contained in:
Livio Spring
2025-02-26 13:20:47 +01:00
committed by GitHub
parent 32ec7d0aa9
commit 8f88c4cf5b
79 changed files with 801 additions and 169 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/command/idp.go
View File

@@ -20,6 +20,7 @@ type GenericOAuthProvider struct {
UserEndpoint string
Scopes []string
IDAttribute string
UsePKCE bool
IDPOptions idp.Options
}
@@ -30,6 +31,7 @@ type GenericOIDCProvider struct {
ClientSecret string
Scopes []string
IsIDTokenMapping bool
UsePKCE bool
IDPOptions idp.Options
}

38
internal/command/idp_intent.go
View File

@@ -25,7 +25,7 @@ import (
"github.com/zitadel/zitadel/internal/zerrors"
)
func (c *Commands) prepareCreateIntent(writeModel *IDPIntentWriteModel, idpID, successURL, failureURL string) preparation.Validation {
func (c *Commands) prepareCreateIntent(writeModel *IDPIntentWriteModel, idpID, successURL, failureURL string, idpArguments map[string]any) preparation.Validation {
return func() (_ preparation.CreateCommands, err error) {
if idpID == "" {
return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-x8j2bk", "Errors.Intent.IDPMissing")
@@ -53,24 +53,25 @@ func (c *Commands) prepareCreateIntent(writeModel *IDPIntentWriteModel, idpID, s
successURL,
failureURL,
idpID,
idpArguments,
),
}, nil
}, nil
}
}
func (c *Commands) CreateIntent(ctx context.Context, idpID, successURL, failureURL, resourceOwner string) (*IDPIntentWriteModel, *domain.ObjectDetails, error) {
id, err := c.idGenerator.Next()
if err != nil {
return nil, nil, err
}
writeModel := NewIDPIntentWriteModel(id, resourceOwner)
if err != nil {
return nil, nil, err
func (c *Commands) CreateIntent(ctx context.Context, intentID, idpID, successURL, failureURL, resourceOwner string, idpArguments map[string]any) (*IDPIntentWriteModel, *domain.ObjectDetails, error) {
if intentID == "" {
var err error
intentID, err = c.idGenerator.Next()
if err != nil {
return nil, nil, err
}
}
writeModel := NewIDPIntentWriteModel(intentID, resourceOwner)
//nolint: staticcheck
cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, c.prepareCreateIntent(writeModel, idpID, successURL, failureURL))
cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, c.prepareCreateIntent(writeModel, idpID, successURL, failureURL, idpArguments))
if err != nil {
return nil, nil, err
}
@@ -132,18 +133,17 @@ func (c *Commands) GetActiveIntent(ctx context.Context, intentID string) (*IDPIn
return intent, nil
}
func (c *Commands) AuthFromProvider(ctx context.Context, idpID, state string, idpCallback, samlRootURL string) (string, bool, error) {
func (c *Commands) AuthFromProvider(ctx context.Context, idpID, idpCallback, samlRootURL string) (state string, session idp.Session, err error) {
state, err = c.idGenerator.Next()
if err != nil {
return "", nil, err
}
provider, err := c.GetProvider(ctx, idpID, idpCallback, samlRootURL)
if err != nil {
return "", false, err
return "", nil, err
}
session, err := provider.BeginAuth(ctx, state)
if err != nil {
return "", false, err
}
content, redirect := session.GetAuth(ctx)
return content, redirect, nil
session, err = provider.BeginAuth(ctx, state)
return state, session, err
}
func getIDPIntentWriteModel(ctx context.Context, writeModel *IDPIntentWriteModel, filter preparation.FilterToQueryReducer) error {

16
internal/command/idp_intent_model.go
View File

@@ -12,13 +12,14 @@ import (
type IDPIntentWriteModel struct {
eventstore.WriteModel
SuccessURL *url.URL
FailureURL *url.URL
IDPID string
IDPUser []byte
IDPUserID string
IDPUserName string
UserID string
SuccessURL *url.URL
FailureURL *url.URL
IDPID string
IDPArguments map[string]any
IDPUser []byte
IDPUserID string
IDPUserName string
UserID string
IDPAccessToken *crypto.CryptoValue
IDPIDToken string
@@ -81,6 +82,7 @@ func (wm *IDPIntentWriteModel) reduceStartedEvent(e *idpintent.StartedEvent) {
wm.SuccessURL = e.SuccessURL
wm.FailureURL = e.FailureURL
wm.IDPID = e.IDPID
wm.IDPArguments = e.IDPArguments
wm.State = domain.IDPIntentStateStarted
}

143
internal/command/idp_intent_test.go
View File

@@ -39,11 +39,13 @@ func TestCommands_CreateIntent(t *testing.T) {
idGenerator id.Generator
}
type args struct {
ctx context.Context
idpID string
successURL string
failureURL string
instanceID string
ctx context.Context
intentID string
idpID string
successURL string
failureURL string
instanceID string
idpArguments map[string]any
}
type res struct {
intentID string
@@ -182,6 +184,7 @@ func TestCommands_CreateIntent(t *testing.T) {
"user",
"idAttribute",
nil,
true,
rep_idp.Options{},
)),
),
@@ -195,6 +198,7 @@ func TestCommands_CreateIntent(t *testing.T) {
success,
failure,
"idp",
nil,
)
}(),
),
@@ -235,6 +239,7 @@ func TestCommands_CreateIntent(t *testing.T) {
"user",
"idAttribute",
nil,
true,
rep_idp.Options{},
)),
),
@@ -248,6 +253,9 @@ func TestCommands_CreateIntent(t *testing.T) {
success,
failure,
"idp",
map[string]interface{}{
"verifier": "pkceOAuthVerifier",
},
)
}(),
),
@@ -260,6 +268,9 @@ func TestCommands_CreateIntent(t *testing.T) {
idpID: "idp",
successURL: "https://success.url",
failureURL: "https://failure.url",
idpArguments: map[string]interface{}{
"verifier": "pkceOAuthVerifier",
},
},
res{
intentID: "id",
@@ -288,6 +299,7 @@ func TestCommands_CreateIntent(t *testing.T) {
"user",
"idAttribute",
nil,
true,
rep_idp.Options{},
)),
),
@@ -301,6 +313,9 @@ func TestCommands_CreateIntent(t *testing.T) {
success,
failure,
"idp",
map[string]interface{}{
"verifier": "pkceOAuthVerifier",
},
)
}(),
),
@@ -313,6 +328,69 @@ func TestCommands_CreateIntent(t *testing.T) {
idpID: "idp",
successURL: "https://success.url",
failureURL: "https://failure.url",
idpArguments: map[string]interface{}{
"verifier": "pkceOAuthVerifier",
},
},
res{
intentID: "id",
details: &domain.ObjectDetails{ResourceOwner: "instance"},
},
},
{
"push, with id",
fields{
eventstore: expectEventstore(
expectFilter(),
expectFilter(
eventFromEventPusher(
instance.NewOAuthIDPAddedEvent(context.Background(), &instance.NewAggregate("instance").Aggregate,
"idp",
"name",
"clientID",
&crypto.CryptoValue{
CryptoType: crypto.TypeEncryption,
Algorithm: "enc",
KeyID: "id",
Crypted: []byte("clientSecret"),
},
"auth",
"token",
"user",
"idAttribute",
nil,
true,
rep_idp.Options{},
)),
),
expectPush(
func() eventstore.Command {
success, _ := url.Parse("https://success.url")
failure, _ := url.Parse("https://failure.url")
return idpintent.NewStartedEvent(
context.Background(),
&idpintent.NewAggregate("id", "instance").Aggregate,
success,
failure,
"idp",
map[string]interface{}{
"verifier": "pkceOAuthVerifier",
},
)
}(),
),
),
},
args{
ctx: context.Background(),
instanceID: "instance",
intentID: "id",
idpID: "idp",
successURL: "https://success.url",
failureURL: "https://failure.url",
idpArguments: map[string]interface{}{
"verifier": "pkceOAuthVerifier",
},
},
res{
intentID: "id",
@@ -326,7 +404,7 @@ func TestCommands_CreateIntent(t *testing.T) {
eventstore: tt.fields.eventstore(t),
idGenerator: tt.fields.idGenerator,
}
intentWriteModel, details, err := c.CreateIntent(tt.args.ctx, tt.args.idpID, tt.args.successURL, tt.args.failureURL, tt.args.instanceID)
intentWriteModel, details, err := c.CreateIntent(tt.args.ctx, tt.args.intentID, tt.args.idpID, tt.args.successURL, tt.args.failureURL, tt.args.instanceID, tt.args.idpArguments)
require.ErrorIs(t, err, tt.res.err)
if intentWriteModel != nil {
assert.Equal(t, tt.res.intentID, intentWriteModel.AggregateID)
@@ -342,11 +420,11 @@ func TestCommands_AuthFromProvider(t *testing.T) {
type fields struct {
eventstore func(t *testing.T) *eventstore.Eventstore
secretCrypto crypto.EncryptionAlgorithm
idGenerator id.Generator
}
type args struct {
ctx context.Context
idpID string
state string
callbackURL string
samlRootURL string
}
@@ -361,6 +439,22 @@ func TestCommands_AuthFromProvider(t *testing.T) {
args args
res res
}{
{
"error no id generator",
fields{
secretCrypto: crypto.CreateMockEncryptionAlg(gomock.NewController(t)),
eventstore: expectEventstore(),
idGenerator: mock.NewIDGeneratorExpectError(t, zerrors.ThrowInternal(nil, "", "error id")),
},
args{
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
idpID: "idp",
callbackURL: "url",
},
res{
err: zerrors.ThrowInternal(nil, "", "error id"),
},
},
{
"idp not existing",
fields{
@@ -368,11 +462,11 @@ func TestCommands_AuthFromProvider(t *testing.T) {
eventstore: expectEventstore(
expectFilter(),
),
idGenerator: mock.ExpectID(t, "id"),
},
args{
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
idpID: "idp",
state: "state",
callbackURL: "url",
},
res{
@@ -402,6 +496,7 @@ func TestCommands_AuthFromProvider(t *testing.T) {
"user",
"idAttribute",
nil,
true,
rep_idp.Options{},
)),
eventFromEventPusherWithInstanceID(
@@ -412,11 +507,11 @@ func TestCommands_AuthFromProvider(t *testing.T) {
),
),
),
idGenerator: mock.ExpectID(t, "id"),
},
args{
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
idpID: "idp",
state: "state",
callbackURL: "url",
},
res{
@@ -446,6 +541,7 @@ func TestCommands_AuthFromProvider(t *testing.T) {
"user",
"idAttribute",
nil,
true,
rep_idp.Options{},
)),
),
@@ -467,19 +563,20 @@ func TestCommands_AuthFromProvider(t *testing.T) {
"user",
"idAttribute",
nil,
true,
rep_idp.Options{},
)),
),
),
idGenerator: mock.ExpectID(t, "id"),
},
args{
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
idpID: "idp",
state: "state",
callbackURL: "url",
},
res{
content: "auth?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&state=state",
content: "auth?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&state=id",
redirect: true,
},
},
@@ -504,6 +601,7 @@ func TestCommands_AuthFromProvider(t *testing.T) {
},
[]string{"openid", "profile", "User.Read"},
false,
true,
rep_idp.Options{},
)),
eventFromEventPusherWithInstanceID(
@@ -540,6 +638,7 @@ func TestCommands_AuthFromProvider(t *testing.T) {
},
[]string{"openid", "profile", "User.Read"},
false,
true,
rep_idp.Options{},
)),
eventFromEventPusherWithInstanceID(
@@ -561,15 +660,15 @@ func TestCommands_AuthFromProvider(t *testing.T) {
)),
),
),
idGenerator: mock.ExpectID(t, "id"),
},
args{
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
idpID: "idp",
state: "state",
callbackURL: "url",
},
res{
content: "https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&scope=openid+profile+User.Read&state=state",
content: "https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize?client_id=clientID&prompt=select_account&redirect_uri=url&response_type=code&scope=openid+profile+User.Read&state=id",
redirect: true,
},
},
@@ -579,9 +678,16 @@ func TestCommands_AuthFromProvider(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore(t),
idpConfigEncryption: tt.fields.secretCrypto,
idGenerator: tt.fields.idGenerator,
}
content, redirect, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.state, tt.args.callbackURL, tt.args.samlRootURL)
_, session, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.callbackURL, tt.args.samlRootURL)
require.ErrorIs(t, err, tt.res.err)
var content string
var redirect bool
if err == nil {
content, redirect = session.GetAuth(tt.args.ctx)
}
assert.Equal(t, tt.res.redirect, redirect)
assert.Equal(t, tt.res.content, content)
})
@@ -592,11 +698,11 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
type fields struct {
eventstore func(t *testing.T) *eventstore.Eventstore
secretCrypto crypto.EncryptionAlgorithm
idGenerator id.Generator
}
type args struct {
ctx context.Context
idpID string
state string
callbackURL string
samlRootURL string
}
@@ -669,6 +775,7 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
success,
failure,
"idp",
nil,
)
}(),
),
@@ -683,11 +790,11 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
},
),
),
idGenerator: mock.ExpectID(t, "id"),
},
args{
ctx: authz.SetCtxData(context.Background(), authz.CtxData{OrgID: "ro"}),
idpID: "idp",
state: "id",
callbackURL: "url",
samlRootURL: "samlurl",
},
@@ -705,10 +812,12 @@ func TestCommands_AuthFromProvider_SAML(t *testing.T) {
c := &Commands{
eventstore: tt.fields.eventstore(t),
idpConfigEncryption: tt.fields.secretCrypto,
idGenerator: tt.fields.idGenerator,
}
content, _, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.state, tt.args.callbackURL, tt.args.samlRootURL)
_, session, err := c.AuthFromProvider(tt.args.ctx, tt.args.idpID, tt.args.callbackURL, tt.args.samlRootURL)
require.ErrorIs(t, err, tt.res.err)
content, _ := session.GetAuth(tt.args.ctx)
authURL, err := url.Parse(content)
require.NoError(t, err)

19
internal/command/idp_model.go
View File

@@ -45,6 +45,7 @@ type OAuthIDPWriteModel struct {
UserEndpoint string
Scopes []string
IDAttribute string
UsePKCE bool
idp.Options
State domain.IDPState
@@ -73,6 +74,7 @@ func (wm *OAuthIDPWriteModel) reduceAddedEvent(e *idp.OAuthIDPAddedEvent) {
wm.UserEndpoint = e.UserEndpoint
wm.Scopes = e.Scopes
wm.IDAttribute = e.IDAttribute
wm.UsePKCE = e.UsePKCE
wm.Options = e.Options
wm.State = domain.IDPStateActive
}
@@ -102,6 +104,9 @@ func (wm *OAuthIDPWriteModel) reduceChangedEvent(e *idp.OAuthIDPChangedEvent) {
if e.IDAttribute != nil {
wm.IDAttribute = *e.IDAttribute
}
if e.UsePKCE != nil {
wm.UsePKCE = *e.UsePKCE
}
wm.Options.ReduceChanges(e.OptionChanges)
}
@@ -115,6 +120,7 @@ func (wm *OAuthIDPWriteModel) NewChanges(
userEndpoint,
idAttribute string,
scopes []string,
usePKCE bool,
options idp.Options,
) ([]idp.OAuthIDPChanges, error) {
changes := make([]idp.OAuthIDPChanges, 0)
@@ -148,6 +154,9 @@ func (wm *OAuthIDPWriteModel) NewChanges(
if wm.IDAttribute != idAttribute {
changes = append(changes, idp.ChangeOAuthIDAttribute(idAttribute))
}
if wm.UsePKCE != usePKCE {
changes = append(changes, idp.ChangeOAuthUsePKCE(usePKCE))
}
opts := wm.Options.Changes(options)
if !opts.IsZero() {
changes = append(changes, idp.ChangeOAuthOptions(opts))
@@ -208,6 +217,7 @@ type OIDCIDPWriteModel struct {
ClientSecret *crypto.CryptoValue
Scopes []string
IsIDTokenMapping bool
UsePKCE bool
idp.Options
State domain.IDPState
@@ -248,6 +258,7 @@ func (wm *OIDCIDPWriteModel) reduceAddedEvent(e *idp.OIDCIDPAddedEvent) {
wm.ClientSecret = e.ClientSecret
wm.Scopes = e.Scopes
wm.IsIDTokenMapping = e.IsIDTokenMapping
wm.UsePKCE = e.UsePKCE
wm.Options = e.Options
wm.State = domain.IDPStateActive
}
@@ -271,6 +282,9 @@ func (wm *OIDCIDPWriteModel) reduceChangedEvent(e *idp.OIDCIDPChangedEvent) {
if e.IsIDTokenMapping != nil {
wm.IsIDTokenMapping = *e.IsIDTokenMapping
}
if e.UsePKCE != nil {
wm.UsePKCE = *e.UsePKCE
}
wm.Options.ReduceChanges(e.OptionChanges)
}
@@ -281,7 +295,7 @@ func (wm *OIDCIDPWriteModel) NewChanges(
clientSecretString string,
secretCrypto crypto.EncryptionAlgorithm,
scopes []string,
idTokenMapping bool,
idTokenMapping, usePKCE bool,
options idp.Options,
) ([]idp.OIDCIDPChanges, error) {
changes := make([]idp.OIDCIDPChanges, 0)
@@ -309,6 +323,9 @@ func (wm *OIDCIDPWriteModel) NewChanges(
if wm.IsIDTokenMapping != idTokenMapping {
changes = append(changes, idp.ChangeOIDCIsIDTokenMapping(idTokenMapping))
}
if wm.UsePKCE != usePKCE {
changes = append(changes, idp.ChangeOIDCUsePKCE(usePKCE))
}
opts := wm.Options.Changes(options)
if !opts.IsZero() {
changes = append(changes, idp.ChangeOIDCOptions(opts))

4
internal/command/instance_idp.go
View File

@@ -656,6 +656,7 @@ func (c *Commands) prepareAddInstanceOAuthProvider(a *instance.Aggregate, writeM
provider.UserEndpoint,
provider.IDAttribute,
provider.Scopes,
provider.UsePKCE,
provider.IDPOptions,
),
}, nil
@@ -711,6 +712,7 @@ func (c *Commands) prepareUpdateInstanceOAuthProvider(a *instance.Aggregate, wri
provider.UserEndpoint,
provider.IDAttribute,
provider.Scopes,
provider.UsePKCE,
provider.IDPOptions,
)
if err != nil || event == nil {
@@ -759,6 +761,7 @@ func (c *Commands) prepareAddInstanceOIDCProvider(a *instance.Aggregate, writeMo
secret,
provider.Scopes,
provider.IsIDTokenMapping,
provider.UsePKCE,
provider.IDPOptions,
),
}, nil
@@ -803,6 +806,7 @@ func (c *Commands) prepareUpdateInstanceOIDCProvider(a *instance.Aggregate, writ
c.idpConfigEncryption,
provider.Scopes,
provider.IsIDTokenMapping,
provider.UsePKCE,
provider.IDPOptions,
)
if err != nil || event == nil {

5
internal/command/instance_idp_model.go
View File

@@ -68,6 +68,7 @@ func (wm *InstanceOAuthIDPWriteModel) NewChangedEvent(
userEndpoint,
idAttribute string,
scopes []string,
usePKCE bool,
options idp.Options,
) (*instance.OAuthIDPChangedEvent, error) {
@@ -81,6 +82,7 @@ func (wm *InstanceOAuthIDPWriteModel) NewChangedEvent(
userEndpoint,
idAttribute,
scopes,
usePKCE,
options,
)
if err != nil || len(changes) == 0 {
@@ -174,7 +176,7 @@ func (wm *InstanceOIDCIDPWriteModel) NewChangedEvent(
clientSecretString string,
secretCrypto crypto.EncryptionAlgorithm,
scopes []string,
idTokenMapping bool,
idTokenMapping, usePKCE bool,
options idp.Options,
) (*instance.OIDCIDPChangedEvent, error) {
@@ -186,6 +188,7 @@ func (wm *InstanceOIDCIDPWriteModel) NewChangedEvent(
secretCrypto,
scopes,
idTokenMapping,
usePKCE,
options,
)
if err != nil || len(changes) == 0 {

21
internal/command/instance_idp_test.go
View File

@@ -270,6 +270,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) {
"user",
"idAttribute",
nil,
true,
idp.Options{},
),
),
@@ -287,6 +288,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) {
TokenEndpoint: "token",
UserEndpoint: "user",
IDAttribute: "idAttribute",
UsePKCE: true,
},
},
res: res{
@@ -315,6 +317,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) {
"user",
"idAttribute",
[]string{"user"},
true,
idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -338,6 +341,7 @@ func TestCommandSide_AddInstanceGenericOAuthIDP(t *testing.T) {
UserEndpoint: "user",
Scopes: []string{"user"},
IDAttribute: "idAttribute",
UsePKCE: true,
IDPOptions: idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -569,6 +573,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
"user",
"idAttribute",
nil,
true,
idp.Options{},
)),
),
@@ -584,6 +589,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
TokenEndpoint: "token",
UserEndpoint: "user",
IDAttribute: "idAttribute",
UsePKCE: true,
},
},
res: res{
@@ -611,6 +617,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
"user",
"idAttribute",
nil,
false,
idp.Options{},
)),
),
@@ -633,6 +640,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
idp.ChangeOAuthUserEndpoint("new user"),
idp.ChangeOAuthScopes([]string{"openid", "profile"}),
idp.ChangeOAuthIDAttribute("newAttribute"),
idp.ChangeOAuthUsePKCE(true),
idp.ChangeOAuthOptions(idp.OptionChanges{
IsCreationAllowed: &t,
IsLinkingAllowed: &t,
@@ -659,6 +667,7 @@ func TestCommandSide_UpdateInstanceGenericOAuthIDP(t *testing.T) {
UserEndpoint: "new user",
Scopes: []string{"openid", "profile"},
IDAttribute: "newAttribute",
UsePKCE: true,
IDPOptions: idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -805,6 +814,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) {
},
nil,
false,
true,
idp.Options{},
),
),
@@ -819,6 +829,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) {
Issuer: "issuer",
ClientID: "clientID",
ClientSecret: "clientSecret",
UsePKCE: true,
},
},
res: res{
@@ -845,6 +856,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) {
},
[]string{openid.ScopeOpenID},
true,
true,
idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -866,6 +878,7 @@ func TestCommandSide_AddInstanceGenericOIDCIDP(t *testing.T) {
ClientSecret: "clientSecret",
Scopes: []string{openid.ScopeOpenID},
IsIDTokenMapping: true,
UsePKCE: true,
IDPOptions: idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -1029,6 +1042,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1066,6 +1080,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1086,6 +1101,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) {
}),
idp.ChangeOIDCScopes([]string{"openid", "profile"}),
idp.ChangeOIDCIsIDTokenMapping(true),
idp.ChangeOIDCUsePKCE(true),
idp.ChangeOIDCOptions(idp.OptionChanges{
IsCreationAllowed: &t,
IsLinkingAllowed: &t,
@@ -1110,6 +1126,7 @@ func TestCommandSide_UpdateInstanceGenericOIDCIDP(t *testing.T) {
ClientSecret: "newSecret",
Scopes: []string{"openid", "profile"},
IsIDTokenMapping: true,
UsePKCE: true,
IDPOptions: idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -1253,6 +1270,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1311,6 +1329,7 @@ func TestCommandSide_MigrateInstanceGenericOIDCToAzureADProvider(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1475,6 +1494,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1527,6 +1547,7 @@ func TestCommandSide_MigrateInstanceOIDCToGoogleIDP(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),

4
internal/command/org_idp.go
View File

@@ -628,6 +628,7 @@ func (c *Commands) prepareAddOrgOAuthProvider(a *org.Aggregate, writeModel *OrgO
provider.UserEndpoint,
provider.IDAttribute,
provider.Scopes,
provider.UsePKCE,
provider.IDPOptions,
),
}, nil
@@ -683,6 +684,7 @@ func (c *Commands) prepareUpdateOrgOAuthProvider(a *org.Aggregate, writeModel *O
provider.UserEndpoint,
provider.IDAttribute,
provider.Scopes,
provider.UsePKCE,
provider.IDPOptions,
)
if err != nil || event == nil {
@@ -731,6 +733,7 @@ func (c *Commands) prepareAddOrgOIDCProvider(a *org.Aggregate, writeModel *OrgOI
secret,
provider.Scopes,
provider.IsIDTokenMapping,
provider.UsePKCE,
provider.IDPOptions,
),
}, nil
@@ -775,6 +778,7 @@ func (c *Commands) prepareUpdateOrgOIDCProvider(a *org.Aggregate, writeModel *Or
c.idpConfigEncryption,
provider.Scopes,
provider.IsIDTokenMapping,
provider.UsePKCE,
provider.IDPOptions,
)
if err != nil || event == nil {

5
internal/command/org_idp_model.go
View File

@@ -70,6 +70,7 @@ func (wm *OrgOAuthIDPWriteModel) NewChangedEvent(
userEndpoint,
idAttribute string,
scopes []string,
usePKCE bool,
options idp.Options,
) (*org.OAuthIDPChangedEvent, error) {
@@ -83,6 +84,7 @@ func (wm *OrgOAuthIDPWriteModel) NewChangedEvent(
userEndpoint,
idAttribute,
scopes,
usePKCE,
options,
)
if err != nil || len(changes) == 0 {
@@ -176,7 +178,7 @@ func (wm *OrgOIDCIDPWriteModel) NewChangedEvent(
clientSecretString string,
secretCrypto crypto.EncryptionAlgorithm,
scopes []string,
idTokenMapping bool,
idTokenMapping, usePKCE bool,
options idp.Options,
) (*org.OIDCIDPChangedEvent, error) {
@@ -188,6 +190,7 @@ func (wm *OrgOIDCIDPWriteModel) NewChangedEvent(
secretCrypto,
scopes,
idTokenMapping,
usePKCE,
options,
)
if err != nil || len(changes) == 0 {

19
internal/command/org_idp_test.go
View File

@@ -210,6 +210,7 @@ func TestCommandSide_AddOrgGenericOAuthProvider(t *testing.T) {
"user",
"idAttribute",
nil,
false,
idp.Options{},
),
),
@@ -256,6 +257,7 @@ func TestCommandSide_AddOrgGenericOAuthProvider(t *testing.T) {
"user",
"idAttribute",
[]string{"user"},
true,
idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -280,6 +282,7 @@ func TestCommandSide_AddOrgGenericOAuthProvider(t *testing.T) {
UserEndpoint: "user",
Scopes: []string{"user"},
IDAttribute: "idAttribute",
UsePKCE: true,
IDPOptions: idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -520,6 +523,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
"user",
"idAttribute",
nil,
false,
idp.Options{},
)),
),
@@ -536,6 +540,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
TokenEndpoint: "token",
UserEndpoint: "user",
IDAttribute: "idAttribute",
UsePKCE: false,
},
},
res: res{
@@ -563,6 +568,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
"user",
"idAttribute",
nil,
false,
idp.Options{},
)),
),
@@ -585,6 +591,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
idp.ChangeOAuthUserEndpoint("new user"),
idp.ChangeOAuthScopes([]string{"openid", "profile"}),
idp.ChangeOAuthIDAttribute("newAttribute"),
idp.ChangeOAuthUsePKCE(true),
idp.ChangeOAuthOptions(idp.OptionChanges{
IsCreationAllowed: &t,
IsLinkingAllowed: &t,
@@ -612,6 +619,7 @@ func TestCommandSide_UpdateOrgGenericOAuthIDP(t *testing.T) {
UserEndpoint: "new user",
Scopes: []string{"openid", "profile"},
IDAttribute: "newAttribute",
UsePKCE: true,
IDPOptions: idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -763,6 +771,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
),
),
@@ -804,6 +813,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) {
},
[]string{openid.ScopeOpenID},
true,
true,
idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -826,6 +836,7 @@ func TestCommandSide_AddOrgGenericOIDCIDP(t *testing.T) {
ClientSecret: "clientSecret",
Scopes: []string{openid.ScopeOpenID},
IsIDTokenMapping: true,
UsePKCE: true,
IDPOptions: idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -995,6 +1006,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1033,6 +1045,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1053,6 +1066,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) {
}),
idp.ChangeOIDCScopes([]string{"openid", "profile"}),
idp.ChangeOIDCIsIDTokenMapping(true),
idp.ChangeOIDCUsePKCE(true),
idp.ChangeOIDCOptions(idp.OptionChanges{
IsCreationAllowed: &t,
IsLinkingAllowed: &t,
@@ -1078,6 +1092,7 @@ func TestCommandSide_UpdateOrgGenericOIDCIDP(t *testing.T) {
ClientSecret: "newSecret",
Scopes: []string{"openid", "profile"},
IsIDTokenMapping: true,
UsePKCE: true,
IDPOptions: idp.Options{
IsCreationAllowed: true,
IsLinkingAllowed: true,
@@ -1225,6 +1240,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1284,6 +1300,7 @@ func TestCommandSide_MigrateOrgGenericOIDCToAzureADProvider(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1452,6 +1469,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),
@@ -1505,6 +1523,7 @@ func TestCommandSide_MigrateOrgOIDCToGoogleIDP(t *testing.T) {
},
nil,
false,
false,
idp.Options{},
)),
),

1
internal/command/session_test.go
View File

@@ -837,6 +837,7 @@ func TestCommands_updateSession(t *testing.T) {
nil,
nil,
"idpID",
nil,
),
),
eventFromEventPusher(