mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 21:37:32 +00:00
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373)
# Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params:  # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
This commit is contained in:
Livio Spring
@@ -70,6 +70,7 @@ const (
|
||||
OAuthUserEndpointCol = "user_endpoint"
|
||||
OAuthScopesCol = "scopes"
|
||||
OAuthIDAttributeCol = "id_attribute"
|
||||
OAuthUsePKCECol = "use_pkce"
|
||||
|
||||
OIDCIDCol = "idp_id"
|
||||
OIDCInstanceIDCol = "instance_id"
|
||||
@@ -78,6 +79,7 @@ const (
|
||||
OIDCClientSecretCol = "client_secret"
|
||||
OIDCScopesCol = "scopes"
|
||||
OIDCIDTokenMappingCol = "id_token_mapping"
|
||||
OIDCUsePKCECol = "use_pkce"
|
||||
|
||||
JWTIDCol = "idp_id"
|
||||
JWTInstanceIDCol = "instance_id"
|
||||
@@ -217,6 +219,7 @@ func (*idpTemplateProjection) Init() *old_handler.Check {
|
||||
handler.NewColumn(OAuthUserEndpointCol, handler.ColumnTypeText),
|
||||
handler.NewColumn(OAuthScopesCol, handler.ColumnTypeTextArray, handler.Nullable()),
|
||||
handler.NewColumn(OAuthIDAttributeCol, handler.ColumnTypeText),
|
||||
handler.NewColumn(OAuthUsePKCECol, handler.ColumnTypeBool, handler.Default(false)),
|
||||
},
|
||||
handler.NewPrimaryKey(OAuthInstanceIDCol, OAuthIDCol),
|
||||
IDPTemplateOAuthSuffix,
|
||||
@@ -230,6 +233,7 @@ func (*idpTemplateProjection) Init() *old_handler.Check {
|
||||
handler.NewColumn(OIDCClientSecretCol, handler.ColumnTypeJSONB),
|
||||
handler.NewColumn(OIDCScopesCol, handler.ColumnTypeTextArray, handler.Nullable()),
|
||||
handler.NewColumn(OIDCIDTokenMappingCol, handler.ColumnTypeBool, handler.Default(false)),
|
||||
handler.NewColumn(OIDCUsePKCECol, handler.ColumnTypeBool, handler.Default(false)),
|
||||
},
|
||||
handler.NewPrimaryKey(OIDCInstanceIDCol, OIDCIDCol),
|
||||
IDPTemplateOIDCSuffix,
|
||||
@@ -722,6 +726,7 @@ func (p *idpTemplateProjection) reduceOAuthIDPAdded(event eventstore.Event) (*ha
|
||||
handler.NewCol(OAuthUserEndpointCol, idpEvent.UserEndpoint),
|
||||
handler.NewCol(OAuthScopesCol, database.TextArray[string](idpEvent.Scopes)),
|
||||
handler.NewCol(OAuthIDAttributeCol, idpEvent.IDAttribute),
|
||||
handler.NewCol(OAuthUsePKCECol, idpEvent.UsePKCE),
|
||||
},
|
||||
handler.WithTableSuffix(IDPTemplateOAuthSuffix),
|
||||
),
|
||||
@@ -813,6 +818,7 @@ func (p *idpTemplateProjection) reduceOIDCIDPAdded(event eventstore.Event) (*han
|
||||
handler.NewCol(OIDCClientSecretCol, idpEvent.ClientSecret),
|
||||
handler.NewCol(OIDCScopesCol, database.TextArray[string](idpEvent.Scopes)),
|
||||
handler.NewCol(OIDCIDTokenMappingCol, idpEvent.IsIDTokenMapping),
|
||||
handler.NewCol(OIDCUsePKCECol, idpEvent.UsePKCE),
|
||||
},
|
||||
handler.WithTableSuffix(IDPTemplateOIDCSuffix),
|
||||
),
|
||||
@@ -1154,6 +1160,7 @@ func (p *idpTemplateProjection) reduceOldOIDCConfigAdded(event eventstore.Event)
|
||||
handler.NewCol(OIDCClientSecretCol, idpEvent.ClientSecret),
|
||||
handler.NewCol(OIDCScopesCol, database.TextArray[string](idpEvent.Scopes)),
|
||||
handler.NewCol(OIDCIDTokenMappingCol, true),
|
||||
handler.NewCol(OIDCUsePKCECol, false),
|
||||
},
|
||||
handler.WithTableSuffix(IDPTemplateOIDCSuffix),
|
||||
),
|
||||
@@ -2253,6 +2260,9 @@ func reduceOAuthIDPChangedColumns(idpEvent idp.OAuthIDPChangedEvent) []handler.C
|
||||
if idpEvent.IDAttribute != nil {
|
||||
oauthCols = append(oauthCols, handler.NewCol(OAuthIDAttributeCol, *idpEvent.IDAttribute))
|
||||
}
|
||||
if idpEvent.UsePKCE != nil {
|
||||
oauthCols = append(oauthCols, handler.NewCol(OAuthUsePKCECol, *idpEvent.UsePKCE))
|
||||
}
|
||||
return oauthCols
|
||||
}
|
||||
|
||||
@@ -2273,6 +2283,9 @@ func reduceOIDCIDPChangedColumns(idpEvent idp.OIDCIDPChangedEvent) []handler.Col
|
||||
if idpEvent.IsIDTokenMapping != nil {
|
||||
oidcCols = append(oidcCols, handler.NewCol(OIDCIDTokenMappingCol, *idpEvent.IsIDTokenMapping))
|
||||
}
|
||||
if idpEvent.UsePKCE != nil {
|
||||
oidcCols = append(oidcCols, handler.NewCol(OIDCUsePKCECol, *idpEvent.UsePKCE))
|
||||
}
|
||||
return oidcCols
|
||||
}
|
||||
|
||||
|
||||
@@ -192,6 +192,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
|
||||
"userEndpoint": "user",
|
||||
"scopes": ["profile"],
|
||||
"idAttribute": "id-attribute",
|
||||
"usePKCE": false,
|
||||
"isCreationAllowed": true,
|
||||
"isLinkingAllowed": true,
|
||||
"isAutoCreation": true,
|
||||
@@ -227,7 +228,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
|
||||
},
|
||||
},
|
||||
{
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
|
||||
expectedArgs: []interface{}{
|
||||
"idp-id",
|
||||
"instance-id",
|
||||
@@ -238,6 +239,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
|
||||
"user",
|
||||
database.TextArray[string]{"profile"},
|
||||
"id-attribute",
|
||||
false,
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -265,6 +267,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
|
||||
"userEndpoint": "user",
|
||||
"scopes": ["profile"],
|
||||
"idAttribute": "id-attribute",
|
||||
"usePKCE": true,
|
||||
"isCreationAllowed": true,
|
||||
"isLinkingAllowed": true,
|
||||
"isAutoCreation": true,
|
||||
@@ -300,7 +303,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
|
||||
},
|
||||
},
|
||||
{
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)",
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oauth2 (idp_id, instance_id, client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)",
|
||||
expectedArgs: []interface{}{
|
||||
"idp-id",
|
||||
"instance-id",
|
||||
@@ -311,6 +314,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
|
||||
"user",
|
||||
database.TextArray[string]{"profile"},
|
||||
"id-attribute",
|
||||
true,
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -380,6 +384,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
|
||||
"userEndpoint": "user",
|
||||
"scopes": ["profile"],
|
||||
"idAttribute": "id-attribute",
|
||||
"usePKCE": true,
|
||||
"isCreationAllowed": true,
|
||||
"isLinkingAllowed": true,
|
||||
"isAutoCreation": true,
|
||||
@@ -410,7 +415,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
|
||||
},
|
||||
},
|
||||
{
|
||||
expectedStmt: "UPDATE projections.idp_templates6_oauth2 SET (client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute) = ($1, $2, $3, $4, $5, $6, $7) WHERE (idp_id = $8) AND (instance_id = $9)",
|
||||
expectedStmt: "UPDATE projections.idp_templates6_oauth2 SET (client_id, client_secret, authorization_endpoint, token_endpoint, user_endpoint, scopes, id_attribute, use_pkce) = ($1, $2, $3, $4, $5, $6, $7, $8) WHERE (idp_id = $9) AND (instance_id = $10)",
|
||||
expectedArgs: []interface{}{
|
||||
"client_id",
|
||||
anyArg{},
|
||||
@@ -419,6 +424,7 @@ func TestIDPTemplateProjection_reducesOAuth(t *testing.T) {
|
||||
"user",
|
||||
database.TextArray[string]{"profile"},
|
||||
"id-attribute",
|
||||
true,
|
||||
"idp-id",
|
||||
"instance-id",
|
||||
},
|
||||
@@ -3081,6 +3087,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
|
||||
},
|
||||
"scopes": ["profile"],
|
||||
"idTokenMapping": true,
|
||||
"usePKCE": true,
|
||||
"isCreationAllowed": true,
|
||||
"isLinkingAllowed": true,
|
||||
"isAutoCreation": true,
|
||||
@@ -3116,7 +3123,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
|
||||
},
|
||||
},
|
||||
{
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping) VALUES ($1, $2, $3, $4, $5, $6, $7)",
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
|
||||
expectedArgs: []interface{}{
|
||||
"idp-id",
|
||||
"instance-id",
|
||||
@@ -3125,6 +3132,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
|
||||
anyArg{},
|
||||
database.TextArray[string]{"profile"},
|
||||
true,
|
||||
true,
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -3149,6 +3157,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
|
||||
},
|
||||
"scopes": ["profile"],
|
||||
"idTokenMapping": true,
|
||||
"usePKCE": true,
|
||||
"isCreationAllowed": true,
|
||||
"isLinkingAllowed": true,
|
||||
"isAutoCreation": true,
|
||||
@@ -3184,7 +3193,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
|
||||
},
|
||||
},
|
||||
{
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping) VALUES ($1, $2, $3, $4, $5, $6, $7)",
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
|
||||
expectedArgs: []interface{}{
|
||||
"idp-id",
|
||||
"instance-id",
|
||||
@@ -3193,6 +3202,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
|
||||
anyArg{},
|
||||
database.TextArray[string]{"profile"},
|
||||
true,
|
||||
true,
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -3260,6 +3270,7 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
|
||||
},
|
||||
"scopes": ["profile"],
|
||||
"idTokenMapping": true,
|
||||
"usePKCE": true,
|
||||
"isCreationAllowed": true,
|
||||
"isLinkingAllowed": true,
|
||||
"isAutoCreation": true,
|
||||
@@ -3290,13 +3301,14 @@ func TestIDPTemplateProjection_reducesOIDC(t *testing.T) {
|
||||
},
|
||||
},
|
||||
{
|
||||
expectedStmt: "UPDATE projections.idp_templates6_oidc SET (client_id, client_secret, issuer, scopes, id_token_mapping) = ($1, $2, $3, $4, $5) WHERE (idp_id = $6) AND (instance_id = $7)",
|
||||
expectedStmt: "UPDATE projections.idp_templates6_oidc SET (client_id, client_secret, issuer, scopes, id_token_mapping, use_pkce) = ($1, $2, $3, $4, $5, $6) WHERE (idp_id = $7) AND (instance_id = $8)",
|
||||
expectedArgs: []interface{}{
|
||||
"client_id",
|
||||
anyArg{},
|
||||
"issuer",
|
||||
database.TextArray[string]{"profile"},
|
||||
true,
|
||||
true,
|
||||
"idp-id",
|
||||
"instance-id",
|
||||
},
|
||||
@@ -3810,7 +3822,7 @@ func TestIDPTemplateProjection_reducesOldConfig(t *testing.T) {
|
||||
},
|
||||
},
|
||||
{
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping) VALUES ($1, $2, $3, $4, $5, $6, $7)",
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
|
||||
expectedArgs: []interface{}{
|
||||
"idp-config-id",
|
||||
"instance-id",
|
||||
@@ -3819,6 +3831,7 @@ func TestIDPTemplateProjection_reducesOldConfig(t *testing.T) {
|
||||
anyArg{},
|
||||
database.TextArray[string]{"profile"},
|
||||
true,
|
||||
false,
|
||||
},
|
||||
},
|
||||
},
|
||||
@@ -3864,7 +3877,7 @@ func TestIDPTemplateProjection_reducesOldConfig(t *testing.T) {
|
||||
},
|
||||
},
|
||||
{
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping) VALUES ($1, $2, $3, $4, $5, $6, $7)",
|
||||
expectedStmt: "INSERT INTO projections.idp_templates6_oidc (idp_id, instance_id, issuer, client_id, client_secret, scopes, id_token_mapping, use_pkce) VALUES ($1, $2, $3, $4, $5, $6, $7, $8)",
|
||||
expectedArgs: []interface{}{
|
||||
"idp-config-id",
|
||||
"instance-id",
|
||||
@@ -3873,6 +3886,7 @@ func TestIDPTemplateProjection_reducesOldConfig(t *testing.T) {
|
||||
anyArg{},
|
||||
database.TextArray[string]{"profile"},
|
||||
true,
|
||||
false,
|
||||
},
|
||||
},
|
||||
},
|
||||
|
||||
Reference in New Issue
Block a user