fix(oidc): don't push introspection client events (#8481)

# Which Problems Are Solved Do not push secret succeeded and failed events for API and OIDC clients on the introspection endpoint. On instances where introspection was fequently called, the pushed events created issues on duplicate primary keys, due to collisions on the `sequence` column in the eventstore. As the event pusher retries on this collision and we pushed above mentioned events async, it would create a backpressure of concurrent pushers and effectively cripple an instance. We considered that pushing these events have little value with regards to the audit trail, as we do not push similar events when client assertion is used. Also, before #7657 the events were defined, but not pushed. # How the Problems Are Solved - Removed API secret check succeeded and faild event definitions - Removed OIDC secret check succeeded and faild event definitions - Push only Hash Updated event when needed # Additional Changes - None # Additional Context - Fixes https://github.com/zitadel/zitadel/issues/8479 - Closes https://github.com/zitadel/zitadel/issues/8430 - Intoduced in https://github.com/zitadel/zitadel/pull/7657
2025-08-11 21:47:32 +00:00 · 2024-08-28 20:19:50 +02:00
parent ca8f82423a
commit 90b908c361
9 changed files with 38 additions and 256 deletions
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -1035,10 +1035,11 @@ func (s *Server) verifyClientSecret(ctx context.Context, client *query.OIDCClien
 	updated, err := s.hasher.Verify(client.HashedSecret, secret)
 	spanPasswordComparison.EndWithError(err)
 	if err != nil {
-		s.command.OIDCSecretCheckFailed(ctx, client.AppID, client.ProjectID, client.Settings.ResourceOwner)
 		return oidc.ErrInvalidClient().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError).WithDescription("invalid secret")
 	}
-	s.command.OIDCSecretCheckSucceeded(ctx, client.AppID, client.ProjectID, client.Settings.ResourceOwner, updated)
+	if updated != "" {
+		s.command.OIDCUpdateSecret(ctx, client.AppID, client.ProjectID, client.Settings.ResourceOwner, updated)
+	}
 	return nil
 }

--- a/internal/api/oidc/introspect.go
+++ b/internal/api/oidc/introspect.go
@@ -183,17 +183,13 @@ func (s *Server) introspectionClientAuth(ctx context.Context, cc *op.ClientCrede
 var errNoAppType = errors.New("introspection client without app type")

 func (s *Server) introspectionClientSecretAuth(ctx context.Context, client *query.IntrospectionClient, secret string) error {
-	var (
-		successCommand func(ctx context.Context, appID, projectID, resourceOwner, updated string)
-		failedCommand  func(ctx context.Context, appID, projectID, resourceOwner string)
-	)
+	var updateCommand func(ctx context.Context, appID, projectID, resourceOwner, updated string)
+
 	switch client.AppType {
 	case query.AppTypeAPI:
-		successCommand = s.command.APISecretCheckSucceeded
-		failedCommand = s.command.APISecretCheckFailed
+		updateCommand = s.command.APIUpdateSecret
 	case query.AppTypeOIDC:
-		successCommand = s.command.OIDCSecretCheckSucceeded
-		failedCommand = s.command.OIDCSecretCheckFailed
+		updateCommand = s.command.OIDCUpdateSecret
 	default:
 		return zerrors.ThrowInternal(errNoAppType, "OIDC-ooD5Ot", "Errors.Internal")
 	}
@@ -202,10 +198,11 @@ func (s *Server) introspectionClientSecretAuth(ctx context.Context, client *quer
 	updated, err := s.hasher.Verify(client.HashedSecret, secret)
 	spanPasswordComparison.EndWithError(err)
 	if err != nil {
-		failedCommand(ctx, client.AppID, client.ProjectID, client.ResourceOwner)
 		return err
 	}
-	successCommand(ctx, client.AppID, client.ProjectID, client.ResourceOwner, updated)
+	if updated != "" {
+		updateCommand(ctx, client.AppID, client.ProjectID, client.ResourceOwner, updated)
+	}
 	return nil
 }