feat(oidc): use the new oidc server interface (#6779)

* feat(oidc): use the new oidc server interface * rename from provider to server * pin logging and oidc packages * use oidc introspection fix branch * add overloaded methods with tracing * cleanup unused code * include latest oidc fixes --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 07:47:32 +00:00 · 2023-10-25 18:44:05 +03:00
parent 4980cd6a0c
commit 94cf30c547
7 changed files with 233 additions and 86 deletions
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -9,6 +9,7 @@ import (
 	"github.com/rakyll/statik/fs"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/oidc/v3/pkg/op"
+	"golang.org/x/exp/slog"
 	"golang.org/x/text/language"

 	"github.com/zitadel/zitadel/internal/api/assets"
@@ -80,7 +81,7 @@ type OPStorage struct {
 	assetAPIPrefix                    func(ctx context.Context) string
 }

-func NewProvider(
+func NewServer(
 	config Config,
 	defaultLogoutRedirectURI string,
 	externalSecure bool,
@@ -93,19 +94,17 @@ func NewProvider(
 	projections *database.DB,
 	userAgentCookie, instanceHandler func(http.Handler) http.Handler,
 	accessHandler *middleware.AccessInterceptor,
-) (op.OpenIDProvider, error) {
+	fallbackLogger *slog.Logger,
+) (*Server, error) {
 	opConfig, err := createOPConfig(config, defaultLogoutRedirectURI, cryptoKey)
 	if err != nil {
 		return nil, caos_errs.ThrowInternal(err, "OIDC-EGrqd", "cannot create op config: %w")
 	}
 	storage := newStorage(config, command, query, repo, encryptionAlg, es, projections, externalSecure)
-	options, err := createOptions(
-		config,
-		externalSecure,
-		userAgentCookie,
-		instanceHandler,
-		accessHandler.HandleIgnorePathPrefixes(ignoredQuotaLimitEndpoint(config.CustomEndpoints)),
-	)
+	var options []op.Option
+	if !externalSecure {
+		options = append(options, op.WithAllowInsecure())
+	}
 	if err != nil {
 		return nil, caos_errs.ThrowInternal(err, "OIDC-D3gq1", "cannot create options: %w")
 	}
@@ -118,7 +117,22 @@ func NewProvider(
 	if err != nil {
 		return nil, caos_errs.ThrowInternal(err, "OIDC-DAtg3", "cannot create provider")
 	}
-	return provider, nil
+
+	server := &Server{
+		LegacyServer: op.NewLegacyServer(provider, endpoints(config.CustomEndpoints)),
+	}
+	metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
+	server.Handler = op.RegisterLegacyServer(server, op.WithHTTPMiddleware(
+		middleware.MetricsHandler(metricTypes),
+		middleware.TelemetryHandler(),
+		middleware.NoCacheInterceptor().Handler,
+		instanceHandler,
+		userAgentCookie,
+		http_utils.CopyHeadersToContext,
+		accessHandler.HandleIgnorePathPrefixes(ignoredQuotaLimitEndpoint(config.CustomEndpoints)),
+	))
+
+	return server, nil
 }

 func ignoredQuotaLimitEndpoint(endpoints *EndpointConfig) []string {
@@ -158,61 +172,6 @@ func createOPConfig(config Config, defaultLogoutRedirectURI string, cryptoKey []
 	return opConfig, nil
 }

-func createOptions(config Config, externalSecure bool, userAgentCookie, instanceHandler, accessHandler func(http.Handler) http.Handler) ([]op.Option, error) {
-	metricTypes := []metrics.MetricType{metrics.MetricTypeRequestCount, metrics.MetricTypeStatusCode, metrics.MetricTypeTotalCount}
-	options := []op.Option{
-		op.WithHttpInterceptors(
-			middleware.MetricsHandler(metricTypes),
-			middleware.TelemetryHandler(),
-			middleware.NoCacheInterceptor().Handler,
-			instanceHandler,
-			userAgentCookie,
-			http_utils.CopyHeadersToContext,
-			accessHandler,
-		),
-	}
-	if !externalSecure {
-		options = append(options, op.WithAllowInsecure())
-	}
-	endpoints := customEndpoints(config.CustomEndpoints)
-	if len(endpoints) != 0 {
-		options = append(options, endpoints...)
-	}
-	return options, nil
-}
-
-func customEndpoints(endpointConfig *EndpointConfig) []op.Option {
-	if endpointConfig == nil {
-		return nil
-	}
-	options := []op.Option{}
-	if endpointConfig.Auth != nil {
-		options = append(options, op.WithCustomAuthEndpoint(op.NewEndpointWithURL(endpointConfig.Auth.Path, endpointConfig.Auth.URL)))
-	}
-	if endpointConfig.Token != nil {
-		options = append(options, op.WithCustomTokenEndpoint(op.NewEndpointWithURL(endpointConfig.Token.Path, endpointConfig.Token.URL)))
-	}
-	if endpointConfig.Introspection != nil {
-		options = append(options, op.WithCustomIntrospectionEndpoint(op.NewEndpointWithURL(endpointConfig.Introspection.Path, endpointConfig.Introspection.URL)))
-	}
-	if endpointConfig.Userinfo != nil {
-		options = append(options, op.WithCustomUserinfoEndpoint(op.NewEndpointWithURL(endpointConfig.Userinfo.Path, endpointConfig.Userinfo.URL)))
-	}
-	if endpointConfig.Revocation != nil {
-		options = append(options, op.WithCustomRevocationEndpoint(op.NewEndpointWithURL(endpointConfig.Revocation.Path, endpointConfig.Revocation.URL)))
-	}
-	if endpointConfig.EndSession != nil {
-		options = append(options, op.WithCustomEndSessionEndpoint(op.NewEndpointWithURL(endpointConfig.EndSession.Path, endpointConfig.EndSession.URL)))
-	}
-	if endpointConfig.Keys != nil {
-		options = append(options, op.WithCustomKeysEndpoint(op.NewEndpointWithURL(endpointConfig.Keys.Path, endpointConfig.Keys.URL)))
-	}
-	if endpointConfig.DeviceAuth != nil {
-		options = append(options, op.WithCustomDeviceAuthorizationEndpoint(op.NewEndpointWithURL(endpointConfig.DeviceAuth.Path, endpointConfig.DeviceAuth.URL)))
-	}
-	return options
-}
-
 func newStorage(config Config, command *command.Commands, query *query.Queries, repo repository.Repository, encAlg crypto.EncryptionAlgorithm, es *eventstore.Eventstore, db *database.DB, externalSecure bool) *OPStorage {
 	return &OPStorage{
 		repo:                              repo,