TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 19:07:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(oidc): sid claim for id_tokens issued through login V1 (#8525)

Browse Source 
# Which Problems Are Solved

id_tokens issued for auth requests created through the login UI
currently do not provide a sid claim.
This is due to the fact that (SSO) sessions for the login UI do not have
one and are only computed by the userAgent(ID), the user(ID) and the
authentication checks of the latter.

This prevents client to track sessions and terminate specific session on
the end_session_endpoint.

# How the Problems Are Solved

- An `id` column is added to the `auth.user_sessions` table.
- The `id` (prefixed with `V1_`) is set whenever a session is added or
updated to active (from terminated)
- The id is passed to the `oidc session` (as v2 sessionIDs), to expose
it as `sid` claim

# Additional Changes

- refactored `getUpdateCols` to handle different column value types and
add arguments for query

# Additional Context

- closes #8499 
- relates to #8501
This commit is contained in:
Livio Spring
2024-09-03 15:19:00 +02:00
committed by GitHub
parent 41b7bf976d
commit 9ec9ad4314
28 changed files with 336 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
internal/command/device_auth.go
View File

@@ -50,6 +50,7 @@ func (c *Commands) ApproveDeviceAuth(
authTime time.Time,
preferredLanguage *language.Tag,
userAgent *domain.UserAgent,
sessionID string,
) (*domain.ObjectDetails, error) {
model, err := c.getDeviceAuthWriteModelByDeviceCode(ctx, deviceCode)
if err != nil {
@@ -58,7 +59,7 @@ func (c *Commands) ApproveDeviceAuth(
if !model.State.Exists() {
return nil, zerrors.ThrowNotFound(nil, "COMMAND-Hief9", "Errors.DeviceAuth.NotFound")
}
pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewApprovedEvent(ctx, model.aggregate, userID, userOrgID, authMethods, authTime, preferredLanguage, userAgent))
pushedEvents, err := c.eventstore.Push(ctx, deviceauth.NewApprovedEvent(ctx, model.aggregate, userID, userOrgID, authMethods, authTime, preferredLanguage, userAgent, sessionID))
if err != nil {
return nil, err
}
@@ -151,7 +152,7 @@ func (c *Commands) CreateOIDCSessionFromDeviceAuth(ctx context.Context, deviceCo
cmd.AddSession(ctx,
deviceAuthModel.UserID,
deviceAuthModel.UserOrgID,
"",
deviceAuthModel.SessionID,
deviceAuthModel.ClientID,
deviceAuthModel.Audience,
deviceAuthModel.Scopes,