Merge commit from fork

* fix: prevent intent token reuse and add expiry * fix duplicate * fix expiration
2025-08-11 21:47:32 +00:00 · 2025-05-02 13:44:24 +02:00
parent bb56b362a7
commit b1e60e7398
48 changed files with 673 additions and 123 deletions
--- a/internal/idp/providers/apple/session.go
+++ b/internal/idp/providers/apple/session.go
@@ -10,6 +10,8 @@ import (
 	"github.com/zitadel/zitadel/internal/idp/providers/oidc"
 )

+var _ idp.Session = (*Session)(nil)
+
 // Session extends the [oidc.Session] with the formValues returned from the callback.
 // This enables to parse the user (name and email), which Apple only returns as form params on registration
 type Session struct {
--- a/internal/idp/providers/azuread/session.go
+++ b/internal/idp/providers/azuread/session.go
@@ -3,6 +3,7 @@ package azuread
 import (
 	"context"
 	"net/http"
+	"time"

 	"github.com/zitadel/oidc/v3/pkg/client/rp"
 	httphelper "github.com/zitadel/oidc/v3/pkg/http"
@@ -12,6 +13,8 @@ import (
 	"github.com/zitadel/zitadel/internal/idp/providers/oauth"
 )

+var _ idp.Session = (*Session)(nil)
+
 // Session extends the [oauth.Session] to be able to handle the id_token and to implement the [idp.SessionSupportsMigration] functionality
 type Session struct {
 	*Provider
@@ -79,6 +82,13 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 	return user, nil
 }

+func (s *Session) ExpiresAt() time.Time {
+	if s.OAuthSession == nil {
+		return time.Time{}
+	}
+	return s.OAuthSession.ExpiresAt()
+}
+
 // Tokens returns the [oidc.Tokens] of the underlying [oauth.Session].
 func (s *Session) Tokens() *oidc.Tokens[*oidc.IDTokenClaims] {
 	return s.oauth().Tokens
--- a/internal/idp/providers/jwt/session.go
+++ b/internal/idp/providers/jwt/session.go
@@ -57,6 +57,13 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 	return &User{s.Tokens.IDTokenClaims}, nil
 }

+func (s *Session) ExpiresAt() time.Time {
+	if s.Tokens == nil || s.Tokens.IDTokenClaims == nil {
+		return time.Time{}
+	}
+	return s.Tokens.IDTokenClaims.GetExpiration()
+}
+
 func (s *Session) validateToken(ctx context.Context, token string) (*oidc.IDTokenClaims, error) {
 	logging.Debug("begin token validation")
 	// TODO: be able to specify them in the template: https://github.com/zitadel/zitadel/issues/5322
--- a/internal/idp/providers/ldap/session.go
+++ b/internal/idp/providers/ldap/session.go
@@ -96,6 +96,10 @@ func (s *Session) FetchUser(_ context.Context) (_ idp.User, err error) {
 	)
 }

+func (s *Session) ExpiresAt() time.Time {
+	return time.Time{} // falls back to the default expiration time
+}
+
 func tryBind(
 	server string,
 	startTLS bool,
--- a/internal/idp/providers/oauth/session.go
+++ b/internal/idp/providers/oauth/session.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"net/http"
+	"time"

 	"github.com/zitadel/oidc/v3/pkg/client/rp"
 	httphelper "github.com/zitadel/oidc/v3/pkg/http"
@@ -69,6 +70,13 @@ func (s *Session) FetchUser(ctx context.Context) (_ idp.User, err error) {
 	return user, nil
 }

+func (s *Session) ExpiresAt() time.Time {
+	if s.Tokens == nil {
+		return time.Time{}
+	}
+	return s.Tokens.Expiry
+}
+
 func (s *Session) authorize(ctx context.Context) (err error) {
 	if s.Code == "" {
 		return ErrCodeMissing
--- a/internal/idp/providers/oidc/session.go
+++ b/internal/idp/providers/oidc/session.go
@@ -3,6 +3,7 @@ package oidc
 import (
 	"context"
 	"errors"
+	"time"

 	"github.com/zitadel/oidc/v3/pkg/client/rp"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
@@ -72,6 +73,13 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 	return u, nil
 }

+func (s *Session) ExpiresAt() time.Time {
+	if s.Tokens == nil {
+		return time.Time{}
+	}
+	return s.Tokens.Expiry
+}
+
 func (s *Session) Authorize(ctx context.Context) (err error) {
 	if s.Code == "" {
 		return ErrCodeMissing
--- a/internal/idp/providers/saml/session.go
+++ b/internal/idp/providers/saml/session.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"net/http"
 	"net/url"
+	"time"

 	"github.com/crewjam/saml"
 	"github.com/crewjam/saml/samlsp"
@@ -107,6 +108,13 @@ func (s *Session) FetchUser(ctx context.Context) (user idp.User, err error) {
 	return userMapper, nil
 }

+func (s *Session) ExpiresAt() time.Time {
+	if s.Assertion == nil || s.Assertion.Conditions == nil {
+		return time.Time{}
+	}
+	return s.Assertion.Conditions.NotOnOrAfter
+}
+
 func (s *Session) transientMappingID() (string, error) {
 	for _, statement := range s.Assertion.AttributeStatements {
 		for _, attribute := range statement.Attributes {
--- a/internal/idp/session.go
+++ b/internal/idp/session.go
@@ -2,6 +2,7 @@ package idp

 import (
 	"context"
+	"time"
 )

 // Session is the minimal implementation for a session of a 3rd party authentication [Provider]
@@ -9,6 +10,7 @@ type Session interface {
 	GetAuth(ctx context.Context) (content string, redirect bool)
 	PersistentParameters() map[string]any
 	FetchUser(ctx context.Context) (User, error)
+	ExpiresAt() time.Time
 }

 // SessionSupportsMigration is an optional extension to the Session interface.