feat: jwt as idp (#2363)

* feat: jwt idp * feat: command side * feat: add tests * fill idp views with jwt idps and return apis * add jwtEndpoint to jwt idp * begin jwt request handling * merge * handle jwt idp * cleanup * fixes * autoregister * get token from specific header name * error handling * fix texts * handle renderExternalNotFoundOption Co-authored-by: fabi <fabienne.gerschwiler@gmail.com>
2025-08-11 18:33:28 +00:00 · 2021-09-14 15:15:01 +02:00
parent 4e1d42259c
commit b6b5b1b782
54 changed files with 2575 additions and 71 deletions
--- a/internal/iam/model/idp_config.go
+++ b/internal/iam/model/idp_config.go
@@ -7,12 +7,13 @@ import (

 type IDPConfig struct {
 	es_models.ObjectRoot
-	IDPConfigID string
-	Type        IdpConfigType
-	Name        string
-	StylingType IDPStylingType
-	State       IDPConfigState
-	OIDCConfig  *OIDCIDPConfig
+	IDPConfigID  string
+	Type         IdpConfigType
+	Name         string
+	StylingType  IDPStylingType
+	State        IDPConfigState
+	OIDCConfig   *OIDCIDPConfig
+	JWTIDPConfig *JWTIDPConfig
 }

 type OIDCIDPConfig struct {
@@ -27,11 +28,20 @@ type OIDCIDPConfig struct {
 	UsernameMapping       OIDCMappingField
 }

+type JWTIDPConfig struct {
+	es_models.ObjectRoot
+	IDPConfigID  string
+	JWTEndpoint  string
+	Issuer       string
+	KeysEndpoint string
+}
+
 type IdpConfigType int32

 const (
 	IDPConfigTypeOIDC IdpConfigType = iota
 	IDPConfigTypeSAML
+	IDPConfigTypeJWT
 )

 type IDPConfigState int32
--- a/internal/iam/model/idp_config_view.go
+++ b/internal/iam/model/idp_config_view.go
@@ -29,6 +29,10 @@ type IDPConfigView struct {
 	OIDCUsernameMapping        OIDCMappingField
 	OAuthAuthorizationEndpoint string
 	OAuthTokenEndpoint         string
+	JWTEndpoint                string
+	JWTIssuer                  string
+	JWTKeysEndpoint            string
+	JWTHeaderName              string
 }

 type IDPConfigSearchRequest struct {
--- a/internal/iam/model/idp_provider_view.go
+++ b/internal/iam/model/idp_provider_view.go
@@ -100,6 +100,8 @@ func idpConfigTypeToDomain(idpType IdpConfigType) domain.IDPConfigType {
 		return domain.IDPConfigTypeOIDC
 	case IDPConfigTypeSAML:
 		return domain.IDPConfigTypeSAML
+	case IDPConfigTypeJWT:
+		return domain.IDPConfigTypeJWT
 	default:
 		return domain.IDPConfigTypeOIDC
 	}
--- a/internal/iam/repository/view/model/idp_config.go
+++ b/internal/iam/repository/view/model/idp_config.go
@@ -5,6 +5,8 @@ import (
 	"time"

 	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/repository/iam"
+	"github.com/caos/zitadel/internal/repository/org"

 	es_model "github.com/caos/zitadel/internal/iam/repository/eventsourcing/model"
 	org_es_model "github.com/caos/zitadel/internal/org/repository/eventsourcing/model"
@@ -44,12 +46,15 @@ type IDPConfigView struct {
 	OIDCUsernameMapping        int32               `json:"usernameMapping" gorm:"column:oidc_idp_username_mapping"`
 	OAuthAuthorizationEndpoint string              `json:"authorizationEndpoint" gorm:"column:oauth_authorization_endpoint"`
 	OAuthTokenEndpoint         string              `json:"tokenEndpoint" gorm:"column:oauth_token_endpoint"`
+	JWTEndpoint                string              `json:"jwtEndpoint" gorm:"jwt_endpoint"`
+	JWTKeysEndpoint            string              `json:"keysEndpoint" gorm:"jwt_keys_endpoint"`
+	JWTHeaderName              string              `json:"headerName" gorm:"jwt_header_name"`

 	Sequence uint64 `json:"-" gorm:"column:sequence"`
 }

 func IDPConfigViewToModel(idp *IDPConfigView) *model.IDPConfigView {
-	return &model.IDPConfigView{
+	view := &model.IDPConfigView{
 		IDPConfigID:                idp.IDPConfigID,
 		AggregateID:                idp.AggregateID,
 		State:                      model.IDPConfigState(idp.IDPState),
@@ -63,13 +68,21 @@ func IDPConfigViewToModel(idp *IDPConfigView) *model.IDPConfigView {
 		IsOIDC:                     idp.IsOIDC,
 		OIDCClientID:               idp.OIDCClientID,
 		OIDCClientSecret:           idp.OIDCClientSecret,
-		OIDCIssuer:                 idp.OIDCIssuer,
 		OIDCScopes:                 idp.OIDCScopes,
 		OIDCIDPDisplayNameMapping:  model.OIDCMappingField(idp.OIDCIDPDisplayNameMapping),
 		OIDCUsernameMapping:        model.OIDCMappingField(idp.OIDCUsernameMapping),
 		OAuthAuthorizationEndpoint: idp.OAuthAuthorizationEndpoint,
 		OAuthTokenEndpoint:         idp.OAuthTokenEndpoint,
 	}
+	if idp.IsOIDC {
+		view.OIDCIssuer = idp.OIDCIssuer
+		return view
+	}
+	view.JWTEndpoint = idp.JWTEndpoint
+	view.JWTIssuer = idp.OIDCIssuer
+	view.JWTKeysEndpoint = idp.JWTKeysEndpoint
+	view.JWTHeaderName = idp.JWTHeaderName
+	return view
 }

 func IdpConfigViewsToModel(idps []*IDPConfigView) []*model.IDPConfigView {
@@ -93,7 +106,9 @@ func (i *IDPConfigView) AppendEvent(providerType model.IDPProviderType, event *m
 		i.IsOIDC = true
 		err = i.SetData(event)
 	case es_model.OIDCIDPConfigChanged, org_es_model.OIDCIDPConfigChanged,
-		es_model.IDPConfigChanged, org_es_model.IDPConfigChanged:
+		es_model.IDPConfigChanged, org_es_model.IDPConfigChanged,
+		models.EventType(org.IDPJWTConfigAddedEventType), models.EventType(iam.IDPJWTConfigAddedEventType),
+		models.EventType(org.IDPJWTConfigChangedEventType), models.EventType(iam.IDPJWTConfigChangedEventType):
 		err = i.SetData(event)
 	case es_model.IDPConfigDeactivated, org_es_model.IDPConfigDeactivated:
 		i.IDPState = int32(model.IDPConfigStateInactive)