fix: consider oidc session events for authN milestones (#8089)

# Which Problems Are Solved After migrating the access token events in #7822, milestones based on authentication, resp. theses events would not be reached. # How the Problems Are Solved Additionally use the `oidc_session.Added` event to check for `milestone.AuthenticationSucceededOnInstance` and `milestone.AuthenticationSucceededOnApplication`. # Additional Changes None. # Additional Context - relates to #7822 - noticed internally
2025-08-12 01:47:33 +00:00 · 2024-06-12 06:49:14 +02:00
parent b42a3ad309
commit b6c10c4c83
12 changed files with 213 additions and 33 deletions
--- a/internal/query/projection/milestones.go
+++ b/internal/query/projection/milestones.go
@@ -10,6 +10,7 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/milestone"
+	"github.com/zitadel/zitadel/internal/repository/oidcsession"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/user"
 )
@@ -104,6 +105,15 @@ func (p *milestoneProjection) Reducers() []handler.AggregateReducer {
 				},
 			},
 		},
+		{
+			Aggregate: oidcsession.AggregateType,
+			EventReducers: []handler.EventReducer{
+				{
+					Event:  oidcsession.AddedType,
+					Reduce: p.reduceOIDCSessionAdded,
+				},
+			},
+		},
 		{
 			Aggregate: milestone.AggregateType,
 			EventReducers: []handler.EventReducer{
@@ -217,6 +227,40 @@ func (p *milestoneProjection) reduceUserTokenAdded(event eventstore.Event) (*han
 	return handler.NewMultiStatement(e, statements...), nil
 }

+func (p *milestoneProjection) reduceOIDCSessionAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, err := assertEvent[*oidcsession.AddedEvent](event)
+	if err != nil {
+		return nil, err
+	}
+	statements := []func(eventstore.Event) handler.Exec{
+		handler.AddUpdateStatement(
+			[]handler.Column{
+				handler.NewCol(MilestoneColumnReachedDate, event.CreatedAt()),
+			},
+			[]handler.Condition{
+				handler.NewCond(MilestoneColumnInstanceID, event.Aggregate().InstanceID),
+				handler.NewCond(MilestoneColumnType, milestone.AuthenticationSucceededOnInstance),
+				handler.NewIsNullCond(MilestoneColumnReachedDate),
+			},
+		),
+	}
+	// We ignore authentications without app, for example JWT profile or PAT
+	if e.ClientID != "" {
+		statements = append(statements, handler.AddUpdateStatement(
+			[]handler.Column{
+				handler.NewCol(MilestoneColumnReachedDate, event.CreatedAt()),
+			},
+			[]handler.Condition{
+				handler.NewCond(MilestoneColumnInstanceID, event.Aggregate().InstanceID),
+				handler.NewCond(MilestoneColumnType, milestone.AuthenticationSucceededOnApplication),
+				handler.Not(handler.NewTextArrayContainsCond(MilestoneColumnIgnoreClientIDs, e.ClientID)),
+				handler.NewIsNullCond(MilestoneColumnReachedDate),
+			},
+		))
+	}
+	return handler.NewMultiStatement(e, statements...), nil
+}
+
 func (p *milestoneProjection) reduceInstanceRemoved(event eventstore.Event) (*handler.Statement, error) {
 	if _, err := assertEvent[*instance.InstanceRemovedEvent](event); err != nil {
 		return nil, err
--- a/internal/query/projection/milestones_test.go
+++ b/internal/query/projection/milestones_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/milestone"
+	"github.com/zitadel/zitadel/internal/repository/oidcsession"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/user"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -294,6 +295,43 @@ func TestMilestonesProjection_reduces(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "reduceOIDCSessionAdded",
+			args: args{
+				event: getEvent(timedTestEvent(
+					oidcsession.AddedType,
+					oidcsession.AggregateType,
+					[]byte(`{"clientID": "client-id"}`),
+					now,
+				), eventstore.GenericEventMapper[oidcsession.AddedEvent]),
+			},
+			reduce: (&milestoneProjection{}).reduceOIDCSessionAdded,
+			want: wantReduce{
+				aggregateType: eventstore.AggregateType("oidc_session"),
+				sequence:      15,
+				executer: &testExecuter{
+					executions: []execution{
+						{
+							expectedStmt: "UPDATE projections.milestones SET reached_date = $1 WHERE (instance_id = $2) AND (type = $3) AND (reached_date IS NULL)",
+							expectedArgs: []interface{}{
+								now,
+								"instance-id",
+								milestone.AuthenticationSucceededOnInstance,
+							},
+						},
+						{
+							expectedStmt: "UPDATE projections.milestones SET reached_date = $1 WHERE (instance_id = $2) AND (type = $3) AND (NOT (ignore_client_ids @> $4)) AND (reached_date IS NULL)",
+							expectedArgs: []interface{}{
+								now,
+								"instance-id",
+								milestone.AuthenticationSucceededOnApplication,
+								database.TextArray[string]{"client-id"},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "reduceInstanceRemoved",
 			args: args{