fix: consider oidc session events for authN milestones (#8089)

# Which Problems Are Solved After migrating the access token events in #7822, milestones based on authentication, resp. theses events would not be reached. # How the Problems Are Solved Additionally use the `oidc_session.Added` event to check for `milestone.AuthenticationSucceededOnInstance` and `milestone.AuthenticationSucceededOnApplication`. # Additional Changes None. # Additional Context - relates to #7822 - noticed internally
2025-08-12 04:57:33 +00:00 · 2024-06-12 06:49:14 +02:00
parent b42a3ad309
commit b6c10c4c83
12 changed files with 213 additions and 33 deletions
--- a/internal/query/projection/milestones.go
+++ b/internal/query/projection/milestones.go
@@ -10,6 +10,7 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 	"github.com/zitadel/zitadel/internal/repository/milestone"
+	"github.com/zitadel/zitadel/internal/repository/oidcsession"
 	"github.com/zitadel/zitadel/internal/repository/project"
 	"github.com/zitadel/zitadel/internal/repository/user"
 )
@@ -104,6 +105,15 @@ func (p *milestoneProjection) Reducers() []handler.AggregateReducer {
 				},
 			},
 		},
+		{
+			Aggregate: oidcsession.AggregateType,
+			EventReducers: []handler.EventReducer{
+				{
+					Event:  oidcsession.AddedType,
+					Reduce: p.reduceOIDCSessionAdded,
+				},
+			},
+		},
 		{
 			Aggregate: milestone.AggregateType,
 			EventReducers: []handler.EventReducer{
@@ -217,6 +227,40 @@ func (p *milestoneProjection) reduceUserTokenAdded(event eventstore.Event) (*han
 	return handler.NewMultiStatement(e, statements...), nil
 }

+func (p *milestoneProjection) reduceOIDCSessionAdded(event eventstore.Event) (*handler.Statement, error) {
+	e, err := assertEvent[*oidcsession.AddedEvent](event)
+	if err != nil {
+		return nil, err
+	}
+	statements := []func(eventstore.Event) handler.Exec{
+		handler.AddUpdateStatement(
+			[]handler.Column{
+				handler.NewCol(MilestoneColumnReachedDate, event.CreatedAt()),
+			},
+			[]handler.Condition{
+				handler.NewCond(MilestoneColumnInstanceID, event.Aggregate().InstanceID),
+				handler.NewCond(MilestoneColumnType, milestone.AuthenticationSucceededOnInstance),
+				handler.NewIsNullCond(MilestoneColumnReachedDate),
+			},
+		),
+	}
+	// We ignore authentications without app, for example JWT profile or PAT
+	if e.ClientID != "" {
+		statements = append(statements, handler.AddUpdateStatement(
+			[]handler.Column{
+				handler.NewCol(MilestoneColumnReachedDate, event.CreatedAt()),
+			},
+			[]handler.Condition{
+				handler.NewCond(MilestoneColumnInstanceID, event.Aggregate().InstanceID),
+				handler.NewCond(MilestoneColumnType, milestone.AuthenticationSucceededOnApplication),
+				handler.Not(handler.NewTextArrayContainsCond(MilestoneColumnIgnoreClientIDs, e.ClientID)),
+				handler.NewIsNullCond(MilestoneColumnReachedDate),
+			},
+		))
+	}
+	return handler.NewMultiStatement(e, statements...), nil
+}
+
 func (p *milestoneProjection) reduceInstanceRemoved(event eventstore.Event) (*handler.Statement, error) {
 	if _, err := assertEvent[*instance.InstanceRemovedEvent](event); err != nil {
 		return nil, err