perf(oidc): optimize the introspection endpoint (#6909)

* get key by id and cache them

* userinfo from events for v2 tokens

* improve keyset caching

* concurrent token and client checks

* client and project in single query

* logging and otel

* drop owner_removed column on apps and authN tables

* userinfo and project roles in go routines

* get  oidc user info from projections and add actions

* add avatar URL

* some cleanup

* pull oidc work branch

* remove storage from server

* add config flag for experimental introspection

* legacy introspection flag

* drop owner_removed column on user projections

* drop owner_removed column on useer_metadata

* query userinfo unit test

* query introspection client test

* add user_grants to the userinfo query

* handle PAT scopes

* bring triggers back

* test instance keys query

* add userinfo unit tests

* unit test keys

* go mod tidy

* solve some bugs

* fix missing preferred login name

* do not run triggers in go routines, they seem to deadlock

* initialize the trigger handlers late with a sync.OnceValue

* Revert "do not run triggers in go routines, they seem to deadlock"

This reverts commit 2a03da2127.

* add missing translations

* chore: update go version for linting

* pin oidc version

* parse a global time location for query test

* fix linter complains

* upgrade go lint

* fix more linting issues

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>

internal/notification/handlers/mock/queries.mock.go

@@ -6,37 +6,38 @@ package mock
 
 import (
 	context "context"
+	reflect "reflect"
+
 	gomock "github.com/golang/mock/gomock"
 	domain "github.com/zitadel/zitadel/internal/domain"
 	query "github.com/zitadel/zitadel/internal/query"
 	language "golang.org/x/text/language"
-	reflect "reflect"
 )
 
-// MockQueries is a mock of Queries interface
+// MockQueries is a mock of Queries interface.
 type MockQueries struct {
 	ctrl     *gomock.Controller
 	recorder *MockQueriesMockRecorder
 }
 
-// MockQueriesMockRecorder is the mock recorder for MockQueries
+// MockQueriesMockRecorder is the mock recorder for MockQueries.
 type MockQueriesMockRecorder struct {
 	mock *MockQueries
 }
 
-// NewMockQueries creates a new mock instance
+// NewMockQueries creates a new mock instance.
 func NewMockQueries(ctrl *gomock.Controller) *MockQueries {
 	mock := &MockQueries{ctrl: ctrl}
 	mock.recorder = &MockQueriesMockRecorder{mock}
 	return mock
 }
 
-// EXPECT returns an object that allows the caller to indicate expected use
+// EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockQueries) EXPECT() *MockQueriesMockRecorder {
 	return m.recorder
 }
 
-// ActiveLabelPolicyByOrg mocks base method
+// ActiveLabelPolicyByOrg mocks base method.
 func (m *MockQueries) ActiveLabelPolicyByOrg(arg0 context.Context, arg1 string, arg2 bool) (*query.LabelPolicy, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "ActiveLabelPolicyByOrg", arg0, arg1, arg2)
@@ -45,13 +46,13 @@ func (m *MockQueries) ActiveLabelPolicyByOrg(arg0 context.Context, arg1 string,
 	return ret0, ret1
 }
 
-// ActiveLabelPolicyByOrg indicates an expected call of ActiveLabelPolicyByOrg
+// ActiveLabelPolicyByOrg indicates an expected call of ActiveLabelPolicyByOrg.
 func (mr *MockQueriesMockRecorder) ActiveLabelPolicyByOrg(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ActiveLabelPolicyByOrg", reflect.TypeOf((*MockQueries)(nil).ActiveLabelPolicyByOrg), arg0, arg1, arg2)
 }
 
-// CustomTextListByTemplate mocks base method
+// CustomTextListByTemplate mocks base method.
 func (m *MockQueries) CustomTextListByTemplate(arg0 context.Context, arg1, arg2 string, arg3 bool) (*query.CustomTexts, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "CustomTextListByTemplate", arg0, arg1, arg2, arg3)
@@ -60,13 +61,13 @@ func (m *MockQueries) CustomTextListByTemplate(arg0 context.Context, arg1, arg2
 	return ret0, ret1
 }
 
-// CustomTextListByTemplate indicates an expected call of CustomTextListByTemplate
+// CustomTextListByTemplate indicates an expected call of CustomTextListByTemplate.
 func (mr *MockQueriesMockRecorder) CustomTextListByTemplate(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CustomTextListByTemplate", reflect.TypeOf((*MockQueries)(nil).CustomTextListByTemplate), arg0, arg1, arg2, arg3)
 }
 
-// GetDefaultLanguage mocks base method
+// GetDefaultLanguage mocks base method.
 func (m *MockQueries) GetDefaultLanguage(arg0 context.Context) language.Tag {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "GetDefaultLanguage", arg0)
@@ -74,17 +75,17 @@ func (m *MockQueries) GetDefaultLanguage(arg0 context.Context) language.Tag {
 	return ret0
 }
 
-// GetDefaultLanguage indicates an expected call of GetDefaultLanguage
+// GetDefaultLanguage indicates an expected call of GetDefaultLanguage.
 func (mr *MockQueriesMockRecorder) GetDefaultLanguage(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetDefaultLanguage", reflect.TypeOf((*MockQueries)(nil).GetDefaultLanguage), arg0)
 }
 
-// GetNotifyUserByID mocks base method
-func (m *MockQueries) GetNotifyUserByID(arg0 context.Context, arg1 bool, arg2 string, arg3 bool, arg4 ...query.SearchQuery) (*query.NotifyUser, error) {
+// GetNotifyUserByID mocks base method.
+func (m *MockQueries) GetNotifyUserByID(arg0 context.Context, arg1 bool, arg2 string, arg3 ...query.SearchQuery) (*query.NotifyUser, error) {
 	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1, arg2, arg3}
-	for _, a := range arg4 {
+	varargs := []interface{}{arg0, arg1, arg2}
+	for _, a := range arg3 {
 		varargs = append(varargs, a)
 	}
 	ret := m.ctrl.Call(m, "GetNotifyUserByID", varargs...)
@@ -93,14 +94,14 @@ func (m *MockQueries) GetNotifyUserByID(arg0 context.Context, arg1 bool, arg2 st
 	return ret0, ret1
 }
 
-// GetNotifyUserByID indicates an expected call of GetNotifyUserByID
-func (mr *MockQueriesMockRecorder) GetNotifyUserByID(arg0, arg1, arg2, arg3 interface{}, arg4 ...interface{}) *gomock.Call {
+// GetNotifyUserByID indicates an expected call of GetNotifyUserByID.
+func (mr *MockQueriesMockRecorder) GetNotifyUserByID(arg0, arg1, arg2 interface{}, arg3 ...interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1, arg2, arg3}, arg4...)
+	varargs := append([]interface{}{arg0, arg1, arg2}, arg3...)
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetNotifyUserByID", reflect.TypeOf((*MockQueries)(nil).GetNotifyUserByID), varargs...)
 }
 
-// MailTemplateByOrg mocks base method
+// MailTemplateByOrg mocks base method.
 func (m *MockQueries) MailTemplateByOrg(arg0 context.Context, arg1 string, arg2 bool) (*query.MailTemplate, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "MailTemplateByOrg", arg0, arg1, arg2)
@@ -109,13 +110,13 @@ func (m *MockQueries) MailTemplateByOrg(arg0 context.Context, arg1 string, arg2
 	return ret0, ret1
 }
 
-// MailTemplateByOrg indicates an expected call of MailTemplateByOrg
+// MailTemplateByOrg indicates an expected call of MailTemplateByOrg.
 func (mr *MockQueriesMockRecorder) MailTemplateByOrg(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "MailTemplateByOrg", reflect.TypeOf((*MockQueries)(nil).MailTemplateByOrg), arg0, arg1, arg2)
 }
 
-// NotificationPolicyByOrg mocks base method
+// NotificationPolicyByOrg mocks base method.
 func (m *MockQueries) NotificationPolicyByOrg(arg0 context.Context, arg1 bool, arg2 string, arg3 bool) (*query.NotificationPolicy, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "NotificationPolicyByOrg", arg0, arg1, arg2, arg3)
@@ -124,13 +125,13 @@ func (m *MockQueries) NotificationPolicyByOrg(arg0 context.Context, arg1 bool, a
 	return ret0, ret1
 }
 
-// NotificationPolicyByOrg indicates an expected call of NotificationPolicyByOrg
+// NotificationPolicyByOrg indicates an expected call of NotificationPolicyByOrg.
 func (mr *MockQueriesMockRecorder) NotificationPolicyByOrg(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NotificationPolicyByOrg", reflect.TypeOf((*MockQueries)(nil).NotificationPolicyByOrg), arg0, arg1, arg2, arg3)
 }
 
-// NotificationProviderByIDAndType mocks base method
+// NotificationProviderByIDAndType mocks base method.
 func (m *MockQueries) NotificationProviderByIDAndType(arg0 context.Context, arg1 string, arg2 domain.NotificationProviderType) (*query.DebugNotificationProvider, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "NotificationProviderByIDAndType", arg0, arg1, arg2)
@@ -139,13 +140,13 @@ func (m *MockQueries) NotificationProviderByIDAndType(arg0 context.Context, arg1
 	return ret0, ret1
 }
 
-// NotificationProviderByIDAndType indicates an expected call of NotificationProviderByIDAndType
+// NotificationProviderByIDAndType indicates an expected call of NotificationProviderByIDAndType.
 func (mr *MockQueriesMockRecorder) NotificationProviderByIDAndType(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NotificationProviderByIDAndType", reflect.TypeOf((*MockQueries)(nil).NotificationProviderByIDAndType), arg0, arg1, arg2)
 }
 
-// SMSProviderConfig mocks base method
+// SMSProviderConfig mocks base method.
 func (m *MockQueries) SMSProviderConfig(arg0 context.Context, arg1 ...query.SearchQuery) (*query.SMSConfig, error) {
 	m.ctrl.T.Helper()
 	varargs := []interface{}{arg0}
@@ -158,14 +159,14 @@ func (m *MockQueries) SMSProviderConfig(arg0 context.Context, arg1 ...query.Sear
 	return ret0, ret1
 }
 
-// SMSProviderConfig indicates an expected call of SMSProviderConfig
+// SMSProviderConfig indicates an expected call of SMSProviderConfig.
 func (mr *MockQueriesMockRecorder) SMSProviderConfig(arg0 interface{}, arg1 ...interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	varargs := append([]interface{}{arg0}, arg1...)
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SMSProviderConfig", reflect.TypeOf((*MockQueries)(nil).SMSProviderConfig), varargs...)
 }
 
-// SMTPConfigByAggregateID mocks base method
+// SMTPConfigByAggregateID mocks base method.
 func (m *MockQueries) SMTPConfigByAggregateID(arg0 context.Context, arg1 string) (*query.SMTPConfig, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SMTPConfigByAggregateID", arg0, arg1)
@@ -174,13 +175,13 @@ func (m *MockQueries) SMTPConfigByAggregateID(arg0 context.Context, arg1 string)
 	return ret0, ret1
 }
 
-// SMTPConfigByAggregateID indicates an expected call of SMTPConfigByAggregateID
+// SMTPConfigByAggregateID indicates an expected call of SMTPConfigByAggregateID.
 func (mr *MockQueriesMockRecorder) SMTPConfigByAggregateID(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SMTPConfigByAggregateID", reflect.TypeOf((*MockQueries)(nil).SMTPConfigByAggregateID), arg0, arg1)
 }
 
-// SearchInstanceDomains mocks base method
+// SearchInstanceDomains mocks base method.
 func (m *MockQueries) SearchInstanceDomains(arg0 context.Context, arg1 *query.InstanceDomainSearchQueries) (*query.InstanceDomains, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SearchInstanceDomains", arg0, arg1)
@@ -189,13 +190,13 @@ func (m *MockQueries) SearchInstanceDomains(arg0 context.Context, arg1 *query.In
 	return ret0, ret1
 }
 
-// SearchInstanceDomains indicates an expected call of SearchInstanceDomains
+// SearchInstanceDomains indicates an expected call of SearchInstanceDomains.
 func (mr *MockQueriesMockRecorder) SearchInstanceDomains(arg0, arg1 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchInstanceDomains", reflect.TypeOf((*MockQueries)(nil).SearchInstanceDomains), arg0, arg1)
 }
 
-// SearchMilestones mocks base method
+// SearchMilestones mocks base method.
 func (m *MockQueries) SearchMilestones(arg0 context.Context, arg1 []string, arg2 *query.MilestonesSearchQueries) (*query.Milestones, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SearchMilestones", arg0, arg1, arg2)
@@ -204,13 +205,13 @@ func (m *MockQueries) SearchMilestones(arg0 context.Context, arg1 []string, arg2
 	return ret0, ret1
 }
 
-// SearchMilestones indicates an expected call of SearchMilestones
+// SearchMilestones indicates an expected call of SearchMilestones.
 func (mr *MockQueriesMockRecorder) SearchMilestones(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchMilestones", reflect.TypeOf((*MockQueries)(nil).SearchMilestones), arg0, arg1, arg2)
 }
 
-// SessionByID mocks base method
+// SessionByID mocks base method.
 func (m *MockQueries) SessionByID(arg0 context.Context, arg1 bool, arg2, arg3 string) (*query.Session, error) {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "SessionByID", arg0, arg1, arg2, arg3)
@@ -219,7 +220,7 @@ func (m *MockQueries) SessionByID(arg0 context.Context, arg1 bool, arg2, arg3 st
 	return ret0, ret1
 }
 
-// SessionByID indicates an expected call of SessionByID
+// SessionByID indicates an expected call of SessionByID.
 func (mr *MockQueriesMockRecorder) SessionByID(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SessionByID", reflect.TypeOf((*MockQueries)(nil).SessionByID), arg0, arg1, arg2, arg3)

internal/notification/handlers/queries.go

@@ -15,7 +15,7 @@ import (
 type Queries interface {
 	ActiveLabelPolicyByOrg(ctx context.Context, orgID string, withOwnerRemoved bool) (*query.LabelPolicy, error)
 	MailTemplateByOrg(ctx context.Context, orgID string, withOwnerRemoved bool) (*query.MailTemplate, error)
-	GetNotifyUserByID(ctx context.Context, shouldTriggered bool, userID string, withOwnerRemoved bool, queries ...query.SearchQuery) (*query.NotifyUser, error)
+	GetNotifyUserByID(ctx context.Context, shouldTriggered bool, userID string, queries ...query.SearchQuery) (*query.NotifyUser, error)
 	CustomTextListByTemplate(ctx context.Context, aggregateID, template string, withOwnerRemoved bool) (*query.CustomTexts, error)
 	SearchInstanceDomains(ctx context.Context, queries *query.InstanceDomainSearchQueries) (*query.InstanceDomains, error)
 	SessionByID(ctx context.Context, shouldTriggerBulk bool, id, sessionToken string) (*query.Session, error)

internal/notification/handlers/user_notifier.go

@@ -155,7 +155,7 @@ func (u *userNotifier) reduceInitCodeAdded(event eventstore.Event) (*handler.Sta
 			return err
 		}
 
-		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID)
 		if err != nil {
 			return err
 		}
@@ -212,7 +212,7 @@ func (u *userNotifier) reduceEmailCodeAdded(event eventstore.Event) (*handler.St
 			return err
 		}
 
-		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID)
 		if err != nil {
 			return err
 		}
@@ -268,7 +268,7 @@ func (u *userNotifier) reducePasswordCodeAdded(event eventstore.Event) (*handler
 			return err
 		}
 
-		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID)
 		if err != nil {
 			return err
 		}
@@ -361,7 +361,7 @@ func (u *userNotifier) reduceOTPSMS(
 		return nil, err
 	}
 
-	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, userID, false)
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -479,7 +479,7 @@ func (u *userNotifier) reduceOTPEmail(
 		return nil, err
 	}
 
-	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, userID, false)
+	notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, userID)
 	if err != nil {
 		return nil, err
 	}
@@ -532,7 +532,7 @@ func (u *userNotifier) reduceDomainClaimed(event eventstore.Event) (*handler.Sta
 			return err
 		}
 
-		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID)
 		if err != nil {
 			return err
 		}
@@ -586,7 +586,7 @@ func (u *userNotifier) reducePasswordlessCodeRequested(event eventstore.Event) (
 			return err
 		}
 
-		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID)
 		if err != nil {
 			return err
 		}
@@ -646,7 +646,7 @@ func (u *userNotifier) reducePasswordChanged(event eventstore.Event) (*handler.S
 			return err
 		}
 
-		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID)
 		if err != nil {
 			return err
 		}
@@ -696,7 +696,7 @@ func (u *userNotifier) reducePhoneCodeAdded(event eventstore.Event) (*handler.St
 			return err
 		}
 
-		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID, false)
+		notifyUser, err := u.queries.GetNotifyUserByID(ctx, true, e.Aggregate().ID)
 		if err != nil {
 			return err
 		}

internal/notification/handlers/user_notifier_test.go

@@ -1373,7 +1373,7 @@ func expectTemplateQueries(queries *mock.MockQueries, template string) {
 		},
 	}, nil)
 	queries.EXPECT().MailTemplateByOrg(gomock.Any(), gomock.Any(), gomock.Any()).Return(&query.MailTemplate{Template: []byte(template)}, nil)
-	queries.EXPECT().GetNotifyUserByID(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).Return(&query.NotifyUser{
+	queries.EXPECT().GetNotifyUserByID(gomock.Any(), gomock.Any(), gomock.Any()).Return(&query.NotifyUser{
 		ID:                 userID,
 		ResourceOwner:      orgID,
 		LastEmail:          lastEmail,