perf(oidc): optimize the introspection endpoint (#6909)

* get key by id and cache them * userinfo from events for v2 tokens * improve keyset caching * concurrent token and client checks * client and project in single query * logging and otel * drop owner_removed column on apps and authN tables * userinfo and project roles in go routines * get oidc user info from projections and add actions * add avatar URL * some cleanup * pull oidc work branch * remove storage from server * add config flag for experimental introspection * legacy introspection flag * drop owner_removed column on user projections * drop owner_removed column on useer_metadata * query userinfo unit test * query introspection client test * add user_grants to the userinfo query * handle PAT scopes * bring triggers back * test instance keys query * add userinfo unit tests * unit test keys * go mod tidy * solve some bugs * fix missing preferred login name * do not run triggers in go routines, they seem to deadlock * initialize the trigger handlers late with a sync.OnceValue * Revert "do not run triggers in go routines, they seem to deadlock" This reverts commit 2a03da2127. * add missing translations * chore: update go version for linting * pin oidc version * parse a global time location for query test * fix linter complains * upgrade go lint * fix more linting issues --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 19:07:30 +00:00 · 2023-11-21 14:11:38 +02:00
parent ad3563d58b
commit ba9b807854
103 changed files with 3528 additions and 808 deletions
--- a/internal/query/introspection_test.go
+++ b/internal/query/introspection_test.go
@@ -0,0 +1,108 @@
+package query
+
+import (
+	"database/sql"
+	"database/sql/driver"
+	_ "embed"
+	"encoding/json"
+	"regexp"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+func TestQueries_GetIntrospectionClientByID(t *testing.T) {
+	secret := &crypto.CryptoValue{
+		CryptoType: crypto.TypeHash,
+		Algorithm:  "alg",
+		KeyID:      "keyID",
+		Crypted:    []byte("secret"),
+	}
+	encSecret, err := json.Marshal(secret)
+	require.NoError(t, err)
+
+	pubkeys := database.Map[[]byte]{
+		"key1": {1, 2, 3},
+		"key2": {4, 5, 6},
+	}
+	encPubkeys, err := pubkeys.Value()
+	require.NoError(t, err)
+
+	expQuery := regexp.QuoteMeta(introspectionClientByIDQuery)
+	type args struct {
+		clientID string
+		getKeys  bool
+	}
+	tests := []struct {
+		name    string
+		args    args
+		mock    sqlExpectation
+		want    *IntrospectionClient
+		wantErr error
+	}{
+		{
+			name: "query error",
+			args: args{
+				clientID: "clientID",
+				getKeys:  false,
+			},
+			mock:    mockQueryErr(expQuery, sql.ErrConnDone, "instanceID", "clientID", false),
+			wantErr: sql.ErrConnDone,
+		},
+		{
+			name: "success, secret",
+			args: args{
+				clientID: "clientID",
+				getKeys:  false,
+			},
+			mock: mockQuery(expQuery,
+				[]string{"client_id", "client_secret", "project_id", "public_keys"},
+				[]driver.Value{"clientID", encSecret, "projectID", nil},
+				"instanceID", "clientID", false),
+			want: &IntrospectionClient{
+				ClientID:     "clientID",
+				ClientSecret: secret,
+				ProjectID:    "projectID",
+				PublicKeys:   nil,
+			},
+		},
+		{
+			name: "success, keys",
+			args: args{
+				clientID: "clientID",
+				getKeys:  true,
+			},
+			mock: mockQuery(expQuery,
+				[]string{"client_id", "client_secret", "project_id", "public_keys"},
+				[]driver.Value{"clientID", nil, "projectID", encPubkeys},
+				"instanceID", "clientID", true),
+			want: &IntrospectionClient{
+				ClientID:     "clientID",
+				ClientSecret: nil,
+				ProjectID:    "projectID",
+				PublicKeys:   pubkeys,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			execMock(t, tt.mock, func(db *sql.DB) {
+				q := &Queries{
+					client: &database.DB{
+						DB:       db,
+						Database: &prepareDB{},
+					},
+				}
+				ctx := authz.NewMockContext("instanceID", "orgID", "userID")
+				got, err := q.GetIntrospectionClientByID(ctx, tt.args.clientID, tt.args.getKeys)
+				require.ErrorIs(t, err, tt.wantErr)
+				assert.Equal(t, tt.want, got)
+			})
+		})
+	}
+}