merge main into next

2025-08-12 04:07:31 +00:00 · 2023-10-19 12:34:00 +02:00
parent b5564572bc
commit bd23a7a56f
107 changed files with 1321 additions and 554 deletions
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -7,8 +7,8 @@ import (
 	"time"

 	"github.com/zitadel/logging"
-	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"github.com/zitadel/oidc/v2/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_utils "github.com/zitadel/zitadel/internal/api/http"
--- a/internal/api/oidc/auth_request_converter.go
+++ b/internal/api/oidc/auth_request_converter.go
@@ -6,8 +6,8 @@ import (
 	"strings"
 	"time"

-	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"github.com/zitadel/oidc/v2/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 	"golang.org/x/text/language"

 	"github.com/zitadel/zitadel/internal/api/authz"
--- a/internal/api/oidc/auth_request_converter_v2.go
+++ b/internal/api/oidc/auth_request_converter_v2.go
@@ -3,7 +3,7 @@ package oidc
 import (
 	"time"

-	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/oidc"

 	"github.com/zitadel/zitadel/internal/command"
 )
--- a/internal/api/oidc/auth_request_integration_test.go
+++ b/internal/api/oidc/auth_request_integration_test.go
@@ -11,8 +11,8 @@ import (
 	"github.com/muhlemmer/gu"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v2/pkg/client/rp"
-	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/oidc"

 	http_utils "github.com/zitadel/zitadel/internal/api/http"
 	oidc_api "github.com/zitadel/zitadel/internal/api/oidc"
@@ -103,7 +103,7 @@ func TestOPStorage_CreateAccessToken_implicit(t *testing.T) {
 	assert.Equal(t, "state", values.Get("state"))

 	// check id_token / claims
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURIImplicit)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURIImplicit)
 	require.NoError(t, err)
 	claims, err := rp.VerifyTokens[*oidc.IDTokenClaims](context.Background(), accessToken, idToken, provider.IDTokenVerifier())
 	require.NoError(t, err)
@@ -147,7 +147,7 @@ func TestOPStorage_CreateAccessAndRefreshTokens_code(t *testing.T) {

 func TestOPStorage_CreateAccessAndRefreshTokens_refresh(t *testing.T) {
 	clientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
 	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
 	sessionID, sessionToken, startTime, changeTime := Tester.CreateVerfiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
@@ -177,13 +177,13 @@ func TestOPStorage_CreateAccessAndRefreshTokens_refresh(t *testing.T) {
 	assertIDTokenClaims(t, newTokens.IDTokenClaims, armPasskey, startTime, changeTime)

 	// refresh with an old refresh_token must fail
-	_, err = rp.RefreshAccessToken(provider, tokens.RefreshToken, "", "")
+	_, err = rp.RefreshTokens[*oidc.IDTokenClaims](CTX, provider, tokens.RefreshToken, "", "")
 	require.Error(t, err)
 }

 func TestOPStorage_RevokeToken_access_token(t *testing.T) {
 	clientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
 	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
 	sessionID, sessionToken, startTime, changeTime := Tester.CreateVerfiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
@@ -206,11 +206,11 @@ func TestOPStorage_RevokeToken_access_token(t *testing.T) {
 	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)

 	// revoke access token
-	err = rp.RevokeToken(provider, tokens.AccessToken, "access_token")
+	err = rp.RevokeToken(CTX, provider, tokens.AccessToken, "access_token")
 	require.NoError(t, err)

 	// userinfo must fail
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.Error(t, err)

 	// refresh grant must still work
@@ -218,15 +218,15 @@ func TestOPStorage_RevokeToken_access_token(t *testing.T) {
 	require.NoError(t, err)

 	// revocation with the same access token must not fail (with or without hint)
-	err = rp.RevokeToken(provider, tokens.AccessToken, "access_token")
+	err = rp.RevokeToken(CTX, provider, tokens.AccessToken, "access_token")
 	require.NoError(t, err)
-	err = rp.RevokeToken(provider, tokens.AccessToken, "")
+	err = rp.RevokeToken(CTX, provider, tokens.AccessToken, "")
 	require.NoError(t, err)
 }

 func TestOPStorage_RevokeToken_access_token_invalid_token_hint_type(t *testing.T) {
 	clientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
 	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
 	sessionID, sessionToken, startTime, changeTime := Tester.CreateVerfiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
@@ -249,11 +249,11 @@ func TestOPStorage_RevokeToken_access_token_invalid_token_hint_type(t *testing.T
 	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)

 	// revoke access token
-	err = rp.RevokeToken(provider, tokens.AccessToken, "refresh_token")
+	err = rp.RevokeToken(CTX, provider, tokens.AccessToken, "refresh_token")
 	require.NoError(t, err)

 	// userinfo must fail
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.Error(t, err)

 	// refresh grant must still work
@@ -263,7 +263,7 @@ func TestOPStorage_RevokeToken_access_token_invalid_token_hint_type(t *testing.T

 func TestOPStorage_RevokeToken_refresh_token(t *testing.T) {
 	clientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
 	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
 	sessionID, sessionToken, startTime, changeTime := Tester.CreateVerfiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
@@ -286,11 +286,11 @@ func TestOPStorage_RevokeToken_refresh_token(t *testing.T) {
 	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)

 	// revoke refresh token -> invalidates also access token
-	err = rp.RevokeToken(provider, tokens.RefreshToken, "refresh_token")
+	err = rp.RevokeToken(CTX, provider, tokens.RefreshToken, "refresh_token")
 	require.NoError(t, err)

 	// userinfo must fail
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.Error(t, err)

 	// refresh must fail
@@ -298,15 +298,15 @@ func TestOPStorage_RevokeToken_refresh_token(t *testing.T) {
 	require.Error(t, err)

 	// revocation with the same refresh token must not fail (with or without hint)
-	err = rp.RevokeToken(provider, tokens.RefreshToken, "refresh_token")
+	err = rp.RevokeToken(CTX, provider, tokens.RefreshToken, "refresh_token")
 	require.NoError(t, err)
-	err = rp.RevokeToken(provider, tokens.RefreshToken, "")
+	err = rp.RevokeToken(CTX, provider, tokens.RefreshToken, "")
 	require.NoError(t, err)
 }

 func TestOPStorage_RevokeToken_refresh_token_invalid_token_type_hint(t *testing.T) {
 	clientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
 	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
 	sessionID, sessionToken, startTime, changeTime := Tester.CreateVerfiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
@@ -329,11 +329,11 @@ func TestOPStorage_RevokeToken_refresh_token_invalid_token_type_hint(t *testing.
 	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)

 	// revoke refresh token even with a wrong hint
-	err = rp.RevokeToken(provider, tokens.RefreshToken, "access_token")
+	err = rp.RevokeToken(CTX, provider, tokens.RefreshToken, "access_token")
 	require.NoError(t, err)

 	// userinfo must fail
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.Error(t, err)

 	// refresh must fail
@@ -365,15 +365,15 @@ func TestOPStorage_RevokeToken_invalid_client(t *testing.T) {

 	// simulate second client (not part of the audience) trying to revoke the token
 	otherClientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(otherClientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, otherClientID, redirectURI)
 	require.NoError(t, err)
-	err = rp.RevokeToken(provider, tokens.AccessToken, "")
+	err = rp.RevokeToken(CTX, provider, tokens.AccessToken, "")
 	require.Error(t, err)
 }

 func TestOPStorage_TerminateSession(t *testing.T) {
 	clientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
 	authRequestID := createAuthRequest(t, clientID, redirectURI)
 	sessionID, sessionToken, startTime, changeTime := Tester.CreateVerfiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
@@ -396,21 +396,21 @@ func TestOPStorage_TerminateSession(t *testing.T) {
 	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)

 	// userinfo must not fail
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.NoError(t, err)

-	postLogoutRedirect, err := rp.EndSession(provider, tokens.IDToken, logoutRedirectURI, "state")
+	postLogoutRedirect, err := rp.EndSession(CTX, provider, tokens.IDToken, logoutRedirectURI, "state")
 	require.NoError(t, err)
 	assert.Equal(t, logoutRedirectURI+"?state=state", postLogoutRedirect.String())

 	// userinfo must fail
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.Error(t, err)
 }

 func TestOPStorage_TerminateSession_refresh_grant(t *testing.T) {
 	clientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
 	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
 	sessionID, sessionToken, startTime, changeTime := Tester.CreateVerfiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
@@ -433,28 +433,28 @@ func TestOPStorage_TerminateSession_refresh_grant(t *testing.T) {
 	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)

 	// userinfo must not fail
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.NoError(t, err)

-	postLogoutRedirect, err := rp.EndSession(provider, tokens.IDToken, logoutRedirectURI, "state")
+	postLogoutRedirect, err := rp.EndSession(CTX, provider, tokens.IDToken, logoutRedirectURI, "state")
 	require.NoError(t, err)
 	assert.Equal(t, logoutRedirectURI+"?state=state", postLogoutRedirect.String())

 	// userinfo must fail
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.Error(t, err)

 	refreshedTokens, err := refreshTokens(t, clientID, tokens.RefreshToken)
 	require.NoError(t, err)

 	// userinfo must not fail
-	_, err = rp.Userinfo(refreshedTokens.AccessToken, refreshedTokens.TokenType, refreshedTokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, refreshedTokens.AccessToken, refreshedTokens.TokenType, refreshedTokens.IDTokenClaims.Subject, provider)
 	require.NoError(t, err)
 }

 func TestOPStorage_TerminateSession_empty_id_token_hint(t *testing.T) {
 	clientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
 	authRequestID := createAuthRequest(t, clientID, redirectURI)
 	sessionID, sessionToken, startTime, changeTime := Tester.CreateVerfiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
@@ -476,12 +476,12 @@ func TestOPStorage_TerminateSession_empty_id_token_hint(t *testing.T) {
 	assertTokens(t, tokens, false)
 	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)

-	postLogoutRedirect, err := rp.EndSession(provider, "", logoutRedirectURI, "state")
+	postLogoutRedirect, err := rp.EndSession(CTX, provider, "", logoutRedirectURI, "state")
 	require.NoError(t, err)
 	assert.Equal(t, http_utils.BuildOrigin(Tester.Host(), Tester.Config.ExternalSecure)+Tester.Config.OIDC.DefaultLogoutURLV2+logoutRedirectURI+"?state=state", postLogoutRedirect.String())

 	// userinfo must not fail until login UI terminated session
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.NoError(t, err)

 	// simulate termination by login UI
@@ -492,12 +492,12 @@ func TestOPStorage_TerminateSession_empty_id_token_hint(t *testing.T) {
 	require.NoError(t, err)

 	// userinfo must fail
-	_, err = rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.Error(t, err)
 }

 func exchangeTokens(t testing.TB, clientID, code string) (*oidc.Tokens[*oidc.IDTokenClaims], error) {
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)

 	codeVerifier := "codeVerifier"
@@ -505,23 +505,10 @@ func exchangeTokens(t testing.TB, clientID, code string) (*oidc.Tokens[*oidc.IDT
 }

 func refreshTokens(t testing.TB, clientID, refreshToken string) (*oidc.Tokens[*oidc.IDTokenClaims], error) {
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)

-	tokens, err := rp.RefreshAccessToken(provider, refreshToken, "", "")
-	if err != nil {
-		return nil, err
-	}
-	idToken, _ := tokens.Extra("id_token").(string)
-	claims, err := rp.VerifyTokens[*oidc.IDTokenClaims](context.Background(), tokens.AccessToken, idToken, provider.IDTokenVerifier())
-	if err != nil {
-		return nil, err
-	}
-	return &oidc.Tokens[*oidc.IDTokenClaims]{
-		Token:         tokens,
-		IDToken:       idToken,
-		IDTokenClaims: claims,
-	}, nil
+	return rp.RefreshTokens[*oidc.IDTokenClaims](CTX, provider, refreshToken, "", "")
 }

 func assertCodeResponse(t *testing.T, callback string) string {
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -9,10 +9,10 @@ import (
 	"time"

 	"github.com/dop251/goja"
+	"github.com/go-jose/go-jose/v3"
 	"github.com/zitadel/logging"
-	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"github.com/zitadel/oidc/v2/pkg/op"
-	"gopkg.in/square/go-jose.v2"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"

 	"github.com/zitadel/zitadel/internal/actions"
 	"github.com/zitadel/zitadel/internal/actions/object"
@@ -564,7 +564,7 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGra
 			apiFields,
 			action.Script,
 			action.Name,
-			append(actions.ActionToOptions(action), actions.WithHTTP(actionCtx))...,
+			append(actions.ActionToOptions(action), actions.WithHTTP(actionCtx), actions.WithUUID(actionCtx))...,
 		)
 		cancel()
 		if err != nil {
@@ -745,7 +745,7 @@ func (o *OPStorage) privateClaimsFlows(ctx context.Context, userID string, userG
 			apiFields,
 			action.Script,
 			action.Name,
-			append(actions.ActionToOptions(action), actions.WithHTTP(actionCtx))...,
+			append(actions.ActionToOptions(action), actions.WithHTTP(actionCtx), actions.WithUUID(actionCtx))...,
 		)
 		cancel()
 		if err != nil {
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -4,8 +4,8 @@ import (
 	"strings"
 	"time"

-	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"github.com/zitadel/oidc/v2/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"

 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
--- a/internal/api/oidc/client_credentials.go
+++ b/internal/api/oidc/client_credentials.go
@@ -3,8 +3,8 @@ package oidc
 import (
 	"time"

-	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"github.com/zitadel/oidc/v2/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 )

 type clientCredentialsRequest struct {
--- a/internal/api/oidc/client_integration_test.go
+++ b/internal/api/oidc/client_integration_test.go
@@ -9,9 +9,9 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v2/pkg/client/rp"
-	"github.com/zitadel/oidc/v2/pkg/client/rs"
-	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/client/rs"
+	"github.com/zitadel/oidc/v3/pkg/oidc"

 	"github.com/zitadel/zitadel/pkg/grpc/authn"
 	"github.com/zitadel/zitadel/pkg/grpc/management"
@@ -41,9 +41,9 @@ func TestOPStorage_SetUserinfoFromToken(t *testing.T) {
 	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)

 	// test actual userinfo
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
-	userinfo, err := rp.Userinfo(tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+	userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
 	require.NoError(t, err)
 	assertUserinfo(t, userinfo)
 }
@@ -62,7 +62,7 @@ func TestOPStorage_SetIntrospectionFromToken(t *testing.T) {
 		ExpirationDate: nil,
 	})
 	require.NoError(t, err)
-	resourceServer, err := Tester.CreateResourceServer(keyResp.GetKeyDetails())
+	resourceServer, err := Tester.CreateResourceServer(CTX, keyResp.GetKeyDetails())
 	require.NoError(t, err)

 	scope := []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopeOfflineAccess}
@@ -87,7 +87,7 @@ func TestOPStorage_SetIntrospectionFromToken(t *testing.T) {
 	assertIDTokenClaims(t, tokens.IDTokenClaims, armPasskey, startTime, changeTime)

 	// test actual introspection
-	introspection, err := rs.Introspect(context.Background(), resourceServer, tokens.AccessToken)
+	introspection, err := rs.Introspect[*oidc.IntrospectionResponse](context.Background(), resourceServer, tokens.AccessToken)
 	require.NoError(t, err)
 	assertIntrospection(t, introspection,
 		Tester.OIDCIssuer(), app.GetClientId(),
--- a/internal/api/oidc/device_auth.go
+++ b/internal/api/oidc/device_auth.go
@@ -5,8 +5,8 @@ import (
 	"time"

 	"github.com/zitadel/logging"
-	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"github.com/zitadel/oidc/v2/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"

 	"github.com/zitadel/zitadel/internal/api/ui/login"
 	"github.com/zitadel/zitadel/internal/domain"
--- a/internal/api/oidc/jwt-profile.go
+++ b/internal/api/oidc/jwt-profile.go
@@ -3,8 +3,8 @@ package oidc
 import (
 	"context"

-	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"github.com/zitadel/oidc/v2/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"

 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
--- a/internal/api/oidc/key.go
+++ b/internal/api/oidc/key.go
@@ -5,9 +5,9 @@ import (
 	"fmt"
 	"time"

+	"github.com/go-jose/go-jose/v3"
 	"github.com/zitadel/logging"
-	"github.com/zitadel/oidc/v2/pkg/op"
-	"gopkg.in/square/go-jose.v2"
+	"github.com/zitadel/oidc/v3/pkg/op"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/crypto"
--- a/internal/api/oidc/oidc_integration_test.go
+++ b/internal/api/oidc/oidc_integration_test.go
@@ -11,8 +11,8 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"github.com/zitadel/oidc/v2/pkg/client/rp"
-	"github.com/zitadel/oidc/v2/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"google.golang.org/grpc/metadata"

 	"github.com/zitadel/zitadel/internal/domain"
@@ -216,7 +216,7 @@ func Test_ZITADEL_API_inactive_access_token(t *testing.T) {

 func Test_ZITADEL_API_terminated_session(t *testing.T) {
 	clientID := createClient(t)
-	provider, err := Tester.CreateRelyingParty(clientID, redirectURI)
+	provider, err := Tester.CreateRelyingParty(CTX, clientID, redirectURI)
 	require.NoError(t, err)
 	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess, zitadelAudienceScope)
 	sessionID, sessionToken, startTime, changeTime := Tester.CreateVerfiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
@@ -245,7 +245,7 @@ func Test_ZITADEL_API_terminated_session(t *testing.T) {
 	require.Equal(t, User.GetUserId(), myUserResp.GetUser().GetId())

 	// refresh token
-	postLogoutRedirect, err := rp.EndSession(provider, tokens.IDToken, logoutRedirectURI, "state")
+	postLogoutRedirect, err := rp.EndSession(CTX, provider, tokens.IDToken, logoutRedirectURI, "state")
 	require.NoError(t, err)
 	assert.Equal(t, logoutRedirectURI+"?state=state", postLogoutRedirect.String())

@@ -271,13 +271,13 @@ func createImplicitClient(t testing.TB) string {
 }

 func createAuthRequest(t testing.TB, clientID, redirectURI string, scope ...string) string {
-	redURL, err := Tester.CreateOIDCAuthRequest(clientID, Tester.Users[integration.FirstInstanceUsersKey][integration.Login].ID, redirectURI, scope...)
+	redURL, err := Tester.CreateOIDCAuthRequest(CTX, clientID, Tester.Users[integration.FirstInstanceUsersKey][integration.Login].ID, redirectURI, scope...)
 	require.NoError(t, err)
 	return redURL
 }

 func createAuthRequestImplicit(t testing.TB, clientID, redirectURI string, scope ...string) string {
-	redURL, err := Tester.CreateOIDCAuthRequestImplicit(clientID, Tester.Users[integration.FirstInstanceUsersKey][integration.Login].ID, redirectURI, scope...)
+	redURL, err := Tester.CreateOIDCAuthRequestImplicit(CTX, clientID, Tester.Users[integration.FirstInstanceUsersKey][integration.Login].ID, redirectURI, scope...)
 	require.NoError(t, err)
 	return redURL
 }
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -7,8 +7,8 @@ import (
 	"time"

 	"github.com/rakyll/statik/fs"
-	"github.com/zitadel/oidc/v2/pkg/oidc"
-	"github.com/zitadel/oidc/v2/pkg/op"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/op"
 	"golang.org/x/text/language"

 	"github.com/zitadel/zitadel/internal/api/assets"