From ccde49b323829b11f26f22d6df8020297fbe49fe Mon Sep 17 00:00:00 2001 From: Livio Spring Date: Mon, 25 Jul 2022 09:38:15 +0200 Subject: [PATCH] feat: extend claims of introspection response (#4018) * feat: extend claims of introspection response * update oidc lib --- docs/docs/apis/openidoauth/claims.md | 33 ++++++++++++++----------- docs/docs/apis/openidoauth/endpoints.md | 15 ++++++++--- go.mod | 2 +- go.sum | 9 ++----- internal/api/oidc/client.go | 7 ++++++ 5 files changed, 41 insertions(+), 25 deletions(-) diff --git a/docs/docs/apis/openidoauth/claims.md b/docs/docs/apis/openidoauth/claims.md index f63d694b98..4ebc9b2442 100644 --- a/docs/docs/apis/openidoauth/claims.md +++ b/docs/docs/apis/openidoauth/claims.md @@ -10,30 +10,32 @@ Please check below the matrix for an overview where which scope is asserted. | acr | No | No | Yes | No | | address | When requested | When requested | When requested amd response_type `id_token` | No | | amr | No | No | Yes | No | -| aud | No | No | Yes | When JWT | +| aud | No | Yes | Yes | When JWT | | auth_time | No | No | Yes | No | -| azp | No | No | Yes | When JWT | +| azp (client_id when Introspect) | No | Yes | Yes | When JWT | | email | When requested | When requested | When requested amd response_type `id_token` | No | | email_verified | When requested | When requested | When requested amd response_type `id_token` | No | -| exp | No | No | Yes | When JWT | +| exp | No | Yes | Yes | When JWT | | family_name | When requested | When requested | When requested amd response_type `id_token` | No | | gender | When requested | When requested | When requested amd response_type `id_token` | No | | given_name | When requested | When requested | When requested amd response_type `id_token` | No | -| iat | No | No | Yes | When JWT | -| iss | No | No | Yes | When JWT | +| iat | No | Yes | Yes | When JWT | +| iss | No | Yes | Yes | When JWT | +| jti | No | Yes | No | When JWT | | locale | When requested | When requested | When requested amd response_type `id_token` | No | | name | When requested | When requested | When requested amd response_type `id_token` | No | +| nbf | No | Yes | Yes | When JWT | | nonce | No | No | Yes | No | | phone | When requested | When requested | When requested amd response_type `id_token` | No | | phone_verified | When requested | When requested | When requested amd response_type `id_token` | No | -| preferred_username (username when Introspect ) | When requested | When requested | Yes | No | +| preferred_username (username when Introspect) | When requested | When requested | Yes | No | | sub | Yes | Yes | Yes | When JWT | | urn:zitadel:iam:org:domain:primary:{domainname} | When requested | When requested | When requested | When JWT and requested | | urn:zitadel:iam:org:project:roles:{rolename} | When requested | When requested | When requested or configured | When JWT and requested or configured | -| urn:zitadel:iam:user:metadata | When requested | When requested | When requested | When JWT and requested | -| urn:zitadel:iam:user:resourceowner:id | When requested | When requested | When requested | When JWT and requested | -| urn:zitadel:iam:user:resourceowner:name | When requested | When requested | When requested | When JWT and requested | -| urn:zitadel:iam:user:resourceowner:primary_domain | When requested | When requested | When requested | When JWT and requested | +| urn:zitadel:iam:user:metadata | When requested | When requested | When requested | When JWT and requested | +| urn:zitadel:iam:user:resourceowner:id | When requested | When requested | When requested | When JWT and requested | +| urn:zitadel:iam:user:resourceowner:name | When requested | When requested | When requested | When JWT and requested | +| urn:zitadel:iam:user:resourceowner:primary_domain | When requested | When requested | When requested | When JWT and requested | ## Standard Claims @@ -42,21 +44,24 @@ Please check below the matrix for an overview where which scope is asserted. | acr | TBA | TBA | | address | `Teufener Strasse 19, 9000 St. Gallen` | TBA | | amr | `pwd mfa` | Authentication Method References as defined in [RFC8176](https://tools.ietf.org/html/rfc8176) | -| aud | `69234237810729019` | By default all client id's and the project id is included | +| aud | `69234237810729019` | The audience of the token, by default all client id's and the project id are included | | auth_time | `1311280969` | Unix time of the authentication | | azp | `69234237810729234` | Client id of the client who requested the token | | email | `road.runner@acme.ch` | Email Address of the subject | | email_verified | `true` | Boolean if the email was verified by ZITADEL | -| exp | `1311281970` | Time the token expires as unix time | +| exp | `1311281970` | Time the token expires (as unix time) | | family_name | `Runner` | The subjects family name | | gender | `other` | Gender of the subject | | given_name | `Road` | Given name of the subject | -| iat | `1311280970` | Issued at time of the token as unix time | -| iss | `{your_domain}` | Issuing domain of a token | +| iat | `1311280970` | Time of the token was issued at (as unix time) | +| iss | `{your_domain}` | Issuing domain of a token | +| jti | `69234237813329048` | Unique id of the token | | locale | `en` | Language from the subject | | name | `Road Runner` | The subjects full name | +| nbf | `1311280970` | Time the token must not be used before (as unix time) | | nonce | `blQtVEJHNTF0WHhFQmhqZ0RqeHJsdzdkd2d...` | The nonce provided by the client | | phone | `+41 79 XXX XX XX` | Phone number provided by the user | +| phone_verified | `true` | Boolean if the phone was verified by ZITADEL | | preferred_username | `road.runner@acme.caos.ch` | ZITADEL's login name of the user. Consist of `username@primarydomain` | | sub | `77776025198584418` | Subject ID of the user | diff --git a/docs/docs/apis/openidoauth/endpoints.md b/docs/docs/apis/openidoauth/endpoints.md index 530a3a60c0..4723b8416e 100644 --- a/docs/docs/apis/openidoauth/endpoints.md +++ b/docs/docs/apis/openidoauth/endpoints.md @@ -382,9 +382,18 @@ is active and the requesting client is part of the token audience. If `active` is **true**, further information will be provided: -| Property | Description | -| --------- | ---------------------------------------------------- | -| scope | Space delimited list of scopes granted to the token. | +| Property | Description | +|------------|------------------------------------------------------------------------| +| aud | The audience of the token | +| client_id | The client_id of the application the token was issued to | +| exp | Time the token expires (as unix time) | +| iat | Time of the token was issued at (as unix time) | +| iss | Issuer of the token | +| jti | Unique id of the token | +| nbf | Time the token must not be used before (as unix time) | +| scope | Space delimited list of scopes granted to the token | +| token_type | Type of the inspected token. Value is always `Bearer` | +| username | ZITADEL's login name of the user. Consist of `username@primarydomain` | Additionally and depending on the granted scopes, information about the authorized user is provided. Check the [Claims](claims) page if a specific claims might be returned and for detailed description. diff --git a/go.mod b/go.mod index f445b14160..80c9649b6f 100644 --- a/go.mod +++ b/go.mod @@ -48,7 +48,7 @@ require ( github.com/superseriousbusiness/exifremove v0.0.0-20210330092427-6acd27eac203 github.com/ttacon/libphonenumber v1.2.1 github.com/zitadel/logging v0.3.4 - github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.3 + github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.4 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.27.0 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.27.0 go.opentelemetry.io/otel v1.2.0 diff --git a/go.sum b/go.sum index 0dd8a79643..1c77d75086 100644 --- a/go.sum +++ b/go.sum @@ -790,7 +790,6 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= -github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0= github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= @@ -864,12 +863,10 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q= -github.com/zitadel/logging v0.3.3 h1:/nAoki9HFJK+qMLBVY5Jhbfp/6o3YLK49Tw5j2oRhjM= -github.com/zitadel/logging v0.3.3/go.mod h1:aPpLQhE+v6ocNK0TWrBrd363hZ95KcI17Q1ixAQwZF0= github.com/zitadel/logging v0.3.4 h1:9hZsTjMMTE3X2LUi0xcF9Q9EdLo+FAezeu52ireBbHM= github.com/zitadel/logging v0.3.4/go.mod h1:aPpLQhE+v6ocNK0TWrBrd363hZ95KcI17Q1ixAQwZF0= -github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.3 h1:Z0WrhhjPLrbywD+6226Ca7Mvt9VKAU3J/ojYq24CUEY= -github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.3/go.mod h1:uoJw5Xc6HXfnQbNZiLbld9dED0/8UMu0M4gOipTRZBA= +github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.4 h1:llGVhiHOuI2SXF6yR9s5podxe8n7Md0lpo/9cr37AkU= +github.com/zitadel/oidc/v2 v2.0.0-dynamic-issuer.4/go.mod h1:uoJw5Xc6HXfnQbNZiLbld9dED0/8UMu0M4gOipTRZBA= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= @@ -1174,8 +1171,6 @@ golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20211210111614-af8b64212486/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220207234003-57398862261d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c= -golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8 h1:0A+M6Uqn+Eje4kHMK80dtF3JCXC4ykBgQG4Fe06QRhQ= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= diff --git a/internal/api/oidc/client.go b/internal/api/oidc/client.go index 7c0326b9af..f865e57869 100644 --- a/internal/api/oidc/client.go +++ b/internal/api/oidc/client.go @@ -176,6 +176,13 @@ func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection } introspection.SetScopes(token.Scopes) introspection.SetClientID(token.ApplicationID) + introspection.SetTokenType(oidc.BearerToken) + introspection.SetExpiration(token.Expiration) + introspection.SetIssuedAt(token.CreationDate) + introspection.SetNotBefore(token.CreationDate) + introspection.SetAudience(token.Audience) + introspection.SetIssuer(op.IssuerFromContext(ctx)) + introspection.SetJWTID(token.ID) return nil } }