feat(console): enable ID token mapping for generic OIDC provider (#6426)

* fix: use IsIdTokenMapping request property

* feat(console): oidc provider id token mapping

* fix scss

* reduce styles

* fix lint

---------

Co-authored-by: peintnermax <max@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 29fa3d417c)

console/src/app/modules/providers/provider-oidc/provider-oidc.component.html

@@ -78,6 +78,14 @@
             </cnsl-form-field>
           </div>
 
+          <div class="id-token-mapping">
+            <cnsl-info-section>
+              <div>
+                <p class="checkbox-desc">{{ 'IDP.ISIDTOKENMAPPING_DESC' | translate }}</p>
+                <mat-checkbox formControlName="isIdTokenMapping">{{ 'IDP.ISIDTOKENMAPPING' | translate }}</mat-checkbox>
+              </div>
+            </cnsl-info-section>
+          </div>
           <cnsl-provider-options
             [initialOptions]="provider?.config?.options"
             (optionsChanged)="options = $event"

console/src/app/modules/providers/provider-oidc/provider-oidc.component.scss

@@ -0,0 +1,8 @@
+.id-token-mapping {
+  max-width: 400px;
+
+  .checkbox-desc {
+    margin-top: 0;
+    margin-bottom: 0.5rem;
+  }
+}

console/src/app/modules/providers/provider-oidc/provider-oidc.component.ts

@@ -27,6 +27,7 @@ import { PolicyComponentServiceType } from '../../policies/policy-component-type
 @Component({
   selector: 'cnsl-provider-oidc',
   templateUrl: './provider-oidc.component.html',
+  styleUrls: ['./provider-oidc.component.scss'],
 })
 export class ProviderOIDCComponent {
   public showOptional: boolean = false;
@@ -56,6 +57,7 @@ export class ProviderOIDCComponent {
       clientSecret: new UntypedFormControl('', [requiredValidator]),
       issuer: new UntypedFormControl('', [requiredValidator]),
       scopesList: new UntypedFormControl(['openid', 'profile', 'email'], []),
+      isIdTokenMapping: new UntypedFormControl(),
     });
 
     this.route.data.pipe(take(1)).subscribe((data) => {
@@ -131,6 +133,7 @@ export class ProviderOIDCComponent {
     req.setIssuer(this.issuer?.value);
     req.setScopesList(this.scopesList?.value);
     req.setProviderOptions(this.options);
+    req.setIsIdTokenMapping(this.isIdTokenMapping?.value);
 
     this.loading = true;
     this.service
@@ -160,6 +163,7 @@ export class ProviderOIDCComponent {
       req.setIssuer(this.issuer?.value);
       req.setScopesList(this.scopesList?.value);
       req.setProviderOptions(this.options);
+      req.setIsIdTokenMapping(this.isIdTokenMapping?.value);
 
       this.loading = true;
       this.service
@@ -224,4 +228,8 @@ export class ProviderOIDCComponent {
   public get scopesList(): AbstractControl | null {
     return this.form.get('scopesList');
   }
+
+  public get isIdTokenMapping(): AbstractControl | null {
+    return this.form.get('isIdTokenMapping');
+  }
 }

console/src/assets/i18n/bg.json

@@ -1822,7 +1822,9 @@
       "DELETED": "Idp премахнат успешно!",
       "ADDED": "Добавено успешно.",
       "REMOVED": "Премахнато успешно."
-    }
+    },
+    "ISIDTOKENMAPPING": "Съответствие от ID токен",
+    "ISIDTOKENMAPPING_DESC": "Ако е избрано, информацията на доставчика се съответства от ID токена, а не от userinfo крайната точка."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/de.json

@@ -1831,7 +1831,9 @@
       "DELETED": "Idp erfolgreich gelöscht!",
       "ADDED": "Erfolgreich hinzugefügt.",
       "REMOVED": "Erfolgreich entfernt."
-    }
+    },
+    "ISIDTOKENMAPPING": "Zuordnung vom ID-Token",
+    "ISIDTOKENMAPPING_DESC": "Legt fest, ob für das Mapping der Provider Informationen das ID-Token verwendet werden soll, anstatt des Userinfo-Endpoints."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/en.json

@@ -1828,7 +1828,9 @@
       "DELETED": "Idp removed successfully!",
       "ADDED": "Added successfully.",
       "REMOVED": "Removed successfully."
-    }
+    },
+    "ISIDTOKENMAPPING": "Map from the ID token",
+    "ISIDTOKENMAPPING_DESC": "If selected, provider information gets mapped from the ID token, not from the userinfo endpoint."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/es.json

@@ -1828,7 +1828,9 @@
       "DELETED": "¡IDP eliminado con éxito!",
       "ADDED": "Añadido con éxito.",
       "REMOVED": "Eliminado con éxito."
-    }
+    },
+    "ISIDTOKENMAPPING": "Asignación del ID token",
+    "ISIDTOKENMAPPING_DESC": "Si se selecciona, la información del proveedor se asigna desde el ID token, no desde el punto final de userinfo."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/fr.json

@@ -1832,7 +1832,9 @@
       "DELETED": "Idp supprimé avec succès !",
       "ADDED": "Ajouté avec succès.",
       "REMOVED": "Suppression réussie."
-    }
+    },
+    "ISIDTOKENMAPPING": "Mappage depuis le jeton ID",
+    "ISIDTOKENMAPPING_DESC": "Si sélectionné, les informations du fournisseur sont mappées à partir du jeton ID, et non à partir du point d'extrémité userinfo."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/it.json

@@ -1832,7 +1832,9 @@
       "DELETED": "IDP rimosso con successo!",
       "ADDED": "Aggiunto con successo.",
       "REMOVED": "Rimosso con successo."
-    }
+    },
+    "ISIDTOKENMAPPING": "Mappatura dal token ID",
+    "ISIDTOKENMAPPING_DESC": "Se selezionato, le informazioni del provider vengono mappate dal token ID, non dal punto finale userinfo."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/ja.json

@@ -1823,7 +1823,9 @@
       "DELETED": "IDPは正常に削除されました！",
       "ADDED": "正常に追加されました。",
       "REMOVED": "正常に削除されました。"
-    }
+    },
+    "ISIDTOKENMAPPING": "IDトークンからのマッピング",
+    "ISIDTOKENMAPPING_DESC": "選択された場合、プロバイダ情報はIDトークンからマッピングされ、userinfoエンドポイントからではありません。"
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/mk.json

@@ -1828,7 +1828,9 @@
       "DELETED": "IDP успешно отстранет!",
       "ADDED": "Успешно додадено.",
       "REMOVED": "Успешно отстрането."
-    }
+    },
+    "ISIDTOKENMAPPING": "Совпаѓање од ID токен",
+    "ISIDTOKENMAPPING_DESC": "Ако е избрано, информациите од провајдерот се мапираат од ID токенот, а не од userinfo крајната точка."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/pl.json

@@ -1832,7 +1832,9 @@
       "DELETED": "Dostawca tożsamości usunięty pomyślnie!",
       "ADDED": "Dodano pomyślnie.",
       "REMOVED": "Usunięto pomyślnie."
-    }
+    },
+    "ISIDTOKENMAPPING": "Mapowanie z tokena ID",
+    "ISIDTOKENMAPPING_DESC": "Jeśli wybrane, informacje dostawcy są mapowane z tokena ID, a nie z punktu końcowego userinfo."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/pt.json

@@ -1826,7 +1826,9 @@
       "DELETED": "Provedor de identidade removido com sucesso!",
       "ADDED": "Adicionado com sucesso.",
       "REMOVED": "Removido com sucesso."
-    }
+    },
+    "ISIDTOKENMAPPING": "Mapeamento do token ID",
+    "ISIDTOKENMAPPING_DESC": "Se selecionado, as informações do provedor são mapeadas a partir do token ID, e não do ponto final userinfo."
   },
   "MFA": {
     "LIST": {

console/src/assets/i18n/zh.json

@@ -1831,7 +1831,9 @@
       "DELETED": "IDP 删除成功！",
       "ADDED": "添加成功。",
       "REMOVED": "成功删除。"
-    }
+    },
+    "ISIDTOKENMAPPING": "从ID令牌映射",
+    "ISIDTOKENMAPPING_DESC": "如果选中，提供商信息将从ID令牌映射，而不是从userinfo端点。"
   },
   "MFA": {
     "LIST": {

internal/api/grpc/management/idp_converter.go

@@ -248,12 +248,13 @@ func updateGenericOAuthProviderToCommand(req *mgmt_pb.UpdateGenericOAuthProvider
 
 func addGenericOIDCProviderToCommand(req *mgmt_pb.AddGenericOIDCProviderRequest) command.GenericOIDCProvider {
 	return command.GenericOIDCProvider{
-		Name:         req.Name,
-		Issuer:       req.Issuer,
-		ClientID:     req.ClientId,
-		ClientSecret: req.ClientSecret,
-		Scopes:       req.Scopes,
-		IDPOptions:   idp_grpc.OptionsToCommand(req.ProviderOptions),
+		Name:             req.Name,
+		Issuer:           req.Issuer,
+		ClientID:         req.ClientId,
+		ClientSecret:     req.ClientSecret,
+		Scopes:           req.Scopes,
+		IsIDTokenMapping: req.IsIdTokenMapping,
+		IDPOptions:       idp_grpc.OptionsToCommand(req.ProviderOptions),
 	}
 }
 

proto/zitadel/idp.proto

@@ -342,7 +342,12 @@ message GenericOIDCConfig {
             description: "the scopes requested by ZITADEL during the request on the identity provider";
         }
     ];
-    bool is_id_token_mapping = 4;
+    bool is_id_token_mapping = 4 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "true";
+            description: "if true, provider information get mapped from the id token, not from the userinfo endpoint";
+        }
+    ];
 }
 
 message GitHubConfig {