feat(oidc): id token for device authorization (#7088)

* cleanup todo * pass id token details to oidc * feat(oidc): id token for device authorization This changes updates to the newest oidc version, so the Device Authorization grant can return ID tokens when the scope `openid` is set. There is also some refactoring done, so that the eventstore can be queried directly when polling for state. The projection is cleaned up to a minimum with only data required for the login UI. * try to be explicit wit hthe timezone to fix github * pin oidc v3.8.0 * remove TBD entry
2025-08-12 00:07:36 +00:00 · 2023-12-20 14:21:08 +02:00
parent e15f6229cd
commit e22689c125
25 changed files with 629 additions and 621 deletions
--- a/internal/command/device_auth_model.go
+++ b/internal/command/device_auth_model.go
@@ -11,19 +11,21 @@ import (
 type DeviceAuthWriteModel struct {
 	eventstore.WriteModel

-	ClientID   string
-	DeviceCode string
-	UserCode   string
-	Expires    time.Time
-	Scopes     []string
-	Subject    string
-	State      domain.DeviceAuthState
+	ClientID        string
+	DeviceCode      string
+	UserCode        string
+	Expires         time.Time
+	Scopes          []string
+	State           domain.DeviceAuthState
+	Subject         string
+	UserAuthMethods []domain.UserAuthMethodType
+	AuthTime        time.Time
 }

-func NewDeviceAuthWriteModel(aggrID, resourceOwner string) *DeviceAuthWriteModel {
+func NewDeviceAuthWriteModel(deviceCode, resourceOwner string) *DeviceAuthWriteModel {
 	return &DeviceAuthWriteModel{
 		WriteModel: eventstore.WriteModel{
-			AggregateID:   aggrID,
+			AggregateID:   deviceCode,
 			ResourceOwner: resourceOwner,
 		},
 	}
@@ -40,12 +42,12 @@ func (m *DeviceAuthWriteModel) Reduce() error {
 			m.Scopes = e.Scopes
 			m.State = e.State
 		case *deviceauth.ApprovedEvent:
-			m.Subject = e.Subject
 			m.State = domain.DeviceAuthStateApproved
+			m.Subject = e.Subject
+			m.UserAuthMethods = e.UserAuthMethods
+			m.AuthTime = e.AuthTime
 		case *deviceauth.CanceledEvent:
 			m.State = e.Reason.State()
-		case *deviceauth.RemovedEvent:
-			m.State = domain.DeviceAuthStateRemoved
 		}
 	}

@@ -54,8 +56,14 @@ func (m *DeviceAuthWriteModel) Reduce() error {

 func (m *DeviceAuthWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		ResourceOwner(m.ResourceOwner).
 		AddQuery().
 		AggregateTypes(deviceauth.AggregateType).
 		AggregateIDs(m.AggregateID).
+		EventTypes(
+			deviceauth.AddedEventType,
+			deviceauth.ApprovedEventType,
+			deviceauth.CanceledEventType,
+		).
 		Builder()
 }