feat(oidc): id token for device authorization (#7088)

* cleanup todo * pass id token details to oidc * feat(oidc): id token for device authorization This changes updates to the newest oidc version, so the Device Authorization grant can return ID tokens when the scope `openid` is set. There is also some refactoring done, so that the eventstore can be queried directly when polling for state. The projection is cleaned up to a minimum with only data required for the login UI. * try to be explicit wit hthe timezone to fix github * pin oidc v3.8.0 * remove TBD entry
2025-08-11 19:07:30 +00:00 · 2023-12-20 14:21:08 +02:00
parent e15f6229cd
commit e22689c125
25 changed files with 629 additions and 621 deletions
--- a/internal/domain/auth_request_test.go
+++ b/internal/domain/auth_request_test.go
@@ -0,0 +1,108 @@
+package domain
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMFAType_UserAuthMethodType(t *testing.T) {
+	tests := []struct {
+		name string
+		m    MFAType
+		want UserAuthMethodType
+	}{
+		{
+			name: "totp",
+			m:    MFATypeTOTP,
+			want: UserAuthMethodTypeTOTP,
+		},
+		{
+			name: "u2f",
+			m:    MFATypeU2F,
+			want: UserAuthMethodTypeU2F,
+		},
+		{
+			name: "passwordless",
+			m:    MFATypeU2FUserVerification,
+			want: UserAuthMethodTypePasswordless,
+		},
+		{
+			name: "otp sms",
+			m:    MFATypeOTPSMS,
+			want: UserAuthMethodTypeOTPSMS,
+		},
+		{
+			name: "otp email",
+			m:    MFATypeOTPEmail,
+			want: UserAuthMethodTypeOTPEmail,
+		},
+		{
+			name: "unspecified",
+			m:    99,
+			want: UserAuthMethodTypeUnspecified,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := tt.m.UserAuthMethodType()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestAuthRequest_UserAuthMethodTypes(t *testing.T) {
+	type fields struct {
+		PasswordVerified bool
+		MFAsVerified     []MFAType
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   []UserAuthMethodType
+	}{
+		{
+			name: "no auth methods",
+			fields: fields{
+				PasswordVerified: false,
+				MFAsVerified:     nil,
+			},
+			want: []UserAuthMethodType{},
+		},
+		{
+			name: "only password",
+			fields: fields{
+				PasswordVerified: true,
+				MFAsVerified:     nil,
+			},
+			want: []UserAuthMethodType{
+				UserAuthMethodTypePassword,
+			},
+		},
+		{
+			name: "password, with mfa",
+			fields: fields{
+				PasswordVerified: true,
+				MFAsVerified: []MFAType{
+					MFATypeTOTP,
+					MFATypeU2F,
+				},
+			},
+			want: []UserAuthMethodType{
+				UserAuthMethodTypePassword,
+				UserAuthMethodTypeTOTP,
+				UserAuthMethodTypeU2F,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := &AuthRequest{
+				PasswordVerified: tt.fields.PasswordVerified,
+				MFAsVerified:     tt.fields.MFAsVerified,
+			}
+			got := a.UserAuthMethodTypes()
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}