feat(oidc): id token for device authorization (#7088)

* cleanup todo * pass id token details to oidc * feat(oidc): id token for device authorization This changes updates to the newest oidc version, so the Device Authorization grant can return ID tokens when the scope `openid` is set. There is also some refactoring done, so that the eventstore can be queried directly when polling for state. The projection is cleaned up to a minimum with only data required for the login UI. * try to be explicit wit hthe timezone to fix github * pin oidc v3.8.0 * remove TBD entry
2025-12-24 11:27:07 +00:00 · 2023-12-20 14:21:08 +02:00
parent e15f6229cd
commit e22689c125
25 changed files with 629 additions and 621 deletions
--- a/internal/query/device_auth_model.go
+++ b/internal/query/device_auth_model.go
@@ -0,0 +1,58 @@
+package query
+
+import (
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/deviceauth"
+)
+
+type DeviceAuthReadModel struct {
+	eventstore.ReadModel
+	DeviceAuth
+}
+
+func NewDeviceAuthReadModel(deviceCode, resourceOwner string) *DeviceAuthReadModel {
+	return &DeviceAuthReadModel{
+		ReadModel: eventstore.ReadModel{
+			AggregateID:   deviceCode,
+			ResourceOwner: resourceOwner,
+		},
+	}
+}
+
+func (m *DeviceAuthReadModel) Reduce() error {
+	for _, event := range m.Events {
+		switch e := event.(type) {
+		case *deviceauth.AddedEvent:
+			m.ClientID = e.ClientID
+			m.DeviceCode = e.DeviceCode
+			m.UserCode = e.UserCode
+			m.Expires = e.Expires
+			m.Scopes = e.Scopes
+			m.State = e.State
+		case *deviceauth.ApprovedEvent:
+			m.State = domain.DeviceAuthStateApproved
+			m.Subject = e.Subject
+			m.UserAuthMethods = e.UserAuthMethods
+			m.AuthTime = e.AuthTime
+		case *deviceauth.CanceledEvent:
+			m.State = e.Reason.State()
+		}
+	}
+
+	return m.ReadModel.Reduce()
+}
+
+func (m *DeviceAuthReadModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		ResourceOwner(m.ResourceOwner).
+		AddQuery().
+		AggregateTypes(deviceauth.AggregateType).
+		AggregateIDs(m.AggregateID).
+		EventTypes(
+			deviceauth.AddedEventType,
+			deviceauth.ApprovedEventType,
+			deviceauth.CanceledEventType,
+		).
+		Builder()
+}