feat(oidc): id token for device authorization (#7088)

* cleanup todo

* pass id token details to oidc

* feat(oidc): id token for device authorization

This changes updates to the newest oidc version,
so the Device Authorization grant can return ID tokens when
the scope `openid` is set.
There is also some refactoring done, so that the eventstore can be
queried directly when polling for state.
The projection is cleaned up to a minimum with only data required for the login UI.

* try to be explicit wit hthe timezone to fix github

* pin oidc v3.8.0

* remove TBD entry

internal/query/device_auth_test.go

@@ -6,82 +6,188 @@ import (
 	"database/sql/driver"
 	"errors"
 	"fmt"
+	"io"
 	"regexp"
 	"testing"
+	"time"
 
 	"github.com/DATA-DOG/go-sqlmock"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/database"
 	"github.com/zitadel/zitadel/internal/domain"
-	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
-)
-
-const (
-	expectedDeviceAuthQueryC = `SELECT` +
-		` projections.device_authorizations.id,` +
-		` projections.device_authorizations.client_id,` +
-		` projections.device_authorizations.scopes,` +
-		` projections.device_authorizations.expires,` +
-		` projections.device_authorizations.state,` +
-		` projections.device_authorizations.subject` +
-		` FROM projections.device_authorizations`
-	expectedDeviceAuthWhereDeviceCodeQueryC = expectedDeviceAuthQueryC +
-		` WHERE projections.device_authorizations.client_id = $1` +
-		` AND projections.device_authorizations.device_code = $2` +
-		` AND projections.device_authorizations.instance_id = $3`
-	expectedDeviceAuthWhereUserCodeQueryC = expectedDeviceAuthQueryC +
-		` WHERE projections.device_authorizations.instance_id = $1` +
-		` AND projections.device_authorizations.user_code = $2`
-)
-
-var (
-	expectedDeviceAuthQuery                = regexp.QuoteMeta(expectedDeviceAuthQueryC)
-	expectedDeviceAuthWhereDeviceCodeQuery = regexp.QuoteMeta(expectedDeviceAuthWhereDeviceCodeQueryC)
-	expectedDeviceAuthWhereUserCodeQuery   = regexp.QuoteMeta(expectedDeviceAuthWhereUserCodeQueryC)
-	expectedDeviceAuthValues               = []driver.Value{
-		"primary-id",
-		"client-id",
-		database.TextArray[string]{"a", "b", "c"},
-		testNow,
-		domain.DeviceAuthStateApproved,
-		"subject",
-	}
-	expectedDeviceAuth = &domain.DeviceAuth{
-		ObjectRoot: models.ObjectRoot{
-			AggregateID: "primary-id",
-		},
-		ClientID: "client-id",
-		Scopes:   []string{"a", "b", "c"},
-		Expires:  testNow,
-		State:    domain.DeviceAuthStateApproved,
-		Subject:  "subject",
-	}
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/deviceauth"
+	"github.com/zitadel/zitadel/internal/zerrors"
 )
 
 func TestQueries_DeviceAuthByDeviceCode(t *testing.T) {
-	client, mock, err := sqlmock.New()
-	if err != nil {
-		t.Fatalf("failed to build mock client: %v", err)
+	ctx := authz.NewMockContext("inst1", "org1", "user1")
+	timestamp := time.Date(2015, 12, 15, 22, 13, 45, 0, time.UTC)
+	tests := []struct {
+		name       string
+		eventstore func(t *testing.T) *eventstore.Eventstore
+		want       *DeviceAuth
+		wantErr    error
+	}{
+		{
+			name: "filter error",
+			eventstore: expectEventstore(
+				expectFilterError(io.ErrClosedPipe),
+			),
+			wantErr: io.ErrClosedPipe,
+		},
+		{
+			name: "not found",
+			eventstore: expectEventstore(
+				expectFilter(),
+			),
+			wantErr: zerrors.ThrowNotFound(nil, "QUERY-eeR0e", "Errors.DeviceAuth.NotExisting"),
+		},
+		{
+			name: "ok, initiated",
+			eventstore: expectEventstore(
+				expectFilter(
+					eventFromEventPusher(deviceauth.NewAddedEvent(
+						ctx,
+						deviceauth.NewAggregate("device1", "instance1"),
+						"client1", "device1", "user-code", timestamp, []string{"foo", "bar"},
+					)),
+				),
+			),
+			want: &DeviceAuth{
+				ClientID:   "client1",
+				DeviceCode: "device1",
+				UserCode:   "user-code",
+				Expires:    timestamp,
+				Scopes:     []string{"foo", "bar"},
+				State:      domain.DeviceAuthStateInitiated,
+			},
+		},
+		{
+			name: "ok, approved",
+			eventstore: expectEventstore(
+				expectFilter(
+					eventFromEventPusher(deviceauth.NewAddedEvent(
+						ctx,
+						deviceauth.NewAggregate("device1", "instance1"),
+						"client1", "device1", "user-code", timestamp, []string{"foo", "bar"},
+					)),
+					eventFromEventPusher(deviceauth.NewApprovedEvent(
+						ctx,
+						deviceauth.NewAggregate("device1", "instance1"),
+						"user1", []domain.UserAuthMethodType{domain.UserAuthMethodTypePasswordless},
+						timestamp,
+					)),
+				),
+			),
+			want: &DeviceAuth{
+				ClientID:        "client1",
+				DeviceCode:      "device1",
+				UserCode:        "user-code",
+				Expires:         timestamp,
+				Scopes:          []string{"foo", "bar"},
+				State:           domain.DeviceAuthStateApproved,
+				Subject:         "user1",
+				UserAuthMethods: []domain.UserAuthMethodType{domain.UserAuthMethodTypePasswordless},
+				AuthTime:        timestamp,
+			},
+		},
+		{
+			name: "ok, denied",
+			eventstore: expectEventstore(
+				expectFilter(
+					eventFromEventPusher(deviceauth.NewAddedEvent(
+						ctx,
+						deviceauth.NewAggregate("device1", "instance1"),
+						"client1", "device1", "user-code", timestamp, []string{"foo", "bar"},
+					)),
+					eventFromEventPusher(deviceauth.NewCanceledEvent(
+						ctx,
+						deviceauth.NewAggregate("device1", "instance1"),
+						domain.DeviceAuthCanceledDenied,
+					)),
+				),
+			),
+			want: &DeviceAuth{
+				ClientID:   "client1",
+				DeviceCode: "device1",
+				UserCode:   "user-code",
+				Expires:    timestamp,
+				Scopes:     []string{"foo", "bar"},
+				State:      domain.DeviceAuthStateDenied,
+			},
+		},
+		{
+			name: "ok, expired",
+			eventstore: expectEventstore(
+				expectFilter(
+					eventFromEventPusher(deviceauth.NewAddedEvent(
+						ctx,
+						deviceauth.NewAggregate("device1", "instance1"),
+						"client1", "device1", "user-code", timestamp, []string{"foo", "bar"},
+					)),
+					eventFromEventPusher(deviceauth.NewCanceledEvent(
+						ctx,
+						deviceauth.NewAggregate("device1", "instance1"),
+						domain.DeviceAuthCanceledExpired,
+					)),
+				),
+			),
+			want: &DeviceAuth{
+				ClientID:   "client1",
+				DeviceCode: "device1",
+				UserCode:   "user-code",
+				Expires:    timestamp,
+				Scopes:     []string{"foo", "bar"},
+				State:      domain.DeviceAuthStateExpired,
+			},
+		},
 	}
-	defer client.Close()
-
-	mock.ExpectBegin()
-	mock.ExpectQuery(expectedDeviceAuthWhereDeviceCodeQuery).WillReturnRows(
-		sqlmock.NewRows(deviceAuthSelectColumns).AddRow(expectedDeviceAuthValues...),
-	)
-	mock.ExpectCommit()
-	q := Queries{
-		client: &database.DB{DB: client},
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			q := &Queries{
+				eventstore: tt.eventstore(t),
+			}
+			got, err := q.DeviceAuthByDeviceCode(ctx, "device1")
+			require.ErrorIs(t, err, tt.wantErr)
+			assert.Equal(t, tt.want, got)
+		})
 	}
-	got, err := q.DeviceAuthByDeviceCode(context.TODO(), "123", "456")
-	require.NoError(t, err)
-	assert.Equal(t, expectedDeviceAuth, got)
-	require.NoError(t, mock.ExpectationsWereMet())
 }
 
-func TestQueries_DeviceAuthByUserCode(t *testing.T) {
+const (
+	expectedDeviceAuthQueryC = `SELECT` +
+		` projections.device_auth_requests.client_id,` +
+		` projections.device_auth_requests.device_code,` +
+		` projections.device_auth_requests.user_code,` +
+		` projections.device_auth_requests.scopes` +
+		` FROM projections.device_auth_requests`
+	expectedDeviceAuthWhereUserCodeQueryC = expectedDeviceAuthQueryC +
+		` WHERE projections.device_auth_requests.instance_id = $1` +
+		` AND projections.device_auth_requests.user_code = $2`
+)
+
+var (
+	expectedDeviceAuthQuery              = regexp.QuoteMeta(expectedDeviceAuthQueryC)
+	expectedDeviceAuthWhereUserCodeQuery = regexp.QuoteMeta(expectedDeviceAuthWhereUserCodeQueryC)
+	expectedDeviceAuthValues             = []driver.Value{
+		"client-id",
+		"device1",
+		"user-code",
+		database.TextArray[string]{"a", "b", "c"},
+	}
+	expectedDeviceAuth = &domain.AuthRequestDevice{
+		ClientID:   "client-id",
+		DeviceCode: "device1",
+		UserCode:   "user-code",
+		Scopes:     []string{"a", "b", "c"},
+	}
+)
+
+func TestQueries_DeviceAuthRequestByUserCode(t *testing.T) {
 	client, mock, err := sqlmock.New()
 	if err != nil {
 		t.Fatalf("failed to build mock client: %v", err)
@@ -96,7 +202,7 @@ func TestQueries_DeviceAuthByUserCode(t *testing.T) {
 	q := Queries{
 		client: &database.DB{DB: client},
 	}
-	got, err := q.DeviceAuthByUserCode(context.TODO(), "789")
+	got, err := q.DeviceAuthRequestByUserCode(context.TODO(), "789")
 	require.NoError(t, err)
 	assert.Equal(t, expectedDeviceAuth, got)
 	require.NoError(t, mock.ExpectationsWereMet())
@@ -110,7 +216,7 @@ func Test_prepareDeviceAuthQuery(t *testing.T) {
 	tests := []struct {
 		name   string
 		want   want
-		object any
+		object *domain.AuthRequestDevice
 	}{
 		{
 			name: "success",
@@ -137,7 +243,7 @@ func Test_prepareDeviceAuthQuery(t *testing.T) {
 					return nil, true
 				},
 			},
-			object: (*domain.DeviceAuth)(nil),
+			object: nil,
 		},
 		{
 			name: "other error",
@@ -153,7 +259,7 @@ func Test_prepareDeviceAuthQuery(t *testing.T) {
 					return nil, true
 				},
 			},
-			object: (*domain.DeviceAuth)(nil),
+			object: nil,
 		},
 	}
 	for _, tt := range tests {