feat(oidc): id token for device authorization (#7088)

* cleanup todo

* pass id token details to oidc

* feat(oidc): id token for device authorization

This changes updates to the newest oidc version,
so the Device Authorization grant can return ID tokens when
the scope `openid` is set.
There is also some refactoring done, so that the eventstore can be
queried directly when polling for state.
The projection is cleaned up to a minimum with only data required for the login UI.

* try to be explicit wit hthe timezone to fix github

* pin oidc v3.8.0

* remove TBD entry

internal/query/projection/device_auth.go

@@ -3,7 +3,6 @@ package projection
 import (
 	"context"
 
-	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	old_handler "github.com/zitadel/zitadel/internal/eventstore/handler"
 	"github.com/zitadel/zitadel/internal/eventstore/handler/v2"
@@ -12,57 +11,51 @@ import (
 )
 
 const (
-	DeviceAuthProjectionTable = "projections.device_authorizations"
+	DeviceAuthRequestProjectionTable = "projections.device_auth_requests"
 
-	DeviceAuthColumnID         = "id"
-	DeviceAuthColumnClientID   = "client_id"
-	DeviceAuthColumnDeviceCode = "device_code"
-	DeviceAuthColumnUserCode   = "user_code"
-	DeviceAuthColumnExpires    = "expires"
-	DeviceAuthColumnScopes     = "scopes"
-	DeviceAuthColumnState      = "state"
-	DeviceAuthColumnSubject    = "subject"
-
-	DeviceAuthColumnCreationDate = "creation_date"
-	DeviceAuthColumnChangeDate   = "change_date"
-	DeviceAuthColumnSequence     = "sequence"
-	DeviceAuthColumnInstanceID   = "instance_id"
+	DeviceAuthRequestColumnClientID     = "client_id"
+	DeviceAuthRequestColumnDeviceCode   = "device_code"
+	DeviceAuthRequestColumnUserCode     = "user_code"
+	DeviceAuthRequestColumnScopes       = "scopes"
+	DeviceAuthRequestColumnCreationDate = "creation_date"
+	DeviceAuthRequestColumnChangeDate   = "change_date"
+	DeviceAuthRequestColumnSequence     = "sequence"
+	DeviceAuthRequestColumnInstanceID   = "instance_id"
 )
 
-type deviceAuthProjection struct{}
+// deviceAuthRequestProjection holds device authorization requests
+// and makes them search-able by User Code.
+// In principle the projected data is only needed during user login.
+// Device Token logic uses the eventstore directly.
+type deviceAuthRequestProjection struct{}
 
 func newDeviceAuthProjection(ctx context.Context, config handler.Config) *handler.Handler {
-	return handler.NewHandler(ctx, &config, new(deviceAuthProjection))
+	return handler.NewHandler(ctx, &config, new(deviceAuthRequestProjection))
 }
 
-func (*deviceAuthProjection) Name() string {
-	return DeviceAuthProjectionTable
+func (*deviceAuthRequestProjection) Name() string {
+	return DeviceAuthRequestProjectionTable
 }
 
-func (*deviceAuthProjection) Init() *old_handler.Check {
+func (*deviceAuthRequestProjection) Init() *old_handler.Check {
 	return handler.NewTableCheck(
 		handler.NewTable([]*handler.InitColumn{
-			handler.NewColumn(DeviceAuthColumnID, handler.ColumnTypeText),
-			handler.NewColumn(DeviceAuthColumnClientID, handler.ColumnTypeText),
-			handler.NewColumn(DeviceAuthColumnDeviceCode, handler.ColumnTypeText),
-			handler.NewColumn(DeviceAuthColumnUserCode, handler.ColumnTypeText),
-			handler.NewColumn(DeviceAuthColumnExpires, handler.ColumnTypeTimestamp),
-			handler.NewColumn(DeviceAuthColumnScopes, handler.ColumnTypeTextArray),
-			handler.NewColumn(DeviceAuthColumnState, handler.ColumnTypeEnum, handler.Default(domain.DeviceAuthStateInitiated)),
-			handler.NewColumn(DeviceAuthColumnSubject, handler.ColumnTypeText, handler.Default("")),
-			handler.NewColumn(DeviceAuthColumnCreationDate, handler.ColumnTypeTimestamp),
-			handler.NewColumn(DeviceAuthColumnChangeDate, handler.ColumnTypeTimestamp),
-			handler.NewColumn(DeviceAuthColumnSequence, handler.ColumnTypeInt64),
-			handler.NewColumn(DeviceAuthColumnInstanceID, handler.ColumnTypeText),
+			handler.NewColumn(DeviceAuthRequestColumnClientID, handler.ColumnTypeText),
+			handler.NewColumn(DeviceAuthRequestColumnDeviceCode, handler.ColumnTypeText),
+			handler.NewColumn(DeviceAuthRequestColumnUserCode, handler.ColumnTypeText),
+			handler.NewColumn(DeviceAuthRequestColumnScopes, handler.ColumnTypeTextArray),
+			handler.NewColumn(DeviceAuthRequestColumnCreationDate, handler.ColumnTypeTimestamp),
+			handler.NewColumn(DeviceAuthRequestColumnChangeDate, handler.ColumnTypeTimestamp),
+			handler.NewColumn(DeviceAuthRequestColumnSequence, handler.ColumnTypeInt64),
+			handler.NewColumn(DeviceAuthRequestColumnInstanceID, handler.ColumnTypeText),
 		},
-			handler.NewPrimaryKey(DeviceAuthColumnInstanceID, DeviceAuthColumnID),
-			handler.WithIndex(handler.NewIndex("user_code", []string{DeviceAuthColumnInstanceID, DeviceAuthColumnUserCode})),
-			handler.WithIndex(handler.NewIndex("device_code", []string{DeviceAuthColumnInstanceID, DeviceAuthColumnClientID, DeviceAuthColumnDeviceCode})),
+			handler.NewPrimaryKey(DeviceAuthRequestColumnInstanceID, DeviceAuthRequestColumnDeviceCode),
+			handler.WithIndex(handler.NewIndex("user_code", []string{DeviceAuthRequestColumnInstanceID, DeviceAuthRequestColumnUserCode})),
 		),
 	)
 }
 
-func (p *deviceAuthProjection) Reducers() []handler.AggregateReducer {
+func (p *deviceAuthRequestProjection) Reducers() []handler.AggregateReducer {
 	return []handler.AggregateReducer{
 		{
 			Aggregate: deviceauth.AggregateType,
@@ -73,22 +66,18 @@ func (p *deviceAuthProjection) Reducers() []handler.AggregateReducer {
 				},
 				{
 					Event:  deviceauth.ApprovedEventType,
-					Reduce: p.reduceAppoved,
+					Reduce: p.reduceDoneEvents,
 				},
 				{
 					Event:  deviceauth.CanceledEventType,
-					Reduce: p.reduceCanceled,
-				},
-				{
-					Event:  deviceauth.RemovedEventType,
-					Reduce: p.reduceRemoved,
+					Reduce: p.reduceDoneEvents,
 				},
 			},
 		},
 	}
 }
 
-func (p *deviceAuthProjection) reduceAdded(event eventstore.Event) (*handler.Statement, error) {
+func (p *deviceAuthRequestProjection) reduceAdded(event eventstore.Event) (*handler.Statement, error) {
 	e, ok := event.(*deviceauth.AddedEvent)
 	if !ok {
 		return nil, zerrors.ThrowInvalidArgumentf(nil, "HANDL-chu6O", "reduce.wrong.event.type %T != %s", event, deviceauth.AddedEventType)
@@ -96,66 +85,30 @@ func (p *deviceAuthProjection) reduceAdded(event eventstore.Event) (*handler.Sta
 	return handler.NewCreateStatement(
 		e,
 		[]handler.Column{
-			handler.NewCol(DeviceAuthColumnID, e.Aggregate().ID),
-			handler.NewCol(DeviceAuthColumnClientID, e.ClientID),
-			handler.NewCol(DeviceAuthColumnDeviceCode, e.DeviceCode),
-			handler.NewCol(DeviceAuthColumnUserCode, e.UserCode),
-			handler.NewCol(DeviceAuthColumnExpires, e.Expires),
-			handler.NewCol(DeviceAuthColumnScopes, e.Scopes),
-			handler.NewCol(DeviceAuthColumnCreationDate, e.CreationDate()),
-			handler.NewCol(DeviceAuthColumnChangeDate, e.CreationDate()),
-			handler.NewCol(DeviceAuthColumnSequence, e.Sequence()),
-			handler.NewCol(DeviceAuthColumnInstanceID, e.Aggregate().InstanceID),
+			handler.NewCol(DeviceAuthRequestColumnClientID, e.ClientID),
+			handler.NewCol(DeviceAuthRequestColumnDeviceCode, e.DeviceCode),
+			handler.NewCol(DeviceAuthRequestColumnUserCode, e.UserCode),
+			handler.NewCol(DeviceAuthRequestColumnScopes, e.Scopes),
+			handler.NewCol(DeviceAuthRequestColumnCreationDate, e.CreationDate()),
+			handler.NewCol(DeviceAuthRequestColumnChangeDate, e.CreationDate()),
+			handler.NewCol(DeviceAuthRequestColumnSequence, e.Sequence()),
+			handler.NewCol(DeviceAuthRequestColumnInstanceID, e.Aggregate().InstanceID),
 		},
 	), nil
 }
 
-func (p *deviceAuthProjection) reduceAppoved(event eventstore.Event) (*handler.Statement, error) {
-	e, ok := event.(*deviceauth.ApprovedEvent)
-	if !ok {
-		return nil, zerrors.ThrowInvalidArgumentf(nil, "HANDL-kei0A", "reduce.wrong.event.type %T != %s", event, deviceauth.ApprovedEventType)
-	}
-	return handler.NewUpdateStatement(e,
-		[]handler.Column{
-			handler.NewCol(DeviceAuthColumnState, domain.DeviceAuthStateApproved),
-			handler.NewCol(DeviceAuthColumnSubject, e.Subject),
-			handler.NewCol(DeviceAuthColumnChangeDate, e.CreationDate()),
-			handler.NewCol(DeviceAuthColumnSequence, e.Sequence()),
-		},
-		[]handler.Condition{
-			handler.NewCond(DeviceAuthColumnInstanceID, e.Aggregate().InstanceID),
-			handler.NewCond(DeviceAuthColumnID, e.Aggregate().ID),
-		},
-	), nil
-}
+// reduceDoneEvents removes the device auth request from the projection.
+func (p *deviceAuthRequestProjection) reduceDoneEvents(event eventstore.Event) (*handler.Statement, error) {
+	switch event.(type) {
+	case *deviceauth.ApprovedEvent, *deviceauth.CanceledEvent:
+		return handler.NewDeleteStatement(event,
+			[]handler.Condition{
+				handler.NewCond(DeviceAuthRequestColumnInstanceID, event.Aggregate().InstanceID),
+				handler.NewCond(DeviceAuthRequestColumnDeviceCode, event.Aggregate().ID),
+			},
+		), nil
 
-func (p *deviceAuthProjection) reduceCanceled(event eventstore.Event) (*handler.Statement, error) {
-	e, ok := event.(*deviceauth.CanceledEvent)
-	if !ok {
-		return nil, zerrors.ThrowInvalidArgumentf(nil, "HANDL-eeS8d", "reduce.wrong.event.type %T != %s", event, deviceauth.CanceledEventType)
+	default:
+		return nil, zerrors.ThrowInvalidArgumentf(nil, "HANDL-eeS8d", "reduce.wrong.event.type %T", event)
 	}
-	return handler.NewUpdateStatement(e,
-		[]handler.Column{
-			handler.NewCol(DeviceAuthColumnState, e.Reason.State()),
-			handler.NewCol(DeviceAuthColumnChangeDate, e.CreationDate()),
-			handler.NewCol(DeviceAuthColumnSequence, e.Sequence()),
-		},
-		[]handler.Condition{
-			handler.NewCond(DeviceAuthColumnInstanceID, e.Aggregate().InstanceID),
-			handler.NewCond(DeviceAuthColumnID, e.Aggregate().ID),
-		},
-	), nil
-}
-
-func (p *deviceAuthProjection) reduceRemoved(event eventstore.Event) (*handler.Statement, error) {
-	e, ok := event.(*deviceauth.RemovedEvent)
-	if !ok {
-		return nil, zerrors.ThrowInvalidArgumentf(nil, "HANDL-AJi1u", "reduce.wrong.event.type %T != %s", event, deviceauth.RemovedEventType)
-	}
-	return handler.NewDeleteStatement(e,
-		[]handler.Condition{
-			handler.NewCond(DeviceAuthColumnInstanceID, e.Aggregate().InstanceID),
-			handler.NewCond(DeviceAuthColumnID, e.Aggregate().ID),
-		},
-	), nil
 }