feat(oidc): id token for device authorization (#7088)

* cleanup todo * pass id token details to oidc * feat(oidc): id token for device authorization This changes updates to the newest oidc version, so the Device Authorization grant can return ID tokens when the scope `openid` is set. There is also some refactoring done, so that the eventstore can be queried directly when polling for state. The projection is cleaned up to a minimum with only data required for the login UI. * try to be explicit wit hthe timezone to fix github * pin oidc v3.8.0 * remove TBD entry
2025-08-11 21:07:31 +00:00 · 2023-12-20 14:21:08 +02:00
parent e15f6229cd
commit e22689c125
25 changed files with 629 additions and 621 deletions
--- a/internal/repository/deviceauth/device_auth.go
+++ b/internal/repository/deviceauth/device_auth.go
@@ -13,7 +13,6 @@ const (
 	AddedEventType                         = eventTypePrefix + "added"
 	ApprovedEventType                      = eventTypePrefix + "approved"
 	CanceledEventType                      = eventTypePrefix + "canceled"
-	RemovedEventType                       = eventTypePrefix + "removed"
 )

 type AddedEvent struct {
@@ -36,7 +35,7 @@ func (e *AddedEvent) Payload() any {
 }

 func (e *AddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
-	return NewAddUniqueConstraints(e.ClientID, e.DeviceCode, e.UserCode)
+	return NewAddUniqueConstraints(e.DeviceCode, e.UserCode)
 }

 func NewAddedEvent(
@@ -58,7 +57,9 @@ func NewAddedEvent(
 type ApprovedEvent struct {
 	*eventstore.BaseEvent `json:"-"`

-	Subject string
+	Subject         string
+	UserAuthMethods []domain.UserAuthMethodType
+	AuthTime        time.Time
 }

 func (e *ApprovedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
@@ -77,12 +78,16 @@ func NewApprovedEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
 	subject string,
+	userAuthMethods []domain.UserAuthMethodType,
+	authTime time.Time,
 ) *ApprovedEvent {
 	return &ApprovedEvent{
 		eventstore.NewBaseEventForPush(
 			ctx, aggregate, ApprovedEventType,
 		),
 		subject,
+		userAuthMethods,
+		authTime,
 	}
 }

@@ -107,36 +112,3 @@ func (e *CanceledEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
 func NewCanceledEvent(ctx context.Context, aggregate *eventstore.Aggregate, reason domain.DeviceAuthCanceled) *CanceledEvent {
 	return &CanceledEvent{eventstore.NewBaseEventForPush(ctx, aggregate, CanceledEventType), reason}
 }
-
-type RemovedEvent struct {
-	*eventstore.BaseEvent `json:"-"`
-
-	ClientID   string
-	DeviceCode string
-	UserCode   string
-}
-
-func (e *RemovedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
-	e.BaseEvent = b
-}
-
-func (e *RemovedEvent) Payload() any {
-	return e
-}
-
-func (e *RemovedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
-	return NewRemoveUniqueConstraints(e.ClientID, e.DeviceCode, e.UserCode)
-}
-
-func NewRemovedEvent(
-	ctx context.Context,
-	aggregate *eventstore.Aggregate,
-	clientID, deviceCode, userCode string,
-) *RemovedEvent {
-	return &RemovedEvent{
-		eventstore.NewBaseEventForPush(
-			ctx, aggregate, RemovedEventType,
-		),
-		clientID, deviceCode, userCode,
-	}
-}