From e630555a2adaed40ffbc58c8e7a56418362194d8 Mon Sep 17 00:00:00 2001
From: Fabi <38692350+fgerschwiler@users.noreply.github.com>
Date: Tue, 13 Jul 2021 16:06:17 +0200
Subject: [PATCH] fix: remove oauth endpoints from oidc config proto (#2014)
---
docs/docs/apis/proto/admin.md | 8 +--
docs/docs/apis/proto/idp.md | 2 -
docs/docs/apis/proto/management.md | 8 +--
internal/api/grpc/admin/idp_converter.go | 4 --
internal/api/grpc/admin/idp_converter_test.go | 54 +++++++++----------
internal/api/grpc/idp/converter.go | 24 ++++-----
internal/api/grpc/management/idp_converter.go | 4 --
.../api/grpc/management/idp_converter_test.go | 54 +++++++++----------
proto/zitadel/admin.proto | 42 +--------------
proto/zitadel/idp.proto | 16 ------
proto/zitadel/management.proto | 42 +--------------
11 files changed, 70 insertions(+), 188 deletions(-)
diff --git a/docs/docs/apis/proto/admin.md b/docs/docs/apis/proto/admin.md
index 59b19c0199..d365002573 100644
--- a/docs/docs/apis/proto/admin.md
+++ b/docs/docs/apis/proto/admin.md
@@ -1144,12 +1144,10 @@ This is an empty request
| styling_type | zitadel.idp.v1.IDPStylingType | - | enum.defined_only: true
|
| client_id | string | - | string.min_len: 1
string.max_len: 200
|
| client_secret | string | - | string.min_len: 1
string.max_len: 200
|
-| issuer | string | Fill the issuer if the identity provider is oidc discovery compliant If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead | string.max_len: 200
|
+| issuer | string | - | string.min_len: 1
string.max_len: 200
|
| scopes | repeated string | - | |
| display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true
|
| username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true
|
-| authorization_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500
|
-| token_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500
|
@@ -2699,14 +2697,12 @@ This is an empty request
| Field | Type | Description | Validation |
| ----- | ---- | ----------- | ----------- |
| idp_id | string | - | string.min_len: 1
string.max_len: 200
|
-| issuer | string | Fill the issuer if the identity provider is oidc discovery compliant If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead | string.min_len: 1
string.max_len: 200
|
+| issuer | string | - | string.min_len: 1
string.max_len: 200
|
| client_id | string | - | string.min_len: 1
string.max_len: 200
|
| client_secret | string | - | string.max_len: 200
|
| scopes | repeated string | - | |
| display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true
|
| username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true
|
-| authorization_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500
|
-| token_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500
|
diff --git a/docs/docs/apis/proto/idp.md b/docs/docs/apis/proto/idp.md
index 28e95ca36e..de646c8879 100644
--- a/docs/docs/apis/proto/idp.md
+++ b/docs/docs/apis/proto/idp.md
@@ -100,8 +100,6 @@ title: zitadel/idp.proto
| scopes | repeated string | - | |
| display_name_mapping | OIDCMappingField | - | |
| username_mapping | OIDCMappingField | - | |
-| authorization_endpoint | string | - | string.max_len: 500
|
-| token_endpoint | string | - | string.max_len: 500
|
diff --git a/docs/docs/apis/proto/management.md b/docs/docs/apis/proto/management.md
index e314bca3ce..5ab662c423 100644
--- a/docs/docs/apis/proto/management.md
+++ b/docs/docs/apis/proto/management.md
@@ -3019,12 +3019,10 @@ This is an empty request
| styling_type | zitadel.idp.v1.IDPStylingType | - | enum.defined_only: true
|
| client_id | string | - | string.min_len: 1
string.max_len: 200
|
| client_secret | string | - | string.min_len: 1
string.max_len: 200
|
-| issuer | string | Fill the issuer if the identity provider is oidc discovery compliant If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead | string.max_len: 200
|
+| issuer | string | - | string.min_len: 1
string.max_len: 200
|
| scopes | repeated string | - | |
| display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true
|
| username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true
|
-| authorization_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500
|
-| token_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500
|
@@ -6932,12 +6930,10 @@ This is an empty request
| idp_id | string | - | string.min_len: 1
string.max_len: 200
|
| client_id | string | - | string.min_len: 1
string.max_len: 200
|
| client_secret | string | - | string.max_len: 200
|
-| issuer | string | Fill the issuer if the identity provider is oidc discovery compliant If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead | string.min_len: 1
string.max_len: 200
|
+| issuer | string | - | string.min_len: 1
string.max_len: 200
|
| scopes | repeated string | - | |
| display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true
|
| username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true
|
-| authorization_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500
|
-| token_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500
|
diff --git a/internal/api/grpc/admin/idp_converter.go b/internal/api/grpc/admin/idp_converter.go
index 6e62e3a011..c74eff76d1 100644
--- a/internal/api/grpc/admin/idp_converter.go
+++ b/internal/api/grpc/admin/idp_converter.go
@@ -24,8 +24,6 @@ func addOIDCIDPRequestToDomainOIDCIDPConfig(req *admin_pb.AddOIDCIDPRequest) *do
ClientID: req.ClientId,
ClientSecretString: req.ClientSecret,
Issuer: req.Issuer,
- AuthorizationEndpoint: req.AuthorizationEndpoint,
- TokenEndpoint: req.TokenEndpoint,
Scopes: req.Scopes,
IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),
@@ -46,8 +44,6 @@ func updateOIDCConfigToDomain(req *admin_pb.UpdateIDPOIDCConfigRequest) *domain.
ClientID: req.ClientId,
ClientSecretString: req.ClientSecret,
Issuer: req.Issuer,
- AuthorizationEndpoint: req.AuthorizationEndpoint,
- TokenEndpoint: req.TokenEndpoint,
Scopes: req.Scopes,
IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),
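Review bot: `updateOIDCConfigToDomain` no longer sets `AuthorizationEndpoint` and `TokenEndpoint`, yet the domain struct evidently still carries them (the converter tests in this commit now list both as unmapped), so an update hands zero values to the command layer; whether that clears a previously stored endpoint or leaves a stale one depends on code outside this hunk and should be confirmed and documented, e.g. with `// AuthorizationEndpoint/TokenEndpoint are no longer accepted via the API; stored values are left untouched` (or "cleared", whichever is the case). The management converter hunks for `addOIDCIDPRequestToDomainOIDCIDPConfig` and `updateOIDCConfigToDomain` raise the same question. The enclosing function starts outside the hunk.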
diff --git a/internal/api/grpc/admin/idp_converter_test.go b/internal/api/grpc/admin/idp_converter_test.go
index a716e55c12..19b990dc10 100644
--- a/internal/api/grpc/admin/idp_converter_test.go
+++ b/internal/api/grpc/admin/idp_converter_test.go
@@ -20,16 +20,14 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
name: "all fields filled",
args: args{
req: &admin_pb.AddOIDCIDPRequest{
- Name: "ZITADEL",
- StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE,
- ClientId: "test1234",
- ClientSecret: "test4321",
- Issuer: "zitadel.ch",
- AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize",
- TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token",
- Scopes: []string{"email", "profile"},
- DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
- UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
+ Name: "ZITADEL",
+ StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE,
+ ClientId: "test1234",
+ ClientSecret: "test4321",
+ Issuer: "zitadel.ch",
+ Scopes: []string{"email", "profile"},
+ DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
+ UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
},
},
},
@@ -44,6 +42,8 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
"OIDCConfig.IDPConfigID",
"IDPConfigID",
"State",
+ "OIDCConfig.AuthorizationEndpoint",
+ "OIDCConfig.TokenEndpoint",
"Type", //TODO: default (0) is oidc
)
})
@@ -62,14 +62,12 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
name: "all fields filled",
args: args{
req: &admin_pb.AddOIDCIDPRequest{
- ClientId: "test1234",
- ClientSecret: "test4321",
- Issuer: "zitadel.ch",
- AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize",
- TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token",
- Scopes: []string{"email", "profile"},
- DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
- UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
+ ClientId: "test1234",
+ ClientSecret: "test4321",
+ Issuer: "zitadel.ch",
+ Scopes: []string{"email", "profile"},
+ DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
+ UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
},
},
},
@@ -81,6 +79,8 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
"ObjectRoot",
"ClientSecret", //TODO: is client secret string enough for backend?
"IDPConfigID",
+ "AuthorizationEndpoint",
+ "TokenEndpoint",
)
})
}
@@ -130,15 +130,13 @@ func Test_updateOIDCConfigToDomain(t *testing.T) {
name: "all fields filled",
args: args{
req: &admin_pb.UpdateIDPOIDCConfigRequest{
- IdpId: "4208",
- Issuer: "zitadel.ch",
- AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize",
- TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token",
- ClientId: "ZITEADEL",
- ClientSecret: "i'm so secret",
- Scopes: []string{"profile"},
- DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
- UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
+ IdpId: "4208",
+ Issuer: "zitadel.ch",
+ ClientId: "ZITEADEL",
+ ClientSecret: "i'm so secret",
+ Scopes: []string{"profile"},
+ DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
+ UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
},
},
},
@@ -149,6 +147,8 @@ func Test_updateOIDCConfigToDomain(t *testing.T) {
test.AssertFieldsMapped(t, got,
"ObjectRoot",
"ClientSecret",
+ "AuthorizationEndpoint",
+ "TokenEndpoint",
)
})
}
diff --git a/internal/api/grpc/idp/converter.go b/internal/api/grpc/idp/converter.go
index d5232b6658..79778d6743 100644
--- a/internal/api/grpc/idp/converter.go
+++ b/internal/api/grpc/idp/converter.go
@@ -133,13 +133,11 @@ func IDPStylingTypeToPb(stylingType domain.IDPConfigStylingType) idp_pb.IDPStyli
func ModelIDPViewToConfigPb(config *iam_model.IDPConfigView) *idp_pb.IDP_OidcConfig {
return &idp_pb.IDP_OidcConfig{
OidcConfig: &idp_pb.OIDCConfig{
- ClientId: config.OIDCClientID,
- Issuer: config.OIDCIssuer,
- Scopes: config.OIDCScopes,
- DisplayNameMapping: ModelMappingFieldToPb(config.OIDCIDPDisplayNameMapping),
- UsernameMapping: ModelMappingFieldToPb(config.OIDCUsernameMapping),
- AuthorizationEndpoint: config.OAuthAuthorizationEndpoint,
- TokenEndpoint: config.OAuthTokenEndpoint,
+ ClientId: config.OIDCClientID,
+ Issuer: config.OIDCIssuer,
+ Scopes: config.OIDCScopes,
+ DisplayNameMapping: ModelMappingFieldToPb(config.OIDCIDPDisplayNameMapping),
+ UsernameMapping: ModelMappingFieldToPb(config.OIDCUsernameMapping),
},
}
}
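Review bot: `ModelIDPViewToConfigPb` drops the mapping of `config.OAuthAuthorizationEndpoint` and `config.OAuthTokenEndpoint`, so an IDP config created under the previous schema (where `issuer` had only `max_len` and the endpoints could stand in for it) would still be stored with those endpoints but no longer be visible through the API, and with `issuer` now validated `min_len: 1` it may not be updatable without re-creation. If such configs can exist in deployed systems, a data migration or at least a log line when an endpoint-only config is read seems warranted; `IDPViewToConfigPb` in the next hunk behaves the same way. Both functions are fully visible in their hunks.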
@@ -147,13 +145,11 @@ func ModelIDPViewToConfigPb(config *iam_model.IDPConfigView) *idp_pb.IDP_OidcCon
func IDPViewToConfigPb(config *domain.IDPConfigView) *idp_pb.IDP_OidcConfig {
return &idp_pb.IDP_OidcConfig{
OidcConfig: &idp_pb.OIDCConfig{
- ClientId: config.OIDCClientID,
- Issuer: config.OIDCIssuer,
- AuthorizationEndpoint: config.OAuthAuthorizationEndpoint,
- TokenEndpoint: config.OAuthTokenEndpoint,
- Scopes: config.OIDCScopes,
- DisplayNameMapping: MappingFieldToPb(config.OIDCIDPDisplayNameMapping),
- UsernameMapping: MappingFieldToPb(config.OIDCUsernameMapping),
+ ClientId: config.OIDCClientID,
+ Issuer: config.OIDCIssuer,
+ Scopes: config.OIDCScopes,
+ DisplayNameMapping: MappingFieldToPb(config.OIDCIDPDisplayNameMapping),
+ UsernameMapping: MappingFieldToPb(config.OIDCUsernameMapping),
},
}
}
diff --git a/internal/api/grpc/management/idp_converter.go b/internal/api/grpc/management/idp_converter.go
index a3a8125c0d..241e3be779 100644
--- a/internal/api/grpc/management/idp_converter.go
+++ b/internal/api/grpc/management/idp_converter.go
@@ -24,8 +24,6 @@ func addOIDCIDPRequestToDomainOIDCIDPConfig(req *mgmt_pb.AddOrgOIDCIDPRequest) *
ClientID: req.ClientId,
ClientSecretString: req.ClientSecret,
Issuer: req.Issuer,
- AuthorizationEndpoint: req.AuthorizationEndpoint,
- TokenEndpoint: req.TokenEndpoint,
Scopes: req.Scopes,
IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),
@@ -46,8 +44,6 @@ func updateOIDCConfigToDomain(req *mgmt_pb.UpdateOrgIDPOIDCConfigRequest) *domai
ClientID: req.ClientId,
ClientSecretString: req.ClientSecret,
Issuer: req.Issuer,
- AuthorizationEndpoint: req.AuthorizationEndpoint,
- TokenEndpoint: req.TokenEndpoint,
Scopes: req.Scopes,
IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),
diff --git a/internal/api/grpc/management/idp_converter_test.go b/internal/api/grpc/management/idp_converter_test.go
index 9db7683d11..254808d74c 100644
--- a/internal/api/grpc/management/idp_converter_test.go
+++ b/internal/api/grpc/management/idp_converter_test.go
@@ -20,16 +20,14 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
name: "all fields filled",
args: args{
req: &mgmt_pb.AddOrgOIDCIDPRequest{
- Name: "ZITADEL",
- StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE,
- ClientId: "test1234",
- ClientSecret: "test4321",
- Issuer: "zitadel.ch",
- AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize",
- TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token",
- Scopes: []string{"email", "profile"},
- DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
- UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
+ Name: "ZITADEL",
+ StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE,
+ ClientId: "test1234",
+ ClientSecret: "test4321",
+ Issuer: "zitadel.ch",
+ Scopes: []string{"email", "profile"},
+ DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
+ UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
},
},
},
@@ -44,6 +42,8 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
"OIDCConfig.IDPConfigID",
"IDPConfigID",
"State",
+ "OIDCConfig.AuthorizationEndpoint",
+ "OIDCConfig.TokenEndpoint",
"Type", //TODO: default (0) is oidc
)
})
@@ -62,14 +62,12 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
name: "all fields filled",
args: args{
req: &mgmt_pb.AddOrgOIDCIDPRequest{
- ClientId: "test1234",
- ClientSecret: "test4321",
- Issuer: "zitadel.ch",
- AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize",
- TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token",
- Scopes: []string{"email", "profile"},
- DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
- UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
+ ClientId: "test1234",
+ ClientSecret: "test4321",
+ Issuer: "zitadel.ch",
+ Scopes: []string{"email", "profile"},
+ DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
+ UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
},
},
},
@@ -81,6 +79,8 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
"ObjectRoot",
"ClientSecret", //TODO: is client secret string enough for backend?
"IDPConfigID",
+ "AuthorizationEndpoint",
+ "TokenEndpoint",
)
})
}
@@ -130,15 +130,13 @@ func Test_updateOIDCConfigToDomain(t *testing.T) {
name: "all fields filled",
args: args{
req: &mgmt_pb.UpdateOrgIDPOIDCConfigRequest{
- IdpId: "4208",
- Issuer: "zitadel.ch",
- AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize",
- TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token",
- ClientId: "ZITEADEL",
- ClientSecret: "i'm so secret",
- Scopes: []string{"profile"},
- DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
- UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
+ IdpId: "4208",
+ Issuer: "zitadel.ch",
+ ClientId: "ZITEADEL",
+ ClientSecret: "i'm so secret",
+ Scopes: []string{"profile"},
+ DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
+ UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
},
},
},
@@ -149,6 +147,8 @@ func Test_updateOIDCConfigToDomain(t *testing.T) {
test.AssertFieldsMapped(t, got,
"ObjectRoot",
"ClientSecret",
+ "AuthorizationEndpoint",
+ "TokenEndpoint",
)
})
}
diff --git a/proto/zitadel/admin.proto b/proto/zitadel/admin.proto
index 908946a344..c7a041e08d 100644
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@@ -2353,10 +2353,8 @@ message AddOIDCIDPRequest {
max_length: 200;
}
];
- // Fill the issuer if the identity provider is oidc discovery compliant
- // If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead
string issuer = 5 [
- (validate.rules).string = {max_len: 200},
+ (validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com\"";
description: "the oidc issuer of the identity provider";
@@ -2381,24 +2379,6 @@ message AddOIDCIDPRequest {
description: "definition which field is mapped to the email of the user";
}
];
- // If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
- string authorization_endpoint = 9 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
- description: "the oauth2 authorization endpoint of the identity provider";
- max_length: 500;
- }
- ];
- // If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
- string token_endpoint = 10 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://oauth2.googleapis.com/token\"";
- description: "the oauth2 token endpoint of the identity provider";
- max_length: 500;
- }
- ];
}
message AddOIDCIDPResponse {
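Review bot: The deleted fields `authorization_endpoint = 9` and `token_endpoint = 10` leave their numbers and names free for reuse; since field numbers identify data on the wire and the names live on in JSON and generated code, `AddOIDCIDPRequest` should reserve them: `reserved 9, 10;` and `reserved "authorization_endpoint", "token_endpoint";`. The same applies to the other deletions in this commit: `UpdateIDPOIDCConfigRequest` (8, 9), `OIDCConfig` in idp.proto (6, 7), and in management.proto `AddOrgOIDCIDPRequest` (9, 10) and `UpdateOrgIDPOIDCConfigRequest` (8, 9). Clients that still send these fields will now have them parsed as unknown fields and silently ignored rather than rejected, which is worth stating in the release notes. The message bodies start outside the hunk.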
@@ -2511,8 +2491,6 @@ message UpdateIDPOIDCConfigRequest {
max_length: 200;
}
];
- // Fill the issuer if the identity provider is oidc discovery compliant
- // If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead
string issuer = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -2555,24 +2533,6 @@ message UpdateIDPOIDCConfigRequest {
description: "definition which field is mapped to the email of the user";
}
];
- // If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
- string authorization_endpoint = 8 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
- description: "the oauth2 authorization endpoint of the identity provider";
- max_length: 500;
- }
- ];
- // If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
- string token_endpoint = 9 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://oauth2.googleapis.com/token\"";
- description: "the oauth2 token endpoint of the identity provider";
- max_length: 500;
- }
- ];
}
message UpdateIDPOIDCConfigResponse {
diff --git a/proto/zitadel/idp.proto b/proto/zitadel/idp.proto
index dbdfc21caa..d6fb1a6884 100644
--- a/proto/zitadel/idp.proto
+++ b/proto/zitadel/idp.proto
@@ -153,22 +153,6 @@ message OIDCConfig {
description: "definition which field is mapped to the email of the user";
}
];
- string authorization_endpoint = 6 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
- description: "the oauth2 authorization endpoint of the identity provider";
- max_length: 500;
- }
- ];
- string token_endpoint = 7 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://oauth2.googleapis.com/token\"";
- description: "the oauth2 token endpoint of the identity provider";
- max_length: 500;
- }
- ];
}
enum OIDCMappingField {
diff --git a/proto/zitadel/management.proto b/proto/zitadel/management.proto
index 4f409457c5..ef8afd749f 100644
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@@ -4603,10 +4603,8 @@ message AddOrgOIDCIDPRequest {
description: "client secret generated by the identity provider";
}
];
- // Fill the issuer if the identity provider is oidc discovery compliant
- // If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead
string issuer = 5 [
- (validate.rules).string = {max_len: 200},
+ (validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com\"";
description: "the oidc issuer of the identity provider";
@@ -4630,24 +4628,6 @@ message AddOrgOIDCIDPRequest {
description: "definition which field is mapped to the email of the user";
}
];
- // If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
- string authorization_endpoint = 9 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
- description: "the oauth2 authorization endpoint of the identity provider";
- max_length: 500;
- }
- ];
- // If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
- string token_endpoint = 10 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://oauth2.googleapis.com/token\"";
- description: "the oauth2 token endpoint of the identity provider";
- max_length: 500;
- }
- ];
}
message AddOrgOIDCIDPResponse {
@@ -4718,8 +4698,6 @@ message UpdateOrgIDPOIDCConfigRequest {
description: "client secret generated by the identity provider. If empty the secret is not overwritten";
}
];
- // Fill the issuer if the identity provider is oidc discovery compliant
- // If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead
string issuer = 4 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -4745,24 +4723,6 @@ message UpdateOrgIDPOIDCConfigRequest {
description: "definition which field is mapped to the email of the user";
}
];
- // If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
- string authorization_endpoint = 8 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
- description: "the oauth2 authorization endpoint of the identity provider";
- max_length: 500;
- }
- ];
- // If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
- string token_endpoint = 9 [
- (validate.rules).string = {max_len: 500},
- (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
- example: "\"https://oauth2.googleapis.com/token\"";
- description: "the oauth2 token endpoint of the identity provider";
- max_length: 500;
- }
- ];
}
message UpdateOrgIDPOIDCConfigResponse {