TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-01-07 23:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: remove oauth endpoints from oidc config proto (#2014)

Browse Source
This commit is contained in:
Fabi 2021-07-13 16:06:17 +02:00 committed by GitHub
parent 87ef8f454a
commit e630555a2a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 70 additions and 188 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/docs/apis/proto/admin.md
View File

@ -1144,12 +1144,10 @@ This is an empty request
| styling_type | zitadel.idp.v1.IDPStylingType | - | enum.defined_only: true<br /> | | styling_type | zitadel.idp.v1.IDPStylingType | - | enum.defined_only: true<br /> |
| client_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> | | client_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| client_secret | string | - | string.min_len: 1<br /> string.max_len: 200<br /> | | client_secret | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| issuer | string | Fill the issuer if the identity provider is oidc discovery compliant If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead | string.max_len: 200<br /> | | issuer | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| scopes | repeated string | - | | | scopes | repeated string | - | |
| display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> | | display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> |
| username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> | | username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> |
| authorization_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500<br /> |
| token_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500<br /> |
@ -2699,14 +2697,12 @@ This is an empty request
| Field | Type | Description | Validation | | Field | Type | Description | Validation |
| ----- | ---- | ----------- | ----------- | | ----- | ---- | ----------- | ----------- |
| idp_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> | | idp_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| issuer | string | Fill the issuer if the identity provider is oidc discovery compliant If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead | string.min_len: 1<br /> string.max_len: 200<br /> | | issuer | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| client_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> | | client_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| client_secret | string | - | string.max_len: 200<br /> | | client_secret | string | - | string.max_len: 200<br /> |
| scopes | repeated string | - | | | scopes | repeated string | - | |
| display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> | | display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> |
| username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> | | username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> |
| authorization_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500<br /> |
| token_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500<br /> |

2
docs/docs/apis/proto/idp.md
View File

@ -100,8 +100,6 @@ title: zitadel/idp.proto
| scopes | repeated string | - | | | scopes | repeated string | - | |
| display_name_mapping | OIDCMappingField | - | | | display_name_mapping | OIDCMappingField | - | |
| username_mapping | OIDCMappingField | - | | | username_mapping | OIDCMappingField | - | |
| authorization_endpoint | string | - | string.max_len: 500<br /> |
| token_endpoint | string | - | string.max_len: 500<br /> |

8
docs/docs/apis/proto/management.md
View File

@ -3019,12 +3019,10 @@ This is an empty request
| styling_type | zitadel.idp.v1.IDPStylingType | - | enum.defined_only: true<br /> | | styling_type | zitadel.idp.v1.IDPStylingType | - | enum.defined_only: true<br /> |
| client_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> | | client_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| client_secret | string | - | string.min_len: 1<br /> string.max_len: 200<br /> | | client_secret | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| issuer | string | Fill the issuer if the identity provider is oidc discovery compliant If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead | string.max_len: 200<br /> | | issuer | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| scopes | repeated string | - | | | scopes | repeated string | - | |
| display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> | | display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> |
| username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> | | username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> |
| authorization_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500<br /> |
| token_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500<br /> |
@ -6932,12 +6930,10 @@ This is an empty request
| idp_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> | | idp_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| client_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> | | client_id | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| client_secret | string | - | string.max_len: 200<br /> | | client_secret | string | - | string.max_len: 200<br /> |
| issuer | string | Fill the issuer if the identity provider is oidc discovery compliant If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead | string.min_len: 1<br /> string.max_len: 200<br /> | | issuer | string | - | string.min_len: 1<br /> string.max_len: 200<br /> |
| scopes | repeated string | - | | | scopes | repeated string | - | |
| display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> | | display_name_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> |
| username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> | | username_mapping | zitadel.idp.v1.OIDCMappingField | - | enum.defined_only: true<br /> |
| authorization_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500<br /> |
| token_endpoint | string | If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer | string.max_len: 500<br /> |

4
internal/api/grpc/admin/idp_converter.go
View File

@ -24,8 +24,6 @@ func addOIDCIDPRequestToDomainOIDCIDPConfig(req *admin_pb.AddOIDCIDPRequest) *do
ClientID: req.ClientId, ClientID: req.ClientId,
ClientSecretString: req.ClientSecret, ClientSecretString: req.ClientSecret,
Issuer: req.Issuer, Issuer: req.Issuer,
AuthorizationEndpoint: req.AuthorizationEndpoint,
TokenEndpoint: req.TokenEndpoint,
Scopes: req.Scopes, Scopes: req.Scopes,
IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping), IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping), UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),
@ -46,8 +44,6 @@ func updateOIDCConfigToDomain(req *admin_pb.UpdateIDPOIDCConfigRequest) *domain.
ClientID: req.ClientId, ClientID: req.ClientId,
ClientSecretString: req.ClientSecret, ClientSecretString: req.ClientSecret,
Issuer: req.Issuer, Issuer: req.Issuer,
AuthorizationEndpoint: req.AuthorizationEndpoint,
TokenEndpoint: req.TokenEndpoint,
Scopes: req.Scopes, Scopes: req.Scopes,
IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping), IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping), UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),

54
internal/api/grpc/admin/idp_converter_test.go
View File

@ -20,16 +20,14 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
name: "all fields filled", name: "all fields filled",
args: args{ args: args{
req: &admin_pb.AddOIDCIDPRequest{ req: &admin_pb.AddOIDCIDPRequest{
Name: "ZITADEL", Name: "ZITADEL",
StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE, StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE,
ClientId: "test1234", ClientId: "test1234",
ClientSecret: "test4321", ClientSecret: "test4321",
Issuer: "zitadel.ch", Issuer: "zitadel.ch",
AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize", Scopes: []string{"email", "profile"},
TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token", DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
Scopes: []string{"email", "profile"}, UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
}, },
}, },
}, },
@ -44,6 +42,8 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
"OIDCConfig.IDPConfigID", "OIDCConfig.IDPConfigID",
"IDPConfigID", "IDPConfigID",
"State", "State",
"OIDCConfig.AuthorizationEndpoint",
"OIDCConfig.TokenEndpoint",
"Type", //TODO: default (0) is oidc "Type", //TODO: default (0) is oidc
) )
}) })
@ -62,14 +62,12 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
name: "all fields filled", name: "all fields filled",
args: args{ args: args{
req: &admin_pb.AddOIDCIDPRequest{ req: &admin_pb.AddOIDCIDPRequest{
ClientId: "test1234", ClientId: "test1234",
ClientSecret: "test4321", ClientSecret: "test4321",
Issuer: "zitadel.ch", Issuer: "zitadel.ch",
AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize", Scopes: []string{"email", "profile"},
TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token", DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
Scopes: []string{"email", "profile"}, UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
}, },
}, },
}, },
@ -81,6 +79,8 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
"ObjectRoot", "ObjectRoot",
"ClientSecret", //TODO: is client secret string enough for backend? "ClientSecret", //TODO: is client secret string enough for backend?
"IDPConfigID", "IDPConfigID",
"AuthorizationEndpoint",
"TokenEndpoint",
) )
}) })
} }
@ -130,15 +130,13 @@ func Test_updateOIDCConfigToDomain(t *testing.T) {
name: "all fields filled", name: "all fields filled",
args: args{ args: args{
req: &admin_pb.UpdateIDPOIDCConfigRequest{ req: &admin_pb.UpdateIDPOIDCConfigRequest{
IdpId: "4208", IdpId: "4208",
Issuer: "zitadel.ch", Issuer: "zitadel.ch",
AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize", ClientId: "ZITEADEL",
TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token", ClientSecret: "i'm so secret",
ClientId: "ZITEADEL", Scopes: []string{"profile"},
ClientSecret: "i'm so secret", DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
Scopes: []string{"profile"}, UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
}, },
}, },
}, },
@ -149,6 +147,8 @@ func Test_updateOIDCConfigToDomain(t *testing.T) {
test.AssertFieldsMapped(t, got, test.AssertFieldsMapped(t, got,
"ObjectRoot", "ObjectRoot",
"ClientSecret", "ClientSecret",
"AuthorizationEndpoint",
"TokenEndpoint",
) )
}) })
} }

24
internal/api/grpc/idp/converter.go
View File

@ -133,13 +133,11 @@ func IDPStylingTypeToPb(stylingType domain.IDPConfigStylingType) idp_pb.IDPStyli
func ModelIDPViewToConfigPb(config *iam_model.IDPConfigView) *idp_pb.IDP_OidcConfig { func ModelIDPViewToConfigPb(config *iam_model.IDPConfigView) *idp_pb.IDP_OidcConfig {
return &idp_pb.IDP_OidcConfig{ return &idp_pb.IDP_OidcConfig{
OidcConfig: &idp_pb.OIDCConfig{ OidcConfig: &idp_pb.OIDCConfig{
ClientId: config.OIDCClientID, ClientId: config.OIDCClientID,
Issuer: config.OIDCIssuer, Issuer: config.OIDCIssuer,
Scopes: config.OIDCScopes, Scopes: config.OIDCScopes,
DisplayNameMapping: ModelMappingFieldToPb(config.OIDCIDPDisplayNameMapping), DisplayNameMapping: ModelMappingFieldToPb(config.OIDCIDPDisplayNameMapping),
UsernameMapping: ModelMappingFieldToPb(config.OIDCUsernameMapping), UsernameMapping: ModelMappingFieldToPb(config.OIDCUsernameMapping),
AuthorizationEndpoint: config.OAuthAuthorizationEndpoint,
TokenEndpoint: config.OAuthTokenEndpoint,
}, },
} }
} }
@ -147,13 +145,11 @@ func ModelIDPViewToConfigPb(config *iam_model.IDPConfigView) *idp_pb.IDP_OidcCon
func IDPViewToConfigPb(config *domain.IDPConfigView) *idp_pb.IDP_OidcConfig { func IDPViewToConfigPb(config *domain.IDPConfigView) *idp_pb.IDP_OidcConfig {
return &idp_pb.IDP_OidcConfig{ return &idp_pb.IDP_OidcConfig{
OidcConfig: &idp_pb.OIDCConfig{ OidcConfig: &idp_pb.OIDCConfig{
ClientId: config.OIDCClientID, ClientId: config.OIDCClientID,
Issuer: config.OIDCIssuer, Issuer: config.OIDCIssuer,
AuthorizationEndpoint: config.OAuthAuthorizationEndpoint, Scopes: config.OIDCScopes,
TokenEndpoint: config.OAuthTokenEndpoint, DisplayNameMapping: MappingFieldToPb(config.OIDCIDPDisplayNameMapping),
Scopes: config.OIDCScopes, UsernameMapping: MappingFieldToPb(config.OIDCUsernameMapping),
DisplayNameMapping: MappingFieldToPb(config.OIDCIDPDisplayNameMapping),
UsernameMapping: MappingFieldToPb(config.OIDCUsernameMapping),
}, },
} }
} }

4
internal/api/grpc/management/idp_converter.go
View File

@ -24,8 +24,6 @@ func addOIDCIDPRequestToDomainOIDCIDPConfig(req *mgmt_pb.AddOrgOIDCIDPRequest) *
ClientID: req.ClientId, ClientID: req.ClientId,
ClientSecretString: req.ClientSecret, ClientSecretString: req.ClientSecret,
Issuer: req.Issuer, Issuer: req.Issuer,
AuthorizationEndpoint: req.AuthorizationEndpoint,
TokenEndpoint: req.TokenEndpoint,
Scopes: req.Scopes, Scopes: req.Scopes,
IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping), IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping), UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),
@ -46,8 +44,6 @@ func updateOIDCConfigToDomain(req *mgmt_pb.UpdateOrgIDPOIDCConfigRequest) *domai
ClientID: req.ClientId, ClientID: req.ClientId,
ClientSecretString: req.ClientSecret, ClientSecretString: req.ClientSecret,
Issuer: req.Issuer, Issuer: req.Issuer,
AuthorizationEndpoint: req.AuthorizationEndpoint,
TokenEndpoint: req.TokenEndpoint,
Scopes: req.Scopes, Scopes: req.Scopes,
IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping), IDPDisplayNameMapping: idp_grpc.MappingFieldToDomain(req.DisplayNameMapping),
UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping), UsernameMapping: idp_grpc.MappingFieldToDomain(req.UsernameMapping),

54
internal/api/grpc/management/idp_converter_test.go
View File

@ -20,16 +20,14 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
name: "all fields filled", name: "all fields filled",
args: args{ args: args{
req: &mgmt_pb.AddOrgOIDCIDPRequest{ req: &mgmt_pb.AddOrgOIDCIDPRequest{
Name: "ZITADEL", Name: "ZITADEL",
StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE, StylingType: idp.IDPStylingType_STYLING_TYPE_GOOGLE,
ClientId: "test1234", ClientId: "test1234",
ClientSecret: "test4321", ClientSecret: "test4321",
Issuer: "zitadel.ch", Issuer: "zitadel.ch",
AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize", Scopes: []string{"email", "profile"},
TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token", DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
Scopes: []string{"email", "profile"}, UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
}, },
}, },
}, },
@ -44,6 +42,8 @@ func Test_addOIDCIDPRequestToDomain(t *testing.T) {
"OIDCConfig.IDPConfigID", "OIDCConfig.IDPConfigID",
"IDPConfigID", "IDPConfigID",
"State", "State",
"OIDCConfig.AuthorizationEndpoint",
"OIDCConfig.TokenEndpoint",
"Type", //TODO: default (0) is oidc "Type", //TODO: default (0) is oidc
) )
}) })
@ -62,14 +62,12 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
name: "all fields filled", name: "all fields filled",
args: args{ args: args{
req: &mgmt_pb.AddOrgOIDCIDPRequest{ req: &mgmt_pb.AddOrgOIDCIDPRequest{
ClientId: "test1234", ClientId: "test1234",
ClientSecret: "test4321", ClientSecret: "test4321",
Issuer: "zitadel.ch", Issuer: "zitadel.ch",
AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize", Scopes: []string{"email", "profile"},
TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token", DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
Scopes: []string{"email", "profile"}, UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
}, },
}, },
}, },
@ -81,6 +79,8 @@ func Test_addOIDCIDPRequestToDomainOIDCIDPConfig(t *testing.T) {
"ObjectRoot", "ObjectRoot",
"ClientSecret", //TODO: is client secret string enough for backend? "ClientSecret", //TODO: is client secret string enough for backend?
"IDPConfigID", "IDPConfigID",
"AuthorizationEndpoint",
"TokenEndpoint",
) )
}) })
} }
@ -130,15 +130,13 @@ func Test_updateOIDCConfigToDomain(t *testing.T) {
name: "all fields filled", name: "all fields filled",
args: args{ args: args{
req: &mgmt_pb.UpdateOrgIDPOIDCConfigRequest{ req: &mgmt_pb.UpdateOrgIDPOIDCConfigRequest{
IdpId: "4208", IdpId: "4208",
Issuer: "zitadel.ch", Issuer: "zitadel.ch",
AuthorizationEndpoint: "https://accounts.zitadel.ch/oauth/v2/authorize", ClientId: "ZITEADEL",
TokenEndpoint: "https://api.zitadel.ch/oauth/v2/token", ClientSecret: "i'm so secret",
ClientId: "ZITEADEL", Scopes: []string{"profile"},
ClientSecret: "i'm so secret", DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
Scopes: []string{"profile"}, UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
DisplayNameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_EMAIL,
UsernameMapping: idp.OIDCMappingField_OIDC_MAPPING_FIELD_PREFERRED_USERNAME,
}, },
}, },
}, },
@ -149,6 +147,8 @@ func Test_updateOIDCConfigToDomain(t *testing.T) {
test.AssertFieldsMapped(t, got, test.AssertFieldsMapped(t, got,
"ObjectRoot", "ObjectRoot",
"ClientSecret", "ClientSecret",
"AuthorizationEndpoint",
"TokenEndpoint",
) )
}) })
} }

42
proto/zitadel/admin.proto
View File

@ -2353,10 +2353,8 @@ message AddOIDCIDPRequest {
max_length: 200; max_length: 200;
} }
]; ];
// Fill the issuer if the identity provider is oidc discovery compliant
// If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead
string issuer = 5 [ string issuer = 5 [
(validate.rules).string = {max_len: 200}, (validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com\""; example: "\"https://accounts.google.com\"";
description: "the oidc issuer of the identity provider"; description: "the oidc issuer of the identity provider";
@ -2381,24 +2379,6 @@ message AddOIDCIDPRequest {
description: "definition which field is mapped to the email of the user"; description: "definition which field is mapped to the email of the user";
} }
]; ];
// If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
string authorization_endpoint = 9 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
description: "the oauth2 authorization endpoint of the identity provider";
max_length: 500;
}
];
// If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
string token_endpoint = 10 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://oauth2.googleapis.com/token\"";
description: "the oauth2 token endpoint of the identity provider";
max_length: 500;
}
];
} }
message AddOIDCIDPResponse { message AddOIDCIDPResponse {
@ -2511,8 +2491,6 @@ message UpdateIDPOIDCConfigRequest {
max_length: 200; max_length: 200;
} }
]; ];
// Fill the issuer if the identity provider is oidc discovery compliant
// If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead
string issuer = 2 [ string issuer = 2 [
(validate.rules).string = {min_len: 1, max_len: 200}, (validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@ -2555,24 +2533,6 @@ message UpdateIDPOIDCConfigRequest {
description: "definition which field is mapped to the email of the user"; description: "definition which field is mapped to the email of the user";
} }
]; ];
// If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
string authorization_endpoint = 8 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
description: "the oauth2 authorization endpoint of the identity provider";
max_length: 500;
}
];
// If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
string token_endpoint = 9 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://oauth2.googleapis.com/token\"";
description: "the oauth2 token endpoint of the identity provider";
max_length: 500;
}
];
} }
message UpdateIDPOIDCConfigResponse { message UpdateIDPOIDCConfigResponse {

16
proto/zitadel/idp.proto
View File

@ -153,22 +153,6 @@ message OIDCConfig {
description: "definition which field is mapped to the email of the user"; description: "definition which field is mapped to the email of the user";
} }
]; ];
string authorization_endpoint = 6 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
description: "the oauth2 authorization endpoint of the identity provider";
max_length: 500;
}
];
string token_endpoint = 7 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://oauth2.googleapis.com/token\"";
description: "the oauth2 token endpoint of the identity provider";
max_length: 500;
}
];
} }
enum OIDCMappingField { enum OIDCMappingField {

42
proto/zitadel/management.proto
View File

@ -4603,10 +4603,8 @@ message AddOrgOIDCIDPRequest {
description: "client secret generated by the identity provider"; description: "client secret generated by the identity provider";
} }
]; ];
// Fill the issuer if the identity provider is oidc discovery compliant
// If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead
string issuer = 5 [ string issuer = 5 [
(validate.rules).string = {max_len: 200}, (validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com\""; example: "\"https://accounts.google.com\"";
description: "the oidc issuer of the identity provider"; description: "the oidc issuer of the identity provider";
@ -4630,24 +4628,6 @@ message AddOrgOIDCIDPRequest {
description: "definition which field is mapped to the email of the user"; description: "definition which field is mapped to the email of the user";
} }
]; ];
// If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
string authorization_endpoint = 9 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
description: "the oauth2 authorization endpoint of the identity provider";
max_length: 500;
}
];
// If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
string token_endpoint = 10 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://oauth2.googleapis.com/token\"";
description: "the oauth2 token endpoint of the identity provider";
max_length: 500;
}
];
} }
message AddOrgOIDCIDPResponse { message AddOrgOIDCIDPResponse {
@ -4718,8 +4698,6 @@ message UpdateOrgIDPOIDCConfigRequest {
description: "client secret generated by the identity provider. If empty the secret is not overwritten"; description: "client secret generated by the identity provider. If empty the secret is not overwritten";
} }
]; ];
// Fill the issuer if the identity provider is oidc discovery compliant
// If the identity provider is only oauth2 compliant or does not serve a openid configuration, fill the authorization and token endpoint instead
string issuer = 4 [ string issuer = 4 [
(validate.rules).string = {min_len: 1, max_len: 200}, (validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@ -4745,24 +4723,6 @@ message UpdateOrgIDPOIDCConfigRequest {
description: "definition which field is mapped to the email of the user"; description: "definition which field is mapped to the email of the user";
} }
]; ];
// If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
string authorization_endpoint = 8 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
description: "the oauth2 authorization endpoint of the identity provider";
max_length: 500;
}
];
// If the identity provider does not serve an openid configuration, fill the authorization and token endpoint instead of the issuer
string token_endpoint = 9 [
(validate.rules).string = {max_len: 500},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://oauth2.googleapis.com/token\"";
description: "the oauth2 token endpoint of the identity provider";
max_length: 500;
}
];
} }
message UpdateOrgIDPOIDCConfigResponse { message UpdateOrgIDPOIDCConfigResponse {