perf(oidc): optimize client verification (#6999)

* fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2025-08-11 21:17:32 +00:00 · 2023-12-05 19:01:03 +02:00
parent 51cfb9564a
commit ec03340b67
46 changed files with 1666 additions and 781 deletions
--- a/internal/api/oidc/client_credentials.go
+++ b/internal/api/oidc/client_credentials.go
@@ -1,10 +1,15 @@
 package oidc

 import (
+	"context"
 	"time"

 	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/oidc/v3/pkg/op"
+
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query"
 )

 type clientCredentialsRequest struct {
@@ -28,15 +33,42 @@ func (c *clientCredentialsRequest) GetScopes() []string {
 	return c.scopes
 }

+func (s *Server) clientCredentialsAuth(ctx context.Context, clientID, clientSecret string) (op.Client, error) {
+	searchQuery, err := query.NewUserLoginNamesSearchQuery(clientID)
+	if err != nil {
+		return nil, err
+	}
+	user, err := s.query.GetUser(ctx, false, searchQuery)
+	if errors.IsNotFound(err) {
+		return nil, oidc.ErrInvalidClient().WithParent(err).WithDescription("client not found")
+	}
+	if err != nil {
+		return nil, err // defaults to server error
+	}
+	if user.Machine == nil || user.Machine.Secret == nil {
+		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-pieP8", "Errors.User.Machine.Secret.NotExisting")
+	}
+	if err = crypto.CompareHash(user.Machine.Secret, []byte(clientSecret), s.hashAlg); err != nil {
+		s.command.MachineSecretCheckFailed(ctx, user.ID, user.ResourceOwner)
+		return nil, errors.ThrowInvalidArgument(err, "OIDC-VoXo6", "Errors.User.Machine.Secret.Invalid")
+	}
+
+	s.command.MachineSecretCheckSucceeded(ctx, user.ID, user.ResourceOwner)
+	return &clientCredentialsClient{
+		id:   clientID,
+		user: user,
+	}, nil
+}
+
 type clientCredentialsClient struct {
-	id        string
-	tokenType op.AccessTokenType
+	id   string
+	user *query.User
 }

 // AccessTokenType returns the AccessTokenType for the token to be created because of the client credentials request
 // machine users currently only have opaque tokens ([op.AccessTokenTypeBearer])
 func (c *clientCredentialsClient) AccessTokenType() op.AccessTokenType {
-	return c.tokenType
+	return accessTokenTypeToOIDC(c.user.Machine.AccessTokenType)
 }

 // GetID returns the client_id (username of the machine user) for the token to be created because of the client credentials request