perf(oidc): optimize client verification (#6999)

* fix some spelling errors * client credential auth * implementation of client auth * improve error handling * unit test command package * unit test database package * unit test query package * cleanup unused tracing func * fix integration tests * errz to zerrors * fix linting and import issues * fix another linting error * integration test with client secret * Revert "integration test with client secret" This reverts commit 0814ba522f. * add integration tests * client credentials integration test * resolve comments * pin oidc v3.5.0
2025-08-11 21:17:32 +00:00 · 2023-12-05 19:01:03 +02:00
parent 51cfb9564a
commit ec03340b67
46 changed files with 1666 additions and 781 deletions
--- a/internal/query/oidc_client.go
+++ b/internal/query/oidc_client.go
@@ -0,0 +1,61 @@
+package query
+
+import (
+	"context"
+	"database/sql"
+	_ "embed"
+	"errors"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/crypto"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
+	zerrors "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/telemetry/tracing"
+)
+
+type OIDCClient struct {
+	InstanceID               string                     `json:"instance_id,omitempty"`
+	AppID                    string                     `json:"app_id,omitempty"`
+	State                    domain.AppState            `json:"state,omitempty"`
+	ClientID                 string                     `json:"client_id,omitempty"`
+	ClientSecret             *crypto.CryptoValue        `json:"client_secret,omitempty"`
+	RedirectURIs             []string                   `json:"redirect_uris,omitempty"`
+	ResponseTypes            []domain.OIDCResponseType  `json:"response_types,omitempty"`
+	GrantTypes               []domain.OIDCGrantType     `json:"grant_types,omitempty"`
+	ApplicationType          domain.OIDCApplicationType `json:"application_type,omitempty"`
+	AuthMethodType           domain.OIDCAuthMethodType  `json:"auth_method_type,omitempty"`
+	PostLogoutRedirectURIs   []string                   `json:"post_logout_redirect_uris,omitempty"`
+	IsDevMode                bool                       `json:"is_dev_mode,omitempty"`
+	AccessTokenType          domain.OIDCTokenType       `json:"access_token_type,omitempty"`
+	AccessTokenRoleAssertion bool                       `json:"access_token_role_assertion,omitempty"`
+	IDTokenRoleAssertion     bool                       `json:"id_token_role_assertion,omitempty"`
+	IDTokenUserinfoAssertion bool                       `json:"id_token_userinfo_assertion,omitempty"`
+	ClockSkew                time.Duration              `json:"clock_skew,omitempty"`
+	AdditionalOrigins        []string                   `json:"additional_origins,omitempty"`
+	PublicKeys               map[string][]byte          `json:"public_keys,omitempty"`
+	ProjectID                string                     `json:"project_id,omitempty"`
+	ProjectRoleKeys          []string                   `json:"project_role_keys,omitempty"`
+	AccessTokenLifetime      time.Duration              `json:"access_token_lifetime,omitempty"`
+	IDTokenLifetime          time.Duration              `json:"id_token_lifetime,omitempty"`
+}
+
+//go:embed embed/oidc_client_by_id.sql
+var oidcClientQuery string
+
+func (q *Queries) GetOIDCClientByID(ctx context.Context, clientID string, getKeys bool) (client *OIDCClient, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	client, err = database.QueryJSONObject[OIDCClient](ctx, q.client, oidcClientQuery,
+		authz.GetInstance(ctx).InstanceID(), clientID, getKeys,
+	)
+	if errors.Is(err, sql.ErrNoRows) {
+		return nil, zerrors.ThrowNotFound(err, "QUERY-wu6Ee", "Errors.App.NotFound")
+	}
+	if err != nil {
+		return nil, zerrors.ThrowInternal(err, "QUERY-ieR7R", "Errors.Internal")
+	}
+	return client, err
+}