feat: refresh token (#1728)

* begin refresh tokens * refresh tokens * list and revoke refresh tokens * handle remove * tests for refresh tokens * uniqueness and default expiration * rename oidc token methods * cleanup * migration version * Update internal/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fixes * feat: update oidc pkg for refresh tokens Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-12 01:37:31 +00:00 · 2021-05-20 13:33:35 +02:00
parent bc21eeb114
commit ec5020bebc
36 changed files with 2732 additions and 55 deletions
--- a/internal/domain/refresh_token.go
+++ b/internal/domain/refresh_token.go
@@ -0,0 +1,37 @@
+package domain
+
+import (
+	"encoding/base64"
+	"strings"
+
+	"github.com/caos/zitadel/internal/crypto"
+	caos_errors "github.com/caos/zitadel/internal/errors"
+)
+
+func NewRefreshToken(userID, tokenID string, algorithm crypto.EncryptionAlgorithm) (string, error) {
+	return RefreshToken(userID, tokenID, tokenID, algorithm)
+}
+
+func RefreshToken(userID, tokenID, token string, algorithm crypto.EncryptionAlgorithm) (string, error) {
+	encrypted, err := algorithm.Encrypt([]byte(userID + ":" + tokenID + ":" + token))
+	if err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(encrypted), nil
+}
+
+func FromRefreshToken(refreshToken string, algorithm crypto.EncryptionAlgorithm) (userID, tokenID, token string, err error) {
+	decoded, err := base64.RawURLEncoding.DecodeString(refreshToken)
+	if err != nil {
+		return "", "", "", err
+	}
+	decrypted, err := algorithm.Decrypt(decoded, algorithm.EncryptionKeyID())
+	if err != nil {
+		return "", "", "", err
+	}
+	split := strings.Split(string(decrypted), ":")
+	if len(split) != 3 {
+		return "", "", "", caos_errors.ThrowInternal(nil, "DOMAIN-BGDhn", "Errors.User.RefreshToken.Invalid")
+	}
+	return split[0], split[1], split[2], nil
+}