feat: refresh token (#1728)

* begin refresh tokens * refresh tokens * list and revoke refresh tokens * handle remove * tests for refresh tokens * uniqueness and default expiration * rename oidc token methods * cleanup * migration version * Update internal/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fixes * feat: update oidc pkg for refresh tokens Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-11 18:17:35 +00:00 · 2021-05-20 13:33:35 +02:00
parent bc21eeb114
commit ec5020bebc
36 changed files with 2732 additions and 55 deletions
--- a/proto/zitadel/auth.proto
+++ b/proto/zitadel/auth.proto
@@ -82,6 +82,39 @@ service AuthService {
        };
    }

+    // Returns the refresh tokens of the authorized user
+    rpc ListMyRefreshTokens(ListMyRefreshTokensRequest) returns (ListMyRefreshTokensResponse) {
+        option (google.api.http) = {
+            post: "/users/me/tokens/refresh/_search"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    // Revokes a single refresh token of the authorized user by its (token) id
+    rpc RevokeMyRefreshToken(RevokeMyRefreshTokenRequest) returns (RevokeMyRefreshTokenResponse) {
+        option (google.api.http) = {
+            delete: "/users/me/tokens/refresh/{id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
+    // Revokes all refresh tokens of the authorized user
+    rpc RevokeAllMyRefreshTokens(RevokeAllMyRefreshTokensRequest) returns (RevokeAllMyRefreshTokensResponse) {
+        option (google.api.http) = {
+            post: "/users/me/tokens/refresh/_revoke_all"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "authenticated"
+        };
+    }
+
    // Change the user name of the authorize user
    rpc UpdateMyUserName(UpdateMyUserNameRequest) returns (UpdateMyUserNameResponse) {
        option (google.api.http) = {
@@ -489,6 +522,28 @@ message ListMyUserSessionsResponse {
    repeated zitadel.user.v1.Session result = 1;
 }

+//This is an empty request
+message ListMyRefreshTokensRequest {}
+
+message ListMyRefreshTokensResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated zitadel.user.v1.RefreshToken result = 2;
+}
+
+message RevokeMyRefreshTokenRequest {
+    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RevokeMyRefreshTokenResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
+//This is an empty request
+message RevokeAllMyRefreshTokensRequest {}
+
+//This is an empty response
+message RevokeAllMyRefreshTokensResponse {}
+
 message UpdateMyUserNameRequest {
    string user_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
 }
--- a/proto/zitadel/user.proto
+++ b/proto/zitadel/user.proto
@@ -2,6 +2,7 @@ syntax = "proto3";

 import "zitadel/object.proto";
 import "validate/validate.proto";
+import "google/protobuf/timestamp.proto";

 import "protoc-gen-openapiv2/options/annotations.proto";

@@ -516,6 +517,48 @@ enum SessionState {
    SESSION_STATE_TERMINATED = 2;
 }

+message RefreshToken {
+    string id = 1 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"69629023906489455\""
+        }
+    ];
+    zitadel.v1.ObjectDetails details = 2;
+    string client_id = 3 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"69629023906488334@ZITADEL\"";
+            description: "oauth2/oidc client_id of the authorized application";
+        }
+    ];
+    google.protobuf.Timestamp auth_time = 4 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "\"time when the user authenticated, does not have to be the same time the token was created\""
+        }
+    ];
+    google.protobuf.Timestamp idle_expiration = 5 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "\"time the refresh token will expire if not used, the user will have to reauthenticate\""
+        }
+    ];
+    google.protobuf.Timestamp expiration = 6 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "\"time the refresh token will expire, the user will have to reauthenticate\""
+        }
+    ];
+    repeated string scopes = 7 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "[\"openid\",\"email\",\"profile\",\"offline_access\"]";
+            description: "scopes of the initial auth request, access tokens created by this refresh token can have a subset of these scopes";
+        }
+    ];
+    repeated string audience = 8 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "[\"69629023906488334@ZITADEL\", \"69629023906481256\"]"
+            description: "audience of the initial auth request and of all access tokens created by this refresh token";
+        }
+    ];
+}
+
 message UserGrant {
    string id = 1 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {