feat: refresh token (#1728)

* begin refresh tokens * refresh tokens * list and revoke refresh tokens * handle remove * tests for refresh tokens * uniqueness and default expiration * rename oidc token methods * cleanup * migration version * Update internal/static/i18n/en.yaml Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> * fixes * feat: update oidc pkg for refresh tokens Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-12-09 05:35:17 +00:00 · 2021-05-20 13:33:35 +02:00
parent bc21eeb114
commit ec5020bebc
36 changed files with 2732 additions and 55 deletions
--- a/proto/zitadel/user.proto
+++ b/proto/zitadel/user.proto
@@ -2,6 +2,7 @@ syntax = "proto3";

 import "zitadel/object.proto";
 import "validate/validate.proto";
+import "google/protobuf/timestamp.proto";

 import "protoc-gen-openapiv2/options/annotations.proto";

@@ -516,6 +517,48 @@ enum SessionState {
    SESSION_STATE_TERMINATED = 2;
 }

+message RefreshToken {
+    string id = 1 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"69629023906489455\""
+        }
+    ];
+    zitadel.v1.ObjectDetails details = 2;
+    string client_id = 3 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"69629023906488334@ZITADEL\"";
+            description: "oauth2/oidc client_id of the authorized application";
+        }
+    ];
+    google.protobuf.Timestamp auth_time = 4 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "\"time when the user authenticated, does not have to be the same time the token was created\""
+        }
+    ];
+    google.protobuf.Timestamp idle_expiration = 5 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "\"time the refresh token will expire if not used, the user will have to reauthenticate\""
+        }
+    ];
+    google.protobuf.Timestamp expiration = 6 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "\"time the refresh token will expire, the user will have to reauthenticate\""
+        }
+    ];
+    repeated string scopes = 7 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "[\"openid\",\"email\",\"profile\",\"offline_access\"]";
+            description: "scopes of the initial auth request, access tokens created by this refresh token can have a subset of these scopes";
+        }
+    ];
+    repeated string audience = 8 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "[\"69629023906488334@ZITADEL\", \"69629023906481256\"]"
+            description: "audience of the initial auth request and of all access tokens created by this refresh token";
+        }
+    ];
+}
+
 message UserGrant {
    string id = 1 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {