feat: token revocation and OP certification (#2594)

* fix: try using only user session if no user is set (id_token_hint) on prompt none * fix caos errors As implementation * implement request mode * return explicit error on invalid refresh token use * begin token revocation * token revocation * tests * tests * cleanup * set op config * add revocation endpoint to config * add revocation endpoint to config * migration version * error handling in token revocation * migration version * update oidc lib to 1.0.0
2025-08-11 21:37:32 +00:00 · 2021-11-03 08:35:24 +01:00
parent 8df5614e4d
commit fc6154cffc
25 changed files with 638 additions and 236 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -136,6 +136,10 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *dom
 		err = repo.checkLoginName(ctx, request, request.LoginHint)
 		logging.LogWithFields("EVENT-aG311", "login name", request.LoginHint, "id", request.ID, "applicationID", request.ApplicationID, "traceID", tracing.TraceIDFromCtx(ctx)).OnError(err).Debug("login hint invalid")
 	}
+	if request.UserID == "" && request.LoginHint == "" && domain.IsPrompt(request.Prompt, domain.PromptNone) {
+		err = repo.tryUsingOnlyUserSession(request)
+		logging.LogWithFields("EVENT-SDf3g", "id", request.ID, "applicationID", request.ApplicationID, "traceID", tracing.TraceIDFromCtx(ctx)).OnError(err).Debug("unable to select only user session")
+	}

 	err = repo.AuthRequests.SaveAuthRequest(ctx, request)
 	if err != nil {
@@ -567,6 +571,22 @@ func (repo *AuthRequestRepo) fillPolicies(ctx context.Context, request *domain.A
 	return nil
 }

+func (repo *AuthRequestRepo) tryUsingOnlyUserSession(request *domain.AuthRequest) error {
+	userSessions, err := userSessionsByUserAgentID(repo.UserSessionViewProvider, request.AgentID)
+	if err != nil {
+		return err
+	}
+	if len(userSessions) == 1 {
+		user := userSessions[0]
+		username := user.UserName
+		if request.RequestedOrgID == "" {
+			username = user.LoginName
+		}
+		request.SetUserInfo(user.UserID, username, user.LoginName, user.DisplayName, user.AvatarKey, user.ResourceOwner)
+	}
+	return nil
+}
+
 func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *domain.AuthRequest, loginName string) (err error) {
 	user := new(user_view_model.UserView)
 	if request.RequestedOrgID != "" {
--- a/internal/auth/repository/eventsourcing/handler/token.go
+++ b/internal/auth/repository/eventsourcing/handler/token.go
@@ -7,7 +7,7 @@ import (
 	"github.com/caos/logging"

 	caos_errs "github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v1"
+	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
 	"github.com/caos/zitadel/internal/eventstore/v1/query"
 	es_sdk "github.com/caos/zitadel/internal/eventstore/v1/sdk"
@@ -15,6 +15,7 @@ import (
 	proj_model "github.com/caos/zitadel/internal/project/model"
 	project_es_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
 	proj_view "github.com/caos/zitadel/internal/project/repository/view"
+	user_repo "github.com/caos/zitadel/internal/repository/user"
 	user_es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
 	view_model "github.com/caos/zitadel/internal/user/repository/view/model"
 )
@@ -111,6 +112,18 @@ func (t *Token) Reduce(event *es_models.Event) (err error) {
 		user_es_model.UserDeactivated,
 		user_es_model.UserRemoved:
 		return t.view.DeleteUserTokens(event.AggregateID, event)
+	case es_models.EventType(user_repo.UserTokenRemovedType):
+		id, err := tokenIDFromRemovedEvent(event)
+		if err != nil {
+			return err
+		}
+		return t.view.DeleteToken(id, event)
+	case es_models.EventType(user_repo.HumanRefreshTokenRemovedType):
+		id, err := refreshTokenIDFromRemovedEvent(event)
+		if err != nil {
+			return err
+		}
+		return t.view.DeleteTokensFromRefreshToken(id, event)
 	case project_es_model.ApplicationDeactivated,
 		project_es_model.ApplicationRemoved:
 		application, err := applicationFromSession(event)
@@ -157,6 +170,24 @@ func applicationFromSession(event *es_models.Event) (*project_es_model.Applicati
 	return application, nil
 }

+func tokenIDFromRemovedEvent(event *es_models.Event) (string, error) {
+	removed := make(map[string]interface{})
+	if err := json.Unmarshal(event.Data, &removed); err != nil {
+		logging.Log("EVEN-Sdff3").WithError(err).Error("could not unmarshal event data")
+		return "", caos_errs.ThrowInternal(nil, "MODEL-Sff32", "could not unmarshal data")
+	}
+	return removed["tokenId"].(string), nil
+}
+
+func refreshTokenIDFromRemovedEvent(event *es_models.Event) (string, error) {
+	removed := make(map[string]interface{})
+	if err := json.Unmarshal(event.Data, &removed); err != nil {
+		logging.Log("EVEN-Ff23g").WithError(err).Error("could not unmarshal event data")
+		return "", caos_errs.ThrowInternal(nil, "MODEL-Dfb3w", "could not unmarshal data")
+	}
+	return removed["tokenId"].(string), nil
+}
+
 func (t *Token) OnSuccess() error {
 	return spooler.HandleSuccess(t.view.UpdateTokenSpoolerRunTimestamp)
 }
--- a/internal/auth/repository/eventsourcing/view/token.go
+++ b/internal/auth/repository/eventsourcing/view/token.go
@@ -68,6 +68,14 @@ func (v *View) DeleteApplicationTokens(event *models.Event, ids ...string) error
 	return v.ProcessedTokenSequence(event)
 }

+func (v *View) DeleteTokensFromRefreshToken(refreshTokenID string, event *models.Event) error {
+	err := usr_view.DeleteTokensFromRefreshToken(v.Db, tokenTable, refreshTokenID)
+	if err != nil && !errors.IsNotFound(err) {
+		return err
+	}
+	return v.ProcessedTokenSequence(event)
+}
+
 func (v *View) GetLatestTokenSequence() (*repository.CurrentSequence, error) {
 	return v.latestSequence(tokenTable)
 }