feat: token revocation and OP certification (#2594)

* fix: try using only user session if no user is set (id_token_hint) on prompt none * fix caos errors As implementation * implement request mode * return explicit error on invalid refresh token use * begin token revocation * token revocation * tests * tests * cleanup * set op config * add revocation endpoint to config * add revocation endpoint to config * migration version * error handling in token revocation * migration version * update oidc lib to 1.0.0
2025-08-12 11:07:32 +00:00 · 2021-11-03 08:35:24 +01:00
parent 8df5614e4d
commit fc6154cffc
25 changed files with 638 additions and 236 deletions
--- a/internal/auth/repository/eventsourcing/handler/token.go
+++ b/internal/auth/repository/eventsourcing/handler/token.go
@@ -7,7 +7,7 @@ import (
 	"github.com/caos/logging"

 	caos_errs "github.com/caos/zitadel/internal/errors"
-	"github.com/caos/zitadel/internal/eventstore/v1"
+	v1 "github.com/caos/zitadel/internal/eventstore/v1"
 	es_models "github.com/caos/zitadel/internal/eventstore/v1/models"
 	"github.com/caos/zitadel/internal/eventstore/v1/query"
 	es_sdk "github.com/caos/zitadel/internal/eventstore/v1/sdk"
@@ -15,6 +15,7 @@ import (
 	proj_model "github.com/caos/zitadel/internal/project/model"
 	project_es_model "github.com/caos/zitadel/internal/project/repository/eventsourcing/model"
 	proj_view "github.com/caos/zitadel/internal/project/repository/view"
+	user_repo "github.com/caos/zitadel/internal/repository/user"
 	user_es_model "github.com/caos/zitadel/internal/user/repository/eventsourcing/model"
 	view_model "github.com/caos/zitadel/internal/user/repository/view/model"
 )
@@ -111,6 +112,18 @@ func (t *Token) Reduce(event *es_models.Event) (err error) {
 		user_es_model.UserDeactivated,
 		user_es_model.UserRemoved:
 		return t.view.DeleteUserTokens(event.AggregateID, event)
+	case es_models.EventType(user_repo.UserTokenRemovedType):
+		id, err := tokenIDFromRemovedEvent(event)
+		if err != nil {
+			return err
+		}
+		return t.view.DeleteToken(id, event)
+	case es_models.EventType(user_repo.HumanRefreshTokenRemovedType):
+		id, err := refreshTokenIDFromRemovedEvent(event)
+		if err != nil {
+			return err
+		}
+		return t.view.DeleteTokensFromRefreshToken(id, event)
 	case project_es_model.ApplicationDeactivated,
 		project_es_model.ApplicationRemoved:
 		application, err := applicationFromSession(event)
@@ -157,6 +170,24 @@ func applicationFromSession(event *es_models.Event) (*project_es_model.Applicati
 	return application, nil
 }

+func tokenIDFromRemovedEvent(event *es_models.Event) (string, error) {
+	removed := make(map[string]interface{})
+	if err := json.Unmarshal(event.Data, &removed); err != nil {
+		logging.Log("EVEN-Sdff3").WithError(err).Error("could not unmarshal event data")
+		return "", caos_errs.ThrowInternal(nil, "MODEL-Sff32", "could not unmarshal data")
+	}
+	return removed["tokenId"].(string), nil
+}
+
+func refreshTokenIDFromRemovedEvent(event *es_models.Event) (string, error) {
+	removed := make(map[string]interface{})
+	if err := json.Unmarshal(event.Data, &removed); err != nil {
+		logging.Log("EVEN-Ff23g").WithError(err).Error("could not unmarshal event data")
+		return "", caos_errs.ThrowInternal(nil, "MODEL-Dfb3w", "could not unmarshal data")
+	}
+	return removed["tokenId"].(string), nil
+}
+
 func (t *Token) OnSuccess() error {
 	return spooler.HandleSuccess(t.view.UpdateTokenSpoolerRunTimestamp)
 }