feat: token revocation and OP certification (#2594)

* fix: try using only user session if no user is set (id_token_hint) on prompt none * fix caos errors As implementation * implement request mode * return explicit error on invalid refresh token use * begin token revocation * token revocation * tests * tests * cleanup * set op config * add revocation endpoint to config * add revocation endpoint to config * migration version * error handling in token revocation * migration version * update oidc lib to 1.0.0
2025-08-11 20:57:31 +00:00 · 2021-11-03 08:35:24 +01:00
parent 8df5614e4d
commit fc6154cffc
25 changed files with 638 additions and 236 deletions
--- a/internal/command/user_human_access_token_model.go
+++ b/internal/command/user_human_access_token_model.go
@@ -0,0 +1,106 @@
+package command
+
+import (
+	"time"
+
+	"github.com/caos/zitadel/internal/eventstore"
+
+	"github.com/caos/zitadel/internal/domain"
+	"github.com/caos/zitadel/internal/repository/user"
+)
+
+type UserAccessTokenWriteModel struct {
+	eventstore.WriteModel
+
+	TokenID           string
+	ApplicationID     string
+	UserAgentID       string
+	Audience          []string
+	Scopes            []string
+	Expiration        time.Time
+	PreferredLanguage string
+
+	UserState domain.UserState
+}
+
+func NewUserAccessTokenWriteModel(userID, resourceOwner, tokenID string) *UserAccessTokenWriteModel {
+	return &UserAccessTokenWriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   userID,
+			ResourceOwner: resourceOwner,
+		},
+		TokenID: tokenID,
+	}
+}
+
+func (wm *UserAccessTokenWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *user.UserTokenAddedEvent:
+			if wm.TokenID != e.TokenID {
+				continue
+			}
+			wm.WriteModel.AppendEvents(e)
+		case *user.UserTokenRemovedEvent:
+			if wm.TokenID != e.TokenID {
+				continue
+			}
+			wm.WriteModel.AppendEvents(e)
+		case *user.HumanSignedOutEvent:
+			if wm.UserAgentID != e.UserAgentID {
+				continue
+			}
+			wm.WriteModel.AppendEvents(e)
+		case *user.UserLockedEvent,
+			*user.UserDeactivatedEvent,
+			*user.UserRemovedEvent:
+			wm.WriteModel.AppendEvents(e)
+		}
+	}
+}
+
+func (wm *UserAccessTokenWriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *user.UserTokenAddedEvent:
+			wm.TokenID = e.TokenID
+			wm.ApplicationID = e.ApplicationID
+			wm.UserAgentID = e.UserAgentID
+			wm.Audience = e.Audience
+			wm.Scopes = e.Scopes
+			wm.Expiration = e.Expiration
+			wm.PreferredLanguage = e.PreferredLanguage
+			wm.UserState = domain.UserStateActive
+			if e.Expiration.Before(time.Now()) {
+				wm.UserState = domain.UserStateDeleted
+			}
+		case *user.UserTokenRemovedEvent,
+			*user.HumanSignedOutEvent,
+			*user.UserLockedEvent,
+			*user.UserDeactivatedEvent,
+			*user.UserRemovedEvent:
+			wm.UserState = domain.UserStateDeleted
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *UserAccessTokenWriteModel) Query() *eventstore.SearchQueryBuilder {
+	query := eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		AddQuery().
+		AggregateTypes(user.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		EventTypes(
+			user.UserTokenAddedType,
+			user.UserTokenRemovedType,
+			user.HumanSignedOutType,
+			user.UserLockedType,
+			user.UserDeactivatedType,
+			user.UserRemovedType).
+		Builder()
+
+	if wm.ResourceOwner != "" {
+		query.ResourceOwner(wm.ResourceOwner)
+	}
+	return query
+}