feat: token revocation and OP certification (#2594)

* fix: try using only user session if no user is set (id_token_hint) on prompt none * fix caos errors As implementation * implement request mode * return explicit error on invalid refresh token use * begin token revocation * token revocation * tests * tests * cleanup * set op config * add revocation endpoint to config * add revocation endpoint to config * migration version * error handling in token revocation * migration version * update oidc lib to 1.0.0
2025-08-11 21:27:42 +00:00 · 2021-11-03 08:35:24 +01:00
parent 8df5614e4d
commit fc6154cffc
25 changed files with 638 additions and 236 deletions
--- a/internal/repository/user/user.go
+++ b/internal/repository/user/user.go
@@ -21,6 +21,7 @@ const (
 	UserReactivatedType       = userEventTypePrefix + "reactivated"
 	UserRemovedType           = userEventTypePrefix + "removed"
 	UserTokenAddedType        = userEventTypePrefix + "token.added"
+	UserTokenRemovedType      = userEventTypePrefix + "token.removed"
 	UserDomainClaimedType     = userEventTypePrefix + "domain.claimed"
 	UserDomainClaimedSentType = userEventTypePrefix + "domain.claimed.sent"
 	UserUserNameChangedType   = userEventTypePrefix + "username.changed"
@@ -213,6 +214,7 @@ type UserTokenAddedEvent struct {
 	TokenID           string    `json:"tokenId"`
 	ApplicationID     string    `json:"applicationId"`
 	UserAgentID       string    `json:"userAgentId"`
+	RefreshTokenID    string    `json:"refreshTokenID,omitempty"`
 	Audience          []string  `json:"audience"`
 	Scopes            []string  `json:"scopes"`
 	Expiration        time.Time `json:"expiration"`
@@ -233,7 +235,8 @@ func NewUserTokenAddedEvent(
 	tokenID,
 	applicationID,
 	userAgentID,
-	preferredLanguage string,
+	preferredLanguage,
+	refreshTokenID string,
 	audience,
 	scopes []string,
 	expiration time.Time,
@@ -247,6 +250,7 @@ func NewUserTokenAddedEvent(
 		TokenID:           tokenID,
 		ApplicationID:     applicationID,
 		UserAgentID:       userAgentID,
+		RefreshTokenID:    refreshTokenID,
 		Audience:          audience,
 		Scopes:            scopes,
 		Expiration:        expiration,
@@ -266,6 +270,47 @@ func UserTokenAddedEventMapper(event *repository.Event) (eventstore.EventReader,
 	return tokenAdded, nil
 }

+type UserTokenRemovedEvent struct {
+	eventstore.BaseEvent `json:"-"`
+
+	TokenID string `json:"tokenId"`
+}
+
+func (e *UserTokenRemovedEvent) Data() interface{} {
+	return e
+}
+
+func (e *UserTokenRemovedEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
+	return nil
+}
+
+func NewUserTokenRemovedEvent(
+	ctx context.Context,
+	aggregate *eventstore.Aggregate,
+	tokenID string,
+) *UserTokenRemovedEvent {
+	return &UserTokenRemovedEvent{
+		BaseEvent: *eventstore.NewBaseEventForPush(
+			ctx,
+			aggregate,
+			UserTokenRemovedType,
+		),
+		TokenID: tokenID,
+	}
+}
+
+func UserTokenRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	tokenRemoved := &UserTokenRemovedEvent{
+		BaseEvent: *eventstore.BaseEventFromRepo(event),
+	}
+	err := json.Unmarshal(event.Data, tokenRemoved)
+	if err != nil {
+		return nil, errors.ThrowInternal(err, "USER-7M9sd", "unable to unmarshal token added")
+	}
+
+	return tokenRemoved, nil
+}
+
 type DomainClaimedEvent struct {
 	eventstore.BaseEvent `json:"-"`