feat: Extend oidc idp with oauth endpoints (#1980)

* feat: add oauth attributes to oidc idp configuration * feat: return idpconfig id on create idp * feat: tests * feat: descriptions * feat: docs * feat: tests
2025-08-12 03:47:33 +00:00 · 2021-07-06 16:39:48 +02:00
parent 5349d96ce4
commit ff9af1704f
39 changed files with 419 additions and 156 deletions
--- a/internal/command/iam_converter.go
+++ b/internal/command/iam_converter.go
@@ -145,6 +145,8 @@ func writeModelToIDPOIDCConfig(wm *OIDCConfigWriteModel) *domain.OIDCIDPConfig {
 		IDPConfigID:           wm.IDPConfigID,
 		IDPDisplayNameMapping: wm.IDPDisplayNameMapping,
 		Issuer:                wm.Issuer,
+		AuthorizationEndpoint: wm.AuthorizationEndpoint,
+		TokenEndpoint:         wm.TokenEndpoint,
 		Scopes:                wm.Scopes,
 		UsernameMapping:       wm.UserNameMapping,
 	}
--- a/internal/command/iam_idp_config.go
+++ b/internal/command/iam_idp_config.go
@@ -44,6 +44,8 @@ func (c *Commands) AddDefaultIDPConfig(ctx context.Context, config *domain.IDPCo
 			config.OIDCConfig.ClientID,
 			idpConfigID,
 			config.OIDCConfig.Issuer,
+			config.OIDCConfig.AuthorizationEndpoint,
+			config.OIDCConfig.TokenEndpoint,
 			clientSecret,
 			config.OIDCConfig.IDPDisplayNameMapping,
 			config.OIDCConfig.UsernameMapping,
--- a/internal/command/iam_idp_config_test.go
+++ b/internal/command/iam_idp_config_test.go
@@ -76,6 +76,8 @@ func TestCommandSide_AddDefaultIDPConfig(t *testing.T) {
 									"clientid1",
 									"config1",
 									"issuer",
+									"authorization-endpoint",
+									"token-endpoint",
 									&crypto.CryptoValue{
 										CryptoType: crypto.TypeEncryption,
 										Algorithm:  "enc",
@@ -102,6 +104,8 @@ func TestCommandSide_AddDefaultIDPConfig(t *testing.T) {
 					OIDCConfig: &domain.OIDCIDPConfig{
 						ClientID:              "clientid1",
 						Issuer:                "issuer",
+						AuthorizationEndpoint: "authorization-endpoint",
+						TokenEndpoint:         "token-endpoint",
 						ClientSecretString:    "secret",
 						Scopes:                []string{"scope"},
 						IDPDisplayNameMapping: domain.OIDCMappingFieldEmail,
@@ -216,6 +220,8 @@ func TestCommandSide_ChangeDefaultIDPConfig(t *testing.T) {
 								"clientid1",
 								"config1",
 								"issuer",
+								"authorization-endpoint",
+								"token-endpoint",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
--- a/internal/command/iam_idp_oidc_config.go
+++ b/internal/command/iam_idp_oidc_config.go
@@ -27,6 +27,8 @@ func (c *Commands) ChangeDefaultIDPOIDCConfig(ctx context.Context, config *domai
 		config.IDPConfigID,
 		config.ClientID,
 		config.Issuer,
+		config.AuthorizationEndpoint,
+		config.TokenEndpoint,
 		config.ClientSecretString,
 		c.idpConfigSecretCrypto,
 		config.IDPDisplayNameMapping,
--- a/internal/command/iam_idp_oidc_config_model.go
+++ b/internal/command/iam_idp_oidc_config_model.go
@@ -90,6 +90,8 @@ func (wm *IAMIDPOIDCConfigWriteModel) NewChangedEvent(
 	idpConfigID,
 	clientID,
 	issuer,
+	authorizationEndpoint,
+	tokenEndpoint,
 	clientSecretString string,
 	secretCrypto crypto.Crypto,
 	idpDisplayNameMapping,
@@ -113,6 +115,12 @@ func (wm *IAMIDPOIDCConfigWriteModel) NewChangedEvent(
 	if wm.Issuer != issuer {
 		changes = append(changes, idpconfig.ChangeIssuer(issuer))
 	}
+	if wm.AuthorizationEndpoint != authorizationEndpoint {
+		changes = append(changes, idpconfig.ChangeAuthorizationEndpoint(authorizationEndpoint))
+	}
+	if wm.TokenEndpoint != tokenEndpoint {
+		changes = append(changes, idpconfig.ChangeTokenEndpoint(tokenEndpoint))
+	}
 	if idpDisplayNameMapping.Valid() && wm.IDPDisplayNameMapping != idpDisplayNameMapping {
 		changes = append(changes, idpconfig.ChangeIDPDisplayNameMapping(idpDisplayNameMapping))
 	}
--- a/internal/command/iam_idp_oidc_config_test.go
+++ b/internal/command/iam_idp_oidc_config_test.go
@@ -92,6 +92,8 @@ func TestCommandSide_ChangeDefaultIDPOIDCConfig(t *testing.T) {
 								"clientid1",
 								"config1",
 								"issuer",
+								"authorization-endpoint",
+								"token-endpoint",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
@@ -144,6 +146,8 @@ func TestCommandSide_ChangeDefaultIDPOIDCConfig(t *testing.T) {
 								"clientid1",
 								"config1",
 								"issuer",
+								"authorization-endpoint",
+								"token-endpoint",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
@@ -165,6 +169,8 @@ func TestCommandSide_ChangeDefaultIDPOIDCConfig(t *testing.T) {
 					IDPConfigID:           "config1",
 					ClientID:              "clientid1",
 					Issuer:                "issuer",
+					AuthorizationEndpoint: "authorization-endpoint",
+					TokenEndpoint:         "token-endpoint",
 					Scopes:                []string{"scope"},
 					IDPDisplayNameMapping: domain.OIDCMappingFieldEmail,
 					UsernameMapping:       domain.OIDCMappingFieldEmail,
@@ -195,6 +201,8 @@ func TestCommandSide_ChangeDefaultIDPOIDCConfig(t *testing.T) {
 								"clientid1",
 								"config1",
 								"issuer",
+								"authorization-endpoint",
+								"token-endpoint",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
@@ -214,6 +222,8 @@ func TestCommandSide_ChangeDefaultIDPOIDCConfig(t *testing.T) {
 									"config1",
 									"clientid-changed",
 									"issuer-changed",
+									"authorization-endpoint-changed",
+									"token-endpoint-changed",
 									&crypto.CryptoValue{
 										CryptoType: crypto.TypeEncryption,
 										Algorithm:  "enc",
@@ -236,6 +246,8 @@ func TestCommandSide_ChangeDefaultIDPOIDCConfig(t *testing.T) {
 					IDPConfigID:           "config1",
 					ClientID:              "clientid-changed",
 					Issuer:                "issuer-changed",
+					AuthorizationEndpoint: "authorization-endpoint-changed",
+					TokenEndpoint:         "token-endpoint-changed",
 					ClientSecretString:    "secret-changed",
 					Scopes:                []string{"scope", "scope2"},
 					IDPDisplayNameMapping: domain.OIDCMappingFieldPreferredLoginName,
@@ -251,6 +263,8 @@ func TestCommandSide_ChangeDefaultIDPOIDCConfig(t *testing.T) {
 					IDPConfigID:           "config1",
 					ClientID:              "clientid-changed",
 					Issuer:                "issuer-changed",
+					AuthorizationEndpoint: "authorization-endpoint-changed",
+					TokenEndpoint:         "token-endpoint-changed",
 					Scopes:                []string{"scope", "scope2"},
 					IDPDisplayNameMapping: domain.OIDCMappingFieldPreferredLoginName,
 					UsernameMapping:       domain.OIDCMappingFieldPreferredLoginName,
@@ -278,13 +292,15 @@ func TestCommandSide_ChangeDefaultIDPOIDCConfig(t *testing.T) {
 	}
 }

-func newDefaultIDPOIDCConfigChangedEvent(ctx context.Context, configID, clientID, issuer string, secret *crypto.CryptoValue, displayMapping, usernameMapping domain.OIDCMappingField, scopes []string) *iam.IDPOIDCConfigChangedEvent {
+func newDefaultIDPOIDCConfigChangedEvent(ctx context.Context, configID, clientID, issuer, authorizationEndpoint, tokenEndpoint string, secret *crypto.CryptoValue, displayMapping, usernameMapping domain.OIDCMappingField, scopes []string) *iam.IDPOIDCConfigChangedEvent {
 	event, _ := iam.NewIDPOIDCConfigChangedEvent(ctx,
 		&iam.NewAggregate().Aggregate,
 		configID,
 		[]idpconfig.OIDCConfigChanges{
 			idpconfig.ChangeClientID(clientID),
 			idpconfig.ChangeIssuer(issuer),
+			idpconfig.ChangeAuthorizationEndpoint(authorizationEndpoint),
+			idpconfig.ChangeTokenEndpoint(tokenEndpoint),
 			idpconfig.ChangeClientSecret(secret),
 			idpconfig.ChangeIDPDisplayNameMapping(displayMapping),
 			idpconfig.ChangeUserNameMapping(usernameMapping),
--- a/internal/command/oidc_config_model.go
+++ b/internal/command/oidc_config_model.go
@@ -10,11 +10,13 @@ import (
 type OIDCConfigWriteModel struct {
 	eventstore.WriteModel

-	IDPConfigID  string
-	ClientID     string
-	ClientSecret *crypto.CryptoValue
-	Issuer       string
-	Scopes       []string
+	IDPConfigID           string
+	ClientID              string
+	ClientSecret          *crypto.CryptoValue
+	Issuer                string
+	AuthorizationEndpoint string
+	TokenEndpoint         string
+	Scopes                []string

 	IDPDisplayNameMapping domain.OIDCMappingField
 	UserNameMapping       domain.OIDCMappingField
@@ -45,6 +47,8 @@ func (wm *OIDCConfigWriteModel) reduceConfigAddedEvent(e *idpconfig.OIDCConfigAd
 	wm.ClientID = e.ClientID
 	wm.ClientSecret = e.ClientSecret
 	wm.Issuer = e.Issuer
+	wm.AuthorizationEndpoint = e.AuthorizationEndpoint
+	wm.TokenEndpoint = e.TokenEndpoint
 	wm.Scopes = e.Scopes
 	wm.IDPDisplayNameMapping = e.IDPDisplayNameMapping
 	wm.UserNameMapping = e.UserNameMapping
@@ -58,6 +62,12 @@ func (wm *OIDCConfigWriteModel) reduceConfigChangedEvent(e *idpconfig.OIDCConfig
 	if e.Issuer != nil {
 		wm.Issuer = *e.Issuer
 	}
+	if e.AuthorizationEndpoint != nil {
+		wm.AuthorizationEndpoint = *e.AuthorizationEndpoint
+	}
+	if e.TokenEndpoint != nil {
+		wm.TokenEndpoint = *e.TokenEndpoint
+	}
 	if len(e.Scopes) > 0 {
 		wm.Scopes = e.Scopes
 	}
--- a/internal/command/org_idp_config.go
+++ b/internal/command/org_idp_config.go
@@ -47,6 +47,8 @@ func (c *Commands) AddIDPConfig(ctx context.Context, config *domain.IDPConfig, r
 			config.OIDCConfig.ClientID,
 			idpConfigID,
 			config.OIDCConfig.Issuer,
+			config.OIDCConfig.AuthorizationEndpoint,
+			config.OIDCConfig.TokenEndpoint,
 			clientSecret,
 			config.OIDCConfig.IDPDisplayNameMapping,
 			config.OIDCConfig.UsernameMapping,
--- a/internal/command/org_idp_config_test.go
+++ b/internal/command/org_idp_config_test.go
@@ -104,6 +104,8 @@ func TestCommandSide_AddIDPConfig(t *testing.T) {
 									"clientid1",
 									"config1",
 									"issuer",
+									"authorization-endpoint",
+									"token-endpoint",
 									&crypto.CryptoValue{
 										CryptoType: crypto.TypeEncryption,
 										Algorithm:  "enc",
@@ -131,6 +133,8 @@ func TestCommandSide_AddIDPConfig(t *testing.T) {
 					OIDCConfig: &domain.OIDCIDPConfig{
 						ClientID:              "clientid1",
 						Issuer:                "issuer",
+						AuthorizationEndpoint: "authorization-endpoint",
+						TokenEndpoint:         "token-endpoint",
 						ClientSecretString:    "secret",
 						Scopes:                []string{"scope"},
 						IDPDisplayNameMapping: domain.OIDCMappingFieldEmail,
@@ -264,6 +268,8 @@ func TestCommandSide_ChangeIDPConfig(t *testing.T) {
 								"clientid1",
 								"config1",
 								"issuer",
+								"authorization-endpoint",
+								"token-endpoint",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
--- a/internal/command/org_idp_oidc_config.go
+++ b/internal/command/org_idp_oidc_config.go
@@ -30,6 +30,8 @@ func (c *Commands) ChangeIDPOIDCConfig(ctx context.Context, config *domain.OIDCI
 		config.IDPConfigID,
 		config.ClientID,
 		config.Issuer,
+		config.AuthorizationEndpoint,
+		config.TokenEndpoint,
 		config.ClientSecretString,
 		c.idpConfigSecretCrypto,
 		config.IDPDisplayNameMapping,
--- a/internal/command/org_idp_oidc_config_model.go
+++ b/internal/command/org_idp_oidc_config_model.go
@@ -90,6 +90,8 @@ func (wm *IDPOIDCConfigWriteModel) NewChangedEvent(
 	idpConfigID,
 	clientID,
 	issuer,
+	authorizationEndpoint,
+	tokenEndpoint,
 	clientSecretString string,
 	secretCrypto crypto.Crypto,
 	idpDisplayNameMapping,
@@ -113,6 +115,12 @@ func (wm *IDPOIDCConfigWriteModel) NewChangedEvent(
 	if wm.Issuer != issuer {
 		changes = append(changes, idpconfig.ChangeIssuer(issuer))
 	}
+	if wm.AuthorizationEndpoint != authorizationEndpoint {
+		changes = append(changes, idpconfig.ChangeAuthorizationEndpoint(authorizationEndpoint))
+	}
+	if wm.TokenEndpoint != tokenEndpoint {
+		changes = append(changes, idpconfig.ChangeTokenEndpoint(tokenEndpoint))
+	}
 	if idpDisplayNameMapping.Valid() && wm.IDPDisplayNameMapping != idpDisplayNameMapping {
 		changes = append(changes, idpconfig.ChangeIDPDisplayNameMapping(idpDisplayNameMapping))
 	}
--- a/internal/command/org_idp_oidc_config_test.go
+++ b/internal/command/org_idp_oidc_config_test.go
@@ -112,6 +112,8 @@ func TestCommandSide_ChangeIDPOIDCConfig(t *testing.T) {
 								"clientid1",
 								"config1",
 								"issuer",
+								"authorization-endpoint",
+								"token-endpoint",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
@@ -165,6 +167,8 @@ func TestCommandSide_ChangeIDPOIDCConfig(t *testing.T) {
 								"clientid1",
 								"config1",
 								"issuer",
+								"authorization-endpoint",
+								"token-endpoint",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
@@ -186,6 +190,8 @@ func TestCommandSide_ChangeIDPOIDCConfig(t *testing.T) {
 					IDPConfigID:           "config1",
 					ClientID:              "clientid1",
 					Issuer:                "issuer",
+					AuthorizationEndpoint: "authorization-endpoint",
+					TokenEndpoint:         "token-endpoint",
 					Scopes:                []string{"scope"},
 					IDPDisplayNameMapping: domain.OIDCMappingFieldEmail,
 					UsernameMapping:       domain.OIDCMappingFieldEmail,
@@ -217,6 +223,8 @@ func TestCommandSide_ChangeIDPOIDCConfig(t *testing.T) {
 								"clientid1",
 								"config1",
 								"issuer",
+								"authorization-endpoint",
+								"token-endpoint",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
@@ -237,6 +245,8 @@ func TestCommandSide_ChangeIDPOIDCConfig(t *testing.T) {
 									"config1",
 									"clientid-changed",
 									"issuer-changed",
+									"authorization-endpoint-changed",
+									"token-endpoint-changed",
 									&crypto.CryptoValue{
 										CryptoType: crypto.TypeEncryption,
 										Algorithm:  "enc",
@@ -259,6 +269,8 @@ func TestCommandSide_ChangeIDPOIDCConfig(t *testing.T) {
 					IDPConfigID:           "config1",
 					ClientID:              "clientid-changed",
 					Issuer:                "issuer-changed",
+					AuthorizationEndpoint: "authorization-endpoint-changed",
+					TokenEndpoint:         "token-endpoint-changed",
 					ClientSecretString:    "secret-changed",
 					Scopes:                []string{"scope", "scope2"},
 					IDPDisplayNameMapping: domain.OIDCMappingFieldPreferredLoginName,
@@ -275,6 +287,8 @@ func TestCommandSide_ChangeIDPOIDCConfig(t *testing.T) {
 					IDPConfigID:           "config1",
 					ClientID:              "clientid-changed",
 					Issuer:                "issuer-changed",
+					AuthorizationEndpoint: "authorization-endpoint-changed",
+					TokenEndpoint:         "token-endpoint-changed",
 					Scopes:                []string{"scope", "scope2"},
 					IDPDisplayNameMapping: domain.OIDCMappingFieldPreferredLoginName,
 					UsernameMapping:       domain.OIDCMappingFieldPreferredLoginName,
@@ -302,13 +316,15 @@ func TestCommandSide_ChangeIDPOIDCConfig(t *testing.T) {
 	}
 }

-func newIDPOIDCConfigChangedEvent(ctx context.Context, orgID, configID, clientID, issuer string, secret *crypto.CryptoValue, displayMapping, usernameMapping domain.OIDCMappingField, scopes []string) *org.IDPOIDCConfigChangedEvent {
+func newIDPOIDCConfigChangedEvent(ctx context.Context, orgID, configID, clientID, issuer, authorizationEndpoint, tokenEndpoint string, secret *crypto.CryptoValue, displayMapping, usernameMapping domain.OIDCMappingField, scopes []string) *org.IDPOIDCConfigChangedEvent {
 	event, _ := org.NewIDPOIDCConfigChangedEvent(ctx,
 		&org.NewAggregate(orgID, orgID).Aggregate,
 		configID,
 		[]idpconfig.OIDCConfigChanges{
 			idpconfig.ChangeClientID(clientID),
 			idpconfig.ChangeIssuer(issuer),
+			idpconfig.ChangeAuthorizationEndpoint(authorizationEndpoint),
+			idpconfig.ChangeTokenEndpoint(tokenEndpoint),
 			idpconfig.ChangeClientSecret(secret),
 			idpconfig.ChangeIDPDisplayNameMapping(displayMapping),
 			idpconfig.ChangeUserNameMapping(usernameMapping),