Commit Graph

247 Commits

Author SHA1 Message Date
Livio Spring
fb162a7d75
fix(login): improve auth handlers (#7969)
# Which Problems Are Solved

During the implementation of #7486 it was noticed, that projections in
the `auth` database schema could be blocked.
Investigations suggested, that this is due to the use of
[GORM](https://gorm.io/index.html) and it's inability to use an existing
(sql) transaction.
With the improved / simplified handling (see below) there should also be
a minimal improvement in performance, resp. reduced database update
statements.

# How the Problems Are Solved

The handlers in `auth` are exchanged to proper (sql) statements and gorm
usage is removed for any writing part.
To further improve / simplify the handling of the users, a new
`auth.users3` table is created, where only attributes are handled, which
are not yet available from the `projections.users`,
`projections.login_name` and `projections.user_auth_methods` do not
provide. This reduces the events handled in that specific handler by a
lot.

# Additional Changes

None

# Additional Context

relates to #7486
2024-05-22 15:26:02 +00:00
Livio Spring
07f91e4f16
fix(login): ignore select_account in case there aren't any session to choose (#7981)
# Which Problems Are Solved

When poviding `select_account` in an OIDC auth request, ZITADEL would
always show the account selection page even if there aren't any user
sessions to choose and the user would then need to click the `Other
User` button to be presented the login page.

# How the Problems Are Solved

This PR changes the behavior and ignores the `select_account` prompt in
case there aren't any existing user sessions and will directly present
the login page.

# Additional Changes

None

# Additional Context

Closes #7213
2024-05-21 12:53:31 +00:00
Tim Möhlmann
8e0c8393e9
perf(oidc): optimize token creation (#7822)
* implement code exchange

* port tokenexchange to v2 tokens

* implement refresh token

* implement client credentials

* implement jwt profile

* implement device token

* cleanup unused code

* fix current unit tests

* add user agent unit test

* unit test domain package

* need refresh token as argument

* test commands create oidc session

* test commands device auth

* fix device auth build error

* implicit for oidc session API

* implement authorize callback handler for legacy implicit mode

* upgrade oidc module to working draft

* add missing auth methods and time

* handle all errors in defer

* do not fail auth request on error

the oauth2 Go client automagically retries on any error. If we fail the auth request on the first error, the next attempt will always fail with the Errors.AuthRequest.NoCode, because the auth request state is already set to failed.
The original error is then already lost and the oauth2 library does not return the original error.

Therefore we should not fail the auth request.

Might be worth discussing and perhaps send a bug report to Oauth2?

* fix code flow tests by explicitly setting code exchanged

* fix unit tests in command package

* return allowed scope from client credential client

* add device auth done reducer

* carry nonce thru session into ID token

* fix token exchange integration tests

* allow project role scope prefix in client credentials client

* gci formatting

* do not return refresh token in client credentials and jwt profile

* check org scope

* solve linting issue on authorize callback error

* end session based on v2 session ID

* use preferred language and user agent ID for v2 access tokens

* pin oidc v3.23.2

* add integration test for jwt profile and client credentials with org scopes

* refresh token v1 to v2

* add user token v2 audit event

* add activity trigger

* cleanup and set panics for unused methods

* use the encrypted code for v1 auth request get by code

* add missing event translation

* fix pipeline errors (hopefully)

* fix another test

* revert pointer usage of preferred language

* solve browser info panic in device auth

* remove duplicate entries in AMRToAuthMethodTypes to prevent future `mfa` claim

* revoke v1 refresh token to prevent reuse

* fix terminate oidc session

* always return a new refresh toke in refresh token grant

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-05-16 07:07:56 +02:00
Miguel Cabrerizo
15d5338b91
feat(cnsl): docs link can be customized and custom button is available (#7840)
* feat: customize doc link and additional custom link

* feat: add e2e tests

* fix: update docs

* fix: add @peintnermax changes about cache

* fix: golangci-lint complains preparation.PrepareCommands

---------

Co-authored-by: Max Peintner <max@caos.ch>
2024-05-13 16:01:50 +02:00
Livio Spring
5bf195d374
fix: allow other users to set up MFAs (#7914)
* fix: allow other users to set up MFAs

* update tests

* update integration tests
2024-05-07 05:38:26 +00:00
Livio Spring
900894161f
fix(login): prevent init mail on idp registration (#7895) 2024-05-03 07:23:40 +00:00
Livio Spring
d016379e2a
feat: pass and handle auth request context for email links (#7815)
* pass and handle auth request context

* tests and cleanup

* cleanup
2024-04-24 17:50:58 +02:00
Livio Spring
ac985e2dfb
fix(login): correctly reload policies on auth request (#7839) 2024-04-24 08:44:55 +00:00
Silvan
25030c69b9
perf: cache auth request in memory (#7824)
* perf: cache auth request in memory
2024-04-23 11:23:50 +00:00
Livio Spring
dcfa2f7955
feat(idp): provide option to auto link user (#7734)
* init auto linking

* prompt handling

* working

* translations

* console

* fixes

* unify

* custom texts

* fix tests

* linting

* fix check of existing user

* fix bg translation

* set unspecified as default in the form
2024-04-10 15:46:30 +00:00
Tim Möhlmann
b3e3239d76
chore(oidc): add additional spans to userinfo code paths (#7749) 2024-04-10 17:05:13 +02:00
Livio Spring
153df2e12f
feat: provide option to limit (T)OTP checks (#7693)
* feat: provide option to limit (T)OTP checks

* fix requests in console

* update errors pkg

* cleanup

* cleanup

* improve naming of existing config
2024-04-10 09:14:55 +00:00
Silvan
56df515e5f
chore: use pgx v5 (#7577)
* chore: use pgx v5

* chore: update go version

* remove direct pq dependency

* remove unnecessary type

* scan test

* map scanner

* converter

* uint8 number array

* duration

* most unit tests work

* unit tests work

* chore: coverage

* go 1.21

* linting

* int64 gopfertammi

* retry go 1.22

* retry go 1.22

* revert to go v1.21.5

* update go toolchain to 1.21.8

* go 1.21.8

* remove test flag

* go 1.21.5

* linting

* update toolchain

* use correct array

* use correct array

* add byte array

* correct value

* correct error message

* go 1.21 compatible
2024-03-27 15:48:22 +02:00
Tim Möhlmann
9d5cd12cd4
fix(oidc): define audience inside auth request instead of token creation (#7610)
fix(oidc): define audience inside auth request instead off token creation

When using the v1 OIDC Code flow, tokens would not carry the correct audience when returned as JWT. This applies to access tokens as JWT and ID tokens.
Introspection would still show the correct audience.
This happened because project audience was appended at token creation time. This stored the appended audience, used later in introspection or token refresh. However, the OIDC library still only had a view of the original auth request with the original audience.
When signing JWTs it would use this outdated information.

This change moves audience modifications to the auth request creation. This is was already the way it was done for v2 login and now v1 follows the same method.

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-03-21 19:42:44 +02:00
Livio Spring
b2d7352a5a
fix(login): display username after registration with idp (#7598)
It was noticed multiple time (incl. customers) that the loginname is sometimes not rendered in the UI.

This PR fixes such an issue after registration of a new user from an IdP.
2024-03-20 15:02:57 +01:00
Livio Spring
68af4f59c9
fix(api): handle user disabling events correctly in session API (#7380)
This PR makes sure that user disabling events (deactivate, locked, ...) are correctly checked for sessions.
2024-02-28 09:30:05 +00:00
Tim Möhlmann
26d1563643
feat(api): feature flags (#7356)
* feat(api): feature API proto definitions

* update proto based on discussion with @livio-a

* cleanup old feature flag stuff

* authz instance queries

* align defaults

* projection definitions

* define commands and event reducers

* implement system and instance setter APIs

* api getter implementation

* unit test repository package

* command unit tests

* unit test Get queries

* grpc converter unit tests

* migrate the V1 features

* migrate oidc to dynamic features

* projection unit test

* fix instance by host

* fix instance by id data type in sql

* fix linting errors

* add system projection test

* fix behavior inversion

* resolve proto file comments

* rename SystemDefaultLoginInstanceEventType to SystemLoginDefaultOrgEventType so it's consistent with the instance level event

* use write models and conditional set events

* system features integration tests

* instance features integration tests

* error on empty request

* documentation entry

* typo in feature.proto

* fix start unit tests

* solve linting error on key case switch

* remove system defaults after discussion with @eliobischof

* fix system feature projection

* resolve comments in defaults.yaml

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-02-28 10:55:54 +02:00
Livio Spring
b877abd7a2
fix(login): ignore domain suffix for email / phone check (#7446)
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-02-26 14:05:18 +00:00
Tim Möhlmann
af4e0484d0
fix: uniform oidc errors (#7237)
* fix: uniform oidc errors

sanitize oidc error reporting when passing package boundary towards oidc.

* add should TriggerBulk in get audiences for auth request

* upgrade to oidc 3.10.1

* provisional oidc upgrade to error branch

* pin oidc 3.10.2
2024-01-18 07:10:49 +01:00
Silvan
9892fd92b6
refactor: cleanup unused code (#7130)
* refactor: drop unused code

* refactor: drop unused code
2024-01-02 14:26:31 +00:00
Livio Spring
19d9b8ad41
fix: reduce eventual consistency (#7075)
* fix: reduce eventual consistency

* fix tests

* fix linting
2023-12-14 11:07:47 +01:00
Tim Möhlmann
f680dd934d
refactor: rename package errors to zerrors (#7039)
* chore: rename package errors to zerrors

* rename package errors to gerrors

* fix error related linting issues

* fix zitadel error assertion

* fix gosimple linting issues

* fix deprecated linting issues

* resolve gci linting issues

* fix import structure

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2023-12-08 15:30:55 +01:00
Tim Möhlmann
2f91679623
chore(Makefile): add go generate target (#6944)
This change adds a core_generate_all make target.
It installs the required tools and runs generate on the complete project.

`golang/mock` is no longer maintained and a fork is available
from the Uber folks. So the latter is used as tool.
All the mock files have been regenerated and are part of the PR.

The obsolete `tools` directory has been removed,
as all the tools are now part of specific make targets.

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-11-22 10:56:43 +00:00
Tim Möhlmann
ba9b807854
perf(oidc): optimize the introspection endpoint (#6909)
* get key by id and cache them

* userinfo from events for v2 tokens

* improve keyset caching

* concurrent token and client checks

* client and project in single query

* logging and otel

* drop owner_removed column on apps and authN tables

* userinfo and project roles in go routines

* get  oidc user info from projections and add actions

* add avatar URL

* some cleanup

* pull oidc work branch

* remove storage from server

* add config flag for experimental introspection

* legacy introspection flag

* drop owner_removed column on user projections

* drop owner_removed column on useer_metadata

* query userinfo unit test

* query introspection client test

* add user_grants to the userinfo query

* handle PAT scopes

* bring triggers back

* test instance keys query

* add userinfo unit tests

* unit test keys

* go mod tidy

* solve some bugs

* fix missing preferred login name

* do not run triggers in go routines, they seem to deadlock

* initialize the trigger handlers late with a sync.OnceValue

* Revert "do not run triggers in go routines, they seem to deadlock"

This reverts commit 2a03da2127.

* add missing translations

* chore: update go version for linting

* pin oidc version

* parse a global time location for query test

* fix linter complains

* upgrade go lint

* fix more linting issues

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2023-11-21 13:11:38 +01:00
Stefan Benz
0ec7a74877
perf: remove owner removed columns from projections for oidc (#6925)
* fix: remove owner removed columns from login names projection

* fix: remove owner removed columns from flow projection

* fix: remove owner removed columns from project, projectgrant and member projections

* fix: correct unit tests for session projection

* fix: correct unit tests for session projection
2023-11-20 17:21:08 +02:00
Stefan Benz
d874628f77
fix: use username with external idp linking (#6846)
Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-11-02 11:28:59 +00:00
Stefan Benz
cb7b50b513
feat: add attribute to only enable specific themes (#6798)
* feat: enable only specific themes in label policy

* feat: enable only specific themes in label policy

* feat: enable only specific themes in label policy

* feat: enable only specific themes in label policy

* add management in console

* pass enabledTheme

* render login ui based on enabled theme

* add in branding / settings service and name consistently

* update console to latest proto state

* fix console linting

* fix linting

* cleanup

* add translations

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2023-10-26 05:54:09 +00:00
Silvan
b5564572bc
feat(eventstore): increase parallel write capabilities (#5940)
This implementation increases parallel write capabilities of the eventstore.
Please have a look at the technical advisories: [05](https://zitadel.com/docs/support/advisory/a10005) and  [06](https://zitadel.com/docs/support/advisory/a10006).
The implementation of eventstore.push is rewritten and stored events are migrated to a new table `eventstore.events2`.
If you are using cockroach: make sure that the database user of ZITADEL has `VIEWACTIVITY` grant. This is used to query events.
2023-10-19 12:19:10 +02:00
Livio Spring
907a1611ac
fix(login): error case for unknown usernames correctly (#6689)
(cherry picked from commit 8549dd7a3d)
2023-10-10 07:41:16 +02:00
Stefan Benz
15fd3045e0
feat: add SAML as identity provider (#6454)
* feat: first implementation for saml sp

* fix: add command side instance and org for saml provider

* fix: add query side instance and org for saml provider

* fix: request handling in event and retrieval of finished intent

* fix: add review changes and integration tests

* fix: add integration tests for saml idp

* fix: correct unit tests with review changes

* fix: add saml session unit test

* fix: add saml session unit test

* fix: add saml session unit test

* fix: changes from review

* fix: changes from review

* fix: proto build error

* fix: proto build error

* fix: proto build error

* fix: proto require metadata oneof

* fix: login with saml provider

* fix: integration test for saml assertion

* lint client.go

* fix json tag

* fix: linting

* fix import

* fix: linting

* fix saml idp query

* fix: linting

* lint: try all issues

* revert linting config

* fix: add regenerate endpoints

* fix: translations

* fix mk.yaml

* ignore acs path for user agent cookie

* fix: add AuthFromProvider test for saml

* fix: integration test for saml retrieve information

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-09-29 11:26:14 +02:00
Livio Spring
68bfab2fb3
feat(login): use default org for login without provided org context (#6625)
* start feature flags

* base feature events on domain const

* setup default features

* allow setting feature in system api

* allow setting feature in admin api

* set settings in login based on feature

* fix rebasing

* unit tests

* i18n

* update policy after domain discovery

* some changes from review

* check feature and value type

* check feature and value type
2023-09-29 08:21:32 +00:00
Livio Spring
593d1605ab
fix: only reuse active session and use correct policies (from user org) (#6603) 2023-09-21 16:45:41 +02:00
Silvan
6672dcd87d
fix: add spans in auth requests (#6368)
Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-08-18 07:21:31 +00:00
Livio Spring
7c494fd219
feat(login): add OTP (email and sms) (#6353)
* feat: login with otp

* fix(i18n): japanese translation

* add missing files

* fix provider change

* add event types translations to en

* add tests

* resourceOwner

* remove unused handler

* fix: secret generators and add comments

* add setup step

* rename

* linting

* fix setup

* improve otp handling

* fix autocomplete

* translations for login and notifications

* translations for event types

* changes from review

* check selected mfa type
2023-08-15 12:47:05 +00:00
Miguel Cabrerizo
85423b73e9
fix: avatar missing on login after going back (#6238)
* fix: avatar missing on login after going back

* fix: apply @livio-a suggestion

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-08-10 14:19:39 +00:00
Livio Spring
57857b8d30
fix: check if session is reused on reauthentication (#6322)
* fix: check if session is reused on reauth steps

* add nolint directive

---------

Co-authored-by: Silvan <silvan.reusser@gmail.com>
2023-08-07 08:01:24 +00:00
Livio Spring
45262e6829
fix: migrate external id of federated users (#6312)
* feat: migrate external id

* implement tests and some renaming

* fix projection

* cleanup

* i18n

* fix event type

* handle migration for new services as well

* typo
2023-08-04 11:35:36 +02:00
Livio Spring
a1942ecdaa
feat(api): add and remove OTP (SMS and email) (#6295)
* refactor: rename otp to totp

* feat: add otp sms and email

* implement tests
2023-08-02 18:57:53 +02:00
Livio Spring
dd480f8a8d
feat(login): reuse existing session if no prompt is provided and only single session exists (#6272)
* feat: reuse existing session if no prompt is provided and only single session exists

* fix tests
2023-08-01 11:21:44 +00:00
Elio Bischof
31ec1d83b9
feat: enable otp email and sms (#6260)
* feat: enable otp email and sms

* feat: enable otp factors in login settings

* remove tests without value

* translate second factors

* don't add new factors yet

* add comment

* add factors to docs

* backward compatible settings api

* compile tests

* add available 2fa types

* test: add mapping tests

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-07-28 07:39:30 +02:00
Livio Spring
d3e403f645
perf: reduce events read from eventstore (#6280)
* fix: events query user

* fix: events query user

* user events query

* fix tests

* fix query

* cleanup

---------

Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com>
2023-07-27 12:10:19 +00:00
Livio Spring
fed15574f6
feat: allow to force MFA local only (#6234)
This PR adds an option to the LoginPolicy to "Force MFA for local users", so that users authenticated through an IDP must not configure (and verify) an MFA.
2023-07-20 04:06:16 +00:00
Miguel Cabrerizo
78eae6f62b
fix: domain discovery should be case insensitive (#6134)
Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-07-12 13:02:16 +00:00
Livio Spring
84085478ec
fix(login): ensure auth request information is up-to-date in external user check (#6060) 2023-06-21 05:00:03 +00:00
Stefan Benz
2d13d412a2
fix: update linking users if action changed values (#6024)
Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-06-15 07:02:53 +00:00
Livio Spring
458a383de2
fix: use current sequence for refetching of events (#5772)
* fix: use current sequence for refetching of events

* fix: use client ids
2023-04-28 16:28:13 +02:00
Tim Möhlmann
5819924275
feat: device authorization RFC 8628 (#5646)
* device auth: implement the write events

* add grant type device code

* fix(init): check if default value implements stringer

---------

Co-authored-by: adlerhurst <silvan.reusser@gmail.com>
2023-04-19 08:46:02 +00:00
Livio Spring
8bf36301ed
feat: allow skip of success page for native apps (#5627)
add possibility to return to callback directly after login without rendering the successful login page
2023-04-11 15:07:32 +00:00
Elio Bischof
8141d902b8
fix: delete org project mapping by grant id (#5607)
* fix: delete org project mapping by grant id

* fix: check for project on authentication using projections

* fix tests

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2023-04-06 05:46:12 +00:00
Silvan
dd84b93ac3
fix(token): filter users by instance id (#5596)
* fix(token): filter users by instance id
2023-04-03 12:56:37 +00:00