TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2024-12-13 19:44:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
0bcf136f6f
zitadel/internal/api/oidc/client_converter.go
Tim Möhlmann 5fd2061770
feat(oidc): allow returning of parent errors to client (#8376) 
# Which Problems Are Solved

Currently the OIDC API of ZITADEL only prints parent errors to the logs.
Where 4xx status are typically warn level and 5xx error level. This
makes it hard to debug certain errors for client in multi-instance
environments like ZITADEL cloud, where there is no direct access to
logs. In case of support requests we often can't correlate past
log-lines to the error that was reported.

This change adds the possibility to return the parent error in the
response to the OIDC client. For the moment this only applies to JSON
body responses, not error redirects to the RP.

# How the Problems Are Solved

- New instance-level feature flag: `debug_oidc_parent_error`
- Use the new `WithReturnParentToClient()` function from the oidc lib
introduced in https://github.com/zitadel/oidc/pull/629 for all cases
where `WithParent` was already used and the request context is
available.

# Additional Changes

none

# Additional Context

- Depends on: https://github.com/zitadel/oidc/pull/629
- Related to: https://github.com/zitadel/zitadel/issues/8362

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-08-20 06:45:24 +00:00

261 lines
6.5 KiB
Go
Raw Blame History

package oidc
import (
"context"
"slices"
"strings"
"time"
"github.com/zitadel/oidc/v3/pkg/oidc"
"github.com/zitadel/oidc/v3/pkg/op"
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
)
type Client struct {
client *query.OIDCClient
defaultLoginURL string
defaultLoginURLV2 string
allowedScopes []string
}
func ClientFromBusiness(client *query.OIDCClient, defaultLoginURL, defaultLoginURLV2 string) op.Client {
allowedScopes := make([]string, len(client.ProjectRoleKeys))
for i, roleKey := range client.ProjectRoleKeys {
allowedScopes[i] = ScopeProjectRolePrefix + roleKey
}
return &Client{
client: client,
defaultLoginURL: defaultLoginURL,
defaultLoginURLV2: defaultLoginURLV2,
allowedScopes: allowedScopes,
}
}
func (c *Client) ApplicationType() op.ApplicationType {
return op.ApplicationType(c.client.ApplicationType)
}
func (c *Client) AuthMethod() oidc.AuthMethod {
return authMethodToOIDC(c.client.AuthMethodType)
}
func (c *Client) GetID() string {
return c.client.ClientID
}
func (c *Client) LoginURL(id string) string {
if strings.HasPrefix(id, command.IDPrefixV2) {
return c.defaultLoginURLV2 + id
}
return c.defaultLoginURL + id
}
func (c *Client) RedirectURIs() []string {
return c.client.RedirectURIs
}
func (c *Client) PostLogoutRedirectURIs() []string {
return c.client.PostLogoutRedirectURIs
}
func (c *Client) ResponseTypes() []oidc.ResponseType {
return responseTypesToOIDC(c.client.ResponseTypes)
}
func (c *Client) GrantTypes() []oidc.GrantType {
return grantTypesToOIDC(c.client.GrantTypes)
}
func (c *Client) DevMode() bool {
return c.client.IsDevMode
}
func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
return func(scopes []string) []string {
if c.client.IDTokenRoleAssertion {
return scopes
}
return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
}
}
func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string {
return func(scopes []string) []string {
if c.client.AccessTokenRoleAssertion {
return scopes
}
return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
}
}
func (c *Client) AccessTokenLifetime() time.Duration {
return c.client.Settings.AccessTokenLifetime
}
func (c *Client) IDTokenLifetime() time.Duration {
return c.client.Settings.IdTokenLifetime
}
func (c *Client) AccessTokenType() op.AccessTokenType {
return accessTokenTypeToOIDC(c.client.AccessTokenType)
}
func (c *Client) IsScopeAllowed(scope string) bool {
return isScopeAllowed(scope, c.allowedScopes...)
}
func (c *Client) ClockSkew() time.Duration {
return c.client.ClockSkew
}
func (c *Client) IDTokenUserinfoClaimsAssertion() bool {
return c.client.IDTokenUserinfoAssertion
}
func (c *Client) RedirectURIGlobs() []string {
if c.DevMode() {
return c.RedirectURIs()
}
return nil
}
func (c *Client) PostLogoutRedirectURIGlobs() []string {
if c.DevMode() {
return c.PostLogoutRedirectURIs()
}
return nil
}
func accessTokenTypeToOIDC(tokenType domain.OIDCTokenType) op.AccessTokenType {
switch tokenType {
case domain.OIDCTokenTypeBearer:
return op.AccessTokenTypeBearer
case domain.OIDCTokenTypeJWT:
return op.AccessTokenTypeJWT
default:
return op.AccessTokenTypeBearer
}
}
func authMethodToOIDC(authType domain.OIDCAuthMethodType) oidc.AuthMethod {
switch authType {
case domain.OIDCAuthMethodTypeBasic:
return oidc.AuthMethodBasic
case domain.OIDCAuthMethodTypePost:
return oidc.AuthMethodPost
case domain.OIDCAuthMethodTypeNone:
return oidc.AuthMethodNone
case domain.OIDCAuthMethodTypePrivateKeyJWT:
return oidc.AuthMethodPrivateKeyJWT
default:
return oidc.AuthMethodBasic
}
}
func responseTypesToOIDC(responseTypes []domain.OIDCResponseType) []oidc.ResponseType {
oidcTypes := make([]oidc.ResponseType, len(responseTypes))
for i, t := range responseTypes {
oidcTypes[i] = responseTypeToOIDC(t)
}
return oidcTypes
}
func responseTypeToOIDC(responseType domain.OIDCResponseType) oidc.ResponseType {
switch responseType {
case domain.OIDCResponseTypeCode:
return oidc.ResponseTypeCode
case domain.OIDCResponseTypeIDTokenToken:
return oidc.ResponseTypeIDToken
case domain.OIDCResponseTypeIDToken:
return oidc.ResponseTypeIDTokenOnly
default:
return oidc.ResponseTypeCode
}
}
func grantTypesToOIDC(grantTypes []domain.OIDCGrantType) []oidc.GrantType {
oidcTypes := make([]oidc.GrantType, len(grantTypes))
for i, t := range grantTypes {
oidcTypes[i] = grantTypeToOIDC(t)
}
return oidcTypes
}
func grantTypeToOIDC(grantType domain.OIDCGrantType) oidc.GrantType {
switch grantType {
case domain.OIDCGrantTypeAuthorizationCode:
return oidc.GrantTypeCode
case domain.OIDCGrantTypeImplicit:
return oidc.GrantTypeImplicit
case domain.OIDCGrantTypeRefreshToken:
return oidc.GrantTypeRefreshToken
case domain.OIDCGrantTypeDeviceCode:
return oidc.GrantTypeDeviceCode
case domain.OIDCGrantTypeTokenExchange:
return oidc.GrantTypeTokenExchange
default:
return oidc.GrantTypeCode
}
}
func removeScopeWithPrefix(scopes []string, scopePrefix ...string) []string {
newScopeList := make([]string, 0)
for _, scope := range scopes {
hasPrefix := false
for _, prefix := range scopePrefix {
if strings.HasPrefix(scope, prefix) {
hasPrefix = true
continue
}
}
if !hasPrefix {
newScopeList = append(newScopeList, scope)
}
}
return newScopeList
}
func clientIDFromCredentials(ctx context.Context, cc *op.ClientCredentials) (clientID string, assertion bool, err error) {
if cc.ClientAssertion != "" {
claims := new(oidc.JWTTokenRequest)
if _, err := oidc.ParseToken(cc.ClientAssertion, claims); err != nil {
return "", false, oidc.ErrInvalidClient().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError)
}
return claims.Issuer, true, nil
}
return cc.ClientID, false, nil
}
func isScopeAllowed(scope string, allowedScopes ...string) bool {
if strings.HasPrefix(scope, domain.OrgDomainPrimaryScope) {
return true
}
if strings.HasPrefix(scope, domain.OrgIDScope) {
return true
}
if strings.HasPrefix(scope, domain.ProjectIDScope) {
return true
}
if strings.HasPrefix(scope, domain.SelectIDPScope) {
return true
}
if strings.HasPrefix(scope, domain.OrgRoleIDScope) {
return true
}
if scope == ScopeUserMetaData {
return true
}
if scope == ScopeResourceOwner {
return true
}
if scope == ScopeProjectsRoles {
return true
}
return slices.Contains(allowedScopes, scope)
}
Reference in New Issue View Git Blame Copy Permalink