zitadel/internal/api/oidc/token_refresh.go
Tim Möhlmann e879f90f38
fix(oidc): do not return access token for response type id_token (#8777)
# Which Problems Are Solved

Do not return an access token for implicit flow from v1 login, if the
`response_type` is `id_token`

# How the Problems Are Solved

Do not create the access token event if if the `response_type` is
`id_token`.

# Additional Changes

Token endpoint calls without auth request, such as machine users, token
exchange and refresh token, do not have a `response_type`. For such
calls the `OIDCResponseTypeUnspecified` enum is added at a `-1` offset,
in order not to break existing client configs.

# Additional Context

- https://discord.com/channels/927474939156643850/1294001717725237298
- Fixes https://github.com/zitadel/zitadel/issues/8776

(cherry picked from commit 778b4041ca)
2024-11-15 09:33:18 +01:00

105 lines
3.7 KiB
Go

package oidc
import (
"context"
"errors"
"slices"
"github.com/zitadel/oidc/v3/pkg/oidc"
"github.com/zitadel/oidc/v3/pkg/op"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
"github.com/zitadel/zitadel/internal/zerrors"
)
func (s *Server) RefreshToken(ctx context.Context, r *op.ClientRequest[oidc.RefreshTokenRequest]) (_ *op.Response, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() {
span.EndWithError(err)
err = oidcError(err)
}()
client, ok := r.Client.(*Client)
if !ok {
return nil, zerrors.ThrowInternal(nil, "OIDC-ga0EP", "Error.Internal")
}
session, err := s.command.ExchangeOIDCSessionRefreshAndAccessToken(ctx, r.Data.RefreshToken, r.Data.Scopes, refreshTokenComplianceChecker())
if err == nil {
return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
} else if errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "OIDCS-JOI23", "Errors.OIDCSession.RefreshTokenInvalid")) {
// We try again for v1 tokens when we encountered specific parsing error
return s.refreshTokenV1(ctx, client, r)
}
return nil, err
}
// refreshTokenV1 verifies a v1 refresh token.
// When valid a v2 OIDC session is created and v2 tokens are returned.
// This "upgrades" existing v1 sessions to v2 session without requiring users to re-login.
//
// This function can be removed when we retire the v1 token repo.
func (s *Server) refreshTokenV1(ctx context.Context, client *Client, r *op.ClientRequest[oidc.RefreshTokenRequest]) (_ *op.Response, err error) {
refreshToken, err := s.repo.RefreshTokenByToken(ctx, r.Data.RefreshToken)
if err != nil {
return nil, err
}
scope, err := validateRefreshTokenScopes(refreshToken.Scopes, r.Data.Scopes)
if err != nil {
return nil, err
}
session, err := s.command.CreateOIDCSession(ctx,
refreshToken.UserID,
refreshToken.ResourceOwner,
refreshToken.ClientID,
"", // backChannelLogoutURI is not in refresh token view
scope,
refreshToken.Audience,
AMRToAuthMethodTypes(refreshToken.AuthMethodsReferences),
refreshToken.AuthTime,
"",
nil, // Preferred language not in refresh token view
&domain.UserAgent{
FingerprintID: &refreshToken.UserAgentID,
Description: &refreshToken.UserAgentID,
},
domain.TokenReasonRefresh,
refreshToken.Actor,
true,
"",
domain.OIDCResponseTypeUnspecified,
)
if err != nil {
return nil, err
}
// make sure the v1 refresh token can't be reused.
_, err = s.command.RevokeRefreshToken(ctx, refreshToken.UserID, refreshToken.ResourceOwner, refreshToken.ID)
if err != nil {
return nil, err
}
return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
}
// refreshTokenComplianceChecker validates that the requested scope is a subset of the original auth request scope.
func refreshTokenComplianceChecker() command.RefreshTokenComplianceChecker {
return func(_ context.Context, model *command.OIDCSessionWriteModel, requestedScope []string) ([]string, error) {
return validateRefreshTokenScopes(model.Scope, requestedScope)
}
}
func validateRefreshTokenScopes(currentScope, requestedScope []string) ([]string, error) {
if len(requestedScope) == 0 {
return currentScope, nil
}
for _, s := range requestedScope {
if !slices.Contains(currentScope, s) {
return nil, oidc.ErrInvalidScope()
}
}
return requestedScope, nil
}