zitadel/site/docs/architecture/03-openidoauth.md
Max Peintner 27be460c07
feat: docs rehaul, fix missing context in console, quickstarts (#1212)
* onboarding components, routing, steps

* onboarding component, toc

* fix onboarding mixin

* header

* refactor docs

* fix layout

* cleanup routing

* docs routing

* fix conventions

* de en routing

* docs, guide contents, nav

* rem i18n support

* fix routing from docs

* rollup onwarn changes, preload

* update svelte plugin, update rollup config

* move docs

* revert img style, remove code table

* rem de completely

* rollup optim, template

* angular quickstart, quickstart overview page, update deps

* fix link

* pack, slug

* prefetch binding, hidden links

* export log

* guards route ch

* fix homepage

* angular docs

* docs

* resolve fsh

* overview

* docs

* docs

* packages fix race condition

* nav, home link

* add vue, aspnet

* doc optimizations

* embed status pal

* angular guide

* angular guide

* dotnet, angular guide

* viewbox

* typo

* block onboarding route for non iam writers

* set links from component data

* fix: fetch org context in guard, more main cnt (#1192)

* change get started guide, fix code blockquotes, typos

* flutter guide

* h2 spacing

* highlight strong

* plus

* rm start sublinks

* add proxy quickstart

* regex

* prevent outside click, fix project grant write

Co-authored-by: Florian Forster <florian@caos.ch>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2021-02-16 16:59:18 +01:00

22 KiB

title
OpenID Connect 1.0 & OAuth 2.0

Endpoints and Domains

This chapter documents the OpenID Connect 1.0 and OAuth 2.0 features provided by ZITADEL.

Under normal circumstances ZITADEL need four domain names to operate properly.

Domain Name Example Description
issuer issuer.zitadel.ch Provides the OpenID Connect 1.0 Discovery Endpoint
api api.zitadel.ch All ZITADEL API's are located under this domain see API explanation for details
login accounts.zitadel.ch The accounts.* page provides server renderer pages like login and register and as well the authorization_endpoint for OpenID Connect
console console.zitadel.ch With the console.* domain we serve the assets for the management gui

OpenID Connect 1.0 Discovery

The OpenID Connect Discovery Endpoint is located within the issuer domain. For example with zitadel.ch, issuer.zitadel.ch would be the domain. This would give us https://issuer.zitadel.ch/.well-known/openid-configuration.

Link to spec. OpenID Connect Discovery 1.0 incorporating errata set 1

authorization_endpoint

https://accounts.zitadel.ch/oauth/v2/authorize

The authorization_endpoint is located with the login page, due to the need of accessing the same cookie domain

token_endpoint

https://api.zitadel.ch/oauth/v2/token

userinfo_endpoint

https://api.zitadel.ch/oauth/v2/userinfo

end_session_endpoint

https://accounts.zitadel.ch/oauth/v2/endsession

The end_session_endpoint is located with the login page, due to the need of accessing the same cookie domain

jwks_uri

https://api.zitadel.ch/oauth/v2/keys

Be aware that these keys can be rotated without any prior notice. We will however make sure that a proper kid is set with each key!

OAuth 2.0 Metadata

ZITADEL does not yet provide a OAuth 2.0 Metadata endpoint but instead provides a OpenID Connect Discovery Endpoint.

Scopes

ZITADEL supports the usage of scopes as way of requesting information from the IAM and also instruct ZITADEL to do certain operations.

Standard Scopes

Scopes Example Description
openid openid When using openid connect this is a mandatory scope
profile profile Optional scope to request the profile of the subject
email email Optional scope to request the email of the subject
address address Optional scope to request the address of the subject

Custom Scopes

This feature is not yet released

Reserved Scopes

In addition to the standard compliant scopes we utilize the following scopes.

Scopes Example Description
urn:zitadel:iam:org:project:role:{rolename} urn:zitadel:iam:org:project:role:user By using this scope a client can request the claim urn:zitadel:iam:roles:rolename} to be asserted when possible. As an alternative approach you can enable all roles to be asserted from the project a client belongs to. See details here
urn:zitadel:iam:org:domain:primary:{domainname} urn:zitadel:iam:org:domain:primary:acme.ch When requesting this scope ZITADEL will enforce that the user is a member of the selected organization. If the organization does not exist a failure is displayed
urn:zitadel:iam:role:{rolename}
urn:zitadel:iam:org:project🆔{projectid}:aud ZITADEL's Project id is urn:zitadel:iam:org:project:id:69234237810729019:aud By adding this scope, the requested projectid will be added to the audience of the access and id token

If access to ZITADEL's API's is needed with a service user the scope urn:zitadel:iam:org:project:id:69234237810729019:aud needs to be used with the JWT Profile request

Claims

ZITADEL asserts claims on different places according to the corresponding specifications or project and clients settings. Please check below the matrix for an overview where which scope is asserted.

Claims Userinfo ID Token Access Token
acr Yes Yes No
address Yes when requested Yes only when response type id_token No
amr Yes Yes No
aud No Yes Yes when JWT
auth_time Yes Yes No
azp No Yes Yes when JWT
email Yes when requested Yes only when response type id_token No
email_verified Yes when requested Yes only when response type id_token No
exp No Yes Yes when JWT
family_name Yes when requested Yes when requested No
gender Yes when requested Yes when requested No
given_name Yes when requested Yes when requested No
iat No Yes Yes when JWT
iss No Yes Yes when JWT
locale Yes when requested Yes when requested No
name Yes when requested Yes when requested No
nonce No Yes No
phone Yes when requested Yes only when response type id_token No
preferred_username Yes when requested Yes No
sub Yes Yes Yes when JWT
urn:zitadel:iam:org:domain:primary:{domainname} Yes when requested Yes when requested Yes when JWT and requested
urn:zitadel:iam:org:project:roles:{rolename} Yes when requested Yes when requested or configured Yes when JWT and requested or configured

Standard Claims

Claims Example Description
acr TBA TBA
address Teufener Strasse 19, 9000 St. Gallen TBA
amr pwd mfa Authentication Method References as defined in RFC8176
aud 69234237810729019 By default all client id's and the project id is included
auth_time 1311280969 Unix time of the authentication
azp 69234237810729234 Client id of the client who requested the token
email road.runner@acme.ch Email Address of the subject
email_verified true Boolean if the email was verified by ZITADEL
exp 1311281970 Time the token expires as unix time
family_name Runner The subjects family name
gender other Gender of the subject
given_name Road Given name of the subject
iat 1311280970 Issued at time of the token as unix time
iss https://issuer.zitadel.ch Issuing domain of a token
locale en Language from the subject
name Road Runner The subjects full name
nonce blQtVEJHNTF0WHhFQmhqZ0RqeHJsdzdkd2d... The nonce provided by the client
phone +41 79 XXX XX XX Phone number provided by the user
preferred_username road.runner@acme.caos.ch ZITADEL's login name of the user. Consist of username@primarydomain
sub 77776025198584418 Subject ID of the user

Custom Claims

This feature is not yet released

Reserved Claims

ZITADEL reserves some claims to assert certain data.

Claims Example Description
urn:zitadel:iam:org:domain:primary:{domainname} {"urn:zitadel:iam:org:domain:primary": "acme.ch"} This claim represents the primary domain of the organization the user belongs to.
urn:zitadel:iam:org:project:roles:{rolename} {"urn:zitadel:iam:org:project:roles": [ {"user": {"id1": "acme.zitade.ch", "id2": "caos.ch"} } ] } When roles are asserted, ZITADEL does this by providing the id and primaryDomain below the role. This gives you the option to check in which organization a user has the role.
urn:zitadel:iam:roles:{rolename} TBA TBA

Grant Types

For a list of supported or unsupported Grant Types please have a look at the table below.

Grant Type Supported
Authorization Code yes
Authorization Code with PKCE yes
Client Credentials yes
Device Authorization under consideration
Implicit yes
JSON Web Token (JWT) Profile partially
Refresh Token work in progress
Resource Owner Password Credentials no
Security Assertion Markup Language (SAML) 2.0 Profile no
Token Exchange work in progress

Authorization Code

Link to spec. The OAuth 2.0 Authorization Framework Section 1.3.1

Proof Key for Code Exchange

Link to spec. Proof Key for Code Exchange by OAuth Public Clients

Implicit

Link to spec. The OAuth 2.0 Authorization Framework Section 1.3.2

Client Credentials

Link to spec. The OAuth 2.0 Authorization Framework Section 1.3.4

Refresh Token

Link to spec. The OAuth 2.0 Authorization Framework Section 1.5

JSON Web Token (JWT) Profile

Link to spec. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

Using JWTs as Authorization Grants

Our service user work with the JWT profile to authenticate them against ZITADEL.

  1. Create or use an existing service user
  2. Create a new key and download it
  3. Generate a JWT with the structure below and sing it with the downloaded key
  4. Send the JWT Base64 encoded to ZITADEL's token endpoint
  5. Use the received access token

Key JSON

Key Example Description
type "serviceaccount" The type of account, right now only serviceaccount is valid
keyId "81693565968772648" This is unique ID of the key
key "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----" The private key generated by ZITADEL, this can not be regenerated!
userId 78366401571647008 The service users ID, this is the same as the subject from tokens
{
	"type": "serviceaccount",
	"keyId": "81693565968772648",
	"key": "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----",
	"userId": "78366401571647008"
}

JWT

Claim Example Description
aud "https://issuer.zitadel.ch" String or Array of intended audiences MUST include ZITADEL's issuing domain
exp 1605183582 Unix timestamp of the expiry, MUST NOT be longer than 1h
iat 1605179982 Unix timestamp of the creation singing time of the JWT
iss "77479219772321307" String which represents the requesting party (owner of the key), normally the userId from the json key file
sub "77479219772321307" The subject ID of the service user, normally the userId from the json key file
{
	"iss": "77479219772321307",
	"sub": "77479219772321307",
	"aud": "https://issuer.zitadel.ch",
	"exp": 1605183582,
	"iat": 1605179982
}

Access Token Request

Parameter Example Description
Content-Type application/x-www-form-urlencoded
grant_type urn:ietf:params:oauth:grant-type:jwt-bearer Using JWTs as Authorization Grants
assertion eyJhbGciOiJSUzI1Ni... The base64 encoded JWT created above
scope openid profile email urn:zitadel:iam:org:project:id:69234237810729019:aud Scopes you would like to request from ZITADEL
curl --request POST \
  --url https://api.zitadel.ch/oauth/v2/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
  --data assertion=eyJhbGciOiJSUzI1Ni...
  --data scope=openid profile email address
Using JWTs for Client Authentication

Not yet supported

Token Exchange

Link to spec. OAuth 2.0 Token Exchange

Device Authorization

Link to spec. OAuth 2.0 Device Authorization Grant

Not Supported Grant Types

Resource Owner Password Credentials

Due to growing security concerns we do not support this grant type. With OAuth 2.1 it looks like this grant will be removed.

Link to spec. OThe OAuth 2.0 Authorization Framework Section 1.3.3

Security Assertion Markup Language (SAML) 2.0 Profile

Link to spec. Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants