zitadel/internal/api/oidc/client_converter.go
Tim Möhlmann 3bbcc3434a
chore(deps): upgrade to oidc v3 (#6737)
This pr upgrades oidc to v3 . Function signature changes have been migrated as well. Specifically there are more client calls that take a context now. Where feasable a context is added to those calls. Where a context is not (easily) available context.TODO() is used as a reminder for when it does.

Related to #6619
2023-10-17 15:19:51 +00:00

232 lines
6.0 KiB
Go

package oidc
import (
"strings"
"time"
"github.com/zitadel/oidc/v3/pkg/oidc"
"github.com/zitadel/oidc/v3/pkg/op"
"github.com/zitadel/zitadel/internal/command"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/errors"
"github.com/zitadel/zitadel/internal/query"
)
type Client struct {
app *query.App
defaultLoginURL string
defaultLoginURLV2 string
defaultAccessTokenLifetime time.Duration
defaultIdTokenLifetime time.Duration
allowedScopes []string
}
func ClientFromBusiness(app *query.App, defaultLoginURL, defaultLoginURLV2 string, defaultAccessTokenLifetime, defaultIdTokenLifetime time.Duration, allowedScopes []string) (op.Client, error) {
if app.OIDCConfig == nil {
return nil, errors.ThrowInvalidArgument(nil, "OIDC-d5bhD", "client is not a proper oidc application")
}
return &Client{
app: app,
defaultLoginURL: defaultLoginURL,
defaultLoginURLV2: defaultLoginURLV2,
defaultAccessTokenLifetime: defaultAccessTokenLifetime,
defaultIdTokenLifetime: defaultIdTokenLifetime,
allowedScopes: allowedScopes},
nil
}
func (c *Client) ApplicationType() op.ApplicationType {
return op.ApplicationType(c.app.OIDCConfig.AppType)
}
func (c *Client) AuthMethod() oidc.AuthMethod {
return authMethodToOIDC(c.app.OIDCConfig.AuthMethodType)
}
func (c *Client) GetID() string {
return c.app.OIDCConfig.ClientID
}
func (c *Client) LoginURL(id string) string {
if strings.HasPrefix(id, command.IDPrefixV2) {
return c.defaultLoginURLV2 + id
}
return c.defaultLoginURL + id
}
func (c *Client) RedirectURIs() []string {
return c.app.OIDCConfig.RedirectURIs
}
func (c *Client) PostLogoutRedirectURIs() []string {
return c.app.OIDCConfig.PostLogoutRedirectURIs
}
func (c *Client) ResponseTypes() []oidc.ResponseType {
return responseTypesToOIDC(c.app.OIDCConfig.ResponseTypes)
}
func (c *Client) GrantTypes() []oidc.GrantType {
return grantTypesToOIDC(c.app.OIDCConfig.GrantTypes)
}
func (c *Client) DevMode() bool {
return c.app.OIDCConfig.IsDevMode
}
func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
return func(scopes []string) []string {
if c.app.OIDCConfig.AssertIDTokenRole {
return scopes
}
return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
}
}
func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string {
return func(scopes []string) []string {
if c.app.OIDCConfig.AssertAccessTokenRole {
return scopes
}
return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
}
}
func (c *Client) AccessTokenLifetime() time.Duration {
return c.defaultAccessTokenLifetime //PLANNED: impl from real client
}
func (c *Client) IDTokenLifetime() time.Duration {
return c.defaultIdTokenLifetime //PLANNED: impl from real client
}
func (c *Client) AccessTokenType() op.AccessTokenType {
return accessTokenTypeToOIDC(c.app.OIDCConfig.AccessTokenType)
}
func (c *Client) IsScopeAllowed(scope string) bool {
if strings.HasPrefix(scope, domain.OrgDomainPrimaryScope) {
return true
}
if strings.HasPrefix(scope, domain.OrgIDScope) {
return true
}
if strings.HasPrefix(scope, domain.ProjectIDScope) {
return true
}
if strings.HasPrefix(scope, domain.SelectIDPScope) {
return true
}
if scope == ScopeUserMetaData {
return true
}
if scope == ScopeResourceOwner {
return true
}
if scope == ScopeProjectsRoles {
return true
}
for _, allowedScope := range c.allowedScopes {
if scope == allowedScope {
return true
}
}
return false
}
func (c *Client) ClockSkew() time.Duration {
return c.app.OIDCConfig.ClockSkew
}
func (c *Client) IDTokenUserinfoClaimsAssertion() bool {
return c.app.OIDCConfig.AssertIDTokenUserinfo
}
func accessTokenTypeToOIDC(tokenType domain.OIDCTokenType) op.AccessTokenType {
switch tokenType {
case domain.OIDCTokenTypeBearer:
return op.AccessTokenTypeBearer
case domain.OIDCTokenTypeJWT:
return op.AccessTokenTypeJWT
default:
return op.AccessTokenTypeBearer
}
}
func authMethodToOIDC(authType domain.OIDCAuthMethodType) oidc.AuthMethod {
switch authType {
case domain.OIDCAuthMethodTypeBasic:
return oidc.AuthMethodBasic
case domain.OIDCAuthMethodTypePost:
return oidc.AuthMethodPost
case domain.OIDCAuthMethodTypeNone:
return oidc.AuthMethodNone
case domain.OIDCAuthMethodTypePrivateKeyJWT:
return oidc.AuthMethodPrivateKeyJWT
default:
return oidc.AuthMethodBasic
}
}
func responseTypesToOIDC(responseTypes []domain.OIDCResponseType) []oidc.ResponseType {
oidcTypes := make([]oidc.ResponseType, len(responseTypes))
for i, t := range responseTypes {
oidcTypes[i] = responseTypeToOIDC(t)
}
return oidcTypes
}
func responseTypeToOIDC(responseType domain.OIDCResponseType) oidc.ResponseType {
switch responseType {
case domain.OIDCResponseTypeCode:
return oidc.ResponseTypeCode
case domain.OIDCResponseTypeIDTokenToken:
return oidc.ResponseTypeIDToken
case domain.OIDCResponseTypeIDToken:
return oidc.ResponseTypeIDTokenOnly
default:
return oidc.ResponseTypeCode
}
}
func grantTypesToOIDC(grantTypes []domain.OIDCGrantType) []oidc.GrantType {
oidcTypes := make([]oidc.GrantType, len(grantTypes))
for i, t := range grantTypes {
oidcTypes[i] = grantTypeToOIDC(t)
}
return oidcTypes
}
func grantTypeToOIDC(grantType domain.OIDCGrantType) oidc.GrantType {
switch grantType {
case domain.OIDCGrantTypeAuthorizationCode:
return oidc.GrantTypeCode
case domain.OIDCGrantTypeImplicit:
return oidc.GrantTypeImplicit
case domain.OIDCGrantTypeRefreshToken:
return oidc.GrantTypeRefreshToken
case domain.OIDCGrantTypeDeviceCode:
return oidc.GrantTypeDeviceCode
default:
return oidc.GrantTypeCode
}
}
func removeScopeWithPrefix(scopes []string, scopePrefix ...string) []string {
newScopeList := make([]string, 0)
for _, scope := range scopes {
hasPrefix := false
for _, prefix := range scopePrefix {
if strings.HasPrefix(scope, prefix) {
hasPrefix = true
continue
}
}
if !hasPrefix {
newScopeList = append(newScopeList, scope)
}
}
return newScopeList
}