TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2024-12-13 11:34:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
42bd636d21
zitadel/internal/repository/oidcsession/oidc_session.go
Tim Möhlmann 6398349c24
feat(oidc): token exchange impersonation (#7516) 
* add token exchange feature flag

* allow setting reason and actor to access tokens

* impersonation

* set token types and scopes in response

* upgrade oidc to working draft state

* fix tests

* audience and scope validation

* id toke and jwt as input

* return id tokens

* add grant type  token exchange to app config

* add integration tests

* check and deny actors in api calls

* fix instance setting tests by triggering projection on write and cleanup

* insert sleep statements again

* solve linting issues

* add translations

* pin oidc v3.15.0

* resolve comments, add event translation

* fix refreshtoken test

* use ValidateAuthReqScopes from oidc

* apparently the linter can't make up its mind

* persist actor thru refresh tokens and check in tests

* remove unneeded triggers
2024-03-20 10:18:46 +00:00

248 lines
5.7 KiB
Go
Raw Blame History

package oidcsession
import (
"context"
"time"
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/eventstore"
)
const (
oidcSessionEventPrefix = "oidc_session."
AddedType = oidcSessionEventPrefix + "added"
AccessTokenAddedType = oidcSessionEventPrefix + "access_token.added"
AccessTokenRevokedType = oidcSessionEventPrefix + "access_token.revoked"
RefreshTokenAddedType = oidcSessionEventPrefix + "refresh_token.added"
RefreshTokenRenewedType = oidcSessionEventPrefix + "refresh_token.renewed"
RefreshTokenRevokedType = oidcSessionEventPrefix + "refresh_token.revoked"
)
type AddedEvent struct {
eventstore.BaseEvent `json:"-"`
UserID string `json:"userID"`
SessionID string `json:"sessionID"`
ClientID string `json:"clientID"`
Audience []string `json:"audience"`
Scope []string `json:"scope"`
AuthMethods []domain.UserAuthMethodType `json:"authMethods"`
AuthTime time.Time `json:"authTime"`
}
func (e *AddedEvent) Payload() interface{} {
return e
}
func (e *AddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
return nil
}
func (e *AddedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
e.BaseEvent = *event
}
func NewAddedEvent(ctx context.Context,
aggregate *eventstore.Aggregate,
userID,
sessionID,
clientID string,
audience,
scope []string,
authMethods []domain.UserAuthMethodType,
authTime time.Time,
) *AddedEvent {
return &AddedEvent{
BaseEvent: *eventstore.NewBaseEventForPush(
ctx,
aggregate,
AddedType,
),
UserID: userID,
SessionID: sessionID,
ClientID: clientID,
Audience: audience,
Scope: scope,
AuthMethods: authMethods,
AuthTime: authTime,
}
}
type AccessTokenAddedEvent struct {
eventstore.BaseEvent `json:"-"`
ID string `json:"id,omitempty"`
Scope []string `json:"scope,omitempty"`
Lifetime time.Duration `json:"lifetime,omitempty"`
Reason domain.TokenReason `json:"reason,omitempty"`
Actor *domain.TokenActor `json:"actor,omitempty"`
}
func (e *AccessTokenAddedEvent) Payload() interface{} {
return e
}
func (e *AccessTokenAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
return nil
}
func (e *AccessTokenAddedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
e.BaseEvent = *event
}
func NewAccessTokenAddedEvent(
ctx context.Context,
aggregate *eventstore.Aggregate,
id string,
scope []string,
lifetime time.Duration,
reason domain.TokenReason,
actor *domain.TokenActor,
) *AccessTokenAddedEvent {
return &AccessTokenAddedEvent{
BaseEvent: *eventstore.NewBaseEventForPush(
ctx,
aggregate,
AccessTokenAddedType,
),
ID: id,
Scope: scope,
Lifetime: lifetime,
Reason: reason,
Actor: actor,
}
}
type AccessTokenRevokedEvent struct {
eventstore.BaseEvent `json:"-"`
}
func (e *AccessTokenRevokedEvent) Payload() interface{} {
return e
}
func (e *AccessTokenRevokedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
return nil
}
func (e *AccessTokenRevokedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
e.BaseEvent = *event
}
func NewAccessTokenRevokedEvent(
ctx context.Context,
aggregate *eventstore.Aggregate,
) *AccessTokenAddedEvent {
return &AccessTokenAddedEvent{
BaseEvent: *eventstore.NewBaseEventForPush(
ctx,
aggregate,
AccessTokenRevokedType,
),
}
}
type RefreshTokenAddedEvent struct {
eventstore.BaseEvent `json:"-"`
ID string `json:"id"`
Lifetime time.Duration `json:"lifetime"`
IdleLifetime time.Duration `json:"idleLifetime"`
}
func (e *RefreshTokenAddedEvent) Payload() interface{} {
return e
}
func (e *RefreshTokenAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
return nil
}
func (e *RefreshTokenAddedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
e.BaseEvent = *event
}
func NewRefreshTokenAddedEvent(
ctx context.Context,
aggregate *eventstore.Aggregate,
id string,
lifetime,
idleLifetime time.Duration,
) *RefreshTokenAddedEvent {
return &RefreshTokenAddedEvent{
BaseEvent: *eventstore.NewBaseEventForPush(
ctx,
aggregate,
RefreshTokenAddedType,
),
ID: id,
Lifetime: lifetime,
IdleLifetime: idleLifetime,
}
}
type RefreshTokenRenewedEvent struct {
eventstore.BaseEvent `json:"-"`
ID string `json:"id"`
IdleLifetime time.Duration `json:"idleLifetime"`
}
func (e *RefreshTokenRenewedEvent) Payload() interface{} {
return e
}
func (e *RefreshTokenRenewedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
return nil
}
func (e *RefreshTokenRenewedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
e.BaseEvent = *event
}
func NewRefreshTokenRenewedEvent(
ctx context.Context,
aggregate *eventstore.Aggregate,
id string,
idleLifetime time.Duration,
) *RefreshTokenRenewedEvent {
return &RefreshTokenRenewedEvent{
BaseEvent: *eventstore.NewBaseEventForPush(
ctx,
aggregate,
RefreshTokenRenewedType,
),
ID: id,
IdleLifetime: idleLifetime,
}
}
type RefreshTokenRevokedEvent struct {
eventstore.BaseEvent `json:"-"`
}
func (e *RefreshTokenRevokedEvent) Payload() interface{} {
return e
}
func (e *RefreshTokenRevokedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
return nil
}
func (e *RefreshTokenRevokedEvent) SetBaseEvent(event *eventstore.BaseEvent) {
e.BaseEvent = *event
}
func NewRefreshTokenRevokedEvent(
ctx context.Context,
aggregate *eventstore.Aggregate,
) *RefreshTokenRevokedEvent {
return &RefreshTokenRevokedEvent{
BaseEvent: *eventstore.NewBaseEventForPush(
ctx,
aggregate,
RefreshTokenRevokedType,
),
}
}
Reference in New Issue View Git Blame Copy Permalink