mirror of
https://github.com/zitadel/zitadel.git
synced 2025-03-01 14:17:23 +00:00
8f88c4cf5b
# Which Problems Are Solved Some OAuth2 and OIDC providers require the use of PKCE for all their clients. While ZITADEL already recommended the same for its clients, it did not yet support the option on the IdP configuration. # How the Problems Are Solved - A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC endpoints. - A new checkbox is added to the generic OAuth and OIDC provider templates. - The `rp.WithPKCE` option is added to the provider if the use of PKCE has been set. - The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added to the OIDC/Auth BeginAuth and CodeExchange function. - Store verifier or any other persistent argument in the intent or auth request. - Create corresponding session object before creating the intent, to be able to store the information. - (refactored session structs to use a constructor for unified creation and better overview of actual usage) Here's a screenshot showing the URI including the PKCE params:  # Additional Changes None. # Additional Context - Closes #6449 - This PR replaces the existing PR (#8228) of @doncicuto. The base he did was cherry picked. Thank you very much for that! --------- Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
191 lines
5.4 KiB
Go
191 lines
5.4 KiB
Go
package oidc
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/client/rp"
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
|
"golang.org/x/oauth2"
|
|
|
|
"github.com/zitadel/zitadel/internal/idp"
|
|
)
|
|
|
|
var _ idp.Provider = (*Provider)(nil)
|
|
|
|
// Provider is the [idp.Provider] implementation for a generic OIDC provider
|
|
type Provider struct {
|
|
rp.RelyingParty
|
|
options []rp.Option
|
|
name string
|
|
isLinkingAllowed bool
|
|
isCreationAllowed bool
|
|
isAutoCreation bool
|
|
isAutoUpdate bool
|
|
useIDToken bool
|
|
userInfoMapper func(info *oidc.UserInfo) idp.User
|
|
authOptions []func(bool) rp.AuthURLOpt
|
|
generateVerifier func() string
|
|
}
|
|
|
|
type ProviderOpts func(provider *Provider)
|
|
|
|
// WithLinkingAllowed allows end users to link the federated user to an existing one.
|
|
func WithLinkingAllowed() ProviderOpts {
|
|
return func(p *Provider) {
|
|
p.isLinkingAllowed = true
|
|
}
|
|
}
|
|
|
|
// WithCreationAllowed allows end users to create a new user using the federated information.
|
|
func WithCreationAllowed() ProviderOpts {
|
|
return func(p *Provider) {
|
|
p.isCreationAllowed = true
|
|
}
|
|
}
|
|
|
|
// WithAutoCreation enables that federated users are automatically created if not already existing.
|
|
func WithAutoCreation() ProviderOpts {
|
|
return func(p *Provider) {
|
|
p.isAutoCreation = true
|
|
}
|
|
}
|
|
|
|
// WithAutoUpdate enables that information retrieved from the provider is automatically used to update
|
|
// the existing user on each authentication.
|
|
func WithAutoUpdate() ProviderOpts {
|
|
return func(p *Provider) {
|
|
p.isAutoUpdate = true
|
|
}
|
|
}
|
|
|
|
// WithIDTokenMapping enables that information to map the user is retrieved from the id_token and not the userinfo endpoint.
|
|
func WithIDTokenMapping() ProviderOpts {
|
|
return func(p *Provider) {
|
|
p.useIDToken = true
|
|
}
|
|
}
|
|
|
|
// WithRelyingPartyOption allows to set an additional [rp.Option] like [rp.WithPKCE].
|
|
func WithRelyingPartyOption(option rp.Option) ProviderOpts {
|
|
return func(p *Provider) {
|
|
p.options = append(p.options, option)
|
|
}
|
|
}
|
|
|
|
// WithSelectAccount adds the select_account prompt to the auth request (if no login_hint is set)
|
|
func WithSelectAccount() ProviderOpts {
|
|
return func(p *Provider) {
|
|
p.authOptions = append(p.authOptions, func(loginHintSet bool) rp.AuthURLOpt {
|
|
if loginHintSet {
|
|
return nil
|
|
}
|
|
return rp.WithPrompt(oidc.PromptSelectAccount)
|
|
})
|
|
}
|
|
}
|
|
|
|
// WithResponseMode sets the `response_mode` params in the auth request
|
|
func WithResponseMode(mode oidc.ResponseMode) ProviderOpts {
|
|
return func(p *Provider) {
|
|
paramOpt := rp.WithResponseModeURLParam(mode)
|
|
p.authOptions = append(p.authOptions, func(_ bool) rp.AuthURLOpt {
|
|
return rp.AuthURLOpt(paramOpt)
|
|
})
|
|
}
|
|
}
|
|
|
|
type UserInfoMapper func(info *oidc.UserInfo) idp.User
|
|
|
|
var DefaultMapper UserInfoMapper = func(info *oidc.UserInfo) idp.User {
|
|
return NewUser(info)
|
|
}
|
|
|
|
// New creates a generic OIDC provider
|
|
func New(name, issuer, clientID, clientSecret, redirectURI string, scopes []string, userInfoMapper UserInfoMapper, options ...ProviderOpts) (provider *Provider, err error) {
|
|
provider = &Provider{
|
|
name: name,
|
|
userInfoMapper: userInfoMapper,
|
|
generateVerifier: oauth2.GenerateVerifier,
|
|
}
|
|
for _, option := range options {
|
|
option(provider)
|
|
}
|
|
provider.RelyingParty, err = rp.NewRelyingPartyOIDC(context.TODO(), issuer, clientID, clientSecret, redirectURI, setDefaultScope(scopes), provider.options...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return provider, nil
|
|
}
|
|
|
|
// setDefaultScope ensures that at least openid ist set
|
|
// if none is provided it will request `openid profile email phone`
|
|
func setDefaultScope(scopes []string) []string {
|
|
if len(scopes) == 0 {
|
|
return []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopePhone}
|
|
}
|
|
for _, scope := range scopes {
|
|
if scope == oidc.ScopeOpenID {
|
|
return scopes
|
|
}
|
|
}
|
|
return append(scopes, oidc.ScopeOpenID)
|
|
}
|
|
|
|
// Name implements the [idp.Provider] interface
|
|
func (p *Provider) Name() string {
|
|
return p.name
|
|
}
|
|
|
|
// BeginAuth implements the [idp.Provider] interface.
|
|
// It will create a [Session] with an OIDC authorization request as AuthURL.
|
|
func (p *Provider) BeginAuth(ctx context.Context, state string, params ...idp.Parameter) (idp.Session, error) {
|
|
opts := make([]rp.AuthURLOpt, 0)
|
|
var loginHintSet bool
|
|
for _, param := range params {
|
|
if username, ok := param.(idp.LoginHintParam); ok {
|
|
loginHintSet = true
|
|
opts = append(opts, loginHint(string(username)))
|
|
}
|
|
}
|
|
for _, option := range p.authOptions {
|
|
if opt := option(loginHintSet); opt != nil {
|
|
opts = append(opts, opt)
|
|
}
|
|
}
|
|
|
|
var codeVerifier string
|
|
if p.RelyingParty.IsPKCE() {
|
|
codeVerifier = p.generateVerifier()
|
|
opts = append(opts, rp.WithCodeChallenge(oidc.NewSHACodeChallenge(codeVerifier)))
|
|
}
|
|
|
|
url := rp.AuthURL(state, p.RelyingParty, opts...)
|
|
return &Session{AuthURL: url, Provider: p, CodeVerifier: codeVerifier}, nil
|
|
}
|
|
|
|
func loginHint(hint string) rp.AuthURLOpt {
|
|
return func() []oauth2.AuthCodeOption {
|
|
return []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("login_hint", hint)}
|
|
}
|
|
}
|
|
|
|
// IsLinkingAllowed implements the [idp.Provider] interface.
|
|
func (p *Provider) IsLinkingAllowed() bool {
|
|
return p.isLinkingAllowed
|
|
}
|
|
|
|
// IsCreationAllowed implements the [idp.Provider] interface.
|
|
func (p *Provider) IsCreationAllowed() bool {
|
|
return p.isCreationAllowed
|
|
}
|
|
|
|
// IsAutoCreation implements the [idp.Provider] interface.
|
|
func (p *Provider) IsAutoCreation() bool {
|
|
return p.isAutoCreation
|
|
}
|
|
|
|
// IsAutoUpdate implements the [idp.Provider] interface.
|
|
func (p *Provider) IsAutoUpdate() bool {
|
|
return p.isAutoUpdate
|
|
}
|