mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 14:43:49 +00:00
50d2b26a28
# Which Problems Are Solved To be able to migrate or test the new login UI, admins might want to (temporarily) switch individual apps. At a later point admin might want to make sure all applications use the new login UI. # How the Problems Are Solved - Added a feature flag `` on instance level to require all apps to use the new login and provide an optional base url. - if the flag is enabled, all (OIDC) applications will automatically use the v2 login. - if disabled, applications can decide based on their configuration - Added an option on OIDC apps to use the new login UI and an optional base url. - Removed the requirement to use `x-zitadel-login-client` to be redirected to the login V2 and retrieve created authrequest and link them to SSO sessions. - Added a new "IAM_LOGIN_CLIENT" role to allow management of users, sessions, grants and more without `x-zitadel-login-client`. # Additional Changes None # Additional Context closes https://github.com/zitadel/zitadel/issues/8702
484 lines
15 KiB
Go
484 lines
15 KiB
Go
package project
|
|
|
|
import (
|
|
"context"
|
|
"time"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
const (
|
|
OIDCConfigAddedType = applicationEventTypePrefix + "config.oidc.added"
|
|
OIDCConfigChangedType = applicationEventTypePrefix + "config.oidc.changed"
|
|
OIDCConfigSecretChangedType = applicationEventTypePrefix + "config.oidc.secret.changed"
|
|
OIDCConfigSecretHashUpdatedType = applicationEventTypePrefix + "config.oidc.secret.updated"
|
|
)
|
|
|
|
type OIDCConfigAddedEvent struct {
|
|
eventstore.BaseEvent `json:"-"`
|
|
|
|
Version domain.OIDCVersion `json:"oidcVersion,omitempty"`
|
|
AppID string `json:"appId"`
|
|
ClientID string `json:"clientId,omitempty"`
|
|
|
|
// New events only use EncodedHash. However, the ClientSecret field
|
|
// is preserved to handle events older than the switch to Passwap.
|
|
ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
|
|
HashedSecret string `json:"hashedSecret,omitempty"`
|
|
|
|
RedirectUris []string `json:"redirectUris,omitempty"`
|
|
ResponseTypes []domain.OIDCResponseType `json:"responseTypes,omitempty"`
|
|
GrantTypes []domain.OIDCGrantType `json:"grantTypes,omitempty"`
|
|
ApplicationType domain.OIDCApplicationType `json:"applicationType,omitempty"`
|
|
AuthMethodType domain.OIDCAuthMethodType `json:"authMethodType,omitempty"`
|
|
PostLogoutRedirectUris []string `json:"postLogoutRedirectUris,omitempty"`
|
|
DevMode bool `json:"devMode,omitempty"`
|
|
AccessTokenType domain.OIDCTokenType `json:"accessTokenType,omitempty"`
|
|
AccessTokenRoleAssertion bool `json:"accessTokenRoleAssertion,omitempty"`
|
|
IDTokenRoleAssertion bool `json:"idTokenRoleAssertion,omitempty"`
|
|
IDTokenUserinfoAssertion bool `json:"idTokenUserinfoAssertion,omitempty"`
|
|
ClockSkew time.Duration `json:"clockSkew,omitempty"`
|
|
AdditionalOrigins []string `json:"additionalOrigins,omitempty"`
|
|
SkipNativeAppSuccessPage bool `json:"skipNativeAppSuccessPage,omitempty"`
|
|
BackChannelLogoutURI string `json:"backChannelLogoutURI,omitempty"`
|
|
LoginVersion domain.LoginVersion `json:"loginVersion,omitempty"`
|
|
LoginBaseURI string `json:"loginBaseURI,omitempty"`
|
|
}
|
|
|
|
func (e *OIDCConfigAddedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *OIDCConfigAddedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|
|
|
|
func NewOIDCConfigAddedEvent(
|
|
ctx context.Context,
|
|
aggregate *eventstore.Aggregate,
|
|
version domain.OIDCVersion,
|
|
appID string,
|
|
clientID string,
|
|
hashedSecret string,
|
|
redirectUris []string,
|
|
responseTypes []domain.OIDCResponseType,
|
|
grantTypes []domain.OIDCGrantType,
|
|
applicationType domain.OIDCApplicationType,
|
|
authMethodType domain.OIDCAuthMethodType,
|
|
postLogoutRedirectUris []string,
|
|
devMode bool,
|
|
accessTokenType domain.OIDCTokenType,
|
|
accessTokenRoleAssertion bool,
|
|
idTokenRoleAssertion bool,
|
|
idTokenUserinfoAssertion bool,
|
|
clockSkew time.Duration,
|
|
additionalOrigins []string,
|
|
skipNativeAppSuccessPage bool,
|
|
backChannelLogoutURI string,
|
|
loginVersion domain.LoginVersion,
|
|
loginBaseURI string,
|
|
) *OIDCConfigAddedEvent {
|
|
return &OIDCConfigAddedEvent{
|
|
BaseEvent: *eventstore.NewBaseEventForPush(
|
|
ctx,
|
|
aggregate,
|
|
OIDCConfigAddedType,
|
|
),
|
|
Version: version,
|
|
AppID: appID,
|
|
ClientID: clientID,
|
|
HashedSecret: hashedSecret,
|
|
RedirectUris: redirectUris,
|
|
ResponseTypes: responseTypes,
|
|
GrantTypes: grantTypes,
|
|
ApplicationType: applicationType,
|
|
AuthMethodType: authMethodType,
|
|
PostLogoutRedirectUris: postLogoutRedirectUris,
|
|
DevMode: devMode,
|
|
AccessTokenType: accessTokenType,
|
|
AccessTokenRoleAssertion: accessTokenRoleAssertion,
|
|
IDTokenRoleAssertion: idTokenRoleAssertion,
|
|
IDTokenUserinfoAssertion: idTokenUserinfoAssertion,
|
|
ClockSkew: clockSkew,
|
|
AdditionalOrigins: additionalOrigins,
|
|
SkipNativeAppSuccessPage: skipNativeAppSuccessPage,
|
|
BackChannelLogoutURI: backChannelLogoutURI,
|
|
LoginVersion: loginVersion,
|
|
LoginBaseURI: loginBaseURI,
|
|
}
|
|
}
|
|
|
|
func (e *OIDCConfigAddedEvent) Validate(cmd eventstore.Command) bool {
|
|
c, ok := cmd.(*OIDCConfigAddedEvent)
|
|
if !ok {
|
|
return false
|
|
}
|
|
|
|
if e.Version != c.Version {
|
|
return false
|
|
}
|
|
if e.AppID != c.AppID {
|
|
return false
|
|
}
|
|
if e.ClientID != c.ClientID {
|
|
return false
|
|
}
|
|
if e.ClientSecret != c.ClientSecret {
|
|
return false
|
|
}
|
|
if len(e.RedirectUris) != len(c.RedirectUris) {
|
|
return false
|
|
}
|
|
for i, uri := range e.RedirectUris {
|
|
if uri != c.RedirectUris[i] {
|
|
return false
|
|
}
|
|
}
|
|
if len(e.ResponseTypes) != len(c.ResponseTypes) {
|
|
return false
|
|
}
|
|
for i, typ := range e.ResponseTypes {
|
|
if typ != c.ResponseTypes[i] {
|
|
return false
|
|
}
|
|
}
|
|
if len(e.GrantTypes) != len(c.GrantTypes) {
|
|
return false
|
|
}
|
|
for i, typ := range e.GrantTypes {
|
|
if typ != c.GrantTypes[i] {
|
|
return false
|
|
}
|
|
}
|
|
if e.ApplicationType != c.ApplicationType {
|
|
return false
|
|
}
|
|
if e.AuthMethodType != c.AuthMethodType {
|
|
return false
|
|
}
|
|
if len(e.PostLogoutRedirectUris) != len(c.PostLogoutRedirectUris) {
|
|
return false
|
|
}
|
|
for i, uri := range e.PostLogoutRedirectUris {
|
|
if uri != c.PostLogoutRedirectUris[i] {
|
|
return false
|
|
}
|
|
}
|
|
if e.DevMode != c.DevMode {
|
|
return false
|
|
}
|
|
if e.AccessTokenType != c.AccessTokenType {
|
|
return false
|
|
}
|
|
if e.AccessTokenRoleAssertion != c.AccessTokenRoleAssertion {
|
|
return false
|
|
}
|
|
if e.IDTokenRoleAssertion != c.IDTokenRoleAssertion {
|
|
return false
|
|
}
|
|
if e.IDTokenUserinfoAssertion != c.IDTokenUserinfoAssertion {
|
|
return false
|
|
}
|
|
if e.ClockSkew != c.ClockSkew {
|
|
return false
|
|
}
|
|
if len(e.AdditionalOrigins) != len(c.AdditionalOrigins) {
|
|
return false
|
|
}
|
|
for i, origin := range e.AdditionalOrigins {
|
|
if origin != c.AdditionalOrigins[i] {
|
|
return false
|
|
}
|
|
}
|
|
if e.SkipNativeAppSuccessPage != c.SkipNativeAppSuccessPage {
|
|
return false
|
|
}
|
|
if e.BackChannelLogoutURI != c.BackChannelLogoutURI {
|
|
return false
|
|
}
|
|
if e.LoginVersion != c.LoginVersion {
|
|
return false
|
|
}
|
|
return e.LoginBaseURI == c.LoginBaseURI
|
|
}
|
|
|
|
func OIDCConfigAddedEventMapper(event eventstore.Event) (eventstore.Event, error) {
|
|
e := &OIDCConfigAddedEvent{
|
|
BaseEvent: *eventstore.BaseEventFromRepo(event),
|
|
}
|
|
|
|
err := event.Unmarshal(e)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
|
|
}
|
|
|
|
return e, nil
|
|
}
|
|
|
|
type OIDCConfigChangedEvent struct {
|
|
eventstore.BaseEvent `json:"-"`
|
|
|
|
Version *domain.OIDCVersion `json:"oidcVersion,omitempty"`
|
|
AppID string `json:"appId"`
|
|
RedirectUris *[]string `json:"redirectUris,omitempty"`
|
|
ResponseTypes *[]domain.OIDCResponseType `json:"responseTypes,omitempty"`
|
|
GrantTypes *[]domain.OIDCGrantType `json:"grantTypes,omitempty"`
|
|
ApplicationType *domain.OIDCApplicationType `json:"applicationType,omitempty"`
|
|
AuthMethodType *domain.OIDCAuthMethodType `json:"authMethodType,omitempty"`
|
|
PostLogoutRedirectUris *[]string `json:"postLogoutRedirectUris,omitempty"`
|
|
DevMode *bool `json:"devMode,omitempty"`
|
|
AccessTokenType *domain.OIDCTokenType `json:"accessTokenType,omitempty"`
|
|
AccessTokenRoleAssertion *bool `json:"accessTokenRoleAssertion,omitempty"`
|
|
IDTokenRoleAssertion *bool `json:"idTokenRoleAssertion,omitempty"`
|
|
IDTokenUserinfoAssertion *bool `json:"idTokenUserinfoAssertion,omitempty"`
|
|
ClockSkew *time.Duration `json:"clockSkew,omitempty"`
|
|
AdditionalOrigins *[]string `json:"additionalOrigins,omitempty"`
|
|
SkipNativeAppSuccessPage *bool `json:"skipNativeAppSuccessPage,omitempty"`
|
|
BackChannelLogoutURI *string `json:"backChannelLogoutURI,omitempty"`
|
|
LoginVersion *domain.LoginVersion `json:"loginVersion,omitempty"`
|
|
LoginBaseURI *string `json:"loginBaseURI,omitempty"`
|
|
}
|
|
|
|
func (e *OIDCConfigChangedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *OIDCConfigChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|
|
|
|
func NewOIDCConfigChangedEvent(
|
|
ctx context.Context,
|
|
aggregate *eventstore.Aggregate,
|
|
appID string,
|
|
changes []OIDCConfigChanges,
|
|
) (*OIDCConfigChangedEvent, error) {
|
|
if len(changes) == 0 {
|
|
return nil, zerrors.ThrowPreconditionFailed(nil, "OIDC-i8idç", "Errors.NoChangesFound")
|
|
}
|
|
|
|
changeEvent := &OIDCConfigChangedEvent{
|
|
BaseEvent: *eventstore.NewBaseEventForPush(
|
|
ctx,
|
|
aggregate,
|
|
OIDCConfigChangedType,
|
|
),
|
|
AppID: appID,
|
|
}
|
|
for _, change := range changes {
|
|
change(changeEvent)
|
|
}
|
|
return changeEvent, nil
|
|
}
|
|
|
|
type OIDCConfigChanges func(event *OIDCConfigChangedEvent)
|
|
|
|
func ChangeVersion(version domain.OIDCVersion) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.Version = &version
|
|
}
|
|
}
|
|
|
|
func ChangeRedirectURIs(uris []string) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.RedirectUris = &uris
|
|
}
|
|
}
|
|
|
|
func ChangeResponseTypes(responseTypes []domain.OIDCResponseType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.ResponseTypes = &responseTypes
|
|
}
|
|
}
|
|
|
|
func ChangeGrantTypes(grantTypes []domain.OIDCGrantType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.GrantTypes = &grantTypes
|
|
}
|
|
}
|
|
|
|
func ChangeApplicationType(appType domain.OIDCApplicationType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.ApplicationType = &appType
|
|
}
|
|
}
|
|
|
|
func ChangeAuthMethodType(authMethodType domain.OIDCAuthMethodType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.AuthMethodType = &authMethodType
|
|
}
|
|
}
|
|
|
|
func ChangePostLogoutRedirectURIs(logoutRedirects []string) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.PostLogoutRedirectUris = &logoutRedirects
|
|
}
|
|
}
|
|
|
|
func ChangeDevMode(devMode bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.DevMode = &devMode
|
|
}
|
|
}
|
|
|
|
func ChangeAccessTokenType(accessTokenType domain.OIDCTokenType) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.AccessTokenType = &accessTokenType
|
|
}
|
|
}
|
|
|
|
func ChangeAccessTokenRoleAssertion(accessTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.AccessTokenRoleAssertion = &accessTokenRoleAssertion
|
|
}
|
|
}
|
|
|
|
func ChangeIDTokenRoleAssertion(idTokenRoleAssertion bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.IDTokenRoleAssertion = &idTokenRoleAssertion
|
|
}
|
|
}
|
|
|
|
func ChangeIDTokenUserinfoAssertion(idTokenUserinfoAssertion bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.IDTokenUserinfoAssertion = &idTokenUserinfoAssertion
|
|
}
|
|
}
|
|
|
|
func ChangeClockSkew(clockSkew time.Duration) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.ClockSkew = &clockSkew
|
|
}
|
|
}
|
|
|
|
func ChangeAdditionalOrigins(additionalOrigins []string) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.AdditionalOrigins = &additionalOrigins
|
|
}
|
|
}
|
|
|
|
func ChangeSkipNativeAppSuccessPage(skipNativeAppSuccessPage bool) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.SkipNativeAppSuccessPage = &skipNativeAppSuccessPage
|
|
}
|
|
}
|
|
|
|
func ChangeBackChannelLogoutURI(backChannelLogoutURI string) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.BackChannelLogoutURI = &backChannelLogoutURI
|
|
}
|
|
}
|
|
|
|
func ChangeLoginVersion(loginVersion domain.LoginVersion) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.LoginVersion = &loginVersion
|
|
}
|
|
}
|
|
|
|
func ChangeLoginBaseURI(loginBaseURI string) func(event *OIDCConfigChangedEvent) {
|
|
return func(e *OIDCConfigChangedEvent) {
|
|
e.LoginBaseURI = &loginBaseURI
|
|
}
|
|
}
|
|
|
|
func OIDCConfigChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
|
|
e := &OIDCConfigChangedEvent{
|
|
BaseEvent: *eventstore.BaseEventFromRepo(event),
|
|
}
|
|
|
|
err := event.Unmarshal(e)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "OIDC-BFd15", "unable to unmarshal oidc config")
|
|
}
|
|
|
|
return e, nil
|
|
}
|
|
|
|
type OIDCConfigSecretChangedEvent struct {
|
|
eventstore.BaseEvent `json:"-"`
|
|
|
|
AppID string `json:"appId"`
|
|
|
|
// New events only use EncodedHash. However, the ClientSecret field
|
|
// is preserved to handle events older than the switch to Passwap.
|
|
ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
|
|
HashedSecret string `json:"hashedSecret,omitempty"`
|
|
}
|
|
|
|
func (e *OIDCConfigSecretChangedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *OIDCConfigSecretChangedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|
|
|
|
func NewOIDCConfigSecretChangedEvent(
|
|
ctx context.Context,
|
|
aggregate *eventstore.Aggregate,
|
|
appID string,
|
|
hashedSecret string,
|
|
) *OIDCConfigSecretChangedEvent {
|
|
return &OIDCConfigSecretChangedEvent{
|
|
BaseEvent: *eventstore.NewBaseEventForPush(
|
|
ctx,
|
|
aggregate,
|
|
OIDCConfigSecretChangedType,
|
|
),
|
|
AppID: appID,
|
|
HashedSecret: hashedSecret,
|
|
}
|
|
}
|
|
|
|
func OIDCConfigSecretChangedEventMapper(event eventstore.Event) (eventstore.Event, error) {
|
|
e := &OIDCConfigSecretChangedEvent{
|
|
BaseEvent: *eventstore.BaseEventFromRepo(event),
|
|
}
|
|
|
|
err := event.Unmarshal(e)
|
|
if err != nil {
|
|
return nil, zerrors.ThrowInternal(err, "OIDC-M893d", "unable to unmarshal oidc config")
|
|
}
|
|
|
|
return e, nil
|
|
}
|
|
|
|
type OIDCConfigSecretHashUpdatedEvent struct {
|
|
*eventstore.BaseEvent `json:"-"`
|
|
|
|
AppID string `json:"appId"`
|
|
HashedSecret string `json:"hashedSecret,omitempty"`
|
|
}
|
|
|
|
func NewOIDCConfigSecretHashUpdatedEvent(
|
|
ctx context.Context,
|
|
aggregate *eventstore.Aggregate,
|
|
appID string,
|
|
hashedSecret string,
|
|
) *OIDCConfigSecretHashUpdatedEvent {
|
|
return &OIDCConfigSecretHashUpdatedEvent{
|
|
BaseEvent: eventstore.NewBaseEventForPush(
|
|
ctx,
|
|
aggregate,
|
|
OIDCConfigSecretHashUpdatedType,
|
|
),
|
|
AppID: appID,
|
|
HashedSecret: hashedSecret,
|
|
}
|
|
}
|
|
|
|
func (e *OIDCConfigSecretHashUpdatedEvent) SetBaseEvent(b *eventstore.BaseEvent) {
|
|
e.BaseEvent = b
|
|
}
|
|
|
|
func (e *OIDCConfigSecretHashUpdatedEvent) Payload() interface{} {
|
|
return e
|
|
}
|
|
|
|
func (e *OIDCConfigSecretHashUpdatedEvent) UniqueConstraints() []*eventstore.UniqueConstraint {
|
|
return nil
|
|
}
|