mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 09:13:41 +00:00
50d2b26a28
# Which Problems Are Solved To be able to migrate or test the new login UI, admins might want to (temporarily) switch individual apps. At a later point admin might want to make sure all applications use the new login UI. # How the Problems Are Solved - Added a feature flag `` on instance level to require all apps to use the new login and provide an optional base url. - if the flag is enabled, all (OIDC) applications will automatically use the v2 login. - if disabled, applications can decide based on their configuration - Added an option on OIDC apps to use the new login UI and an optional base url. - Removed the requirement to use `x-zitadel-login-client` to be redirected to the login V2 and retrieve created authrequest and link them to SSO sessions. - Added a new "IAM_LOGIN_CLIENT" role to allow management of users, sessions, grants and more without `x-zitadel-login-client`. # Additional Changes None # Additional Context closes https://github.com/zitadel/zitadel/issues/8702
276 lines
7.1 KiB
Go
276 lines
7.1 KiB
Go
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"slices"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
|
"github.com/zitadel/oidc/v3/pkg/op"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/command"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
)
|
|
|
|
const (
|
|
LoginAuthRequestParam = "authRequest"
|
|
)
|
|
|
|
type Client struct {
|
|
client *query.OIDCClient
|
|
defaultLoginURL string
|
|
defaultLoginURLV2 string
|
|
allowedScopes []string
|
|
}
|
|
|
|
func ClientFromBusiness(client *query.OIDCClient, defaultLoginURL, defaultLoginURLV2 string) op.Client {
|
|
allowedScopes := make([]string, len(client.ProjectRoleKeys))
|
|
for i, roleKey := range client.ProjectRoleKeys {
|
|
allowedScopes[i] = ScopeProjectRolePrefix + roleKey
|
|
}
|
|
|
|
return &Client{
|
|
client: client,
|
|
defaultLoginURL: defaultLoginURL,
|
|
defaultLoginURLV2: defaultLoginURLV2,
|
|
allowedScopes: allowedScopes,
|
|
}
|
|
}
|
|
|
|
func (c *Client) ApplicationType() op.ApplicationType {
|
|
return op.ApplicationType(c.client.ApplicationType)
|
|
}
|
|
|
|
func (c *Client) AuthMethod() oidc.AuthMethod {
|
|
return authMethodToOIDC(c.client.AuthMethodType)
|
|
}
|
|
|
|
func (c *Client) GetID() string {
|
|
return c.client.ClientID
|
|
}
|
|
|
|
func (c *Client) LoginURL(id string) string {
|
|
// if the authRequest does not have the v2 prefix, it was created for login V1
|
|
if !strings.HasPrefix(id, command.IDPrefixV2) {
|
|
return c.defaultLoginURL + id
|
|
}
|
|
// any v2 login without a specific base uri will be sent to the configured login v2 UI
|
|
// this way we're also backwards compatible
|
|
if c.client.LoginBaseURI == nil || c.client.LoginBaseURI.URL().String() == "" {
|
|
return c.defaultLoginURLV2 + id
|
|
}
|
|
// for clients with a specific URI (internal or external) we only need to add the auth request id
|
|
uri := c.client.LoginBaseURI.URL().JoinPath(LoginPath)
|
|
q := uri.Query()
|
|
q.Set(LoginAuthRequestParam, id)
|
|
uri.RawQuery = q.Encode()
|
|
return uri.String()
|
|
}
|
|
|
|
func (c *Client) RedirectURIs() []string {
|
|
return c.client.RedirectURIs
|
|
}
|
|
|
|
func (c *Client) PostLogoutRedirectURIs() []string {
|
|
return c.client.PostLogoutRedirectURIs
|
|
}
|
|
|
|
func (c *Client) ResponseTypes() []oidc.ResponseType {
|
|
return responseTypesToOIDC(c.client.ResponseTypes)
|
|
}
|
|
|
|
func (c *Client) GrantTypes() []oidc.GrantType {
|
|
return grantTypesToOIDC(c.client.GrantTypes)
|
|
}
|
|
|
|
func (c *Client) DevMode() bool {
|
|
return c.client.IsDevMode
|
|
}
|
|
|
|
func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
|
|
return func(scopes []string) []string {
|
|
if c.client.IDTokenRoleAssertion {
|
|
return scopes
|
|
}
|
|
return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
|
|
}
|
|
}
|
|
|
|
func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string {
|
|
return func(scopes []string) []string {
|
|
if c.client.AccessTokenRoleAssertion {
|
|
return scopes
|
|
}
|
|
return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
|
|
}
|
|
}
|
|
|
|
func (c *Client) AccessTokenLifetime() time.Duration {
|
|
return c.client.Settings.AccessTokenLifetime
|
|
}
|
|
|
|
func (c *Client) IDTokenLifetime() time.Duration {
|
|
return c.client.Settings.IdTokenLifetime
|
|
}
|
|
|
|
func (c *Client) AccessTokenType() op.AccessTokenType {
|
|
return accessTokenTypeToOIDC(c.client.AccessTokenType)
|
|
}
|
|
|
|
func (c *Client) IsScopeAllowed(scope string) bool {
|
|
return isScopeAllowed(scope, c.allowedScopes...)
|
|
}
|
|
|
|
func (c *Client) ClockSkew() time.Duration {
|
|
return c.client.ClockSkew
|
|
}
|
|
|
|
func (c *Client) IDTokenUserinfoClaimsAssertion() bool {
|
|
return c.client.IDTokenUserinfoAssertion
|
|
}
|
|
|
|
func (c *Client) RedirectURIGlobs() []string {
|
|
if c.DevMode() {
|
|
return c.RedirectURIs()
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (c *Client) PostLogoutRedirectURIGlobs() []string {
|
|
if c.DevMode() {
|
|
return c.PostLogoutRedirectURIs()
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func accessTokenTypeToOIDC(tokenType domain.OIDCTokenType) op.AccessTokenType {
|
|
switch tokenType {
|
|
case domain.OIDCTokenTypeBearer:
|
|
return op.AccessTokenTypeBearer
|
|
case domain.OIDCTokenTypeJWT:
|
|
return op.AccessTokenTypeJWT
|
|
default:
|
|
return op.AccessTokenTypeBearer
|
|
}
|
|
}
|
|
|
|
func authMethodToOIDC(authType domain.OIDCAuthMethodType) oidc.AuthMethod {
|
|
switch authType {
|
|
case domain.OIDCAuthMethodTypeBasic:
|
|
return oidc.AuthMethodBasic
|
|
case domain.OIDCAuthMethodTypePost:
|
|
return oidc.AuthMethodPost
|
|
case domain.OIDCAuthMethodTypeNone:
|
|
return oidc.AuthMethodNone
|
|
case domain.OIDCAuthMethodTypePrivateKeyJWT:
|
|
return oidc.AuthMethodPrivateKeyJWT
|
|
default:
|
|
return oidc.AuthMethodBasic
|
|
}
|
|
}
|
|
|
|
func responseTypesToOIDC(responseTypes []domain.OIDCResponseType) []oidc.ResponseType {
|
|
oidcTypes := make([]oidc.ResponseType, len(responseTypes))
|
|
for i, t := range responseTypes {
|
|
oidcTypes[i] = responseTypeToOIDC(t)
|
|
}
|
|
return oidcTypes
|
|
}
|
|
|
|
func responseTypeToOIDC(responseType domain.OIDCResponseType) oidc.ResponseType {
|
|
switch responseType {
|
|
case domain.OIDCResponseTypeCode:
|
|
return oidc.ResponseTypeCode
|
|
case domain.OIDCResponseTypeIDTokenToken:
|
|
return oidc.ResponseTypeIDToken
|
|
case domain.OIDCResponseTypeIDToken:
|
|
return oidc.ResponseTypeIDTokenOnly
|
|
default:
|
|
return oidc.ResponseTypeCode
|
|
}
|
|
}
|
|
|
|
func grantTypesToOIDC(grantTypes []domain.OIDCGrantType) []oidc.GrantType {
|
|
oidcTypes := make([]oidc.GrantType, len(grantTypes))
|
|
for i, t := range grantTypes {
|
|
oidcTypes[i] = grantTypeToOIDC(t)
|
|
}
|
|
return oidcTypes
|
|
}
|
|
|
|
func grantTypeToOIDC(grantType domain.OIDCGrantType) oidc.GrantType {
|
|
switch grantType {
|
|
case domain.OIDCGrantTypeAuthorizationCode:
|
|
return oidc.GrantTypeCode
|
|
case domain.OIDCGrantTypeImplicit:
|
|
return oidc.GrantTypeImplicit
|
|
case domain.OIDCGrantTypeRefreshToken:
|
|
return oidc.GrantTypeRefreshToken
|
|
case domain.OIDCGrantTypeDeviceCode:
|
|
return oidc.GrantTypeDeviceCode
|
|
case domain.OIDCGrantTypeTokenExchange:
|
|
return oidc.GrantTypeTokenExchange
|
|
default:
|
|
return oidc.GrantTypeCode
|
|
}
|
|
}
|
|
|
|
func removeScopeWithPrefix(scopes []string, scopePrefix ...string) []string {
|
|
newScopeList := make([]string, 0)
|
|
for _, scope := range scopes {
|
|
hasPrefix := false
|
|
for _, prefix := range scopePrefix {
|
|
if strings.HasPrefix(scope, prefix) {
|
|
hasPrefix = true
|
|
continue
|
|
}
|
|
}
|
|
if !hasPrefix {
|
|
newScopeList = append(newScopeList, scope)
|
|
}
|
|
}
|
|
return newScopeList
|
|
}
|
|
|
|
func clientIDFromCredentials(ctx context.Context, cc *op.ClientCredentials) (clientID string, assertion bool, err error) {
|
|
if cc.ClientAssertion != "" {
|
|
claims := new(oidc.JWTTokenRequest)
|
|
if _, err := oidc.ParseToken(cc.ClientAssertion, claims); err != nil {
|
|
return "", false, oidc.ErrInvalidClient().WithParent(err).WithReturnParentToClient(authz.GetFeatures(ctx).DebugOIDCParentError)
|
|
}
|
|
return claims.Issuer, true, nil
|
|
}
|
|
return cc.ClientID, false, nil
|
|
}
|
|
|
|
func isScopeAllowed(scope string, allowedScopes ...string) bool {
|
|
if strings.HasPrefix(scope, domain.OrgDomainPrimaryScope) {
|
|
return true
|
|
}
|
|
if strings.HasPrefix(scope, domain.OrgIDScope) {
|
|
return true
|
|
}
|
|
if strings.HasPrefix(scope, domain.ProjectIDScope) {
|
|
return true
|
|
}
|
|
if strings.HasPrefix(scope, domain.SelectIDPScope) {
|
|
return true
|
|
}
|
|
if strings.HasPrefix(scope, domain.OrgRoleIDScope) {
|
|
return true
|
|
}
|
|
if scope == ScopeUserMetaData {
|
|
return true
|
|
}
|
|
if scope == ScopeResourceOwner {
|
|
return true
|
|
}
|
|
if scope == ScopeProjectsRoles {
|
|
return true
|
|
}
|
|
return slices.Contains(allowedScopes, scope)
|
|
}
|