mirror of
https://github.com/zitadel/zitadel.git
synced 2025-01-10 02:53:40 +00:00
50d2b26a28
# Which Problems Are Solved To be able to migrate or test the new login UI, admins might want to (temporarily) switch individual apps. At a later point admin might want to make sure all applications use the new login UI. # How the Problems Are Solved - Added a feature flag `` on instance level to require all apps to use the new login and provide an optional base url. - if the flag is enabled, all (OIDC) applications will automatically use the v2 login. - if disabled, applications can decide based on their configuration - Added an option on OIDC apps to use the new login UI and an optional base url. - Removed the requirement to use `x-zitadel-login-client` to be redirected to the login V2 and retrieve created authrequest and link them to SSO sessions. - Added a new "IAM_LOGIN_CLIENT" role to allow management of users, sessions, grants and more without `x-zitadel-login-client`. # Additional Changes None # Additional Context closes https://github.com/zitadel/zitadel/issues/8702
347 lines
10 KiB
Go
347 lines
10 KiB
Go
package command
|
|
|
|
import (
|
|
"context"
|
|
"reflect"
|
|
"time"
|
|
|
|
"github.com/zitadel/zitadel/internal/crypto"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/eventstore"
|
|
"github.com/zitadel/zitadel/internal/repository/project"
|
|
)
|
|
|
|
type OIDCApplicationWriteModel struct {
|
|
eventstore.WriteModel
|
|
|
|
AppID string
|
|
AppName string
|
|
ClientID string
|
|
HashedSecret string
|
|
ClientSecretString string
|
|
RedirectUris []string
|
|
ResponseTypes []domain.OIDCResponseType
|
|
GrantTypes []domain.OIDCGrantType
|
|
ApplicationType domain.OIDCApplicationType
|
|
AuthMethodType domain.OIDCAuthMethodType
|
|
PostLogoutRedirectUris []string
|
|
OIDCVersion domain.OIDCVersion
|
|
Compliance *domain.Compliance
|
|
DevMode bool
|
|
AccessTokenType domain.OIDCTokenType
|
|
AccessTokenRoleAssertion bool
|
|
IDTokenRoleAssertion bool
|
|
IDTokenUserinfoAssertion bool
|
|
ClockSkew time.Duration
|
|
State domain.AppState
|
|
AdditionalOrigins []string
|
|
SkipNativeAppSuccessPage bool
|
|
BackChannelLogoutURI string
|
|
LoginVersion domain.LoginVersion
|
|
LoginBaseURI string
|
|
oidc bool
|
|
}
|
|
|
|
func NewOIDCApplicationWriteModelWithAppID(projectID, appID, resourceOwner string) *OIDCApplicationWriteModel {
|
|
return &OIDCApplicationWriteModel{
|
|
WriteModel: eventstore.WriteModel{
|
|
AggregateID: projectID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
AppID: appID,
|
|
}
|
|
}
|
|
|
|
func NewOIDCApplicationWriteModel(projectID, resourceOwner string) *OIDCApplicationWriteModel {
|
|
return &OIDCApplicationWriteModel{
|
|
WriteModel: eventstore.WriteModel{
|
|
AggregateID: projectID,
|
|
ResourceOwner: resourceOwner,
|
|
},
|
|
}
|
|
}
|
|
func (wm *OIDCApplicationWriteModel) AppendEvents(events ...eventstore.Event) {
|
|
for _, event := range events {
|
|
switch e := event.(type) {
|
|
case *project.ApplicationAddedEvent:
|
|
if e.AppID != wm.AppID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *project.ApplicationChangedEvent:
|
|
if e.AppID != wm.AppID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *project.ApplicationDeactivatedEvent:
|
|
if e.AppID != wm.AppID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *project.ApplicationReactivatedEvent:
|
|
if e.AppID != wm.AppID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *project.ApplicationRemovedEvent:
|
|
if e.AppID != wm.AppID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *project.OIDCConfigAddedEvent:
|
|
if e.AppID != wm.AppID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *project.OIDCConfigChangedEvent:
|
|
if e.AppID != wm.AppID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *project.OIDCConfigSecretChangedEvent:
|
|
if e.AppID != wm.AppID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *project.OIDCConfigSecretHashUpdatedEvent:
|
|
if e.AppID != wm.AppID {
|
|
continue
|
|
}
|
|
wm.WriteModel.AppendEvents(e)
|
|
case *project.ProjectRemovedEvent:
|
|
wm.WriteModel.AppendEvents(e)
|
|
}
|
|
}
|
|
}
|
|
|
|
func (wm *OIDCApplicationWriteModel) Reduce() error {
|
|
for _, event := range wm.Events {
|
|
switch e := event.(type) {
|
|
case *project.ApplicationAddedEvent:
|
|
wm.AppName = e.Name
|
|
wm.State = domain.AppStateActive
|
|
case *project.ApplicationChangedEvent:
|
|
wm.AppName = e.Name
|
|
case *project.ApplicationDeactivatedEvent:
|
|
if wm.State == domain.AppStateRemoved {
|
|
continue
|
|
}
|
|
wm.State = domain.AppStateInactive
|
|
case *project.ApplicationReactivatedEvent:
|
|
if wm.State == domain.AppStateRemoved {
|
|
continue
|
|
}
|
|
wm.State = domain.AppStateActive
|
|
case *project.ApplicationRemovedEvent:
|
|
wm.State = domain.AppStateRemoved
|
|
case *project.OIDCConfigAddedEvent:
|
|
wm.appendAddOIDCEvent(e)
|
|
case *project.OIDCConfigChangedEvent:
|
|
wm.appendChangeOIDCEvent(e)
|
|
case *project.OIDCConfigSecretChangedEvent:
|
|
wm.HashedSecret = crypto.SecretOrEncodedHash(e.ClientSecret, e.HashedSecret)
|
|
case *project.OIDCConfigSecretHashUpdatedEvent:
|
|
wm.HashedSecret = e.HashedSecret
|
|
case *project.ProjectRemovedEvent:
|
|
wm.State = domain.AppStateRemoved
|
|
}
|
|
}
|
|
return wm.WriteModel.Reduce()
|
|
}
|
|
|
|
func (wm *OIDCApplicationWriteModel) appendAddOIDCEvent(e *project.OIDCConfigAddedEvent) {
|
|
wm.oidc = true
|
|
wm.ClientID = e.ClientID
|
|
wm.HashedSecret = crypto.SecretOrEncodedHash(e.ClientSecret, e.HashedSecret)
|
|
wm.RedirectUris = e.RedirectUris
|
|
wm.ResponseTypes = e.ResponseTypes
|
|
wm.GrantTypes = e.GrantTypes
|
|
wm.ApplicationType = e.ApplicationType
|
|
wm.AuthMethodType = e.AuthMethodType
|
|
wm.PostLogoutRedirectUris = e.PostLogoutRedirectUris
|
|
wm.OIDCVersion = e.Version
|
|
wm.DevMode = e.DevMode
|
|
wm.AccessTokenType = e.AccessTokenType
|
|
wm.AccessTokenRoleAssertion = e.AccessTokenRoleAssertion
|
|
wm.IDTokenRoleAssertion = e.IDTokenRoleAssertion
|
|
wm.IDTokenUserinfoAssertion = e.IDTokenUserinfoAssertion
|
|
wm.ClockSkew = e.ClockSkew
|
|
wm.AdditionalOrigins = e.AdditionalOrigins
|
|
wm.SkipNativeAppSuccessPage = e.SkipNativeAppSuccessPage
|
|
wm.BackChannelLogoutURI = e.BackChannelLogoutURI
|
|
wm.LoginVersion = e.LoginVersion
|
|
wm.LoginBaseURI = e.LoginBaseURI
|
|
}
|
|
|
|
func (wm *OIDCApplicationWriteModel) appendChangeOIDCEvent(e *project.OIDCConfigChangedEvent) {
|
|
if e.RedirectUris != nil {
|
|
wm.RedirectUris = *e.RedirectUris
|
|
}
|
|
if e.ResponseTypes != nil {
|
|
wm.ResponseTypes = *e.ResponseTypes
|
|
}
|
|
if e.GrantTypes != nil {
|
|
wm.GrantTypes = *e.GrantTypes
|
|
}
|
|
if e.ApplicationType != nil {
|
|
wm.ApplicationType = *e.ApplicationType
|
|
}
|
|
if e.AuthMethodType != nil {
|
|
wm.AuthMethodType = *e.AuthMethodType
|
|
}
|
|
if e.PostLogoutRedirectUris != nil {
|
|
wm.PostLogoutRedirectUris = *e.PostLogoutRedirectUris
|
|
}
|
|
if e.Version != nil {
|
|
wm.OIDCVersion = *e.Version
|
|
}
|
|
if e.DevMode != nil {
|
|
wm.DevMode = *e.DevMode
|
|
}
|
|
if e.AccessTokenType != nil {
|
|
wm.AccessTokenType = *e.AccessTokenType
|
|
}
|
|
if e.AccessTokenRoleAssertion != nil {
|
|
wm.AccessTokenRoleAssertion = *e.AccessTokenRoleAssertion
|
|
}
|
|
if e.IDTokenRoleAssertion != nil {
|
|
wm.IDTokenRoleAssertion = *e.IDTokenRoleAssertion
|
|
}
|
|
if e.IDTokenUserinfoAssertion != nil {
|
|
wm.IDTokenUserinfoAssertion = *e.IDTokenUserinfoAssertion
|
|
}
|
|
if e.ClockSkew != nil {
|
|
wm.ClockSkew = *e.ClockSkew
|
|
}
|
|
if e.AdditionalOrigins != nil {
|
|
wm.AdditionalOrigins = *e.AdditionalOrigins
|
|
}
|
|
if e.SkipNativeAppSuccessPage != nil {
|
|
wm.SkipNativeAppSuccessPage = *e.SkipNativeAppSuccessPage
|
|
}
|
|
if e.BackChannelLogoutURI != nil {
|
|
wm.BackChannelLogoutURI = *e.BackChannelLogoutURI
|
|
}
|
|
if e.LoginVersion != nil {
|
|
wm.LoginVersion = *e.LoginVersion
|
|
}
|
|
if e.LoginBaseURI != nil {
|
|
wm.LoginBaseURI = *e.LoginBaseURI
|
|
}
|
|
}
|
|
|
|
func (wm *OIDCApplicationWriteModel) Query() *eventstore.SearchQueryBuilder {
|
|
return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
|
|
ResourceOwner(wm.ResourceOwner).
|
|
AddQuery().
|
|
AggregateTypes(project.AggregateType).
|
|
AggregateIDs(wm.AggregateID).
|
|
EventTypes(
|
|
project.ApplicationAddedType,
|
|
project.ApplicationChangedType,
|
|
project.ApplicationDeactivatedType,
|
|
project.ApplicationReactivatedType,
|
|
project.ApplicationRemovedType,
|
|
project.OIDCConfigAddedType,
|
|
project.OIDCConfigChangedType,
|
|
project.OIDCConfigSecretChangedType,
|
|
project.OIDCConfigSecretHashUpdatedType,
|
|
project.ProjectRemovedType,
|
|
).Builder()
|
|
}
|
|
|
|
func (wm *OIDCApplicationWriteModel) NewChangedEvent(
|
|
ctx context.Context,
|
|
aggregate *eventstore.Aggregate,
|
|
appID string,
|
|
redirectURIS,
|
|
postLogoutRedirectURIs []string,
|
|
responseTypes []domain.OIDCResponseType,
|
|
grantTypes []domain.OIDCGrantType,
|
|
appType domain.OIDCApplicationType,
|
|
authMethodType domain.OIDCAuthMethodType,
|
|
oidcVersion domain.OIDCVersion,
|
|
accessTokenType domain.OIDCTokenType,
|
|
devMode,
|
|
accessTokenRoleAssertion,
|
|
idTokenRoleAssertion,
|
|
idTokenUserinfoAssertion bool,
|
|
clockSkew time.Duration,
|
|
additionalOrigins []string,
|
|
skipNativeAppSuccessPage bool,
|
|
backChannelLogoutURI string,
|
|
loginVersion domain.LoginVersion,
|
|
loginBaseURI string,
|
|
) (*project.OIDCConfigChangedEvent, bool, error) {
|
|
changes := make([]project.OIDCConfigChanges, 0)
|
|
var err error
|
|
|
|
if !reflect.DeepEqual(wm.RedirectUris, redirectURIS) {
|
|
changes = append(changes, project.ChangeRedirectURIs(redirectURIS))
|
|
}
|
|
if !reflect.DeepEqual(wm.ResponseTypes, responseTypes) {
|
|
changes = append(changes, project.ChangeResponseTypes(responseTypes))
|
|
}
|
|
if !reflect.DeepEqual(wm.GrantTypes, grantTypes) {
|
|
changes = append(changes, project.ChangeGrantTypes(grantTypes))
|
|
}
|
|
if wm.ApplicationType != appType {
|
|
changes = append(changes, project.ChangeApplicationType(appType))
|
|
}
|
|
if wm.AuthMethodType != authMethodType {
|
|
changes = append(changes, project.ChangeAuthMethodType(authMethodType))
|
|
}
|
|
if !reflect.DeepEqual(wm.PostLogoutRedirectUris, postLogoutRedirectURIs) {
|
|
changes = append(changes, project.ChangePostLogoutRedirectURIs(postLogoutRedirectURIs))
|
|
}
|
|
if wm.OIDCVersion != oidcVersion {
|
|
changes = append(changes, project.ChangeVersion(oidcVersion))
|
|
}
|
|
if wm.DevMode != devMode {
|
|
changes = append(changes, project.ChangeDevMode(devMode))
|
|
}
|
|
if wm.AccessTokenType != accessTokenType {
|
|
changes = append(changes, project.ChangeAccessTokenType(accessTokenType))
|
|
}
|
|
if wm.AccessTokenRoleAssertion != accessTokenRoleAssertion {
|
|
changes = append(changes, project.ChangeAccessTokenRoleAssertion(accessTokenRoleAssertion))
|
|
}
|
|
if wm.IDTokenRoleAssertion != idTokenRoleAssertion {
|
|
changes = append(changes, project.ChangeIDTokenRoleAssertion(idTokenRoleAssertion))
|
|
}
|
|
if wm.IDTokenUserinfoAssertion != idTokenUserinfoAssertion {
|
|
changes = append(changes, project.ChangeIDTokenUserinfoAssertion(idTokenUserinfoAssertion))
|
|
}
|
|
if wm.ClockSkew != clockSkew {
|
|
changes = append(changes, project.ChangeClockSkew(clockSkew))
|
|
}
|
|
if !reflect.DeepEqual(wm.AdditionalOrigins, additionalOrigins) {
|
|
changes = append(changes, project.ChangeAdditionalOrigins(additionalOrigins))
|
|
}
|
|
if wm.SkipNativeAppSuccessPage != skipNativeAppSuccessPage {
|
|
changes = append(changes, project.ChangeSkipNativeAppSuccessPage(skipNativeAppSuccessPage))
|
|
}
|
|
if wm.BackChannelLogoutURI != backChannelLogoutURI {
|
|
changes = append(changes, project.ChangeBackChannelLogoutURI(backChannelLogoutURI))
|
|
}
|
|
if wm.LoginVersion != loginVersion {
|
|
changes = append(changes, project.ChangeLoginVersion(loginVersion))
|
|
}
|
|
if wm.LoginBaseURI != loginBaseURI {
|
|
changes = append(changes, project.ChangeLoginBaseURI(loginBaseURI))
|
|
}
|
|
|
|
if len(changes) == 0 {
|
|
return nil, false, nil
|
|
}
|
|
changeEvent, err := project.NewOIDCConfigChangedEvent(ctx, aggregate, appID, changes)
|
|
if err != nil {
|
|
return nil, false, err
|
|
}
|
|
return changeEvent, true, nil
|
|
}
|
|
|
|
func (wm *OIDCApplicationWriteModel) IsOIDC() bool {
|
|
return wm.oidc
|
|
}
|