zitadel/internal/query/oidc_client.go

package query

import (
	"context"
	"database/sql"
	_ "embed"
	"encoding/json"
	"errors"
	"net/url"
	"time"

	"github.com/zitadel/zitadel/internal/api/authz"
	http_util "github.com/zitadel/zitadel/internal/api/http"
	"github.com/zitadel/zitadel/internal/api/ui/console/path"
	"github.com/zitadel/zitadel/internal/database"
	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/telemetry/tracing"
	"github.com/zitadel/zitadel/internal/zerrors"
)

type OIDCClient struct {
	InstanceID               string                     `json:"instance_id,omitempty"`
	AppID                    string                     `json:"app_id,omitempty"`
	State                    domain.AppState            `json:"state,omitempty"`
	ClientID                 string                     `json:"client_id,omitempty"`
	BackChannelLogoutURI     string                     `json:"back_channel_logout_uri,omitempty"`
	HashedSecret             string                     `json:"client_secret,omitempty"`
	RedirectURIs             []string                   `json:"redirect_uris,omitempty"`
	ResponseTypes            []domain.OIDCResponseType  `json:"response_types,omitempty"`
	GrantTypes               []domain.OIDCGrantType     `json:"grant_types,omitempty"`
	ApplicationType          domain.OIDCApplicationType `json:"application_type,omitempty"`
	AuthMethodType           domain.OIDCAuthMethodType  `json:"auth_method_type,omitempty"`
	PostLogoutRedirectURIs   []string                   `json:"post_logout_redirect_uris,omitempty"`
	IsDevMode                bool                       `json:"is_dev_mode,omitempty"`
	AccessTokenType          domain.OIDCTokenType       `json:"access_token_type,omitempty"`
	AccessTokenRoleAssertion bool                       `json:"access_token_role_assertion,omitempty"`
	IDTokenRoleAssertion     bool                       `json:"id_token_role_assertion,omitempty"`
	IDTokenUserinfoAssertion bool                       `json:"id_token_userinfo_assertion,omitempty"`
	ClockSkew                time.Duration              `json:"clock_skew,omitempty"`
	AdditionalOrigins        []string                   `json:"additional_origins,omitempty"`
	PublicKeys               map[string][]byte          `json:"public_keys,omitempty"`
	ProjectID                string                     `json:"project_id,omitempty"`
	ProjectRoleAssertion     bool                       `json:"project_role_assertion,omitempty"`
	LoginVersion             domain.LoginVersion        `json:"login_version,omitempty"`
	LoginBaseURI             *URL                       `json:"login_base_uri,omitempty"`
	ProjectRoleKeys          []string                   `json:"project_role_keys,omitempty"`
	Settings                 *OIDCSettings              `json:"settings,omitempty"`
}

type URL url.URL

func (c *URL) URL() *url.URL {
	return (*url.URL)(c)
}

func (c *URL) UnmarshalJSON(src []byte) error {
	var s string
	err := json.Unmarshal(src, &s)
	if err != nil {
		return err
	}
	u, err := url.Parse(s)
	if err != nil {
		return err
	}
	*c = URL(*u)
	return nil
}

//go:embed oidc_client_by_id.sql
var oidcClientQuery string

func (q *Queries) ActiveOIDCClientByID(ctx context.Context, clientID string, getKeys bool) (client *OIDCClient, err error) {
	ctx, span := tracing.NewSpan(ctx)
	defer func() { span.EndWithError(err) }()

	client, err = database.QueryJSONObject[OIDCClient](ctx, q.client, oidcClientQuery,
		authz.GetInstance(ctx).InstanceID(), clientID, getKeys,
	)
	if errors.Is(err, sql.ErrNoRows) {
		return nil, zerrors.ThrowNotFound(err, "QUERY-wu6Ee", "Errors.App.NotFound")
	}
	if err != nil {
		return nil, zerrors.ThrowInternal(err, "QUERY-ieR7R", "Errors.Internal")
	}
	instance := authz.GetInstance(ctx)
	loginV2 := instance.Features().LoginV2
	if loginV2.Required {
		client.LoginVersion = domain.LoginVersion2
		client.LoginBaseURI = (*URL)(loginV2.BaseURI)
	}
	if instance.ConsoleClientID() == clientID {
		client.RedirectURIs = append(client.RedirectURIs, http_util.DomainContext(ctx).Origin()+path.RedirectPath)
		client.PostLogoutRedirectURIs = append(client.PostLogoutRedirectURIs, http_util.DomainContext(ctx).Origin()+path.PostLogoutPath)
	}
	return client, err
}