zitadel/internal/api/oidc
Tim Möhlmann e879f90f38
fix(oidc): do not return access token for response type id_token (#8777)
# Which Problems Are Solved

Do not return an access token for implicit flow from v1 login, if the
`response_type` is `id_token`

# How the Problems Are Solved

Do not create the access token event if if the `response_type` is
`id_token`.

# Additional Changes

Token endpoint calls without auth request, such as machine users, token
exchange and refresh token, do not have a `response_type`. For such
calls the `OIDCResponseTypeUnspecified` enum is added at a `-1` offset,
in order not to break existing client configs.

# Additional Context

- https://discord.com/channels/927474939156643850/1294001717725237298
- Fixes https://github.com/zitadel/zitadel/issues/8776

(cherry picked from commit 778b4041ca)
2024-11-15 09:33:18 +01:00
..
integration_test chore: improve integration tests (#8727) 2024-10-17 21:20:57 +00:00
access_token.go feat(oidc): use web keys for token signing and verification (#8449) 2024-08-23 14:43:46 +02:00
amr_test.go feat(oidc): token exchange impersonation (#7516) 2024-03-20 10:18:46 +00:00
amr.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
auth_request_converter_test.go fix(oidc): store requested response_mode (#8145) 2024-06-17 09:50:12 +00:00
auth_request_converter_v2.go fix(oidc): store requested response_mode (#8145) 2024-06-17 09:50:12 +00:00
auth_request_converter.go fix(oidc): store requested response_mode (#8145) 2024-06-17 09:50:12 +00:00
auth_request.go fix(oidc): do not return access token for response type id_token (#8777) 2024-11-15 09:33:18 +01:00
client_converter.go feat(oidc): allow returning of parent errors to client (#8376) 2024-08-20 06:45:24 +00:00
client_credentials.go perf(oidc): remove get user by ID from jwt profile grant (#8580) 2024-09-11 12:04:09 +03:00
client.go fix: correctly check user state (#8631) 2024-09-17 13:21:49 +00:00
device_auth.go fix: provide device auth config (#8419) 2024-08-12 12:55:07 +03:00
error_test.go fix: uniform oidc errors (#7237) 2024-01-18 07:10:49 +01:00
error.go fix(oidc): return bad request for base64 errors (#7730) 2024-04-09 08:42:59 +02:00
introspect.go fix: correctly check app state on authentication (#8630) 2024-09-17 11:34:14 +00:00
jwt-profile.go fix: uniform oidc errors (#7237) 2024-01-18 07:10:49 +01:00
key_test.go feat(oidc): use web keys for token signing and verification (#8449) 2024-08-23 14:43:46 +02:00
key.go feat(OIDC): add back channel logout (#8837) 2024-10-31 15:57:17 +01:00
op.go feat(OIDC): add back channel logout (#8837) 2024-10-31 15:57:17 +01:00
server_test.go chore(tests): use a coverage server binary (#8407) 2024-09-06 14:47:57 +02:00
server.go feat(OIDC): add back channel logout (#8837) 2024-10-31 15:57:17 +01:00
token_client_credentials.go fix(oidc): do not return access token for response type id_token (#8777) 2024-11-15 09:33:18 +01:00
token_code.go fix(oidc): do not return access token for response type id_token (#8777) 2024-11-15 09:33:18 +01:00
token_device.go feat(oidc): allow returning of parent errors to client (#8376) 2024-08-20 06:45:24 +00:00
token_exchange_converter.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
token_exchange.go fix(oidc): do not return access token for response type id_token (#8777) 2024-11-15 09:33:18 +01:00
token_jwt_profile.go fix(oidc): do not return access token for response type id_token (#8777) 2024-11-15 09:33:18 +01:00
token_refresh.go fix(oidc): do not return access token for response type id_token (#8777) 2024-11-15 09:33:18 +01:00
token.go feat(OIDC): add back channel logout (#8837) 2024-10-31 15:57:17 +01:00
userinfo_test.go fix(oidc): always set sub claim (#8598) 2024-09-12 12:36:33 +00:00
userinfo.go fix: correctly check user state (#8631) 2024-09-17 13:21:49 +00:00