This safely ignores unknown key type errors on JWKS while returning all
other errors. Returned errors are wrap to easily identify which key in
the set is problematic if any.
Jose v4.0.3 was handling this correctly according to spec, but it was
reverted in v4.0.4 as the implementation was a breaking change due to
the custom UnmarshalJSON on the key set. For details see:
- https://github.com/go-jose/go-jose/issues/136
- https://github.com/go-jose/go-jose/pull/137
Jose v4.0.4 also provided a handy static error to check for unknown web
key types. Sadly this was removed: a prefix match on the error message
is the best option until Jose improves it's error handling.
Hopefully, Jose will not change the error message in a patch or minor
version release. But just in case, test cases have been added to detect
it.
Closes#541
### Definition of Ready
- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [ ] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and
justified
- [ ] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [x] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [ ] Functionality of the acceptance criteria is checked manually on
the dev system.
Co-authored-by: Wim Van Laer <wim07101993@users.noreply.github.com>
Add the WithPKCEFromDiscovery option to create a relying party with PKCE
enabled if it is supported when query the discovery endpoint as
discussed in #506.
This only works when creating an OIDC RP which performs a discovery
call. With an OAuth2-only RP, an error is returned as no discovery call
is performed.
Closes#506
### Definition of Ready
- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [ ] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and
justified
- [ ] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [x] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [ ] Functionality of the acceptance criteria is checked manually on
the dev system.
While reviewing #750, we noticed that the `KeyFile` struct and
corresponding methods are proprietary to Zitadel and should have never
been part of the pure OIDC library.
This PR deprecates the corresponding parts. For users of Zitadel, the
corresponding code is moved to zitadel/zitadel-go#516
### Definition of Ready
- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [x] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and
justified
- [ ] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [ ] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [x] Functionality of the acceptance criteria is checked manually on
the dev system.
This PR makes the default Authorized Party check in `rp.VerifyIDToken`
optional by adding an options parameter for dynamic verification
functions. This check is meant to be an optional validation requirement,
so some providers (including GCP) do not adhere to it.
See https://github.com/zitadel/oidc/issues/405 for more context.
Closes https://github.com/zitadel/oidc/issues/405
### Definition of Ready
- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [x] Acceptance criteria are met
- [x] All open todos and follow ups are defined in a new ticket and
justified
- [x] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [x] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [x] Functionality of the acceptance criteria is checked manually on
the dev system.
# Context
PR https://github.com/zitadel/oidc/pull/754 has introduced the optional
logout hint and UI locales to the end session request. However, while
working on https://github.com/zitadel/zitadel/pull/10039 , I have
noticed that the integration tests on Zitadel side call
`relying_party.EndSession()` without the possibility of specifying any
logout hint nor ui locales.
This PR adds these 2 parameters to `relying_party.EndSession()`
function.
* pkg/http: Add `secureCookieFunc` field to CookieHandler.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/http: Add `IsRequestAware` method CookieHandler.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/http: Use `secureCookieFunc` when checking a cookie (if set).
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/http: Error on `SetCookie` if cookie handler is request aware.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/http: Add method to set request aware cookies.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/http: Add function to create a new request aware cookie handler.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/client/rp: Update `trySetStateCookie` function signature.
Use `SetRequestAwareCookie` if the cookie handle is request aware.
This function signature can be updated because it is not exported.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/client/rp: Add `GenerateAndStoreCodeChallengeWithRequest` function.
It's not possible to add a `http.Request` argument to
`GenerateAndStoreCodeChallenge` as this would be a breaking change.
Instead, add a new function that accepts a request argument and call
`SetRequestAwareCookie` here.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/client/rp: Update PKCE logic to pass request if required by cookie handler.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/http: Don't set MaxAge if cookie handler is request aware.
The securecookie field can be nil. Expect the caller to set max age on
the securecookie returned by the secureCookieFunc.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* pkg/client: Add integration tests for request aware cookie handling.
Adds a new type `cookieSpec` which is accepted as an argument to
`RunAuthorizationCodeFlow`. `TestRelyingPartySession` now runs with
`wrapServer` true/false and with two cookie handlers, one static and one
request aware.
The request aware handler extracts encryption keys from a secret using a
salt from a "login_id" cookie.
Signed-off-by: Mark Laing <mark.laing@canonical.com>
---------
Signed-off-by: Mark Laing <mark.laing@canonical.com>
* feat(oidc): return defined error when discovery failed
* Use errors.Join() to join errors
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
* Remove unnecessary field
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
* Fix order and message
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
* Fix error order
* Simplify error assertion
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
---------
Co-authored-by: Tim Möhlmann <muhlemmer@gmail.com>
* feat(rp): to use signing algorithms from discovery configuration (#574)
* feat: WithSigningAlgsFromDiscovery to verify IDTokenVerifier() behavior in RP with
This change updates to go-jose v4, which was a new major release.
jose.ParseSigned now expects the supported signing algorithms to be passed, on which we previously did our own check. As they use a dedicated type for this, the slice of string needs to be converted. The returned error also need to be handled in a non-standard way in order to stay compatible.
For OIDC v4 we should use the jose.SignatureAlgorithm type directly and wrap errors, instead of returned static defined errors.
Closes#583
* feat: extend token exchange response
This change adds fields to the token exchange and token claims types.
The `act` claim has been added to describe the actor in case of impersonation or delegation. An actor can be nested in case an obtained token is used as actor token to obtain impersonation or delegation. This allows creating a chain of actors. See [RFC 8693, section 4.1](https://www.rfc-editor.org/rfc/rfc8693#name-act-actor-claim).
The `id_token` field has been added to the Token Exchange response so an ID Token can be returned along with an access token. This is not specified in RFC 8693, but it allows us be consistent with OpenID responses when the scope `openid` is set, while the requested token type may remain access token.
* allow jwt profile for token exchange client
* add invalid target error
* feat(op): Add response_mode: form_post
* Fix to parse the template ahead of time
* Fix to render the template in a buffer
* Remove unnecessary import
* Fix test
* Fix example client setting
* Make sure the client not to reuse the content of the response
* Fix error handling
* Add the response_mode param
* Allow implicit flow in the example app
* feat(rp): allow form_post in code exchange callback handler
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
This change adds Go 1.22 as a build target and drops support for Go 1.20 and older. The golang.org/x/exp/slog import is migrated to log/slog.
Slog has been part of the Go standard library since Go 1.21. Therefore we are dropping support for older Go versions. This is in line of our support policy of "the latest two Go versions".
This PR replaces all occurances of interface{} with any to be consistent and improve readability.
* example: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/client: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/crypto: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/http: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/oidc: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* pkg/op: Replace `interface{}` with `any`
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
---------
Signed-off-by: Thomas Hipp <thomashipp@gmail.com>
* first draft of a new server interface
* allow any response type
* complete interface docs
* refelct the format from the proposal
* intermediate commit with some methods implemented
* implement remaining token grant type methods
* implement remaining server methods
* error handling
* rewrite auth request validation
* define handlers, routes
* input validation and concrete handlers
* check if client credential client is authenticated
* copy and modify the routes test for the legacy server
* run integration tests against both Server and Provider
* remove unuse ValidateAuthRequestV2 function
* unit tests for error handling
* cleanup tokenHandler
* move server routest test
* unit test authorize
* handle client credentials in VerifyClient
* change code exchange route test
* finish http unit tests
* review server interface docs and spelling
* add withClient unit test
* server options
* cleanup unused GrantType method
* resolve typo comments
* make endpoints pointers to enable/disable them
* jwt profile base work
* jwt: correct the test expect
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
* feat(op): user slog for logging
integrate with golang.org/x/exp/slog for logging.
provide a middleware for request scoped logging.
BREAKING CHANGES:
1. OpenIDProvider and sub-interfaces get a Logger()
method to return the configured logger;
2. AuthRequestError now takes the complete Authorizer,
instead of only the encoder. So that it may use its Logger() method.
3. RequestError now takes a Logger as argument.
* use zitadel/logging
* finish op and testing
without middleware for now
* minimum go version 1.19
* update go mod
* log value testing only on go 1.20 or later
* finish the RP and example
* ping logging release
BREAKING CHANGE:
- rename RefreshAccessToken to RefreshToken
- RefreshToken returns *oidc.Tokens instead of *oauth2.Token
This change allows the return of the id_token in an explicit manner,
as part of the oidc.Tokens struct.
The return type is now consistent with the CodeExchange function.
When an id_token is returned, it is verified.
In case no id_token was received,
RefreshTokens will not return an error.
As per specifictation:
https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
Upon successful validation of the Refresh Token,
the response body is the Token Response of Section 3.1.3.3
except that it might not contain an id_token.
Closes#364
* reproduce #406
* fix: don't error on invalid i18n tags in discovery
This changes the use of `[]language.Tag` to
`oidc.Locales` in `DiscoveryConfig`.
This should be compatible with callers that use
the `[]language.Tag` .
Locales now implements the `json.Unmarshaler` interface.
With support for json arrays or space seperated strings.
The latter because `UnmarshalText` might have been implicetely called
by the json library before we added UnmarshalJSON.
Fixes: #406
This fixes an issue where, when using the device authorization flow, the
grant type would be set twice. Some OPs don't accept this, and fail when
polling.
With this fix the grant type is only set once, which will make some OPs
happy again.
Fixes#352
* feat: Allow modifying request to device authorization endpoint
This change enables the caller to set URL parameters when calling the
device authorization endpoint.
Fixes#354
* Update device authorization example
This fixes an issue where, when using the device authorization flow, the
grant type would be set twice. Some OPs don't accept this, and fail when
polling.
With this fix the grant type is only set once, which will make some OPs
happy again.
Fixes#352
