Tags: zitadel/oidc

v3.45.1

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
fix(rp): don't ignore JWKS parsing errors (#771)

This safely ignores unknown key type errors on JWKS while returning all
other errors. Returned errors are wrapped to easily identify which key in
the set is problematic, if any.

Jose v4.0.3 was handling this correctly according to spec, but it was
reverted in v4.0.4 as the implementation was a breaking change due to
the custom UnmarshalJSON on the key set. For details see:
- go-jose/go-jose#136
- go-jose/go-jose#137

Jose v4.0.4 also provided a handy static error to check for unknown web
key types. Sadly this was removed: a prefix match on the error message
is the best option until Jose improves its error handling.

Hopefully, Jose will not change the error message in a patch or minor
version release. But just in case, test cases have been added to detect
it.

Closes #541

### Definition of Ready

- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [ ] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and
justified
- [ ] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [x] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [ ] Functionality of the acceptance criteria is checked manually on
the dev system.

Co-authored-by: Wim Van Laer <[email protected]>
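The per-key handling the message describes, as an added illustration rather than zitadel/oidc's or go-jose's code: each key in the set is parsed on its own, a key whose error matches the unknown-key-type prefix is skipped, and any other error is returned wrapped with the key's index. The prefix constant and the stand-in `parseKey` are assumptions; the real prefix must be taken from the JOSE library version in use.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Placeholder for the library's unknown "kty" message prefix; the real prefix must come from the JOSE version in use.
const unknownKeyTypePrefix = "unknown key type"

type jwk struct { // minimal subset of a JSON Web Key for this illustration
	Kty string `json:"kty"`
	Kid string `json:"kid"`
}

// parseKey stands in for the library's per-key parser: RSA, EC and OKP keys are
// accepted, anything else fails with the unknown-key-type message.
func parseKey(raw json.RawMessage) (jwk, error) {
	var k jwk
	if err := json.Unmarshal(raw, &k); err != nil {
		return k, err
	}
	switch k.Kty {
	case "RSA", "EC", "OKP":
		return k, nil
	}
	return k, fmt.Errorf("%s %q", unknownKeyTypePrefix, k.Kty)
}

// ParseJWKS parses a key set key by key: keys of an unknown type are skipped,
// every other error is returned wrapped with the index of the offending key.
func ParseJWKS(doc []byte) ([]jwk, error) {
	var set struct{ Keys []json.RawMessage `json:"keys"` }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, fmt.Errorf("jwks: %w", err)
	}
	keys := make([]jwk, 0, len(set.Keys))
	for i, raw := range set.Keys {
		k, err := parseKey(raw)
		if err != nil {
			if strings.HasPrefix(err.Error(), unknownKeyTypePrefix) {
				continue // tolerated: this library cannot use the key
			}
			return nil, fmt.Errorf("jwks: key %d: %w", i, err)
		}
		keys = append(keys, k)
	}
	return keys, nil
}
```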

v3.45.0

feat(rp): add WithPKCEFromDiscovery (#776)

Add the WithPKCEFromDiscovery option to create a relying party with PKCE
enabled if it is supported when querying the discovery endpoint, as
discussed in #506.

This only works when creating an OIDC RP which performs a discovery
call. With an OAuth2-only RP, an error is returned as no discovery call
is performed.

Closes #506

### Definition of Ready

- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [ ] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and
justified
- [ ] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [x] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [ ] Functionality of the acceptance criteria is checked manually on
the dev system.

v3.44.0

feat: allow setting op.Crypto during provider setup (#778)

Add a `op.WithCrypto` `op.Option` that allows developers to specify
their custom `op.Crypto` implementations during setup. If the
`op.Option` is used, it will override `op.Config.CryptoKey`.

Closes #736.

### Definition of Ready

- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [ ] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and
justified
- [ ] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [ ] My code has no repetitions
- [ ] Critical parts are tested automatically
- [ ] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [ ] All non-functional requirements are met
- [ ] Functionality of the acceptance criteria is checked manually on
the dev system.

---------

Signed-off-by: mqf20 <[email protected]>
Co-authored-by: Tim Möhlmann <[email protected]>

v3.43.1

fix: add redirect_uri decoded (#775)

### Definition of Ready

This PR introduces a redirect_uri decoding step (url.QueryUnescape) in
the authorization request validation logic.
Libraries such as
[golang.org/x/oauth2](https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.30.0:oauth2.go;l=184)
automatically encode the redirect_uri using url.Values.Encode(). This
means the incoming URI is percent-encoded (e.g.,
https%3A%2F%2Fclient.example.com%2Fcallback), and the server must decode
it before performing string comparisons.

- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [x] Acceptance criteria are met
- [x] All open todos and follow ups are defined in a new ticket and
justified
- [x] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [x] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [x] Functionality of the acceptance criteria is checked manually on
the dev system.

Co-authored-by: sianao <[email protected]>

v3.43.0

feat(rp): optional authorized party check (#752)

This PR makes the default Authorized Party check in `rp.VerifyIDToken`
optional by adding an options parameter for dynamic verification
functions. This check is meant to be an optional validation requirement,
so some providers (including GCP) do not adhere to it.

See #405 for more context.

Closes #405

v3.42.0

feat: pass optional logout hint and ui locales to end session request (#774)

### Definition of Ready

- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [x] Acceptance criteria are met
- [x] All open todos and follow ups are defined in a new ticket and
justified
- [x] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [x] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [x] Functionality of the acceptance criteria is checked manually on
the dev system.

# Context

PR #754 has introduced the optional logout hint and UI locales to the
end session request. However, while working on zitadel/zitadel#10039, I
have noticed that the integration tests on Zitadel side call
`relying_party.EndSession()` without the possibility of specifying any
logout hint nor ui locales.

This PR adds these 2 parameters to `relying_party.EndSession()`
function.

v3.41.0

feat: Request aware cookie handling (#753)

* pkg/http: Add `secureCookieFunc` field to CookieHandler.

Signed-off-by: Mark Laing <[email protected]>

* pkg/http: Add `IsRequestAware` method CookieHandler.

Signed-off-by: Mark Laing <[email protected]>

* pkg/http: Use `secureCookieFunc` when checking a cookie (if set).

Signed-off-by: Mark Laing <[email protected]>

* pkg/http: Error on `SetCookie` if cookie handler is request aware.

Signed-off-by: Mark Laing <[email protected]>

* pkg/http: Add method to set request aware cookies.

Signed-off-by: Mark Laing <[email protected]>

* pkg/http: Add function to create a new request aware cookie handler.

Signed-off-by: Mark Laing <[email protected]>

* pkg/client/rp: Update `trySetStateCookie` function signature.

Use `SetRequestAwareCookie` if the cookie handle is request aware.
This function signature can be updated because it is not exported.

Signed-off-by: Mark Laing <[email protected]>

* pkg/client/rp: Add `GenerateAndStoreCodeChallengeWithRequest` function.

It's not possible to add a `http.Request` argument to
`GenerateAndStoreCodeChallenge` as this would be a breaking change.
Instead, add a new function that accepts a request argument and call
`SetRequestAwareCookie` here.

Signed-off-by: Mark Laing <[email protected]>

* pkg/client/rp: Update PKCE logic to pass request if required by cookie handler.

Signed-off-by: Mark Laing <[email protected]>

* pkg/http: Don't set MaxAge if cookie handler is request aware.

The securecookie field can be nil. Expect the caller to set max age on
the securecookie returned by the secureCookieFunc.

Signed-off-by: Mark Laing <[email protected]>

* pkg/client: Add integration tests for request aware cookie handling.

Adds a new type `cookieSpec` which is accepted as an argument to
`RunAuthorizationCodeFlow`. `TestRelyingPartySession` now runs with
`wrapServer` true/false and with two cookie handlers, one static and one
request aware.

The request aware handler extracts encryption keys from a secret using a
salt from a "login_id" cookie.

Signed-off-by: Mark Laing <[email protected]>

---------

Signed-off-by: Mark Laing <[email protected]>

v3.40.0

feat: exclude OTEL instrumentation via build tag (#770)

* feat: exclude OTEL instrumentation via build tag

* add readme

v3.39.1

fix: Omit empty assertion fields in client creds request (#745)

v3.39.0

feat: update end session request to pass all params according to specification (#754)

* feat: update end session request to pass all params according to specification

* register encoder