Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(op): dynamic issuer depending on request / host #173

Closed
wants to merge 22 commits into from
Closed

feat(op): dynamic issuer depending on request / host #173

wants to merge 22 commits into from

Conversation

livio-a
Copy link
Member

@livio-a livio-a commented Apr 22, 2022

BREAKING CHANGE: The OpenID Provider package is now able to handle multiple issuers with a single storage implementation. The issuer will be selected from the host of the request and passed into the context, where every function can read it from if necessary. This results in some fundamental changes:

  • Configuration interface:
    • Issuer() string has been changed to IssuerFromRequest(r *http.Request) string
    • Insecure() bool has been added
  • OpenIDProvider interface and dependants:
    • Issuer has been removed from Config struct
    • NewOpenIDProvider now takes an additional parameter issuer and returns a pointer to the public/default implementation and not an OpenIDProvider interface:
      NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opOpts ...Option) (OpenIDProvider, error) changed to NewOpenIDProvider(ctx context.Context, issuer string, config *Config, storage Storage, opOpts ...Option) (*Provider, error)
    • therefore the parameter type Option changed to the public type as well: Option func(o *Provider) error
    • AuthCallbackURL(o OpenIDProvider) func(string) string has been changed to AuthCallbackURL(o OpenIDProvider) func(context.Context, string) string
    • IDTokenHintVerifier() IDTokenHintVerifier (Authorizer, OpenIDProvider, SessionEnder interfaces), AccessTokenVerifier() AccessTokenVerifier (Introspector, OpenIDProvider, Revoker, UserinfoProvider interfaces) and JWTProfileVerifier() JWTProfileVerifier (IntrospectorJWTProfile, JWTAuthorizationGrantExchanger, OpenIDProvider, RevokerJWTProfile interfaces) now take a context.Context parameter IDTokenHintVerifier(context.Context) IDTokenHintVerifier, AccessTokenVerifier(context.Context) AccessTokenVerifier and JWTProfileVerifier(context.Context) JWTProfileVerifier
    • OidcDevMode (CAOS_OIDC_DEV) environment variable check has been removed, use WithAllowInsecure() Option
  • Signing: the signer is not kept in memory anymore, but created on request from the loaded key:
    • Signer interface and func NewSigner have been removed
    • ReadySigner(s Signer) ProbesFn has been removed
    • CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfiguration has been changed to CreateDiscoveryConfig(r *http.Request, config Configuration, storage DiscoverStorage) *oidc.DiscoveryConfiguration
    • Storage interface:
      • GetSigningKey(context.Context, chan<- jose.SigningKey) has been changed to SigningKey(context.Context) (SigningKey, error)
      • KeySet(context.Context) ([]Key, error) has been added
      • GetKeySet(context.Context) (*jose.JSONWebKeySet, error) has been changed to KeySet(context.Context) ([]Key, error)
    • SigAlgorithms(s Signer) []string has been changed to SigAlgorithms(ctx context.Context, storage DiscoverStorage) []string
    • KeyProvider interface: GetKeySet(context.Context) (*jose.JSONWebKeySet, error) has been changed to KeySet(context.Context) ([]Key, error)
    • CreateIDToken: the Signer parameter has been removed

livio-a added 4 commits April 22, 2022 14:23
@livio-a
feat(op): dynamic issuer depending on request / host
a27ba09 
BREAKING CHANGE: The OpenID Provider package is now able to handle multiple issuers with a single storage implementation. The issuer will be selected from the host of the request and passed into the context, where every function can read it from if necessary. This results in some fundamental changes:
 - `Configuration` interface:
   - `Issuer() string` has been changed to `IssuerFromRequest(r *http.Request) string`
   - `Insecure() bool` has been added
 - OpenIDProvider interface and dependants:
   - `Issuer` has been removed from Config struct
   - `NewOpenIDProvider` now takes an additional parameter `issuer` and returns a pointer to the public/default implementation and not an OpenIDProvider interface:
     `NewOpenIDProvider(ctx context.Context, config *Config, storage Storage, opOpts ...Option) (OpenIDProvider, error)` changed to `NewOpenIDProvider(ctx context.Context, issuer string, config *Config, storage Storage, opOpts ...Option) (*Provider, error)`
   - therefore the parameter type Option changed to the public type as well: `Option func(o *Provider) error`
   - `AuthCallbackURL(o OpenIDProvider) func(string) string` has been changed to `AuthCallbackURL(o OpenIDProvider) func(context.Context, string) string`
   - `IDTokenHintVerifier() IDTokenHintVerifier` (Authorizer, OpenIDProvider, SessionEnder interfaces), `AccessTokenVerifier() AccessTokenVerifier` (Introspector, OpenIDProvider, Revoker, UserinfoProvider interfaces) and `JWTProfileVerifier() JWTProfileVerifier` (IntrospectorJWTProfile, JWTAuthorizationGrantExchanger, OpenIDProvider, RevokerJWTProfile interfaces) now take a context.Context parameter `IDTokenHintVerifier(context.Context) IDTokenHintVerifier`, `AccessTokenVerifier(context.Context) AccessTokenVerifier` and `JWTProfileVerifier(context.Context) JWTProfileVerifier`
   - `OidcDevMode` (CAOS_OIDC_DEV) environment variable check has been removed, use `WithAllowInsecure()` Option
 - Signing: the signer is not kept in memory anymore, but created on request from the loaded key:
   - `Signer` interface and func `NewSigner` have been removed
   - `ReadySigner(s Signer) ProbesFn` has been removed
   - `CreateDiscoveryConfig(c Configuration, s Signer) *oidc.DiscoveryConfiguration` has been changed to `CreateDiscoveryConfig(r *http.Request, config Configuration, storage DiscoverStorage) *oidc.DiscoveryConfiguration`
   - `Storage` interface:
     - `GetSigningKey(context.Context, chan<- jose.SigningKey)` has been changed to `SigningKey(context.Context) (SigningKey, error)`
     - `KeySet(context.Context) ([]Key, error)` has been added
     - `GetKeySet(context.Context) (*jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)`
   - `SigAlgorithms(s Signer) []string` has been changed to `SigAlgorithms(ctx context.Context, storage DiscoverStorage) []string`
   - KeyProvider interface: `GetKeySet(context.Context) (*jose.JSONWebKeySet, error)` has been changed to `KeySet(context.Context) ([]Key, error)`
   - `CreateIDToken`: the Signer parameter has been removed
@livio-a
move example
3dd0d5f
@livio-a
fix examples
5c5d716
@livio-a
fix mocks
58e1e53
@codecov
Copy link

codecov bot commented Apr 22, 2022
edited
Loading

Codecov Report

Merging #173 (3e6ea03) into main (885fe0d) will increase coverage by 4.69%.
The diff coverage is 29.69%.

@@            Coverage Diff             @@
##             main     #173      +/-   ##
==========================================
+ Coverage   12.77%   17.47%   +4.69%     
==========================================
  Files          39       41       +2     
  Lines        2927     3119     +192     
==========================================
+ Hits          374      545     +171     
- Misses       2543     2561      +18     
- Partials       10       13       +3
Impacted Files Coverage Δ
pkg/http/http.go 0.00% <0.00%> (ø)
pkg/oidc/code_challenge.go 0.00% <ø> (ø)
pkg/oidc/introspection.go 0.00% <0.00%> (ø)
pkg/oidc/token.go 0.00% <ø> (ø)
pkg/oidc/token_request.go 0.00% <ø> (ø)
pkg/oidc/verifier.go 0.00% <ø> (ø)
pkg/op/client.go 100.00% <ø> (ø)
pkg/op/crypto.go 0.00% <ø> (ø)
pkg/op/error.go 0.00% <ø> (ø)
pkg/op/op.go 0.00% <0.00%> (ø)
... and 25 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@fforootd fforootd added enhancement New feature or request go Pull requests that update Go code labels Apr 22, 2022
@fforootd fforootd mentioned this pull request Apr 22, 2022
Closed
@adlerhurst adlerhurst self-assigned this Apr 25, 2022
@livio-a livio-a linked an issue Dec 6, 2022 that may be closed by this pull request
Multiple issuer support #146
Closed
3 tasks
livio-a and others added 2 commits February 6, 2023 11:09
@livio-a
cleanup
2832b76
@muhlemmer
Merge pull request #271 from zitadel/jwt-token
3e6ea03 
feat: allow to specify token type of JWT Profile Grant
@muhlemmer muhlemmer mentioned this pull request Feb 7, 2023
Merged
2 tasks
@muhlemmer
Copy link
Collaborator

Closing in favor of #278

@muhlemmer muhlemmer closed this Feb 7, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@muhlemmer muhlemmer muhlemmer left review comments

@hifabienne hifabienne hifabienne left review comments

@adlerhurst adlerhurst Awaiting requested review from adlerhurst

Assignees

@adlerhurst adlerhurst

Labels
enhancement New feature or request go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Multiple issuer support
6 participants
@livio-a @muhlemmer @hifabienne @fforootd @adlerhurst @stebenz