feat(oidc): allow additional audience based on scope in device auth

[muhlemmer]

This change in device authorization adds the ability to extend the audience based on the project IDs, using the reserved scope:

urn:zitadel:iam:org:project:id:{projectid}:aud

This unifies behavior with "regular" auth requests.

Closes zitadel/oidc#425

Definition of Ready

• I am happy with the code
• Short description of the feature/issue is added in the pr description
• PR is linked to the corresponding user story
• Acceptance criteria are met
• All open todos and follow ups are defined in a new ticket and justified
• Deviations from the acceptance criteria and design are agreed with the PO and documented.
• No debug or dead code
• My code has no repetitions
• Critical parts are tested automatically
• Where possible E2E tests are implemented
• Documentation/examples are up-to-date (no changes needed)
• All non-functional requirements are met
• Functionality of the acceptance criteria is checked manually on the dev system.

Tests

As there a no integration tests for device auth, I've tested it manually using the OIDC client example:

export ISSUER="http://localhost:9000" CLIENT_ID="257793310637228036@tests" SCOPES="email profile openid 	urn:zitadel:iam:org:project:id:259254020357488642:aud urn:zitadel:iam:org:project:id:259254317079330818:aud"
go run ./example/client/device

With the returned opaque access token I called introspection:

curl -L -X POST 'http://localhost:9000/oauth/v2/introspect' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -u '260838903370547202@tests:SNpRaExIEzr5F7OcYC1h1fDtQIRTNVaS13gAOh0bJxFAPAh0czw8yuKds47JnIlg' \
  -d token=35Lc_CD6QUB1BXYKOMQ4e4BN51eDbcssZyMiRv-qg1vteudPqoG54SBHzLOmsWndfYnX0Pg | jq

Result:

{
  "active": true,
  "scope": "email profile openid urn:zitadel:iam:org:project:id:259254020357488642:aud urn:zitadel:iam:org:project:id:259254317079330818:aud",
  "client_id": "257793310637228036@tests",
  "token_type": "Bearer",
  "exp": 1712090743,
  "iat": 1712047543,
  "nbf": 1712047543,
  "sub": "257786991247228932",
  "aud": [
    "257790446061813762@tests",
    "257793310637228036@tests",
    "259239924006453250@tests",
    "260838903370547202@tests",
    "257790403229515778",
    "259254020357488642",
    "259254317079330818"
  ],
  "iss": "http://localhost:9000",
  "jti": "260972184896274434",
  "username": "zitadel-admin@zitadel.localhost",
  "name": "ZITADEL Admin",
  "given_name": "ZITADEL",
  "family_name": "Admin",
  "locale": "en",
  "updated_at": 1710149020,
  "preferred_username": "zitadel-admin@zitadel.localhost",
  "email": "zitadel-admin@zitadel.localhost",
  "email_verified": true
}

And rerunning the above example with the application configured for JWT access token, gives the following access token claims:

{
  "iss": "http://localhost:9000",
  "sub": "257786991247228932",
  "aud": [
    "257790446061813762@tests",
    "257793310637228036@tests",
    "259239924006453250@tests",
    "260838903370547202@tests",
    "257790403229515778",
    "259254020357488642",
    "259254317079330818"
  ],
  "exp": 1712091031,
  "iat": 1712047831,
  "nbf": 1712047831,
  "jti": "260972668080095234"
}

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Apr 1, 2024 3:35pm

[github-actions]

🎉 This PR is included in version 2.50.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀