fix: set refresh token in the RetrieveIdentityIntentResponse (zitadel#11613)

# Which Problems Are Solved

This PR adds support for storing and retrieving refresh tokens from
external identity providers during the IDP intent flow.

# How the Problems Are Solved

* Updated `idp.proto` (v2 and v2beta): added an optional `refresh_token`
field to `IDPOAuthAccessInformation`, which, in turn, is used in
`RetrieveIdentityProviderIntentResponse`
* Added the `IDPRefreshToken` field to the IDP intent `SucceededEvent`
struct, and updated the corresponding constructor to set the refresh
token
* Added the `IDPRefreshToken` field to `IDPIntentWriteModel`, and
updated `reduceOAuthSucceededEvent` to populate refresh token from
events
* Updated `tokensForSucceededIDPIntent` function to extract and encrypt
the refresh token from IDP session, if set
* Updated `idpOAuthTokensToPb` function to decrypt refresh token before
returning to clients
* Updated unit and integration tests

# Additional Changes
Updated the link to the JWT IDP docs linked in the Console

# Additional Context
- Closes zitadel#11047

Author: grvijayan

console/src/app/modules/providers/provider-jwt/provider-jwt.component.html

@@ -21,7 +21,7 @@ <h1>{{ 'IDP.CREATE.JWT.TITLE' | translate }}</h1>
       [configureProvider]="(justCreated$ | async) === ''"
       [configureTitle]="'DESCRIPTIONS.SETTINGS.IDPS.JWT.TITLE' | translate"
       [configureDescription]="'DESCRIPTIONS.SETTINGS.IDPS.JWT.DESCRIPTION' | translate"
-      configureLink="https://zitadel.com/docs/guides/integrate/identity-providers/jwt-idp"
+      configureLink="https://zitadel.com/docs/guides/integrate/identity-providers/jwt_idp"
       [autofillLink]="autofillLink$ | async"
       [activateLink]="activateLink$ | async"
       [expanded]="!!(expandWhatNow$ | async)"

internal/api/grpc/user/v2/integration_test/intent_test.go

@@ -425,8 +425,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    oauthIdpID,
@@ -476,8 +477,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    oauthIdpID,
@@ -543,8 +545,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    azureIdpID,
@@ -601,8 +604,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    azureIdpID,
@@ -657,8 +661,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    oidcIdpID,
@@ -707,8 +712,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    oidcIdpID,

internal/api/grpc/user/v2/intent.go

@@ -250,7 +250,7 @@ func idpIntentToIDPIntentPb(intent *command.IDPIntentWriteModel, alg crypto.Encr
 	information.Details = intentToDetailsPb(intent)
 	// OAuth / OIDC
 	if intent.IDPIDToken != "" || intent.IDPAccessToken != nil {
-		information.IdpInformation.Access, err = idpOAuthTokensToPb(intent.IDPIDToken, intent.IDPAccessToken, alg)
+		information.IdpInformation.Access, err = idpOAuthTokensToPb(intent.IDPIDToken, intent.IDPAccessToken, intent.IDPRefreshToken, alg)
 		if err != nil {
 			return nil, err
 		}
@@ -274,7 +274,7 @@ func idpIntentToIDPIntentPb(intent *command.IDPIntentWriteModel, alg crypto.Encr
 	return information, nil
 }
 
-func idpOAuthTokensToPb(idpIDToken string, idpAccessToken *crypto.CryptoValue, alg crypto.EncryptionAlgorithm) (_ *user.IDPInformation_Oauth, err error) {
+func idpOAuthTokensToPb(idpIDToken string, idpAccessToken, idpRefreshToken *crypto.CryptoValue, alg crypto.EncryptionAlgorithm) (_ *user.IDPInformation_Oauth, err error) {
 	var idToken *string
 	if idpIDToken != "" {
 		idToken = &idpIDToken
@@ -286,10 +286,19 @@ func idpOAuthTokensToPb(idpIDToken string, idpAccessToken *crypto.CryptoValue, a
 			return nil, err
 		}
 	}
+	var refreshToken *string
+	if idpRefreshToken != nil {
+		decryptedRefreshToken, err := crypto.DecryptString(idpRefreshToken, alg)
+		if err != nil {
+			return nil, err
+		}
+		refreshToken = &decryptedRefreshToken
+	}
 	return &user.IDPInformation_Oauth{
 		Oauth: &user.IDPOAuthAccessInformation{
-			AccessToken: accessToken,
-			IdToken:     idToken,
+			AccessToken:  accessToken,
+			RefreshToken: refreshToken,
+			IdToken:      idToken,
 		},
 	}, nil
 }

internal/api/grpc/user/v2beta/integration_test/user_test.go

@@ -2299,8 +2299,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    oauthIdpID,
@@ -2339,8 +2340,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    oauthIdpID,
@@ -2401,8 +2403,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    oidcIdpID,
@@ -2439,8 +2442,9 @@ func TestServer_RetrieveIdentityProviderIntent(t *testing.T) {
 				IdpInformation: &user.IDPInformation{
 					Access: &user.IDPInformation_Oauth{
 						Oauth: &user.IDPOAuthAccessInformation{
-							AccessToken: "accessToken",
-							IdToken:     gu.Ptr("idToken"),
+							AccessToken:  "accessToken",
+							RefreshToken: gu.Ptr("refreshToken"),
+							IdToken:      gu.Ptr("idToken"),
 						},
 					},
 					IdpId:    oidcIdpID,

internal/api/grpc/user/v2beta/user.go

@@ -522,7 +522,7 @@ func idpIntentToIDPIntentPb(intent *command.IDPIntentWriteModel, alg crypto.Encr
 		UserId: intent.UserID,
 	}
 	if intent.IDPIDToken != "" || intent.IDPAccessToken != nil {
-		information.IdpInformation.Access, err = idpOAuthTokensToPb(intent.IDPIDToken, intent.IDPAccessToken, alg)
+		information.IdpInformation.Access, err = idpOAuthTokensToPb(intent.IDPIDToken, intent.IDPAccessToken, intent.IDPRefreshToken, alg)
 		if err != nil {
 			return nil, err
 		}
@@ -547,7 +547,7 @@ func idpIntentToIDPIntentPb(intent *command.IDPIntentWriteModel, alg crypto.Encr
 	return connect.NewResponse(information), nil
 }
 
-func idpOAuthTokensToPb(idpIDToken string, idpAccessToken *crypto.CryptoValue, alg crypto.EncryptionAlgorithm) (_ *user.IDPInformation_Oauth, err error) {
+func idpOAuthTokensToPb(idpIDToken string, idpAccessToken, idpRefreshToken *crypto.CryptoValue, alg crypto.EncryptionAlgorithm) (_ *user.IDPInformation_Oauth, err error) {
 	var idToken *string
 	if idpIDToken != "" {
 		idToken = &idpIDToken
@@ -559,10 +559,19 @@ func idpOAuthTokensToPb(idpIDToken string, idpAccessToken *crypto.CryptoValue, a
 			return nil, err
 		}
 	}
+	var refreshToken *string
+	if idpRefreshToken != nil {
+		decryptedRefreshToken, err := crypto.DecryptString(idpRefreshToken, alg)
+		if err != nil {
+			return nil, err
+		}
+		refreshToken = &decryptedRefreshToken
+	}
 	return &user.IDPInformation_Oauth{
 		Oauth: &user.IDPOAuthAccessInformation{
-			AccessToken: accessToken,
-			IdToken:     idToken,
+			AccessToken:  accessToken,
+			RefreshToken: refreshToken,
+			IdToken:      idToken,
 		},
 	}, nil
 }

internal/command/idp_intent.go

@@ -170,7 +170,7 @@ func (c *Commands) SucceedIDPIntent(ctx context.Context, writeModel *IDPIntentWr
 	if err != nil {
 		return "", err
 	}
-	accessToken, idToken, err := tokensForSucceededIDPIntent(idpSession, c.idpConfigEncryption)
+	accessToken, refreshToken, idToken, err := tokensForSucceededIDPIntent(idpSession, c.idpConfigEncryption)
 	if err != nil {
 		return "", err
 	}
@@ -186,6 +186,7 @@ func (c *Commands) SucceedIDPIntent(ctx context.Context, writeModel *IDPIntentWr
 		idpUser.GetPreferredUsername(),
 		userID,
 		accessToken,
+		refreshToken,
 		idToken,
 		idpSession.ExpiresAt(),
 	)
@@ -295,8 +296,9 @@ func (c *Commands) GetIntentWriteModel(ctx context.Context, id, resourceOwner st
 	return writeModel, err
 }
 
-// tokensForSucceededIDPIntent extracts the oidc.Tokens if available (and encrypts the access_token) for the succeeded event payload
-func tokensForSucceededIDPIntent(session idp.Session, encryptionAlg crypto.EncryptionAlgorithm) (*crypto.CryptoValue, string, error) {
+// tokensForSucceededIDPIntent extracts the oidc.Tokens if available for the succeeded event payload.
+// It also encrypts the access token and refresh token (if set).
+func tokensForSucceededIDPIntent(session idp.Session, encryptionAlg crypto.EncryptionAlgorithm) (*crypto.CryptoValue, *crypto.CryptoValue, string, error) {
 	var tokens *oidc.Tokens[*oidc.IDTokenClaims]
 	switch s := session.(type) {
 	case *oauth.Session:
@@ -312,11 +314,25 @@ func tokensForSucceededIDPIntent(session idp.Session, encryptionAlg crypto.Encry
 	case *apple.Session:
 		tokens = s.Tokens
 	default:
-		return nil, "", nil
+		return nil, nil, "", nil
+	}
+	if tokens == nil {
+		return nil, nil, "", nil
 	}
 	if tokens.Token == nil || tokens.AccessToken == "" {
-		return nil, tokens.IDToken, nil
+		return nil, nil, tokens.IDToken, nil
 	}
 	accessToken, err := crypto.Encrypt([]byte(tokens.AccessToken), encryptionAlg)
-	return accessToken, tokens.IDToken, err
+	if err != nil {
+		return nil, nil, tokens.IDToken, err
+	}
+	var refreshToken *crypto.CryptoValue
+	if tokens.RefreshToken != "" {
+		refreshToken, err = crypto.Encrypt([]byte(tokens.RefreshToken), encryptionAlg)
+		if err != nil {
+			return nil, nil, tokens.IDToken, err
+		}
+	}
+
+	return accessToken, refreshToken, tokens.IDToken, nil
 }

internal/command/idp_intent_model.go

@@ -23,8 +23,9 @@ type IDPIntentWriteModel struct {
 	UserID       string
 	LoginHint    string
 
-	IDPAccessToken *crypto.CryptoValue
-	IDPIDToken     string
+	IDPAccessToken  *crypto.CryptoValue
+	IDPRefreshToken *crypto.CryptoValue
+	IDPIDToken      string
 
 	IDPEntryAttributes map[string][]string
 
@@ -131,6 +132,7 @@ func (wm *IDPIntentWriteModel) reduceOAuthSucceededEvent(e *idpintent.SucceededE
 	wm.IDPUserID = e.IDPUserID
 	wm.IDPUserName = e.IDPUserName
 	wm.IDPAccessToken = e.IDPAccessToken
+	wm.IDPRefreshToken = e.IDPRefreshToken
 	wm.IDPIDToken = e.IDPIDToken
 	wm.State = domain.IDPIntentStateSucceeded
 	wm.succeededAt = e.CreationDate()