feat(providers): ZITADEL provider (#5479)

peintnermax · balazsorban44 · web-flow · commit d13997e1400a · 2022-10-06T09:44:21.000+02:00
* feat: zitadel provider

* Update packages/next-auth/src/providers/zitadel.ts

Co-authored-by: Balázs Orbán &lt;info@balazsorban.com&gt;

* Update packages/next-auth/src/providers/zitadel.ts

Co-authored-by: Balázs Orbán &lt;info@balazsorban.com&gt;

Co-authored-by: Balázs Orbán &lt;info@balazsorban.com&gt;
diff --git a/apps/dev/pages/api/auth/[...nextauth].ts b/apps/dev/pages/api/auth/[...nextauth].ts
@@ -35,6 +35,7 @@ import Twitter, { TwitterLegacy } from "next-auth/providers/twitter"
 import Vk from "next-auth/providers/vk"
 import Wikimedia from "next-auth/providers/wikimedia"
 import WorkOS from "next-auth/providers/workos"
+import Zitadel from "next-auth/providers/zitadel"
 
 // Adapters
 import { PrismaClient } from "@prisma/client"
@@ -120,6 +121,7 @@ export const authOptions: NextAuthOptions = {
     Vk({ clientId: process.env.VK_ID, clientSecret: process.env.VK_SECRET }),
     Wikimedia({ clientId: process.env.WIKIMEDIA_ID, clientSecret: process.env.WIKIMEDIA_SECRET }),
     WorkOS({ clientId: process.env.WORKOS_ID, clientSecret: process.env.WORKOS_SECRET }),
+    Zitadel({ issuer: process.env.ZITADEL_ISSUER, clientId: process.env.ZITADEL_CLIENT_ID, clientSecret: process.env.ZITADEL_CLIENT_SECRET }),
   ],
 }
 
diff --git a/docs/docs/providers/zitadel.md b/docs/docs/providers/zitadel.md
@@ -0,0 +1,87 @@
+---
+id: zitadel
+title: Zitadel
+---
+
+## Documentation
+
+https://docs.zitadel.com/docs/apis/openidoauth/endpoints
+
+## Configuration
+
+https://docs.zitadel.com/docs/guides/integrate/oauth-recommended-flows
+
+The Redirect URIs used when creating the credentials must include your full domain and end in the callback path. For example:
+
+- For production: `https://{YOUR_DOMAIN}/api/auth/callback/zitadel`
+- For development: `http://localhost:3000/api/auth/callback/zitadel`
+
+Make sure to enable **dev mode** in ZITADEL console to allow redirects for local development.
+
+## Options
+
+The **ZITADEL Provider** comes with a set of default options:
+
+- [ZITADEL Provider options](https://github.com/nextauthjs/next-auth/blob/main/packages/next-auth/src/providers/zitadel.ts)
+
+You can override any of the options to suit your own use case.
+
+## Example
+
+```js
+import ZitadelProvider from "next-auth/providers/zitadel";
+...
+providers: [
+  ZitadelProvider({
+    issuer: process.env.ZITADEL_ISSUER,
+    clientId: process.env.ZITADEL_CLIENT_ID,
+    clientSecret: process.env.ZITADEL_CLIENT_SECRET,
+  })
+]
+...
+```
+
+If you need access to ZITADEL APIs or need additional information, make sure to add the corresponding scopes.
+
+To get the full list of supported claims take a look [here](https://docs.zitadel.com/docs/apis/openidoauth/endpoints).
+
+```js
+const options = {
+  ...
+  providers: [
+    ZitadelProvider({
+      clientId: process.env.ZITADEL_CLIENT_ID,
+      authorization: {
+        params: {
+            scope: `openid email profile urn:zitadel:iam:org:project:id:${process.env.ZITADEL_PROJECT_ID}:aud`
+        }
+      }
+    })
+  ],
+  ...
+}
+```
+
+:::
+
+:::tip
+ZITADEL also returns a `email_verified` boolean property in the profile.
+
+You can use this property to restrict access to people with verified accounts.
+
+```js
+const options = {
+  ...
+  callbacks: {
+    async signIn({ account, profile }) {
+      if (account.provider === "zitadel") {
+        return profile.email_verified;
+      }
+      return true; // Do different verification for other providers that don't have `email_verified`
+    },
+  }
+  ...
+}
+```
+
+:::
diff --git a/packages/next-auth/src/providers/zitadel.ts b/packages/next-auth/src/providers/zitadel.ts
@@ -0,0 +1,51 @@
+import type { OAuthConfig, OAuthUserConfig } from "."
+
+export interface ZitadelProfile extends Record<string, any> {
+  amr: string // Authentication Method References as defined in RFC8176
+  aud: string // The audience of the token, by default all client id's and the project id are included
+  auth_time: number // Unix time of the authentication
+  azp: string // Client id of the client who requested the token
+  email: string // Email Address of the subject
+  email_verified: boolean // if the email was verified by ZITADEL
+  exp: number // Time the token expires (as unix time)
+  family_name: string // The subjects family name
+  given_name: string // Given name of the subject
+  gender: string // Gender of the subject
+  iat: number // Time of the token was issued at (as unix time)
+  iss: string // Issuing domain of a token
+  jti: string // Unique id of the token
+  locale: string // Language from the subject
+  name: string // The subjects full name
+  nbf: number // Time the token must not be used before (as unix time)
+  picture: string // The subjects profile picture
+  phone: string // Phone number provided by the user
+  phone_verified: boolean // if the phonenumber was verified by ZITADEL
+  preferred_username: string // ZITADEL's login name of the user. Consist of username@primarydomain
+  sub: string // Subject ID of the user
+}
+
+export default function Zitadel<P extends ZitadelProfile>(
+  options: OAuthUserConfig<P>
+): OAuthConfig<P> {
+  const { issuer } = options
+
+  return {
+    id: "zitadel",
+    name: "ZITADEL",
+    type: "oauth",
+    version: "2",
+    wellKnown: `${issuer}/.well-known/openid-configuration`,
+    authorization: { params: { scope: "openid email profile" } },
+    idToken: true,
+    checks: ["pkce", "state"],
+    async profile(profile) {
+      return {
+        id: profile.sub,
+        name: profile.name,
+        email: profile.email,
+        image: profile.picture,
+      }
+    },
+    options,
+  }
+}
