feat: implement link identity with oidc / native sign in (#2108)

Implements linking an OIDC identity to a user. It works by modifying the
existing `/token?grant_type=id_token` endpoint by allowing a
`link_identity` body parameter.

If it's set, the `Authorization` header must be set to a valid JWT
representing a user. This user will be the user to which the ID token's
identity will be linked to.

Author: hf

internal/api/auth.go

@@ -64,7 +64,7 @@ func (a *API) extractBearerToken(r *http.Request) (string, error) {
 	authHeader := r.Header.Get("Authorization")
 	matches := bearerRegexp.FindStringSubmatch(authHeader)
 	if len(matches) != 2 {
-		return "", apierrors.NewHTTPError(http.StatusUnauthorized, apierrors.ErrorCodeNoAuthorization, "This endpoint requires a Bearer token")
+		return "", apierrors.NewHTTPError(http.StatusUnauthorized, apierrors.ErrorCodeNoAuthorization, "This endpoint requires a valid Bearer token")
 	}
 
 	return matches[1], nil

internal/api/token_oidc.go

@@ -19,12 +19,13 @@ import (
 
 // IdTokenGrantParams are the parameters the IdTokenGrant method accepts
 type IdTokenGrantParams struct {
-	IdToken     string `json:"id_token"`
-	AccessToken string `json:"access_token"`
-	Nonce       string `json:"nonce"`
-	Provider    string `json:"provider"`
-	ClientID    string `json:"client_id"`
-	Issuer      string `json:"issuer"`
+	IdToken      string `json:"id_token"`
+	AccessToken  string `json:"access_token"`
+	Nonce        string `json:"nonce"`
+	Provider     string `json:"provider"`
+	ClientID     string `json:"client_id"`
+	Issuer       string `json:"issuer"`
+	LinkIdentity bool   `json:"link_identity"`
 }
 
 func (p *IdTokenGrantParams) getProvider(ctx context.Context, config *conf.GlobalConfiguration, r *http.Request) (*oidc.Provider, bool, string, []string, bool, error) {
@@ -167,6 +168,25 @@ func (a *API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.R
 		return apierrors.NewOAuthError("invalid request", "provider or client_id and issuer required")
 	}
 
+	if params.LinkIdentity {
+		if r.Header.Get("Authorization") == "" {
+			return apierrors.NewOAuthError("invalid request", "Linking requires a valid user access token in Authorization")
+		}
+
+		requireAuthCtx, err := a.requireAuthentication(w, r)
+		if err != nil {
+			return err
+		}
+
+		targetUser := getUser(requireAuthCtx)
+		if targetUser == nil {
+			return apierrors.NewOAuthError("invalid request", "Linking requires a valid user authentication")
+		}
+
+		// set it so linkIdentityToUser works below
+		ctx = withTargetUser(ctx, targetUser)
+	}
+
 	oidcProvider, skipNonceCheck, providerType, acceptableClientIDs, emailOptional, err := params.getProvider(ctx, config, r)
 	if err != nil {
 		return err
@@ -251,15 +271,21 @@ func (a *API) IdTokenGrant(ctx context.Context, w http.ResponseWriter, r *http.R
 
 	grantParams.FillGrantParams(r)
 
-	if err := a.triggerBeforeUserCreatedExternal(r, db, userData, providerType); err != nil {
-		return err
+	if !params.LinkIdentity {
+		if err := a.triggerBeforeUserCreatedExternal(r, db, userData, providerType); err != nil {
+			return err
+		}
 	}
 
 	if err := db.Transaction(func(tx *storage.Connection) error {
 		var user *models.User
 		var terr error
 
-		user, terr = a.createAccountFromExternalIdentity(tx, r, userData, providerType, emailOptional)
+		if params.LinkIdentity {
+			user, terr = a.linkIdentityToUser(r, ctx, tx, userData, providerType)
+		} else {
+			user, terr = a.createAccountFromExternalIdentity(tx, r, userData, providerType, emailOptional)
+		}
 		if terr != nil {
 			return terr
 		}

internal/e2e/e2eapi/e2eapi_test.go

@@ -139,7 +139,7 @@ func TestDo(t *testing.T) {
 		res := make(chan string)
 		err := Do(ctx, http.MethodGet, inst.APIServer.URL+"/user", nil, &res)
 		require.Error(t, err)
-		require.ErrorContains(t, err, "401: This endpoint requires a Bearer token")
+		require.ErrorContains(t, err, "401: This endpoint requires a valid Bearer token")
 	})
 
 	// Covers http.NewRequestWithContext