feat: authorization (#269)

Starts the new version of the ZITADEL SDK, which will provide more flexibility and better UX by (re)implementing the authorization feature.

BREAKING CHANGES:

- NewClient functions require context.Context
- remove deprecated WithKeyPath client connection options

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>

.github/workflows/release.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        go: ['1.19', '1.20', '1.21']
+        go: ['1.20', '1.21']
     name: Go ${{ matrix.go }} test
     steps:
       - uses: actions/checkout@v3

README.md

@@ -8,23 +8,23 @@
 [![Go Report Card](https://goreportcard.com/badge/github.com/zitadel/zitadel-go)](https://goreportcard.com/report/github.com/zitadel/zitadel-go)
 [![codecov](https://codecov.io/gh/zitadel/zitadel-go/branch/main/graph/badge.svg)](https://codecov.io/gh/zitadel/zitadel-go)
 
-> This project is in alpha state. It can AND will continue breaking until version 2.0.0 is released
+> This branch is WIP. It can AND will continue breaking until version 3.0.0 is released
 
-Go client library for the [ZITADEL](https://github.com/zitadel/zitadel) API.
+Go library for [ZITADEL](https://github.com/zitadel/zitadel). It provides features including:
+ - Authorization checks
+ - Authentication
+ - Client for ZITADEL API
 
 ## Usage
 
 Add the package to your go.mod by
 
 ```
-go get github.com/zitadel/zitadel-go/v2
+go get -u github.com/zitadel/zitadel-go/v3
 ```
 
 ...and check out the [examples](./example) in this repo or head over to our [docs website](https://docs.zitadel.com/docs/quickstarts/introduction).
 
-### V1
-
-If you're looking for Version 1, please check out the [main branch](https://github.com/zitadel/zitadel-go/tree/main).
 
 ## Supported Go Versions
 
@@ -33,8 +33,7 @@ Versions that also build are marked with :warning:.
 
 | Version | Supported          |
 |---------|--------------------|
-| <1.19   | :x:                |
-| 1.19    | :warning:          |
+| <1.20   | :x:                |
 | 1.20    | :white_check_mark: |
 | 1.21    | :white_check_mark: |
 

build/zitadel/Dockerfile

@@ -16,10 +16,10 @@ ENV PROTOC_ARCH x86_64
 ## protoc and protoc-gen-grpc-web for later use
 #######################
 FROM ${BUILDARCH}-base AS base
-ARG PROTOC_VERSION=3.18.0
+ARG PROTOC_VERSION=25.1
 ARG PROTOC_ZIP=protoc-${PROTOC_VERSION}-linux-${PROTOC_ARCH}.zip
-ARG GATEWAY_VERSION=2.18.0
-ARG VALIDATOR_VERSION=0.9.1
+ARG GATEWAY_VERSION=2.18.1
+ARG VALIDATOR_VERSION=1.0.2
 ARG TAG_NAME=main
 
 
@@ -51,16 +51,18 @@ RUN git clone --depth 1 -b ${TAG_NAME} https://github.com/zitadel/zitadel . \
 #######################
 FROM golang:${GO_VERSION} as go-dep
 COPY --from=base /proto/include /proto/include
+ARG PROTOC_GEN_GO_GRPC_VERSION=1.3.0
+ARG PROTOC_GEN_GO_VERSION=1.31.0
 
 WORKDIR /go/src/github.com/zitadel/zitadel-go
-RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1.0
-RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.27.1
+RUN go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v${PROTOC_GEN_GO_GRPC_VERSION}
+RUN go install google.golang.org/protobuf/cmd/protoc-gen-go@v${PROTOC_GEN_GO_VERSION}
 
 #######################
 ## Go base build
 #######################
 FROM go-dep as zitadel-client
-ARG PROJECT_PATH=github.com/zitadel/zitadel-go/v2/pkg/client
+ARG PROJECT_PATH=github.com/zitadel/zitadel-go/v3/pkg/client
 
 COPY --from=base /proto /proto
 COPY --from=base /usr/local/bin /usr/local/bin/.
@@ -84,5 +86,5 @@ RUN ./build/zitadel/generate-grpc-client.sh ${PROJECT_PATH} \
 ## prepare generated files for output
 #######################
 FROM scratch as zitadel-copy
-ARG PROJECT_PATH=github.com/zitadel/zitadel-go/v2/pkg/client
+ARG PROJECT_PATH=github.com/zitadel/zitadel-go/v3/pkg/client
 COPY --from=zitadel-client /zitadel-api/go/src/${PROJECT_PATH}/zitadel /zitadel

build/zitadel/README.md

@@ -26,5 +26,5 @@ For example: TAG_NAME=v1.0.0
 use under project root:
 
 ```
-DOCKER_BUILDKIT=1 docker build --target zitadel-copy -t zitadel-go:main --build-arg PROJECT_PATH=github.com/zitadel/zitadel-go/v2/pkg/client --build-arg TAG_NAME=main -f build/zitadel/Dockerfile . -o ./pkg/client
+DOCKER_BUILDKIT=1 docker build --target zitadel-copy -t zitadel-go:main --build-arg PROJECT_PATH=github.com/zitadel/zitadel-go/v3/pkg/client --build-arg TAG_NAME=main -f build/zitadel/Dockerfile . -o ./pkg/client
 ``` 

example/admin/admin.go

@@ -5,11 +5,11 @@ import (
 	"flag"
 	"log"
 
-	"github.com/zitadel/oidc/pkg/oidc"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
 
-	"github.com/zitadel/zitadel-go/v2/pkg/client/admin"
-	"github.com/zitadel/zitadel-go/v2/pkg/client/zitadel"
-	pb "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/admin"
+	"github.com/zitadel/zitadel-go/v3/pkg/client/admin"
+	"github.com/zitadel/zitadel-go/v3/pkg/client/zitadel"
+	pb "github.com/zitadel/zitadel-go/v3/pkg/client/zitadel/admin"
 )
 
 var (
@@ -21,12 +21,15 @@ var (
 func main() {
 	flag.Parse()
 
+	ctx := context.Background()
+
 	//create a client for the admin api providing:
 	//- issuer (e.g. https://acme-dtfhdg.zitadel.cloud)
 	//- api (e.g. acme-dtfhdg.zitadel.cloud:443)
 	//- scopes (including the ZITADEL project ID),
 	//- a JWT Profile source token (e.g. path to your key json), if not provided, the file will be read from the path set in env var ZITADEL_KEY_PATH
 	client, err := admin.NewClient(
+		ctx,
 		*issuer,
 		*api,
 		[]string{oidc.ScopeOpenID, zitadel.ScopeZitadelAPI()},
@@ -42,7 +45,6 @@ func main() {
 		}
 	}()
 
-	ctx := context.Background()
 	//call ZITADEL and print the name and creation date of the requested organisation
 	//the call was successful if no error occurred
 	resp, err := client.GetOrgByID(ctx, &pb.GetOrgByIDRequest{

example/api/grpc/main.go

@@ -0,0 +1,81 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"net"
+	"os"
+
+	"golang.org/x/exp/slog"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/reflection"
+
+	v3alpha "github.com/zitadel/zitadel-go/v3/example/api/grpc/proto"
+	"github.com/zitadel/zitadel-go/v3/pkg/authorization/oauth"
+	"github.com/zitadel/zitadel-go/v3/pkg/grpc/middleware"
+	"github.com/zitadel/zitadel-go/v3/pkg/zitadel"
+)
+
+var (
+	// flags to be provided for running the example server
+	domain = flag.String("domain", "", "your ZITADEL instance domain (in the form: https://<instance>.zitadel.cloud or https://<yourdomain>)")
+	key    = flag.String("key", "", "path to your key.json")
+	port   = flag.String("port", "8089", "port to run the server on (default is 8089)")
+)
+
+func main() {
+	flag.Parse()
+
+	ctx := context.Background()
+
+	// Initiate the zitadel sdk by providing its domain
+	// and as this example will focus on authorization (using Oauth2 Introspection),
+	// you will also need to initialize that with the downloaded api key.json
+	//
+	// it's a short form of:
+	// 	z, err := zitadel.New("https://your-domain.zitadel.cloud",
+	//		zitadel.WithAuthorization(ctx,
+	//			oauth.WithIntrospection[*oauth.IntrospectionContext](
+	//				oauth.JWTProfileIntrospectionAuthentication("./key.json"),
+	//			),
+	//		),
+	//	)
+	z, err := zitadel.New(*domain,
+		zitadel.WithAuthorization(ctx,
+			oauth.DefaultAuthorization(*key),
+		),
+	)
+	if err != nil {
+		slog.Error("zitadel sdk could not initialize", "error", err)
+		os.Exit(1)
+	}
+
+	// Initialize the GRPC middleware by providing the sdk and the authorization checks
+	mw := middleware.New(z.Authorization, checks)
+
+	// Create the GRPC server and provide the necessary interceptors
+	serverOptions := []grpc.ServerOption{
+		grpc.UnaryInterceptor(mw.Unary()),
+		grpc.StreamInterceptor(mw.Stream()),
+	}
+	grpcServer := grpc.NewServer(serverOptions...)
+
+	// Register your server implementation
+	v3alpha.RegisterExampleServiceServer(grpcServer, NewServer(mw))
+	// for easier use, we also register the grpc server reflection
+	reflection.Register(grpcServer)
+
+	// finally start the server on port 8099
+	lis, err := net.Listen("tcp", fmt.Sprintf(":%s", *port))
+	if err != nil {
+		slog.Error("creating listener failed", "error", err)
+		os.Exit(1)
+	}
+	err = grpcServer.Serve(lis)
+	if err != nil {
+		slog.Error("server terminated", "error", err)
+		os.Exit(1)
+	}
+}