TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 18:17:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: SAML and OIDC issuer (in proxied use cases) (#9638)

Browse Source 
# Which Problems Are Solved

When using implicit flow through the session API and a login UI on a
custom domain (proxy), the tokens were signed by the API domain of the
instance, rather than the public (proxy) domain.
The SAML response had the same issue. Additionally, the saml library had
an issue and lost the issuer context. This prevented also a successful
login through the hosted login UI.

# How the Problems Are Solved

- The issuer of the SAML and Auth request is persisted to provide the
information when signing the responses and tokens.
- The SAML library is updated to the latest version.

# Additional Changes

None

# Additional Context

None
This commit is contained in:
Stefan Benz
2025-03-26 18:08:13 +01:00
committed by GitHub
parent 1c0c08307f
commit 0e10ed0e0b
19 changed files with 226 additions and 162 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
internal/command/auth_request.go
View File

@@ -29,6 +29,7 @@ type AuthRequest struct {
LoginHint *string
HintUserID *string
NeedRefreshToken bool
Issuer string
}
type CurrentAuthRequest struct {
@@ -73,6 +74,7 @@ func (c *Commands) AddAuthRequest(ctx context.Context, authRequest *AuthRequest)
authRequest.LoginHint,
authRequest.HintUserID,
authRequest.NeedRefreshToken,
authRequest.Issuer,
))
if err != nil {
return nil, err
@@ -180,6 +182,7 @@ func authRequestWriteModelToCurrentAuthRequest(writeModel *AuthRequestWriteModel
MaxAge: writeModel.MaxAge,
LoginHint: writeModel.LoginHint,
HintUserID: writeModel.HintUserID,
Issuer: writeModel.Issuer,
},
SessionID: writeModel.SessionID,
UserID: writeModel.UserID,

2
internal/command/auth_request_model.go
View File

@@ -36,6 +36,7 @@ type AuthRequestWriteModel struct {
AuthMethods []domain.UserAuthMethodType
AuthRequestState domain.AuthRequestState
NeedRefreshToken bool
Issuer string
}
func NewAuthRequestWriteModel(ctx context.Context, id string) *AuthRequestWriteModel {
@@ -68,6 +69,7 @@ func (m *AuthRequestWriteModel) Reduce() error {
m.HintUserID = e.HintUserID
m.AuthRequestState = domain.AuthRequestStateAdded
m.NeedRefreshToken = e.NeedRefreshToken
m.Issuer = e.Issuer
case *authrequest.SessionLinkedEvent:
m.SessionID = e.SessionID
m.UserID = e.UserID

22
internal/command/auth_request_test.go
View File

@@ -62,6 +62,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
nil,
nil,
false,
"issuer",
),
),
),
@@ -101,6 +102,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
false,
"issuer",
),
),
),
@@ -127,6 +129,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
MaxAge: gu.Ptr(time.Duration(0)),
LoginHint: gu.Ptr("loginHint"),
HintUserID: gu.Ptr("hintUserID"),
Issuer: "issuer",
},
},
&CurrentAuthRequest{
@@ -150,6 +153,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
MaxAge: gu.Ptr(time.Duration(0)),
LoginHint: gu.Ptr("loginHint"),
HintUserID: gu.Ptr("hintUserID"),
Issuer: "issuer",
},
},
nil,
@@ -234,6 +238,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
eventFromEventPusher(
@@ -276,6 +281,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -317,6 +323,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -356,6 +363,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -418,6 +426,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -469,6 +478,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -527,6 +537,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -557,6 +568,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -616,6 +628,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -646,6 +659,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -706,6 +720,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -736,6 +751,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -797,6 +813,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -827,6 +844,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -950,6 +968,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
nil,
nil,
true,
"issuer",
),
),
),
@@ -978,6 +997,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
ResponseMode: domain.OIDCResponseModeQuery,
Issuer: "issuer",
},
},
},
@@ -1050,6 +1070,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
),
@@ -1088,6 +1109,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(

7
internal/command/oidc_session_test.go
View File

@@ -138,6 +138,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -182,6 +183,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -234,6 +236,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -331,6 +334,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -465,6 +469,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -610,6 +615,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
true,
"issuer",
),
),
eventFromEventPusher(
@@ -748,6 +754,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
gu.Ptr("loginHint"),
gu.Ptr("hintUserID"),
false,
"issuer",
),
),
eventFromEventPusher(

35
internal/command/saml_request.go
View File

@@ -15,13 +15,14 @@ type SAMLRequest struct {
ID string
LoginClient string
ApplicationID string
ACSURL string
RelayState string
RequestID string
Binding string
Issuer string
Destination string
ApplicationID string
ACSURL string
RelayState string
RequestID string
Binding string
Issuer string
Destination string
ResponseIssuer string
}
type CurrentSAMLRequest struct {
@@ -56,6 +57,7 @@ func (c *Commands) AddSAMLRequest(ctx context.Context, samlRequest *SAMLRequest)
samlRequest.Binding,
samlRequest.Issuer,
samlRequest.Destination,
samlRequest.ResponseIssuer,
))
if err != nil {
return nil, err
@@ -131,15 +133,16 @@ func (c *Commands) FailSAMLRequest(ctx context.Context, id string, reason domain
func samlRequestWriteModelToCurrentSAMLRequest(writeModel *SAMLRequestWriteModel) (_ *CurrentSAMLRequest) {
return &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: writeModel.AggregateID,
LoginClient: writeModel.LoginClient,
ApplicationID: writeModel.ApplicationID,
ACSURL: writeModel.ACSURL,
RelayState: writeModel.RelayState,
RequestID: writeModel.RequestID,
Binding: writeModel.Binding,
Issuer: writeModel.Issuer,
Destination: writeModel.Destination,
ID: writeModel.AggregateID,
LoginClient: writeModel.LoginClient,
ApplicationID: writeModel.ApplicationID,
ACSURL: writeModel.ACSURL,
RelayState: writeModel.RelayState,
RequestID: writeModel.RequestID,
Binding: writeModel.Binding,
Issuer: writeModel.Issuer,
Destination: writeModel.Destination,
ResponseIssuer: writeModel.ResponseIssuer,
},
SessionID: writeModel.SessionID,
UserID: writeModel.UserID,

18
internal/command/saml_request_model.go
View File

@@ -15,14 +15,15 @@ type SAMLRequestWriteModel struct {
eventstore.WriteModel
aggregate *eventstore.Aggregate
LoginClient string
ApplicationID string
ACSURL string
RelayState string
RequestID string
Binding string
Issuer string
Destination string
LoginClient string
ApplicationID string
ACSURL string
RelayState string
RequestID string
Binding string
Issuer string
Destination string
ResponseIssuer string
SessionID string
UserID string
@@ -52,6 +53,7 @@ func (m *SAMLRequestWriteModel) Reduce() error {
m.Binding = e.Binding
m.Issuer = e.Issuer
m.Destination = e.Destination
m.ResponseIssuer = e.ResponseIssuer
m.SAMLRequestState = domain.SAMLRequestStateAdded
case *samlrequest.SessionLinkedEvent:
m.SessionID = e.SessionID

145
internal/command/saml_request_test.go
View File

@@ -54,6 +54,7 @@ func TestCommands_AddSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -82,6 +83,7 @@ func TestCommands_AddSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -90,27 +92,29 @@ func TestCommands_AddSAMLRequest(t *testing.T) {
args{
ctx: mockCtx,
request: &SAMLRequest{
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
},
&CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
},
nil,
@@ -187,6 +191,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
eventFromEventPusher(
@@ -222,6 +227,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -255,6 +261,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -286,6 +293,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -340,6 +348,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -383,6 +392,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -431,15 +441,16 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
authReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -462,6 +473,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -511,15 +523,16 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
authReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -541,6 +554,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -591,15 +605,16 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
authReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -622,6 +637,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -672,15 +688,16 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
authReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "loginClient",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
SessionID: "sessionID",
UserID: "userID",
@@ -703,6 +720,7 @@ func TestCommands_LinkSessionToSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -817,6 +835,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
samlrequest.NewFailedEvent(mockCtx, &samlrequest.NewAggregate("V2_id", "instanceID").Aggregate,
@@ -850,6 +869,7 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -870,15 +890,16 @@ func TestCommands_FailSAMLRequest(t *testing.T) {
details: &domain.ObjectDetails{ResourceOwner: "instanceID"},
samlReq: &CurrentSAMLRequest{
SAMLRequest: &SAMLRequest{
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ID: "V2_id",
LoginClient: "login",
ApplicationID: "application",
ACSURL: "acs",
RelayState: "relaystate",
RequestID: "request",
Binding: "binding",
Issuer: "issuer",
Destination: "destination",
ResponseIssuer: "responseissuer",
},
},
},

4
internal/command/saml_session_test.go
View File

@@ -99,6 +99,7 @@ func TestCommands_CreateSAMLSessionFromSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
),
@@ -129,6 +130,7 @@ func TestCommands_CreateSAMLSessionFromSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
eventFromEventPusher(
@@ -167,6 +169,7 @@ func TestCommands_CreateSAMLSessionFromSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
eventFromEventPusher(
@@ -248,6 +251,7 @@ func TestCommands_CreateSAMLSessionFromSAMLRequest(t *testing.T) {
"binding",
"issuer",
"destination",
"responseissuer",
),
),
eventFromEventPusher(