TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-12 00:27:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: prevent custom urn:zitadel:iam claims (#7647)

Browse Source
This commit is contained in:
Livio Spring
2024-03-27 08:26:14 +01:00
committed by GitHub
parent a83829b5ff
commit 1121ebfdb8
3 changed files with 20 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
internal/api/oidc/client.go
View File

@@ -27,6 +27,7 @@ import (
)
const (
ClaimPrefix = "urn:zitadel:iam"
ScopeProjectRolePrefix = "urn:zitadel:iam:org:project:role:"
ScopeProjectsRoles = "urn:zitadel:iam:org:projects:roles"
ClaimProjectRoles = "urn:zitadel:iam:org:project:roles"
@@ -522,6 +523,9 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGra
actions.SetFields("v1",
actions.SetFields("userinfo",
actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if userInfo.Claims[key] == nil {
userInfo.AppendClaims(key, value)
return
@@ -534,6 +538,9 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGra
),
actions.SetFields("claims",
actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if userInfo.Claims[key] == nil {
userInfo.AppendClaims(key, value)
return
@@ -739,6 +746,9 @@ func (o *OPStorage) privateClaimsFlows(ctx context.Context, userID string, userG
actions.SetFields("v1",
actions.SetFields("claims",
actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if _, ok := claims[key]; !ok {
claims = appendClaim(claims, key, value)
return

6
internal/api/oidc/userinfo.go
View File

@@ -223,6 +223,9 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
actions.SetFields("v1",
actions.SetFields("userinfo",
actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if userInfo.Claims[key] == nil {
userInfo.AppendClaims(key, value)
return
@@ -235,6 +238,9 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
),
actions.SetFields("claims",
actions.SetFields("setClaim", func(key string, value interface{}) {
if strings.HasPrefix(key, ClaimPrefix) {
return
}
if userInfo.Claims[key] == nil {
userInfo.AppendClaims(key, value)
return