fix: user session with external login (#797)

* fix: user session with external login * fix: tests * fix: tests * fix: change idp config name
2025-08-15 01:57:41 +00:00 · 2020-10-02 08:02:09 +02:00
parent 124988e2d2
commit 198370325d
24 changed files with 267 additions and 101 deletions
--- a/internal/ui/login/handler/external_login_handler.go
+++ b/internal/ui/login/handler/external_login_handler.go
@@ -6,6 +6,7 @@ import (
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
 	caos_errors "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
@@ -40,6 +41,15 @@ type externalNotFoundOptionData struct {
 	baseData
 }

+func (l *Login) handleExternalLoginStep(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, selectedIDPConfigID string) {
+	for _, idp := range authReq.AllowedExternalIDPs {
+		if idp.IDPConfigID == selectedIDPConfigID {
+			l.handleIDP(w, r, authReq, selectedIDPConfigID)
+		}
+	}
+	l.renderLogin(w, r, authReq, errors.ThrowInvalidArgument(nil, "VIEW-Fsj7f", "Errors.User.ExternalIDP.NotAllowed"))
+}
+
 func (l *Login) handleExternalLogin(w http.ResponseWriter, r *http.Request) {
 	data := new(externalIDPData)
 	authReq, err := l.getAuthRequestAndParseData(r, data)
@@ -51,7 +61,11 @@ func (l *Login) handleExternalLogin(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, l.zitadelURL, http.StatusFound)
 		return
 	}
-	idpConfig, err := l.getIDPConfigByID(r, data.IDPConfigID)
+	l.handleIDP(w, r, authReq, data.IDPConfigID)
+}
+
+func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, selectedIDPConfigID string) {
+	idpConfig, err := l.getIDPConfigByID(r, selectedIDPConfigID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
@@ -117,7 +131,7 @@ func (l *Login) getRPConfig(w http.ResponseWriter, r *http.Request, authReq *mod

 func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {
 	externalUser := l.mapTokenToLoginUser(tokens, idpConfig)
-	err := l.authRepo.CheckExternalUserLogin(r.Context(), authReq.ID, userAgentID, externalUser)
+	err := l.authRepo.CheckExternalUserLogin(r.Context(), authReq.ID, userAgentID, externalUser, model.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderExternalNotFoundOption(w, r, authReq, nil)
 		return
@@ -196,7 +210,7 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR

 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
 	user, externalIDP := l.mapExternalUserToLoginUser(orgIamPolicy, authReq.LinkingUsers[len(authReq.LinkingUsers)-1], idpConfig)
-	err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, member, authReq.ID, userAgentID, resourceOwner)
+	err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, member, authReq.ID, userAgentID, resourceOwner, model.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderExternalNotFoundOption(w, r, authReq, err)
 		return
--- a/internal/ui/login/handler/link_users_handler.go
+++ b/internal/ui/login/handler/link_users_handler.go
@@ -13,7 +13,7 @@ const (

 func (l *Login) linkUsers(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	err = l.authRepo.LinkExternalUsers(setContext(r.Context(), authReq.UserOrgID), authReq.ID, userAgentID)
+	err = l.authRepo.LinkExternalUsers(setContext(r.Context(), authReq.UserOrgID), authReq.ID, userAgentID, model.BrowserInfoFromRequest(r))
 	l.renderLinkUsersDone(w, r, authReq, err)
 }

--- a/internal/ui/login/handler/renderer.go
+++ b/internal/ui/login/handler/renderer.go
@@ -156,6 +156,7 @@ func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *
 	authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID)
 	if err != nil {
 		l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-sio0W", "could not get authreq"))
+		return
 	}
 	if len(authReq.PossibleSteps) == 0 {
 		l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-9sdp4", "no possible steps"))
@@ -208,6 +209,8 @@ func (l *Login) chooseNextStep(w http.ResponseWriter, r *http.Request, authReq *
 		l.linkUsers(w, r, authReq, err)
 	case *model.ExternalNotFoundOptionStep:
 		l.renderExternalNotFoundOption(w, r, authReq, err)
+	case *model.ExternalLoginStep:
+		l.handleExternalLoginStep(w, r, authReq, step.SelectedIDPConfigID)
 	default:
 		l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-ds3QF", "step no possible"))
 	}
--- a/internal/ui/login/static/i18n/de.yaml
+++ b/internal/ui/login/static/i18n/de.yaml
@@ -225,5 +225,6 @@ Errors:
    NotActive: Benutzer ist nicht aktiv
    ExternalIDP:
      IDPTypeNotImplemented: IDP Typ ist nicht implementiert
+      NotAllowed: Externer Login Provider ist nicht erlaubt

 optional: (optional)
--- a/internal/ui/login/static/i18n/en.yaml
+++ b/internal/ui/login/static/i18n/en.yaml
@@ -225,6 +225,7 @@ Errors:
    NotActive: User is not active
    ExternalIDP:
      IDPTypeNotImplemented: IDP Type is not implemented
+      NotAllowed: External Login Provider not allowed


 optional: (optional)