feat: add resource owner scope / claim (#2274)

* feat: add resource owner scope / claime * fix: private claimes * fix: private claims * fix: add claim description * Update claims.md Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 03:47:33 +00:00 · 2021-08-31 11:49:31 +02:00
parent c884a11f1b
commit 31a91a0039
7 changed files with 119 additions and 45 deletions
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -27,6 +27,8 @@ const (
 	ClaimProjectRoles      = "urn:zitadel:iam:org:project:roles"
 	ScopeUserMetaData      = "urn:zitadel:iam:user:metadata"
 	ClaimUserMetaData      = ScopeUserMetaData
+	ScopeResourceOwner     = "urn:zitadel:iam:user:resourceowner"
+	ClaimResourceOwner     = ScopeResourceOwner + ":"

 	oidcCtx = "oidc"
 )
@@ -174,6 +176,23 @@ func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo oidc.Use
 				continue
 			}
 			userInfo.SetAddress(oidc.NewUserInfoAddress(user.StreetAddress, user.Locality, user.Region, user.PostalCode, user.Country, ""))
+		case ScopeUserMetaData:
+			userMetaData, err := o.assertUserMetaData(ctx, userID)
+			if err != nil {
+				return err
+			}
+			if len(userMetaData) > 0 {
+				userInfo.AppendClaims(ClaimUserMetaData, userMetaData)
+			}
+		case ScopeResourceOwner:
+			resourceOwnerClaims, err := o.assertUserResourceOwner(ctx, userID)
+			if err != nil {
+				return err
+			}
+			for claim, value := range resourceOwnerClaims {
+				userInfo.AppendClaims(claim, value)
+			}
+
 		default:
 			if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
 				roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
@@ -183,14 +202,6 @@ func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo oidc.Use
 			}
 		}
 	}
-	userMetaData, err := o.assertUserMetaData(ctx, userID)
-	if err != nil {
-		return err
-	}
-	if len(userMetaData) > 0 {
-		userInfo.AppendClaims(ClaimUserMetaData, userMetaData)
-	}
-
 	if len(roles) == 0 || applicationID == "" {
 		return nil
 	}
@@ -230,6 +241,24 @@ func (o *OPStorage) SetIntrospectionFromToken(ctx context.Context, introspection
 func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (claims map[string]interface{}, err error) {
 	roles := make([]string, 0)
 	for _, scope := range scopes {
+		switch scope {
+		case ScopeUserMetaData:
+			userMetaData, err := o.assertUserMetaData(ctx, userID)
+			if err != nil {
+				return nil, err
+			}
+			if len(userMetaData) > 0 {
+				claims = appendClaim(claims, ClaimUserMetaData, userMetaData)
+			}
+		case ScopeResourceOwner:
+			resourceOwnerClaims, err := o.assertUserResourceOwner(ctx, userID)
+			if err != nil {
+				return nil, err
+			}
+			for claim, value := range resourceOwnerClaims {
+				claims = appendClaim(claims, claim, value)
+			}
+		}
 		if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
 			roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
 		} else if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
@@ -246,13 +275,6 @@ func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clie
 	if len(projectRoles) > 0 {
 		claims = appendClaim(claims, ClaimProjectRoles, projectRoles)
 	}
-	userMetaData, err := o.assertUserMetaData(ctx, userID)
-	if err != nil {
-		return nil, err
-	}
-	if len(userMetaData) > 0 {
-		claims = appendClaim(claims, ClaimUserMetaData, userMetaData)
-	}
 	return claims, err
 }

@@ -287,6 +309,18 @@ func (o *OPStorage) assertUserMetaData(ctx context.Context, userID string) (map[
 	return userMetaData, nil
 }

+func (o *OPStorage) assertUserResourceOwner(ctx context.Context, userID string) (map[string]string, error) {
+	resourceOwner, err := o.repo.OrgByUserID(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+	return map[string]string{
+		ClaimResourceOwner + "id":             resourceOwner.AggregateID,
+		ClaimResourceOwner + "name":           resourceOwner.Name,
+		ClaimResourceOwner + "primary_domain": resourceOwner.PrimaryDomain,
+	}, nil
+}
+
 func checkGrantedRoles(roles map[string]map[string]string, grant *grant_model.UserGrantView, requestedRole string) {
 	for _, grantedRole := range grant.RoleKeys {
 		if requestedRole == grantedRole {
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -109,6 +109,9 @@ func (c *Client) IsScopeAllowed(scope string) bool {
 	if strings.HasPrefix(scope, ScopeUserMetaData) {
 		return true
 	}
+	if strings.HasPrefix(scope, ScopeResourceOwner) {
+		return true
+	}
 	for _, allowedScope := range c.allowedScopes {
 		if scope == allowedScope {
 			return true