feat: primary domain (#936)

* fix: primary domain * fix: remove comment * fix: oidc version
2025-02-28 17:17:23 +00:00 · 2020-11-03 10:50:03 +01:00 · 2020-11-03 10:50:03 +01:00 · 51417be35d
commit 51417be35d
parent b79661d66e
5 changed files with 345 additions and 640 deletions
--- a/go.mod
+++ b/go.mod
@ -16,7 +16,7 @@ require (
 	github.com/aws/aws-sdk-go v1.35.11 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
 	github.com/caos/logging v0.0.2
-	github.com/caos/oidc v0.12.3
+	github.com/caos/oidc v0.12.4
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cockroachdb/cockroach-go/v2 v2.0.8
 	github.com/envoyproxy/protoc-gen-validate v0.4.1
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@ -2,6 +2,7 @@ package oidc

 import (
 	"context"
+	"github.com/caos/zitadel/internal/auth_request/model"
 	"strings"

 	"golang.org/x/text/language"
@ -153,6 +154,9 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID, applicati
 			if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
 				roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
 			}
+			if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
+				userInfo.AppendClaims(model.OrgDomainPrimaryScope, strings.TrimPrefix(scope, model.OrgDomainPrimaryScope))
+			}
 		}
 	}

@ -170,17 +174,19 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID, applicati
 	return userInfo, nil
 }

-func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, applicationID string, scopes []string) (claims map[string]interface{}, err error) {
+func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clientID string, scopes []string) (claims map[string]interface{}, err error) {
 	roles := make([]string, 0)
 	for _, scope := range scopes {
 		if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
 			roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
+		} else if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
+			claims = map[string]interface{}{model.OrgDomainPrimaryScope: strings.TrimPrefix(scope, model.OrgDomainPrimaryScope)}
 		}
 	}
-	if len(roles) == 0 || applicationID == "" {
-		return nil, nil
+	if len(roles) == 0 || clientID == "" {
+		return claims, nil
 	}
-	projectRoles, err := o.assertRoles(ctx, userID, applicationID, roles)
+	projectRoles, err := o.assertRoles(ctx, userID, clientID, roles)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@ -1,6 +1,8 @@
 package oidc

 import (
+	authreq_model "github.com/caos/zitadel/internal/auth_request/model"
+	"strings"
 	"time"

 	"github.com/caos/oidc/pkg/oidc"
@ -63,16 +65,22 @@ func (c *Client) DevMode() bool {
 	return c.ApplicationView.DevMode
 }

-func (c *Client) AllowedScopes() []string {
-	return c.allowedScopes
+func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
+	return func(scopes []string) []string {
+		if c.IDTokenRoleAssertion {
+			return scopes
+		}
+		return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
+	}
 }

-func (c *Client) AssertAdditionalIdTokenScopes() bool {
-	return c.IDTokenRoleAssertion
-}
-
-func (c *Client) AssertAdditionalAccessTokenScopes() bool {
-	return c.AccessTokenRoleAssertion
+func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string {
+	return func(scopes []string) []string {
+		if c.AccessTokenRoleAssertion {
+			return scopes
+		}
+		return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
+	}
 }

 func (c *Client) AccessTokenLifetime() time.Duration {
@ -87,6 +95,18 @@ func (c *Client) AccessTokenType() op.AccessTokenType {
 	return accessTokenTypeToOIDC(c.ApplicationView.AccessTokenType)
 }

+func (c *Client) IsScopeAllowed(scope string) bool {
+	if strings.HasPrefix(scope, authreq_model.OrgDomainPrimaryScope) {
+		return true
+	}
+	for _, allowedScope := range c.allowedScopes {
+		if scope == allowedScope {
+			return true
+		}
+	}
+	return false
+}
+
 func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType {
 	switch tokenType {
 	case model.OIDCTokenTypeBearer:
@ -131,3 +151,20 @@ func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
 		return oidc.ResponseTypeCode
 	}
 }
+
+func removeScopeWithPrefix(scopes []string, scopePrefix ...string) []string {
+	newScopeList := make([]string, 0)
+	for _, scope := range scopes {
+		hasPrefix := false
+		for _, prefix := range scopePrefix {
+			if strings.HasPrefix(scope, prefix) {
+				hasPrefix = true
+				continue
+			}
+		}
+		if !hasPrefix {
+			newScopeList = append(newScopeList, scope)
+		}
+	}
+	return newScopeList
+}
--- a/pkg/grpc/management/management.pb.gw.go
+++ b/pkg/grpc/management/management.pb.gw.go
--- a/pkg/grpc/management/management.swagger.json
+++ b/pkg/grpc/management/management.swagger.json