feat: primary domain (#936)

* fix: primary domain * fix: remove comment * fix: oidc version
2025-08-12 00:27:31 +00:00 · 2020-11-03 10:50:03 +01:00
parent b79661d66e
commit 51417be35d
5 changed files with 345 additions and 640 deletions
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -1,6 +1,8 @@
 package oidc

 import (
+	authreq_model "github.com/caos/zitadel/internal/auth_request/model"
+	"strings"
 	"time"

 	"github.com/caos/oidc/pkg/oidc"
@@ -63,16 +65,22 @@ func (c *Client) DevMode() bool {
 	return c.ApplicationView.DevMode
 }

-func (c *Client) AllowedScopes() []string {
-	return c.allowedScopes
+func (c *Client) RestrictAdditionalIdTokenScopes() func(scopes []string) []string {
+	return func(scopes []string) []string {
+		if c.IDTokenRoleAssertion {
+			return scopes
+		}
+		return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
+	}
 }

-func (c *Client) AssertAdditionalIdTokenScopes() bool {
-	return c.IDTokenRoleAssertion
-}
-
-func (c *Client) AssertAdditionalAccessTokenScopes() bool {
-	return c.AccessTokenRoleAssertion
+func (c *Client) RestrictAdditionalAccessTokenScopes() func(scopes []string) []string {
+	return func(scopes []string) []string {
+		if c.AccessTokenRoleAssertion {
+			return scopes
+		}
+		return removeScopeWithPrefix(scopes, ScopeProjectRolePrefix)
+	}
 }

 func (c *Client) AccessTokenLifetime() time.Duration {
@@ -87,6 +95,18 @@ func (c *Client) AccessTokenType() op.AccessTokenType {
 	return accessTokenTypeToOIDC(c.ApplicationView.AccessTokenType)
 }

+func (c *Client) IsScopeAllowed(scope string) bool {
+	if strings.HasPrefix(scope, authreq_model.OrgDomainPrimaryScope) {
+		return true
+	}
+	for _, allowedScope := range c.allowedScopes {
+		if scope == allowedScope {
+			return true
+		}
+	}
+	return false
+}
+
 func accessTokenTypeToOIDC(tokenType model.OIDCTokenType) op.AccessTokenType {
 	switch tokenType {
 	case model.OIDCTokenTypeBearer:
@@ -131,3 +151,20 @@ func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
 		return oidc.ResponseTypeCode
 	}
 }
+
+func removeScopeWithPrefix(scopes []string, scopePrefix ...string) []string {
+	newScopeList := make([]string, 0)
+	for _, scope := range scopes {
+		hasPrefix := false
+		for _, prefix := range scopePrefix {
+			if strings.HasPrefix(scope, prefix) {
+				hasPrefix = true
+				continue
+			}
+		}
+		if !hasPrefix {
+			newScopeList = append(newScopeList, scope)
+		}
+	}
+	return newScopeList
+}