fix: scim v2 endpoints enforce user resource owner (#9273)

# Which Problems Are Solved - If a SCIM endpoint is called with an orgID in the URL that is not the resource owner, no error is returned, and the action is executed. # How the Problems Are Solved - The orgID provided in the SCIM URL path must match the resource owner of the target user. Otherwise, an error will be returned. # Additional Context Part of https://github.com/zitadel/zitadel/issues/8140
2025-08-12 04:07:31 +00:00 · 2025-01-30 16:43:13 +01:00
parent 60cfa6cb76
commit 563f74640e
16 changed files with 153 additions and 78 deletions
--- a/internal/api/scim/resources/user.go
+++ b/internal/api/scim/resources/user.go
@@ -180,7 +180,8 @@ func (h *UsersHandler) Replace(ctx context.Context, id string, user *ScimUser) (
 }

 func (h *UsersHandler) Update(ctx context.Context, id string, operations patch.OperationCollection) error {
-	userWM, err := h.command.UserHumanWriteModel(ctx, id, true, true, true, true, false, false, true)
+	orgID := authz.GetCtxData(ctx).OrgID
+	userWM, err := h.command.UserHumanWriteModel(ctx, id, orgID, true, true, true, true, false, false, true)
 	if err != nil {
 		return err
 	}
@@ -191,6 +192,9 @@ func (h *UsersHandler) Update(ctx context.Context, id string, operations patch.O
 		return err
 	}

+	// ensure the identity of the user is not modified
+	changeHuman.ID = id
+	changeHuman.ResourceOwner = orgID
 	return h.command.ChangeUserHuman(ctx, changeHuman, h.userCodeAlg)
 }

@@ -200,12 +204,12 @@ func (h *UsersHandler) Delete(ctx context.Context, id string) error {
 		return err
 	}

-	_, err = h.command.RemoveUserV2(ctx, id, memberships, grants...)
+	_, err = h.command.RemoveUserV2(ctx, id, authz.GetCtxData(ctx).OrgID, memberships, grants...)
 	return err
 }

 func (h *UsersHandler) Get(ctx context.Context, id string) (*ScimUser, error) {
-	user, err := h.query.GetUserByID(ctx, false, id)
+	user, err := h.query.GetUserByIDWithResourceOwner(ctx, false, id, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/scim/resources/user_mapping.go
+++ b/internal/api/scim/resources/user_mapping.go
@@ -9,6 +9,7 @@ import (
 	"github.com/zitadel/logging"
 	"golang.org/x/text/language"

+	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/scim/metadata"
 	"github.com/zitadel/zitadel/internal/api/scim/schemas"
 	"github.com/zitadel/zitadel/internal/command"
@@ -73,8 +74,9 @@ func (h *UsersHandler) mapToAddHuman(ctx context.Context, scimUser *ScimUser) (*

 func (h *UsersHandler) mapToChangeHuman(ctx context.Context, scimUser *ScimUser) (*command.ChangeHuman, error) {
 	human := &command.ChangeHuman{
-		ID:       scimUser.ID,
-		Username: &scimUser.UserName,
+		ID:            scimUser.ID,
+		ResourceOwner: authz.GetCtxData(ctx).OrgID,
+		Username:      &scimUser.UserName,
 		Profile: &command.Profile{
 			NickName:    &scimUser.NickName,
 			DisplayName: &scimUser.DisplayName,