fix: JWT Profile (#748)
* fix: correct env var for tracing type * fix: local env tracing * fix: key in detail as string * fix: implement storage * fix: machine key by id fix: store public key as bytes instead of crypto value * update oidc pkg * dont check origins for service account tokens * fix: scopes * fix: dependencies * fix: dependencies * fix: remove unused code * fix: variable naming Co-authored-by: Livio Amstutz <livio.a@gmail.com>
@@ -2,14 +2,16 @@ package oidc
|
||||
|
||||
import (
|
||||
"context"
|
||||
"github.com/caos/logging"
|
||||
|
||||
"golang.org/x/text/language"
|
||||
"gopkg.in/square/go-jose.v2"
|
||||
|
||||
"github.com/caos/oidc/pkg/oidc"
|
||||
"github.com/caos/oidc/pkg/op"
|
||||
|
||||
"github.com/caos/zitadel/internal/api/authz"
|
||||
"github.com/caos/zitadel/internal/api/http"
|
||||
"github.com/caos/zitadel/internal/crypto"
|
||||
"github.com/caos/zitadel/internal/errors"
|
||||
proj_model "github.com/caos/zitadel/internal/project/model"
|
||||
user_model "github.com/caos/zitadel/internal/user/model"
|
||||
@@ -36,6 +38,25 @@ func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (op.Clie
|
||||
return ClientFromBusiness(client, o.defaultLoginURL, o.defaultAccessTokenLifetime, o.defaultIdTokenLifetime)
|
||||
}
|
||||
|
||||
func (o *OPStorage) GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (*jose.JSONWebKey, error) {
|
||||
key, err := o.repo.MachineKeyByID(ctx, keyID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if key.UserID != userID {
|
||||
return nil, errors.ThrowPermissionDenied(nil, "OIDC-24jm3", "key from different user")
|
||||
}
|
||||
publicKey, err := crypto.BytesToPublicKey(key.PublicKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &jose.JSONWebKey{
|
||||
KeyID: key.ID,
|
||||
Use: "sig",
|
||||
Key: publicKey,
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (o *OPStorage) AuthorizeClientIDSecret(ctx context.Context, id string, secret string) error {
|
||||
ctx = authz.SetCtxData(ctx, authz.CtxData{
|
||||
UserID: oidcCtx,
|
||||
@@ -49,12 +70,14 @@ func (o *OPStorage) GetUserinfoFromToken(ctx context.Context, tokenID, origin st
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
app, err := o.repo.ApplicationByClientID(ctx, token.ApplicationID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if origin != "" && !http.IsOriginAllowed(app.OriginAllowList, origin) {
|
||||
return nil, errors.ThrowPermissionDenied(nil, "OIDC-da1f3", "origin is not allowed")
|
||||
if token.ApplicationID != "" {
|
||||
app, err := o.repo.ApplicationByClientID(ctx, token.ApplicationID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if origin != "" && !http.IsOriginAllowed(app.OriginAllowList, origin) {
|
||||
return nil, errors.ThrowPermissionDenied(nil, "OIDC-da1f3", "origin is not allowed")
|
||||
}
|
||||
}
|
||||
return o.GetUserinfoFromScopes(ctx, token.UserID, token.Scopes)
|
||||
}
|
||||
@@ -70,22 +93,34 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID string, sc
|
||||
case scopeOpenID:
|
||||
userInfo.Subject = user.ID
|
||||
case scopeEmail:
|
||||
if user.HumanView == nil {
|
||||
continue
|
||||
}
|
||||
userInfo.Email = user.Email
|
||||
userInfo.EmailVerified = user.IsEmailVerified
|
||||
case scopeProfile:
|
||||
userInfo.Name = user.DisplayName
|
||||
userInfo.FamilyName = user.LastName
|
||||
userInfo.GivenName = user.FirstName
|
||||
userInfo.Nickname = user.NickName
|
||||
userInfo.PreferredUsername = user.PreferredLoginName
|
||||
userInfo.UpdatedAt = user.ChangeDate
|
||||
userInfo.Gender = oidc.Gender(getGender(user.Gender))
|
||||
userInfo.Locale, err = language.Parse(user.PreferredLanguage)
|
||||
logging.Log("OIDC-4ks9F").OnError(err).Debug("unable to parse locale")
|
||||
if user.HumanView != nil {
|
||||
userInfo.Name = user.DisplayName
|
||||
userInfo.FamilyName = user.LastName
|
||||
userInfo.GivenName = user.FirstName
|
||||
userInfo.Nickname = user.NickName
|
||||
userInfo.Gender = oidc.Gender(getGender(user.Gender))
|
||||
userInfo.Locale, err = language.Parse(user.PreferredLanguage)
|
||||
} else {
|
||||
userInfo.Name = user.MachineView.Name
|
||||
}
|
||||
case scopePhone:
|
||||
if user.HumanView == nil {
|
||||
continue
|
||||
}
|
||||
userInfo.PhoneNumber = user.Phone
|
||||
userInfo.PhoneNumberVerified = user.IsPhoneVerified
|
||||
case scopeAddress:
|
||||
if user.HumanView == nil {
|
||||
continue
|
||||
}
|
||||
userInfo.Address.StreetAddress = user.StreetAddress
|
||||
userInfo.Address.Locality = user.Locality
|
||||
userInfo.Address.Region = user.Region
|
||||
|
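Review bot: In the scopeProfile case of GetUserinfoFromScopes the human branch still assigns `userInfo.Locale, err = language.Parse(user.PreferredLanguage)`, but the old `logging.Log("OIDC-4ks9F").OnError(err).Debug("unable to parse locale")` line is removed and nothing in the new code inspects `err`, so a malformed preferred language is now either silently dropped or, if the function's final return (outside this hunk, as is the function's start) hands `err` back, turns into a userinfo failure for that user; restoring the log line directly after the Parse call, or discarding the error explicitly with `_`, makes the intent clear. In GetUserinfoFromToken the origin allow-list check is skipped whenever `token.ApplicationID` is empty; the description ties this to service-account tokens, but the code keys the exemption on the field being blank, so any other issuance path that leaves ApplicationID empty inherits the bypass, and a comment such as `// tokens obtained via JWT profile carry no application, so no origin allow-list applies` plus, if the token model exposes the grant type, gating on that instead would make the exemption deliberate. In GetKeyByIDAndUserID the distinct "key from different user" error tells a caller that a key ID exists for someone else; returning the same not-found result the repository yields for unknown keys avoids that existence oracle.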