feat: add user metadata scope and claim (#2268)

* feat: add user metadata scope and claime * docs: scope * docs: metadata base 64 encoded * docs: metadata base 64 encoded * docs: metadata base 64 encoded
2024-12-12 11:04:25 +00:00 · 2021-08-26 13:38:13 +02:00 · 2021-08-26 13:38:13 +02:00 · 5b4c64d740
commit 5b4c64d740
parent 1da68420bc
5 changed files with 49 additions and 9 deletions
--- a/docs/docs/apis/openidoauth/scopes.md
+++ b/docs/docs/apis/openidoauth/scopes.md
@ -28,5 +28,6 @@ In addition to the standard compliant scopes we utilize the following scopes.
 | urn:zitadel:iam:org:domain:primary:{domainname}  | `urn:zitadel:iam:org:domain:primary:acme.ch`                                   | When requesting this scope **ZITADEL** will enforce that the user is a member of the selected organization. If the organization does not exist a failure is displayed                                                                                                                                                                                                   |
 | urn:zitadel:iam:role:{rolename}                  |                                                                                |                                                                                                                                                                                                                                                                                                                                                                         |
 | `urn:zitadel:iam:org:project:id:{projectid}:aud` | ZITADEL's Project id is `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested projectid will be added to the audience of the access and id token                                                                                                                                                                                                                                                                  |
 | urn:zitadel:iam:user:metadata | `urn:zitadel:iam:user:metadata` | By adding this scope, the metadata of the user will be included in the token. The values are base64 encoded.                                                                                                                                                                                                                                                                |
 > If access to ZITADEL's API's is needed with a service user the scope `urn:zitadel:iam:org:project:id:69234237810729019:aud` needs to be used with the JWT Profile request
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@ -2,6 +2,7 @@ package oidc
 import (
 	"context"
 	"encoding/base64"
 	"strings"
 	"github.com/caos/oidc/pkg/oidc"
@ -22,14 +23,10 @@ import (
 )
 const (
 	scopeOpenID  = "openid"
 	scopeProfile = "profile"
 	scopeEmail   = "email"
 	scopePhone   = "phone"
 	scopeAddress = "address"
 	ScopeProjectRolePrefix = "urn:zitadel:iam:org:project:role:"
 	ClaimProjectRoles      = "urn:zitadel:iam:org:project:roles"
 	ScopeUserMetaData      = "urn:zitadel:iam:user:metadata"
 	ClaimUserMetaData      = ScopeUserMetaData
 	oidcCtx = "oidc"
 )
@ -186,6 +183,13 @@ func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo oidc.Use
 			}
 		}
 	}
 	userMetaData, err := o.assertUserMetaData(ctx, userID)
 	if err != nil {
 		return err
 	}
 	if len(userMetaData) > 0 {
 		userInfo.AppendClaims(ClaimUserMetaData, userMetaData)
 	}
 	if len(roles) == 0 || applicationID == "" {
 		return nil
@ -197,7 +201,6 @@ func (o *OPStorage) SetUserinfoFromScopes(ctx context.Context, userInfo oidc.Use
 	if len(projectRoles) > 0 {
 		userInfo.AppendClaims(ClaimProjectRoles, projectRoles)
 	}
 	return nil
 }
@ -243,6 +246,13 @@ func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clie
 	if len(projectRoles) > 0 {
 		claims = appendClaim(claims, ClaimProjectRoles, projectRoles)
 	}
 	userMetaData, err := o.assertUserMetaData(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
 	if len(userMetaData) > 0 {
 		claims = appendClaim(claims, ClaimUserMetaData, userMetaData)
 	}
 	return claims, err
 }
@ -264,6 +274,19 @@ func (o *OPStorage) assertRoles(ctx context.Context, userID, applicationID strin
 	return projectRoles, nil
 }
 func (o *OPStorage) assertUserMetaData(ctx context.Context, userID string) (map[string]string, error) {
 	metaData, err := o.repo.SearchUserMetadata(ctx, userID)
 	if err != nil {
 		return nil, err
 	}
 	userMetaData := make(map[string]string)
 	for _, md := range metaData.Result {
 		userMetaData[md.Key] = base64.RawURLEncoding.EncodeToString(md.Value)
 	}
 	return userMetaData, nil
 }
 func checkGrantedRoles(roles map[string]map[string]string, grant *grant_model.UserGrantView, requestedRole string) {
 	for _, grantedRole := range grant.RoleKeys {
 		if requestedRole == grantedRole {
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@ -106,6 +106,9 @@ func (c *Client) IsScopeAllowed(scope string) bool {
 	if strings.HasPrefix(scope, authreq_model.ProjectIDScope) {
 		return true
 	}
 	if strings.HasPrefix(scope, ScopeUserMetaData) {
 		return true
 	}
 	for _, allowedScope := range c.allowedScopes {
 		if scope == allowedScope {
 			return true
--- a/internal/auth/repository/eventsourcing/eventstore/user.go
+++ b/internal/auth/repository/eventsourcing/eventstore/user.go
@ -307,16 +307,27 @@ func (repo *UserRepo) GetMyMetadataByKey(ctx context.Context, key string) (*doma
 	return iam_model.MetadataViewToDomain(data), nil
 }
 func (repo *UserRepo) SearchUserMetadata(ctx context.Context, userID string) (*domain.MetadataSearchResponse, error) {
 	req := new(domain.MetadataSearchRequest)
 	return repo.searchUserMetadata(userID, "", req)
 }
 func (repo *UserRepo) SearchMyMetadata(ctx context.Context, req *domain.MetadataSearchRequest) (*domain.MetadataSearchResponse, error) {
 	ctxData := authz.GetCtxData(ctx)
 	err := req.EnsureLimit(repo.SearchLimit)
 	if err != nil {
 		return nil, err
 	}
 	return repo.searchUserMetadata(ctxData.UserID, ctxData.ResourceOwner, req)
 }
 func (repo *UserRepo) searchUserMetadata(userID, resourceOwner string, req *domain.MetadataSearchRequest) (*domain.MetadataSearchResponse, error) {
 	sequence, sequenceErr := repo.View.GetLatestUserSequence()
 	logging.Log("EVENT-N9fsd").OnError(sequenceErr).Warn("could not read latest user sequence")
-	req.AppendAggregateIDQuery(ctxData.UserID)
+	req.AppendAggregateIDQuery(userID)
-	req.AppendResourceOwnerQuery(ctxData.ResourceOwner)
+	if resourceOwner != "" {
 		req.AppendResourceOwnerQuery(resourceOwner)
 	}
 	metadata, count, err := repo.View.SearchMetadata(req)
 	if err != nil {
 		return nil, err
--- a/internal/auth/repository/user.go
+++ b/internal/auth/repository/user.go
@ -21,6 +21,8 @@ type UserRepository interface {
 	MachineKeyByID(ctx context.Context, keyID string) (*key_model.AuthNKeyView, error)
 	SearchUsers(ctx context.Context, request *model.UserSearchRequest) (*model.UserSearchResponse, error)
 	SearchUserMetadata(ctx context.Context, userID string) (*domain.MetadataSearchResponse, error)
 }
 type myUserRepo interface {