fix: add and verified projectID in audience (#957)

* feat: new scope for project id in aud * feat: add doc * feat: projectid endpoint * feat: remove handle Proejct id * fix: remove go.mod replace * fix: add project id to aud * fix: update oidc version * fix: change project id scope * update projectID scope to current usage * typo: ZITADEL uppercase Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 01:47:33 +00:00 · 2020-11-16 10:54:48 +01:00
parent 42effd8702
commit 78c0cf2f57
8 changed files with 40 additions and 3 deletions
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -99,6 +99,9 @@ func (c *Client) IsScopeAllowed(scope string) bool {
 	if strings.HasPrefix(scope, authreq_model.OrgDomainPrimaryScope) {
 		return true
 	}
+	if strings.HasPrefix(scope, authreq_model.ProjectIDScope) {
+		return true
+	}
 	for _, allowedScope := range c.allowedScopes {
 		if scope == allowedScope {
 			return true
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -109,6 +109,9 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *mod
 		return nil, err
 	}
 	request.Audience = appIDs
+	projectIDAud := request.GetScopeProjectIDsForAud()
+	request.Audience = append(request.Audience, projectIDAud...)
+	request.AppendAudIfNotExisting(app.ProjectID)
 	if request.LoginHint != "" {
 		err = repo.checkLoginName(ctx, request, request.LoginHint)
 		logging.LogWithFields("EVENT-aG311", "login name", request.LoginHint, "id", request.ID, "applicationID", request.ApplicationID).OnError(err).Debug("login hint invalid")
--- a/internal/auth_request/model/auth_request.go
+++ b/internal/auth_request/model/auth_request.go
@@ -137,3 +137,25 @@ func (a *AuthRequest) GetScopeOrgPrimaryDomain() string {
 	}
 	return ""
 }
+
+func (a *AuthRequest) GetScopeProjectIDsForAud() []string {
+	projectIDs := make([]string, 0)
+	switch request := a.Request.(type) {
+	case *AuthRequestOIDC:
+		for _, scope := range request.Scopes {
+			if strings.HasPrefix(scope, ProjectIDScope) && strings.HasSuffix(scope, AudSuffix) {
+				projectIDs = append(projectIDs, strings.TrimSuffix(strings.TrimPrefix(scope, ProjectIDScope), AudSuffix))
+			}
+		}
+	}
+	return projectIDs
+}
+
+func (a *AuthRequest) AppendAudIfNotExisting(aud string) {
+	for _, a := range a.Audience {
+		if a == aud {
+			return
+		}
+	}
+	a.Audience = append(a.Audience, aud)
+}
--- a/internal/auth_request/model/request.go
+++ b/internal/auth_request/model/request.go
@@ -19,7 +19,9 @@ const (
 )

 const (
-	OrgDomainPrimaryScope = "urn:zitadel:org:domain:primary:"
+	OrgDomainPrimaryScope = "urn:zitadel:iam:org:domain:primary:"
+	ProjectIDScope        = "urn:zitadel:iam:org:project:id:"
+	AudSuffix             = ":aud"
 )

 type AuthRequestOIDC struct {
--- a/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
+++ b/internal/authz/repository/eventsourcing/eventstore/token_verifier.go
@@ -80,8 +80,12 @@ func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenStrin
 		return "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-k9KS0", "invalid token")
 	}

+	projectID, _, err := repo.ProjectIDAndOriginsByClientID(ctx, clientID)
+	if err != nil {
+		return "", "", "", caos_errs.ThrowUnauthenticated(err, "APP-5M9so", "invalid token")
+	}
 	for _, aud := range token.Audience {
-		if clientID == aud {
+		if clientID == aud || projectID == aud {
 			return token.UserID, token.UserAgentID, token.PreferredLanguage, nil
 		}
 	}