feat: restrict login to specific org by id (scope) (#4294)

* feat: add new org scope * change default of UserLoginMustBeDomain to false * return resource owner claims * fix: use email style for first user * fix: ensure email style for default users (backwards compatibility) * change to external domain (as it was before UserLoginMustBeDomain change) * update e2e tests to use email style usernames * document new scope * lint e2e Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
2025-08-13 02:58:11 +00:00 · 2022-09-23 14:08:10 +02:00
parent c98170c19b
commit 7dfa1925cc
17 changed files with 114 additions and 19 deletions
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@@ -507,7 +507,7 @@ func (l *Login) isDisplayLoginNameSuffix(authReq *domain.AuthRequest) bool {
 	if authReq == nil {
 		return false
 	}
-	if authReq.RequestedOrgID == "" {
+	if authReq.RequestedOrgID == "" || !authReq.RequestedOrgDomain {
 		return false
 	}
 	return authReq.LabelPolicy != nil && !authReq.LabelPolicy.HideLoginNameSuffix