feat: restrict login to specific org by id (scope) (#4294)

* feat: add new org scope * change default of UserLoginMustBeDomain to false * return resource owner claims * fix: use email style for first user * fix: ensure email style for default users (backwards compatibility) * change to external domain (as it was before UserLoginMustBeDomain change) * update e2e tests to use email style usernames * document new scope * lint e2e Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
2025-08-11 21:17:32 +00:00 · 2022-09-23 14:08:10 +02:00
parent c98170c19b
commit 7dfa1925cc
17 changed files with 114 additions and 19 deletions
--- a/internal/domain/auth_request.go
+++ b/internal/domain/auth_request.go
@@ -37,6 +37,7 @@ type AuthRequest struct {
 	RequestedOrgID           string
 	RequestedOrgName         string
 	RequestedPrimaryDomain   string
+	RequestedOrgDomain       bool
 	ApplicationResourceOwner string
 	PrivateLabelingSetting   PrivateLabelingSetting
 	SelectedIDPConfigID      string
@@ -164,3 +165,15 @@ func (a *AuthRequest) GetScopeOrgPrimaryDomain() string {
 	}
 	return ""
 }
+
+func (a *AuthRequest) GetScopeOrgID() string {
+	switch request := a.Request.(type) {
+	case *AuthRequestOIDC:
+		for _, scope := range request.Scopes {
+			if strings.HasPrefix(scope, OrgIDScope) {
+				return strings.TrimPrefix(scope, OrgIDScope)
+			}
+		}
+	}
+	return ""
+}
--- a/internal/domain/org_domain.go
+++ b/internal/domain/org_domain.go
@@ -32,7 +32,7 @@ func (domain *OrgDomain) GenerateVerificationCode(codeGenerator crypto.Generator
 }

 func NewIAMDomainName(orgName, iamDomain string) string {
-	return strings.ToLower(strings.ReplaceAll(orgName, " ", "-") + "." + iamDomain)
+	return strings.ToLower(strings.ReplaceAll(strings.TrimSpace(orgName), " ", "-") + "." + iamDomain)
 }

 type OrgDomainValidationType int32
--- a/internal/domain/request.go
+++ b/internal/domain/request.go
@@ -2,7 +2,9 @@ package domain

 const (
 	OrgDomainPrimaryScope = "urn:zitadel:iam:org:domain:primary:"
+	OrgIDScope            = "urn:zitadel:iam:org:id:"
 	OrgDomainPrimaryClaim = "urn:zitadel:iam:org:domain:primary"
+	OrgIDClaim            = "urn:zitadel:iam:org:id"
 	ProjectIDScope        = "urn:zitadel:iam:org:project:id:"
 	ProjectIDScopeZITADEL = "zitadel"
 	AudSuffix             = ":aud"