fix: idps (#777)

* fix: update client secret, skip passwordsteps only if login not if linking * fix: global policy for register * fix: scope handling * fix: back after error * fix: change org id scope to primary domain * fix: check if primarydomain empty * fix: local sh * fix: disable buttons on org login policy
2025-08-15 01:57:41 +00:00 · 2020-09-28 09:29:41 +02:00
parent 3e1204524e
commit 83b0ac1fdb
17 changed files with 196 additions and 55 deletions
--- a/internal/ui/login/handler/external_login_handler.go
+++ b/internal/ui/login/handler/external_login_handler.go
@@ -33,6 +33,7 @@ type externalIDPCallbackData struct {
 type externalNotFoundOptionFormData struct {
 	Link         bool `schema:"link"`
 	AutoRegister bool `schema:"autoregister"`
+	ResetLinking bool `schema:"resetlinking"`
 }

 type externalNotFoundOptionData struct {
@@ -139,35 +140,52 @@ func (l *Login) handleExternalNotFoundOptionCheck(w http.ResponseWriter, r *http
 	data := new(externalNotFoundOptionFormData)
 	authReq, err := l.getAuthRequestAndParseData(r, data)
 	if err != nil {
-		l.renderError(w, r, authReq, err)
+		l.renderExternalNotFoundOption(w, r, authReq, err)
 		return
 	}
 	if data.Link {
 		l.renderLogin(w, r, authReq, nil)
 		return
+	} else if data.ResetLinking {
+		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
+		err = l.authRepo.ResetLinkingUsers(r.Context(), authReq.ID, userAgentID)
+		if err != nil {
+			l.renderExternalNotFoundOption(w, r, authReq, err)
+		}
+		l.handleLogin(w, r)
+		return
 	}
 	l.handleAutoRegister(w, r, authReq)
 }

 func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
-	orgIamPolicy, err := l.getOrgIamPolicy(r, authReq.GetScopeOrgID())
-	if err != nil {
-		l.renderExternalNotFoundOption(w, r, authReq, err)
-		return
-	}
 	iam, err := l.authRepo.GetIAM(r.Context())
 	if err != nil {
 		l.renderExternalNotFoundOption(w, r, authReq, err)
 		return
 	}
+
 	resourceOwner := iam.GlobalOrgID
 	member := &org_model.OrgMember{
 		ObjectRoot: models.ObjectRoot{AggregateID: iam.GlobalOrgID},
 		Roles:      []string{orgProjectCreatorRole},
 	}
-	if authReq.GetScopeOrgID() != iam.GlobalOrgID && authReq.GetScopeOrgID() != "" {
-		member = nil
-		resourceOwner = authReq.GetScopeOrgID()
+	if authReq.GetScopeOrgPrimaryDomain() != "" {
+		primaryDomain := authReq.GetScopeOrgPrimaryDomain()
+		org, err := l.authRepo.GetOrgByPrimaryDomain(primaryDomain)
+		if err != nil {
+			l.renderExternalNotFoundOption(w, r, authReq, err)
+		}
+		if org.ID != iam.GlobalOrgID {
+			member = nil
+			resourceOwner = org.ID
+		}
+	}
+
+	orgIamPolicy, err := l.getOrgIamPolicy(r, resourceOwner)
+	if err != nil {
+		l.renderExternalNotFoundOption(w, r, authReq, err)
+		return
 	}

 	idpConfig, err := l.authRepo.GetIDPConfigByID(r.Context(), authReq.SelectedIDPConfigID)
@@ -216,7 +234,6 @@ func (l *Login) mapTokenToLoginUser(tokens *oidc.Tokens, idpConfig *iam_model.ID
 	}
 	return externalUser
 }
-
 func (l *Login) mapExternalUserToLoginUser(orgIamPolicy *org_model.OrgIAMPolicy, linkingUser *model.ExternalUser, idpConfig *iam_model.IDPConfigView) (*usr_model.User, *usr_model.ExternalIDP) {
 	username := linkingUser.PreferredUsername
 	switch idpConfig.OIDCUsernameMapping {
--- a/internal/ui/login/handler/external_register_handler.go
+++ b/internal/ui/login/handler/external_register_handler.go
@@ -71,11 +71,6 @@ func (l *Login) handleExternalRegisterCallback(w http.ResponseWriter, r *http.Re
 }

 func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, idpConfig *iam_model.IDPConfigView, userAgentID string, tokens *oidc.Tokens) {
-	orgIamPolicy, err := l.getOrgIamPolicy(r, authReq.GetScopeOrgID())
-	if err != nil {
-		l.renderRegisterOption(w, r, authReq, err)
-		return
-	}
 	iam, err := l.authRepo.GetIAM(r.Context())
 	if err != nil {
 		l.renderRegisterOption(w, r, authReq, err)
@@ -86,11 +81,24 @@ func (l *Login) handleExternalUserRegister(w http.ResponseWriter, r *http.Reques
 		ObjectRoot: models.ObjectRoot{AggregateID: iam.GlobalOrgID},
 		Roles:      []string{orgProjectCreatorRole},
 	}
-	if authReq.GetScopeOrgID() != iam.GlobalOrgID && authReq.GetScopeOrgID() != "" {
-		member = nil
-		resourceOwner = authReq.GetScopeOrgID()
-	}

+	if authReq.GetScopeOrgPrimaryDomain() != "" {
+		primaryDomain := authReq.GetScopeOrgPrimaryDomain()
+		org, err := l.authRepo.GetOrgByPrimaryDomain(primaryDomain)
+		if err != nil {
+			l.renderRegisterOption(w, r, authReq, err)
+			return
+		}
+		if org.ID != iam.GlobalOrgID {
+			member = nil
+			resourceOwner = org.ID
+		}
+	}
+	orgIamPolicy, err := l.getOrgIamPolicy(r, resourceOwner)
+	if err != nil {
+		l.renderRegisterOption(w, r, authReq, err)
+		return
+	}
 	user, externalIDP := l.mapTokenToLoginUserAndExternalIDP(orgIamPolicy, tokens, idpConfig)
 	_, err = l.authRepo.RegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, member, resourceOwner)
 	if err != nil {
--- a/internal/ui/login/handler/register_handler.go
+++ b/internal/ui/login/handler/register_handler.go
@@ -71,9 +71,17 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
 		ObjectRoot: models.ObjectRoot{AggregateID: iam.GlobalOrgID},
 		Roles:      []string{orgProjectCreatorRole},
 	}
-	if authRequest.GetScopeOrgID() != "" && authRequest.GetScopeOrgID() != iam.GlobalOrgID {
-		member = nil
-		resourceOwner = authRequest.GetScopeOrgID()
+	if authRequest.GetScopeOrgPrimaryDomain() != "" {
+		primaryDomain := authRequest.GetScopeOrgPrimaryDomain()
+		org, err := l.authRepo.GetOrgByPrimaryDomain(primaryDomain)
+		if err != nil {
+			l.renderRegisterOption(w, r, authRequest, err)
+			return
+		}
+		if org.ID != iam.GlobalOrgID {
+			member = nil
+			resourceOwner = org.ID
+		}
 	}
 	user, err := l.authRepo.Register(setContext(r.Context(), resourceOwner), data.toUserModel(), member, resourceOwner)
 	if err != nil {
--- a/internal/ui/login/handler/renderer.go
+++ b/internal/ui/login/handler/renderer.go
@@ -292,7 +292,14 @@ func (l *Login) getOrgID(authReq *model.AuthRequest) string {
 	if authReq.Request == nil {
 		return ""
 	}
-	return authReq.GetScopeOrgID()
+	primaryDomain := authReq.GetScopeOrgPrimaryDomain()
+	if primaryDomain != "" {
+		org, _ := l.authRepo.GetOrgByPrimaryDomain(primaryDomain)
+		if org != nil {
+			return org.ID
+		}
+	}
+	return ""
 }

 func getRequestID(authReq *model.AuthRequest, r *http.Request) string {
--- a/internal/ui/login/static/templates/error-message.html
+++ b/internal/ui/login/static/templates/error-message.html
@@ -1,9 +1,7 @@
 {{ define "error-message" }}
 {{if .ErrMessage }}
-<div class="field">
-    <div class="error">
-        {{ if .ErrType }}{{ .ErrType }} - {{end}}{{ .ErrMessage }}
-    </div>
+<div class="error">
+    {{ if .ErrType }}{{ .ErrType }} - {{end}}{{ .ErrMessage }}
 </div>
 {{end}}
 {{ end }}
--- a/internal/ui/login/static/templates/external_not_found_option.html
+++ b/internal/ui/login/static/templates/external_not_found_option.html
@@ -15,9 +15,7 @@
    <div class="actions">
        <button class="secondary right" name="link" value="true" formnovalidate>{{t "ExternalNotFoundOption.Link"}}</button>
        <button class="secondary right" name="autoregister" value="true" formnovalidate>{{t "ExternalNotFoundOption.AutoRegister"}}</button>
-        <a class="button secondary" href="{{ loginUrl .AuthReqID }}">
-            {{t "Actions.Back"}}
-        </a>
+        <button class="secondary right" name="resetlinking" value="true" formnovalidate>{{t "Actions.Back"}}</button>
    </div>

    {{template "error-message" .}}