TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 18:17:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(login v1): correctly auto-link users on organizations with suffixed usernames (#10205)

Browse Source
This commit is contained in:
Livio Spring
2025-07-11 05:29:27 -04:00
committed by GitHub
parent fefeaea56a
commit 8f61b24532
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
internal/api/ui/login/external_provider_handler.go
View File

@@ -523,7 +523,7 @@ func (l *Login) handleExternalUserAuthenticated(
// The decision, which information will be checked is based on the IdP template option.
// The function returns a boolean whether a user was found or not.
// If single a user was found, it will be automatically linked.
func (l *Login) checkAutoLinking(r *http.Request, authReq *domain.AuthRequest, provider *query.IDPTemplate, externalUser *domain.ExternalUser) (bool, error) {
func (l *Login) checkAutoLinking(r *http.Request, authReq *domain.AuthRequest, provider *query.IDPTemplate, externalUser *domain.ExternalUser, human *domain.Human) (bool, error) {
queries := make([]query.SearchQuery, 0, 2)
switch provider.AutoLinking {
case domain.AutoLinkingOptionUnspecified:
@@ -532,7 +532,7 @@ func (l *Login) checkAutoLinking(r *http.Request, authReq *domain.AuthRequest, p
case domain.AutoLinkingOptionUsername:
// if we're checking for usernames there are to options:
//
// If no specific org has been requested (by id or domain scope), we'll check the provided username against
// If no specific org has been requested (by id or domain scope), we'll check the provided username (loginname) against
// all existing loginnames and directly use that result to either prompt or continue with other idp options.
if authReq.RequestedOrgID == "" {
user, err := l.query.GetNotifyUserByLoginName(r.Context(), false, externalUser.PreferredUsername)
@@ -544,8 +544,9 @@ func (l *Login) checkAutoLinking(r *http.Request, authReq *domain.AuthRequest, p
}
return true, nil
}
// If a specific org has been requested, we'll check the provided username against usernames (of that org).
usernameQuery, err := query.NewUserUsernameSearchQuery(externalUser.PreferredUsername, query.TextEqualsIgnoreCase)
// If a specific org has been requested, we'll check the username (org policy (suffixed or not) is already applied)
// against usernames (of that org).
usernameQuery, err := query.NewUserUsernameSearchQuery(human.Username, query.TextEqualsIgnoreCase)
if err != nil {
return false, nil
}
@@ -605,7 +606,7 @@ func (l *Login) createOrLinkUser(w http.ResponseWriter, r *http.Request, authReq
human, idpLink, _ := mapExternalUserToLoginUser(externalUser, orgIAMPolicy.UserLoginMustBeDomain)
// let's check if auto-linking is enabled and if the user would be found by the corresponding option
if provider.AutoLinking != domain.AutoLinkingOptionUnspecified {
userLinked, err = l.checkAutoLinking(r, authReq, provider, externalUser)
userLinked, err = l.checkAutoLinking(r, authReq, provider, externalUser, human)
if err != nil {
l.renderError(w, r, authReq, err)
return false