TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-06-12 20:28:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: reduce origin check to tokens issued through code and implicit flow (#6681)

Browse Source 
fix: only check origin for tokens issued to users through apps (code / implicit flow)
This commit is contained in:
Livio Spring 2023-10-09 13:08:18 +03:00 committed by GitHub
parent 54676eda98
commit 9696fde676
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
internal/api/authz/context.go
View File

@ -78,9 +78,12 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID, orgDomain st
if err != nil { if err != nil {
return CtxData{}, errors.ThrowPermissionDenied(err, "AUTH-GHpw2", "could not read projectid by clientid") return CtxData{}, errors.ThrowPermissionDenied(err, "AUTH-GHpw2", "could not read projectid by clientid")
} }
} // We used to check origins for every token, but service users shouldn't be used publicly (native app / SPA).
if err := checkOrigin(ctx, origins); err != nil { // Therefore, mostly won't send an origin and aren't able to configure them anyway.
return CtxData{}, err // For the current time we will only check origins for tokens issued to users through apps (code / implicit flow).
if err := checkOrigin(ctx, origins); err != nil {
return CtxData{}, err
}
} }
if orgID == "" && orgDomain == "" { if orgID == "" && orgDomain == "" {
orgID = resourceOwner orgID = resourceOwner