fix: audience in create token (#985)

2025-01-12 18:23:42 +00:00 · 2020-11-18 17:11:37 +01:00 · 2020-11-18 17:11:37 +01:00 · a40ec1f25b
commit a40ec1f25b
parent 1e23292fc4
3 changed files with 21 additions and 5 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@ -109,8 +109,6 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *mod
 		return nil, err
 	}
 	request.Audience = appIDs
-	projectIDAud := request.GetScopeProjectIDsForAud()
-	request.Audience = append(request.Audience, projectIDAud...)
 	request.AppendAudIfNotExisting(app.ProjectID)
 	if request.LoginHint != "" {
 		err = repo.checkLoginName(ctx, request, request.LoginHint)
--- a/internal/auth/repository/eventsourcing/eventstore/token.go
+++ b/internal/auth/repository/eventsourcing/eventstore/token.go
@ -3,11 +3,13 @@ package eventstore
 import (
 	"context"
 	"github.com/caos/logging"
+	auth_req_model "github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/models"
 	usr_model "github.com/caos/zitadel/internal/user/model"
 	user_event "github.com/caos/zitadel/internal/user/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/user/repository/view/model"
+	"strings"
 	"time"

 	"github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
@ -18,19 +20,26 @@ type TokenRepo struct {
 	View       *view.View
 }

-func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error) {
+func (repo *TokenRepo) CreateToken(ctx context.Context, agentID, clientID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error) {
 	preferredLanguage := ""
 	user, _ := repo.View.UserByID(userID)
 	if user != nil {
 		preferredLanguage = user.PreferredLanguage
 	}
+
+	for _, scope := range scopes {
+		if strings.HasPrefix(scope, auth_req_model.ProjectIDScope) && strings.HasSuffix(scope, auth_req_model.AudSuffix) {
+			audience = append(audience, strings.TrimSuffix(strings.TrimPrefix(scope, auth_req_model.ProjectIDScope), auth_req_model.AudSuffix))
+		}
+	}
+
 	now := time.Now().UTC()
 	token := &usr_model.Token{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: userID,
 		},
 		UserAgentID:       agentID,
-		ApplicationID:     applicationID,
+		ApplicationID:     clientID,
 		Audience:          audience,
 		Scopes:            scopes,
 		Expiration:        now.Add(lifetime),
@ -82,3 +91,12 @@ func (repo *TokenRepo) TokenByID(ctx context.Context, userID, tokenID string) (*
 	}
 	return model.TokenViewToModel(token), nil
 }
+
+func AppendAudIfNotExisting(aud string, existingAud []string) []string {
+	for _, a := range existingAud {
+		if a == aud {
+			return existingAud
+		}
+	}
+	return append(existingAud, aud)
+}
--- a/internal/auth/repository/token.go
+++ b/internal/auth/repository/token.go
@ -7,7 +7,7 @@ import (
 )

 type TokenRepository interface {
-	CreateToken(ctx context.Context, agentID, applicationID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error)
+	CreateToken(ctx context.Context, agentID, clientID, userID string, audience, scopes []string, lifetime time.Duration) (*usr_model.Token, error)
 	IsTokenValid(ctx context.Context, userID, tokenID string) (bool, error)
 	TokenByID(ctx context.Context, userID, tokenID string) (*usr_model.TokenView, error)
 }