From ad0589d21d05d4210fcdf65bfe08ebeb5e31fa6e Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Wed, 27 Mar 2024 08:26:14 +0100
Subject: [PATCH] fix: prevent custom urn:zitadel:iam claims (#7647)
(cherry picked from commit 1121ebfdb81bd7e199a094150acb3f2087d6e899)
---
 docs/docs/apis/actions/complement-token.md | 5 ++++-
 internal/api/oidc/client.go | 10 ++++++++++
 internal/api/oidc/userinfo.go | 6 ++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/docs/docs/apis/actions/complement-token.md b/docs/docs/apis/actions/complement-token.md
index b0f8fea8e2..ff342de39f 100644
--- a/docs/docs/apis/actions/complement-token.md
+++ b/docs/docs/apis/actions/complement-token.md
@@ -30,10 +30,12 @@ The trigger is represented by the following Ids in the API: `4`
 - `userinfo`
 This function is deprecated, please use `api.v1.claims`
 - `setClaim(string, Any)`
- Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log`
+ Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log`
+ Note that keys with prefix `urn:zitadel:iam` will be ignored.
 - `claims`
 - `setClaim(string, Any)`
 Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log`
+ Note that keys with prefix `urn:zitadel:iam` will be ignored.
 - `user`
 - `setMetadata(string, Any)`
 Key of the metadata and any value
@@ -62,6 +64,7 @@ The trigger is represented by the following Ids in the API: `5`
 - `claims`
 - `setClaim(string, Any)`
 Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log`
+ Note that keys with prefix `urn:zitadel:iam` will be ignored.
 - `appendLogIntoClaims(string)`
 Appends the entry into the claim `urn:zitadel:action:{action.name}:log` the value of the claim is an Array of *string*
 - `user`
diff --git a/internal/api/oidc/client.go b/internal/api/oidc/client.go
index 9af51bff61..51c5798d1f 100644
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -27,6 +27,7 @@ import (
 )

 const (
+ ClaimPrefix = "urn:zitadel:iam"
 ScopeProjectRolePrefix = "urn:zitadel:iam:org:project:role:"
 ScopeProjectsRoles = "urn:zitadel:iam:org:projects:roles"
 ClaimProjectRoles = "urn:zitadel:iam:org:project:roles"
@@ -520,6 +521,9 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGra
 actions.SetFields("v1",
 actions.SetFields("userinfo",
 actions.SetFields("setClaim", func(key string, value interface{}) {
+ if strings.HasPrefix(key, ClaimPrefix) {
+ return
+ }
 if userInfo.Claims[key] == nil {
 userInfo.AppendClaims(key, value)
 return
@@ -532,6 +536,9 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGra
 ),
 actions.SetFields("claims",
 actions.SetFields("setClaim", func(key string, value interface{}) {
+ if strings.HasPrefix(key, ClaimPrefix) {
+ return
+ }
 if userInfo.Claims[key] == nil {
 userInfo.AppendClaims(key, value)
 return
@@ -737,6 +744,9 @@ func (o *OPStorage) privateClaimsFlows(ctx context.Context, userID string, userG
 actions.SetFields("v1",
 actions.SetFields("claims",
 actions.SetFields("setClaim", func(key string, value interface{}) {
+ if strings.HasPrefix(key, ClaimPrefix) {
+ return
+ }
 if _, ok := claims[key]; !ok {
 claims = appendClaim(claims, key, value)
 return
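Review bot: The new exported constant `ClaimPrefix` in the `const` block of the `@@ -27,6 +27,7 @@` hunk has no doc comment, and nothing in the file states that it names the namespace reserved for claims ZITADEL issues itself. Its neighbours in the block are longer, more specific strings under the same namespace, so a reader cannot tell why a bare `urn:zitadel:iam` needs its own name or who is expected to consult it. Suggest `// ClaimPrefix is the namespace of claims issued by ZITADEL itself; setClaim in the action flows refuses any key under it so an action cannot shadow them.` above the new line. Since the prefix has no trailing colon, any key that merely begins with `urn:zitadel:iam` is rejected as well, which errs on the safe side but is worth saying in that comment.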
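Review bot: The same three-line guard `if strings.HasPrefix(key, ClaimPrefix) { return }` is pasted into five `setClaim` closures — the two userinfoFlows hunks at `@@ -520` and `@@ -532` and the privateClaimsFlows hunk at `@@ -737` in client.go, plus both userinfoFlows hunks in internal/api/oidc/userinfo.go — so the policy deciding which claim names an action may not touch lives in five places, and any future field that writes claims has to remember to copy it. A single helper next to the constant, `func isReservedClaim(key string) bool { return strings.HasPrefix(key, ClaimPrefix) }`, with each closure reduced to `if isReservedClaim(key) { return }`, keeps the rule in one spot and gives it one unit test. The import hunk shows only the closing `)`, so I am assuming `strings` is already imported in both files. All three enclosing functions start and end outside their hunks.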
diff --git a/internal/api/oidc/userinfo.go b/internal/api/oidc/userinfo.go
index b1ccac395c..311555a226 100644
--- a/internal/api/oidc/userinfo.go
+++ b/internal/api/oidc/userinfo.go
@@ -223,6 +223,9 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
 actions.SetFields("v1",
 actions.SetFields("userinfo",
 actions.SetFields("setClaim", func(key string, value interface{}) {
+ if strings.HasPrefix(key, ClaimPrefix) {
+ return
+ }
 if userInfo.Claims[key] == nil {
 userInfo.AppendClaims(key, value)
 return
@@ -235,6 +238,9 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
 ),
 actions.SetFields("claims",
 actions.SetFields("setClaim", func(key string, value interface{}) {
+ if strings.HasPrefix(key, ClaimPrefix) {
+ return
+ }
 if userInfo.Claims[key] == nil {
 userInfo.AppendClaims(key, value)
 return
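Review bot: A rejected key is dropped silently at the `return` in the added guard of both hunks, whereas the closure's "already present" case — per the documentation change in this commit — records a message in the `urn:zitadel:iam:action:${action.name}:log` claim, so an action author whose claim disappears gets no hint why, and an operator has no server-side trace of actions trying to write under the reserved namespace. Consider treating the two cases alike: append a "reserved key ignored" entry to the action log before returning (the branch that does this is just past the hunk, so I cannot see its exact call), or at least emit a debug log with the offending key. The commit also ships no test; a table test that invokes the `setClaim` closure with `ClaimPrefix + ":org:project:roles"` and with an ordinary key, then asserts `userInfo.Claims` gained only the latter, would pin the fix here and in the three client.go hunks. userinfoFlows starts and ends outside both hunks.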