fix: prevent custom urn:zitadel:iam claims (#7647)

(cherry picked from commit 1121ebfdb81bd7e199a094150acb3f2087d6e899)

docs/docs/apis/actions/complement-token.md

@@ -31,9 +31,11 @@ The trigger is represented by the following Ids in the API: `4`
       This function is deprecated, please use `api.v1.claims`
       - `setClaim(string, Any)`  
         Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log` 
+        Note that keys with prefix `urn:zitadel:iam` will be ignored.
     - `claims`
       - `setClaim(string, Any)`  
         Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log`
+        Note that keys with prefix `urn:zitadel:iam` will be ignored.
     - `user`
       - `setMetadata(string, Any)`  
         Key of the metadata and any value
@@ -62,6 +64,7 @@ The trigger is represented by the following Ids in the API: `5`
     - `claims`
       - `setClaim(string, Any)`  
         Sets any value if the key is not already present. If it's already present there is a message added to `urn:zitadel:iam:action:${action.name}:log`
+        Note that keys with prefix `urn:zitadel:iam` will be ignored.
       - `appendLogIntoClaims(string)`  
         Appends the entry into the claim `urn:zitadel:action:{action.name}:log` the value of the claim is an Array of *string*
     - `user`

internal/api/oidc/client.go

@@ -27,6 +27,7 @@ import (
 )
 
 const (
+	ClaimPrefix             = "urn:zitadel:iam"
 	ScopeProjectRolePrefix  = "urn:zitadel:iam:org:project:role:"
 	ScopeProjectsRoles      = "urn:zitadel:iam:org:projects:roles"
 	ClaimProjectRoles       = "urn:zitadel:iam:org:project:roles"
@@ -520,6 +521,9 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGra
 			actions.SetFields("v1",
 				actions.SetFields("userinfo",
 					actions.SetFields("setClaim", func(key string, value interface{}) {
+						if strings.HasPrefix(key, ClaimPrefix) {
+							return
+						}
 						if userInfo.Claims[key] == nil {
 							userInfo.AppendClaims(key, value)
 							return
@@ -532,6 +536,9 @@ func (o *OPStorage) userinfoFlows(ctx context.Context, user *query.User, userGra
 				),
 				actions.SetFields("claims",
 					actions.SetFields("setClaim", func(key string, value interface{}) {
+						if strings.HasPrefix(key, ClaimPrefix) {
+							return
+						}
 						if userInfo.Claims[key] == nil {
 							userInfo.AppendClaims(key, value)
 							return
@@ -737,6 +744,9 @@ func (o *OPStorage) privateClaimsFlows(ctx context.Context, userID string, userG
 			actions.SetFields("v1",
 				actions.SetFields("claims",
 					actions.SetFields("setClaim", func(key string, value interface{}) {
+						if strings.HasPrefix(key, ClaimPrefix) {
+							return
+						}
 						if _, ok := claims[key]; !ok {
 							claims = appendClaim(claims, key, value)
 							return

internal/api/oidc/userinfo.go

@@ -223,6 +223,9 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
 			actions.SetFields("v1",
 				actions.SetFields("userinfo",
 					actions.SetFields("setClaim", func(key string, value interface{}) {
+						if strings.HasPrefix(key, ClaimPrefix) {
+							return
+						}
 						if userInfo.Claims[key] == nil {
 							userInfo.AppendClaims(key, value)
 							return
@@ -235,6 +238,9 @@ func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, user
 				),
 				actions.SetFields("claims",
 					actions.SetFields("setClaim", func(key string, value interface{}) {
+						if strings.HasPrefix(key, ClaimPrefix) {
+							return
+						}
 						if userInfo.Claims[key] == nil {
 							userInfo.AppendClaims(key, value)
 							return