fix: primary domain claim (#1082)

* fix: primary domain scope (overwrite by roles and rogue `:`) * disable wrong users * fix test * show requested org name * only show domain when selected
2025-08-12 01:27:32 +00:00 · 2020-12-14 10:54:29 +01:00
parent c6fed8ae86
commit b71a444e86
27 changed files with 245 additions and 148 deletions
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -2,17 +2,16 @@ package oidc

 import (
 	"context"
-	"github.com/caos/zitadel/internal/auth_request/model"
 	"strings"

-	"golang.org/x/text/language"
-	"gopkg.in/square/go-jose.v2"
-
 	"github.com/caos/oidc/pkg/oidc"
 	"github.com/caos/oidc/pkg/op"
+	"golang.org/x/text/language"
+	"gopkg.in/square/go-jose.v2"

 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/auth_request/model"
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	proj_model "github.com/caos/zitadel/internal/project/model"
@@ -155,7 +154,7 @@ func (o *OPStorage) GetUserinfoFromScopes(ctx context.Context, userID, applicati
 				roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
 			}
 			if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
-				userInfo.AppendClaims(model.OrgDomainPrimaryScope, strings.TrimPrefix(scope, model.OrgDomainPrimaryScope))
+				userInfo.AppendClaims(model.OrgDomainPrimaryClaim, strings.TrimPrefix(scope, model.OrgDomainPrimaryScope))
 			}
 		}
 	}
@@ -180,7 +179,7 @@ func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clie
 		if strings.HasPrefix(scope, ScopeProjectRolePrefix) {
 			roles = append(roles, strings.TrimPrefix(scope, ScopeProjectRolePrefix))
 		} else if strings.HasPrefix(scope, model.OrgDomainPrimaryScope) {
-			claims = map[string]interface{}{model.OrgDomainPrimaryScope: strings.TrimPrefix(scope, model.OrgDomainPrimaryScope)}
+			claims = appendClaim(claims, model.OrgDomainPrimaryClaim, strings.TrimPrefix(scope, model.OrgDomainPrimaryScope))
 		}
 	}
 	if len(roles) == 0 || clientID == "" {
@@ -191,7 +190,7 @@ func (o *OPStorage) GetPrivateClaimsFromScopes(ctx context.Context, userID, clie
 		return nil, err
 	}
 	if len(projectRoles) > 0 {
-		claims = map[string]interface{}{ClaimProjectRoles: projectRoles}
+		claims = appendClaim(claims, ClaimProjectRoles, projectRoles)
 	}
 	return claims, err
 }
@@ -240,3 +239,11 @@ func getGender(gender user_model.Gender) string {
 	}
 	return ""
 }
+
+func appendClaim(claims map[string]interface{}, claim string, value interface{}) map[string]interface{} {
+	if claims == nil {
+		claims = make(map[string]interface{})
+	}
+	claims[claim] = value
+	return claims
+}