fix: provide domain in session, passkey and u2f (#6097)

This fix provides a possibility to pass a domain on the session, which will be used (as rpID) to create a passkey / u2f assertion and attestation. This is useful in cases where the login UI is served under a different domain / origin than the ZITADEL API.
2025-08-12 01:47:33 +00:00 · 2023-06-27 14:36:07 +02:00
parent d0cda1b479
commit bd5defa96a
32 changed files with 287 additions and 123 deletions
--- a/internal/api/grpc/session/v2/session.go
+++ b/internal/api/grpc/session/v2/session.go
@@ -47,7 +47,7 @@ func (s *Server) CreateSession(ctx context.Context, req *session.CreateSessionRe
 	}
 	challengeResponse, cmds := s.challengesToCommand(req.GetChallenges(), checks)

-	set, err := s.command.CreateSession(ctx, cmds, metadata)
+	set, err := s.command.CreateSession(ctx, cmds, req.GetDomain(), metadata)
 	if err != nil {
 		return nil, err
 	}
@@ -107,6 +107,7 @@ func sessionToPb(s *query.Session) *session.Session {
 		Sequence:     s.Sequence,
 		Factors:      factorsToPb(s),
 		Metadata:     s.Metadata,
+		Domain:       s.Domain,
 	}
 }

--- a/internal/api/grpc/session/v2/session_integration_test.go
+++ b/internal/api/grpc/session/v2/session_integration_test.go
@@ -141,6 +141,7 @@ func TestServer_CreateSession(t *testing.T) {
 					},
 				},
 				Metadata: map[string][]byte{"foo": []byte("bar")},
+				Domain:   "domain",
 			},
 			want: &session.CreateSessionResponse{
 				Details: &object.Details{
@@ -169,6 +170,22 @@ func TestServer_CreateSession(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		{
+			name: "passkey without domain (not registered) error",
+			req: &session.CreateSessionRequest{
+				Checks: &session.Checks{
+					User: &session.CheckUser{
+						Search: &session.CheckUser_UserId{
+							UserId: User.GetUserId(),
+						},
+					},
+				},
+				Challenges: []session.ChallengeKind{
+					session.ChallengeKind_CHALLENGE_KIND_PASSKEY,
+				},
+			},
+			wantErr: true,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -198,6 +215,7 @@ func TestServer_CreateSession_passkey(t *testing.T) {
 		Challenges: []session.ChallengeKind{
 			session.ChallengeKind_CHALLENGE_KIND_PASSKEY,
 		},
+		Domain: Tester.Config.ExternalDomain,
 	})
 	require.NoError(t, err)
 	verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil)
@@ -325,7 +343,7 @@ func TestServer_SetSession_flow(t *testing.T) {
 	var wantFactors []wantFactor

 	// create new, empty session
-	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{})
+	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{Domain: Tester.Config.ExternalDomain})
 	require.NoError(t, err)
 	verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, wantFactors...)
 	sessionToken := createResp.GetSessionToken()
--- a/internal/api/grpc/user/v2/passkey.go
+++ b/internal/api/grpc/user/v2/passkey.go
@@ -20,11 +20,11 @@ func (s *Server) RegisterPasskey(ctx context.Context, req *user.RegisterPasskeyR
 	)
 	if code := req.GetCode(); code != nil {
 		return passkeyRegistrationDetailsToPb(
-			s.command.RegisterUserPasskeyWithCode(ctx, req.GetUserId(), resourceOwner, authenticator, code.Id, code.Code, s.userCodeAlg),
+			s.command.RegisterUserPasskeyWithCode(ctx, req.GetUserId(), resourceOwner, authenticator, code.Id, code.Code, req.GetDomain(), s.userCodeAlg),
 		)
 	}
 	return passkeyRegistrationDetailsToPb(
-		s.command.RegisterUserPasskey(ctx, req.GetUserId(), resourceOwner, authenticator),
+		s.command.RegisterUserPasskey(ctx, req.GetUserId(), resourceOwner, req.GetDomain(), authenticator),
 	)
 }

--- a/internal/api/grpc/user/v2/u2f.go
+++ b/internal/api/grpc/user/v2/u2f.go
@@ -12,7 +12,7 @@ import (

 func (s *Server) RegisterU2F(ctx context.Context, req *user.RegisterU2FRequest) (*user.RegisterU2FResponse, error) {
 	return u2fRegistrationDetailsToPb(
-		s.command.RegisterUserU2F(ctx, req.GetUserId(), authz.GetCtxData(ctx).ResourceOwner),
+		s.command.RegisterUserU2F(ctx, req.GetUserId(), authz.GetCtxData(ctx).ResourceOwner, req.GetDomain()),
 	)
 }