fix: token verification (don't cache zitadel id system wide) (#3542)

internal/api/authz/token.go

@@ -78,14 +78,10 @@ func (v *TokenVerifier) clientIDAndProjectIDFromMethod(ctx context.Context, meth
 		return "", "", caos_errs.ThrowPermissionDenied(nil, "AUTHZ-G2qrh", "Errors.Internal")
 	}
 	c := app.(*client)
-	if c.id != "" {
-		return c.id, c.projectID, nil
-	}
 	c.id, c.projectID, err = v.authZRepo.VerifierClientID(ctx, c.name)
 	if err != nil {
 		return "", "", caos_errs.ThrowPermissionDenied(err, "AUTHZ-ptTIF2", "Errors.Internal")
 	}
-	v.clients.Store(prefix, c)
 	return c.id, c.projectID, nil
 }
 func (v *TokenVerifier) SearchMyMemberships(ctx context.Context) (_ []*Membership, err error) {

internal/authz/repository/eventsourcing/eventstore/token_verifier.go

@@ -90,7 +90,7 @@ func (repo *TokenVerifierRepo) VerifyAccessToken(ctx context.Context, tokenStrin
 		return token.UserID, "", "", "", token.ResourceOwner, nil
 	}
 	for _, aud := range token.Audience {
-		if verifierClientID == aud || projectID == aud {
+		if verifierClientID == aud || projectID == aud || authz.GetInstance(ctx).ProjectID() == aud {
 			return token.UserID, token.UserAgentID, token.ApplicationID, token.PreferredLanguage, token.ResourceOwner, nil
 		}
 	}
@@ -236,11 +236,7 @@ func (repo *TokenVerifierRepo) VerifierClientID(ctx context.Context, appName str
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	iam, err := repo.Query.Instance(ctx)
-	if err != nil {
-		return "", "", err
-	}
-	app, err := repo.View.ApplicationByProjecIDAndAppName(ctx, iam.IAMProjectID, appName)
+	app, err := repo.View.ApplicationByProjecIDAndAppName(ctx, authz.GetInstance(ctx).ProjectID(), appName)
 	if err != nil {
 		return "", "", err
 	}