fix: use correct org id for external authentication actions (#5793)
This commit is contained in:
parent
40bf7e49cc
commit
e0505b2def
@ -6,6 +6,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
"github.com/dop251/goja"
|
"github.com/dop251/goja"
|
||||||
|
"github.com/zitadel/logging"
|
||||||
"github.com/zitadel/oidc/v2/pkg/oidc"
|
"github.com/zitadel/oidc/v2/pkg/oidc"
|
||||||
"golang.org/x/text/language"
|
"golang.org/x/text/language"
|
||||||
|
|
||||||
@ -14,6 +15,7 @@ import (
|
|||||||
"github.com/zitadel/zitadel/internal/api/authz"
|
"github.com/zitadel/zitadel/internal/api/authz"
|
||||||
"github.com/zitadel/zitadel/internal/domain"
|
"github.com/zitadel/zitadel/internal/domain"
|
||||||
"github.com/zitadel/zitadel/internal/idp"
|
"github.com/zitadel/zitadel/internal/idp"
|
||||||
|
"github.com/zitadel/zitadel/internal/query"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (l *Login) runPostExternalAuthenticationActions(
|
func (l *Login) runPostExternalAuthenticationActions(
|
||||||
@ -26,7 +28,21 @@ func (l *Login) runPostExternalAuthenticationActions(
|
|||||||
) (_ *domain.ExternalUser, userChanged bool, err error) {
|
) (_ *domain.ExternalUser, userChanged bool, err error) {
|
||||||
ctx := httpRequest.Context()
|
ctx := httpRequest.Context()
|
||||||
|
|
||||||
|
// use the request org (scopes or domain discovery) as default
|
||||||
resourceOwner := authRequest.RequestedOrgID
|
resourceOwner := authRequest.RequestedOrgID
|
||||||
|
// if the user was already linked to an IDP and redirected to that, the requested org might be empty
|
||||||
|
if resourceOwner == "" {
|
||||||
|
resourceOwner = authRequest.UserOrgID
|
||||||
|
}
|
||||||
|
// if we will have no org (e.g. user clicked directly on the IDP on the login page)
|
||||||
|
if resourceOwner == "" {
|
||||||
|
// in this case the user might nevertheless already be linked to an IDP,
|
||||||
|
// so let's do a workaround and resourceOwnerOfUserIDPLink if there would be a IDP link
|
||||||
|
resourceOwner, err = l.resourceOwnerOfUserIDPLink(ctx, authRequest.SelectedIDPConfigID, user.ExternalUserID)
|
||||||
|
logging.WithFields("authReq", authRequest.ID, "idpID", authRequest.SelectedIDPConfigID).OnError(err).
|
||||||
|
Warn("could not determine resource owner for runPostExternalAuthenticationActions, fall back to default org id")
|
||||||
|
}
|
||||||
|
// fallback to default org id
|
||||||
if resourceOwner == "" {
|
if resourceOwner == "" {
|
||||||
resourceOwner = authz.GetInstance(ctx).DefaultOrganisationID()
|
resourceOwner = authz.GetInstance(ctx).DefaultOrganisationID()
|
||||||
}
|
}
|
||||||
@ -394,3 +410,25 @@ func tokenCtxFields(tokens *oidc.Tokens[*oidc.IDTokenClaims]) []actions.FieldOpt
|
|||||||
actions.SetFields("claimsJSON", claimsJSON),
|
actions.SetFields("claimsJSON", claimsJSON),
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (l *Login) resourceOwnerOfUserIDPLink(ctx context.Context, idpConfigID string, externalUserID string) (string, error) {
|
||||||
|
idQuery, err := query.NewIDPUserLinkIDPIDSearchQuery(idpConfigID)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
externalIDQuery, err := query.NewIDPUserLinksExternalIDSearchQuery(externalUserID)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
queries := []query.SearchQuery{
|
||||||
|
idQuery, externalIDQuery,
|
||||||
|
}
|
||||||
|
links, err := l.query.IDPUserLinks(ctx, &query.IDPUserLinksSearchQuery{Queries: queries}, false)
|
||||||
|
if err != nil {
|
||||||
|
return "", err
|
||||||
|
}
|
||||||
|
if len(links.Links) != 1 {
|
||||||
|
return "", nil
|
||||||
|
}
|
||||||
|
return links.Links[0].ResourceOwner, nil
|
||||||
|
}
|
||||||
|
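Review bot: In the `@ -26,7 +28,21` hunk, `resourceOwner, err = l.resourceOwnerOfUserIDPLink(ctx, authRequest.SelectedIDPConfigID, user.ExternalUserID)` stores a lookup failure in the function's named `err` result and then only logs it, so the error is still set after the code falls back to the default org; any later `return` that does not reassign `err` (a naked return included) would hand this swallowed error to the caller even though the actions ran. runPostExternalAuthenticationActions continues past the hunk, so I cannot confirm that such a return exists, but keeping the best-effort lookup out of the result variable avoids the question: `owner, lookupErr := l.resourceOwnerOfUserIDPLink(ctx, authRequest.SelectedIDPConfigID, user.ExternalUserID)`, log `lookupErr` in the existing `logging.WithFields(...).OnError(...)` call, then `resourceOwner = owner`. In the `@ -394,3 +410,25` hunk, `resourceOwnerOfUserIDPLink` returns `"", nil` when `len(links.Links) != 1`, which silently routes a user linked in several orgs to the instance default org; a comment on that branch such as `// no link or ambiguous (several links): return "" so the caller falls back to the default org` or a debug log of the link count would make it visible which org's actions ended up running.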