From e158f9447e13c145c3e3adf21d872bbbb93c815e Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Wed, 10 Sep 2025 08:25:25 +0200
Subject: [PATCH] fix(oidc): ignore invalid id_token_hints (#10682)

# Which Problems Are Solved
Invalid id_tokens used as `id_token_hint` on the authorization endpoints currently return an error, resp. get display on the endpoint itself.
# How the Problems Are Solved
Ignore invalid id_token_hint errors and just log them.
# Additional Changes
None
# Additional Context
- closes https://github.com/zitadel/zitadel/issues/10673
- backport to v4.x
---
 internal/api/oidc/server.go | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/internal/api/oidc/server.go b/internal/api/oidc/server.go
index 1a01124dd74..4f9b3d7f76c 100644
--- a/internal/api/oidc/server.go
+++ b/internal/api/oidc/server.go
@@ -140,9 +140,19 @@ func (s *Server) VerifyAuthRequest(ctx context.Context, r *op.Request[oidc.AuthR
 
 func (s *Server) Authorize(ctx context.Context, r *op.ClientRequest[oidc.AuthRequest]) (_ *op.Redirect, err error) {
 	ctx, span := tracing.NewSpan(ctx)
-	defer func() { span.EndWithError(err) }()
+	defer span.End()
 
-	return s.LegacyServer.Authorize(ctx, r)
+	// Use an own method to validate the id_token_hint, because in case of an error, we don't want to fail the request.
+	// We just want to ignore the hint.
+	userID, err := op.ValidateAuthReqIDTokenHint(ctx, r.Data.IDTokenHint, s.Provider().IDTokenHintVerifier(ctx))
+	logging.WithFields("instanceID", authz.GetInstance(ctx).InstanceID()).
+		OnError(err).Error("invalid id_token_hint")
+
+	req, err := s.Provider().Storage().CreateAuthRequest(ctx, r.Data, userID)
+	if err != nil {
+		return op.TryErrorRedirect(ctx, r.Data, oidc.DefaultToServerError(err, "unable to save auth request"), s.Provider().Encoder(), s.Provider().Logger())
+	}
+	return op.NewRedirect(r.Client.LoginURL(req.GetID())), nil
 }
 
 func (s *Server) DeviceAuthorization(ctx context.Context, r *op.ClientRequest[oidc.DeviceAuthorizationRequest]) (_ *op.Response, err error) {
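Review bot: `userID` returned by `op.ValidateAuthReqIDTokenHint` is passed to `CreateAuthRequest` even when `err` is non-nil, so a subject from a hint that failed verification only stays out of the auth request if the library guarantees an empty value on error; making that invariant local to this function with `if err != nil { userID = "" }` after the logging call removes the dependency on that contract. Swapping `defer func() { span.EndWithError(err) }()` for `defer span.End()` also stops the span from recording the `CreateAuthRequest` failure that is still returned through `op.TryErrorRedirect`, and looks inconsistent with `DeviceAuthorization`, which keeps the named `err` result and presumably still ends its span with it; the original defer can stay because the final `return ..., nil` resets `err` on the success path. Logging every invalid, client-supplied hint at Error level may also be noisy for unauthenticated traffic, so Warn or Info would better match an input the handler deliberately tolerates.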