From e6ce1af0038d4913431aa9de0a688d81d7b09d7e Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Tue, 11 Mar 2025 12:14:18 +0100
Subject: [PATCH] fix(token exchange): properly return an error if membership is missing (#9468)
# Which Problems Are Solved
When requesting a JWT (`urn:ietf:params:oauth:token-type:jwt`) to be returned in a Token Exchange request, ZITADEL would panic if the `actor` was not granted the necessary permission.
# How the Problems Are Solved
Properly check the error and return it.
# Additional Changes
None
# Additional Context
- closes #9436
---
 .../api/oidc/integration_test/token_exchange_test.go | 11 +++++++++++
 internal/api/oidc/token_exchange.go | 3 +++
 2 files changed, 14 insertions(+)
diff --git a/internal/api/oidc/integration_test/token_exchange_test.go b/internal/api/oidc/integration_test/token_exchange_test.go
index 1319eea19a..0844898a2f 100644
--- a/internal/api/oidc/integration_test/token_exchange_test.go
+++ b/internal/api/oidc/integration_test/token_exchange_test.go
@@ -428,6 +428,17 @@ func TestServer_TokenExchangeImpersonation(t *testing.T) {
 },
 wantErr: true,
 },
+ {
+ name: "IMPERSONATION: subject: userID, actor: access token, requested type: JWT, membership not found error",
+ args: args{
+ SubjectToken: userResp.GetUserId(),
+ SubjectTokenType: oidc_api.UserIDTokenType,
+ RequestedTokenType: oidc.JWTTokenType,
+ ActorToken: noPermPAT,
+ ActorTokenType: oidc.AccessTokenType,
+ },
+ wantErr: true,
+ },
 {
 name: "IAM IMPERSONATION: subject: userID, actor: access token, success",
 args: args{
diff --git a/internal/api/oidc/token_exchange.go b/internal/api/oidc/token_exchange.go
index 3887ff7c51..030066ea1c 100644
--- a/internal/api/oidc/token_exchange.go
+++ b/internal/api/oidc/token_exchange.go
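Review bot: The new table entry pins only `wantErr: true`, so it would also pass if the exchange failed for an unrelated reason (a rejected token type, for instance) rather than for the missing membership the case is named for, and it would not distinguish a clean error from the panic this commit is meant to remove. If the table's expectation struct supports it, asserting the specific error (or at least that the response is a well-formed OAuth error and not a server failure) would tie the case to the regression in #9436; whether such a field exists cannot be seen here, since the args/test struct and `noPermPAT` are defined outside the hunk. TestServer_TokenExchangeImpersonation starts and ends outside the hunk.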
@@ -349,6 +349,9 @@ func (s *Server) createExchangeJWT(
 "",
 domain.OIDCResponseTypeUnspecified,
 )
+ if err != nil {
+ return "", "", 0, err
+ }
 accessToken, err = s.createJWT(ctx, client, session, getUserInfo, roleAssertion, getSigner)
 if err != nil {
 return "", "", 0, err
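Review bot: The added guard returns the error from the preceding call unchanged, so whatever that call produces for an actor without the required membership reaches the token endpoint's error handling as-is; the call itself, and the declaration of `err` and `session`, begin above the hunk, so its error type is not visible here. It is worth confirming that the OIDC layer maps that error to a generic OAuth error code (such as `access_denied` or `invalid_request`) rather than surfacing the lookup's internal message, since the response is returned to the party presenting the actor token. A short comment on the guard, such as `// an actor without the required membership must fail here instead of reaching createJWT with an invalid session`, would record why the check sits before the createJWT call. createExchangeJWT starts and ends outside the hunk.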