fix(oidc): IDP and machine user auth methods (#7992)

# Which Problems Are Solved After https://github.com/zitadel/zitadel/pull/7822 was merged we discovered that v2 tokens that where obtained through an IDP using the v1 login, can't be used for zitadel API calls. - Because we used to store the AMR claim on the auth request, but internally use the domain.UserAuthMethod type. AMR has no notion of an IDP login, so that "factor" was lost during conversion. Rendering those v2 tokens invalid on the zitadel API. - A wrong check on machine user tokens falsly allowed some tokens to be valid - The client ID was set to tokens from client credentials and JWT profile, which made client queries fail in the validation middleware. The middleware expects client ID unset for machine users. # How the Problems Are Solved Store the domain.AuthMethods directly in the auth requests and session, instead of using AMR claims with lossy conversion. - IDPs have seperate auth method, which is not an AMR claim - Machine users are treated specialy, eg auth methods are not required. - Do not set the client ID for client credentials and JWT profile # Additional Changes Cleaned up mostly unused `oidc.getInfoFromRequest()`. # Additional Context - Bugs were introduced in https://github.com/zitadel/zitadel/pull/7822 and not yet part of a release. - Reported internally.
2025-08-11 19:07:30 +00:00 · 2024-05-23 07:35:10 +02:00
parent e57a9b57c8
commit f5e9d4f57f
11 changed files with 126 additions and 112 deletions
--- a/internal/query/user_auth_method_test.go
+++ b/internal/query/user_auth_method_test.go
@@ -59,6 +59,7 @@ var (
 	prepareAuthMethodTypesRequiredStmt = `SELECT projections.users12_notifications.password_set,` +
 		` auth_method_types.method_type,` +
 		` user_idps_count.count,` +
+		` projections.users12.type,` +
 		` auth_methods_force_mfa.force_mfa,` +
 		` auth_methods_force_mfa.force_mfa_local_only` +
 		` FROM projections.users12` +
@@ -75,6 +76,7 @@ var (
 `
 	prepareAuthMethodTypesRequiredCols = []string{
 		"password_set",
+		"type",
 		"method_type",
 		"idps_count",
 		"force_mfa",
@@ -317,14 +319,10 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 		},
 		{
 			name: "prepareUserAuthMethodTypesRequiredQuery no result",
-			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*testUserAuthMethodTypesRequired, error)) {
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*UserAuthMethodRequirements, error)) {
 				builder, scan := prepareUserAuthMethodTypesRequiredQuery(ctx, db)
-				return builder, func(rows *sql.Rows) (*testUserAuthMethodTypesRequired, error) {
-					authMethods, forceMFA, forceMFALocalOnly, err := scan(rows)
-					if err != nil {
-						return nil, err
-					}
-					return &testUserAuthMethodTypesRequired{authMethods: authMethods, forceMFA: forceMFA, forceMFALocalOnly: forceMFALocalOnly}, nil
+				return builder, func(rows *sql.Rows) (*UserAuthMethodRequirements, error) {
+					return scan(rows)
 				}
 			},
 			want: want{
@@ -334,18 +332,14 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 					nil,
 				),
 			},
-			object: &testUserAuthMethodTypesRequired{authMethods: []domain.UserAuthMethodType{}, forceMFA: false},
+			object: &UserAuthMethodRequirements{AuthMethods: []domain.UserAuthMethodType{}, ForceMFA: false},
 		},
 		{
 			name: "prepareUserAuthMethodTypesRequiredQuery one second factor",
-			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*testUserAuthMethodTypesRequired, error)) {
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*UserAuthMethodRequirements, error)) {
 				builder, scan := prepareUserAuthMethodTypesRequiredQuery(ctx, db)
-				return builder, func(rows *sql.Rows) (*testUserAuthMethodTypesRequired, error) {
-					authMethods, forceMFA, forceMFALocalOnly, err := scan(rows)
-					if err != nil {
-						return nil, err
-					}
-					return &testUserAuthMethodTypesRequired{authMethods: authMethods, forceMFA: forceMFA, forceMFALocalOnly: forceMFALocalOnly}, nil
+				return builder, func(rows *sql.Rows) (*UserAuthMethodRequirements, error) {
+					return scan(rows)
 				}
 			},
 			want: want{
@@ -357,32 +351,30 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 							true,
 							domain.UserAuthMethodTypePasswordless,
 							1,
+							domain.UserTypeHuman,
 							true,
 							true,
 						},
 					},
 				),
 			},
-			object: &testUserAuthMethodTypesRequired{
-				authMethods: []domain.UserAuthMethodType{
+			object: &UserAuthMethodRequirements{
+				UserType: domain.UserTypeHuman,
+				AuthMethods: []domain.UserAuthMethodType{
 					domain.UserAuthMethodTypePasswordless,
 					domain.UserAuthMethodTypePassword,
 					domain.UserAuthMethodTypeIDP,
 				},
-				forceMFA:          true,
-				forceMFALocalOnly: true,
+				ForceMFA:          true,
+				ForceMFALocalOnly: true,
 			},
 		},
 		{
 			name: "prepareUserAuthMethodTypesRequiredQuery multiple second factors",
-			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*testUserAuthMethodTypesRequired, error)) {
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*UserAuthMethodRequirements, error)) {
 				builder, scan := prepareUserAuthMethodTypesRequiredQuery(ctx, db)
-				return builder, func(rows *sql.Rows) (*testUserAuthMethodTypesRequired, error) {
-					authMethods, forceMFA, forceMFALocalOnly, err := scan(rows)
-					if err != nil {
-						return nil, err
-					}
-					return &testUserAuthMethodTypesRequired{authMethods: authMethods, forceMFA: forceMFA, forceMFALocalOnly: forceMFALocalOnly}, nil
+				return builder, func(rows *sql.Rows) (*UserAuthMethodRequirements, error) {
+					return scan(rows)
 				}
 			},
 			want: want{
@@ -394,6 +386,7 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 							true,
 							domain.UserAuthMethodTypePasswordless,
 							1,
+							domain.UserTypeHuman,
 							true,
 							true,
 						},
@@ -401,6 +394,7 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 							true,
 							domain.UserAuthMethodTypeTOTP,
 							1,
+							domain.UserTypeHuman,
 							true,
 							true,
 						},
@@ -408,27 +402,24 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 				),
 			},

-			object: &testUserAuthMethodTypesRequired{
-				authMethods: []domain.UserAuthMethodType{
+			object: &UserAuthMethodRequirements{
+				UserType: domain.UserTypeHuman,
+				AuthMethods: []domain.UserAuthMethodType{
 					domain.UserAuthMethodTypePasswordless,
 					domain.UserAuthMethodTypeTOTP,
 					domain.UserAuthMethodTypePassword,
 					domain.UserAuthMethodTypeIDP,
 				},
-				forceMFA:          true,
-				forceMFALocalOnly: true,
+				ForceMFA:          true,
+				ForceMFALocalOnly: true,
 			},
 		},
 		{
 			name: "prepareUserAuthMethodTypesRequiredQuery sql err",
-			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*testUserAuthMethodTypesRequired, error)) {
+			prepare: func(ctx context.Context, db prepareDatabase) (sq.SelectBuilder, func(*sql.Rows) (*UserAuthMethodRequirements, error)) {
 				builder, scan := prepareUserAuthMethodTypesRequiredQuery(ctx, db)
-				return builder, func(rows *sql.Rows) (*testUserAuthMethodTypesRequired, error) {
-					authMethods, forceMFA, forceMFALocalOnly, err := scan(rows)
-					if err != nil {
-						return nil, err
-					}
-					return &testUserAuthMethodTypesRequired{authMethods: authMethods, forceMFA: forceMFA, forceMFALocalOnly: forceMFALocalOnly}, nil
+				return builder, func(rows *sql.Rows) (*UserAuthMethodRequirements, error) {
+					return scan(rows)
 				}
 			},
 			want: want{
@@ -452,10 +443,3 @@ func Test_UserAuthMethodPrepares(t *testing.T) {
 		})
 	}
 }
-
-// testUserAuthMethodTypesRequired is required as assetPrepare is only able to return a single object from scan
-type testUserAuthMethodTypesRequired struct {
-	authMethods       []domain.UserAuthMethodType
-	forceMFA          bool
-	forceMFALocalOnly bool
-}