TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-04-08 16:54:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
zitadel/internal/query
History
Livio Spring 4fde7822d8
fix(oauth): check key expiry on JWT Profile Grant 
# Which Problems Are Solved

ZITADEL allows the use of JSON Web Token (JWT) Profile OAuth 2.0 for Authorization Grants in machine-to-machine (M2M) authentication. Multiple keys can be managed for a single machine account (service user), each with an individual expiry.

A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens.

This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys.

# How the Problems Are Solved

Added proper validation of the expiry of the stored public key.

# Additional Changes

None

# Additional Context

None

(cherry picked from commit 315503beabd679f2e6aec0c004f0f9d2f5b53ed3)
2025-03-31 12:49:56 +02:00
..
projection
fix: manage root CA for LDAP IdPs correctly (#9517)
2025-03-18 16:38:22 +01:00
testdata
feat: saml application configuration for login version (#9351)
2025-02-13 16:03:05 +00:00
access_token.go
perf(oidc): nest position clause for session terminated query (#8738)
2024-10-07 12:49:55 +00:00
action_flow_test.go
fix(actions): preserve order of execution (#8895)
2024-11-14 14:04:39 +00:00
action_flow.go
fix(actions): preserve order of execution (#8895)
2024-11-14 14:04:39 +00:00
action_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
action.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
app_oidc_project_permission.sql
feat: permission check on OIDC and SAML service session API (#9304)
2025-02-11 18:45:09 +00:00
app_saml_project_permission.sql
feat: permission check on OIDC and SAML service session API (#9304)
2025-02-11 18:45:09 +00:00
app_test.go
feat: saml application configuration for login version (#9351)
2025-02-13 16:03:05 +00:00
app.go
feat: saml application configuration for login version (#9351)
2025-02-13 16:03:05 +00:00
auth_request_by_id.sql
feat(oidc): optimize the userinfo endpoint (#7706)
2024-04-09 15:15:35 +02:00
auth_request_test.go
feat: specify login UI version on instance and apps (#9071)
2024-12-19 10:37:46 +01:00
auth_request.go
feat: specify login UI version on instance and apps (#9071)
2024-12-19 10:37:46 +01:00
authn_key_test.go
perf(oidc): remove get user by ID from jwt profile grant (#8580)
2024-09-11 12:04:09 +03:00
authn_key_user.sql
fix(oauth): check key expiry on JWT Profile Grant
2025-03-31 12:49:56 +02:00
authn_key.go
perf(oidc): remove get user by ID from jwt profile grant (#8580)
2024-09-11 12:04:09 +03:00
cache.go
refactor(handler): cache active instances (#9008)
2024-12-06 11:32:53 +00:00
certificate_test.go
feat(v3alpha): web key resource (#8262)
2024-08-14 14:18:14 +00:00
certificate.go
feat(v3alpha): web key resource (#8262)
2024-08-14 14:18:14 +00:00
converter.go
feat(api): feature flags (#7356)
2024-02-28 10:55:54 +02:00
current_state_test.go
fix(eventstore): revert precise decimal (#8527) (#8679)
2024-09-24 18:43:29 +02:00
current_state.go
fix(eventstore): revert precise decimal (#8527) (#8679)
2024-09-24 18:43:29 +02:00
custom_text_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
custom_text.go
fix: automatically link user without prompt (#8487)
2024-08-28 05:33:20 +00:00
debug_events_state_by_id.sql
feat: add debug events API (#8533)
2024-09-11 08:24:00 +00:00
debug_events_states.sql
feat: add debug events API (#8533)
2024-09-11 08:24:00 +00:00
debug_events.go
feat: add debug events API (#8533)
2024-09-11 08:24:00 +00:00
device_auth_test.go
feat(api): allow Device Authorization Grant using custom login UI (#9387)
2025-02-25 07:33:13 +01:00
device_auth.go
feat(api): allow Device Authorization Grant using custom login UI (#9387)
2025-02-25 07:33:13 +01:00
domain_policy_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
domain_policy.go
refactor(fmt): run gci on complete project (#7557)
2024-04-03 10:43:43 +00:00
event.go
chore: remove bloating span (#7780)
2024-04-16 11:19:17 +00:00
execution_targets.sql
feat: add action v2 execution on requests and responses (#7637)
2024-05-04 11:55:57 +02:00
execution_test.go
feat(v3alpha): read actions (#8357)
2024-08-12 22:32:01 +02:00
execution.go
feat: action v2 signing (#8779)
2024-11-28 10:06:52 +00:00
failed_events_test.go
feat(eventstore): increase parallel write capabilities (#5940)
2023-10-19 12:19:10 +02:00
failed_events.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
generic.go
feat: query side for executions and targets for actions v2 (#7524)
2024-03-14 09:56:23 +00:00
iam_member_test.go
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
iam_member.go
feat(/internal): Add User Resource Owner (#9168)
2025-01-15 09:40:30 +01:00
idp_login_policy_link_test.go
feat: add exclusion of criteria for active idp query (#9040)
2024-12-18 16:19:05 +00:00
idp_login_policy_link.go
feat: add exclusion of criteria for active idp query (#9040)
2024-12-18 16:19:05 +00:00
idp_template_test.go
fix: manage root CA for LDAP IdPs correctly (#9517)
2025-03-18 16:38:22 +01:00
idp_template.go
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373)
2025-02-26 12:20:47 +00:00
idp_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
idp_user_link_test.go
fix: generalise permission check for query user information (#8458)
2024-08-23 06:44:18 +00:00
idp_user_link.go
fix: generalise permission check for query user information (#8458)
2024-08-23 06:44:18 +00:00
idp.go
refactor(fmt): run gci on complete project (#7557)
2024-04-03 10:43:43 +00:00
instance_by_domain.sql
feat(fields): add instance domain (#9000)
2024-12-04 18:10:10 +00:00
instance_by_id.sql
feat(storage): generic cache interface (#8628)
2024-09-25 21:40:21 +02:00
instance_domain_test.go
feat(storage): read only transactions for queries (#6415)
2023-08-22 10:49:22 +00:00
instance_domain.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
instance_features_model.go
feat: Use V2 API's in Console (#9312)
2025-02-17 19:25:46 +01:00
instance_features_test.go
fix: add action v2 execution to features (#7597)
2024-04-09 20:21:21 +03:00
instance_features.go
feat: Use V2 API's in Console (#9312)
2025-02-17 19:25:46 +01:00
instance_test.go
feat(api): feature flags (#7356)
2024-02-28 10:55:54 +02:00
instance_trusted_domain_test.go
feat: trusted (instance) domains (#8369)
2024-07-31 18:00:38 +03:00
instance_trusted_domain.go
feat: trusted (instance) domains (#8369)
2024-07-31 18:00:38 +03:00
instance.go
refactor(handler): cache active instances (#9008)
2024-12-06 11:32:53 +00:00
instanceindex_enumer.go
perf(cache): pgx pool connector (#8703)
2024-10-04 13:15:41 +00:00
introspection_client_by_id.sql
fix: correctly check app state on authentication (#8630)
2024-09-17 11:34:14 +00:00
introspection_test.go
fix: correctly check app state on authentication (#8630)
2024-09-17 11:34:14 +00:00
introspection.go
fix: correctly check app state on authentication (#8630)
2024-09-17 11:34:14 +00:00
key_test.go
feat(v3alpha): web key resource (#8262)
2024-08-14 14:18:14 +00:00
key.go
feat(v3alpha): web key resource (#8262)
2024-08-14 14:18:14 +00:00
label_policy.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
lockout_policy_test.go
feat: provide option to limit (T)OTP checks (#7693)
2024-04-10 09:14:55 +00:00
lockout_policy.go
fix: correct error messages for policy queries (#8722)
2024-10-03 17:53:03 +02:00
login_name.go
perf: remove owner removed columns from projections for oidc (#6925)
2023-11-20 17:21:08 +02:00
login_policy_test.go
chore: use pgx v5 (#7577)
2024-03-27 15:48:22 +02:00
login_policy.go
refactor(fmt): run gci on complete project (#7557)
2024-04-03 10:43:43 +00:00
mail_template.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
member_roles.go
fix(query): realtime data on defined requests (#3726)
2022-06-14 07:51:00 +02:00
member.go
feat(/internal): Add User Resource Owner (#9168)
2025-01-15 09:40:30 +01:00
message_text_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
message_text.go
feat: invite user link (#8578)
2024-09-11 10:53:55 +00:00
milestone_test.go
fix(milestones): use previous spelling for milestone types (#8886)
2024-11-11 11:28:27 +00:00
milestone.go
fix: milestone multiple results per instance domain instead of primary instance domain (#9564)
2025-03-28 07:36:31 +01:00
notification_policy_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
notification_policy.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
notification_provider_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
notification_provider.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
oidc_client_by_id.sql
feat: specify login UI version on instance and apps (#9071)
2024-12-19 10:37:46 +01:00
oidc_client_test.go
feat: saml application configuration for login version (#9351)
2025-02-13 16:03:05 +00:00
oidc_client.go
feat: specify login UI version on instance and apps (#9071)
2024-12-19 10:37:46 +01:00
oidc_settings_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
oidc_settings.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
org_domain_test.go
feat(storage): read only transactions for queries (#6415)
2023-08-22 10:49:22 +00:00
org_domain.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
org_member_test.go
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
org_member.go
feat(/internal): Add User Resource Owner (#9168)
2025-01-15 09:40:30 +01:00
org_metadata_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
org_metadata.go
refactor(fmt): run gci on complete project (#7557)
2024-04-03 10:43:43 +00:00
org_test.go
fix: generalise permission check for query user information (#8458)
2024-08-23 06:44:18 +00:00
org.go
refactor(handler): cache active instances (#9008)
2024-12-06 11:32:53 +00:00
orgindex_enumer.go
feat(cache): organization (#8903)
2024-11-21 08:05:03 +02:00
password_age_policy_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
password_age_policy.go
fix: correct error messages for policy queries (#8722)
2024-10-03 17:53:03 +02:00
password_complexity_policy_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
password_complexity_policy.go
fix: correct error messages for policy queries (#8722)
2024-10-03 17:53:03 +02:00
permission.go
fix(permissions): return current user when calling ListUsers() when user does not have permissions (#9374)
2025-02-20 15:39:48 +00:00
prepare_test.go
feat: list users scim v2 endpoint (#9187)
2025-01-21 13:31:54 +01:00
privacy_policy_test.go
feat(cnsl): docs link can be customized and custom button is available (#7840)
2024-05-13 16:01:50 +02:00
privacy_policy.go
feat(cnsl): docs link can be customized and custom button is available (#7840)
2024-05-13 16:01:50 +02:00
project_grant_member_test.go
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
project_grant_member.go
feat(/internal): Add User Resource Owner (#9168)
2025-01-15 09:40:30 +01:00
project_grant_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
project_grant.go
refactor(fmt): run gci on complete project (#7557)
2024-04-03 10:43:43 +00:00
project_member_test.go
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
project_member.go
feat(/internal): Add User Resource Owner (#9168)
2025-01-15 09:40:30 +01:00
project_role_test.go
perf: remove owner removed columns from projections for oidc (#6925)
2023-11-20 17:21:08 +02:00
project_role.go
refactor(fmt): run gci on complete project (#7557)
2024-04-03 10:43:43 +00:00
project_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
project.go
refactor(fmt): run gci on complete project (#7557)
2024-04-03 10:43:43 +00:00
query_test.go
fix(setup): init projections (#7194)
2024-01-25 17:28:20 +01:00
query.go
refactor(handler): cache active instances (#9008)
2024-12-06 11:32:53 +00:00
quota_notifications_test.go
perf: project quotas and usages (#6441)
2023-09-15 16:58:45 +02:00
quota_notifications.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
quota_periods_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
quota_periods.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
quota_test.go
chore: use pgx v5 (#7577)
2024-03-27 15:48:22 +02:00
quota.go
chore: use pgx v5 (#7577)
2024-03-27 15:48:22 +02:00
restrictions_test.go
fix: projection version of restrictions (#7028)
2023-12-06 10:30:56 +00:00
restrictions.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
saml_request_by_id.sql
feat: add saml request to link to sessions (#9001)
2024-12-19 11:11:40 +00:00
saml_request_test.go
feat: add saml request to link to sessions (#9001)
2024-12-19 11:11:40 +00:00
saml_request.go
feat: add saml request to link to sessions (#9001)
2024-12-19 11:11:40 +00:00
saml_sp_by_id.sql
feat: saml application configuration for login version (#9351)
2025-02-13 16:03:05 +00:00
saml_sp_test.go
feat: saml application configuration for login version (#9351)
2025-02-13 16:03:05 +00:00
saml_sp.go
feat: saml application configuration for login version (#9351)
2025-02-13 16:03:05 +00:00
search_query_test.go
fix: scim 2 filter: the username should be treated case-insensitive (#9257)
2025-01-29 15:22:22 +02:00
search_query.go
fix: scim 2 filter: the username should be treated case-insensitive (#9257)
2025-01-29 15:22:22 +02:00
secret_generator_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
secret_generators.go
fix(query): print log line on secret generator error (#8424)
2024-08-13 14:52:43 +02:00
security_policy.go
feat: impersonation roles (#7442)
2024-02-28 10:21:11 +00:00
session.go
fix: prevent panic when retrieving session by id in internal calls (#9442)
2025-03-03 11:24:52 +01:00
sessions_test.go
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
sms_test.go
feat: Add Twilio Verification Service (#8678)
2024-09-26 09:14:33 +02:00
sms.go
test(session): load tests for session api (#9212)
2025-01-29 12:08:20 +00:00
smtp_test.go
fix: correctly create SMTP provider list (#8724)
2024-10-04 09:34:44 +00:00
smtp.go
feat: add http as smtp provider (#8545)
2024-09-12 06:27:29 +02:00
system_features_model.go
perf: role permissions in database (#9152)
2025-01-16 10:09:15 +00:00
system_features_test.go
fix: add action v2 execution to features (#7597)
2024-04-09 20:21:21 +03:00
system_features.go
perf: role permissions in database (#9152)
2025-01-16 10:09:15 +00:00
target_test.go
feat: action v2 signing (#8779)
2024-11-28 10:06:52 +00:00
target.go
feat: action v2 signing (#8779)
2024-11-28 10:06:52 +00:00
targets_by_execution_id.sql
feat: action v2 signing (#8779)
2024-11-28 10:06:52 +00:00
targets_by_execution_ids.sql
feat: action v2 signing (#8779)
2024-11-28 10:06:52 +00:00
user_auth_method_test.go
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
user_auth_method.go
feat: v2 api add way to list authentication factors (#9065)
2025-01-02 13:14:49 +00:00
user_by_id.sql
fix: scim v2 endpoints enforce user resource owner (#9273)
2025-01-30 16:43:13 +01:00
user_by_login_name.sql
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
user_grant_test.go
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
user_grant.go
fix(eventstore): revert precise decimal (#8527) (#8679)
2024-09-24 18:43:29 +02:00
user_membership_test.go
perf: remove owner removed columns from projections for oidc (#6925)
2023-11-20 17:21:08 +02:00
user_membership.go
fix(eventstore): revert precise decimal (#8527) (#8679)
2024-09-24 18:43:29 +02:00
user_metadata_test.go
feat: list users scim v2 endpoint (#9187)
2025-01-21 13:31:54 +01:00
user_metadata.go
feat: list users scim v2 endpoint (#9187)
2025-01-21 13:31:54 +01:00
user_notify_by_id.sql
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
user_notify_by_login_name.sql
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
user_otp.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
user_password.go
feat(crypto): use passwap for machine and app secrets (#7657)
2024-04-05 09:35:49 +00:00
user_personal_access_token_test.go
refactor: rename package errors to zerrors (#7039)
2023-12-08 15:30:55 +01:00
user_personal_access_token.go
refactor(fmt): run gci on complete project (#7557)
2024-04-03 10:43:43 +00:00
user_schema_test.go
feat: add schema user create and remove (#8494)
2024-08-28 19:46:45 +00:00
user_schema.go
feat: add schema user create and remove (#8494)
2024-08-28 19:46:45 +00:00
user_test.go
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
user.go
fix(permissions): return current user when calling ListUsers() when user does not have permissions (#9374)
2025-02-20 15:39:48 +00:00
userinfo_by_id.sql
feat(users/v2): return prompt information (#9255)
2025-01-29 15:12:31 +00:00
userinfo_client_by_id.sql
feat(oidc): optimize the userinfo endpoint (#7706)
2024-04-09 15:15:35 +02:00
userinfo_test.go
feat(oidc): organization roles scope (#8120)
2024-06-14 10:00:43 +02:00
userinfo.go
feat(oidc): organization roles scope (#8120)
2024-06-14 10:00:43 +02:00
web_key_by_state.sql
fix(webkeys): remove include private key from projection index (#8436)
2024-08-16 11:41:09 +00:00
web_key_list.sql
fix(webkeys): remove include private key from projection index (#8436)
2024-08-16 11:41:09 +00:00
web_key_model.go
feat(v3alpha): web key resource (#8262)
2024-08-14 14:18:14 +00:00
web_key_public_keys.sql
fix(webkeys): remove include private key from projection index (#8436)
2024-08-16 11:41:09 +00:00
web_key_test.go
feat(v3alpha): web key resource (#8262)
2024-08-14 14:18:14 +00:00
web_key.go
feat(v3alpha): web key resource (#8262)
2024-08-14 14:18:14 +00:00
zitadel_permission.go
perf: remove owner removed columns from projections for oidc (#6925)
2023-11-20 17:21:08 +02:00