TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2024-12-13 19:44:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
0b82fc1ed0
zitadel/internal/query
History
Livio Spring ec222a13d7
fix(oidc): IDP and passwordless user auth methods (#7998) 
# Which Problems Are Solved

As already mentioned and (partially) fixed in #7992 we discovered,
issues with v2 tokens that where obtained through an IDP, with
passwordless authentication or with password authentication (wihtout any
2FA set up) using the v1 login for zitadel API calls
- (Previous) authentication through an IdP is now correctly treated as
auth method in case of a reauth even when the user is not redirected to
the IdP
- There were some cases where passwordless authentication was
successfully checked but not correctly set as auth method, which denied
access to ZITADEL API
- Users with password and passwordless, but no 2FA set up which
authenticate just wich password can access the ZITADEL API again

Additionally while testing we found out that because of #7969 the login
UI could completely break / block with the following error:
`sql: Scan error on column index 3, name "state": converting NULL to
int32 is unsupported (Internal)`
# How the Problems Are Solved

- IdP checks are treated the same way as other factors and it's ensured
that a succeeded check within the configured timeframe will always
provide the idp auth method
- `MFATypesAllowed` checks for possible passwordless authentication
- As with the v1 login, the token check now only requires MFA if the
policy is set or the user has 2FA set up
- UserAuthMethodsRequirements now always uses the correctly policy to
check for MFA enforcement
- `State` column is handled as nullable and additional events set the
state to active (as before #7969)

# Additional Changes

- Console now also checks for 403 (mfa required) errors (e.g. after
setting up the first 2FA in console) and redirects the user to the login
UI (with the current id_token as id_token_hint)
- Possible duplicates in auth methods / AMRs are removed now as well.

# Additional Context

- Bugs were introduced in #7822 and # and 7969 and only part of a
pre-release.
- partially already fixed with #7992
- Reported internally.
2024-05-28 08:59:49 +00:00
..
projection refactor(query): use new packages for org by id query (#7826) 2024-05-24 13:32:57 +02:00
testdata feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
access_token.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
action_flow_test.go perf: remove owner removed columns from projections for oidc (#6925) 2023-11-20 17:21:08 +02:00
action_flow.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
action_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
action.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
app_test.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
app.go fix(query): reduce app query overhead (#7817) 2024-04-22 11:30:56 +02:00
auth_request_by_id.sql feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
auth_request_test.go chore: use pgx v5 (#7577) 2024-03-27 15:48:22 +02:00
auth_request.go feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
authn_key_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
authn_key.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
certificate_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
certificate.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
converter.go feat(api): feature flags (#7356) 2024-02-28 10:55:54 +02:00
current_state_test.go feat(eventstore): increase parallel write capabilities (#5940) 2023-10-19 12:19:10 +02:00
current_state.go fix(db): wrap BeginTx in spans to get acquire metrics (#7689) 2024-04-03 11:48:24 +03:00
custom_text_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
custom_text.go feat(idp): provide option to auto link user (#7734) 2024-04-10 15:46:30 +00:00
device_auth_test.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
device_auth.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
domain_policy_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
domain_policy.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
event.go chore: remove bloating span (#7780) 2024-04-16 11:19:17 +00:00
execution_targets.sql feat: add action v2 execution on requests and responses (#7637) 2024-05-04 11:55:57 +02:00
execution_test.go feat: add action v2 execution on requests and responses (#7637) 2024-05-04 11:55:57 +02:00
execution.go feat: add action v2 execution on requests and responses (#7637) 2024-05-04 11:55:57 +02:00
failed_events_test.go feat(eventstore): increase parallel write capabilities (#5940) 2023-10-19 12:19:10 +02:00
failed_events.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
generic.go feat: query side for executions and targets for actions v2 (#7524) 2024-03-14 09:56:23 +00:00
iam_member_test.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
iam_member.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
idp_login_policy_link_test.go feat(idp): provide option to auto link user (#7734) 2024-04-10 15:46:30 +00:00
idp_login_policy_link.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
idp_template_test.go feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) 2024-05-23 05:04:07 +00:00
idp_template.go feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) 2024-05-23 05:04:07 +00:00
idp_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
idp_user_link_test.go feat(idp): provide option to auto link user (#7734) 2024-04-10 15:46:30 +00:00
idp_user_link.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
idp.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
instance_by_domain.sql fix(query): optimize instance by domain query (#7513) 2024-03-06 18:02:16 +00:00
instance_by_id.sql fix: assign instance ID to aggregate ID when converting from v1 to v2 feature (#7505) 2024-03-05 16:12:49 +01:00
instance_domain_test.go feat(storage): read only transactions for queries (#6415) 2023-08-22 10:49:22 +00:00
instance_domain.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
instance_features_model.go refactor(query): use new packages for org by id query (#7826) 2024-05-24 13:32:57 +02:00
instance_features_test.go fix: add action v2 execution to features (#7597) 2024-04-09 20:21:21 +03:00
instance_features.go refactor(query): use new packages for org by id query (#7826) 2024-05-24 13:32:57 +02:00
instance_test.go feat(api): feature flags (#7356) 2024-02-28 10:55:54 +02:00
instance.go feat: improve instance not found error (#7413) 2024-02-28 10:49:57 +00:00
introspection_client_by_id.sql feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
introspection_test.go feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
introspection.go feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
key_test.go fix(oidc): ignore public key expiry for ID Token hints (#7293) 2024-01-29 15:11:52 +00:00
key.go fix(oidc): ignore public key expiry for ID Token hints (#7293) 2024-01-29 15:11:52 +00:00
label_policy.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
lockout_policy_test.go feat: provide option to limit (T)OTP checks (#7693) 2024-04-10 09:14:55 +00:00
lockout_policy.go feat: provide option to limit (T)OTP checks (#7693) 2024-04-10 09:14:55 +00:00
login_name.go perf: remove owner removed columns from projections for oidc (#6925) 2023-11-20 17:21:08 +02:00
login_policy_test.go chore: use pgx v5 (#7577) 2024-03-27 15:48:22 +02:00
login_policy.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
mail_template.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
member_roles.go fix(query): realtime data on defined requests (#3726) 2022-06-14 07:51:00 +02:00
member.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
message_text_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
message_text.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
milestone_test.go feat(storage): read only transactions for queries (#6415) 2023-08-22 10:49:22 +00:00
milestone.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
notification_policy_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
notification_policy.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
notification_provider_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
notification_provider.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
oidc_client_by_id.sql feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
oidc_client_test.go feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
oidc_client.go feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
oidc_settings_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
oidc_settings.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
org_domain_test.go feat(storage): read only transactions for queries (#6415) 2023-08-22 10:49:22 +00:00
org_domain.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
org_member_test.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
org_member.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
org_metadata_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
org_metadata.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
org_test.go chore: use pgx v5 (#7577) 2024-03-27 15:48:22 +02:00
org.go refactor(query): use new packages for org by id query (#7826) 2024-05-24 13:32:57 +02:00
password_age_policy_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
password_age_policy.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
password_complexity_policy_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
password_complexity_policy.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
prepare_test.go chore: use pgx v5 (#7577) 2024-03-27 15:48:22 +02:00
privacy_policy_test.go feat(cnsl): docs link can be customized and custom button is available (#7840) 2024-05-13 16:01:50 +02:00
privacy_policy.go feat(cnsl): docs link can be customized and custom button is available (#7840) 2024-05-13 16:01:50 +02:00
project_grant_member_test.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
project_grant_member.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
project_grant_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
project_grant.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
project_member_test.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
project_member.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
project_role_test.go perf: remove owner removed columns from projections for oidc (#6925) 2023-11-20 17:21:08 +02:00
project_role.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
project_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
project.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
query_test.go fix(setup): init projections (#7194) 2024-01-25 17:28:20 +01:00
query.go refactor(query): use new packages for org by id query (#7826) 2024-05-24 13:32:57 +02:00
quota_notifications_test.go perf: project quotas and usages (#6441) 2023-09-15 16:58:45 +02:00
quota_notifications.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
quota_periods_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
quota_periods.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
quota_test.go chore: use pgx v5 (#7577) 2024-03-27 15:48:22 +02:00
quota.go chore: use pgx v5 (#7577) 2024-03-27 15:48:22 +02:00
restrictions_test.go fix: projection version of restrictions (#7028) 2023-12-06 10:30:56 +00:00
restrictions.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
search_query_test.go feat: add action v2 execution on requests and responses (#7637) 2024-05-04 11:55:57 +02:00
search_query.go feat: add action v2 execution on requests and responses (#7637) 2024-05-04 11:55:57 +02:00
secret_generator_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
secret_generators.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
security_policy.go feat: impersonation roles (#7442) 2024-02-28 10:21:11 +00:00
session.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
sessions_test.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
sms_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
sms.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
smtp_test.go feat: SMTP Templates (#6932) 2024-04-11 09:16:10 +02:00
smtp.go feat: SMTP Templates (#6932) 2024-04-11 09:16:10 +02:00
system_features_model.go refactor(query): use new packages for org by id query (#7826) 2024-05-24 13:32:57 +02:00
system_features_test.go fix: add action v2 execution to features (#7597) 2024-04-09 20:21:21 +03:00
system_features.go refactor(query): use new packages for org by id query (#7826) 2024-05-24 13:32:57 +02:00
target_test.go feat: add action v2 execution on requests and responses (#7637) 2024-05-04 11:55:57 +02:00
target.go feat: add action v2 execution on requests and responses (#7637) 2024-05-04 11:55:57 +02:00
targets_by_execution_id.sql fix(actions): correct statements to query targets (#8006) 2024-05-24 14:13:36 +00:00
targets_by_execution_ids.sql fix(actions): correct statements to query targets (#8006) 2024-05-24 14:13:36 +00:00
user_auth_method_test.go fix(oidc): IDP and passwordless user auth methods (#7998) 2024-05-28 08:59:49 +00:00
user_auth_method.go fix(oidc): IDP and passwordless user auth methods (#7998) 2024-05-28 08:59:49 +00:00
user_by_id.sql feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
user_by_login_name.sql fix: correctly check user by loginname (#7740) 2024-04-10 07:18:57 +00:00
user_grant_test.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
user_grant.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
user_membership_test.go perf: remove owner removed columns from projections for oidc (#6925) 2023-11-20 17:21:08 +02:00
user_membership.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
user_metadata_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
user_metadata.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
user_notify_by_id.sql feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
user_notify_by_login_name.sql fix: correctly check user by loginname (#7740) 2024-04-10 07:18:57 +00:00
user_otp.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
user_password.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
user_personal_access_token_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
user_personal_access_token.go refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
user_schema_test.go chore: use pgx v5 (#7577) 2024-03-27 15:48:22 +02:00
user_schema.go chore: use pgx v5 (#7577) 2024-03-27 15:48:22 +02:00
user_test.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
user.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
userinfo_by_id.sql feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
userinfo_client_by_id.sql feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
userinfo_test.go feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
userinfo.go feat(oidc): optimize the userinfo endpoint (#7706) 2024-04-09 15:15:35 +02:00
zitadel_permission.go perf: remove owner removed columns from projections for oidc (#6925) 2023-11-20 17:21:08 +02:00