zitadel/internal/api/oidc
Livio Spring a3fcf6431a
fix(oidc): remove MFA requirement on ZITADEL API based on user auth methods (#8069)
# Which Problems Are Solved

Requests to the ZITADEL API currently require multi-factor authentication
if the user has set up any second factor.
However, the login UI will only prompt the user to check factors that
are allowed by the login policy.
This can lead to situations where the user has set up a factor (e.g.
some OTP) which was not allowed by the policy and therefore will not have
to verify the factor; the ZITADEL API, however, will require the check
since the user has set it up.

# How the Problems Are Solved

The requirement for multi-factor authentication based on the user's
authentication methods is removed when accessing the ZITADEL APIs.
Those requests will only require MFA in case the login policy does so
because of `requireMFA` or `requireMFAForLocalUsers`.

# Additional Changes

None.

# Additional Context

- a customer reached out to support
- discussed internally
- relates #7822
- backport to 2.53.x

(cherry picked from commit fb2b1610f9)
2024-06-13 13:55:05 +02:00
| File | Last commit | Date |
|---|---|---|
| access_token.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| amr_test.go | feat(oidc): token exchange impersonation (#7516) | 2024-03-20 10:18:46 +00:00 |
| amr.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| auth_request_converter_v2.go | merge main into next | 2023-10-19 12:34:00 +02:00 |
| auth_request_converter.go | fix(oidc): IDP and machine user auth methods (#7992) | 2024-05-23 05:35:10 +00:00 |
| auth_request_integration_test.go | fix(oidc): only return state in access token response for implicit flow (#8108) | 2024-06-13 13:55:04 +02:00 |
| auth_request.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| client_converter.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| client_credentials.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| client_integration_test.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| client.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| device_auth.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| error_test.go | fix: uniform oidc errors (#7237) | 2024-01-18 07:10:49 +01:00 |
| error.go | fix(oidc): return bad request for base64 errors (#7730) | 2024-04-09 08:42:59 +02:00 |
| introspect.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| jwt-profile.go | fix: uniform oidc errors (#7237) | 2024-01-18 07:10:49 +01:00 |
| key_test.go | chore(deps): update all go deps (#7773) | 2024-04-15 09:17:36 +00:00 |
| key.go | chore(deps): update all go deps (#7773) | 2024-04-15 09:17:36 +00:00 |
| oidc_integration_test.go | fix(oidc): remove MFA requirement on ZITADEL API based on user auth methods (#8069) | 2024-06-13 13:55:05 +02:00 |
| op.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| server_integration_test.go | chore(oidc): add refresh token error integration test (#7766) | 2024-04-17 08:38:03 +00:00 |
| server_test.go | feat: restrict languages (#6931) | 2023-12-05 11:12:01 +00:00 |
| server.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| token_client_credentials_integration_test.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| token_client_credentials.go | fix(oauth2): correctly return an error on client_credentials and jwt_profile (#8092) | 2024-06-12 08:43:48 +02:00 |
| token_code.go | fix(oidc): only return state in access token response for implicit flow (#8108) | 2024-06-13 13:55:04 +02:00 |
| token_device.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| token_exchange_converter.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| token_exchange_integration_test.go | perf(oidc): optimize token creation (#7822) | 2024-05-16 07:07:56 +02:00 |
| token_exchange.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| token_jwt_profile_integration_test.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| token_jwt_profile.go | fix(oauth2): correctly return an error on client_credentials and jwt_profile (#8092) | 2024-06-12 08:43:48 +02:00 |
| token_refresh.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| token.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| userinfo_integration_test.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| userinfo_test.go | fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046) | 2024-05-31 10:10:18 +00:00 |
| userinfo.go | fix(oidc): make sure id_token does not contain any info from access token actions (#8053) | 2024-05-31 15:08:00 +02:00 |