TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2024-12-16 12:58:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
5fa32cbfb9
zitadel/internal/domain
History
Tim Möhlmann f5e9d4f57f
fix(oidc): IDP and machine user auth methods (#7992) 
# Which Problems Are Solved

After https://github.com/zitadel/zitadel/pull/7822 was merged we
discovered that
v2 tokens that where obtained through an IDP using the v1 login, can't
be used for
zitadel API calls.

- Because we used to store the AMR claim on the auth request, but
internally use the domain.UserAuthMethod type. AMR has no notion of an
IDP login, so that "factor" was lost
during conversion. Rendering those v2 tokens invalid on the zitadel API.
- A wrong check on machine user tokens falsly allowed some tokens to be
valid
- The client ID was set to tokens from client credentials and JWT
profile, which made client queries fail in the validation middleware.
The middleware expects client ID unset for machine users.

# How the Problems Are Solved

Store the domain.AuthMethods directly in  the auth requests and session,
instead of using AMR claims with lossy conversion.

- IDPs have seperate auth method, which is not an AMR claim
- Machine users are treated specialy, eg auth methods are not required.
- Do not set the client ID for client credentials and JWT profile

# Additional Changes

Cleaned up mostly unused `oidc.getInfoFromRequest()`.

# Additional Context

- Bugs were introduced in https://github.com/zitadel/zitadel/pull/7822
and not yet part of a release.
- Reported internally.
2024-05-23 05:35:10 +00:00
..
schema feat: implement user schema management (#7416) 2024-03-12 13:50:13 +00:00
action.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
application_api.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
application_key.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
application_oauth.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
application_oidc_test.go fix: remove hard requirement of grant type auth code for device code apps + warnings for missing urls (#7429) 2024-02-29 15:28:06 +00:00
application_oidc.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
application_saml.go feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 18:18:08 +02:00
application.go feat: protos refactoring 2021-03-09 10:30:11 +01:00
asset.go fix: return absolute asset urls (#3676) 2022-05-20 10:30:12 +02:00
auth_request_test.go feat(oidc): id token for device authorization (#7088) 2023-12-20 13:21:08 +01:00
auth_request.go fix(oidc): IDP and machine user auth methods (#7992) 2024-05-23 05:35:10 +00:00
authn_key.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
browser_info.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
bucket.go feat: asset storage (#1696) 2021-05-03 10:15:50 +02:00
custom_login_text.go feat(idp): provide option to auto link user (#7734) 2024-04-10 15:46:30 +00:00
custom_message_text.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
custom_text.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
device_auth_test.go feat(oidc): id token for device authorization (#7088) 2023-12-20 13:21:08 +01:00
device_auth.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
deviceauthstate_string.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
execution.go feat: add action v2 execution on requests and responses (#7637) 2024-05-04 11:55:57 +02:00
expiration.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
factors.go feat: enable otp email and sms (#6260) 2023-07-28 07:39:30 +02:00
feature.go fix: add action v2 execution to features (#7597) 2024-04-09 20:21:21 +03:00
flow.go feat: add executions for actions v2 (#7433) 2024-02-26 12:49:43 +02:00
human_address.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
human_email_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
human_email.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
human_otp.go fix: import totp in add human user with secret (#7936) 2024-05-14 09:20:31 +02:00
human_password.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
human_phone_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
human_phone.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
human_profile.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
human_test.go fix: set displayname correctly in EnsureDisplayName (#5702) 2023-04-17 06:26:40 +00:00
human_web_auth_n.go fix: provide domain in session, passkey and u2f (#6097) 2023-06-27 14:36:07 +02:00
human.go feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
idp_config.go feat(login): use new IDP templates (#5315) 2023-02-28 21:20:58 +01:00
idp.go feat(saml): allow setting nameid-format and alternative mapping for transient format (#7979) 2024-05-23 05:04:07 +00:00
instance_domain.go feat: add random string to generated domain (#3634) 2022-05-16 11:26:24 +02:00
instance.go fix: instance remove (#4602) 2022-10-26 13:06:48 +00:00
key_pair.go feat(saml): implementation of saml for ZITADEL v2 (#3618) 2022-09-12 18:18:08 +02:00
language.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
machine_key.go fix: add expiration date information to service users keys (#7497) 2024-03-13 18:21:19 +00:00
machine.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
member.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
metadata.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
mfa.go refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
next_step.go feat: display login succeeded page only for native apps (#2839) 2021-12-14 09:47:49 +01:00
notification.go refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
object.go feat(api): feature flags (#7356) 2024-02-28 10:55:54 +02:00
oidc_code_challenge.go fix: move v2 pkgs (#1331) 2021-02-23 15:13:04 +01:00
oidc_error_reason_test.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
oidc_error_reason.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
oidc_mapping_field.go fix: move v2 pkgs (#1331) 2021-02-23 15:13:04 +01:00
oidc_session.go feat(api): add OIDC session service (#6157) 2023-07-10 13:27:00 +00:00
oidc_settings.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
org_domain_test.go fix: allow unicode characters in org domains (#6675) 2023-10-11 09:55:01 +02:00
org_domain.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
org.go fix: allow unicode characters in org domains (#6675) 2023-10-11 09:55:01 +02:00
permission.go fix: allow other users to set up MFAs (#7914) 2024-05-07 05:38:26 +00:00
policy_domain.go feat: restrict smtp sender address (#3637) 2022-05-16 14:08:47 +00:00
policy_label_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
policy_label.go refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
policy_login_test.go feat: add default redirect uri and handling of unknown usernames (#3616) 2022-05-16 13:39:09 +00:00
policy_login.go fix(login): correct rendering of idps (#7151) 2024-01-05 14:35:51 +00:00
policy_mail_template.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
policy_password_age.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
policy_password_complexity.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
policy_password_lockout.go feat: provide option to limit (T)OTP checks (#7693) 2024-04-10 09:14:55 +00:00
policy_privacy.go feat(cnsl): docs link can be customized and custom button is available (#7840) 2024-05-13 16:01:50 +02:00
policy.go refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
project_grant_member.go refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
project_grant.go refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
project_role.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
project.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
provider.go refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
refresh_token.go fix(oidc): return bad request for base64 errors (#7730) 2024-04-09 08:42:59 +02:00
request.go feat(oidc): allow additional audience based on scope in device auth (#7685) 2024-04-03 09:06:21 +03:00
roles.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
search_method.go fix: todos (#1346) 2021-03-01 08:48:50 +01:00
secret_generator.go feat: add secret generators for OTP (#6262) 2023-07-26 11:00:41 +00:00
session.go feat(api): add otp (sms and email) checks in session api (#6422) 2023-08-24 09:41:52 +00:00
sms.go feat: Default configs sms provider (#3187) 2022-02-21 12:22:20 +00:00
smtp.go feat: SMTP Templates (#6932) 2024-04-11 09:16:10 +02:00
target.go feat: add action v2 execution on requests and responses (#7637) 2024-05-04 11:55:57 +02:00
token.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
tokenreason_enumer.go feat(oidc): token exchange impersonation (#7516) 2024-03-20 10:18:46 +00:00
url_template_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
url_template.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
user_agent_test.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
user_agent.go perf(oidc): optimize token creation (#7822) 2024-05-16 07:07:56 +02:00
user_grant.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
user_idp_link.go chore(v2): move to new org (#3499) 2022-04-26 23:01:45 +00:00
user_schema.go feat: implement user schema management (#7416) 2024-03-12 13:50:13 +00:00
user_v2_passkey_test.go refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
user_v2_passkey.go feat(v2): register user u2f (#6020) 2023-06-15 05:32:40 +00:00
user.go fix(oidc): IDP and machine user auth methods (#7992) 2024-05-23 05:35:10 +00:00