zitadel/internal
Tim Möhlmann 8054e6753a
fix(oidc): roles in userinfo for client credentials token (#7763)
* fix(oidc): roles in userinfo for client credentials token

When tokens were obtained using the client credentials grant, with audience and role scopes, userinfo would not return the role claims. This had multiple causes:

1. There is no auth request flow, so for legacy userinfo, project data was never attached to the token
2. For optimized userinfo, there is no client ID that maps to an application. The client ID for client credentials is the machine user's name. There we can't obtain a project ID. When the project ID remained empty, we always ignored the roleAudience.

This PR fixes situation 2, by always taking the roleAudience into account, even when the projectID is empty. The code responsible for the bug is also refactored to be more readable and understandable, including additional godoc.

The fix only applies to the optimized userinfo code introduced in #7706 and released in v2.50 (currently in RC). Therefore it can't be back-ported to earlier versions.

Fixes #6662

* chore(deps): update all go deps (#7764)

This change updates all go modules, including oidc, a major version of go-jose and the go 1.22 release.

* Revert "chore(deps): update all go deps" (#7772)

Revert "chore(deps): update all go deps (#7764)"

This reverts commit 6893e7d060.

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 9ccbbe05bc)
2024-04-16 15:46:13 +02:00
actions refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
activity fix: get orgID when missing on trigger logs (#7555) 2024-03-14 08:49:10 +00:00
admin/repository/eventsourcing fix(setup): init projections (#7194) 2024-01-25 17:28:20 +01:00
api fix(oidc): roles in userinfo for client credentials token (#7763) 2024-04-16 15:46:13 +02:00
auth/repository feat(idp): provide option to auto link user (#7734) 2024-04-10 15:46:30 +00:00
auth_request/repository fix: add action v2 execution to features (#7597) 2024-04-09 20:21:21 +03:00
authz chore(deps): update all go deps (#7773) 2024-04-15 09:17:36 +00:00
command feat: SMTP Templates (#6932) 2024-04-11 09:16:10 +02:00
config feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
crypto fix(db): wrap BeginTx in spans to get acquire metrics (#7689) 2024-04-09 14:03:03 +02:00
database fix(db): wrap BeginTx in spans to get acquire metrics (#7689) 2024-04-09 14:03:03 +02:00
domain feat: SMTP Templates (#6932) 2024-04-11 09:16:10 +02:00
eventstore fix: add action v2 execution to features (#7597) 2024-04-09 20:21:21 +03:00
feature fix: add action v2 execution to features (#7597) 2024-04-09 20:21:21 +03:00
form refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
i18n fix(middleware): init translation messages (#7778) 2024-04-16 15:46:13 +02:00
iam refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
id fix: add action v2 execution to features (#7597) 2024-04-09 20:21:21 +03:00
idp chore(deps): update all go deps (#7773) 2024-04-15 09:17:36 +00:00
integration fix(oidc): roles in userinfo for client credentials token (#7763) 2024-04-16 15:46:13 +02:00
logstore perf: project quotas and usages (#6441) 2023-09-15 16:58:45 +02:00
migration fix(setup): init projections (#7194) 2024-01-25 17:28:20 +01:00
net perf: project quotas and usages (#6441) 2023-09-15 16:58:45 +02:00
notification feat: SMTP Templates (#6932) 2024-04-11 09:16:10 +02:00
org refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
project refactor: cleanup unused code (#7130) 2024-01-02 14:26:31 +00:00
protoc merge main into next 2023-10-19 12:34:00 +02:00
qrcode docs(legal): Updated agreements and policies v2 (#3823) 2022-06-15 08:30:58 +02:00
query chore: remove bloating span (#7780) 2024-04-16 15:46:12 +02:00
renderer fix(login): (re)allow HTML in custom login texts (#7575) 2024-03-15 16:29:10 +01:00
repository feat: SMTP Templates (#6932) 2024-04-11 09:16:10 +02:00
static Merge branch 'main' into next 2024-04-15 16:37:31 +02:00
statik chore: initial version of a devcontainer (#6352) 2023-08-15 10:49:05 +02:00
telemetry refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
test refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
user feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
view/repository refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00
webauthn refactor: rename package errors to zerrors (#7039) 2023-12-08 15:30:55 +01:00
zerrors refactor(fmt): run gci on complete project (#7557) 2024-04-03 10:43:43 +00:00