mirror of
https://github.com/zitadel/zitadel.git
synced 2025-07-13 14:28:34 +00:00
0e10ed0e0b
# Which Problems Are Solved When using implicit flow through the session API and a login UI on a custom domain (proxy), the tokens were signed by the API domain of the instance, rather than the public (proxy) domain. The SAML response had the same issue. Additionally, the saml library had an issue and lost the issuer context. This prevented also a successful login through the hosted login UI. # How the Problems Are Solved - The issuer of the SAML and Auth request is persisted to provide the information when signing the responses and tokens. - The SAML library is updated to the latest version. # Additional Changes None # Additional Context None
268 lines
10 KiB
Go
268 lines
10 KiB
Go
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"encoding/base64"
|
|
|
|
"github.com/zitadel/logging"
|
|
"github.com/zitadel/oidc/v3/pkg/op"
|
|
"google.golang.org/protobuf/types/known/durationpb"
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
|
|
http_utils "github.com/zitadel/zitadel/internal/api/http"
|
|
"github.com/zitadel/zitadel/internal/api/oidc"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2"
|
|
)
|
|
|
|
func (s *Server) GetAuthRequest(ctx context.Context, req *oidc_pb.GetAuthRequestRequest) (*oidc_pb.GetAuthRequestResponse, error) {
|
|
authRequest, err := s.query.AuthRequestByID(ctx, true, req.GetAuthRequestId(), true)
|
|
if err != nil {
|
|
logging.WithError(err).Error("query authRequest by ID")
|
|
return nil, err
|
|
}
|
|
return &oidc_pb.GetAuthRequestResponse{
|
|
AuthRequest: authRequestToPb(authRequest),
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) CreateCallback(ctx context.Context, req *oidc_pb.CreateCallbackRequest) (*oidc_pb.CreateCallbackResponse, error) {
|
|
switch v := req.GetCallbackKind().(type) {
|
|
case *oidc_pb.CreateCallbackRequest_Error:
|
|
return s.failAuthRequest(ctx, req.GetAuthRequestId(), v.Error)
|
|
case *oidc_pb.CreateCallbackRequest_Session:
|
|
return s.linkSessionToAuthRequest(ctx, req.GetAuthRequestId(), v.Session)
|
|
default:
|
|
return nil, zerrors.ThrowUnimplementedf(nil, "OIDCv2-zee7A", "verification oneOf %T in method CreateCallback not implemented", v)
|
|
}
|
|
}
|
|
|
|
func (s *Server) GetDeviceAuthorizationRequest(ctx context.Context, req *oidc_pb.GetDeviceAuthorizationRequestRequest) (*oidc_pb.GetDeviceAuthorizationRequestResponse, error) {
|
|
deviceRequest, err := s.query.DeviceAuthRequestByUserCode(ctx, req.GetUserCode())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
encrypted, err := s.encryption.Encrypt([]byte(deviceRequest.DeviceCode))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &oidc_pb.GetDeviceAuthorizationRequestResponse{
|
|
DeviceAuthorizationRequest: &oidc_pb.DeviceAuthorizationRequest{
|
|
Id: base64.RawURLEncoding.EncodeToString(encrypted),
|
|
ClientId: deviceRequest.ClientID,
|
|
Scope: deviceRequest.Scopes,
|
|
AppName: deviceRequest.AppName,
|
|
ProjectName: deviceRequest.ProjectName,
|
|
},
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) AuthorizeOrDenyDeviceAuthorization(ctx context.Context, req *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest) (*oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse, error) {
|
|
deviceCode, err := s.deviceCodeFromID(req.GetDeviceAuthorizationId())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
switch req.GetDecision().(type) {
|
|
case *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session:
|
|
_, err = s.command.ApproveDeviceAuthWithSession(ctx, deviceCode, req.GetSession().GetSessionId(), req.GetSession().GetSessionToken())
|
|
case *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Deny:
|
|
_, err = s.command.CancelDeviceAuth(ctx, deviceCode, domain.DeviceAuthCanceledDenied)
|
|
}
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, nil
|
|
}
|
|
|
|
func authRequestToPb(a *query.AuthRequest) *oidc_pb.AuthRequest {
|
|
pba := &oidc_pb.AuthRequest{
|
|
Id: a.ID,
|
|
CreationDate: timestamppb.New(a.CreationDate),
|
|
ClientId: a.ClientID,
|
|
Scope: a.Scope,
|
|
RedirectUri: a.RedirectURI,
|
|
Prompt: promptsToPb(a.Prompt),
|
|
UiLocales: a.UiLocales,
|
|
LoginHint: a.LoginHint,
|
|
HintUserId: a.HintUserID,
|
|
}
|
|
if a.MaxAge != nil {
|
|
pba.MaxAge = durationpb.New(*a.MaxAge)
|
|
}
|
|
return pba
|
|
}
|
|
|
|
func promptsToPb(promps []domain.Prompt) []oidc_pb.Prompt {
|
|
out := make([]oidc_pb.Prompt, len(promps))
|
|
for i, p := range promps {
|
|
out[i] = promptToPb(p)
|
|
}
|
|
return out
|
|
}
|
|
|
|
func promptToPb(p domain.Prompt) oidc_pb.Prompt {
|
|
switch p {
|
|
case domain.PromptUnspecified:
|
|
return oidc_pb.Prompt_PROMPT_UNSPECIFIED
|
|
case domain.PromptNone:
|
|
return oidc_pb.Prompt_PROMPT_NONE
|
|
case domain.PromptLogin:
|
|
return oidc_pb.Prompt_PROMPT_LOGIN
|
|
case domain.PromptConsent:
|
|
return oidc_pb.Prompt_PROMPT_CONSENT
|
|
case domain.PromptSelectAccount:
|
|
return oidc_pb.Prompt_PROMPT_SELECT_ACCOUNT
|
|
case domain.PromptCreate:
|
|
return oidc_pb.Prompt_PROMPT_CREATE
|
|
default:
|
|
return oidc_pb.Prompt_PROMPT_UNSPECIFIED
|
|
}
|
|
}
|
|
|
|
func (s *Server) checkPermission(ctx context.Context, clientID string, userID string) error {
|
|
permission, err := s.query.CheckProjectPermissionByClientID(ctx, clientID, userID)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if !permission.HasProjectChecked {
|
|
return zerrors.ThrowPermissionDenied(nil, "OIDC-foSyH49RvL", "Errors.User.ProjectRequired")
|
|
}
|
|
if !permission.ProjectRoleChecked {
|
|
return zerrors.ThrowPermissionDenied(nil, "OIDC-foSyH49RvL", "Errors.User.GrantRequired")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func (s *Server) failAuthRequest(ctx context.Context, authRequestID string, ae *oidc_pb.AuthorizationError) (*oidc_pb.CreateCallbackResponse, error) {
|
|
details, aar, err := s.command.FailAuthRequest(ctx, authRequestID, errorReasonToDomain(ae.GetError()))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
authReq := &oidc.AuthRequestV2{CurrentAuthRequest: aar}
|
|
callback, err := oidc.CreateErrorCallbackURL(authReq, errorReasonToOIDC(ae.GetError()), ae.GetErrorDescription(), ae.GetErrorUri(), s.op.Provider())
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &oidc_pb.CreateCallbackResponse{
|
|
Details: object.DomainToDetailsPb(details),
|
|
CallbackUrl: callback,
|
|
}, nil
|
|
}
|
|
|
|
func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID string, session *oidc_pb.Session) (*oidc_pb.CreateCallbackResponse, error) {
|
|
details, aar, err := s.command.LinkSessionToAuthRequest(ctx, authRequestID, session.GetSessionId(), session.GetSessionToken(), true, s.checkPermission)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
authReq := &oidc.AuthRequestV2{CurrentAuthRequest: aar}
|
|
issuer := authReq.Issuer
|
|
if issuer == "" {
|
|
issuer = http_utils.DomainContext(ctx).Origin()
|
|
}
|
|
ctx = op.ContextWithIssuer(ctx, issuer)
|
|
var callback string
|
|
if aar.ResponseType == domain.OIDCResponseTypeCode {
|
|
callback, err = oidc.CreateCodeCallbackURL(ctx, authReq, s.op.Provider())
|
|
} else {
|
|
callback, err = s.op.CreateTokenCallbackURL(ctx, authReq)
|
|
}
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return &oidc_pb.CreateCallbackResponse{
|
|
Details: object.DomainToDetailsPb(details),
|
|
CallbackUrl: callback,
|
|
}, nil
|
|
}
|
|
|
|
func errorReasonToDomain(errorReason oidc_pb.ErrorReason) domain.OIDCErrorReason {
|
|
switch errorReason {
|
|
case oidc_pb.ErrorReason_ERROR_REASON_UNSPECIFIED:
|
|
return domain.OIDCErrorReasonUnspecified
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST:
|
|
return domain.OIDCErrorReasonInvalidRequest
|
|
case oidc_pb.ErrorReason_ERROR_REASON_UNAUTHORIZED_CLIENT:
|
|
return domain.OIDCErrorReasonUnauthorizedClient
|
|
case oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED:
|
|
return domain.OIDCErrorReasonAccessDenied
|
|
case oidc_pb.ErrorReason_ERROR_REASON_UNSUPPORTED_RESPONSE_TYPE:
|
|
return domain.OIDCErrorReasonUnsupportedResponseType
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INVALID_SCOPE:
|
|
return domain.OIDCErrorReasonInvalidScope
|
|
case oidc_pb.ErrorReason_ERROR_REASON_SERVER_ERROR:
|
|
return domain.OIDCErrorReasonServerError
|
|
case oidc_pb.ErrorReason_ERROR_REASON_TEMPORARY_UNAVAILABLE:
|
|
return domain.OIDCErrorReasonTemporaryUnavailable
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INTERACTION_REQUIRED:
|
|
return domain.OIDCErrorReasonInteractionRequired
|
|
case oidc_pb.ErrorReason_ERROR_REASON_LOGIN_REQUIRED:
|
|
return domain.OIDCErrorReasonLoginRequired
|
|
case oidc_pb.ErrorReason_ERROR_REASON_ACCOUNT_SELECTION_REQUIRED:
|
|
return domain.OIDCErrorReasonAccountSelectionRequired
|
|
case oidc_pb.ErrorReason_ERROR_REASON_CONSENT_REQUIRED:
|
|
return domain.OIDCErrorReasonConsentRequired
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_URI:
|
|
return domain.OIDCErrorReasonInvalidRequestURI
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_OBJECT:
|
|
return domain.OIDCErrorReasonInvalidRequestObject
|
|
case oidc_pb.ErrorReason_ERROR_REASON_REQUEST_NOT_SUPPORTED:
|
|
return domain.OIDCErrorReasonRequestNotSupported
|
|
case oidc_pb.ErrorReason_ERROR_REASON_REQUEST_URI_NOT_SUPPORTED:
|
|
return domain.OIDCErrorReasonRequestURINotSupported
|
|
case oidc_pb.ErrorReason_ERROR_REASON_REGISTRATION_NOT_SUPPORTED:
|
|
return domain.OIDCErrorReasonRegistrationNotSupported
|
|
default:
|
|
return domain.OIDCErrorReasonUnspecified
|
|
}
|
|
}
|
|
|
|
func errorReasonToOIDC(reason oidc_pb.ErrorReason) string {
|
|
switch reason {
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST:
|
|
return "invalid_request"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_UNAUTHORIZED_CLIENT:
|
|
return "unauthorized_client"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED:
|
|
return "access_denied"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_UNSUPPORTED_RESPONSE_TYPE:
|
|
return "unsupported_response_type"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INVALID_SCOPE:
|
|
return "invalid_scope"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_TEMPORARY_UNAVAILABLE:
|
|
return "temporarily_unavailable"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INTERACTION_REQUIRED:
|
|
return "interaction_required"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_LOGIN_REQUIRED:
|
|
return "login_required"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_ACCOUNT_SELECTION_REQUIRED:
|
|
return "account_selection_required"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_CONSENT_REQUIRED:
|
|
return "consent_required"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_URI:
|
|
return "invalid_request_uri"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_OBJECT:
|
|
return "invalid_request_object"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_REQUEST_NOT_SUPPORTED:
|
|
return "request_not_supported"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_REQUEST_URI_NOT_SUPPORTED:
|
|
return "request_uri_not_supported"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_REGISTRATION_NOT_SUPPORTED:
|
|
return "registration_not_supported"
|
|
case oidc_pb.ErrorReason_ERROR_REASON_UNSPECIFIED, oidc_pb.ErrorReason_ERROR_REASON_SERVER_ERROR:
|
|
fallthrough
|
|
default:
|
|
return "server_error"
|
|
}
|
|
}
|
|
|
|
func (s *Server) deviceCodeFromID(deviceAuthID string) (string, error) {
|
|
decoded, err := base64.RawURLEncoding.DecodeString(deviceAuthID)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return s.encryption.DecryptString(decoded, s.encryption.EncryptionKeyID())
|
|
}
|