mirror of
https://github.com/zitadel/zitadel.git
synced 2024-12-14 03:54:21 +00:00
f065b42a97
# Which Problems Are Solved After deployment of 2.53.x, customers noted that the roles claims where always present in the tokens even if the corresponding option on the client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled. Only the project flag (assertRolesOnAuthentication) would be considered. Further it was noted, that the action on the preAccessTokenCreation trigger would not be executed. Additionally, while testing those issues we found out, that the user information (name, givenname, family name, ...) where always present in the id_token even if the option (idTokenUserInfo) was not enabled. # How the Problems Are Solved - The `getUserinfoOnce` which was used for access and id_tokens is refactored to `getUserInfo` and no longer only queries the info once from the database, but still provides a mechanism to be reused for access and id_token where the corresponding `roleAssertion` and action `triggerType` can be passed. - `userInfo` on the other hand now directly makes sure the information is only queried once from the database. Role claims are asserted every time and action triggers are executed on every call. - `userInfo` now also checks if the profile information need to be returned. # Additional Changes None. # Additional Context - relates to #7822 - reported by customers
251 lines
7.6 KiB
Go
251 lines
7.6 KiB
Go
package oidc
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"errors"
|
|
"slices"
|
|
"time"
|
|
|
|
"github.com/zitadel/oidc/v3/pkg/oidc"
|
|
"github.com/zitadel/oidc/v3/pkg/op"
|
|
|
|
"github.com/zitadel/zitadel/internal/api/authz"
|
|
"github.com/zitadel/zitadel/internal/domain"
|
|
"github.com/zitadel/zitadel/internal/query"
|
|
"github.com/zitadel/zitadel/internal/telemetry/tracing"
|
|
"github.com/zitadel/zitadel/internal/zerrors"
|
|
)
|
|
|
|
func (s *Server) Introspect(ctx context.Context, r *op.Request[op.IntrospectionRequest]) (resp *op.Response, err error) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
defer func() {
|
|
err = oidcError(err)
|
|
span.EndWithError(err)
|
|
}()
|
|
|
|
features := authz.GetFeatures(ctx)
|
|
if features.LegacyIntrospection {
|
|
return s.LegacyServer.Introspect(ctx, r)
|
|
}
|
|
if features.TriggerIntrospectionProjections {
|
|
query.TriggerIntrospectionProjections(ctx)
|
|
}
|
|
|
|
ctx, cancel := context.WithCancel(ctx)
|
|
defer cancel()
|
|
|
|
clientChan := make(chan *introspectionClientResult)
|
|
go s.introspectionClientAuth(ctx, r.Data.ClientCredentials, clientChan)
|
|
|
|
tokenChan := make(chan *introspectionTokenResult)
|
|
go s.introspectionToken(ctx, r.Data.Token, tokenChan)
|
|
|
|
var (
|
|
client *introspectionClientResult
|
|
token *introspectionTokenResult
|
|
)
|
|
|
|
// make sure both channels are always read,
|
|
// and cancel the context on first error
|
|
for i := 0; i < 2; i++ {
|
|
var resErr error
|
|
|
|
select {
|
|
case client = <-clientChan:
|
|
resErr = client.err
|
|
case token = <-tokenChan:
|
|
resErr = token.err
|
|
}
|
|
|
|
if resErr == nil {
|
|
continue
|
|
}
|
|
cancel()
|
|
|
|
// we only care for the first error that occurred,
|
|
// as the next error is most probably a context error.
|
|
if err == nil {
|
|
err = resErr
|
|
}
|
|
}
|
|
|
|
// only client auth errors should be returned
|
|
var target *oidc.Error
|
|
if errors.As(err, &target) && target.ErrorType == oidc.UnauthorizedClient {
|
|
return nil, err
|
|
}
|
|
|
|
// remaining errors shouldn't be returned to the client,
|
|
// so we catch errors here, log them and return the response
|
|
// with active: false
|
|
defer func() {
|
|
if err != nil {
|
|
if zerrors.IsInternal(err) {
|
|
s.getLogger(ctx).ErrorContext(ctx, "oidc introspection", "err", err)
|
|
} else {
|
|
s.getLogger(ctx).InfoContext(ctx, "oidc introspection", "err", err)
|
|
}
|
|
resp, err = op.NewResponse(new(oidc.IntrospectionResponse)), nil
|
|
}
|
|
}()
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// TODO: can we get rid of this separate query?
|
|
if token.isPAT {
|
|
if err = s.assertClientScopesForPAT(ctx, token.accessToken, client.clientID, client.projectID); err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
if err = validateIntrospectionAudience(token.audience, client.clientID, client.projectID); err != nil {
|
|
return nil, err
|
|
}
|
|
userInfo, err := s.userInfo(
|
|
token.userID,
|
|
token.scope,
|
|
client.projectID,
|
|
client.projectRoleAssertion,
|
|
true,
|
|
true,
|
|
)(ctx, true, domain.TriggerTypePreUserinfoCreation)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
introspectionResp := &oidc.IntrospectionResponse{
|
|
Active: true,
|
|
Scope: token.scope,
|
|
ClientID: token.clientID,
|
|
TokenType: oidc.BearerToken,
|
|
Expiration: oidc.FromTime(token.tokenExpiration),
|
|
IssuedAt: oidc.FromTime(token.tokenCreation),
|
|
AuthTime: oidc.FromTime(token.authTime),
|
|
NotBefore: oidc.FromTime(token.tokenCreation),
|
|
Audience: token.audience,
|
|
AuthenticationMethodsReferences: AuthMethodTypesToAMR(token.authMethods),
|
|
Issuer: op.IssuerFromContext(ctx),
|
|
JWTID: token.tokenID,
|
|
Actor: actorDomainToClaims(token.actor),
|
|
}
|
|
introspectionResp.SetUserInfo(userInfo)
|
|
return op.NewResponse(introspectionResp), nil
|
|
}
|
|
|
|
type introspectionClientResult struct {
|
|
clientID string
|
|
projectID string
|
|
projectRoleAssertion bool
|
|
err error
|
|
}
|
|
|
|
var errNoClientSecret = errors.New("client has no configured secret")
|
|
|
|
func (s *Server) introspectionClientAuth(ctx context.Context, cc *op.ClientCredentials, rc chan<- *introspectionClientResult) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
|
|
clientID, projectID, projectRoleAssertion, err := func() (string, string, bool, error) {
|
|
client, err := s.clientFromCredentials(ctx, cc)
|
|
if err != nil {
|
|
return "", "", false, err
|
|
}
|
|
|
|
if cc.ClientAssertion != "" {
|
|
verifier := op.NewJWTProfileVerifierKeySet(keySetMap(client.PublicKeys), op.IssuerFromContext(ctx), time.Hour, time.Second)
|
|
if _, err := op.VerifyJWTAssertion(ctx, cc.ClientAssertion, verifier); err != nil {
|
|
return "", "", false, oidc.ErrUnauthorizedClient().WithParent(err)
|
|
}
|
|
return client.ClientID, client.ProjectID, client.ProjectRoleAssertion, nil
|
|
|
|
}
|
|
if client.HashedSecret != "" {
|
|
if err := s.introspectionClientSecretAuth(ctx, client, cc.ClientSecret); err != nil {
|
|
return "", "", false, oidc.ErrUnauthorizedClient().WithParent(err)
|
|
}
|
|
return client.ClientID, client.ProjectID, client.ProjectRoleAssertion, nil
|
|
}
|
|
return "", "", false, oidc.ErrUnauthorizedClient().WithParent(errNoClientSecret)
|
|
}()
|
|
|
|
span.EndWithError(err)
|
|
|
|
rc <- &introspectionClientResult{
|
|
clientID: clientID,
|
|
projectID: projectID,
|
|
projectRoleAssertion: projectRoleAssertion,
|
|
err: err,
|
|
}
|
|
}
|
|
|
|
var errNoAppType = errors.New("introspection client without app type")
|
|
|
|
func (s *Server) introspectionClientSecretAuth(ctx context.Context, client *query.IntrospectionClient, secret string) error {
|
|
var (
|
|
successCommand func(ctx context.Context, appID, projectID, resourceOwner, updated string)
|
|
failedCommand func(ctx context.Context, appID, projectID, resourceOwner string)
|
|
)
|
|
switch client.AppType {
|
|
case query.AppTypeAPI:
|
|
successCommand = s.command.APISecretCheckSucceeded
|
|
failedCommand = s.command.APISecretCheckFailed
|
|
case query.AppTypeOIDC:
|
|
successCommand = s.command.OIDCSecretCheckSucceeded
|
|
failedCommand = s.command.OIDCSecretCheckFailed
|
|
default:
|
|
return zerrors.ThrowInternal(errNoAppType, "OIDC-ooD5Ot", "Errors.Internal")
|
|
}
|
|
|
|
ctx, spanPasswordComparison := tracing.NewNamedSpan(ctx, "passwap.Verify")
|
|
updated, err := s.hasher.Verify(client.HashedSecret, secret)
|
|
spanPasswordComparison.EndWithError(err)
|
|
if err != nil {
|
|
failedCommand(ctx, client.AppID, client.ProjectID, client.ResourceOwner)
|
|
return err
|
|
}
|
|
successCommand(ctx, client.AppID, client.ProjectID, client.ResourceOwner, updated)
|
|
return nil
|
|
}
|
|
|
|
// clientFromCredentials parses the client ID early,
|
|
// and makes a single query for the client for either auth methods.
|
|
func (s *Server) clientFromCredentials(ctx context.Context, cc *op.ClientCredentials) (client *query.IntrospectionClient, err error) {
|
|
clientID, assertion, err := clientIDFromCredentials(cc)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
client, err = s.query.GetIntrospectionClientByID(ctx, clientID, assertion)
|
|
if errors.Is(err, sql.ErrNoRows) {
|
|
return nil, oidc.ErrUnauthorizedClient().WithParent(err)
|
|
}
|
|
// any other error is regarded internal and should not be reported back to the client.
|
|
return client, err
|
|
}
|
|
|
|
type introspectionTokenResult struct {
|
|
*accessToken
|
|
err error
|
|
}
|
|
|
|
func (s *Server) introspectionToken(ctx context.Context, tkn string, rc chan<- *introspectionTokenResult) {
|
|
ctx, span := tracing.NewSpan(ctx)
|
|
token, err := s.verifyAccessToken(ctx, tkn)
|
|
span.EndWithError(err)
|
|
|
|
rc <- &introspectionTokenResult{
|
|
accessToken: token,
|
|
err: err,
|
|
}
|
|
}
|
|
|
|
func validateIntrospectionAudience(audience []string, clientID, projectID string) error {
|
|
if slices.ContainsFunc(audience, func(entry string) bool {
|
|
return entry == clientID || entry == projectID
|
|
}) {
|
|
return nil
|
|
}
|
|
|
|
return zerrors.ThrowPermissionDenied(nil, "OIDC-sdg3G", "token is not valid for this client")
|
|
}
|