mirrors/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel synced 2024-11-22 00:39:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
5a85c3eda8
zitadel/internal/domain/token_test.go
Tim Möhlmann 120ed0af73
feat(oidc): organization roles scope (#8120) 
# Which Problems Are Solved

An admin / application might want to be able to reduce the amount of
roles returned in the token, for example if a user is granted to many
organizations or for specific cases where the application want to narrow
down the access for that token to a specific organization or multiple.
This can now be achieved by providing a scope with the id of the
organization, resp. multiple scopes for every organization, which should
be included.

```
urn:zitadel:iam:org:roles🆔{orgID}
```

**Note:** the new scope does not work when Introspection / Userinfo are
set to legacy mode.

# How the Problems Are Solved

The user info query now has two variants:

1. Variant that returns all organization authorization grants if the new
scope wasn't provided for backward compatibility.
2. Variant that filters the organizations based on the IDs passed in one
or more of the above scopes and returns only those authorization grants.

The query is defined as a `text/template` and both variants are rendered
once in package `init()`.

# Additional Changes

- In the integration tests `assertProjectRoleClaims` now also checks the
org IDs in the roles.

# Additional Context

- Closes #7996
2024-06-14 10:00:43 +02:00

46 lines
766 B
Go
Raw Blame History

package domain
import (
"testing"
"github.com/stretchr/testify/assert"
)
func TestRoleOrgIDsFromScope(t *testing.T) {
type args struct {
scopes []string
}
tests := []struct {
name string
args args
want []string
}{
{
name: "nil",
args: args{nil},
want: nil,
},
{
name: "unrelated scope",
args: args{[]string{"foo", "bar"}},
want: nil,
},
{
name: "orgID role scope",
args: args{[]string{OrgRoleIDScope + "123"}},
want: []string{"123"},
},
{
name: "mixed scope",
args: args{[]string{"foo", OrgRoleIDScope + "123"}},
want: []string{"123"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
got := RoleOrgIDsFromScope(tt.args.scopes)
assert.Equal(t, tt.want, got)
})
}
}
Reference in New Issue View Git Blame Copy Permalink