zitadel / actions

ZITADEL Actions - Easy extensibility with custom code. Think GitHub Actions in an Identity System.
https://zitadel.com

flatRoles breaks /oauth/v2/token endpoint #13

Closed chickahoona closed 1 year ago

chickahoona commented 1 year ago

I followed this guide here to configure flat roles https://zitadel.com/blog/custom-claims

copied the custom role from here https://raw.githubusercontent.com/zitadel/actions/main/examples/custom_roles.js

and am now receiving

b'{"error":"server_error","error_description":"TypeError: Cannot read property \'count\' of undefined at flatRoles (\\u003ceval\\u003e:2:62(12))"}\n'

when I call the https://test-ckfxvq.zitadel.cloud/oauth/v2/token endpoint. The "Assert Roles on Authentication" is checked as mentioned in the guide. I am using Zitadel Cloud in case someone wants to investigate this.

arslan-gait commented 1 year ago

@chickahoona Hi,

I've also faced this error but managed to solve it. I've changed the line:

  if (ctx.v1.user.grants === undefined || ctx.v1.user.grants.count == 0) {

to this one:

  if (ctx.v1.user.grants === undefined || ctx.v1.user.grants.length == 0) {

and everything is working now:

...
  "my:zitadel:grants": [
    "208654500901159169:manager"
  ],
...

chickahoona commented 1 year ago

Sadly doesn't work. Now I am getting an Error 400 with

b'{"error":"server_error","error_description":"TypeError: Cannot read property \'length\' of undefined at flatRoles (\\u003ceval\\u003e:2:62(12))"}\n'

chickahoona commented 1 year ago

Fun fact: I assumed this would only affect my call to /token, and under the hood Zitadel is using some other endpoint / mechanism for their login, yet they don't and use the same one ;) As a result I cannot login anymore to my test environment through the regular zitadel interface as I always received this:

image

So whoever wrote this blog article / action, didn't even login once with the regular zitadel interface afterwards....

livio-a commented 1 year ago

the PR #16 will fix the problem (wrong check on undefined)... apologies for the inconvenience

@chickahoona regarding your test instance: i can temporarily set your action, that it is allowed to fail so you can login again and update the action with the fix.

chickahoona commented 1 year ago

That would be great. Or just remove that action there or delete the instance. (my whole account is for testing and documentation purposes only, so don't be afraid that you by accident delete the wrong instance ;D)

chickahoona commented 1 year ago

I can confirm that the fix works. Thanks a lot for your help!
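
The failure mode discussed in this thread, reproduced offline as an added example (not part of the thread and not ZITADEL's or the project's code): a `=== undefined` guard lets `null` through and throws on the property read, while a `== null` guard returns without setting a claim. The `grants.grants`, `projectId`, `roles` and `api.v1.claims.setClaim` shapes and the `runAction` harness are assumptions for illustration.

```javascript
// Added example, not ZITADEL's code; the ctx/api shapes used here are assumptions.

// Guard as quoted in the thread: null passes the check and is then dereferenced.
function flatRolesStrict(ctx, api) {
  if (ctx.v1.user.grants === undefined || ctx.v1.user.grants.count == 0) {
    return;
  }
  api.v1.claims.setClaim('my:zitadel:grants', flatten(ctx.v1.user.grants.grants));
}

// Defensive guard: `== null` matches undefined and null; the array is checked too.
function flatRolesSafe(ctx, api) {
  const g = ctx.v1.user.grants;
  if (g == null || !Array.isArray(g.grants) || g.grants.length === 0) {
    return;
  }
  api.v1.claims.setClaim('my:zitadel:grants', flatten(g.grants));
}

// Turns [{ projectId, roles: [...] }] into ["<projectId>:<role>", ...].
function flatten(grants) {
  const flat = [];
  for (const grant of grants) {
    for (const role of grant.roles || []) flat.push(grant.projectId + ':' + role);
  }
  return flat;
}

// Constructed stand-in for the runtime: records claims and captures any throw.
function runAction(action, ctx) {
  const claims = {};
  const api = { v1: { claims: { setClaim: (k, v) => { claims[k] = v; } } } };
  try {
    action(ctx, api);
    return { ok: true, claims };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Constructed inputs: grant shapes the guard has to survive in the token flow.
const oneGrant = { count: 1, grants: [{ projectId: '208654500901159169', roles: ['manager'] }] };
const cases = {
  undefinedGrants: { v1: { user: {} } },
  nullGrants: { v1: { user: { grants: null } } },
  emptyGrants: { v1: { user: { grants: { count: 0, grants: [] } } } },
  oneGrant: { v1: { user: { grants: oneGrant } } },
};
for (const [name, ctx] of Object.entries(cases)) {
  console.log(name, runAction(flatRolesStrict, ctx).ok, runAction(flatRolesSafe, ctx).ok);
}
```

Running cases like these before attaching an action to a login or token flow catches a throwing guard before it blocks sign-in, which is the situation the reporter describes.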