[Bug]: Zitadel forgets `urn:zitadel:iam:org:id:{orgId}` scope if you insert domain suffix of another org
Preflight Checklist
- [X] I could not find a solution in the documentation, the existing issues or discussions
- [X] I have joined the ZITADEL chat
Environment
Self-hosted
Version
v2.58.2
Database
PostgreSQL
Database Version
16-alpine
Describe the problem caused by this bug
When a user accidentally or intentionally repeats the reproduction steps, Zitadel forgets the organization scope that was added to the authorize request during the login process and reverts to the default organization. This can lead to users signing in or signing up to the wrong organization, with the authentication process succeeding even though the organization condition is broken.
To reproduce
- Enable `Add organization domain as suffix to loginnames` in instance settings.
- Have two orgs `A` and `B`. Set `A` to default. Create a user in `A`. Let's call it `[email protected]@A.localhost`.
- Create projects and applications for both organizations (I use PKCE).
- Set your applications to add `urn:zitadel:iam:org:id:{orgIdOfB}` to the scopes in the authorization URL.
- Sign in. You will be greeted with `Enter your login data. The user must be member of the B organization.`
- Click `Other User`.
- Input `[email protected]@A.localhost`. Click `Next`.
- Zitadel will take you to the "Registration options" screen (instead of the login-by-password screen as one might expect). At this point, if there are branding differences, you might notice the change already.
- Click the back-arrow of Zitadel. You will be greeted with `Enter your login data. The user must be member of the A organization.`
- Now input `[email protected]@A.localhost` again and click `Next`.
- Enter the password. If the password is correct, you will sign in successfully.
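Because the login UI can lose the `urn:zitadel:iam:org:id:{orgId}` scope along the way, a relying party should not rely on the login screen alone to enforce the organization pin. The following is an added example (not ZITADEL project code, and not part of the original report): it builds a PKCE authorize URL that pins an organization via that scope, recovers the pinned org id from the URL, and checks after login that the ID token's resource-owner org claim matches it. It assumes ZITADEL's `/oauth/v2/authorize` endpoint path and the reserved claim `urn:zitadel:iam:user:resourceowner:id` (returned when the `urn:zitadel:iam:user:resourceowner` scope is requested); issuer, client id, redirect URI and org ids are placeholders. The demo token is constructed and unsigned; real tokens must have their signature verified against the issuer's JWKS before any claim is trusted.

```python
"""Pin an organization in the authorize request and verify the issued
ID token really belongs to it (client-side defense in depth).

Added example, not ZITADEL's code. Assumptions: the authorize endpoint
path /oauth/v2/authorize and the reserved claim
urn:zitadel:iam:user:resourceowner:id (requires the matching
urn:zitadel:iam:user:resourceowner scope). All ids/URLs are placeholders.
"""
import base64
import hashlib
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

ORG_SCOPE_PREFIX = "urn:zitadel:iam:org:id:"          # from the report
RESOURCE_OWNER_SCOPE = "urn:zitadel:iam:user:resourceowner"  # assumed scope
RESOURCE_OWNER_ID_CLAIM = "urn:zitadel:iam:user:resourceowner:id"  # assumed claim


def b64url(raw: bytes) -> str:
    """Base64url without padding, as used by PKCE and JWT."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) per RFC 7636 with S256."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        org_id: str, code_challenge: str, state: str) -> str:
    """Authorize URL that pins the login to org_id via the reserved scope."""
    scopes = ["openid", "profile", "email", RESOURCE_OWNER_SCOPE,
              ORG_SCOPE_PREFIX + org_id]
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{issuer.rstrip('/')}/oauth/v2/authorize?{urlencode(params)}"


def requested_org_id(authorize_url: str) -> Optional[str]:
    """Recover the org id pinned by the authorize request, if any."""
    query = parse_qs(urlparse(authorize_url).query)
    for scope in query.get("scope", [""])[0].split():
        if scope.startswith(ORG_SCOPE_PREFIX):
            return scope[len(ORG_SCOPE_PREFIX):]
    return None


def decode_jwt_payload(token: str) -> dict:
    """Decode a compact JWT payload WITHOUT verifying its signature.
    Only use the result after the signature has been checked elsewhere."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def token_matches_requested_org(id_token: str, authorize_url: str) -> bool:
    """True only when the token's resource-owner org equals the pinned org.
    A missing pin or a missing claim is treated as a failed check."""
    expected = requested_org_id(authorize_url)
    if expected is None:
        return False
    return decode_jwt_payload(id_token).get(RESOURCE_OWNER_ID_CLAIM) == expected


def fake_id_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo only (never accept alg=none)."""
    header = b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


if __name__ == "__main__":
    _, challenge = make_pkce_pair()
    url = build_authorize_url("https://zitadel.example.localhost",
                              "CLIENT_ID_PLACEHOLDER",
                              "https://app.example.localhost/callback",
                              "ORG_B_ID_PLACEHOLDER", challenge,
                              secrets.token_urlsafe(16))
    # Token from the pinned org B passes; a token from org A (the report's
    # failure mode, where login silently fell back to the default org) fails.
    ok = fake_id_token({"sub": "1", RESOURCE_OWNER_ID_CLAIM: "ORG_B_ID_PLACEHOLDER"})
    wrong = fake_id_token({"sub": "2", RESOURCE_OWNER_ID_CLAIM: "ORG_A_ID_PLACEHOLDER"})
    print("org B token accepted:", token_matches_requested_org(ok, url))
    print("org A token accepted:", token_matches_requested_org(wrong, url))
```

Rejecting the session when the check fails turns the silent fallback described in the steps above into a visible error on the relying-party side, independent of which login screen ZITADEL happened to show.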
Screenshots
First stage (hyvinkaa is my org B)
What breaks it (s3dtest is my org A)
Now it's in a broken state already
Now we can log in with users of S3dtest organization
Expected behavior
Zitadel should immediately reject my attempt at logging in with users of other organizations (unless perhaps that user has been authorized), and should not switch to the login of another organization when I use the @domain syntax.
Operating System
Linux Desktop, Firefox/Chromium browsers
Relevant Configuration
`Add organization domain as suffix to loginnames` in instance settings should most likely be enabled, but I didn't actually test this without it.
Additional Context
I originally reported the bug in Discord. You can view the conversation here https://discord.com/channels/927474939156643850/1272929081146736701