

Service identities only have trust with their managing ORG
loafoe committed Jul 8, 2024
1 parent 9dcc27d commit 51c78ee
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion connector/hsdp/extend_payload.go
Expand Up @@ -19,7 +19,7 @@ func (c *HSDPConnector) ExtendPayload(scopes []string, payload []byte, cdata []b
return payload, err
}

c.logger.Info("ExtendPayload called", "user", cd.Introspect.Username)
c.logger.Info("ExtendPayload called", "sub", cd.Introspect.Sub, "user", cd.Introspect.Username)

// Check if we have a trusted org mapping
aud := originalClaims["aud"].(string)
Expand All @@ -28,6 +28,11 @@ func (c *HSDPConnector) ExtendPayload(scopes []string, payload []byte, cdata []b
trustedOrgID = orgID
}

// Service identities only support their managing org as the trusted org
if cd.Introspect.IdentityType == "Service" {
trustedOrgID = cd.Introspect.Organizations.ManagingOrganization
}

for _, scope := range scopes {
// Experimental fill introspect body into claims
if scope == "hsp:iam:introspect" {
Expand All @@ -38,6 +43,7 @@ func (c *HSDPConnector) ExtendPayload(scopes []string, payload []byte, cdata []b
originalClaims["tkn"] = string(cd.AccessToken)
}
}
originalClaims["idt"] = cd.Introspect.IdentityType
originalClaims["mid"] = cd.Introspect.Organizations.ManagingOrganization
originalClaims["tid"] = trustedOrgID
// Rewrite subject
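Review bot: The Service override at `if cd.Introspect.IdentityType == "Service"` replaces trustedOrgID unconditionally, so a Service identity whose introspect response carries an empty ManagingOrganization ends up with an empty `tid` claim rather than being rejected; it would be safer to fail closed right after the override, e.g. `if trustedOrgID == "" { return payload, errors.New("service identity has no managing organization") }` (adding the `errors` import if the file does not already have it). The comparison is an exact, case-sensitive match against the literal "Service", which is presumably what IAM returns; a comment naming the source of that value would help the next reader, such as `// IdentityType comes from the IAM introspect response; "Service" marks a service identity`. Adjacent and pre-existing rather than introduced here, `originalClaims["aud"].(string)` is an unchecked type assertion that will panic if aud was decoded as a []string, which JWT aud may be. ExtendPayload begins before the first hunk and continues past the last one.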
