raystack
diff --git a/‎core/authenticate/mocks/service_user_service.go‎
Lines changed: 58 additions & 1 deletion b/‎core/authenticate/mocks/service_user_service.go‎
Lines changed: 58 additions & 1 deletion
diff --git a/‎core/authenticate/service.go‎
Lines changed: 40 additions & 20 deletions b/‎core/authenticate/service.go‎
Lines changed: 40 additions & 20 deletions
diff --git a/‎core/authenticate/token/service.go‎
Lines changed: 4 additions & 2 deletions b/‎core/authenticate/token/service.go‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎internal/api/v1beta1/authenticate.go‎
Lines changed: 2 additions & 5 deletions b/‎internal/api/v1beta1/authenticate.go‎
Lines changed: 2 additions & 5 deletions
diff --git a/‎internal/api/v1beta1/mocks/authn_service.go‎
Lines changed: 16 additions & 16 deletions b/‎internal/api/v1beta1/mocks/authn_service.go‎
Lines changed: 16 additions & 16 deletions
diff --git a/‎internal/api/v1beta1/user_test.go‎
Lines changed: 4 additions & 1 deletion b/‎internal/api/v1beta1/user_test.go‎
Lines changed: 4 additions & 1 deletion
@@ -65,6 +65,7 @@ type UserService interface {
 }
 
 type ServiceUserService interface {
+	Get(ctx context.Context, id string) (serviceuser.ServiceUser, error)
 	GetByJWT(ctx context.Context, token string) (serviceuser.ServiceUser, error)
 	GetBySecret(ctx context.Context, clientID, clientSecret string) (serviceuser.ServiceUser, error)
 }
@@ -677,8 +678,12 @@ func (s Service) applyOIDC(ctx context.Context, request RegistrationFinishReques
 }
 
 // BuildToken creates an access token for the given subjectID
-func (s Service) BuildToken(ctx context.Context, subjectID string, metadata map[string]string) ([]byte, error) {
-	return s.internalTokenService.Build(subjectID, metadata)
+func (s Service) BuildToken(ctx context.Context, principal Principal, metadata map[string]string) ([]byte, error) {
+	metadata[token.SubTypeClaimsKey] = principal.Type
+	if principal.Type == schema.UserPrincipal && s.config.Token.Claims.AddUserEmailClaim {
+		metadata[token.SubEmailClaimsKey] = principal.User.Email
+	}
+	return s.internalTokenService.Build(principal.ID, metadata)
 }
 
 // JWKs returns the public keys to verify the access token
@@ -775,27 +780,42 @@ func (s Service) GetPrincipal(ctx context.Context, assertions ...ClientAssertion
 				return Principal{}, errors.ErrUnauthenticated
 			}
 			// check type of jwt
-			if val, ok := insecureJWT.Get(token.GeneratedClaimKey); ok {
-				if claimVal, ok := val.(string); ok && claimVal == token.GeneratedClaimValue {
-					// extract user from token if present as its created by frontier
-					userID, _, err := s.internalTokenService.Parse(ctx, []byte(userToken))
-					if err == nil && utils.IsValidUUID(userID) {
-						// userID is a valid uuid
-						currentUser, err := s.userService.GetByID(ctx, userID)
-						if err != nil {
-							return Principal{}, err
-						}
-						return Principal{
-							ID:   currentUser.ID,
-							Type: schema.UserPrincipal,
-							User: &currentUser,
-						}, nil
-					}
+			if genClaim, ok := insecureJWT.Get(token.GeneratedClaimKey); ok {
+				// jwt generated by frontier using public key
+				claimVal, ok := genClaim.(string)
+				if !ok || claimVal != token.GeneratedClaimValue {
+					return Principal{}, errors.ErrUnauthenticated
+				}
+
+				// extract user from token if present as its created by frontier
+				userID, claims, err := s.internalTokenService.Parse(ctx, []byte(userToken))
+				if err != nil || !utils.IsValidUUID(userID) {
+					s.log.Debug("failed to parse as internal token ", "err", err)
+					return Principal{}, errors.ErrUnauthenticated
+				}
+
+				// userID is a valid uuid
+				if claims[token.SubTypeClaimsKey] == schema.ServiceUserPrincipal {
+					currentUser, err := s.serviceUserService.Get(ctx, userID)
 					if err != nil {
-						s.log.Debug("failed to parse as internal token ", "err", err)
-						return Principal{}, errors.ErrUnauthenticated
+						return Principal{}, err
 					}
+					return Principal{
+						ID:          currentUser.ID,
+						Type:        schema.ServiceUserPrincipal,
+						ServiceUser: &currentUser,
+					}, nil
+				}
+
+				currentUser, err := s.userService.GetByID(ctx, userID)
+				if err != nil {
+					return Principal{}, err
 				}
+				return Principal{
+					ID:   currentUser.ID,
+					Type: schema.UserPrincipal,
+					User: &currentUser,
+				}, nil
 			}
 		}
 
 
@@ -21,6 +21,8 @@ const (
 	GeneratedClaimKey   = "gen"
 	GeneratedClaimValue = "system"
 	OrgIDsClaimKey      = "org_ids"
+	SubTypeClaimsKey    = "sub_type"
+	SubEmailClaimsKey   = "email"
 )
 
 type Service struct {
@@ -79,11 +81,11 @@ func (s Service) Parse(ctx context.Context, userToken []byte) (string, map[strin
 	// verify token with jwks
 	verifiedToken, err := jwt.Parse(userToken, jwt.WithKeySet(s.publicKeySet))
 	if err != nil {
-		return "", nil, fmt.Errorf("%s: %w", ErrInvalidToken.Error(), err)
+		return "", nil, fmt.Errorf("%s: %w", err.Error(), ErrInvalidToken)
 	}
 	tokenClaims, err := verifiedToken.AsMap(ctx)
 	if err != nil {
-		return "", nil, fmt.Errorf("%s: %w", ErrInvalidToken.Error(), err)
+		return "", nil, fmt.Errorf("%s: %w", err.Error(), ErrInvalidToken)
 	}
 	return verifiedToken.Subject(), tokenClaims, nil
 }
@@ -38,7 +38,7 @@ import (
 type AuthnService interface {
 	StartFlow(ctx context.Context, request authenticate.RegistrationStartRequest) (*authenticate.RegistrationStartResponse, error)
 	FinishFlow(ctx context.Context, request authenticate.RegistrationFinishRequest) (*authenticate.RegistrationFinishResponse, error)
-	BuildToken(ctx context.Context, principalID string, metadata map[string]string) ([]byte, error)
+	BuildToken(ctx context.Context, principal authenticate.Principal, metadata map[string]string) ([]byte, error)
 	JWKs(ctx context.Context) jwk.Set
 	GetPrincipal(ctx context.Context, via ...authenticate.ClientAssertion) (authenticate.Principal, error)
 	SupportedStrategies() []string
@@ -292,9 +292,6 @@ func (h Handler) getAccessToken(ctx context.Context, principal authenticate.Prin
 		}
 		customClaims[token.OrgIDsClaimKey] = strings.Join(orgIds, ",")
 	}
-	if principal.Type == schema.UserPrincipal && h.authConfig.Token.Claims.AddUserEmailClaim {
-		customClaims["email"] = principal.User.Email
-	}
 
 	// find selected project id
 	if md, ok := metadata.FromIncomingContext(ctx); ok {
@@ -317,7 +314,7 @@ func (h Handler) getAccessToken(ctx context.Context, principal authenticate.Prin
 	}
 
 	// build jwt for user context
-	return h.authnService.BuildToken(ctx, principal.ID, customClaims)
+	return h.authnService.BuildToken(ctx, principal, customClaims)
 }
 
 func setRedirectHeaders(ctx context.Context, url string) error {
 
@@ -450,7 +450,10 @@ func TestGetCurrentUser(t *testing.T) {
 			mockOrgService := new(mocks.OrganizationService)
 			mockOrgService.EXPECT().ListByUser(mock.Anything, "user-id-1", organization.Filter{}).Return([]organization.Organization{}, nil)
 			mockAuthnSrv.EXPECT().BuildToken(mock.Anything,
-				"user-id-1", map[string]string{"orgs": ""}).Return(nil, token.ErrMissingRSADisableToken)
+				authenticate.Principal{
+					ID:   "user-id-1",
+					Type: schema.UserPrincipal,
+				}, map[string]string{"orgs": ""}).Return(nil, token.ErrMissingRSADisableToken)
 
 			if tt.setup != nil {
 				ctx = tt.setup(ctx, mockAuthnSrv, nil)
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ const (`
`21`	`21`	`GeneratedClaimKey = "gen"`
`22`	`22`	`GeneratedClaimValue = "system"`
`23`	`23`	`OrgIDsClaimKey = "org_ids"`
	`24`	`+ SubTypeClaimsKey = "sub_type"`
	`25`	`+ SubEmailClaimsKey = "email"`
`24`	`26`	`)`
`25`	`27`
`26`	`28`	`type Service struct {`
`@@ -79,11 +81,11 @@ func (s Service) Parse(ctx context.Context, userToken []byte) (string, map[strin`
`79`	`81`	`// verify token with jwks`
`80`	`82`	`verifiedToken, err := jwt.Parse(userToken, jwt.WithKeySet(s.publicKeySet))`
`81`	`83`	`if err != nil {`
`82`		`- return "", nil, fmt.Errorf("%s: %w", ErrInvalidToken.Error(), err)`
	`84`	`+ return "", nil, fmt.Errorf("%s: %w", err.Error(), ErrInvalidToken)`
`83`	`85`	`}`
`84`	`86`	`tokenClaims, err := verifiedToken.AsMap(ctx)`
`85`	`87`	`if err != nil {`
`86`		`- return "", nil, fmt.Errorf("%s: %w", ErrInvalidToken.Error(), err)`
	`88`	`+ return "", nil, fmt.Errorf("%s: %w", err.Error(), ErrInvalidToken)`
`87`	`89`	`}`
`88`	`90`	`return verifiedToken.Subject(), tokenClaims, nil`
`89`	`91`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ import (`
`38`	`38`	`type AuthnService interface {`
`39`	`39`	`StartFlow(ctx context.Context, request authenticate.RegistrationStartRequest) (*authenticate.RegistrationStartResponse, error)`
`40`	`40`	`FinishFlow(ctx context.Context, request authenticate.RegistrationFinishRequest) (*authenticate.RegistrationFinishResponse, error)`
`41`		`- BuildToken(ctx context.Context, principalID string, metadata map[string]string) ([]byte, error)`
	`41`	`+ BuildToken(ctx context.Context, principal authenticate.Principal, metadata map[string]string) ([]byte, error)`
`42`	`42`	`JWKs(ctx context.Context) jwk.Set`
`43`	`43`	`GetPrincipal(ctx context.Context, via ...authenticate.ClientAssertion) (authenticate.Principal, error)`
`44`	`44`	`SupportedStrategies() []string`
`@@ -292,9 +292,6 @@ func (h Handler) getAccessToken(ctx context.Context, principal authenticate.Prin`
`292`	`292`	`}`
`293`	`293`	`customClaims[token.OrgIDsClaimKey] = strings.Join(orgIds, ",")`
`294`	`294`	`}`
`295`		`- if principal.Type == schema.UserPrincipal && h.authConfig.Token.Claims.AddUserEmailClaim {`
`296`		`- customClaims["email"] = principal.User.Email`
`297`		`- }`
`298`	`295`
`299`	`296`	`// find selected project id`
`300`	`297`	`if md, ok := metadata.FromIncomingContext(ctx); ok {`
`@@ -317,7 +314,7 @@ func (h Handler) getAccessToken(ctx context.Context, principal authenticate.Prin`
`317`	`314`	`}`
`318`	`315`
`319`	`316`	`// build jwt for user context`
`320`		`- return h.authnService.BuildToken(ctx, principal.ID, customClaims)`
	`317`	`+ return h.authnService.BuildToken(ctx, principal, customClaims)`
`321`	`318`	`}`
`322`	`319`
`323`	`320`	`func setRedirectHeaders(ctx context.Context, url string) error {`