[Bug]: TOTP app registration fails if the requested user is not the same as the authenticated one #7944

Open
1 of 2 tasks
ashep opened this issue May 13, 2024 · 2 comments
Labels
bug Something isn't working resources

Comments

@ashep

ashep commented May 13, 2024

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Environment

ZITADEL Cloud

Version

2.49.1

Database

PostgreSQL

Database Version

No response

Describe the problem caused by this bug

When I try to start the registration of a TOTP generator for a user using a bearer token that does not belong to the requested user but to the IAM owner, I get the Request user not equal to authenticated user (AUTH-Bohd2) error.

To reproduce

Create a new user:

curl --request POST \
  --url http://zitadel:8081/v2beta/users/human \
  --header 'Authorization: Bearer IAM_OWNER_TOKEN' \
  --header 'Content-Type: application/json' \
  --data '{
	"userId": "theUserID",
	"email": {
		"email": "theEmail@localhost",
		"isVerified": true
	},
	"profile": {
		"givenName": "theGivenName",
		"familyName": "theFamilyName"
	},
	"password": {
		"password": "theP@$$word1"
	}
}
'

Try to start the registration of a TOTP generator for a user:

curl --request POST \
  --url http://zitadel:8081/v2beta/users/theUserID/totp \
  --header 'Authorization: Bearer IAM_OWNER_TOKEN' \
  --header 'Content-Type: application/json' \
  --data '{}'

Response:

{
	"code": 7,
	"message": "Request user not equal to authenticated user (AUTH-Bohd2)",
	"details": [
		{
			"@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
			"id": "AUTH-Bohd2",
			"message": "Request user not equal to authenticated user"
		}
	]
}

Screenshots

No response

Expected behavior

To be able to start the registration of a TOTP generator for a user on behalf of the IAM owner.

Operating System

No response

Relevant Configuration

No response

Additional Context

No response

@ashep ashep added the bug Something isn't working label May 13, 2024
@ashep ashep changed the title [Bug]: TOTP app registration fails if the requesting user is not the same [Bug]: TOTP app registration fails if the requested user is not the same as the authenticated one May 13, 2024
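As an added example (not code from the issue or from ZITADEL), the following Python script performs the second reproduction step and interprets the response, distinguishing the AUTH-Bohd2 subject-mismatch denial from a successful registration or an unrelated error. The base URL, user id and token are the placeholders from the issue; the constructed sample body copies the error quoted above.

```python
import json
import urllib.error
import urllib.request

# Constructed copy of the error body quoted in the issue. gRPC status code 7 is
# PERMISSION_DENIED, so ZITADEL reports the caller/path mismatch as an authorization failure.
SAMPLE_DENIED = json.dumps({
    "code": 7,
    "message": "Request user not equal to authenticated user (AUTH-Bohd2)",
    "details": [{"@type": "type.googleapis.com/zitadel.v1.ErrorDetail",
                 "id": "AUTH-Bohd2",
                 "message": "Request user not equal to authenticated user"}],
})


def build_totp_request(base_url: str, user_id: str, token: str) -> urllib.request.Request:
    """Build the same POST /v2beta/users/{id}/totp call the issue reproduces with curl."""
    return urllib.request.Request(
        f"{base_url}/v2beta/users/{user_id}/totp",
        data=b"{}",
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def start_totp(base_url: str, user_id: str, token: str) -> tuple:
    """Send the request and return (HTTP status, body) for success and error responses alike."""
    try:
        with urllib.request.urlopen(build_totp_request(base_url, user_id, token)) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def classify_totp_response(status: int, body: str) -> dict:
    """Interpret the response: success, the subject-mismatch denial from the issue, or other."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return {"ok": False, "error_id": None, "reason": f"non-JSON body with HTTP {status}"}
    if status == 200:
        return {"ok": True, "error_id": None, "reason": "registration started"}
    ids = [d.get("id") for d in data.get("details", []) if isinstance(d, dict)]
    if "AUTH-Bohd2" in ids:
        return {"ok": False, "error_id": "AUTH-Bohd2",
                "reason": "token subject differs from the user in the path; "
                          "the endpoint only accepts the target user's own token"}
    return {"ok": False, "error_id": ids[0] if ids else None,
            "reason": data.get("message", f"HTTP {status}")}


if __name__ == "__main__":  # placeholders from the issue; replace with a real instance, user and token
    print(classify_totp_response(*start_totp("http://zitadel:8081", "theUserID", "IAM_OWNER_TOKEN")))
```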
@ashep
Author

ashep commented May 20, 2024

Hello @hifabienne! Is there any news about this? I probably misunderstand the concepts behind this API.

The question is: if I have to authenticate the request to this endpoint using the user's access token, why must the user ID be provided as well?

On the other hand, why isn't it allowed to perform the request on behalf of another user who has enough privileges, say, an IAM owner?

I really appreciate any help you can provide.

@hifabienne
Member

@stebenz @eliobischof can you help here?

Projects
Status: 🧐 Investigating