[SM-324] Add Organization to JWT claim

src/Core/Entities/ApiKey.cs

@@ -17,9 +17,9 @@ public class ApiKey : ITableObject<Guid>
     public string EncryptedPayload { get; set; }
     // Key for decrypting `EncryptedPayload`. Encrypted using the organization key.
     public string Key { get; set; }
-    public DateTime ExpireAt { get; internal set; }
-    public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
-    public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow;
+    public DateTime ExpireAt { get; set; }
+    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
 
     public void SetNewId()
     {

src/Core/Identity/Claims.cs

@@ -13,4 +13,7 @@ public static class Claims
     public const string OrganizationCustom = "orgcustom";
     public const string ProviderAdmin = "providerprovideradmin";
     public const string ProviderServiceUser = "providerserviceuser";
+
+    // Service Account
+    public const string Organization = "organization";
 }

src/Core/Models/Data/ApiKeyDetails.cs

@@ -0,0 +1,10 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.Models.Data;
+
+public class ApiKeyDetails : ApiKey
+{
+    public ApiKeyDetails() { }
+
+    public Guid ServiceAccountOrganizationId { get; set; }
+}

src/Core/Repositories/IApiKeyRepository.cs

@@ -1,7 +1,9 @@
 using Bit.Core.Entities;
+using Bit.Core.Models.Data;
 
 namespace Bit.Core.Repositories;
 
 public interface IApiKeyRepository : IRepository<ApiKey, Guid>
 {
+    Task<ApiKeyDetails> GetDetailsByIdAsync(Guid id);
 }

src/Identity/IdentityServer/ApiResources.cs

@@ -31,7 +31,7 @@ public static IEnumerable<ApiResource> GetApiResources()
             new(ApiScopes.ApiLicensing, new[] { JwtClaimTypes.Subject }),
             new(ApiScopes.ApiOrganization, new[] { JwtClaimTypes.Subject }),
             new(ApiScopes.ApiInstallation, new[] { JwtClaimTypes.Subject }),
-            new(ApiScopes.ApiSecrets, new[] { JwtClaimTypes.Subject }),
+            new(ApiScopes.ApiSecrets, new[] { JwtClaimTypes.Subject, Claims.Organization }),
         };
     }
 }

src/Identity/IdentityServer/ClientStore.cs

@@ -2,6 +2,7 @@
 using System.Security.Claims;
 using Bit.Core.Context;
 using Bit.Core.Enums;
+using Bit.Core.Identity;
 using Bit.Core.IdentityServer;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@@ -86,7 +87,7 @@ public async Task<Client> FindClientByIdAsync(string clientId)
 
     private async Task<Client> CreateApiKeyClientAsync(string clientId)
     {
-        var apiKey = await _apiKeyRepository.GetByIdAsync(new Guid(clientId));
+        var apiKey = await _apiKeyRepository.GetDetailsByIdAsync(new Guid(clientId));
 
         if (apiKey == null || apiKey.ExpireAt <= DateTime.Now)
         {
@@ -108,6 +109,7 @@ private async Task<Client> CreateApiKeyClientAsync(string clientId)
             Claims = new List<ClientClaim>
             {
                 new(JwtClaimTypes.Subject, apiKey.ServiceAccountId.ToString()),
+                new(Claims.Organization, apiKey.ServiceAccountOrganizationId.ToString())
             },
         };
     }

src/Infrastructure.Dapper/Repositories/ApiKeyRepository.cs

@@ -1,6 +1,10 @@
-using Bit.Core.Entities;
+using System.Data;
+using Bit.Core.Entities;
+using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
+using Dapper;
+using Microsoft.Data.SqlClient;
 
 namespace Bit.Infrastructure.Dapper.Repositories;
 
@@ -13,4 +17,15 @@ public ApiKeyRepository(GlobalSettings globalSettings)
     public ApiKeyRepository(string connectionString, string readOnlyConnectionString)
         : base(connectionString, readOnlyConnectionString)
     { }
+
+    public async Task<ApiKeyDetails> GetDetailsByIdAsync(Guid id)
+    {
+        using var connection = new SqlConnection(ConnectionString);
+        var results = await connection.QueryAsync<ApiKeyDetails>(
+            $"[{Schema}].[ApiKeyDetails_ReadById]",
+            new { Id = id },
+            commandType: CommandType.StoredProcedure);
+
+        return results.SingleOrDefault();
+    }
 }

src/Infrastructure.EntityFramework/Repositories/ApiKeyRepository.cs

@@ -1,6 +1,8 @@
 using AutoMapper;
+using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Infrastructure.EntityFramework.Models;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.DependencyInjection;
 
 namespace Bit.Infrastructure.EntityFramework.Repositories;
@@ -11,4 +13,30 @@ public ApiKeyRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper
         : base(serviceScopeFactory, mapper, (DatabaseContext context) => context.ApiKeys)
     {
     }
+
+    public async Task<ApiKeyDetails> GetDetailsByIdAsync(Guid id)
+    {
+        using var scope = ServiceScopeFactory.CreateScope();
+        var dbContext = GetDatabaseContext(scope);
+        var entity = await GetDbSet(dbContext)
+            .Where(apiKey => apiKey.Id == id)
+            .Include(apiKey => apiKey.ServiceAccount)
+            .Select(apiKey => new ApiKeyDetails
+            {
+                Id = apiKey.Id,
+                ServiceAccountId = apiKey.ServiceAccountId,
+                Name = apiKey.Name,
+                ClientSecret = apiKey.ClientSecret,
+                Scope = apiKey.Scope,
+                EncryptedPayload = apiKey.EncryptedPayload,
+                Key = apiKey.Key,
+                ExpireAt = apiKey.ExpireAt,
+                CreationDate = apiKey.CreationDate,
+                RevisionDate = apiKey.RevisionDate,
+                ServiceAccountOrganizationId = apiKey.ServiceAccount.OrganizationId
+            })
+            .FirstOrDefaultAsync();
+
+        return Mapper.Map<ApiKeyDetails>(entity);
+    }
 }

src/Sql/Sql.sqlproj

@@ -73,7 +73,8 @@
     <Build Include="dbo\Functions\PolicyApplicableToUser.sql" />
     <Build Include="dbo\Functions\UserCipherDetails.sql" />
     <Build Include="dbo\Functions\UserCollectionDetails.sql" />
-    <Build Include="dbo\Stored Procedures\ApiKey_ReadById.sql" />
+    <Build Include="dbo\Stored Procedures\ApiKey\ApiKey_ReadById.sql" />
+    <Build Include="dbo\Stored Procedures\ApiKey\ApiKeyDetails_ReadById.sql" />
     <Build Include="dbo\Stored Procedures\AuthRequest_Create.sql" />
     <Build Include="dbo\Stored Procedures\AuthRequest_DeleteById.sql" />
     <Build Include="dbo\Stored Procedures\AuthRequest_DeleteIfExpired.sql" />
@@ -391,6 +392,7 @@
     <Build Include="dbo\User Defined Types\OrganizationUserType.sql" />
     <Build Include="dbo\User Defined Types\SelectionReadOnlyArray.sql" />
     <Build Include="dbo\User Defined Types\TwoGuidIdArray.sql" />
+    <Build Include="dbo\Views\ApiKeyDetailsView.sql" />
     <Build Include="dbo\Views\ApiKeyView.sql" />
     <Build Include="dbo\Views\AuthRequestView.sql" />
     <Build Include="dbo\Views\CipherView.sql" />

src/Sql/dbo/Stored Procedures/ApiKey/ApiKeyDetails_ReadById.sql

@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[ApiKeyDetails_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[ApiKeyDetailsView]
+    WHERE
+        [Id] = @Id
+END

src/Sql/dbo/Views/ApiKeyDetailsView.sql

@@ -0,0 +1,9 @@
+CREATE VIEW [dbo].[ApiKeyDetailsView]
+AS
+SELECT
+    AK.*,
+    SA.[OrganizationId] ServiceAccountOrganizationId
+FROM
+    [dbo].[ApiKey] AS AK
+LEFT JOIN
+    [dbo].[ServiceAccount] SA ON SA.[Id] = AK.[ServiceAccountId]

test/Identity.IntegrationTest/openid-configuration.json

@@ -28,7 +28,8 @@
     "orgcustom",
     "providerprovideradmin",
     "providerserviceuser",
-    "sub"
+    "sub",
+    "organization"
   ],
   "grant_types_supported": [
     "authorization_code",

util/Migrator/DbScripts/2022-11-03_00_ApiKeyDetails.sql

@@ -0,0 +1,24 @@
+CREATE OR ALTER VIEW [dbo].[ApiKeyDetailsView]
+AS
+SELECT
+    AK.*,
+    SA.[OrganizationId] ServiceAccountOrganizationId
+FROM
+    [dbo].[ApiKey] AS AK
+LEFT JOIN
+    [dbo].[ServiceAccount] SA ON SA.[Id] = AK.[ServiceAccountId]
+GO
+
+CREATE OR ALTER PROCEDURE [dbo].[ApiKeyDetails_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[ApiKeyDetailsView]
+    WHERE
+        [Id] = @Id
+END