Get all roles from every project into one access token
Hello everyone, I have a question.
Currently when I get a token from the OIDC client everything works fine. With the ClientId I get the roles from the project.
Now my question is if it's possible to get all roles of the user from every project that is currently available in the project. I have about 7 projects and I need all users' roles for every project. If I want to do that I need 7 different access tokens, but I only want to have 1. Is something like that possible?
Hm, good question.
Currently we do not have that ability ready made.
However, if you want to be creative, you could create an action and, with the help of our http module, call the data through the management API (the internal management API does not expose this yet).
I.e. with this you can tweak the token content: https://zitadel.com/docs/apis/actions/complement-token
This is the http module for actions: https://zitadel.com/docs/apis/actions/modules
Hey @FFO, thanks for your message. I have to admit I don't even know where to begin making this action and what exactly I have to do. As far as I understand it, I have to call an action in my backend and tweak the token content (I don't know what tweak means). Is that right?
Is this the action you meant?

Yes, you can basically run JS code at certain points of zitadel.
I.e. when we create tokens.
We just started collecting examples here: https://github.com/zitadel/actions/tree/main/examples
Can you tell me how I tweak the token content with all roles?
What should my script have to do?
Currently it's a little verbose.
You would need to fetch all the roles from a call to the management API with the current user's id set:
/users/grants/_search

This could be done using the http module,
and then you can assert the values to the tokens.
That's the ListMyUserGrants, right?
On the auth API, yes.
But that is only scoped to a single user when you have the user's token.
In the actions you currently do not have the user's token.
The thing is, when I do that I get the result I want: every role the user has on every project. But I think the performance would really struggle if I do it like this in the backend, because I would have to call it every time my API gets called.

I actually only want all roles from a single user, but on different projects. I think you misunderstood me at the beginning, could that be?
The only thing is that I want this information in the user's claim in the access token so I don't have to call it every time with ListMyUserGrants.
Because currently I only get the roles of one project.
You can easily cache the response for a moment, and in most places you should get the response quickly from our end.
No, I understood that.
My point was more that in actions you could call the management API with the userID as filter to get all roles from a user across all projects. The reason to use the mgmt API is only that you can hardcode the access token into the action.
That makes sense to me. The only thing is I don't know where to start with the action.
Got it.
I can try and spend some time tomorrow on an example.
In the meantime the query you make could be cached to reduce the burden of latency.
Is it something like that? That's from the docs.

Out of curiosity with gRPC how high is the latency on your end?
Yes.
https://github.com/zitadel/actions/blob/main/examples/add_user_grant.js is an example that uses the action-internal mgmt methods to add grants to a user.
But we are always evolving this, so we will open up more things internally.
Uf, I would have to test it, can't tell you right away.
No problem, I was just curious.
Well, in my example I have to setClaim() in the access token, is that right?
Well, this is how you set the grants in the access token, but how do I get them in the first place?

Yeah, getting the roles is basically a POST with JS to our management API.
This one, right?
Yes.
Pro tip: create a new zitadel instance to tinker around.
The userid is in ctx.v1.user?
ctx.v1.user.id
Aha, okay.
That's what you want to pass as filter.
It starts to make sense even more now, I think I know where I can begin now to do the action.
In your case the flow should be https://zitadel.com/docs/apis/actions/complement-token with the trigger pre-access-token if you want to have a JWT access token with the roles.
Yes, that makes sense.
Well, I'm gonna try it and tell you the result later on. Really appreciate your help, thanks!
Happy to help.
One more question. Is that the only way to make an action? Can I make the action in a standalone JavaScript file so I have a debugger and interpreter?

ATM yes, but that's currently a field we are planning to improve.
Btw. make sure that the name and the function name line up.
There would be Terraform to apply actions, but developing them needs more love.
I was just trying something out there.
It's a bit hard to think without an interpreter hahaha.
Agreed.
You can create the code in your IDE and paste it.
Already did hehe.

URL right as I did, or does it need the full path?
Full path.
How can I see if it worked or not?
I made this script and zitadel gives me no feedback if it works or not. The action is stated as active but nothing happens.

It says it's active but it doesn't look like it's working.

It looks like my function never gets called, but I'm not sure.
Sorry, was out for lunch.
What you need to do is not write on the api.userGrants but instead on api.v1.claims.setClaim.
Btw. are you self-hosted or cloud?
Because in self-hosted you can also use our log method to print out stuff to stdout.
(There is a logger coming for the cloud as well.)
No problem, I was out too. I'm currently self-hosted.
How does that work?
I tried to do api.v1.userinfo.setClaim('year', 2023) as a test, but it didn't get added.
api.v1.userinfo.setClaim is for id_tokens.
Oh, I see.
api.v1.claims.setClaim is for access tokens.
So this should work?

I think you need to do a POST to fetch data.
But at first glance it looks good.
Yep, that's true.
Just FYI, @livio and I are hunting a bug in the setClaim code.
Is it even right if I set the parameters like in my code? It seems to take a string and any.

Ehm, a string as key and any as body.
Is that enough to get my function executed?

Make sure the name of the function is the same as your func ....
I looked at my logs, I don't get a hello world or anything else.

Name of the function is also the same.

I searched my logs in the docker container. But there is nothing. Is there an own log file in the system that outputs the logs?
Does it depend on these settings? https://zitadel.com/docs/self-hosting/manage/quotas

Do I need that stuff? And if yes, where do I have to add it?
Hm, no, that was just introduced to have an option with zitadel to log all access requests (i.e. reading data).
Hm, if it is not logging it is either not hit or you hit the bug @livio is looking for.
The actions I did should be hit as much as I can tell, because everything was done right on the console site. It could really be that nothing gets logged. It was really frustrating yesterday searching for these logs. Is it right that those logs must show up in "docker compose logs"?
I also tried to test actions made from your sample (https://github.com/zitadel/actions/blob/main/examples/post_auth_log.js). Here even the syntax and everything should be okay, but still no logs there. Also none that the process failed or something.

Just for my understanding: when does the action get executed exactly? When the user calls "/oauth/v2/token"?
Yes, exactly. To me it looks like you hit a bug there, let me work this out with @livio.
Yes, sure. Pls let me know if there is an update.
Will do.
So, we just poked around a little.
Can you try the same with zitadel 2.20.0?
We improved the logger to output errors better.
Is that the latest version?
Yes.
I get console logs now. But kinda not helpful logs, but still better than nothing. It looks like I get the whole http request logged. I don't know why, because I don't log that anywhere.
Starts with: time="2023-02-17T13:25:06Z" level=info msg="log record emitted" caller="/home/runner/work/zitadel/zitadel/internal/logstore/emitters/stdout/stdout.go:19" record="{"logDate":"2023-02-17T13:25:06.892322614Z","protocol":1,"requestUrl":"/oauth/v2/token\ ........ and goes on
Hm, can you share more of the logs?
Yes, but can I send it privately to you?
Surely, send a DM.