wlinna 10mo ago

id_token missing in callback when `urn:zitadel:iam:org:id:{orgId}` added to the scope

UPDATE: This was my mistake. I added the additional scope with + because I saw that profile+email+openid also has a plus. Also, my plus turned into %2B while other + characters didn't change for some reason. However, after I replaced my own + (%2B) with whitespace, I get the id_token.

I want to enforce that the user belongs to the specified organization, so I add it to the scope when creating the URL. However, when Zitadel calls the callback, id_token is missing (I only get an access token that looks opaque). If I omit `urn:zitadel:iam:org:id:{orgId}`, I get the id_token as expected.

Is this expected behavior? If it is, where can I read more about it?

Here is what the authorization URL looks like:

http://localhost:4444/oauth/v2/authorize?response_type=code&client_id=280114109276553218&audience=&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fsession%2Fcallback&scope=profile+email+openid%2Burn%3Azitadel%3Aiam%3Aorg%3Aid%3A280113846494953474&state=_rhU4K3SX4C2JoO33tUUCA&code_challenge=OMUSKo6i5w0NocjXV_g-t50l1vxB7PD0eEcXlzC727Q&code_challenge_method=S256I

I'm running Zitadel v2.58.2 in a Docker container.
1 Reply
FFO 10mo ago
Great to know that this is resolved!
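The scope encoding issue from the thread, as an added example that is not part of the original posts and is not Zitadel's code: it decodes the `scope` parameter the way standard form decoding does (`+` becomes a space, `%2B` becomes a literal `+`) and shows that the posted value never contains `openid` as its own token, which is consistent with the missing id_token. The function names, client id, state and code challenge values are assumptions made for the illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample: only the scope parameter is copied from the post.
BAD_URL = ("http://localhost:4444/oauth/v2/authorize?response_type=code"
           "&scope=profile+email+openid%2Burn%3Azitadel%3Aiam%3Aorg%3Aid%3A280113846494953474")


def requested_scopes(url):
    """Return the scope tokens after form decoding ('+' -> space, '%2B' -> '+')."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scope", [""])[0].split(" ")


def check_scopes(url):
    """Return a list of problems found in the scope parameter of an authorize URL."""
    scopes = requested_scopes(url)
    problems = []
    if "openid" not in scopes:
        # OIDC requires 'openid' as its own space-delimited scope token.
        problems.append("no standalone 'openid' scope token")
    for token in scopes:
        if "+" in token:
            problems.append(f"literal '+' inside scope token {token!r}")
    return problems


def build_authorize_url(base, client_id, redirect_uri, scopes, state, code_challenge):
    """Join scopes with a space (RFC 6749, section 3.3) and encode the query once."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # never join with '+' by hand
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return base + "?" + urlencode(params)  # urlencode turns the space into '+'


GOOD_URL = build_authorize_url(
    "http://localhost:4444/oauth/v2/authorize",
    "CLIENT_ID_PLACEHOLDER",                       # hypothetical value
    "http://localhost:8080/api/session/callback",
    ["profile", "email", "openid", "urn:zitadel:iam:org:id:280113846494953474"],
    "constructed-state", "constructed-challenge",  # hypothetical values
)

if __name__ == "__main__":
    print(check_scopes(BAD_URL))
    print(check_scopes(GOOD_URL))
```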
