Do service users ignore "Check authorization on Authentication"?
Hi,
I am testing service users on an API application (client_id + client_secret) with PATs.
I have one service user with a role/authorization (userA) in the project and one without (userB). In the project I have checked "Check authorization on Authentication". My understanding was that userB should not return as valid under the introspection endpoint. But both are returned as active.
Where is my understanding wrong?
5 Replies
Hi @Weltenbrand your understanding is right.
The active field in the introspection response indicates whether the token is currently valid. The introspection endpoint does not check whether the token's associated user has specific roles or permissions within your application.
Therefore, both userA and userB tokens are reported as active because they meet the criteria above. "Check Authorization on Authentication" ensures users have the necessary roles during authentication, not during token validation.
Thank you for your response.
What is correct way to check if a PAT has the authorization in an application?
Hi @Weltenbrand, the only way to do it would be separate projects. It's more of a workaround and not an out-of-the-box/native solution within Zitadel, as we are project scoped.
separate projects -> separate apps -> separate user/PAT
But aren't users/service users based on organizations? How can I create a service user for a single project?
Hi @Weltenbrand, yes you are right, we are scoped at org.
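The distinction explained in the thread (introspection answers "is this token still valid", while authorization has to be enforced by the API itself) can be illustrated with a small resource-server check. This is an added example and not code from Zitadel or from anyone in the thread. It assumes that the introspection response carries project roles under the claim name `urn:zitadel:iam:org:project:roles` (an assumption; the thread does not name the claim, and whether roles are asserted at all depends on the API application's settings), and it uses constructed sample responses modelled on userA and userB rather than a live endpoint.

```python
import base64
import urllib.parse
import urllib.request

# Assumed claim under which project roles appear in the introspection
# response; not mentioned in the thread, verify against your own response.
ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"

# Constructed sample responses modelled on the thread: both PATs are
# "active" (valid), but only userA carries a role in the project.
USER_A_RESPONSE = {
    "active": True,
    "username": "userA",
    "client_id": "example-api-client",           # constructed value
    ROLES_CLAIM: {"api.read": {"ORG_ID_PLACEHOLDER": "example.org"}},
}
USER_B_RESPONSE = {
    "active": True,
    "username": "userB",
    "client_id": "example-api-client",
    # no roles claim at all: introspection still says active=True
}


def build_introspection_request(endpoint, client_id, client_secret, token):
    """POST to the introspection endpoint, authenticating the API application
    with HTTP Basic client_id:client_secret (RFC 7662 style). Building the
    request is separated from sending it so it can be inspected offline."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token}).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST")
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def introspect(endpoint, client_id, client_secret, token):
    """Send the request and return the decoded JSON (needs network access)."""
    import json
    req = build_introspection_request(endpoint, client_id, client_secret, token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def token_roles(introspection):
    """Roles granted to the token's user, or an empty set if none are asserted.
    Zitadel-style responses map role -> {org_id: org_domain}; a plain list is
    accepted too."""
    roles = introspection.get(ROLES_CLAIM) or {}
    return set(roles.keys()) if isinstance(roles, dict) else set(roles)


def is_authorized(introspection, required_role):
    """Two independent gates: the token must be active (validity, which is
    what introspection checks) AND the user must hold the required project
    role (authorization, which the API has to check itself). A missing or
    empty roles claim is a deny, never a pass."""
    if introspection.get("active") is not True:
        return False
    return required_role in token_roles(introspection)


if __name__ == "__main__":
    for resp in (USER_A_RESPONSE, USER_B_RESPONSE):
        print(resp["username"], "active:", resp["active"],
              "authorized for api.read:", is_authorized(resp, "api.read"))
```

Run as-is it only evaluates the constructed responses; `introspect()` is there to show how the same decision plugs into a real call. The point the thread makes shows up directly: userB's response is `active: True` yet `is_authorized` returns `False`, because the role check is something the API performs, not the introspection endpoint.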