Roles missing in access token (JWT)

Hello. I'm trying to request access tokens with projects' roles without success - is this a bug or am I missing something?

Authorization request (line breaks for readability):

# note the scopes:
# openid email profile urn:zitadel:iam:org:project:id:{projectid}:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

http://localhost:8080/oauth/v2/authorize
  ?client_id=317093501659578371
  &response_type=code
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &response_mode=query
  &scope=openid%20email%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Aproject%3Aid%3A317093501441409027%3Aaud%20urn%3Aiam%3Aorg%3Aproject%3Aroles%20urn%3Azitadel%3Aiam%3Aorg%3Aprojects%3Aroles
  &code_challenge=ocYCWfMwcSjWZok91g7EAZsKLdqPI7Nn_qoUWIdHHM4
  &code_challenge_method=S256

# note the scopes:
# openid email profile urn:zitadel:iam:org:project:id:{projectid}:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

http://localhost:8080/oauth/v2/authorize
  ?client_id=317093501659578371
  &response_type=code
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &response_mode=query
  &scope=openid%20email%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Aproject%3Aid%3A317093501441409027%3Aaud%20urn%3Aiam%3Aorg%3Aproject%3Aroles%20urn%3Azitadel%3Aiam%3Aorg%3Aprojects%3Aroles
  &code_challenge=ocYCWfMwcSjWZok91g7EAZsKLdqPI7Nn_qoUWIdHHM4
  &code_challenge_method=S256

Token request body (line breaks for readability):

grant_type=authorization_code
  &client_id=317093501659578371
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
  &code=ONEHefIhLq9n6KgnHO6gdD9JX8np2jaB3IsJyWOzL3Zjnw

grant_type=authorization_code
  &client_id=317093501659578371
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
  &code=ONEHefIhLq9n6KgnHO6gdD9JX8np2jaB3IsJyWOzL3Zjnw

Retrieved access token

{
  "iss": "http://localhost:8080",
  "sub": "317094026115284995",
  "aud": [
    "317093501659578371",
    "317093501441409027"
  ],
  "exp": 1745542441,
  "iat": 1745499241,
  "nbf": 1745499241,
  "client_id": "317093501659578371",
  "jti": "V2_317094820197695491-at_317094820197761027"
}

{
  "iss": "http://localhost:8080",
  "sub": "317094026115284995",
  "aud": [
    "317093501659578371",
    "317093501441409027"
  ],
  "exp": 1745542441,
  "iat": 1745499241,
  "nbf": 1745499241,
  "client_id": "317093501659578371",
  "jti": "V2_317094820197695491-at_317094820197761027"
}

obs.: the role claims are also not present in the id token, but they ARE present in the userinfo response

Roles missing in access token (JWT)

Hello. I'm trying to request access tokens with projects' roles without success - is this a bug or am I missing something?

Authorization request (line breaks for readability):

# note the scopes:
# openid email profile urn:zitadel:iam:org:project:id:{projectid}:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

http://localhost:8080/oauth/v2/authorize
  ?client_id=317093501659578371
  &response_type=code
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &response_mode=query
  &scope=openid%20email%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Aproject%3Aid%3A317093501441409027%3Aaud%20urn%3Aiam%3Aorg%3Aproject%3Aroles%20urn%3Azitadel%3Aiam%3Aorg%3Aprojects%3Aroles
  &code_challenge=ocYCWfMwcSjWZok91g7EAZsKLdqPI7Nn_qoUWIdHHM4
  &code_challenge_method=S256

# note the scopes:
# openid email profile urn:zitadel:iam:org:project:id:{projectid}:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

http://localhost:8080/oauth/v2/authorize
  ?client_id=317093501659578371
  &response_type=code
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &response_mode=query
  &scope=openid%20email%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Aproject%3Aid%3A317093501441409027%3Aaud%20urn%3Aiam%3Aorg%3Aproject%3Aroles%20urn%3Azitadel%3Aiam%3Aorg%3Aprojects%3Aroles
  &code_challenge=ocYCWfMwcSjWZok91g7EAZsKLdqPI7Nn_qoUWIdHHM4
  &code_challenge_method=S256

Token request body (line breaks for readability):

grant_type=authorization_code
  &client_id=317093501659578371
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
  &code=ONEHefIhLq9n6KgnHO6gdD9JX8np2jaB3IsJyWOzL3Zjnw

grant_type=authorization_code
  &client_id=317093501659578371
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
  &code=ONEHefIhLq9n6KgnHO6gdD9JX8np2jaB3IsJyWOzL3Zjnw

Retrieved access token

{
  "iss": "http://localhost:8080",
  "sub": "317094026115284995",
  "aud": [
    "317093501659578371",
    "317093501441409027"
  ],
  "exp": 1745542441,
  "iat": 1745499241,
  "nbf": 1745499241,
  "client_id": "317093501659578371",
  "jti": "V2_317094820197695491-at_317094820197761027"
}

{
  "iss": "http://localhost:8080",
  "sub": "317094026115284995",
  "aud": [
    "317093501659578371",
    "317093501441409027"
  ],
  "exp": 1745542441,
  "iat": 1745499241,
  "nbf": 1745499241,
  "client_id": "317093501659578371",
  "jti": "V2_317094820197695491-at_317094820197761027"
}

obs.: the role claims are also not present in the id token, but they ARE present in the userinfo response

Roles missing in access token (JWT)

Similar Threads

Roles missing in access token (JWT)

Similar Threads