Roles missing in access token (JWT)

Hello. I'm trying to request access tokens with projects' roles without success - is this a bug or am I missing something?

Authorization request (line breaks for readability):

# note the scopes:
# openid email profile urn:zitadel:iam:org:project🆔{projectid}:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

http://localhost:8080/oauth/v2/authorize
  ?client_id=317093501659578371
  &response_type=code
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &response_mode=query
  &scope=openid%20email%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Aproject%3Aid%3A317093501441409027%3Aaud%20urn%3Aiam%3Aorg%3Aproject%3Aroles%20urn%3Azitadel%3Aiam%3Aorg%3Aprojects%3Aroles
  &code_challenge=ocYCWfMwcSjWZok91g7EAZsKLdqPI7Nn_qoUWIdHHM4
  &code_challenge_method=S256

# note the scopes:
# openid email profile urn:zitadel:iam:org:project🆔{projectid}:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

http://localhost:8080/oauth/v2/authorize
  ?client_id=317093501659578371
  &response_type=code
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &response_mode=query
  &scope=openid%20email%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Aproject%3Aid%3A317093501441409027%3Aaud%20urn%3Aiam%3Aorg%3Aproject%3Aroles%20urn%3Azitadel%3Aiam%3Aorg%3Aprojects%3Aroles
  &code_challenge=ocYCWfMwcSjWZok91g7EAZsKLdqPI7Nn_qoUWIdHHM4
  &code_challenge_method=S256

Token request body (line breaks for readability):

grant_type=authorization_code
  &client_id=317093501659578371
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
  &code=ONEHefIhLq9n6KgnHO6gdD9JX8np2jaB3IsJyWOzL3Zjnw

grant_type=authorization_code
  &client_id=317093501659578371
  &redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
  &code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
  &code=ONEHefIhLq9n6KgnHO6gdD9JX8np2jaB3IsJyWOzL3Zjnw

Retrieved access token

{
  "iss": "http://localhost:8080",
  "sub": "317094026115284995",
  "aud": [
    "317093501659578371",
    "317093501441409027"
  ],
  "exp": 1745542441,
  "iat": 1745499241,
  "nbf": 1745499241,
  "client_id": "317093501659578371",
  "jti": "V2_317094820197695491-at_317094820197761027"
}

{
  "iss": "http://localhost:8080",
  "sub": "317094026115284995",
  "aud": [
    "317093501659578371",
    "317093501441409027"
  ],
  "exp": 1745542441,
  "iat": 1745499241,
  "nbf": 1745499241,
  "client_id": "317093501659578371",
  "jti": "V2_317094820197695491-at_317094820197761027"
}

obs.: the role claims are also not present in the id token, but they ARE present in the userinfo response

bawskyOP•4/24/25, 1:00 PM

Here are my setup steps:

Setup the main org/project/app:
1. Create a new 'example_org' organization
2. Inside the 'example_org' organization, create a new 'example_project' project
  - in the project 'General' settings, enable "Assert Roles on Authentication"
3. Inside the 'example_project' project, create a new 'example_role'
4. Inside the 'example_project' project, create a new 'example_app' (note: I'm using a 'User Agent' app, with PKCE enabled)
  - in the app 'Token Settings' settings, set "Auth Token Type" to "JWT"
Setup another org with a user:
1. Create a new 'example_org2' organization
2. Inside the 'example_org2' organization, create a new 'example_user' user
Grant the user access to the project:
1. Inside the 'example_project' project, grant 'example_role' to the 'example_org2' organization
2. Inside the 'example_org2' organization, grant 'example_role' authorization to the 'example_user' user

userinfo response:

{
  "email": "user@example.com",
  "email_verified": true,
  "family_name": "example",
  "given_name": "user",
  "locale": null,
  "name": "user example",
  "preferred_username": "user@example.com",
  "sub": "317094026115284995",
  "updated_at": 1745498768,
  "urn:zitadel:iam:org:project:317093501441409027:roles": {
    "example_role": {
      "317093501844062211": "exampleorg2.localhost"
    }
  },
  "urn:zitadel:iam:org:project:roles": {
    "example_role": {
      "317093501844062211": "exampleorg2.localhost"
    }
  }
}

{
  "email": "user@example.com",
  "email_verified": true,
  "family_name": "example",
  "given_name": "user",
  "locale": null,
  "name": "user example",
  "preferred_username": "user@example.com",
  "sub": "317094026115284995",
  "updated_at": 1745498768,
  "urn:zitadel:iam:org:project:317093501441409027:roles": {
    "example_role": {
      "317093501844062211": "exampleorg2.localhost"
    }
  },
  "urn:zitadel:iam:org:project:roles": {
    "example_role": {
      "317093501844062211": "exampleorg2.localhost"
    }
  }
}

bawskyOP•4/24/25, 1:05 PM

NOTE: selecting "Add user roles to the access token" in the application's "Token Settings" work, but then the roles are retrieved independently of what scopes I pass (i.e.

urn:iam:org:project:roles

urn:iam:org:project:roles

and

urn:zitadel:iam:org:projects:roles

urn:zitadel:iam:org:projects:roles

scopes seem to be ignored)

Also probably relevant: I'm running Zitadel locally with docker-compose v2.71.7

Rajat•4/28/25, 1:24 PM

hi @bawsky do you have

Add user roles to the access token

Add user roles to the access token

enabled within the User Agent app?

Rajat•4/28/25, 1:26 PM

bawskyOP•4/28/25, 6:06 PM

Hello @Rajat!

I've actually tried both ways:

when it's selected, the user roles are ALWAYS added to the access token, regardless of

urn:iam:org:project:roles

urn:iam:org:project:roles

and

urn:zitadel:iam:org:projects:roles

urn:zitadel:iam:org:projects:roles

scopes

when it is not selected, the user roles are NEVER added to the access token, regardless of

urn:iam:org:project:roles

urn:iam:org:project:roles

and

urn:zitadel:iam:org:projects:roles

urn:zitadel:iam:org:projects:roles

scopes

Rajat•4/29/25, 11:31 AM

hi @bawsky apologies for the trouble :))
as a fallback/workaround, since roles are present in the

/userinfo

/userinfo

response but not in the token, retrieve them via an API call to

/oauth/v2/userinfo

/oauth/v2/userinfo

after authentication , while I check with my team if its a bug or a feature. If that helps.
Thanks

bawskyOP•4/29/25, 2:04 PM

No trouble at all! We're just starting the work on integrating Zitadel into our already-consolidated product - so this issue doesn't really affect us yet (we are integrating Zitadel for authentication but we still control roles and authorization inside our application - I'm just evaluating the possibility of also migrating that part to Zitadel at some point in future).

Thanks a lot for the response @Rajat

Looking forward to understand this - please keep me updated here (and let me know if I should open a GitHub to track it if it's a bug).

Bbawsky No trouble at all! We're just starting the work on integrating Zitadel into our ...

Rajat•5/5/25, 5:41 PM

hi @bawsky sure, pls go ahead and open a bug

tag this thread and someone from the team will take a look and we'll prioritise it