boyswan
boyswan4mo ago

Scope Zitadel API by Org

I'm struggling to identify the the best way to interact with the zitadel API scoped by a single org/tenant. In this scenario, a humans is granted an auth_token after logging in, is validated on the backend, and now the Zitadel API needs to be used to search users that are in the same org as the The general approach I'm taking is along the lines of: 
auth := client.DefaultServiceUserAuthentication(jsonkeyPath,
  oidc.ScopeOpenID,
  client.ScopeZitadelAPI(),
)

client, err := client.New(ctx, conf, client.WithAuth(auth))
if err != nil {
  return nil, err
}

users, err := client.UserServiceV2().ListUsers(ctx, &user.ListUsersRequest{
  Query: &object.ListQuery{
    Limit: 10,
    Asc:   false,
  },
})
auth := client.DefaultServiceUserAuthentication(jsonkeyPath,
  oidc.ScopeOpenID,
  client.ScopeZitadelAPI(),
)

client, err := client.New(ctx, conf, client.WithAuth(auth))
if err != nil {
  return nil, err
}

users, err := client.UserServiceV2().ListUsers(ctx, &user.ListUsersRequest{
  Query: &object.ListQuery{
    Limit: 10,
    Asc:   false,
  },
})
Now AFAIK there's two approaches here in terms of authenticating the client - One SU per org/tenant, each a manager on their respective orgs - One SU for the project, is a manager on all orgs/tenant If I have an SU per tenant, this suggests that I need to create a new client for every request (as each SU will need its own client jwt key). At best you could do some caching across users in the same org, but this feels a little messy. The benefit though is better isolation between orgs. Alternatively, a single project SU means the client only uses one key, and I can have a single client instance in my app. However I can't figure out how to then scope requests to a single org. I've seen references to x-zitadel-orgid, but this doesn't seem to work (or is intended for v1?) I guess my question is - what is the idiomatic way to approach this? SU per org and then manage the clients, or one SU and scope requests to an org on the fly?
3 Replies
Rajat Singh
Rajat Singh4mo ago
Hey @boyswan thanks for your question, I'll look into this and get back to you
Rajat
Rajat4mo ago
hey @boyswan
Use one project-wide Service User and scope requests using x-zitadel-orgid. In most multi-tenant setups, the single SU + x-zitadel-orgid pattern works, the correct way to scope ZITADEL API calls to individual organizations. I will get back with more info in some time
boyswan
boyswanOP4mo ago
Thanks for getting back to me. Ok great, I think I got confused because the v2 endpoints don't seem to work with the x-zitadel-origd, ie https://zitadel.com/docs/apis/resources/user_service_v2/user-service-list-users suggests users are filtered by permissions rather than providing the x-zitadel header My concern is that x-zitadel-origd is the "old" way of doing things, I would really appreciate it if you could confirm whether this will eventually be deprecated in v2 endpoints

Did you find this page helpful?