boyswan
boyswan3d ago

Scope Zitadel API by Org

I'm struggling to identify the the best way to interact with the zitadel API scoped by a single org/tenant. In this scenario, a humans is granted an auth_token after logging in, is validated on the backend, and now the Zitadel API needs to be used to search users that are in the same org as the The general approach I'm taking is along the lines of: 
auth := client.DefaultServiceUserAuthentication(jsonkeyPath,
  oidc.ScopeOpenID,
  client.ScopeZitadelAPI(),
)

client, err := client.New(ctx, conf, client.WithAuth(auth))
if err != nil {
  return nil, err
}

users, err := client.UserServiceV2().ListUsers(ctx, &user.ListUsersRequest{
  Query: &object.ListQuery{
    Limit: 10,
    Asc:   false,
  },
})
auth := client.DefaultServiceUserAuthentication(jsonkeyPath,
  oidc.ScopeOpenID,
  client.ScopeZitadelAPI(),
)

client, err := client.New(ctx, conf, client.WithAuth(auth))
if err != nil {
  return nil, err
}

users, err := client.UserServiceV2().ListUsers(ctx, &user.ListUsersRequest{
  Query: &object.ListQuery{
    Limit: 10,
    Asc:   false,
  },
})
Now AFAIK there's two approaches here in terms of authenticating the client - One SU per org/tenant, each a manager on their respective orgs - One SU for the project, is a manager on all orgs/tenant If I have an SU per tenant, this suggests that I need to create a new client for every request (as each SU will need its own client jwt key). At best you could do some caching across users in the same org, but this feels a little messy. The benefit though is better isolation between orgs. Alternatively, a single project SU means the client only uses one key, and I can have a single client instance in my app. However I can't figure out how to then scope requests to a single org. I've seen references to x-zitadel-orgid, but this doesn't seem to work (or is intended for v1?) I guess my question is - what is the idiomatic way to approach this? SU per org and then manage the clients, or one SU and scope requests to an org on the fly?
1 Reply
Rajat Singh
Rajat Singh22h ago
Hey @boyswan thanks for your question, I'll look into this and get back to you

Did you find this page helpful?