lbm
ZITADEL • 7mo ago
11 replies

Question about validating a user's roles within an organization

Hey everyone, apologies if there is already a similar thread about this. I looked quite hard but I wasn't able to find anything.

My company is currently investigating Zitadel as a potential shared solution for product auth. From our perspective, it has a lot of clear benefits over the usual suspects like Keycloak.

One thing that's got me a bit concerned is how our product teams will be able to validate the roles assigned to a user by a specific organization. As per the docs, with the urn:zitadel:iam:org:project:id:zitadel:aud scope, the userinfo endpoint will return roles in a structure like:

{
  // ...
  "urn:zitadel:iam:org:project:roles": {
    "cfo": {
      "223281939119866113": "corporate.user-authorizations-io8epz.zitadel.cloud"
    },
    "corporate member": {
      "223279178798072065": "org-a.user-authorizations-io8epz.zitadel.cloud",
      "223279223391912193": "org-b.user-authorizations-io8epz.zitadel.cloud"
    }
  }
}


In this example, the user has been assigned the "cfo" role by the "corporate" organization, and the "corporate member" role by both the "org-a" and "org-b" organizations. This makes perfect sense. But I want to ask about how a particular application actually goes about using this information.

There are a number of examples Zitadel gives (zitadel-nextjs, zitadel-vue, zitadel-nextjs-b2b, etc.), where the equivalent of Object.keys(userinfo["urn:zitadel:iam:org:project:roles"]) is used to demonstrate getting a user's role... This seems like an extremely dangerous practice, because obviously you also need to consider the organization tied to the granted role.
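The check the post is asking for, as an added example that is not part of the original post and not code from ZITADEL's sample apps. It assumes only the claim shape shown above (role name mapped to an object of organization ID to organization primary domain); the userinfo object is constructed from the post's example IDs and domains, and the `sub` value is a placeholder. The weak `Object.keys` check from the sample apps is shown beside an organization-aware check so the difference is visible on the same input:

```javascript
// Added example (not from the original post or ZITADEL's sample apps).
// Assumes only the claim shape shown in the post:
//   roles claim -> { roleName: { orgId: orgPrimaryDomain, ... }, ... }
const ROLES_CLAIM = "urn:zitadel:iam:org:project:roles";

// Constructed userinfo response mirroring the post's example claim.
// IDs and domains are copied from the post; "sub" is a placeholder.
const userinfo = {
  sub: "example-user",
  [ROLES_CLAIM]: {
    cfo: {
      "223281939119866113": "corporate.user-authorizations-io8epz.zitadel.cloud",
    },
    "corporate member": {
      "223279178798072065": "org-a.user-authorizations-io8epz.zitadel.cloud",
      "223279223391912193": "org-b.user-authorizations-io8epz.zitadel.cloud",
    },
  },
};

// Weak check, equivalent to Object.keys(...).includes(role) in the sample apps:
// it answers "does this user hold the role in ANY organization?", which is not
// the question an application serving a specific organization needs answered.
function hasRoleAnywhere(info, role) {
  const roles = info[ROLES_CLAIM] ?? {};
  return Object.keys(roles).includes(role);
}

// Organization-aware check: the role must have been granted by the organization
// the request is acting on. orgId is the ZITADEL organization ID as a string
// (the key of the inner object). hasOwnProperty is used deliberately so that
// inherited names such as "constructor" or "toString" never count as a grant.
function hasRoleInOrg(info, role, orgId) {
  const roles = info[ROLES_CLAIM];
  if (!roles || typeof roles !== "object") return false;
  const grants = Object.prototype.hasOwnProperty.call(roles, role) ? roles[role] : undefined;
  if (!grants || typeof grants !== "object") return false;
  return Object.prototype.hasOwnProperty.call(grants, String(orgId));
}

// Same check keyed by the organization's primary domain (the inner values),
// for applications that identify the tenant by domain rather than by ID.
function hasRoleInOrgDomain(info, role, orgDomain) {
  const roles = info[ROLES_CLAIM];
  if (!roles || typeof roles !== "object") return false;
  const grants = Object.prototype.hasOwnProperty.call(roles, role) ? roles[role] : undefined;
  if (!grants || typeof grants !== "object") return false;
  return Object.values(grants).includes(orgDomain);
}

// Lists the organization IDs that granted a role (sorted for stable output).
function orgsGrantingRole(info, role) {
  const roles = info[ROLES_CLAIM] ?? {};
  const grants = Object.prototype.hasOwnProperty.call(roles, role) ? roles[role] : {};
  return Object.keys(grants ?? {}).sort();
}

// Authorization decision for a request that carries the organization it acts on.
// The orgId must come from a trusted place (route, tenant context, the token's
// resource owner), never from a client-controlled field.
function authorize(info, { role, orgId }) {
  return hasRoleInOrg(info, role, orgId) ? "allow" : "deny";
}

// Demonstration on the constructed userinfo: org-a never granted "cfo".
console.log("weak check, cfo:", hasRoleAnywhere(userinfo, "cfo"));                       // true
console.log("cfo in org-a:", hasRoleInOrg(userinfo, "cfo", "223279178798072065"));       // false
console.log("cfo in corporate:", hasRoleInOrg(userinfo, "cfo", "223281939119866113"));   // true
console.log("orgs granting corporate member:", orgsGrantingRole(userinfo, "corporate member"));
```

The practical point is in the second and third lines of the demonstration: the weak check says the user "is a CFO", while the organization-aware check says they are a CFO only in `corporate`, so a request made in the context of `org-a` must be denied.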