How to query project users belonging to a certain role
Hi,
I'm trying to write a Zitadel backend for the Apricot project (An LDAP proxy for OIDC backends), but I'm running into some API limitations that I am hoping you could potentially assist with.
I am making a couple (unqualified) assumptions about both Zitadel and LDAP (as I'm inexperienced with both, please let me know if I'm completely off chart here):
1. A Zitadel user will map 1:1 to an LDAP user.
2. A Zitadel Project Role will map 1:1 to an LDAP group.
The way I've set up the proxy is that it runs on a per project basis, as that is the only way you can connect users with (customizable) roles. It also makes sense, to me, as it eliminates collisions between multiple projects sharing role names.
I am running into 2 main issues:
1. I need a numerical ID per role that is stable. I thought about using the creationDate timestamp, but not only does it not fit in the unsigned 32 bit maximum size per gidNumber, but I assume it also is not unique if you create the roles in bulk mode.
2. I need a way to find all users belonging to a role for the given project. Ideally there would be a query where I could say give me all the project members belonging to this role. I might have overlooked it, but I can't seem to find this query.
I'd appreciate any and all help to solve this. I really want to use Zitadel instead of Authentik or KeyCloak, but I also really need an LDAP interface. I can see from a discussion on GH that it is something you are considering, but lack the manpower to solve, so maybe this could be a happy middle ground for those who, like me, need it for certain services.
Vb,
Christian
GitHub - alan-turing-institute/apricot: An OpenID Connect LDAP proxy
Looks like nr. 2 will be possible in the V2 API with https://zitadel.com/docs/apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-list-authorizations.
Does an equivalent resource exist in V1?
hey @Jenkins welcome to the server and good morning, the equivalent V1 API exists and it's List My Authorizations / User Grants, although it will be deprecated soon BUT still does the job 🙂
Hey @Rajat
Thanks for getting back to me.
That API unfortunately does not look like what I need. I need to query the authorizations for an arbitrary user in a given project - not the authorizations of the user making the request.
Sorry if I didn't make that clear.
Sorry - I need to query which users are assigned to a specific role. So like a "List Project Authorizations" where I pass the role key (or ideally the role ID) as a filter.
Hi @Jenkins, so in ListAuthorizations you can indeed pass the role ID, which is called project_grant_id in here while calling it in the API, just like in the screenshot below, OR you can use the old [V1 Get User Grant By ID](https://zitadel.com/docs/apis/resources/mgmt/management-service-get-user-grant-by-id) where you can just pass the userId and grantId and it will return the matching user with that grant, check this [response](https://zitadel.com/docs/apis/resources/mgmt/management-service-get-user-grant-by-id#responses). Lmk if it helps
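Whichever endpoint is used, the proxy still has to turn a list of grants into per-role membership lists, scoped to one project so that role keys from different projects never collide. The following is an added example written for this thread; it is not code from Zitadel or from the Apricot project. The record shape (fields `id`, `userId`, `userName`, `projectId`, `roleKeys`) is a constructed sample modelled on a user-grant listing; treat those field names as assumptions and map them to whatever the endpoint you call actually returns.

```python
"""Group Zitadel user grants / authorizations into LDAP-style role groups.

Added example for this thread, not Zitadel's or Apricot's own code. The
record shape below is an assumption modelled on a user-grant listing;
adapt the field names to the real API response.
"""
from collections import defaultdict

# Constructed sample: grants for one organisation, already parsed from JSON.
# All ids and names are invented. Note that alice appears twice for project p1.
SAMPLE_GRANTS = [
    {"id": "g1", "userId": "u1", "userName": "alice", "projectId": "p1", "roleKeys": ["admin", "reader"]},
    {"id": "g2", "userId": "u2", "userName": "bob",   "projectId": "p1", "roleKeys": ["reader"]},
    {"id": "g3", "userId": "u3", "userName": "carol", "projectId": "p2", "roleKeys": ["admin"]},
    {"id": "g4", "userId": "u1", "userName": "alice", "projectId": "p1", "roleKeys": ["reader"]},
]


def groups_for_project(grants, project_id):
    """Return {role_key: sorted list of userNames} for a single project.

    Grants belonging to other projects are dropped, which is what keeps the
    per-project proxy layout free of role-name collisions. A user who holds
    the same role through several grants is listed once.
    """
    members = defaultdict(set)
    for grant in grants:
        if grant.get("projectId") != project_id:
            continue
        for role in grant.get("roleKeys", []):
            members[role].add(grant["userName"])
    return {role: sorted(users) for role, users in members.items()}


def members_of_role(grants, project_id, role_key):
    """Client-side equivalent of 'list the users holding this role in this project'.

    Returns an empty list for an unknown role rather than raising, so an LDAP
    group lookup for a role with no members simply yields an empty group.
    """
    return groups_for_project(grants, project_id).get(role_key, [])


if __name__ == "__main__":
    for role, users in groups_for_project(SAMPLE_GRANTS, "p1").items():
        print(f"{role}: {', '.join(users)}")
    print("reader in p2:", members_of_role(SAMPLE_GRANTS, "p2", "reader"))
```

Because the grouping is done after the fetch, it works the same whether the records come from the V1 user-grant listing or the V2 authorization listing; only the field-name mapping at the top changes. If the listing is paginated, collect every page before calling `groups_for_project`, otherwise a role's membership will be silently truncated.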