Role field scope in token introspection
Hi Zitadel team, I have some questions about token introspection endpoint for OIDC.
I have a setup in Zitadel with two projects, let's name them project A and B. I would like to define the "shared roles" for every project in the organization in project A and access them via token introspection from the API application in project B, because it's possible to have more additional roles in project B.
Currently, the token introspection endpoint for OIDC only returns roles from the current project and ignores roles from the other projects in the audience field. Is it possible for the token introspection endpoint to access roles from an external project that the API key does not reside in, especially one listed in the audience field?
Ref:
- https://github.com/zitadel/zitadel/blob/1a24b107023af4cf605ecdeb4c17fe126341432e/internal/api/oidc/introspect.go#L99-L106
hey @miello thanks for your question, looking into it.
hey @miello good morning and welcome to the server 🙂 token introspection only covers the current project or audience you've explicitly added via scope BUT I think you can use token exchange as it supports multi audience tokens, please give it a read and it might help.
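To make the behaviour discussed in this thread concrete, here is an added example of how an API in project B can consume an introspection response defensively; it is not code from the Zitadel project or from either participant. It assumes the documented claim names `urn:zitadel:iam:org:project:roles` (roles of the introspecting client's own project) and `urn:zitadel:iam:org:project:{projectId}:roles` (roles scoped to a specific project in the audience); the sample response, the project IDs (`project-a-id`, `project-b-id`) and the role keys are constructed for illustration. The point it demonstrates is the one raised above: the API must fail closed, so a role that only lives in project A is simply absent from the response and any check for it is denied, even though project A is in `aud`.

```python
import json
from typing import Any, Dict, Set

# Claim names as documented by ZITADEL for introspection responses (assumption: unchanged in your version).
OWN_PROJECT_ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"
PROJECT_ROLES_CLAIM_TEMPLATE = "urn:zitadel:iam:org:project:{project_id}:roles"

# Constructed sample response, NOT captured from a real instance. Project B (the introspecting API)
# gets its roles; project A is in the audience but its roles are not included, as reported in the thread.
SAMPLE_INTROSPECTION = json.dumps({
    "active": True,
    "aud": ["spa-client-id", "project-a-id", "project-b-id"],
    "client_id": "spa-client-id",
    "exp": 1700000000,
    "sub": "user-1",
    OWN_PROJECT_ROLES_CLAIM: {"editor": {"org-1": "acme.example.com"}},
    PROJECT_ROLES_CLAIM_TEMPLATE.format(project_id="project-b-id"): {
        "editor": {"org-1": "acme.example.com"}
    },
})


def roles_for_project(introspection: Dict[str, Any], project_id: str) -> Set[str]:
    """Return the role keys granted in `project_id`.

    Prefers the project-scoped claim; falls back to the own-project claim only when the
    project-scoped claim is absent. Returns an empty set when neither is present, so a
    missing claim never grants anything.
    """
    scoped = introspection.get(PROJECT_ROLES_CLAIM_TEMPLATE.format(project_id=project_id))
    if isinstance(scoped, dict):
        return set(scoped.keys())
    own = introspection.get(OWN_PROJECT_ROLES_CLAIM)
    if isinstance(own, dict) and project_id == introspection.get("_own_project_id", project_id):
        # Hypothetical: the own-project claim is only meaningful for the introspecting API's project.
        return set(own.keys())
    return set()


def audience_list(introspection: Dict[str, Any]) -> Set[str]:
    """`aud` may be a string or a list per RFC 7519; normalise to a set."""
    aud = introspection.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return set(aud) if isinstance(aud, list) else set()


def authorize(introspection_json: str, project_id: str, required_role: str) -> bool:
    """Fail-closed authorization decision for an API in `project_id`.

    Denies unless the token is active, the API's project is in `aud`,
    and the required role is present in the roles claim for that project.
    """
    try:
        data = json.loads(introspection_json)
    except json.JSONDecodeError:
        return False
    if data.get("active") is not True:
        return False
    if project_id not in audience_list(data):
        return False
    return required_role in roles_for_project(data, project_id)


if __name__ == "__main__":
    # Project B's own role is visible and granted.
    print(authorize(SAMPLE_INTROSPECTION, "project-b-id", "editor"))        # True
    # A role defined only in project A is absent from the response: denied, not silently granted.
    print(authorize(SAMPLE_INTROSPECTION, "project-a-id", "shared-reader"))  # False
    # Inactive tokens are denied regardless of claims.
    inactive = json.dumps({"active": False})
    print(authorize(inactive, "project-b-id", "editor"))                     # False
```

The own-project fallback is deliberately conservative: if you rely on `urn:zitadel:iam:org:project:roles` for a project other than the introspecting API's own, you would be reading roles of the wrong project, which is exactly the confusion the question describes.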