nullsense
nullsense•2mo ago

How to use reserved scope urn:zitadel:iam:org:roles:id:{orgID}

Hello, I'm having trouble in my token introspection. I'm trying to get a role to be returned in the response from a project in an org that a user is not part of, but has been granted auth for. Using the scope `urn:zitadel:iam:org:roles:id:{orgID}`, as shown in the docs here, only returns roles in the user's primary org. In fact, using only this scope of the other organization returns an error:

`failed token validation, parse failed due to: user does not have any authorization (assigned roles) for project {orgId}`

Is someone from Zitadel able to show me this working cross-org? Otherwise, I think this is a bug. I am working with self-hosted v2.71.11.
3 Replies
Rajat
Rajat•2mo ago
Hey @nullsense, pls try adding `urn:zitadel:iam:org:project:id:{projectId}:aud` instead, and also `urn:zitadel:iam:org:projects:roles`. I think it should work 🙂 Also documented on the scopes.
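For reference, this is how a resource server would consume the two claims those scopes are meant to produce: the project ID in `aud`, and the roles claim keyed by the org that granted each role. It is an added example, not code from this thread or from Zitadel; it assumes Zitadel's documented layout of the `urn:zitadel:iam:org:project:roles` claim (role name mapped to `{orgId: orgDomain}`) and uses a constructed introspection response, so a cross-org grant that the token does not carry simply fails closed.

```python
import json
from typing import Any, Dict, List, Set

# Name of Zitadel's aggregated roles claim (assumed from Zitadel's docs, not from the thread).
ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"

# Constructed sample introspection response; IDs and domains are made up.
# "reader" was granted in the user's home org, "admin" via a project grant to another org.
SAMPLE_INTROSPECTION = json.dumps({
    "active": True,
    "sub": "user-0001",
    "aud": ["project-111", "client-aaa"],
    ROLES_CLAIM: {
        "reader": {"org-home": "home.example.com"},
        "admin": {"org-granted": "granted.example.com"},
    },
})


def roles_for_org(introspection: str, project_id: str, org_id: str) -> Set[str]:
    """Return the roles the token carries for project_id that were granted in org_id.

    Fails closed: an inactive token, a token not issued for the project, or a
    missing roles claim all yield an empty set rather than raising.
    """
    data: Dict[str, Any] = json.loads(introspection)
    if not data.get("active"):
        return set()
    aud = data.get("aud", [])
    aud_list: List[str] = [aud] if isinstance(aud, str) else list(aud)
    if project_id not in aud_list:  # the :aud scope is what puts the project here
        return set()
    roles: Dict[str, Dict[str, str]] = data.get(ROLES_CLAIM) or {}
    # Each role maps to the orgs (by ID) in which it was granted; keep only org_id's.
    return {role for role, orgs in roles.items() if org_id in orgs}


def has_role(introspection: str, project_id: str, org_id: str, role: str) -> bool:
    """Authorization decision for one role in one org, derived from the introspection."""
    return role in roles_for_org(introspection, project_id, org_id)


if __name__ == "__main__":
    print(roles_for_org(SAMPLE_INTROSPECTION, "project-111", "org-granted"))  # {'admin'}
    print(has_role(SAMPLE_INTROSPECTION, "project-111", "org-other", "admin"))  # False
```

If the granted org's roles never show up in the claim, as described above, `roles_for_org` returns an empty set for that org, which is the safe outcome while the issue is open.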
nullsense
nullsenseOP•2mo ago
Hi @Rajat, I've also tried this, but the role from a project that is granted to the user from a separate organization is not returned.
anlumo
anlumo•2mo ago
Could be related to the bugfix https://github.com/zitadel/zitadel/pull/9861 which is currently stuck in limbo.