Return groups header
Hi,
I have zitadel running behind oauth2-proxy which sits behind the nginx auth_request (see image). It's running the Auth Code Flow.
My resource server is only reachable through nginx protected through auth request, so I assume I can trust the headers that I receive.
Now, I would like to set the header x-groups containing the users' groups (or roles) from zitadel.
On my resource server I want to verify that the user can perform a query based on the groups header.
Can Zitadel pass the users groups or roles in any header with the auth code?
I have tried to request the "groups" scope as well as the "urn:zitadel:iam:org:projects:roles" scope.

3 Replies
hey @Valle welcome to the server and thanks for your question, as you can see in the claims matrix here, the scope
urn:zitadel:iam:org:project:roles is only present in the JWT (ID token or access token) under the claim.
So, oauth2-proxy extracts that claim from the ID or Access Token.
Configure oauth2-proxy to pass it as X-Groups (or similar) to nginx → resource server.
makes sense?

Thanks Rahat! I have figured out how to switch from Auth Code to JWT and now it works as expected
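An added example (not from the thread) of the nginx side of the setup Rahat describes: oauth2-proxy serves as the auth_request backend, and the groups it extracted from the token are copied from its X-Auth-Request-Groups response header into an X-Groups request header for the resource server. The oauth2-proxy flags, hostnames and ports are assumptions, as is pointing the oauth2-proxy groups claim at the Zitadel roles claim; log what X-Groups actually contains before the resource server relies on it.

```nginx
# Assumed oauth2-proxy flags (not on the page):
#   --set-xauthrequest=true                          # emit X-Auth-Request-* headers
#   --oidc-groups-claim=urn:zitadel:iam:org:project:roles   # read roles, not "groups"
server {
    listen 443 ssl;
    server_name app.example.com;   # placeholder

    # oauth2-proxy listening on localhost:4180 (assumed)
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }

    # Subrequest target for auth_request; the subrequest carries no body.
    location = /oauth2/auth {
        proxy_pass               http://127.0.0.1:4180;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header Content-Length "";
        proxy_pass_request_body         off;
    }

    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;

        # Capture the identity headers oauth2-proxy returns on the subrequest.
        auth_request_set $user   $upstream_http_x_auth_request_user;
        auth_request_set $email  $upstream_http_x_auth_request_email;
        auth_request_set $groups $upstream_http_x_auth_request_groups;

        # Overwrite (never append to) the headers the upstream trusts, so a
        # client-supplied X-Groups can never reach the resource server.
        proxy_set_header X-User   $user;
        proxy_set_header X-Email  $email;
        proxy_set_header X-Groups $groups;

        proxy_pass http://resource-server:8080;   # placeholder upstream
    }
}
```

If `$groups` is empty nginx sends no X-Groups header at all, so the resource server should treat a missing header as "no roles" rather than as an error in the proxy chain.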