Device Auth Token requested Org ID not enforced
Hi All,
I was recently testing out Device Auth Token on the latest stable Zitadel (v4) and followed the normal instructions for setting up a Device Auth Project.
When I perform the portion of the user authorizing the Device on their account, I use the scope:
urn:zitadel:iam:org:id:{id}
Regardless of the user's membership (e.g. they aren't part of the organization id specified), the access token is returned, and when querying the user_info endpoint with that token, the organization id is listed.
I believe this is a bug because the user shouldn't have been issued an access token when they failed the urn:zitadel:iam:org:id:{id} scope assertion? Or at least I wouldn't expect that id to be present on the user_info since they aren't a part of the organization.
1 Reply
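A relying-party-side compensating control for the behaviour described above, written as an added example (not Zitadel's code and not part of this thread). It assumes the client requested the org scope urn:zitadel:iam:org:id:{id} exactly as in the post, and that the userinfo response carries the user's home organization in the reserved claim urn:zitadel:iam:user:resourceowner:id (the claim name is an assumption here; the thread does not name it). The token and userinfo responses are constructed samples. The point is that the client decides on the organization claim it verifies itself rather than on the token having been issued:

```python
"""Verify a Device Authorization flow result against the requested organization.

Added example, not Zitadel's own code. Assumptions:
  * the client requested the scope urn:zitadel:iam:org:id:{id} (as in the post)
  * the userinfo response carries the user's home organization in the claim
    urn:zitadel:iam:user:resourceowner:id (assumed Zitadel reserved claim name)
All responses below are constructed sample data, not captured from a server.
"""
from typing import Optional, Tuple

ORG_SCOPE_PREFIX = "urn:zitadel:iam:org:id:"
RESOURCE_OWNER_CLAIM = "urn:zitadel:iam:user:resourceowner:id"  # assumed claim name

# Constructed sample data: the org the device client is provisioned for,
# and two userinfo responses, one for a member and one for a non-member.
REQUESTED_SCOPE = "openid profile " + ORG_SCOPE_PREFIX + "org-a-constructed"
TOKEN_RESPONSE = {
    "access_token": "constructed-opaque-token",
    "token_type": "Bearer",
    "expires_in": 43200,
}
USERINFO_MEMBER = {
    "sub": "user-1-constructed",
    RESOURCE_OWNER_CLAIM: "org-a-constructed",
}
USERINFO_NON_MEMBER = {
    "sub": "user-2-constructed",
    RESOURCE_OWNER_CLAIM: "org-b-constructed",
}


def requested_org_id(scope: str) -> Optional[str]:
    """Return the org id the client asked for in a space-separated scope string."""
    for entry in scope.split():
        if entry.startswith(ORG_SCOPE_PREFIX):
            org_id = entry[len(ORG_SCOPE_PREFIX):]
            return org_id or None
    return None


def verify_device_flow_result(
    scope_requested: str, token_response: dict, userinfo: dict
) -> Tuple[bool, str]:
    """Decide whether to accept a device-flow login for the requested organization.

    Returns (accepted, reason). Rather than trusting that the authorization
    server rejected the org scope, the client compares the user's home
    organization claim with the org it asked for and denies on mismatch.
    """
    expected_org = requested_org_id(scope_requested)
    if expected_org is None:
        return False, "no org scope was requested; refusing to guess the tenant"
    if not token_response.get("access_token"):
        return False, "token endpoint returned no access_token"
    if not userinfo.get("sub"):
        return False, "userinfo has no sub claim"
    actual_org = userinfo.get(RESOURCE_OWNER_CLAIM)
    if actual_org is None:
        return False, "userinfo lacks the organization claim " + RESOURCE_OWNER_CLAIM
    if actual_org != expected_org:
        return False, "user belongs to org %s, not requested org %s" % (actual_org, expected_org)
    return True, "user belongs to the requested organization " + expected_org


if __name__ == "__main__":
    for info in (USERINFO_MEMBER, USERINFO_NON_MEMBER):
        accepted, reason = verify_device_flow_result(REQUESTED_SCOPE, TOKEN_RESPONSE, info)
        print(info["sub"], "->", "ACCEPT" if accepted else "DENY", "-", reason)
```

If a deployment echoes the requested org id back in userinfo regardless of membership, the check must key on a claim that reflects the user's actual organization (or on a membership lookup against the management API), never on the claim that mirrors the scope; that is why the example compares the home-organization claim and treats a missing claim as a denial.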
Hi @Dawn, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. OpenID Connect Endpoints in ZITADEL [1]:
Describes how scopes are processed and how tokens are issued, but does not specify enforcement for organization membership in the context of device authorization.
2. User authentication using zitadel end points [2]:
Discusses scope usage and token validation, but does not clarify behavior when a user is not a member of the requested organization.
To learn more, see the sources I considered:
[1] OpenID Connect Endpoints in ZITADEL
[2] User authentication using zitadel end points
Feel free to tag @Ask Inkeep with additional questions.