Device Auth Token requested Org ID not enforced
Hi All,
I recently was testing out Device Auth Token on the latest stable Zitadel (v4) and followed the normal instructions for setting up a Device Auth Project.
When I perform the portion of the user authorizing the Device on their account, I use the scope:
urn:zitadel:iam:org:id:{id}
Regardless of the user's membership (e.g. they aren't part of the organization id specified), the access token is returned and when querying the user_info endpoint with that token, the organization id is listed.
I believe this is a bug because the user shouldn't have been issued an access token when they failed the urn:zitadel:iam:org:id:{id} scope assertion? Or at least I wouldn't expect that id to be present on the user_info since they aren't a part of the organization.