Slef-hosted; How do you obtain roles for a Service User?

We are running self-hosted version: v2.71.8

I am able to obtain roles for Client Users, using the scope:

openid offline_access profile email urn:zitadel:iam:org:project:id:<project>:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

openid offline_access profile email urn:zitadel:iam:org:project:id:<project>:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

Via userinfo:

user {
  email: "barry.scott@example.com",
  email_verified: true,
  family_name: "Scott",
  given_name: "Barry",
  locale: null,
  name: "Barry Scott",
  preferred_username: "barry.scott@example.com",
  sub: "<sub>",
  updated_at: 1748336346,
  "urn:zitadel:iam:org:project:<project>:roles": {
    "api": {
      "<project>": "<org>.us1.zitadel.cloud",
    },
  },
  "urn:zitadel:iam:org:project:roles": {
    "api": {
      "<project>": "<org>.us1.zitadel.cloud",
    },
  },
}

user {
  email: "barry.scott@example.com",
  email_verified: true,
  family_name: "Scott",
  given_name: "Barry",
  locale: null,
  name: "Barry Scott",
  preferred_username: "barry.scott@example.com",
  sub: "<sub>",
  updated_at: 1748336346,
  "urn:zitadel:iam:org:project:<project>:roles": {
    "api": {
      "<project>": "<org>.us1.zitadel.cloud",
    },
  },
  "urn:zitadel:iam:org:project:roles": {
    "api": {
      "<project>": "<org>.us1.zitadel.cloud",
    },
  },
}

But if I try get the roles of a PAT Service User via userinfo, nothing comes through:

user {
  name: "PAT API User",
  preferred_username: "pat_api_user",
  sub: "<sub>",
  updated_at: 1755769128,
  "urn:zitadel:iam:user:resourceowner:id": "<resource>",
  "urn:zitadel:iam:user:resourceowner:name": "<org name>",
  "urn:zitadel:iam:user:resourceowner:primary_domain": "<org>.us1.zitadel.cloud",
}

user {
  name: "PAT API User",
  preferred_username: "pat_api_user",
  sub: "<sub>",
  updated_at: 1755769128,
  "urn:zitadel:iam:user:resourceowner:id": "<resource>",
  "urn:zitadel:iam:user:resourceowner:name": "<org name>",
  "urn:zitadel:iam:user:resourceowner:primary_domain": "<org>.us1.zitadel.cloud",
}

A role has definitely been set.

Slef-hosted; How do you obtain roles for a Service User?

We are running self-hosted version: v2.71.8

I am able to obtain roles for Client Users, using the scope:

openid offline_access profile email urn:zitadel:iam:org:project:id:<project>:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

openid offline_access profile email urn:zitadel:iam:org:project:id:<project>:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

Via userinfo:

user {
  email: "barry.scott@example.com",
  email_verified: true,
  family_name: "Scott",
  given_name: "Barry",
  locale: null,
  name: "Barry Scott",
  preferred_username: "barry.scott@example.com",
  sub: "<sub>",
  updated_at: 1748336346,
  "urn:zitadel:iam:org:project:<project>:roles": {
    "api": {
      "<project>": "<org>.us1.zitadel.cloud",
    },
  },
  "urn:zitadel:iam:org:project:roles": {
    "api": {
      "<project>": "<org>.us1.zitadel.cloud",
    },
  },
}

user {
  email: "barry.scott@example.com",
  email_verified: true,
  family_name: "Scott",
  given_name: "Barry",
  locale: null,
  name: "Barry Scott",
  preferred_username: "barry.scott@example.com",
  sub: "<sub>",
  updated_at: 1748336346,
  "urn:zitadel:iam:org:project:<project>:roles": {
    "api": {
      "<project>": "<org>.us1.zitadel.cloud",
    },
  },
  "urn:zitadel:iam:org:project:roles": {
    "api": {
      "<project>": "<org>.us1.zitadel.cloud",
    },
  },
}

But if I try get the roles of a PAT Service User via userinfo, nothing comes through:

user {
  name: "PAT API User",
  preferred_username: "pat_api_user",
  sub: "<sub>",
  updated_at: 1755769128,
  "urn:zitadel:iam:user:resourceowner:id": "<resource>",
  "urn:zitadel:iam:user:resourceowner:name": "<org name>",
  "urn:zitadel:iam:user:resourceowner:primary_domain": "<org>.us1.zitadel.cloud",
}

user {
  name: "PAT API User",
  preferred_username: "pat_api_user",
  sub: "<sub>",
  updated_at: 1755769128,
  "urn:zitadel:iam:user:resourceowner:id": "<resource>",
  "urn:zitadel:iam:user:resourceowner:name": "<org name>",
  "urn:zitadel:iam:user:resourceowner:primary_domain": "<org>.us1.zitadel.cloud",
}

A role has definitely been set.

Slef-hosted; How do you obtain roles for a Service User?

Similar Threads

Slef-hosted; How do you obtain roles for a Service User?

Similar Threads

Similar Threads

Similar Threads