Login V2: gRPC call to zitadel.user.v2.UserService.ListUsers returns 403, organization scoped
Use-case: Multi tenancy PaaS
Environment: Self hosting
Version: 4.5.0 and 4.6.2 in beta envs, 3.3.0 in production (using old zitadel/typescript repo)
Hello everyone,
Not sure if it's reproducible as well for some of you, but the gRPC call to the zitadel.user.v2.UserService.ListUsers endpoint returns a 403 permission_denied error to the Login V2 application when the URL contains a pre-defined organization query param resolved from scopes from the auth request, AND most strangely only for one same user email, even after deleting + recreating the user.

The IAM_LOGIN_CLIENT manager role is granted to the Service Account used by Login V2.
Also tried adding IAM_OWNER, sadly with the same result.
Strangely, the REST endpoint /v2/users returns the expected search result.
I opened this issue for it:
https://github.com/zitadel/zitadel/issues/10995
