kappapilla • ZITADEL • 4mo ago • 7 replies

`scope` claim in JWT

Looks like the scope claim is modeled differently in Zitadel compared to Okta/Keycloak. Any reason, and also is it compliant with the OAuth2 spec? Here are some examples for different auth servers.

ZITADEL Implementation

Scope Format:
```text
# ZITADEL's proprietary URN format
openid urn:zitadel:iam:org:project:id:344374183645413380:aud urn:zitadel:iam:org:projects:roles
```

JWT Structure:
```json
{
  "iss": "http://localhost:8082",
  "sub": "345377791925026818",
  "aud": ["344374183645413380"],
  "exp": 1762400552,
  "iat": 1762357352,
  "client_id": "service_test-user-1762357206",
  "urn:zitadel:iam:org:project:344374183645413380:roles": {
    "streaming": {
      "344373908297744388": "ea-1761758844.localhost"
    }
  }
}
```

Keycloak Implementation

Scope Format:
```text
# Standard OAuth2 scopes
openid profile email roles web-origins
```

JWT Structure:
```json
{
  "exp": 1699123456,
  "iat": 1699120000,
  "jti": "abc-123-def",
  "iss": "http://localhost:8080/realms/master",
  "aud": "account",
  "sub": "service-account-client-id",
  "typ": "Bearer",
  "azp": "my-service",
  "scope": "profile email roles",
  "realm_access": {
    "roles": ["admin", "user", "streaming"]
  },
  "resource_access": {
    "my-service": {
      "roles": ["service-role"]
    }
  },
  "clientId": "my-service",
  "clientHost": "127.0.0.1"
}
```

Okta Implementation

Scope Format:
```text
# Dot notation scopes
openid groups okta.users.read custom.scope
```

JWT Structure:
```json
{
  "ver": 1,
  "jti": "AT.abc123def456",
  "iss": "https://dev-123456.okta.com/oauth2/default",
  "aud": "api://default",
  "iat": 1699120000,
  "exp": 1699123600,
  "cid": "client-id",
  "uid": "service-user-id",
  "scp": ["custom.scope", "okta.users.read"],
  "sub": "service-user-id"
}
```
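As an added example (not from the original post, nor ZITADEL's, Keycloak's or Okta's own code), here is a resource-server helper that normalises the three token shapes quoted above into one permission set, checking `aud` first since the samples disagree on whether it is a string or an array. The sample claims are trimmed copies of the post's JSON, and the project id and client id are the ones those samples use; it assumes signature, issuer and expiry were already verified.

```python
from typing import Any, Optional

# Assumes the JWT signature, issuer and expiry were already verified
# upstream; this only normalises the authorisation-relevant claims.
def audiences(claims: dict[str, Any]) -> set[str]:
    """RFC 7519 allows `aud` as one string or an array; the ZITADEL sample
    uses an array, the Keycloak and Okta samples a string."""
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)

def zitadel_roles(claims: dict[str, Any], project_id: str) -> set[str]:
    """ZITADEL keys roles by project: the claim value maps
    role name -> {org_id: org_domain}; only the role names are needed."""
    roles = claims.get(f"urn:zitadel:iam:org:project:{project_id}:roles", {})
    return set(roles) if isinstance(roles, dict) else set()

def keycloak_roles(claims: dict[str, Any], client_id: str) -> set[str]:
    """Keycloak splits roles between realm_access and per-client resource_access."""
    realm = claims.get("realm_access", {}).get("roles", [])
    client = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    return set(realm) | set(client)

def scopes(claims: dict[str, Any]) -> set[str]:
    """Okta's `scp` is a JSON array; Keycloak's `scope` is a space-separated string."""
    scp = claims.get("scp")
    if isinstance(scp, list):
        return set(scp)
    return set(claims.get("scope", "").split())

def permissions(claims: dict[str, Any], *, expected_aud: str,
                zitadel_project: Optional[str] = None,
                keycloak_client: Optional[str] = None) -> set[str]:
    """Normalised permission set; empty when the token is not for this API."""
    if expected_aud not in audiences(claims):
        return set()
    perms = scopes(claims)
    if zitadel_project:
        perms |= zitadel_roles(claims, zitadel_project)
    if keycloak_client:
        perms |= keycloak_roles(claims, keycloak_client)
    return perms
# Constructed samples, trimmed from the three tokens quoted in the post.
ZITADEL = {"aud": ["344374183645413380"],
           "urn:zitadel:iam:org:project:344374183645413380:roles":
               {"streaming": {"344373908297744388": "ea-1761758844.localhost"}}}
KEYCLOAK = {"aud": "account", "scope": "profile email roles",
            "realm_access": {"roles": ["admin", "user", "streaming"]},
            "resource_access": {"my-service": {"roles": ["service-role"]}}}
OKTA = {"aud": "api://default", "scp": ["custom.scope", "okta.users.read"]}
```

Whatever the issuer, the resource server ends up comparing one flat set of names against the permission it requires, and a token whose `aud` does not name this API yields nothing.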