Gergely Daroczi
ZITADEL, 2mo ago
20 replies

The scope property of a (personal access) token introspection includes already removed roles/grants.

⛓️‍💥 APIs, ☁️ Zitadel Cloud, 🛡️ Authorization, Question, 🔗 OIDC
Hello All,
I've been experimenting with ZITADEL for a few days and found it absolutely great, but I've run into an issue that I was not able to debug, so looking for help: I'm using Basic auth API to introspect a system user's personal access token and besides validating it's `active`, also looking for a specific `scope` -- the problem is when I remove that grant/role authorization for the system user, it's still showing up in the list of `scope`. Any pointers why is that? The related `urn:zitadel:iam:org:project:roles` property and `urn:zitadel:iam:org:project:***:roles` get removed, but the actual `scope` property is not updated.
Thanks,
Gergely
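
An added example, not part of the original post and not ZITADEL's own code: a resource-server check that takes role decisions from the `urn:zitadel:iam:org:project:roles` claim, which the post reports is removed together with the grant, and ignores `scope`. The endpoint path, role name, org id and both sample responses are assumptions constructed for illustration.

```python
import base64
import urllib.parse
import urllib.request

ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"  # claim name quoted in the post


def build_introspection_request(issuer, client_id, client_secret, token):
    """Build (not send) an RFC 7662 introspection call using HTTP Basic auth.
    The /oauth/v2/introspect path is an assumption; confirm it in the
    instance's OIDC discovery document."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token}).encode()
    return urllib.request.Request(
        issuer.rstrip("/") + "/oauth/v2/introspect",
        data=body,
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def granted_roles(introspection):
    """Roles taken from the roles claim only; an inactive token has none."""
    if introspection.get("active") is not True:
        return set()
    roles = introspection.get(ROLES_CLAIM)
    return set(roles) if isinstance(roles, dict) else set()


def is_authorized(introspection, role):
    """Fail closed: 'scope' is deliberately ignored for role decisions."""
    return role in granted_roles(introspection)


# Constructed responses (not captured from a real instance). The role name,
# org id and domain are placeholders.
BEFORE_REMOVAL = {
    "active": True,
    "scope": "openid example-role",
    ROLES_CLAIM: {"example-role": {"ORG_ID_PLACEHOLDER": "org.example"}},
}
AFTER_REMOVAL = {"active": True, "scope": "openid example-role"}  # stale scope
```

With the constructed `AFTER_REMOVAL` response the role is still listed in `scope`, yet `is_authorized` returns `False` because the roles claim is gone.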