Philipp (ZITADEL), 4w ago, 8 replies
Getting grants across organization boundary

Tags: Configuration, Self-hosted, Roles & Permissions, Question, OIDC
Hi all,

I have this resource setup:

Org: WebAPI
  Proj: WebAPI
    App: SPA
    App: API
  Users:
    * UserA
Org: A
  Proj: A-A
    Role: a
    Grant: UserA->a
  Proj: B-A
    Role: a
Org: B
  Proj: B-A
    Role: a

The user logs in using the web interface I wrote using Vue and the zitadel-vue library. I then pass the accessToken to the API I wrote using FastAPI and the validator from the documentation.

The token introspection does not return the grant of a to the user from OrgA/ProjectA-A. How can I achieve that?


If I add the scope urn:zitadel:iam:org:project:id:<A-A>:aud to the oidcAuth in the Vue app, the grant is returned in the userinfo as shown in the Vue example. This does not scale, though, as I would need to add all projects to the list of scopes to get a complete view of the users' grants.

Also, if I pass that token to the API and from there to the token introspection endpoint, although the scope gets shown, the grant is not.

Am I missing something very obvious?
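As an added example (not code from the original post, from zitadel-vue or from ZITADEL itself): a fail-closed authorization check that a resource server such as the FastAPI service described above could run over the introspection response it receives. The claim names `urn:zitadel:iam:org:project:roles` and `urn:zitadel:iam:org:project:<project id>:roles` are ZITADEL's; the project ids, role names and the two sample responses are constructed, and the second one assumes the `urn:zitadel:iam:org:project:id:<project id>:aud` scope was requested, which adds the project id to the audience.

```python
# Added example (not code from the original post or from ZITADEL): a fail-closed
# authorization check over a ZITADEL token-introspection response.
# Real ZITADEL claim names: "urn:zitadel:iam:org:project:roles" and
# "urn:zitadel:iam:org:project:<project id>:roles".
# Project ids, role names and the sample responses below are constructed.
from typing import Any

ALL_ROLES_CLAIM = "urn:zitadel:iam:org:project:roles"
PROJECT_CLAIM_PREFIX = "urn:zitadel:iam:org:project:"
PROJECT_CLAIM_SUFFIX = ":roles"


def project_roles(introspection: dict[str, Any]) -> dict[str, set[str]]:
    """Map project id -> role names found in the per-project role claims.

    ZITADEL encodes each role as {"<role>": {"<org id>": "<org domain>"}};
    only the role names are needed for the decision below.
    """
    roles: dict[str, set[str]] = {}
    for key, value in introspection.items():
        if key == ALL_ROLES_CLAIM:
            continue  # aggregate claim without a project id; not used here
        if not (key.startswith(PROJECT_CLAIM_PREFIX) and key.endswith(PROJECT_CLAIM_SUFFIX)):
            continue
        project_id = key[len(PROJECT_CLAIM_PREFIX):-len(PROJECT_CLAIM_SUFFIX)]
        if project_id and isinstance(value, dict):
            roles.setdefault(project_id, set()).update(value.keys())
    return roles


def authorize(introspection: dict[str, Any], api_project_id: str,
              project_id: str, required_role: str) -> tuple[bool, str]:
    """Decide whether the token may act with `required_role` in `project_id`.

    Every check fails closed: an inactive token, a token not issued for this
    API's project, or a missing role claim all deny access.
    """
    if introspection.get("active") is not True:
        return False, "token is not active"
    aud = introspection.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if api_project_id not in aud:
        return False, "token audience does not include this API's project"
    granted = project_roles(introspection).get(project_id, set())
    if required_role not in granted:
        return False, f"role {required_role!r} not granted in project {project_id!r}"
    return True, "ok"


# Constructed sample responses (ids are placeholders, not real ZITADEL ids).
API_PROJECT_ID = "111111111111111111"   # project "WebAPI"
PROJECT_A_A_ID = "222222222222222222"   # project "A-A" in Org A

# Introspection of a token requested without the A-A project scope: the
# audience is fine, but no role claim for A-A is present, so access is denied.
WITHOUT_PROJECT_SCOPE = {
    "active": True,
    "sub": "333333333333333333",
    "aud": [API_PROJECT_ID],
}

# Introspection of a token requested with urn:zitadel:iam:org:project:id:<A-A>:aud,
# which adds the A-A project id to the audience and its role claim to the response.
WITH_PROJECT_SCOPE = {
    "active": True,
    "sub": "333333333333333333",
    "aud": [API_PROJECT_ID, PROJECT_A_A_ID],
    ALL_ROLES_CLAIM: {"a": {"444444444444444444": "org-a.example.com"}},
    f"{PROJECT_CLAIM_PREFIX}{PROJECT_A_A_ID}{PROJECT_CLAIM_SUFFIX}": {
        "a": {"444444444444444444": "org-a.example.com"}
    },
}

if __name__ == "__main__":
    for name, resp in (("without scope", WITHOUT_PROJECT_SCOPE),
                       ("with scope", WITH_PROJECT_SCOPE)):
        print(name, authorize(resp, API_PROJECT_ID, PROJECT_A_A_ID, "a"))
```

The point of the two samples is the failure mode from the post: when the per-project role claim is absent, the check denies rather than guessing from the aggregate claim, so a missing scope shows up as a clear "role not granted" reason in the API's logs instead of silently passing.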