PhilippP
ZITADEL•13h ago•
6 replies

Getting grants across organization boundary

Hi all,

I have this resource setup:

Org: WebAPI
  Proj: WebAPI
    App: SPA
    App: API
  Users:
    * UserA
Org: A
  Proj: A-A
    Role: a
    Grant: UserA->a
  Proj: B-A
    Role: a
Org: B
  Proj: B-A
    Role: a


The user logs in using the web interface I wrote using Vue and the zitadel-vue library.
I then pass the accessToken to the API I wrote using FastAPI and the validator from the documentation.

The token introspection does not return the Grant of a to the user from OrgA/ProjectA-A. How can I achieve that?

If I add the scope urn:zitadel:iam:org:project:id:<A-A>:aud to the oidcAuth in the Vue app, the grant is returned in the userinfo as shown in the Vue example. This does not scale, though, as I would need to add all projects to the list of scopes to get a complete view of the user's grants.

Also, if I pass that token to the API and from there to the token introspection endpoint, although the scope gets shown, the grant is not.

Am I missing something very obvious?