ZITADEL
Created by bawsky on 6/4/2025 in #questions-help-bugs
Access the authorize request in the Complement Token flow (Actions V1)
Hello Zitadel crew 👋 We have a need to pass arbitrary parameters in the /authorize request and then run some API request inside an action using those parameters, to finally complement the token claims. E.g.:
1. The user attempts to log in and the frontend passes the arbitrary query parameter company_id=42 in the /authorize request.
2. In an action inside Zitadel, we read that arbitrary parameter and use it to make an internal request to our backend API (e.g. to check if the user really has access to company_id=42).
3. If the response of that internal request is successful, the Zitadel action complements the access token with a new claim (e.g. "company_id": 42).
Looking through the documentation I didn't find a way of doing that using Actions V1 - is it possible?
Note: we're on Zitadel 2.67.3 (default version from Helm charts) and using only Actions V1 for now.
3 replies
Created by bawsky on 4/24/2025 in #questions-help-bugs
Roles missing in access token (JWT)
Hello. I'm trying to request access tokens with projects' roles without success - is this a bug or am I missing something? Authorization request (line breaks for readability):
# note the scopes:
# openid email profile urn:zitadel:iam:org:project:id:{projectid}:aud urn:iam:org:project:roles urn:zitadel:iam:org:projects:roles

http://localhost:8080/oauth/v2/authorize
?client_id=317093501659578371
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
&response_mode=query
&scope=openid%20email%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Aproject%3Aid%3A317093501441409027%3Aaud%20urn%3Aiam%3Aorg%3Aproject%3Aroles%20urn%3Azitadel%3Aiam%3Aorg%3Aprojects%3Aroles
&code_challenge=ocYCWfMwcSjWZok91g7EAZsKLdqPI7Nn_qoUWIdHHM4
&code_challenge_method=S256
Token request body (line breaks for readability):
grant_type=authorization_code
&client_id=317093501659578371
&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Fapp%2Fsign-in%2Fzitadel
&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
&code=ONEHefIhLq9n6KgnHO6gdD9JX8np2jaB3IsJyWOzL3Zjnw
Retrieved access token (decoded payload):
{
  "iss": "http://localhost:8080",
  "sub": "317094026115284995",
  "aud": [
    "317093501659578371",
    "317093501441409027"
  ],
  "exp": 1745542441,
  "iat": 1745499241,
  "nbf": 1745499241,
  "client_id": "317093501659578371",
  "jti": "V2_317094820197695491-at_317094820197761027"
}
Note: the role claims are also not present in the ID token, but they ARE present in the userinfo response.
9 replies