bawsky
ZITADEL
•Created by bawsky on 6/4/2025 in #questions-help-bugs
Access the authorize request in the Complement Token flow (Actions V1)
So, thinking about it, I guess if I want to pass arbitrary data into my token claims, the correct approach would be passing it through the /token request - NOT the /authorize request, right? That way we theoretically wouldn't have to store any "intermediate" state.
I don't think this is possible in Actions V1 at all 🤔
Perhaps it is possible in Actions V2? (set custom claims based on parameters sent to the /token request)
•Created by bawsky on 6/4/2025 in #questions-help-bugs
Access the authorize request in the Complement Token flow (Actions V1)
I was able to workaround that by using two separate actions (one in a Post Authentication, and one in Complement Token)
- in the authorize request, pass state encoded with the arbitrary data I want, e.g.:
state=company_id:42;subdomain:mycompany;foo:bar
- in an action in the External Authentication or Internal Authentication flow, parse the state (from ctx.v1.authRequest.transferState), then add company_id to the user metadata, e.g.:
- in an action in the Complement Token flow (pre access token creation):
This is not great though... If the user is logged into multiple devices the state could leak between them, e.g.:
- login using my computer passing company_id=1 - and that is successfully added as a claim in the token
- login using my phone passing company_id=42
- when my computer generates a new token (using the refresh_token), it would NOT go through the Post Authentication Flow and would read directly from the user metadata, so it would add company_id=42 to the new token claims - regardless of the previous company_id my computer used to authenticate
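An added example (not bawsky's action code and not Zitadel's Action API, which is deliberately not called here; the allow-list of keys and the validation rules are assumptions) that parses the "key:value;key:value" state format from the post and validates the values before they are turned into claims:

```javascript
// Parse the state string described above ("company_id:42;subdomain:mycompany;foo:bar")
// into an object. Only allow-listed keys survive, so client-supplied extras like
// "foo" can never become claims. Constructed example; no Zitadel API is used.
const ALLOWED_KEYS = new Set(["company_id", "subdomain"]); // assumption

function parseState(state) {
  const out = {};
  if (typeof state !== "string" || state.length === 0) return out;
  for (const pair of state.split(";")) {
    const idx = pair.indexOf(":");
    if (idx <= 0) continue; // skip malformed pairs such as "foo" or ":x"
    const key = pair.slice(0, idx).trim();
    const value = pair.slice(idx + 1).trim();
    if (!ALLOWED_KEYS.has(key)) continue; // drop keys that must not become claims
    out[key] = value; // a repeated key: the last occurrence wins
  }
  return out;
}

// The state is chosen by the client, so every value is untrusted input: company_id
// must be a plain integer and subdomain a single DNS label before either is emitted
// as a claim. Validation rules are assumptions for this example.
function toClaims(parsed) {
  const claims = {};
  if (parsed.company_id !== undefined) {
    if (!/^[0-9]{1,18}$/.test(parsed.company_id)) throw new Error("invalid company_id");
    claims.company_id = Number(parsed.company_id);
  }
  if (parsed.subdomain !== undefined) {
    if (!/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/.test(parsed.subdomain)) {
      throw new Error("invalid subdomain");
    }
    claims.subdomain = parsed.subdomain;
  }
  return claims;
}

// Constructed sample state taken from the format in the post.
const SAMPLE_STATE = "company_id:42;subdomain:mycompany;foo:bar";
console.log(toClaims(parseState(SAMPLE_STATE))); // { company_id: 42, subdomain: 'mycompany' }
```

Because the client picks the state, an action should additionally check the parsed company_id against the user's actual grants before it is written to metadata or a claim; parsing alone does not establish that the user belongs to that company.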
•Created by bawsky on 4/24/2025 in #questions-help-bugs
Roles missing in access token (JWT)
No trouble at all! We're just starting the work on integrating Zitadel into our already-consolidated product - so this issue doesn't really affect us yet (we are integrating Zitadel for authentication but we still control roles and authorization inside our application - I'm just evaluating the possibility of also migrating that part to Zitadel at some point in future).
Thanks a lot for the response @Rajat 😄
Looking forward to understanding this - please keep me updated here (and let me know if I should open a GitHub issue to track it if it's a bug).
•Created by bawsky on 4/24/2025 in #questions-help-bugs
Roles missing in access token (JWT)
Hello @Rajat!
I've actually tried both ways:
- when it's selected, the user roles are ALWAYS added to the access token, regardless of the urn:iam:org:project:roles and urn:zitadel:iam:org:projects:roles scopes
- when it is not selected, the user roles are NEVER added to the access token, regardless of the urn:iam:org:project:roles and urn:zitadel:iam:org:projects:roles scopes
•Created by bawsky on 4/24/2025 in #questions-help-bugs
Roles missing in access token (JWT)
NOTE: selecting "Add user roles to the access token" in the application's "Token Settings" works, but then the roles are retrieved independently of what scopes I pass (i.e. the urn:iam:org:project:roles and urn:zitadel:iam:org:projects:roles scopes seem to be ignored)
Also probably relevant: I'm running Zitadel locally with docker-compose v2.71.7
•Created by bawsky on 4/24/2025 in #questions-help-bugs
Roles missing in access token (JWT)
Here are my setup steps:
1. Set up the main org/project/app:
   1. Create a new 'example_org' organization
   2. Inside the 'example_org' organization, create a new 'example_project' project
      - in the project 'General' settings, enable "Assert Roles on Authentication"
   3. Inside the 'example_project' project, create a new 'example_role'
   4. Inside the 'example_project' project, create a new 'example_app' (note: I'm using a 'User Agent' app, with PKCE enabled)
      - in the app 'Token Settings', set "Auth Token Type" to "JWT"
2. Set up another org with a user:
   1. Create a new 'example_org2' organization
   2. Inside the 'example_org2' organization, create a new 'example_user' user
3. Grant the user access to the project:
   1. Inside the 'example_project' project, grant 'example_role' to the 'example_org2' organization
   2. Inside the 'example_org2' organization, grant the 'example_role' authorization to the 'example_user' user
userinfo response:
•Created by Raccine on 3/3/2025 in #product-feedback-requests
SDKs - Poll
I've missed the opportunity to vote - it'd be Ruby for me 🙂 💎
We're starting to roll out Zitadel in our Ruby services (a B2B app) as it seems the most interesting SSO solution right now, and our previous solution (Azure AD B2C) was giving us a lot of headache and terrible support.
That said however, it's very unfortunate that the Ruby support at Zitadel is poor... Simply generating the SDK from the proto files was a bit of a pain (these docs are outdated: https://zitadel.com/docs/sdk-examples/introduction#example-with-ruby)