docs: Clarify how to add the users' organization claim (#9441)

I looked _several times_ to find how to add the organization name or ID to the JWT. but kept overlooking this. The claim `urn:zitadel:iam:user:resourceowner` claim adds the users' organization. But because the word organization was missing from the description, it was very much non-obvious. This fix proposes a clarification of the description to clarify this. # Which Problems Are Solved - It is hard to find how to add the organization name or ID to the JWT. but kept overlooking this. # How the Problems Are Solved - This patch proposes a clarification of the description to clarify that by users `resourceowner`. we mean org. # Additional Context - This changes documentation only. Co-authored-by: Fabienne Bühler <fabienne@zitadel.com>
2025-06-11 13:48:32 +00:00 · 2025-03-03 23:29:23 +07:00 · 2025-03-03 23:29:23 +07:00 · 25c1d4b55f
commit 25c1d4b55f
parent 9f0d933bf6
1 changed files with 1 additions and 1 deletions
--- a/docs/docs/apis/openidoauth/scopes.md
+++ b/docs/docs/apis/openidoauth/scopes.md
@ -35,7 +35,7 @@ In addition to the standard compliant scopes we utilize the following scopes.
 | `urn:zitadel:iam:org:project:id:{projectid}:aud`  | `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested projectid will be added to the audience of the access token                                                                                                                                                                              |
 | `urn:zitadel:iam:org:project:id:zitadel:aud`      | `urn:zitadel:iam:org:project:id:zitadel:aud`           | By adding this scope, the ZITADEL project ID will be added to the audience of the access token                                                                                                                                                                               |
 | `urn:zitadel:iam:user:metadata`                   | `urn:zitadel:iam:user:metadata`                        | By adding this scope, the metadata of the user will be included in the token. The values are base64 encoded.                                                                                                                                                                 |
-| `urn:zitadel:iam:user:resourceowner`              | `urn:zitadel:iam:user:resourceowner`                   | By adding this scope, the resourceowner (id, name, primary_domain) of the user will be included in the token.                                                                                                                                                                |
+| `urn:zitadel:iam:user:resourceowner`              | `urn:zitadel:iam:user:resourceowner`                   | By adding this scope: id, name and  primary_domain of the resource owner (the users organization) will be included in the token.                                                                                                                                                                |
 | `urn:zitadel:iam:org:idp:id:{idp_id}`             | `urn:zitadel:iam:org:idp:id:76625965177954913`         | By adding this scope the user will directly be redirected to the identity provider to authenticate. Make sure you also send the primary domain scope if a custom login policy is configured. Otherwise the system will not be able to identify the identity provider.        |

 [^1]: `urn:zitadel:iam:org:roles:id:{orgID}` is not supported when the `oidcLegacyIntrospection` [feature flag](/docs/apis/resources/feature_service_v2/feature-service-set-instance-features) is enabled.