From 25c1d4b55f329cdd28318cdc994fc46b4c5fb31f Mon Sep 17 00:00:00 2001
From: Thatcher
Date: Mon, 3 Mar 2025 23:29:23 +0700
Subject: [PATCH] docs: Clarify how to add the users' organization claim (#9441)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I looked _several times_ to find how to add the organization name or ID to the JWT, but kept overlooking this.

The `urn:zitadel:iam:user:resourceowner` claim adds the users' organization. But because the word organization was missing from the description, it was very much non-obvious.

This fix proposes a clarification of the description to clarify this.

# Which Problems Are Solved

- It is hard to find how to add the organization name or ID to the JWT, but kept overlooking this.

# How the Problems Are Solved

- This patch proposes a clarification of the description to clarify that by users' `resourceowner` we mean org.

# Additional Context

- This changes documentation only.

Co-authored-by: Fabienne Bühler
---
 docs/docs/apis/openidoauth/scopes.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/docs/apis/openidoauth/scopes.md b/docs/docs/apis/openidoauth/scopes.md
index a43f18b2f9..263d888f31 100644
--- a/docs/docs/apis/openidoauth/scopes.md
+++ b/docs/docs/apis/openidoauth/scopes.md
@@ -35,7 +35,7 @@ In addition to the standard compliant scopes we utilize the following scopes. | `urn:zitadel:iam:org:project:id:{projectid}:aud` | `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested projectid will be added to the audience of the access token | | `urn:zitadel:iam:org:project:id:zitadel:aud` | `urn:zitadel:iam:org:project:id:zitadel:aud` | By adding this scope, the ZITADEL project ID will be added to the audience of the access token | | `urn:zitadel:iam:user:metadata` | `urn:zitadel:iam:user:metadata` | By adding this scope, the metadata of the user will be included in the token. The values are base64 encoded. | -| `urn:zitadel:iam:user:resourceowner` | `urn:zitadel:iam:user:resourceowner` | By adding this scope, the resourceowner (id, name, primary_domain) of the user will be included in the token. | +| `urn:zitadel:iam:user:resourceowner` | `urn:zitadel:iam:user:resourceowner` | By adding this scope: id, name and primary_domain of the resource owner (the users organization) will be included in the token. | | `urn:zitadel:iam:org:idp:id:{idp_id}` | `urn:zitadel:iam:org:idp:id:76625965177954913` | By adding this scope the user will directly be redirected to the identity provider to authenticate. Make sure you also send the primary domain scope if a custom login policy is configured. Otherwise the system will not be able to identify the identity provider. | [^1]: `urn:zitadel:iam:org:roles:id:{orgID}` is not supported when the `oidcLegacyIntrospection` [feature flag](/docs/apis/resources/feature_service_v2/feature-service-set-instance-features) is enabled.
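Review bot: The replaced `urn:zitadel:iam:user:resourceowner` row is now inconsistent with every other row in this table, which all read "By adding this scope, the ...", and the new wording has a stray colon and a missing apostrophe in "the users organization". Suggest keeping the table's phrasing while still naming the organization, e.g. `| By adding this scope, the id, name and primary_domain of the resource owner (the user's organization) will be included in the token. |`. Since the whole point of the change is discoverability, it may also be worth stating "organization" before the parenthesis rather than inside it, so a reader scanning the table for that word finds it immediately.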