feat: add resource owner scope / claim (#2274)

* feat: add resource owner scope / claim

* fix: private claims

* fix: private claims

* fix: add claim description

* Update claims.md

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Fabi
2021-08-31 11:49:31 +02:00
committed by GitHub
parent c884a11f1b
commit 31a91a0039
7 changed files with 119 additions and 45 deletions


@@ -5,31 +5,35 @@ title: Claims
ZITADEL asserts claims on different places according to the corresponding specifications or project and clients settings.
Please check below the matrix for an overview where which scope is asserted.
| Claims | Userinfo | Introspection | ID Token | Access Token |
|:------------------------------------------------|:---------------|----------------|---------------------------------------------|--------------------------------------|
| acr | No | No | Yes | No |
| address | When requested | When requested | When requested amd response_type `id_token` | No |
| amr | No | No | Yes | No |
| aud | No | No | Yes | When JWT |
| auth_time | No | No | Yes | No |
| azp | No | No | Yes | When JWT |
| email | When requested | When requested | When requested amd response_type `id_token` | No |
| email_verified | When requested | When requested | When requested amd response_type `id_token` | No |
| exp | No | No | Yes | When JWT |
| family_name | When requested | When requested | When requested amd response_type `id_token` | No |
| gender | When requested | When requested | When requested amd response_type `id_token` | No |
| given_name | When requested | When requested | When requested amd response_type `id_token` | No |
| iat | No | No | Yes | When JWT |
| iss | No | No | Yes | When JWT |
| locale | When requested | When requested | When requested amd response_type `id_token` | No |
| name | When requested | When requested | When requested amd response_type `id_token` | No |
| nonce | No | No | Yes | No |
| phone | When requested | When requested | When requested amd response_type `id_token` | No |
| phone_verified | When requested | When requested | When requested amd response_type `id_token` | No |
| preferred_username (username when Introspect ) | When requested | When requested | Yes | No |
| sub | Yes | Yes | Yes | When JWT |
| urn:zitadel:iam:org:domain:primary:{domainname} | When requested | When requested | When requested | When JWT and requested |
| urn:zitadel:iam:org:project:roles:{rolename} | When requested | When requested | When requested or configured | When JWT and requested or configured |
| Claims | Userinfo | Introspection | ID Token | Access Token |
|:--------------------------------------------------|:---------------|----------------|---------------------------------------------|--------------------------------------|
| acr | No | No | Yes | No |
| address | When requested | When requested | When requested amd response_type `id_token` | No |
| amr | No | No | Yes | No |
| aud | No | No | Yes | When JWT |
| auth_time | No | No | Yes | No |
| azp | No | No | Yes | When JWT |
| email | When requested | When requested | When requested amd response_type `id_token` | No |
| email_verified | When requested | When requested | When requested amd response_type `id_token` | No |
| exp | No | No | Yes | When JWT |
| family_name | When requested | When requested | When requested amd response_type `id_token` | No |
| gender | When requested | When requested | When requested amd response_type `id_token` | No |
| given_name | When requested | When requested | When requested amd response_type `id_token` | No |
| iat | No | No | Yes | When JWT |
| iss | No | No | Yes | When JWT |
| locale | When requested | When requested | When requested amd response_type `id_token` | No |
| name | When requested | When requested | When requested amd response_type `id_token` | No |
| nonce | No | No | Yes | No |
| phone | When requested | When requested | When requested amd response_type `id_token` | No |
| phone_verified | When requested | When requested | When requested amd response_type `id_token` | No |
| preferred_username (username when Introspect ) | When requested | When requested | Yes | No |
| sub | Yes | Yes | Yes | When JWT |
| urn:zitadel:iam:org:domain:primary:{domainname} | When requested | When requested | When requested | When JWT and requested |
| urn:zitadel:iam:org:project:roles:{rolename} | When requested | When requested | When requested or configured | When JWT and requested or configured |
| urn:zitadel:iam:user:metadata | When requested | When requested | When requested | When JWT and requested |
| urn:zitadel:iam:user:resourceowner:id | When requested | When requested | When requested | When JWT and requested |
| urn:zitadel:iam:user:resourceowner:name | When requested | When requested | When requested | When JWT and requested |
| urn:zitadel:iam:user:resourceowner:primary_domain | When requested | When requested | When requested | When JWT and requested |
## Standard Claims
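Review bot: The rewritten matrix rows still carry the typo "amd" in "When requested amd response_type `id_token`" (address, email, email_verified, family_name and the other profile rows); every row is re-padded in this hunk anyway, so change it to "and" here. The intro line also says the matrix shows "where which scope is asserted" while the first column lists claims, which becomes more confusing now that `urn:zitadel:iam:user:resourceowner` is a scope and the three `resourceowner:*` rows are the claims it produces.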
@@ -64,8 +68,12 @@ Please check below the matrix for an overview where which scope is asserted.
ZITADEL reserves some claims to assert certain data.
| Claims | Example | Description |
|:------------------------------------------------|:-----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| urn:zitadel:iam:org:domain:primary:{domainname} | `{"urn:zitadel:iam:org:domain:primary": "acme.ch"}` | This claim represents the primary domain of the organization the user belongs to. |
| urn:zitadel:iam:org:project:roles:{rolename} | `{"urn:zitadel:iam:org:project:roles": [ {"user": {"id1": "acme.zitade.ch", "id2": "caos.ch"} } ] }` | When roles are asserted, ZITADEL does this by providing the `id` and `primaryDomain` below the role. This gives you the option to check in which organization a user has the role. |
| urn:zitadel:iam:roles:{rolename} | TBA | TBA |
| Claims | Example | Description |
|:--------------------------------------------------|:-----------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| urn:zitadel:iam:org:domain:primary:{domainname} | `{"urn:zitadel:iam:org:domain:primary": "acme.ch"}` | This claim represents the primary domain of the organization the user belongs to. |
| urn:zitadel:iam:org:project:roles:{rolename} | `{"urn:zitadel:iam:org:project:roles": [ {"user": {"id1": "acme.zitade.ch", "id2": "caos.ch"} } ] }` | When roles are asserted, ZITADEL does this by providing the `id` and `primaryDomain` below the role. This gives you the option to check in which organization a user has the role. |
| urn:zitadel:iam:roles:{rolename} | TBA | TBA |
| urn:zitadel:iam:user:metadata | `{"urn:zitadel:iam:user:metadata": [ {"key": "VmFsdWU=" } ] }` | The metadata claim will include all metadata of a user. The values are base64 encoded. |
| urn:zitadel:iam:user:resourceowner:id | `{"urn:zitadel:iam:user:resourceowner:id": "orgid"}` | This claim represents the id of the resource owner organisation of the user. |
| urn:zitadel:iam:user:resourceowner:name | `{"urn:zitadel:iam:user:resourceowner:name": "ACME"}` | This claim represents the name of the resource owner organisation of the user. |
| urn:zitadel:iam:user:resourceowner:primary_domain | `{"urn:zitadel:iam:user:resourceowner:primary_domain": "acme.ch"}` | This claim represents the primary domain of the resource owner organisation of the user. |
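Review bot: The description of `urn:zitadel:iam:user:resourceowner:primary_domain` reads almost the same as the existing one for `urn:zitadel:iam:org:domain:primary:{domainname}` ("the primary domain of the organization the user belongs to"), and both examples show `acme.ch`, so a reader cannot tell when the two differ or which one a tenant check should rely on; add a sentence stating how they relate. The new rows also spell "organisation" where the existing rows use "organization", and the `urn:zitadel:iam:user:metadata` example uses the literal key `key`, which would be clearer with a realistic key name next to the base64 value.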


@@ -29,5 +29,6 @@ In addition to the standard compliant scopes we utilize the following scopes.
| urn:zitadel:iam:role:{rolename} | | |
| `urn:zitadel:iam:org:project:id:{projectid}:aud` | ZITADEL's Project id is `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested projectid will be added to the audience of the access and id token |
| urn:zitadel:iam:user:metadata | `urn:zitadel:iam:user:metadata` | By adding this scope, the metadata of the user will be included in the token. The values are base64 encoded. |
| urn:zitadel:iam:user:resourceowner | `urn:zitadel:iam:user:resourceowner` | By adding this scope, the resourceowner (id, name, primary_domain) of the user will be included in the token. |
> If access to ZITADEL's API's is needed with a service user the scope `urn:zitadel:iam:org:project:id:69234237810729019:aud` needs to be used with the JWT Profile request
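Review bot: The new `urn:zitadel:iam:user:resourceowner` row says the data "will be included in the token" without saying which token or naming the claims that result, while the claims matrix in this same commit lists `urn:zitadel:iam:user:resourceowner:id`, `:name` and `:primary_domain` for userinfo, introspection, the ID token and the access token when it is a JWT. Name the three claims in this row or link to the claims page, so that a client requesting the scope knows the organisation id, name and primary domain will be visible to whoever receives a JWT access token.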