fix(oidc): roles in service user ID token (#8561)

# Which Problems Are Solved Return the user's project roles when the `urn:zitadel:iam:org:projects:roles` scope is requested. We alreayd returned it for access tokens, now also ID tokens. # How the Problems Are Solved Set `idTokenRoleAssertion` to `true` when calling `accessTokenResponseFromSession` for service users. This parameter is normally set to the client config. However, service user authentication does not have a client. # Additional Changes - none # Additional Context - Introduced in https://github.com/zitadel/zitadel/pull/8046 - Closes https://github.com/zitadel/zitadel/issues/8107 Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-01-05 14:37:45 +00:00 · 2024-09-11 07:45:59 +03:00 · 2024-09-11 07:45:59 +03:00 · 328c409271
commit 328c409271
parent 622a176be4
2 changed files with 2 additions and 2 deletions
--- a/internal/api/oidc/token_client_credentials.go
+++ b/internal/api/oidc/token_client_credentials.go
@ -51,5 +51,5 @@ func (s *Server) ClientCredentialsExchange(ctx context.Context, r *op.ClientRequ
 		return nil, err
 	}

-	return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, false, false))
+	return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, true, false))
 }
--- a/internal/api/oidc/token_jwt_profile.go
+++ b/internal/api/oidc/token_jwt_profile.go
@ -58,7 +58,7 @@ func (s *Server) JWTProfile(ctx context.Context, r *op.Request[oidc.JWTProfileGr
 	if err != nil {
 		return nil, err
 	}
-	return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, false, false))
+	return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, true, false))
 }

 func (s *Server) verifyJWTProfile(ctx context.Context, req *oidc.JWTProfileGrantRequest) (user *query.User, tokenRequest *oidc.JWTTokenRequest, err error) {