fix(oidc): roles in service user ID token (#8561)

# Which Problems Are Solved

Return the user's project roles when the
`urn:zitadel:iam:org:projects:roles` scope is requested.
We already returned them for access tokens; now they are also returned in ID tokens.

# How the Problems Are Solved

Set `idTokenRoleAssertion` to `true` when calling
`accessTokenResponseFromSession` for service users. This parameter is
normally set to the client config. However, service user authentication
does not have a client.

# Additional Changes

- none

# Additional Context

- Introduced in https://github.com/zitadel/zitadel/pull/8046
- Closes https://github.com/zitadel/zitadel/issues/8107

Co-authored-by: Livio Spring <livio.a@gmail.com>
Tim Möhlmann 2024-09-11 07:45:59 +03:00 committed by GitHub
parent 622a176be4
commit 328c409271
2 changed files with 2 additions and 2 deletions


@ -51,5 +51,5 @@ func (s *Server) ClientCredentialsExchange(ctx context.Context, r *op.ClientRequ
return nil, err return nil, err
} }
return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, false, false)) return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, true, false))
} }
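Review bot: The flipped argument in the `return response(s.accessTokenResponseFromSession(...))` line is the third of four adjacent untyped bool parameters, so nothing at the call site tells a reader that it is `idTokenRoleAssertion` being hard-coded to true; the same applies to the identical call in the JWTProfile hunk below. The description explains that service users have no client config to read this flag from, and that reasoning belongs next to the call so the next maintainer does not "fix" it back: `// Service users have no client config, so idTokenRoleAssertion is hard-coded to true; roles are still only asserted when the projects:roles scope is requested (see the scope handling in accessTokenResponseFromSession).` The diffstat shows only the two source files changed, so no test appears to pin that a client-credentials or JWT-profile ID token now carries the roles claim; a test asserting that claim for a session with and without the scope would protect this fix, though the existing test coverage is outside this page.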


@ -58,7 +58,7 @@ func (s *Server) JWTProfile(ctx context.Context, r *op.Request[oidc.JWTProfileGr
if err != nil { if err != nil {
return nil, err return nil, err
} }
return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, false, false)) return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, true, false))
} }
func (s *Server) verifyJWTProfile(ctx context.Context, req *oidc.JWTProfileGrantRequest) (user *query.User, tokenRequest *oidc.JWTTokenRequest, err error) { func (s *Server) verifyJWTProfile(ctx context.Context, req *oidc.JWTProfileGrantRequest) (user *query.User, tokenRequest *oidc.JWTTokenRequest, err error) {