diff --git a/docs/docs/apis/apis.md b/docs/docs/apis/apis.md index f11ad27f5f..052c239afa 100644 --- a/docs/docs/apis/apis.md +++ b/docs/docs/apis/apis.md @@ -6,6 +6,11 @@ All of our APIs are generated by proto defintions. You can find all the proto de > More about [Protocol Buffer](https://developers.google.com/protocol-buffers) +## Swagger Documentation + +We provide some json files for the swagger documentation of our APIs with the following link: [https://api.zitadel.ch/openapi/v2/swagger/](https://api.zitadel.ch/openapi/v2/swagger/) +The easiest way to have a look at them is, to import them in the [Swagger Editor](https://editor.swagger.io/) + ## Authentication API aka Auth The authentication API (aka Auth API) is used for all operations on the currently logged in user. diff --git a/docs/docs/apis/openidoauth/scopes.md b/docs/docs/apis/openidoauth/scopes.md index 604fe7ec01..6f18f837d6 100644 --- a/docs/docs/apis/openidoauth/scopes.md +++ b/docs/docs/apis/openidoauth/scopes.md @@ -26,6 +26,6 @@ In addition to the standard compliant scopes we utilize the following scopes. | urn:zitadel:iam:org:project:role:{rolename} | `urn:zitadel:iam:org:project:role:user` | By using this scope a client can request the claim urn:zitadel:iam:roles:rolename} to be asserted when possible. As an alternative approach you can enable all roles to be asserted from the [project](../../guides/projects) a client belongs to. | | urn:zitadel:iam:org:domain:primary:{domainname} | `urn:zitadel:iam:org:domain:primary:acme.ch` | When requesting this scope **ZITADEL** will enforce that the user is a member of the selected organization. If the organization does not exist a failure is displayed | | urn:zitadel:iam:role:{rolename} | | | -| urn:zitadel:iam:org:project:id:{projectid}:aud | ZITADEL's Project id is `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested projectid will be added to the audience of the access and id token | +| `urn:zitadel:iam:org:project:id:{projectid}:aud` | ZITADEL's Project id is `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested projectid will be added to the audience of the access and id token | > If access to ZITADEL's API's is needed with a service user the scope `urn:zitadel:iam:org:project:id:69234237810729019:aud` needs to be used with the JWT Profile request diff --git a/docs/docs/guides/access-zitadel-apis.md b/docs/docs/guides/access-zitadel-apis.md new file mode 100644 index 0000000000..bab38b2a42 --- /dev/null +++ b/docs/docs/guides/access-zitadel-apis.md @@ -0,0 +1,132 @@ +--- +title: Access ZITADEL APIs +--- + + + + + + + + + + + + + + +
DescriptionLearn how to authorize Service Users to access ZITADEL APIs.
Learning Outcomes + In this module you will: +
    +
  • Grant a Service User for ZITADEL
    • +
  • Authorize a Service User with JWT signed with your private key
    • +
+
Prerequisites + +
+ +## ZITADEL Managers + +ZITADEL Managers are Users who have permission to manage ZITADEL itself. There are some different levels for managers. + +- **IAM Managers**: This is the highest level. Users with IAM Manager roles are able to manage the whole IAM. +- **Org Managers**: Managers in the Organisation Level are able to manage everything within the granted Organisation. +- **Project Mangers**: In this level the user is able to manage a project. +- **Project Grant Manager**: The project grant manager is for projects, which are granted of another organisation. + +On each level we have some different Roles. Here you can find more about the different roles: [ZITADEL Manager Roles](../manuals/admin-managers) + + +## Exercise: Add ORG_OWNER to Service User + +Make sure you have a Service User with a Key. (For more detailed informations about creating a service user go to [Service User](serviceusers)) + +1. Navigate to Organisation Detail +2. Click the **+** button in the right part of console, in the managers part of details +3. Search the user and select it +4. Choose the role ORG_OWNER + +![Add Org Manager](/img/console_org_manager_add.gif) + +## Authenticating a service user + +In ZITADEL we use the `private_jwt` (**“JWT bearer token with private key”**, [RFC7523](https://tools.ietf.org/html/rfc7523)) authorization grant for this non-interactive authentication. +This is already described in the [Service User](serviceusers), so make sure you follow this guide. + +### Request an OAuth token, with audience for ZITADEL + +With the encoded JWT from the prior step, you will need to craft a POST request to ZITADEL's token endpoint: + +To access the ZITADEL APIs you need the ZITADEL Project ID in the audience of your token. +This is possible by sending a custom scope for the audience. More about [Custom Scopes](../apis/openidoauth/scopes) + +Use the scope `urn:zitadel:iam:org:project:id:{projectid}:aud` to include the project id in your audience + +> The scope for zitadel.ch is: `urn:zitadel:iam:org:project:id:69234237810729019:aud` + +```bash +curl --request POST \ + --url https://api.zitadel.ch/oauth/v2/token \ + --header 'Content-Type: application/x-www-form-urlencoded' \ + --data grant_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer \ + --data scope='openid profile email urn:zitadel:iam:org:project:id:69234237810729019:aud' \ + --data assertion=eyJ0eXAiOiJKV1QiL... +``` + +* `grant_type` must be set to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` +* `scope` should contain any [Scopes](../apis/openidoauth/scopes) you want to include, but must include `openid`. For this example, please include `profile` and `email` +* `assertion` is the encoded value of the JWT that was signed with your private key from the prior step + +You should receive a successful response with `access_token`, `token_type` and time to expiry in seconds as `expires_in`. + +```bash +HTTP/1.1 200 OK +Content-Type: application/json + +{ + "access_token": "MtjHodGy4zxKylDOhg6kW90WeEQs2q...", + "token_type": "Bearer", + "expires_in": 43199 +} +``` + +With this token you are allowed to access the [ZITADEL APIs](../apis/introduction) . +## Knowledge Check + + +* Managers are used for all users to get authorizations for all projects? + - [ ] yes + - [ ] no +* You need the ZITADEL Project Id in your audience and can access this with a custom scope? + - [ ] yes + - [ ] no + + +
+ + Solutions + + + +* Managers are used for all users to get authorizations for all projects? + - [ ] yes + - [x] no (Managers are only used to grant users for ZITADEL) +* You need the ZITADEL Project Id in your audience and can access this with a custom scope? + - [x] yes + - [ ] no + +
+ +## Summary + +* Grant a user for ZITADEL +* Because there is no interactive logon, you need to use a JWT signed with your private key to authorize the user +* With a custom scope (`urn:zitadel:iam:org:project:id:{projectid}:aud`) you can access ZITADEL APIs + + +Where to go from here: + +* [ZITADEL API Documentation](../apis/introduction) diff --git a/docs/docs/guides/serviceusers.md b/docs/docs/guides/serviceusers.md index df5ea38098..b3d9ab1964 100644 --- a/docs/docs/guides/serviceusers.md +++ b/docs/docs/guides/serviceusers.md @@ -146,7 +146,7 @@ Content-Type: application/json } ``` -### 4. Verify that you have a valid access toaken +### 4. Verify that you have a valid access token For this example let's call the userinfo endpoint to verfiy that our access token works. diff --git a/docs/docs/manuals/admin-managers.md b/docs/docs/manuals/admin-managers.md new file mode 100644 index 0000000000..e8ea0e08ae --- /dev/null +++ b/docs/docs/manuals/admin-managers.md @@ -0,0 +1,31 @@ +--- +title: ZITADEL Managers +--- + + +ZITADEL Managers are Users who have permission to manage ZITADEL itself. There are some different levels for managers. + +- **IAM Managers**: This is the highest level. Users with IAM Manager roles are able to manage the whole IAM. +- **Org Managers**: Managers in the Organisation Level are able to manage everything within the granted Organisation. +- **Project Mangers**: In this level the user is able to manage a project. +- **Project Grant Manager**: The project grant manager is for projects, which are granted of another organisation. + +To configure managers in ZITADEL go to the resource where you like to add it (e.g IAM, Organisation, Project, GrantedProject). +In the right part of the console you can finde **MANAGERS** in the details part. Here you have a list of the current managers and can add a new one. + +## Roles + +| Role | Description | +|---|---| +| IAM_OWNER | Manage the IAM, manage all organisations with their content | +| IAM_OWNER_VIEWER | View the IAM and view all organisations with their content | +| ORG_OWNER | Manage everything within an organisation | +| ORG_OWNER_VIEWER | View everything within an organisation | +| ORG_USER_PERMISSION_EDITOR | Manage user grants and view everything needed for this | +| ORG_PROJECT_PERMISSION_EDITOR | Grant Projects to other organisations and view everything needed for this | +| ORG_PROJECT_CREATOR | This role is used for users in the global organisation. They are allowed to create projects and manage them. | +| PROJECT_OWNER | Manage everything within a project. This includes to grant users for the project. | +| PROJECT_OWNER_VIEWER | View everything within a project.| +| PROJECT_OWNER_GLOBAL | Same as PROJECT_OWNER, but in the global organisation. | +| PROJECT_OWNER_VIEWER_GLOBAL | Same as PROJECT_OWNER_VIEWER, but in the global organisation. | +| PROJECT_GRANT_OWNER | Same as PROJECT_OWNER but for a granted proejct. | diff --git a/docs/sidebars.js b/docs/sidebars.js index c508b35eee..e6ef27e82b 100644 --- a/docs/sidebars.js +++ b/docs/sidebars.js @@ -6,6 +6,11 @@ module.exports = { label: 'User', items: ['manuals/user'], }, + { + type: 'category', + label: 'Administrator', + items: ['manuals/admin-managers'], + }, ], quickstarts: [ 'quickstarts/introduction', @@ -25,7 +30,7 @@ module.exports = { { type: 'category', label: 'Get to know ZITADEL', - items: ['guides/get-started', 'guides/organizations', 'guides/projects', 'guides/serviceusers', 'guides/oauth-recommended-flows', 'guides/identity-brokering'], + items: ['guides/get-started', 'guides/organizations', 'guides/projects', 'guides/oauth-recommended-flows', 'guides/serviceusers', 'guides/access-zitadel-apis', 'guides/identity-brokering'], }, ], apis: [ diff --git a/docs/static/img/console_org_manager_add.gif b/docs/static/img/console_org_manager_add.gif new file mode 100644 index 0000000000..35a46abb22 Binary files /dev/null and b/docs/static/img/console_org_manager_add.gif differ