From f73b2fefd6a6cbc82b757a73d4eebd4dfd98f2cf Mon Sep 17 00:00:00 2001 From: Maximilian Date: Fri, 1 Aug 2025 13:09:47 +0200 Subject: [PATCH] docs(inconsistent naming): Organization ID (#10370) # Which Problems Are Solved partially #9342 # How the Problems Are Solved Suggested changes. "Resource Owner" will remain in a couple of places, since these are terms that are used in console / APIs. # Additional Changes # Additional Context --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> --- docs/docs/apis/actions/objects.md | 2 +- docs/docs/apis/openidoauth/claims.md | 6 +++--- docs/docs/apis/openidoauth/scopes.md | 6 +++--- docs/docs/guides/manage/console/projects.mdx | 4 ++-- docs/docs/guides/migrate/sources/zitadel.md | 4 ++-- docs/docs/guides/solution-scenarios/b2b.mdx | 2 +- docs/src/components/authrequest.jsx | 4 ++-- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/docs/docs/apis/actions/objects.md b/docs/docs/apis/actions/objects.md index 41307ee580..bbde0f22d3 100644 --- a/docs/docs/apis/actions/objects.md +++ b/docs/docs/apis/actions/objects.md @@ -145,7 +145,7 @@ This object contains context information about the request to the [authorization - `requestedOrgDomain` *bool* - `applicationResourceOwner` *string* - `privateLabelingSetting` *Number* - + - `selectedIdpConfigId` *string* - `linkingUsers` Array of [*ExternalUser*](#external-user) - `passwordVerified` *bool* diff --git a/docs/docs/apis/openidoauth/claims.md b/docs/docs/apis/openidoauth/claims.md index b7424aaf1d..c82e3a3883 100644 --- a/docs/docs/apis/openidoauth/claims.md +++ b/docs/docs/apis/openidoauth/claims.md @@ -111,6 +111,6 @@ ZITADEL reserves some claims to assert certain data. Please check out the [reser | urn:zitadel:iam:org:project:roles | `{"urn:zitadel:iam:org:project:roles": [ {"user": {"id1": "acme.zitade.ch", "id2": "caos.ch"} } ] }` | When roles are asserted, ZITADEL does this by providing the `id` and `primaryDomain` below the role. This gives you the option to check in which organization a user has the role on the current project (where your client belongs to). | | urn:zitadel:iam:org:project:\{projectid}:roles | `{"urn:zitadel:iam:org:project:id3:roles": [ {"user": {"id1": "acme.zitade.ch", "id2": "caos.ch"} } ] }` | When roles are asserted, ZITADEL does this by providing the `id` and `primaryDomain` below the role. This gives you the option to check in which organization a user has the role on a specific project. | | urn:zitadel:iam:user:metadata | `{"urn:zitadel:iam:user:metadata": [ {"key": "VmFsdWU=" } ] }` | The metadata claim will include all metadata of a user. The values are base64 encoded. | -| urn:zitadel:iam:user:resourceowner:id | `{"urn:zitadel:iam:user:resourceowner:id": "orgid"}` | This claim represents the id of the resource owner organisation of the user. | -| urn:zitadel:iam:user:resourceowner:name | `{"urn:zitadel:iam:user:resourceowner:name": "ACME"}` | This claim represents the name of the resource owner organisation of the user. | -| urn:zitadel:iam:user:resourceowner:primary_domain | `{"urn:zitadel:iam:user:resourceowner:primary_domain": "acme.ch"}` | This claim represents the primary domain of the resource owner organisation of the user. | +| urn:zitadel:iam:user:resourceowner:id | `{"urn:zitadel:iam:user:resourceowner:id": "orgid"}` | This claim represents the user's organization ID. | +| urn:zitadel:iam:user:resourceowner:name | `{"urn:zitadel:iam:user:resourceowner:name": "ACME"}` | This claim represents the user's organization's name. | +| urn:zitadel:iam:user:resourceowner:primary_domain | `{"urn:zitadel:iam:user:resourceowner:primary_domain": "acme.ch"}` | This claim represents the user's organization's primary domain. | diff --git a/docs/docs/apis/openidoauth/scopes.md b/docs/docs/apis/openidoauth/scopes.md index d1fe9c7c5b..c7efa914c6 100644 --- a/docs/docs/apis/openidoauth/scopes.md +++ b/docs/docs/apis/openidoauth/scopes.md @@ -31,8 +31,8 @@ In addition to the standard compliant scopes we utilize the following scopes. | `urn:zitadel:iam:org:id:{id}` | `urn:zitadel:iam:org:id:178204173316174381` | When requesting this scope **ZITADEL** will enforce that the user is a member of the selected organization. If the organization does not exist a failure is displayed. It will assert the `urn:zitadel:iam:user:resourceowner` claims. | | `urn:zitadel:iam:org:domain:primary:{domainname}` | `urn:zitadel:iam:org:domain:primary:acme.ch` | When requesting this scope **ZITADEL** will enforce that the user is a member of the selected organization and the username is suffixed by the provided domain. If the organization does not exist a failure is displayed | | `urn:zitadel:iam:org:roles:id:{orgID}` | `urn:zitadel:iam:org:roles:id:178204173316174381` | This scope can be used one or more times to limit the granted organization IDs in the returned roles. Unknown organization IDs are ignored. When this scope is not used, all granted organizations are returned inside the roles. | -| `urn:zitadel:iam:org:project:id:{projectid}:aud` | `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested projectid will be added to the audience of the access token | -| `urn:zitadel:iam:org:project:id:zitadel:aud` | `urn:zitadel:iam:org:project:id:zitadel:aud` | By adding this scope, the ZITADEL project ID will be added to the audience of the access token | +| `urn:zitadel:iam:org:project:id:{projectid}:aud` | `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested project id will be added to the audience of the access token | +| `urn:zitadel:iam:org:project:id:zitadel:aud` | `urn:zitadel:iam:org:project:id:zitadel:aud` | By adding this scope, the ZITADEL project id will be added to the audience of the access token | | `urn:zitadel:iam:user:metadata` | `urn:zitadel:iam:user:metadata` | By adding this scope, the metadata of the user will be included in the token. The values are base64 encoded. | -| `urn:zitadel:iam:user:resourceowner` | `urn:zitadel:iam:user:resourceowner` | By adding this scope: id, name and primary_domain of the resource owner (the users organization) will be included in the token. | +| `urn:zitadel:iam:user:resourceowner` | `urn:zitadel:iam:user:resourceowner` | By adding this scope: id, name and primary_domain of the user's organization will be included in the token. | | `urn:zitadel:iam:org:idp:id:{idp_id}` | `urn:zitadel:iam:org:idp:id:76625965177954913` | By adding this scope the user will directly be redirected to the identity provider to authenticate. Make sure you also send the primary domain scope if a custom login policy is configured. Otherwise the system will not be able to identify the identity provider. | diff --git a/docs/docs/guides/manage/console/projects.mdx b/docs/docs/guides/manage/console/projects.mdx index 53abea2dac..9fa41d850e 100644 --- a/docs/docs/guides/manage/console/projects.mdx +++ b/docs/docs/guides/manage/console/projects.mdx @@ -77,8 +77,8 @@ You can choose from | Setting | Description | | -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | Unspecified | If nothing is specified the default will trigger. (System settings) | -| Enforce project resource owner policy | This setting will enforce the private labeling of the organization (resource owner) of the project through the whole login process. | -| Allow Login User resource owner policy | With this setting first the private labeling of the organization (resource owner) of the project will trigger. As soon as the user and its organization (resource owner) is identified by ZITADEL, the settings will change to the organization of the user. | +| Enforce project's policy | This setting will enforce the private labeling of the organization of the project through the whole login process. | +| Allow login user policy | With this setting first the private labeling of the organization of the project will trigger. As soon as the user and its organization is identified by ZITADEL, the settings will change to the organization of the user. | In a B2B use case, you would typically use the organization setting. If you want to omit organization detection, you can preselect an organization with the [primary domain scope](/apis/openidoauth/scopes#reserved-scopes) (ex. `urn:zitadel:iam:org:domain:primary:{domainname}`). diff --git a/docs/docs/guides/migrate/sources/zitadel.md b/docs/docs/guides/migrate/sources/zitadel.md index 99b6e1d64e..3f97629951 100644 --- a/docs/docs/guides/migrate/sources/zitadel.md +++ b/docs/docs/guides/migrate/sources/zitadel.md @@ -80,7 +80,7 @@ curl --request POST \ | Field | Type | Description | | ---------------- | --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| org_ids | list of strings | provide a list of organizationIDs to select which organizations should be exported (eg, `[ "70669144072186707", "70671105999825752" ]`); leave empty to export all | +| org_ids | list of strings | provide a list of Organization IDs to select which organizations should be exported (eg, `[ "70669144072186707", "70671105999825752" ]`); leave empty to export all | | excluded_org_ids | list of strings | to exclude several organization, if for example no organizations are selected | | with_passwords | bool | to include the hashed_passwords of the users in the export | | with_otp | bool | to include the OTP-code of the users in the export | @@ -143,7 +143,7 @@ curl --request POST \ | Field | Type | Description | | ---------------- | ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| org_ids | list of strings | provide a list of organizationIDs to select which organizations should be exported (eg, `[ "70669144072186707", "70671105999825752" ]`); leave empty to export all | +| org_ids | list of strings | provide a list of Organization IDs to select which organizations should be exported (eg, `[ "70669144072186707", "70671105999825752" ]`); leave empty to export all | | excluded_org_ids | list of strings | to exclude several organization, if for example no organizations are selected | | with_passwords | bool | to include the hashed_passwords of the users in the export | | with_otp | bool | to include the OTP-code of the users in the export | diff --git a/docs/docs/guides/solution-scenarios/b2b.mdx b/docs/docs/guides/solution-scenarios/b2b.mdx index 144853b3f8..7ec1129b52 100644 --- a/docs/docs/guides/solution-scenarios/b2b.mdx +++ b/docs/docs/guides/solution-scenarios/b2b.mdx @@ -43,7 +43,7 @@ In order to define the need of the **Portal Application** some planning consider You can decide whether a organization is preselected for the login or if the user is redirected to the default login screen. Using OpenID Connect, you can send the user to a specific organization by defining the organization in a [reserved scope](/docs/apis/openidoauth/scopes#reserved-scopes) (primary domain). Settings to the branding or the login options of the organization can be made from the organization section in [Console](/docs/concepts/features/console). -The behavior of the login branding can be set in your projects detail page. You can choose the branding of the selected organization, the user resource owner, or the projects resource owner. +The behavior of the login branding can be set in your projects detail page. You can choose the branding of the selected organization, the user's organization, or the project's organization. ### Organizations diff --git a/docs/src/components/authrequest.jsx b/docs/src/components/authrequest.jsx index 82ecc91337..f864b1cbbb 100644 --- a/docs/src/components/authrequest.jsx +++ b/docs/src/components/authrequest.jsx @@ -111,7 +111,7 @@ export function SetAuthRequest() { "urn:zitadel:iam:org:project:id:zitadel:aud", "urn:zitadel:iam:user:metadata", `urn:zitadel:iam:org:id:${ - organizationId ? organizationId : "[organizationId]" + organizationId ? organizationId : "[Organization ID]" }`, ]; @@ -525,7 +525,7 @@ export function SetAuthRequest() { const value = event.target.value; setOrganizationId(value); allScopes[7] = `urn:zitadel:iam:org:id:${ - value ? value : "[organizationId]" + value ? value : "[Organization ID]" }`; toggleScope(8, true); setScope(