TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-12-24 12:29:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5cfbc7b00751be735c869e769180dba64d59dc4
zitadel/internal/api/oidc
History
masum-msphere 295584648d feat(oidc): Added new claim in userinfo response to return all requested audience roles (#9861) 
# Which Problems Are Solved

The /userinfo endpoint only returns roles for the current project, even
if the access token includes multiple project aud scopes.

This prevents clients from retrieving all user roles across multiple
projects, making multi-project access control ineffective.

# How the Problems Are Solved

Modified the /userinfo handler logic to resolve roles across all valid
project audience scopes provided in the token, not just the current
project.
Ensured that if **urn:zitadel:iam:org:projects:roles is in the scopes**,
roles from all declared project audiences are collected and included in
the response in **urn:zitadel:iam:org:projects:roles claim**.

# Additional Changes

# Additional Context

This change enables service-to-service authorization workflows and SPA
role resolution across multiple project contexts with a single token.
- Closes #9831

---------

Co-authored-by: Masum Patel <patelmasum98@gmail.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-09-22 09:55:21 +00:00
..
integration_test
feat(oidc): Added new claim in userinfo response to return all requested audience roles (#9861)
2025-09-22 09:55:21 +00:00
access_token.go
chore(oidc): remove feature flag for introspection triggers (#10132)
2025-06-30 05:48:04 +00:00
amr_test.go
amr.go
auth_request_converter_test.go
auth_request_converter_v2.go
auth_request_converter.go
chore(oidc): graduate webkey to stable (#10122)
2025-06-26 19:17:45 +03:00
auth_request_test.go
feat(OIDC): handle logout hint on end_session_endpoint (#10039)
2025-07-28 13:55:55 +00:00
auth_request.go
feat(OIDC): handle logout hint on end_session_endpoint (#10039)
2025-07-28 13:55:55 +00:00
client_converter.go
feat: specify login UI version on instance and apps (#9071)
2024-12-19 10:37:46 +01:00
client_credentials.go
fix: remove legacy events (#10464)
2025-08-19 15:22:34 +02:00
client.go
feat(oidc): Added new claim in userinfo response to return all requested audience roles (#9861)
2025-09-22 09:55:21 +00:00
device_auth.go
chore(oidc): remove legacy storage methods (#10061)
2025-06-26 08:08:37 +00:00
error_test.go
error.go
chore: update dependencies (#9784)
2025-05-19 10:16:49 +00:00
introspect.go
feat: actions context information add clientID (#10339)
2025-07-29 00:08:12 +02:00
jwt-profile.go
chore(oidc): remove legacy storage methods (#10061)
2025-06-26 08:08:37 +00:00
key_test.go
key.go
chore(oidc): graduate webkey to stable (#10122)
2025-06-26 19:17:45 +03:00
op.go
perf(actionsv2): execution target router (#10564)
2025-09-01 07:21:10 +02:00
server_test.go
chore(oidc): graduate webkey to stable (#10122)
2025-06-26 19:17:45 +03:00
server.go
fix(oidc): ignore invalid id_token_hints (#10682)
2025-09-10 06:25:25 +00:00
token_client_credentials.go
token_code.go
fix(OIDC): back channel logout work for custom UI (#9487)
2025-03-11 14:19:09 +00:00
token_device.go
fix(OIDC): back channel logout work for custom UI (#9487)
2025-03-11 14:19:09 +00:00
token_exchange_converter.go
token_exchange.go
feat: actions context information add clientID (#10339)
2025-07-29 00:08:12 +02:00
token_jwt_profile.go
token_refresh.go
token.go
feat: actions context information add clientID (#10339)
2025-07-29 00:08:12 +02:00
userinfo_test.go
userinfo.go
feat(oidc): Added new claim in userinfo response to return all requested audience roles (#9861)
2025-09-22 09:55:21 +00:00