ZITADEL, 3w ago
Masum

Userinfo endpoint not returning all roles from all Role Audiences

When requesting the /userinfo endpoint using an access_token with the following scopes:

openid profile email urn:zitadel:iam:org:project:id:zitadel:aud urn:zitadel:iam:org:project:id:<PROJECT-ID-1>:aud urn:zitadel:iam:org:project:id:<PROJECT-ID-2>:aud urn:zitadel:iam:org:projects:roles

Describe your ideal solution
I expect the response to include all project roles for the audiences included in the token scope. However, the response currently returns only the roles associated with the current project.

Version
v3.0.1

Environment
Self-hosted

Additional Context

Steps to Reproduce
1. Create project-1.
2. Add some roles to the project.
3. Create a new client application in project-1 with PKCE enabled.
4. Create project-2.
5. Add some roles here as well.
6. Generate an access token. Use the following scopes: openid profile email urn:zitadel:iam:org:project:id:zitadel:aud urn:zitadel:iam:org:project:id:<PROJECT-ID-1>:aud urn:zitadel:iam:org:project:id:<PROJECT-ID-2>:aud urn:zitadel:iam:org:projects:roles
7. Call the /userinfo endpoint; pass the above access token.

Expected Behavior
The /userinfo response should include all roles assigned to the user from both project-1 and project-2, as both audiences were included in the access token.

Actual Behavior
Only the roles from the current project are being returned. Roles from other projects (even though their audiences are included) are not present in the response.

Why this matters?
With the above setup, it should be possible to fetch all assigned roles for a user across multiple projects. This is critical for proper user authorization across services that rely on multi-project access controls.
14 Replies
Masum (OP), 3w ago
I have tried to fix the above issue in this PR. Can anyone validate the changes? https://github.com/zitadel/zitadel/pull/9861
GitHub
feat(api): Added new claim in userinfo responce to return all reque...
Which Problems Are Solved The /userinfo endpoint only returns roles for the current project, even if the access token includes multiple project aud scopes. This prevents clients from retrieving all...
Masum (OP), 3w ago
@FFO @fabienne
Rajat, 3w ago
Hi @Masum, thanks for the PR. Someone from the team will take a look. Can you also please add a few tests as well?
Rajat, 3w ago
Hey @Masum, I did reproduce the issue; it seems like I was getting back all the roles.
Masum (OP), 3w ago
I have tried on the latest Zitadel version but am facing the same issue. I am using the PKCE authentication method for generating the access token. I am attaching the code snippet with which I am generating the access_token.
Rajat Singh, 3w ago
Hi @Masum, I'll take a look.
Rajat, 3w ago
Hi @Masum, what is the response you got? Can you double check that the projectIds mentioned in the scope are correct? Have you checked this? https://zitadel.com/docs/guides/integrate/retrieve-user-roles#role-settings-in-the-zitadel-console Your code seems to be right; I did the same but with curl requests.
ZITADEL Docs
This guide explains all the possible ways of retrieving user roles across different organizations and projects using ZITADEL's APIs.
Masum (OP), 3w ago
Here is the response which I am getting:

{
  "email": "[email protected]",
  "email_verified": true,
  "family_name": "Admin",
  "given_name": "ZITADEL",
  "locale": "en",
  "name": "ZITADEL Admin",
  "preferred_username": "[email protected]",
  "sub": "303600376249647106",
  "updated_at": 1737455926,
  "urn:zitadel:iam:org:project:303895702814064642:roles": {
    "Test": { "303600376249122818": "zitadel.localhost" },
    "Test-01": { "303600376249122818": "zitadel.localhost" },
    "Test-02": { "303600376249122818": "zitadel.localhost" },
    "Test-04": { "303600376249122818": "zitadel.localhost" }
  },
  "urn:zitadel:iam:org:project:roles": {
    "Test": { "303600376249122818": "zitadel.localhost" },
    "Test-01": { "303600376249122818": "zitadel.localhost" },
    "Test-02": { "303600376249122818": "zitadel.localhost" },
    "Test-04": { "303600376249122818": "zitadel.localhost" }
  }
}
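As an added example (not code from this thread, the linked PR, or ZITADEL itself), the check below compares the project IDs requested via urn:zitadel:iam:org:project:id:<id>:aud scopes against the project-scoped role claims that actually come back in a /userinfo response. The scopes and the response are constructed samples shaped like the ones posted above, with placeholder project IDs; the split between "requested but missing" and "returned but not requested" is exactly the mismatch discussed later in the thread.

```python
import json
import re

# Constructed sample: the scope string from the report, with placeholder project IDs.
REQUESTED_SCOPES = (
    "openid profile email "
    "urn:zitadel:iam:org:project:id:zitadel:aud "
    "urn:zitadel:iam:org:project:id:PROJECT-ID-1:aud "
    "urn:zitadel:iam:org:project:id:PROJECT-ID-2:aud "
    "urn:zitadel:iam:org:projects:roles"
)

# Constructed sample response, trimmed to the role claims, shaped like the one posted above.
SAMPLE_USERINFO_JSON = json.dumps({
    "sub": "303600376249647106",
    "urn:zitadel:iam:org:project:303895702814064642:roles": {
        "Test": {"303600376249122818": "zitadel.localhost"},
        "Test-01": {"303600376249122818": "zitadel.localhost"},
    },
    "urn:zitadel:iam:org:project:roles": {
        "Test": {"303600376249122818": "zitadel.localhost"},
        "Test-01": {"303600376249122818": "zitadel.localhost"},
    },
})

AUD_SCOPE = re.compile(r"^urn:zitadel:iam:org:project:id:([^:]+):aud$")
ROLE_CLAIM = re.compile(r"^urn:zitadel:iam:org:project:([^:]+):roles$")
UNSCOPED_ROLE_CLAIM = "urn:zitadel:iam:org:project:roles"


def requested_project_ids(scopes):
    """Project IDs named by ...:project:id:<id>:aud scopes; 'zitadel' is the ZITADEL API
    project audience rather than a user project, so it is skipped."""
    ids = [m.group(1) for m in map(AUD_SCOPE.match, scopes.split()) if m]
    return [pid for pid in ids if pid != "zitadel"]


def roles_by_project(userinfo):
    """Map project id -> set of role keys from the project-scoped role claims.
    The unscoped claim (roles of the client's own project) is stored under key None."""
    out = {}
    for claim, value in userinfo.items():
        m = ROLE_CLAIM.match(claim)
        if m:
            out[m.group(1)] = set(value)
        elif claim == UNSCOPED_ROLE_CLAIM:
            out[None] = set(value)
    return out


def audit(scopes, userinfo_text):
    """Return (requested project ids with no role claim, role-claim project ids not requested)."""
    returned = {pid for pid in roles_by_project(json.loads(userinfo_text)) if pid is not None}
    requested = set(requested_project_ids(scopes))
    return sorted(requested - returned), sorted(returned - requested)
```

A non-empty first list means the token asked for a project's audience but the response carries no role claim for it, which is the symptom reported in this thread.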
Masum (OP), 3w ago
If I compile Zitadel with my changes, it returns all roles.
Rajat, 3w ago
Something seems off: you have more projects being returned. The project ID 303895702814064642 doesn't exist in your access token, while mine returns the relevant information (ONLY 2 project IDs in the token, and only those are being returned).
Rajat, 3w ago
I might have to check it internally.
Masum (OP), 3w ago
This projectId 303895702814064642 is the project where my application resides. So I don't think I need to add an audience for that project.
Rajat Singh, 3w ago
Hi @Masum, in that case we see all the roles in the response, right? Maybe cross-check/verify the roles from the UI in case something was missed.
Masum (OP), 3w ago
No. As you can see, I have multiple projects and I want to include in the response all roles of every project whose audience is present in the scope. The second response, in which we are seeing all roles with the extra claim (urn:zitadel:iam:org:projects:roles), is coming from my solution.