ZITADEL
Created by Masum on 5/23/2025 in #questions-help-bugs
[Bug]: Role deletion/update fails when role key contains a slash (/) – returns 404
The API should handle URL-encoded role keys (e.g., keys containing /) correctly. When a role key like test/abc/app is encoded as test%2Fabc%2Fapp in the URL, the server should correctly decode and process it.
3 replies
Created by Masum on 5/7/2025 in #questions-help-bugs
Userinfo endpoint not returning all roles from all Role Audiences
When requesting the /userinfo endpoint using an access_token with the following scopes:

openid profile email urn:zitadel:iam:org:project:id:zitadel:aud urn:zitadel:iam:org:project:id:<PROJECT-ID-1>:aud urn:zitadel:iam:org:project:id:<PROJECT-ID-2>:aud urn:zitadel:iam:org:projects:roles

Describe your ideal solution
I expect the response to include all project roles for the audiences included in the token scope. However, the response currently returns only the roles associated with the current project.

Version
v3.0.1

Environment
Self-hosted

Additional Context

Steps to Reproduce
1. Create project-1.
2. Add some roles to the project.
3. Create a new client application in project-1 with PKCE enabled.
4. Create project-2.
5. Add some roles here as well.
6. Generate an access token. Use the following scopes:
   openid profile email urn:zitadel:iam:org:project:id:zitadel:aud urn:zitadel:iam:org:project:id:<PROJECT-ID-1>:aud urn:zitadel:iam:org:project:id:<PROJECT-ID-2>:aud urn:zitadel:iam:org:projects:roles
7. Call the /userinfo endpoint; pass the above access token.

Expected Behavior
The /userinfo response should include all roles assigned to the user from both project-1 and project-2, as both audiences were included in the access token.

Actual Behavior
Only the roles from the current project are being returned. Roles from other projects (even though their audiences are included) are not present in the response.

Why this matters?
With the above setup, it should be possible to fetch all assigned roles for a user across multiple projects. This is critical for proper user authorization across services that rely on multi-project access controls.
16 replies