Timshel / OIDCWarden

Fork from dani-garcia/vaultwarden to add OpenID support.
GNU Affero General Public License v3.0

Zitadel Audience #5

Open Aurel004 opened 3 days ago

Aurel004 commented 3 days ago

Hi,

I am trying to add Zitadel to Vaultwarden using your image but I'm facing issues. In the docs it's written

Additionally, Zitadel includes the Project Id and the Client Id in the audience of the Id Token. For the validation to work you will need to add the Resource Id as a trusted audience (Client Id is trusted by default). You can control the trusted audience with the config SSO_AUDIENCE_TRUSTED and

SSO_AUDIENCE_TRUSTED='^${Project Id}$'

But the thing is that whenever you have multiple apps in the project, they are added in the audience, therefore there is a list in the audience of all the apps' Client Ids.

So, should I add every Client ID in the SSO_AUDIENCE_TRUSTED? If so, how to add a list? The issue with this is that as soon as I add an app, I would need to update the environment variable.

Better option (easier for me, not for you) would be to check if the Client ID is present in the list, then accept?

How to deal with this?

Thank you

Timshel commented 2 days ago

Hey,

The SSO_AUDIENCE_TRUSTED takes a regex, so you could either:

Note that this regex applies to the "additional audience"; the client ID is trusted by default. For the issue around adding an app, I believe that the audiences outside of the dev environment are formatted with a radical, id@radical? Maybe in this case you can use a regex in the format SSO_AUDIENCE_TRUSTED='^.*@radical$'.
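As an added illustration (not OIDCWarden's own code), this Python sketch shows the audience check the thread describes: the client ID is accepted by default, and every other aud entry must match the SSO_AUDIENCE_TRUSTED regex or the token is rejected. The Zitadel-style project and client IDs, and the `@my-vault` suffix standing in for the "radical", are constructed sample values.

```python
import re
from typing import List, Optional, Union

# Constructed sample identifiers in the Zitadel style (not real ones).
PROJECT_ID = "111111111111111111"
CLIENT_ID = "222222222222222222@my-vault"      # our app, trusted by default
OTHER_APP = "333333333333333333@my-vault"      # a second app in the same project

def validate_audience(aud: Union[str, List[str], None], client_id: str,
                      trusted_regex: str) -> Optional[str]:
    """Check an ID token's aud claim the way the thread describes.

    Returns None when the claim is acceptable, otherwise a reason string.
    - aud may be a single string or a list (both are legal in OIDC).
    - client_id must be present and is trusted without consulting the regex.
    - every additional value must match trusted_regex (SSO_AUDIENCE_TRUSTED).
      The pattern is applied with re.search, so anchor it (^...$) as the docs do;
      an unanchored pattern would accept any value merely containing the text.
    """
    if aud is None:
        return "missing aud claim"
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        return "aud does not contain our client_id"
    trusted = re.compile(trusted_regex)
    for value in audiences:
        if value == client_id:
            continue
        if not trusted.search(value):
            return f"untrusted audience: {value}"
    return None

if __name__ == "__main__":
    # Zitadel adds the project id and every app's client id to aud.
    aud = [PROJECT_ID, CLIENT_ID, OTHER_APP]
    # Trusting only the project id fails as soon as a second app exists.
    print(validate_audience(aud, CLIENT_ID, rf"^{PROJECT_ID}$"))
    # Trusting the project id or anything ending in @my-vault accepts the token.
    print(validate_audience(aud, CLIENT_ID, rf"^({PROJECT_ID}|.*@my-vault)$"))
```

The combined pattern in the last line covers both the bare project id and the suffixed client ids in this constructed sample; whether a single `^.*@radical$` suffices depends on how your Zitadel instance formats the project id in aud.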