Closed LeVraiRoiDHyrule closed 1 month ago
Hey,
It was written with the expectation of a simple list of roles. In your case the roles appear to be the keys of a map :(.
It appears it might be possible to customize the way the roles are sent: https://zitadel.com/docs/guides/integrate/retrieve-user-roles#customize-roles-using-actions
I'll have a look again to see if this kind of mapping is common or only specific to Zitadel.
I succeeded in configuring Zitadel to show roles so that Vaultwarden could parse them. I had to create the following Action:
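```javascript
function flatRoles(ctx, api) {
  // Nothing to emit when the user has no grants.
  if (ctx.v1.user.grants == undefined || ctx.v1.user.grants.count == 0) {
    return;
  }
  // Collect the role names of every grant into one flat list.
  let grants = [];
  ctx.v1.user.grants.grants.forEach(claim => {
    claim.roles.forEach(role => {
      grants.push(role);
    });
  });
  // Publish the list as a custom claim in the token.
  api.v1.claims.setClaim('my:zitadel:grants', grants);
}
```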
For anyone stumbling on this, I had to remove `claim.projectId` from the code in the docs as OIDCWarden wants the role directly and can't parse with the projectid in front.
Note: the action name needs to be the same as the function
Thanks for your help and have a nice day!
Hi, My SSO provider (Zitadel) sends the following ID token:
As you can see, the roles are in `urn:zitadel:iam:org:project:286706913100431363:roles`. But I can't find what path to apply to the variable `SSO_ROLES_TOKEN_PATH` so that it can find them. It always tells me that it doesn't find any role. I tried `SSO_ROLES_TOKEN_PATH=urn:zitadel:iam:org:project:286706913100431363:roles` and `SSO_ROLES_TOKEN_PATH=/resource_access/286707258644037635/urn:zitadel:iam:org:project:286706913100431363:roles`.
What would be the correct path to access these roles I see in the token? Thanks in advance for your help, have a nice day.
EDIT:
Tried with `SSO_ROLES_TOKEN_PATH=/urn:zitadel:iam:org:project:286706913100431363:roles` and got this error: `Failed to parse user (zitadel-admin@zitadel.auth.REDACTED.fr) roles: invalid type: map, expected a sequence`
What could be wrong?
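The mismatch behind the "invalid type: map, expected a sequence" error can be checked against a decoded ID token payload before setting `SSO_ROLES_TOKEN_PATH`. This is an added example, not code from the thread or from OIDCWarden; it assumes the path is resolved like an RFC 6901 JSON pointer, and the payloads, role names, `<PROJECT_ID>` and `<ORG_ID>` are constructed placeholders.

```javascript
// Added example: validate a candidate roles path against a decoded ID token payload.
// Assumption: the path behaves like an RFC 6901 JSON pointer (leading "/", "~1" = "/", "~0" = "~").
function resolvePointer(doc, pointer) {
  if (pointer === "") return doc;
  if (!pointer.startsWith("/")) return undefined; // no leading "/" means nothing is found
  let node = doc;
  for (const raw of pointer.slice(1).split("/")) {
    const key = raw.replace(/~1/g, "/").replace(/~0/g, "~");
    const isContainer = node !== null && typeof node === "object";
    if (!isContainer || !Object.prototype.hasOwnProperty.call(node, key)) return undefined;
    node = node[key];
  }
  return node;
}

// Returns { ok: true, roles } only when the path points at a list of strings.
function checkRolesPath(claims, pointer) {
  const value = resolvePointer(claims, pointer);
  if (value === undefined) return { ok: false, reason: "not found" };
  if (Array.isArray(value)) {
    return value.every(r => typeof r === "string")
      ? { ok: true, roles: value }
      : { ok: false, reason: "sequence contains non-string entries" };
  }
  if (value !== null && typeof value === "object") {
    // Roles are the keys of a map: the shape the thread reports for the default claim.
    return { ok: false, reason: "map, expected a sequence", keys: Object.keys(value) };
  }
  return { ok: false, reason: "scalar, expected a sequence" };
}

// Constructed payloads (not the token from the thread).
const PROJECT_CLAIM = "urn:zitadel:iam:org:project:<PROJECT_ID>:roles";
const defaultPayload = {
  sub: "user-1",
  [PROJECT_CLAIM]: { admin: { "<ORG_ID>": "example.org" }, user: { "<ORG_ID>": "example.org" } },
};
// Shape produced once an Action like flatRoles sets a flat list claim.
const flattenedPayload = { sub: "user-1", "my:zitadel:grants": ["admin", "user"] };

function demo() {
  return [
    checkRolesPath(defaultPayload, PROJECT_CLAIM),       // missing leading "/"
    checkRolesPath(defaultPayload, "/" + PROJECT_CLAIM), // resolves, but to a map
    checkRolesPath(flattenedPayload, "/my:zitadel:grants"),
  ];
}
console.log(JSON.stringify(demo(), null, 2));
```

Because the flattened claim drops the project ID, roles with the same name from different project grants become indistinguishable in it, so it is worth confirming that only the intended project's grants reach the token.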