Zitadel Role/Permission validation on Post Authentication


Unique AI offers an API endpoint that validates a user's group assignments and permissions. The endpoint is primarily designed to be called from a Zitadel Post Authentication Action: at that point the external authentication has already completed, but Zitadel has not yet issued the JWT for the user. Calling the Unique endpoint from the action at this stage lets Unique validate the user and grant or revoke all roles and permissions the user should have before the token is issued. For a detailed description of the membership-role validation this endpoint performs, see the page Zitadel Role Management on Unique.

With the following Action in place, it is no longer possible to log in with a role that was assigned manually to the user in Zitadel but is not configured for that user on the Unique side.

```js
/**
 * This function is designed to be used in the Zitadel Actions for Post Authentication.
 * After the user has been authenticated, this function is called in order to sync and set up the user with Unique.
 *
 * The endpoint that is called does the following:
 * - Syncs the external group memberships of the user (provided via the authentication token and stored on the user's metadata by the post-creation action)
 * - Fetches all roles of the user based on the current group memberships in Unique
 * - Fetches all roles of the user based on the current Zitadel roles
 * - Compares the two sets of roles
 * - Revokes roles that are not derived from the user's groups
 * - Grants roles that are derived from the user's groups
 *
 * @param {Object} ctx - The context object.
 */

const logger = require("zitadel/log")
const http = require('zitadel/http')

function syncUserMembership(ctx) {
  // User and organisation (resource owner) of the authentication request
  const userId = ctx.v1.authRequest.userId;
  const companyId = ctx.v1.authRequest.resourceOwner;

  // Replace {scopeMgmtGatewayBaseUrl} with the base URL of your cluster's scope management gateway
  http.fetch('https://{scopeMgmtGatewayBaseUrl}/membership-sync/manual-membership-sync', {
    method: 'POST',
    headers: {
      "Content-Type": "application/json"
    },
    body: {
      userId,
      companyId
      // revokeRoles: false - disables strict mode -> does not revoke roles from the user (manually assigned roles are kept)
    }
  }).json();

  logger.log('User sync successful');
}
```
Info: Use the `scopeMgmtGatewayBaseUrl` of your cluster.

By default, any additional roles the user holds in Zitadel that are not present on the Unique side are revoked. This strict mode can be disabled by setting `revokeRoles` to `false` in the request body; manually assigned roles are then not revoked from the user on login. Note that, as with any Zitadel Action, an error thrown while calling the endpoint (for example because it is unreachable) fails the action; whether that blocks the login depends on the action's "Allowed to fail" setting.
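The following is an added illustration of the reconciliation described above (roles derived from the user's groups compared against the user's current Zitadel roles, then granted or revoked, with `revokeRoles` controlling strict mode). It is not Unique's implementation of the endpoint and not code from the page; the group-to-role mapping, role names and sample user are constructed for the example.

```javascript
// Constructed sample: group -> roles mapping as it might be configured on the Unique side.
// (Hypothetical names; not Unique's actual configuration.)
const groupRoleMapping = {
  "finance-team": ["finance.reader", "finance.editor"],
  "all-employees": ["chat.user"],
};

// Derive the set of roles a user should have from the group memberships
// (the memberships that the post-creation action stored on the user's metadata).
function rolesFromGroups(groups, mapping) {
  const roles = new Set();
  for (const group of groups) {
    for (const role of mapping[group] || []) {
      roles.add(role);
    }
  }
  return roles;
}

// Compare the desired roles with the roles currently assigned in Zitadel.
// Strict mode (revokeRoles = true, the default) revokes every current role that
// is not derived from a group; with revokeRoles = false, nothing is revoked, so
// manually assigned roles survive the login.
function reconcileRoles(currentZitadelRoles, desiredRoles, { revokeRoles = true } = {}) {
  const current = new Set(currentZitadelRoles);
  const grant = [...desiredRoles].filter((r) => !current.has(r)).sort();
  const revoke = revokeRoles ? [...current].filter((r) => !desiredRoles.has(r)).sort() : [];
  return { grant, revoke };
}

// Full sync for one user: returns what is granted, what is revoked, and the resulting role set.
function syncUser(user, mapping, options) {
  const desired = rolesFromGroups(user.groups, mapping);
  const { grant, revoke } = reconcileRoles(user.zitadelRoles, desired, options);
  const resulting = new Set(user.zitadelRoles);
  for (const r of revoke) resulting.delete(r);
  for (const r of grant) resulting.add(r);
  return { grant, revoke, roles: [...resulting].sort() };
}

// Constructed sample user: two groups from the IdP token, plus the role "admin",
// which was assigned manually in Zitadel and is not backed by any group.
const sampleUser = {
  userId: "user-123",
  groups: ["finance-team", "all-employees"],
  zitadelRoles: ["chat.user", "admin"],
};

console.log("strict mode:", syncUser(sampleUser, groupRoleMapping));
console.log("revokeRoles=false:", syncUser(sampleUser, groupRoleMapping, { revokeRoles: false }));
```

In strict mode the manually assigned `admin` role is revoked and the two finance roles are granted; with `revokeRoles: false` the finance roles are still granted but `admin` is left in place, which is exactly the difference the `revokeRoles` flag makes on login.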

If you already use a Post Authentication Action for the "add-user-groups-metadata via ID token" solution, you can add this action body right after the existing logic. The action will then also take into account the groups assigned via metadata.
