fix: include Logto org scopes in OIDC config pushed to servers

Without urn:logto:scope:organizations and urn:logto:scope:organization_roles in the additionalScopes, Logto doesn't include organization role data in the Custom JWT context. This caused the roles claim to be empty, so all OIDC users got defaultRoles (VIEWER) instead of their org role (e.g. owner → server:admin). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 12:10:56 +02:00
parent e24c6da025
commit 9824d06824
1 changed files with 4 additions and 1 deletions
--- a/src/main/java/net/siegeln/cameleer/saas/vendor/VendorTenantService.java
+++ b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorTenantService.java
@@ -143,7 +143,10 @@ public class VendorTenantService {
                            "displayNameClaim", "name",
                            "rolesClaim", "roles",
                            "audience", "https://api.cameleer.local",
-                            "additionalScopes", List.of()
+                            "additionalScopes", List.of(
+                                "urn:logto:scope:organizations",
+                                "urn:logto:scope:organization_roles"
+                            )
                        ));
                        log.info("Pushed OIDC config to server for tenant {}", tenant.getSlug());
                    } catch (Exception e) {