From 9824d068240bc81d61c2916b0b470e2f68d8289a Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Fri, 10 Apr 2026 12:10:56 +0200
Subject: [PATCH] fix: include Logto org scopes in OIDC config pushed to servers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without urn:logto:scope:organizations and urn:logto:scope:organization_roles in the additionalScopes, Logto doesn't include organization role data in the Custom JWT context. This caused the roles claim to be empty, so all OIDC users got defaultRoles (VIEWER) instead of their org role (e.g. owner → server:admin).

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../siegeln/cameleer/saas/vendor/VendorTenantService.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/main/java/net/siegeln/cameleer/saas/vendor/VendorTenantService.java b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorTenantService.java
index 4e5aa03..7b197cf 100644
--- a/src/main/java/net/siegeln/cameleer/saas/vendor/VendorTenantService.java
+++ b/src/main/java/net/siegeln/cameleer/saas/vendor/VendorTenantService.java
@@ -143,7 +143,10 @@ public class VendorTenantService {
 "displayNameClaim", "name",
 "rolesClaim", "roles",
 "audience", "https://api.cameleer.local",
- "additionalScopes", List.of()
+ "additionalScopes", List.of(
+ "urn:logto:scope:organizations",
+ "urn:logto:scope:organization_roles"
+ )
 ));
 log.info("Pushed OIDC config to server for tenant {}", tenant.getSlug());
 } catch (Exception e) {
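Review bot: The two scope URNs in the added `additionalScopes` list carry no comment explaining why they are required, so the next person who "tidies" them back to `List.of()` silently reintroduces the empty roles claim and the fall-back to defaultRoles that this commit fixes — the reason lives only in the commit message. I would lift them into a named constant with a why-comment, e.g. `// Logto only places org role data in the Custom JWT context when these scopes are requested; without them the roles claim is empty and every user gets defaultRoles.` followed by `private static final List<String> LOGTO_ORG_SCOPES = List.of("urn:logto:scope:organizations", "urn:logto:scope:organization_roles");`, and reference it here as `"additionalScopes", LOGTO_ORG_SCOPES`. A unit test asserting that the pushed config contains both scopes would turn a future regression into a test failure instead of a silent privilege downgrade for every OIDC user. The enclosing method starts before the hunk and continues past the `catch (Exception e)` line.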