Roles in ID token from Zitadel is removed #2494

@jimraynor2470

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

Zitadel sends roles in the ID token using the keys urn:zitadel:iam:org:project:<projectid>:roles and urn:zitadel:iam:org:project:roles. However, these keys are not present in the session object returned from supabase.auth.getSession.

To Reproduce

  1. Create a Zitadel project.
  2. Enable Assert Roles on Authentication in the project settings.
  3. Create an application (WEB/CODE) under the project.
  4. Enable User roles inside ID Token in the token settings.
  5. Add Zitadel as a custom OIDC provider.
  6. Authenticate using supabase.auth.signInWithOAuth and check the session data using supabase.auth.getSession.

Expected behavior

Roles sent by Zitadel in ID token should be present in session data.

System information

  • Self hosted Supabase
  • supabase/gotrue:v2.188.1
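
A diagnostic for the behaviour reported above, added here as an example and not part of the issue or of Supabase's code: it decodes an ID token payload (without verifying it) and lists which Zitadel role claims are absent from a session object. The sample token, the session shape, the `PROJECT_ID` placeholder and all function names are constructed for illustration.

```javascript
// Role claim keys as named in the issue; the <projectid> segment is optional.
const ROLE_CLAIM = /^urn:zitadel:iam:org:project:(?:[^:]+:)?roles$/;

// Decode the payload of a compact JWT WITHOUT verifying the signature.
// Diagnostic use only: never base an authorization decision on this output.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Recursively collect every key that matches the role claim pattern.
function findRoleClaims(obj, path = "", found = []) {
  if (obj === null || typeof obj !== "object") return found;
  for (const [key, value] of Object.entries(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (ROLE_CLAIM.test(key)) found.push({ key, path: here });
    else findRoleClaims(value, here, found);
  }
  return found;
}

// Compare the claims the IdP issued with what is present in the session.
function diffRoleClaims(idToken, session) {
  const issued = findRoleClaims(decodeJwtPayload(idToken)).map((c) => c.key);
  const kept = findRoleClaims(session);
  const keptKeys = new Set(kept.map((c) => c.key));
  return {
    issued,
    missing: issued.filter((k) => !keptKeys.has(k)),
    keptAt: kept.map((c) => c.path),
  };
}

// Constructed sample inputs (not captured from a real deployment).
const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
const roles = { admin: { "ORG_ID": "example.test" } };
const sampleIdToken = [
  b64({ alg: "RS256", typ: "JWT" }),
  b64({
    sub: "1234",
    email: "user@example.test",
    "urn:zitadel:iam:org:project:roles": roles,
    "urn:zitadel:iam:org:project:PROJECT_ID:roles": roles,
  }),
  "constructed-signature",
].join(".");
const sampleSession = {
  user: { id: "u-1", user_metadata: { sub: "1234", email: "user@example.test" } },
};
console.log(diffRoleClaims(sampleIdToken, sampleSession));
```

In a real check, pass the ID token captured from the Zitadel token response and the `session` value returned by `supabase.auth.getSession`.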
