fix: system admin does not have access to resources (#796)

Signed-off-by: Kenta Kozuka <[email protected]>

pkg/auth/api/api.go

@@ -383,18 +383,18 @@ func (s *authService) generateToken(
 		}
 		return nil, dt.Err()
 	}
-	adminRole := accountproto.Account_UNASSIGNED
-	if hasSystemAdminOrganization(resp.Organizations) {
-		adminRole = accountproto.Account_OWNER
-	}
 	idToken := &token.IDToken{
 		Issuer:    claims.Iss,
 		Subject:   claims.Sub,
 		Audience:  claims.Aud,
 		Expiry:    time.Unix(claims.Exp, 0),
 		IssuedAt:  time.Unix(claims.Iat, 0),
 		Email:     claims.Email,
-		AdminRole: adminRole,
+		AdminRole: accountproto.Account_UNASSIGNED,
+	}
+	if hasSystemAdminOrganization(resp.Organizations) {
+		idToken.IsSystemAdmin = true
+		idToken.AdminRole = accountproto.Account_OWNER
 	}
 	signedIDToken, err := s.signer.Sign(idToken)
 	if err != nil {