System API JWT token struggles #7937

Open
2 tasks done
reactima opened this issue May 10, 2024 · 0 comments
Labels: auth, docs (Improvements or additions to documentation), improvement

Comments


reactima commented May 10, 2024

Preflight Checklist

  • I could not find a solution in the existing issues, docs, nor discussions
  • I have joined the ZITADEL chat

Describe your problem

If you are struggling with System API JWT token related issues, here are a few tips:

It can be the result of:

  1. misconfiguring the zitadel-tools options --audience= --issuer=

https://github.com/zitadel/zitadel-tools

you can double check the payload and verify the signature with the public key here

https://jwt.io/

  2. different behavior of the openssl and base64 tools on macOS and Ubuntu

can be caused by how/where you generate the output of the "base64 system-user-1.pub" command

I didn't dig deeper, but it can be caused by a stupid thing like trying to copy-paste keys into your editor and later differences in encoding or \n \r symbols

  3. misconfiguring or a typo in the username

```yaml
SystemAPIUsers:
  - system-user-1:
      KeyData: <base64 encoded value of system-user-1.pub>
```

  4. expired token

To understand all the above I had to go ... very deep into the code.

I was able to trace my issues by studying the output of the APITokenVerifier and VerifySystemToken functions ...

```go
sysMemberships, userID, sysTokenErr = t.VerifySystemToken(ctx, tokenWOBearer, orgID)
```

VerifyAccessToken
https://github.com/zitadel/oidc/blob/6d1231cb37c27f29ed6fc52bb52d5e7e260ca2dc/pkg/op/verifier_access_token.go#L31

I recommend re-reading the documentation
https://github.com/zitadel/zitadel/tree/main/docs/docs/guides/integrate/zitadel-apis

and using grpcui
https://github.com/fullstorydev/grpcui

Zitadel code worked as intended, but I have to admit it was a struggle to understand and debug.

What I was trying to replicate with the System API is an experience similar to Terraform.

I didn't want to configure the test environment by clicking through all the UI features. I wanted a POC that all configuration options are reproducible through code.

Hope it helps

Describe your ideal solution

The ideal solution is just more error-handling messages and more documentation.

Version

latest

Environment

Self-hosted

Additional Context

No response

@livio-a livio-a added the docs Improvements or additions to documentation label May 15, 2024
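Added example, not code from the issue author or from the ZITADEL project: a self-contained Go program that mints a system-user JWT the way the post's zitadel-tools invocation would (the claim layout is assumed: iss and sub carry the SystemAPIUsers name given as --issuer, aud carries the --audience value, RS256 over the PEM private key), renders the public key into the KeyData form the YAML above expects, and then runs checks that surface each of the four failure modes listed in the post with a distinct error message. The function names SignSystemJWT, KeyDataFor, CheckKeyData and VerifySystemJWT, and the values system-user-1 and https://zitadel.example.com, are mine; CheckKeyData is a pre-flight check on the value you are about to paste into the config, not a reproduction of how ZITADEL itself parses it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

// Claims is the assumed layout of a system-user JWT: iss and sub carry the SystemAPIUsers name, aud the ZITADEL issuer URL.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func hashOf(s string) []byte  { h := sha256.Sum256([]byte(s)); return h[:] }
// SignSystemJWT mints an RS256 JWT for the system user (stand-in for zitadel-tools key2jwt; claim layout assumed).
func SignSystemJWT(key *rsa.PrivateKey, user, audience string, now time.Time, ttl time.Duration) (string, error) {
	payload, _ := json.Marshal(Claims{Iss: user, Sub: user, Aud: audience, Exp: now.Add(ttl).Unix()})
	signingInput := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, hashOf(signingInput))
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// KeyDataFor renders the public key the way the config expects: base64 of the PEM file, on one line.
func KeyDataFor(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}

// CheckKeyData is a pre-flight check on a KeyData value: Go's base64 decoder skips CR/LF silently, so wrapped or CRLF-contaminated input is rejected explicitly.
func CheckKeyData(keyData string) (*rsa.PublicKey, error) {
	if strings.ContainsAny(keyData, "\r\n") {
		return nil, fmt.Errorf("KeyData contains line breaks (wrapped base64 output or CR/LF from copy-paste)")
	}
	pemBytes, err := base64.StdEncoding.DecodeString(keyData)
	if err != nil {
		return nil, fmt.Errorf("KeyData is not valid base64: %w", err)
	}
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("KeyData does not decode to a PEM block")
	}
	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
	if rsaPub, ok := pub.(*rsa.PublicKey); ok && err == nil {
		return rsaPub, nil
	}
	return nil, fmt.Errorf("KeyData is not an RSA public key: %v", err)
}

// VerifySystemJWT runs the checks behind the post's failure modes: signature, iss/sub vs. the configured user name, aud, expiry.
func VerifySystemJWT(token string, pub *rsa.PublicKey, expectedUser, expectedAudience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part JWT")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // a decode error surfaces as a signature failure below
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashOf(parts[0]+"."+parts[1]), sig); err != nil {
		return nil, fmt.Errorf("signature does not verify with the configured key: %w", err)
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1]) // a decode error surfaces in Unmarshal below
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("payload is not a JSON claim set: %w", err)
	}
	if c.Iss != expectedUser || c.Sub != expectedUser {
		return nil, fmt.Errorf("iss/sub %q does not match SystemAPIUsers entry %q (--issuer or username typo)", c.Iss, expectedUser)
	}
	if c.Aud != expectedAudience {
		return nil, fmt.Errorf("aud %q does not match %q (--audience)", c.Aud, expectedAudience)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("token expired at %s", time.Unix(c.Exp, 0).UTC())
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	token, _ := SignSystemJWT(key, "system-user-1", "https://zitadel.example.com", time.Now(), time.Hour) // constructed values
	good := KeyDataFor(&key.PublicKey) // paste this single line as KeyData
	_, err := CheckKeyData(good[:76] + "\n" + good[76:]) // what a line-wrapping base64 tool produces
	fmt.Println("wrapped KeyData:", err)
	_, err = VerifySystemJWT(token, &key.PublicKey, "system-user-l", "https://zitadel.example.com", time.Now()) // typo: l vs 1
	fmt.Println("username typo:", err)
}
```

Run it with go run; the two printed lines show the messages a wrapped KeyData value and a one-character username typo produce, which is the kind of error detail the post asks for. Pasting a real token from zitadel-tools and a real KeyData line into VerifySystemJWT and CheckKeyData reproduces the same checks against your own material before you go through the ZITADEL code path.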