ZITADEL


ZITADEL - Identity infrastructure, simplified for you.


Introspect endpoint vs local JWT validation

I have a question regarding our implementation of our frontend/backend communication. Currently I am doing a PoC where every time our frontend makes a request to our backend, the backend is reaching out to Zitadel's introspection endpoint to validate that the token is active. Is this the best practice for validating the token, as it would mean a lot of requests going to the introspect endpoint? Is there throttling for this endpoint? The alternative, from what I understand, would be to get the public keys (JSON Web Key Set, JWKS) and do local validation, with the caveat that we don't know when the keys change...

Error: Failed to extract ServerMetadata from context

I was running Zitadel with docker compose and Zitadel is running on port 4455. I was able to access the console on http://127.0.0.1:4455/ui/console and to perform all actions in the UI console. But with the Zitadel APIs, for example http://127.0.0.1:4455/v2/users, I am getting an ERROR: Failed to extract ServerMetadata from context, even though the relevant headers are passed. The APIs in the discovery endpoints are working fine.

Multi Tenancy

Hi all, a contracted software development team is building a web app for me where clients will log in with Zitadel; my internal users already log in with Zitadel integrated with Google Workspace SSO. Both user types are in different orgs. How can I set it up such that some internal users are allowed access to this new app?

Internal users (signing in with Workspace SSO) = org A
External users (signing in with Zitadel - email+password) = org B

The app is being designed to integrate with org B using the domain app.domain.com...

Getting redirect_uri does not correspond even though the redirect URI in the URL is correct

Hi, I have an issue where I get the error redirect_uri does not correspond when trying to use the PKCE flow with the TypeScript app. I've checked the request logs and the redirect_uri matches what is in Zitadel's UI. https://github.com/zitadel/zitadel/blob/94cbf97534d3712c7223208160b900c6733b096b/internal/api/oidc/token_code.go#L70...

Benchmark of zitadel v2.66.0 - more details on your testing setup is needed

We have looked into your Zitadel v2.66.0 benchmarking results provided at https://zitadel.com/docs/apis/benchmarks/v2.66.0/machine_jwt_profile_grant. In our setup we are getting significantly worse performance and it looks like the PostgreSQL DB cluster can be a bottleneck. We are looking to make our PostgreSQL DB config similar to yours, but are lacking some details.

1. In your "Database specification" it is specified "vCPU: 8 memory: 32Gib". Is it per DB cluster node, or the overall summed resources of all nodes?
2. How many write/read replicas are in your PostgreSQL DB cluster? Are you distributing Zitadel SQL queries between write/read somehow? (As Zitadel doesn't support that, maybe some middleware query routing/load-balancing solution is used?)...

Getting GrantRequired error when user has a grant

Created a new OIDC app to mirror the config of another app which works without issue. With the new app, all but one user are getting
Login not possible. The user is required to have at least one grant on the application. Please contact your administrator. (Internal)
The users all have identical grants (they're created via terraform using a loop, so I'm sure they're identical). ...

Clarifying System API Users

Hello everyone, I'm following the Access ZITADEL APIs docs and I'm unclear about a couple of things concerning the System API configuration, as shown here. Can anyone confirm that if I provide the SystemAPIUsers with the IAM_OWNER and ORG_OWNER roles, I can create Users and Service Users for an organization I am authorized for as a System User?...

Restoring backup DB doesn't work

When I pg_dump Zitadel, run psql zitadel < backup.sql and boot, it can't start as X already exists and the migration fails. I guess I thought they'd be inside the DB I dumped 🤔. Use case, in case there is a better solution:...

Limitation with deleting of members within an authorization

Environment: Self Hosting
Stack: App written with PHP
Use case: -German- Current state:...

Zitadel uninvited user can login to app?

Hi, so vaguely speaking, if I have an app in a project where a user is not granted via an Authorization, should the user be able to log in to that app, or is there some scoping that typically needs to be done to limit this?

Is it secure to use SendGrid API keys in Zitadel actions?

We want to send a welcome email with our custom template upon user registration using SendGrid. Is it safe to use SendGrid API keys directly in the Zitadel action to send the welcome email, or would it be better to make an external API call to our server to handle the welcome email?

Avoid adding port in issuer url

Hello, when the token is generated the issuer is https://mydomain:443. Is it possible to avoid having the port at the end? "iss": "https://idp.dev.ludocare.com:443",...

Different user IDs in local and prod in the userinfo endpoint

When I sign in with Google, locally I am receiving a value which is not my user ID in the sub field of the userinfo endpoint. But when I do the same in the deployed application, I am receiving the correct user ID in the sub. Could you please help me figure out the error?

Issues with using AWS application load balancer

Hi, I've installed the Zitadel Helm chart and I've been trying to expose it over an AWS ALB, but without much luck. I have a Next.js frontend which redirects to Zitadel for login, and then my Go backend performs token introspection and gRPC calls to Zitadel. With the following configuration, login works but the gRPC calls don't (which I guess is expected).

```
ExternalSecure: true
ExternalPort: 443
ExternalDomain: auth.ryvn.app
```
...

Expiry code for verification code

Hi team, I have set an expiry time for the verification code in my management console. How do I check whether the code is expired? I mean the login obviously wouldn't work, but is there a status code or error message saying that the login failed because the verification code is expired? If not, how can I check whether a verification code is expired so that I can give my own error message? Thanks in advance 🙂...

Email Verification while user registration

Hi team, I am working on sending a verification email to newly registered users. I am getting a 400 error whenever I try to register a user; the error message is "proto: (line 1:115): error parsing "sendCode", oneof zitadel.user.v2.SetHumanEmail.verification is already set". This is my API request:

```
const response = await fetch(
```
...

Deactivate User account due to inactivity

Hello Team, I have a scenario where I want to deactivate a user due to inactivity, let's say for 30 days. So the ideal solution is to look at the event logs, although the client must only generate the session token and then keep on using the token to let the user perform activities on their application, which will not be logged in the Zitadel event store....

How can I create human users programmatically using APIs?

I have 2 organizations and I want to create users in them programmatically based on the condition in the CSV file (I don't want to use the import feature because the CSV requires some transformation). I have tried converting the JSON file to a JWT for management, auth and admin users and it didn't work.

```bash
go install github.com/zitadel/zitadel-tools@latest
```
...

Generated IDs are non-unique

I'm in the process of setting up IaC for our ZITADEL installations, and it seems there is a significant issue with the ID generation process. The problem is severe, as the generated IDs are not unique when multiple resources are created at once, causing consistency issues. I'm not sure what I can do about it, maybe there is something in the configuration or setup process that can help? I'm using the latest version of Zitadel Terraform provider and Zitadel 2.60.2....