ZITADEL•13mo ago

Getting `unauthorized_client` error while introspecting token from NestJS API

Hello everyone

I'm trying to implement authentication via Zitadel on a NestJS REST API, like on this example repo. On the Zitadel side, I have a project with two apps:

one with “API” type, with JWT private key authentication (dedicated to the NestJS API)
one with “User Agent” type, with PKCE authentication (so that a user can retrieve an access token).
With a client like Postman, I'm able to fetch a user access token via “Authentication Code” grant type and the
```
/oauth/v2/authorize
```
/oauth/v2/authorize
```
/oauth/v2/authorize
```
/oauth/v2/authorize
and
```
/oauth/v2/token
```
/oauth/v2/token
```
/oauth/v2/token
```
/oauth/v2/token
endpoints. When calling a NestJS API endpoint protected by Zitadel authentication, the call to the introspection endpoint made in the
```
strategy.js
```
strategy.js
```
strategy.js
```
strategy.js
file of the
```
passport-zitadel
```
passport-zitadel
```
passport-zitadel
```
passport-zitadel
library receives a 400 Bad Request, indicating “unauthorized_client”. Any ideas?

myoufOP•11/28/24, 9:15 AM

Also, while debugging, I can see that the call made by the

passport-zitadel

passport-zitadel

lib to Zitadel is a

POST

POST

to the

/oauth/v2/introspect

/oauth/v2/introspect

endpoint, with the following payload:

{
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: "JWT generated via backend app credentials",
    token: "access token of the calling external user"
}

{
    client_assertion_type: "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
    client_assertion: "JWT generated via backend app credentials",
    token: "access token of the calling external user"
}

This seems to correspond to what is described in the documentation here: https://zitadel.com/docs/apis/openidoauth/endpoints#introspection_endpoint

FFO•11/28/24, 12:33 PM

Hm this sounds about right.

Are you using our cloud? Or self-hosted?

myoufOP•11/28/24, 2:32 PM

Hey @FFO, I'm using cloud on free plan for the moment. We want to test the tool a little before switching to pro plan

Decoding the API's JWT with https://jwt.io/, it shows me an "invalid signature". There must be a problem here

FFO•11/28/24, 3:28 PM

Hm can you share one of the tokens per DM?

FFO•11/28/24, 3:28 PM

And testing makes absolut sense

myoufOP•11/29/24, 10:05 AM

Closing this ticket after DM exchange with @FFO. What was causing the issue was a configuration problem with the IDP_AUTHORITY env variable, which must not contain trailing slash