Unable to access the system api using jwt token (invalid signature: no possible keys matches)
hi @Shevon酱🌸 thanks for super detailed description, I am looking into this now and will let you know.
hi @Shevon酱🌸 as I investigate more into it, this typically arises when the JWT signature verification fails because Zitadel cannot find a matching public key to validate the signature
hi @Shevon酱🌸 when you pass your --audience and --issuer, are you passing them with https://<your domain> (or http://<your domain>)?
for logging, you can enable it by changing the config here
https://zitadel.com/docs/self-hosting/manage/production#default-zitadel-logging-config
as for the issuer not matching, it is likely because ZITADEL expects iss to be the domain, NOT the user ID like you passed as system-user-1 here.
It's also mentioned in the logs above: "issuer does not match: Expected: https://<my domain>, got: system-user-1"
once I have this information, I can debug it further.
Any new information on this? I have a user with a username like my domain with port 8080 e.g. https://domain.com:8080. This case is from https://github.com/zitadel/zitadel/issues/7937#issuecomment-2589415764 and it worked a few months ago, but now nothing works. I'm trying to generate jwt for:
--audience=https://domain.com:8080
--issuer=https://domain.com:8080
error="issuer does not match: Expected: https://domain.com, got: https://domain.com:8080"
--audience=https://domain.com
--issuer=https://domain.com:8080
invalid signature (invalid signature: no possible keys matches)
--audience=https://domain.com:8080
--issuer=https://domain.com
issuer does not match: Expected: https://domain.com, got: https://domain.com:8080
--audience=https://domain.com
--issuer=https://domain.com
invalid signature (invalid signature: no possible keys matches)
and nothing works.
I have the same valid keys from the last time it worked.
GitHub: Use a single token verifier in the auth middleware · Issue #7937: Acceptance criteria: Unify the VerifySystemToken with VerifyAccessToken and return a single error; resolve the different key sources on query level (yaml for system user vs DB for regular user) Or...
Hi @Rajat Singh, do you have any info?
@fabienne, can you help me?
We want to deploy Zitadel on production and we need to change the domain in the system API, and we can't do that without access to this API ;/
Also saw this with for the system user.
Opened a discussion here before realizing:
https://discord.com/channels/927474939156643850/1372242447668875439/1372242447668875439
hey @Mateusz Wolanowski your issuer is wrong as per the error, have you tried passing just the domain (without 8080)?
Problem solved thanks to their github issue, but in my case the external domain setting was also missing
hey @Mateusz Wolanowski glad it worked out! Can you please briefly write here and/or update the GitHub issue with your findings? It can help other users looking for something similar either here or on GitHub, that'd be great. Thanks :gigilove:
Indeed instructions would help, reproducible for me with v3.2.0. Worked fine with v3.0.4.