Unable to access the system api using jwt token (invalid signature: no possible keys matches)
Original message was deleted
Rhi @Shevon酱
thanks for super detailed description, I am looking into this now and will let you know.
thanks for super detailed description, I am looking into this now and will let you know.Rhi @Shevon酱 as I investigate more into is, this typically arises when the JWT signature verification fails because Zitadel cannot find a matching public key to validate the signature
as I investigate more into is, this typically arises when the JWT signature verification fails because Zitadel cannot find a matching public key to validate the signatureRhi @Shevon酱 when you pass your
for logging, you can use enable it by chaining teh config here
https://zitadel.com/docs/self-hosting/manage/production#default-zitadel-logging-config
as for the
Its also mentioned the same in the logs above
once I have these information, I can debug it further.
when you pass your --audience and --issuer , are you passing it with https://<your domain> (or http://<your domain>?. for logging, you can use enable it by chaining teh config here
https://zitadel.com/docs/self-hosting/manage/production#default-zitadel-logging-config
as for the
issuer not match is likely coming because ZITADEL expects isssystem-user-1 here.Its also mentioned the same in the logs above
"issuer does not match: Expected: https://<my domain>, got: system-user-1"once I have these information, I can debug it further.
MAny new information on this? I have a user with a username like my domain with port 8080 e.g. https://domain.com:8080. This case is from https://github.com/zitadel/zitadel/issues/7937#issuecomment-2589415764 and it worked a few months ago, but now nothing works. I'm trying to generate jwt for:
--audience=https://domain.com:8080
--issuer=https://domain.com:8080
error="issuer does not match: Expected: https://domain.com, got: https://domain.com:8080"
--audience=https://domain.com
--issuer=https://domain.com:8080
invalid signature (invalid signature: no possible keys matches)
--audience=https://domain.com:8080
--issuer=https://domain.com
issuer does not match: Expected: https://domain.com, got: https://domain.com:8080
--audience=https://domain.com
--issuer=https://domain.com
invalid signature (invalid signature: no possible keys matches)
and nothing works.
I have the same valid keys from the last time it worked.
--audience=https://domain.com:8080
--issuer=https://domain.com:8080
error="issuer does not match: Expected: https://domain.com, got: https://domain.com:8080"
--audience=https://domain.com
--issuer=https://domain.com:8080
invalid signature (invalid signature: no possible keys matches)
--audience=https://domain.com:8080
--issuer=https://domain.com
issuer does not match: Expected: https://domain.com, got: https://domain.com:8080
--audience=https://domain.com
--issuer=https://domain.com
invalid signature (invalid signature: no possible keys matches)
and nothing works.
I have the same valid keys from the last time it worked.
GitHub
Acceptance criteria Unify the the VerifySystemToken with VerifyAccessToken and return a single error Resolve the different keysources on query level (yaml for system user vs DB for regular user) Or...
MHi @Rajat Singh, do you have any info?
M@fabienne, can you help me?
MWe want to deploy Zitadel on production and we need to change the domain in the system API, and we can't do that without access to this API ;/
NAlso saw this with for the system user.
Opened a discussion here before realizing:
Flaky error from /oauth/v2/token
Opened a discussion here before realizing:
Flaky error from /oauth/v2/token
Rhey @Mateusz Wolanowski your issuer is wrong as per the error, jhave you trued passing just the domain(without 8080)
MProblem solved thanks to their github issue, but in my case the external domain setting was also missing
Rhey @Mateusz Wolanowski glad it worked out!. Can you please briefly write here and/or update the github issue with your findings?. It can help other users looking for something similar either here or on Github, that'd be great. Thanks :gigilove:
AIndeed instructions would help, reproducible for me with v3.2.0. Worked fine with v3.0.4.