Proxy service to manage users in both Zitadel and Legacy IAM

I'm trying to setup a proxy that enables having the same users in both IAM as a transition period till every functionality will be ported to Zitadel.

To achieve this I'm using a Service User with Private JWT Key to authenticate into Zitadel and be able to use the Zitadel Management API to:

1. Create a human user
2. Update a human user
3. Change password to a human user

I'm using this docs page to achieve this result:

https://zitadel.com/docs/guides/integrate/service-users/private-key-jwt

I'm receiving back this error when I try to get the bearer token from /oauth/v2/token/oauth/v2/token endpoint:

<<< RESPONSE <<<
cache-control: no-store
date: Fri, 07 Mar 2025 20:24:47 GMT
pragma: no-cache
via: 1.1 google
server: Google Frontend
vary: Origin,Cookie
content-length: 63
content-type: application/json
expires: Fri, 07 Mar 2025 19:24:47 GMT
set-cookie: __Host-zitadel.useragent=MTc0MTM3OTA4N3wxMTc3TG9EN3U1TUFyaVJMNXVlSElaRk96SmVuMUg1cnZfMm9fOTloRm1yWEh5eDBfSXNicDA2cWRCNFRzRGtYaG0tdWN6ZDhlQmZMaVltRVJJUFN5N05UeXFiRlBnPT18SNYSRm55sTI0t-Sr7EAUzFiwBtkAAiwv-yo938mOmtc=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
set-cookie: zitadel.quota.exhausted=; Path=/; Max-Age=0; SameSite=Lax
x-robots-tag: none
x-cloud-trace-context: 404d8071e06c3c51a8c4d4f623adf2d4/5545504894498014508
traceparent: 00-404d8071e06c3c51a8c4d4f623adf2d4-4cf59751f8be852c-00
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-cache-hit: uncacheable
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"error":"server_error","error_description":"Errors.Internal"}

<<< RESPONSE <<<
cache-control: no-store
date: Fri, 07 Mar 2025 20:24:47 GMT
pragma: no-cache
via: 1.1 google
server: Google Frontend
vary: Origin,Cookie
content-length: 63
content-type: application/json
expires: Fri, 07 Mar 2025 19:24:47 GMT
set-cookie: __Host-zitadel.useragent=MTc0MTM3OTA4N3wxMTc3TG9EN3U1TUFyaVJMNXVlSElaRk96SmVuMUg1cnZfMm9fOTloRm1yWEh5eDBfSXNicDA2cWRCNFRzRGtYaG0tdWN6ZDhlQmZMaVltRVJJUFN5N05UeXFiRlBnPT18SNYSRm55sTI0t-Sr7EAUzFiwBtkAAiwv-yo938mOmtc=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
set-cookie: zitadel.quota.exhausted=; Path=/; Max-Age=0; SameSite=Lax
x-robots-tag: none
x-cloud-trace-context: 404d8071e06c3c51a8c4d4f623adf2d4/5545504894498014508
traceparent: 00-404d8071e06c3c51a8c4d4f623adf2d4-4cf59751f8be852c-00
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-cache-hit: uncacheable
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"error":"server_error","error_description":"Errors.Internal"}

App configuration as in the screenshot.

User service configuration as in the screenshot.

What is wrong?

Code in following post,

ZITADEL Docs

This guide demonstrates how developers can leverage private key JWT authentication to secure communication between service users and client applications within ZITADEL.

Solution

Problem was "aud" it mus be the exact base url of your zitadel instance.

Jump to solution

Proxy service to manage users in both Zitadel and Legacy IAM

<<< RESPONSE <<<
cache-control: no-store
date: Fri, 07 Mar 2025 20:24:47 GMT
pragma: no-cache
via: 1.1 google
server: Google Frontend
vary: Origin,Cookie
content-length: 63
content-type: application/json
expires: Fri, 07 Mar 2025 19:24:47 GMT
set-cookie: __Host-zitadel.useragent=MTc0MTM3OTA4N3wxMTc3TG9EN3U1TUFyaVJMNXVlSElaRk96SmVuMUg1cnZfMm9fOTloRm1yWEh5eDBfSXNicDA2cWRCNFRzRGtYaG0tdWN6ZDhlQmZMaVltRVJJUFN5N05UeXFiRlBnPT18SNYSRm55sTI0t-Sr7EAUzFiwBtkAAiwv-yo938mOmtc=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
set-cookie: zitadel.quota.exhausted=; Path=/; Max-Age=0; SameSite=Lax
x-robots-tag: none
x-cloud-trace-context: 404d8071e06c3c51a8c4d4f623adf2d4/5545504894498014508
traceparent: 00-404d8071e06c3c51a8c4d4f623adf2d4-4cf59751f8be852c-00
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-cache-hit: uncacheable
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"error":"server_error","error_description":"Errors.Internal"}

<<< RESPONSE <<<
cache-control: no-store
date: Fri, 07 Mar 2025 20:24:47 GMT
pragma: no-cache
via: 1.1 google
server: Google Frontend
vary: Origin,Cookie
content-length: 63
content-type: application/json
expires: Fri, 07 Mar 2025 19:24:47 GMT
set-cookie: __Host-zitadel.useragent=MTc0MTM3OTA4N3wxMTc3TG9EN3U1TUFyaVJMNXVlSElaRk96SmVuMUg1cnZfMm9fOTloRm1yWEh5eDBfSXNicDA2cWRCNFRzRGtYaG0tdWN6ZDhlQmZMaVltRVJJUFN5N05UeXFiRlBnPT18SNYSRm55sTI0t-Sr7EAUzFiwBtkAAiwv-yo938mOmtc=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
set-cookie: zitadel.quota.exhausted=; Path=/; Max-Age=0; SameSite=Lax
x-robots-tag: none
x-cloud-trace-context: 404d8071e06c3c51a8c4d4f623adf2d4/5545504894498014508
traceparent: 00-404d8071e06c3c51a8c4d4f623adf2d4-4cf59751f8be852c-00
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-cache-hit: uncacheable
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"error":"server_error","error_description":"Errors.Internal"}

App configuration as in the screenshot.

User service configuration as in the screenshot.

What is wrong?

Code in following post,

ZITADEL Docs

This guide demonstrates how developers can leverage private key JWT authentication to secure communication between service users and client applications within ZITADEL.

Solution

Problem was "aud" it mus be the exact base url of your zitadel instance.

Jump to solution

Proxy service to manage users in both Zitadel and Legacy IAM

Proxy service to manage users in both Zitadel and Legacy IAM

Continue the conversation

ZITADEL

Continue the conversation

ZITADEL

Similar Threads