ZITADEL•10mo ago

Proxy service to manage users in both Zitadel and Legacy IAM

I'm trying to setup a proxy that enables having the same users in both IAM as a transition period till every functionality will be ported to Zitadel.

To achieve this I'm using a Service User with Private JWT Key to authenticate into Zitadel and be able to use the Zitadel Management API to:

Create a human user
Update a human user
Change password to a human user

I'm using this docs page to achieve this result:

https://zitadel.com/docs/guides/integrate/service-users/private-key-jwt

I'm receiving back this error when I try to get the bearer token from

/oauth/v2/token

/oauth/v2/token

/oauth/v2/token

/oauth/v2/token endpoint:

<<< RESPONSE <<<
cache-control: no-store
date: Fri, 07 Mar 2025 20:24:47 GMT
pragma: no-cache
via: 1.1 google
server: Google Frontend
vary: Origin,Cookie
content-length: 63
content-type: application/json
expires: Fri, 07 Mar 2025 19:24:47 GMT
set-cookie: __Host-zitadel.useragent=MTc0MTM3OTA4N3wxMTc3TG9EN3U1TUFyaVJMNXVlSElaRk96SmVuMUg1cnZfMm9fOTloRm1yWEh5eDBfSXNicDA2cWRCNFRzRGtYaG0tdWN6ZDhlQmZMaVltRVJJUFN5N05UeXFiRlBnPT18SNYSRm55sTI0t-Sr7EAUzFiwBtkAAiwv-yo938mOmtc=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
set-cookie: zitadel.quota.exhausted=; Path=/; Max-Age=0; SameSite=Lax
x-robots-tag: none
x-cloud-trace-context: 404d8071e06c3c51a8c4d4f623adf2d4/5545504894498014508
traceparent: 00-404d8071e06c3c51a8c4d4f623adf2d4-4cf59751f8be852c-00
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-cache-hit: uncacheable
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"error":"server_error","error_description":"Errors.Internal"}

<<< RESPONSE <<<
cache-control: no-store
date: Fri, 07 Mar 2025 20:24:47 GMT
pragma: no-cache
via: 1.1 google
server: Google Frontend
vary: Origin,Cookie
content-length: 63
content-type: application/json
expires: Fri, 07 Mar 2025 19:24:47 GMT
set-cookie: __Host-zitadel.useragent=MTc0MTM3OTA4N3wxMTc3TG9EN3U1TUFyaVJMNXVlSElaRk96SmVuMUg1cnZfMm9fOTloRm1yWEh5eDBfSXNicDA2cWRCNFRzRGtYaG0tdWN6ZDhlQmZMaVltRVJJUFN5N05UeXFiRlBnPT18SNYSRm55sTI0t-Sr7EAUzFiwBtkAAiwv-yo938mOmtc=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
set-cookie: zitadel.quota.exhausted=; Path=/; Max-Age=0; SameSite=Lax
x-robots-tag: none
x-cloud-trace-context: 404d8071e06c3c51a8c4d4f623adf2d4/5545504894498014508
traceparent: 00-404d8071e06c3c51a8c4d4f623adf2d4-4cf59751f8be852c-00
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-cache-hit: uncacheable
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"error":"server_error","error_description":"Errors.Internal"}

<<< RESPONSE <<<
cache-control: no-store
date: Fri, 07 Mar 2025 20:24:47 GMT
pragma: no-cache
via: 1.1 google
server: Google Frontend
vary: Origin,Cookie
content-length: 63
content-type: application/json
expires: Fri, 07 Mar 2025 19:24:47 GMT
set-cookie: __Host-zitadel.useragent=MTc0MTM3OTA4N3wxMTc3TG9EN3U1TUFyaVJMNXVlSElaRk96SmVuMUg1cnZfMm9fOTloRm1yWEh5eDBfSXNicDA2cWRCNFRzRGtYaG0tdWN6ZDhlQmZMaVltRVJJUFN5N05UeXFiRlBnPT18SNYSRm55sTI0t-Sr7EAUzFiwBtkAAiwv-yo938mOmtc=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
set-cookie: zitadel.quota.exhausted=; Path=/; Max-Age=0; SameSite=Lax
x-robots-tag: none
x-cloud-trace-context: 404d8071e06c3c51a8c4d4f623adf2d4/5545504894498014508
traceparent: 00-404d8071e06c3c51a8c4d4f623adf2d4-4cf59751f8be852c-00
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-cache-hit: uncacheable
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"error":"server_error","error_description":"Errors.Internal"}

<<< RESPONSE <<<
cache-control: no-store
date: Fri, 07 Mar 2025 20:24:47 GMT
pragma: no-cache
via: 1.1 google
server: Google Frontend
vary: Origin,Cookie
content-length: 63
content-type: application/json
expires: Fri, 07 Mar 2025 19:24:47 GMT
set-cookie: __Host-zitadel.useragent=MTc0MTM3OTA4N3wxMTc3TG9EN3U1TUFyaVJMNXVlSElaRk96SmVuMUg1cnZfMm9fOTloRm1yWEh5eDBfSXNicDA2cWRCNFRzRGtYaG0tdWN6ZDhlQmZMaVltRVJJUFN5N05UeXFiRlBnPT18SNYSRm55sTI0t-Sr7EAUzFiwBtkAAiwv-yo938mOmtc=; Path=/; Max-Age=31536000; HttpOnly; Secure; SameSite=Lax
set-cookie: zitadel.quota.exhausted=; Path=/; Max-Age=0; SameSite=Lax
x-robots-tag: none
x-cloud-trace-context: 404d8071e06c3c51a8c4d4f623adf2d4/5545504894498014508
traceparent: 00-404d8071e06c3c51a8c4d4f623adf2d4-4cf59751f8be852c-00
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-cache-hit: uncacheable
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

{"error":"server_error","error_description":"Errors.Internal"}

App configuration as in the screenshot.

User service configuration as in the screenshot.

What is wrong?

Code in following post,

ZITADEL Docs

This guide demonstrates how developers can leverage private key JWT authentication to secure communication between service users and client applications within ZITADEL.

Solution

Problem was "aud" it mus be the exact base url of your zitadel instance.

Jump to solution

tommasop#2001OP•3/7/25, 8:42 PM

  @doc """
  Generates a signed JWT using the provided identity and private key.
  """
  def generate_jwt(user_id, key_id, private_key) do
    payload = %{
      "iss" => user_id,
      "sub" => user_id,
      "aud" => "https://zitadel.cloud",
      "iat" => :os.system_time(:second),
      "exp" => :os.system_time(:second) + 300
    }

    AssentJWT.sign(payload, "RS256", private_key, json_library: Jason, private_key_id: key_id)
  end

  @doc """
  Requests an OAuth token from ZITADEL using the generated JWT.
  """
  def request_oauth_token(url, user_id, key_id, private_key) do
    {:ok, jwt} = generate_jwt(user_id, key_id, private_key)

    body = %{
      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
      scope: "openid urn:zitadel:iam:org:project🆔zitadel:aud",
      assertion: jwt
    }

    middleware = [
      Tesla.Middleware.FormUrlencoded,
      {Tesla.Middleware.BaseUrl, url},
      Tesla.Middleware.Logger
    ]

    client = Tesla.client(middleware)

    Tesla.post(client, "#{url}/oauth/v2/token", body)
  end

  @doc """
  Generates a signed JWT using the provided identity and private key.
  """
  def generate_jwt(user_id, key_id, private_key) do
    payload = %{
      "iss" => user_id,
      "sub" => user_id,
      "aud" => "https://zitadel.cloud",
      "iat" => :os.system_time(:second),
      "exp" => :os.system_time(:second) + 300
    }

    AssentJWT.sign(payload, "RS256", private_key, json_library: Jason, private_key_id: key_id)
  end

  @doc """
  Requests an OAuth token from ZITADEL using the generated JWT.
  """
  def request_oauth_token(url, user_id, key_id, private_key) do
    {:ok, jwt} = generate_jwt(user_id, key_id, private_key)

    body = %{
      grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
      scope: "openid urn:zitadel:iam:org:project🆔zitadel:aud",
      assertion: jwt
    }

    middleware = [
      Tesla.Middleware.FormUrlencoded,
      {Tesla.Middleware.BaseUrl, url},
      Tesla.Middleware.Logger
    ]

    client = Tesla.client(middleware)

    Tesla.post(client, "#{url}/oauth/v2/token", body)
  end

Solution

tommasop#2001•3/10/25, 7:00 PM

Problem was "aud" it mus be the exact base url of your zitadel instance.

@doc """ Generates a signed JWT using the provided identity and private key. """ def generate_jwt(user_id, key_id, private_key) do payload = %{ "iss" => user_id, "sub" => user_id, "aud" => "https://zitadel.cloud", "iat" => :os.system_time(:second), "exp" => :os.system_time(:second) + 300 } AssentJWT.sign(payload, "RS256", private_key, json_library: Jason, private_key_id: key_id) end @doc """ Requests an OAuth token from ZITADEL using the generated JWT. """ def request_oauth_token(url, user_id, key_id, private_key) do {:ok, jwt} = generate_jwt(user_id, key_id, private_key) body = %{ grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer", scope: "openid urn:zitadel:iam:org:project🆔zitadel:aud", assertion: jwt } middleware = [ Tesla.Middleware.FormUrlencoded, {Tesla.Middleware.BaseUrl, url}, Tesla.Middleware.Logger ] client = Tesla.client(middleware) Tesla.post(client, "#{url}/oauth/v2/token", body) end