V1 Actions failing for v4.1.2 upon user authentication on Zitadel Cloud
Hi there,
since yesterday, we receive a lot of issue from our first time users that complain about not being able to login to our production app. The error for every user always is: "Login not possible. The user is required to have at least one grant on the application. Please contact your administrator. " We have actions running on internal and external authentication which will set default roles for each user. We haven't changed anything since weeks on Zitadel config and this starts popping up now out of nowhere. Any chance we missed something (there is a warning about v2 Actions but it reads that the current are still working) or that something is broken on Zitadel's side?
Cheers,
Stephan
11 Replies
Hi @stephanb, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. Discord message from @blobdold on 2024-10-24 : This shows a similar issue where actions weren't working due to a mismatch between action name and function name - the action was named "addRole" but the function was named "addGrant" (1) .
2. Converting v1 Action to v2 Action: Add a default 'role' to newly created users : This discusses v1 Actions for automatically adding user grants to newly created users, including the proper syntax for user grant actions (2) .
ā
To learn more, see the sources I considered:
[1] Discord message from @blobdold on 2024-10-24
[2] Converting v1 Action to v2 Action: Add a default 'role' to newly created users
ā
Feel free to tag @Ask Inkeep with additional questions.
hey @stephanb apologies for inconvinience, what version are you on?.
Hi @Rajat and thanks for the swift reply! We are curently on v4.1.0.
are you self hosted?
no, we run on Zitadel Cloud
ok perfect, raising this internally.
thanks!
hey @stephanb I am gonna ask more questions š if that ok to help you better
are you sure that you or your org recently did NOT change any settings in ZITADEL (e.g. project grants, role assignments, actions, or IDP configs)?
Did you recently create a new project/application or update the application ID your frontend uses?
When exactly did the problem start (date/time)?
Can you confirm if your Actions are still running (for example, if default roles actually get written on user creation)?
We haven't changed anything within the last couple of weeks. The first issue was reported yesterday with several others today. Also, our app didn't receive any major update in this period which would have included any changes to the Zitadel logic. This logic was now fairly stable and hasn't been touched for quite some time - saying months.
this only affects the "actions" running on the Zitadel server. We rely on the role being added on first user authentication with the system. This fails, nothing related to our app logic that is running on our servers
okay, so that means the role-granting Action not executing (or failing š
) and this is the error you are getting as a result I suppose, correct?
for the failing user(if you know any) can you pls pick one failing user ā in ZITADEL Console: Project ā Authorizations, check if you can see the relevant user grant?. If not, chances are actions are not firing properly.
Pls share the actions script for both internal and external auth. I am checking with my team if we had any actions v1 issues
The user does not receive any grants. That is what makes me think there is an issue with the action,. The script is the following running on internal and external authenication post create:
/**
* Add usergrant to a new created/registered user
*
* Flow: Internal Authentication or External Authentication, Trigger: Post creation
*
* @param ctx
* @param api
*/
function grantRolesToNewUser(ctx, api) {
api.userGrants.push({
projectID: '287053594304193159',
roles: ['OPENAIP_USER']
});
}
I took a closer look again today and it from what it looks like, our staging system which runs on also on Zitadel Cloud is on v3.4.0. The actions run smoothly with this version and the required role gets added to the newly registered user. Our production system running on Zitadel Cloud was already upgraded to v4.1.2 which seems to completely break the v1 actions.