Supabase as JWT IDP for Zitadel
I am on Zitadel Cloud and want to use it to handle authentication for multiple apps.
Since I am using Supabase as my core service, I would love to integrate it as IDP for Zitadel.
Name: Supabase Auth
Header Name: x-custom-tkn
Issuer: https://<supabase-id>.supabase.co/auth/v1
JWT Endpoint: http://localhost:8000/jwt-callback
JWT Keys Endpoint: https://<supabase-id>.supabase.co/auth/v1/.well-known/jwks.json
Currently Zitadel Login will offer the provider as an option and then redirect to the JWT Endpoint with an authRequestID and userAgentID as URL parameters. What should happen next?
Is my use case even possible and are there any examples?
I feel like I am missing a Zitadel endpoint where I can actually send the Supabase JWT token to in the flow.
Greetings
Malte
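To make the IdP configuration above concrete, here is an added example (not code from the thread or from Zitadel/Supabase) of the checks a JWT IdP has to perform on a token it receives: read it from the configured header name, pin the algorithm, verify the signature, and match the issuer and expiry. It assumes an HS256 shared secret purely so it runs offline with the standard library; a real Supabase setup would use the keys published at the JWT Keys Endpoint, and the issuer placeholder and secret are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Values from the IdP configuration in the post (issuer is the placeholder as written there).
ISSUER = "https://<supabase-id>.supabase.co/auth/v1"
HEADER_NAME = "x-custom-tkn"
# Constructed secret for this example only; real verification would use the JWKS keys.
SECRET = b"example-only-shared-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT; used only to construct sample input for the verifier."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_idp_token(headers: dict, secret: bytes = SECRET, now=None) -> dict:
    """Return the verified claims, or raise ValueError with the reason an IdP would reject the token."""
    token = headers.get(HEADER_NAME)
    if not token:
        raise ValueError(f"missing {HEADER_NAME} header")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm on the verifier side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if "sub" not in claims:
        raise ValueError("no subject claim")
    return claims
```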
Hi @malte, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Feel free to tag @Ask Inkeep with additional questions.
Got it. Tagging @Rajat for additional help.
hey @malte I think this is the guide you may find helpful, it's about setting up JWT as IDP
hey @Rajat, I tried to follow the example, but I can't manage to get it to work. I tried to follow these docs, but I can't manage to get it to work.
This is what I thought should happen. After Step 4 I am stuck.
Supabase App - A react app that uses supabase as backend
CustomApp - An app created in my Zitadel Cloud
1. User navigates to CustomApp, and is redirected to Zitadel Login.
2. User clicks "Login with Supabase as JWT IDP".
3. User is redirected to the configured JWT endpoint.
4. User logs into the Supabase app to obtain a valid JWT.
5. ???
At this state I have a valid Supabase JWT, a Zitadel authRequestID and a Zitadel userAgentID. I thought the next step would be to send these parts to https://<my-instance>.zitadel.cloud/idps/jwt . I used a Supabase edge function for this, so I can send the JWT in the header, but it does not work. Using Postman with these values returns "ID=LOGIN-adfzz Message=Errors.AuthRequest.MissingParameters". Is there a fundamental flaw in my understanding?
Hello @malte apologies for the delay, Zitadel supports the industry standard protocols for federation (OIDC, SAML, etc.). Do you know what protocol you will be using, or do you have any reference document so we can take a look?
Thanks!
Hello @fcoppede,
I want to explicitly use the supabase JWT for the Authentication with Zitadel using the JWT-IDP option.
This is because there are some limitations of supabase, see Option A and B below.
My Supabase Service needs to manage Users and Permissions.
These Permissions should then be synchronized with Zitadel.
Zitadel will then handle the authentication with multiple other services.
A. Registering Zitadel as IDP for Superbase
Supabase only accepts specific identity providers using OIDC.
The only way to use Zitadel is using SAML.
Unfortunately this limits the options for user federation on the side of supabase and does not allow for a clean way to work with users before first login.
B. Registering Supabase as an IDP for Zitadel
Supabase does not offer any protocols to function as an IDP, but the Zitadel JWT IDP configuration would make this possible. Authentication would be handled by Supabase. Zitadel will then accept the JWT.
Currently I am using Option A, but the limitations of Supabase are annoying. Option B would be perfect for my use case, but I am stuck. That is why I am looking for a working example of the JWT-IDP option of Zitadel.
hello @malte, to understand what is the right approach, I should first understand your use case, can you please share that more in detail? what is your expected user journey/flow from the moment they land on your app?