nicjac · ZITADEL · 5mo ago · 8 replies

StartIdentityProviderIntent gRPC Issue

The gRPC `StartIdentityProviderIntent` endpoint returns an empty response (only `details` field) when using service account JWT authentication, but the REST API equivalent (`POST /v2/idp_intents`) works perfectly with the same auth.

What We Tried

1. gRPC with service account auth → Empty response
2. REST API with service account auth → Works!

Server Logs

```
level=debug msg="could not check projectID and origin of clientID (might be service account)"
clientID=helveston-backend-mgmt-api
error="ID=QUERY-Fdfax Message=Errors.App.NotExisting"
```

Is the gRPC endpoint intended only for user-session context, while backend services should use the REST API? The docs don't clarify this distinction.

Workaround

We're using the REST API instead:
```
POST https://zitadel-instance/v2/idp_intents
Authorization: Bearer <service-account-jwt>
{
  "idpId": "idp-id",
  "urls": {
    "successUrl": "...",
    "failureUrl": "..."
  }
}
```

This works perfectly and returns the expected `formData` for SAML POST binding.

---

Environment: Zitadel v4.2.0 protobuf definitions, self-hosted Docker, SAML 2.0 IdP

Slightly concerned about using a REST API workaround given the deprecation notice?
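
An added example, not part of the original post and not ZITADEL's own code: a backend wrapper for the `POST /v2/idp_intents` call above that fails closed when the reply carries only `details`, so the login flow never continues on an empty intent. The function and exception names are hypothetical; treating any single non-`details` field (such as `formData`) as the next step and refusing non-HTTPS base URLs are assumptions of this sketch.

```python
import json
import urllib.request

class EmptyIntentResponse(Exception):
    """The reply carried only `details`, the symptom described in the post."""

def build_intent_request(base_url, token, idp_id, success_url, failure_url):
    # The bearer token is a service-account credential: refuse cleartext HTTP.
    if not base_url.startswith("https://"):
        raise ValueError("base_url must use https")
    body = {"idpId": idp_id,
            "urls": {"successUrl": success_url, "failureUrl": failure_url}}
    return urllib.request.Request(
        base_url.rstrip("/") + "/v2/idp_intents",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )

def classify_intent_response(raw):
    """Return (field_name, value) for the single next-step field, else raise."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("response is not a JSON object")
    # Assumption: everything except `details` is a candidate next step.
    steps = {k: v for k, v in doc.items()
             if k != "details" and v not in (None, "", {}, [])}
    if not steps:
        raise EmptyIntentResponse("only `details` returned; stop the login flow")
    if len(steps) != 1:
        raise ValueError("ambiguous response: " + ", ".join(sorted(steps)))
    return next(iter(steps.items()))

def start_idp_intent(base_url, token, idp_id, success_url, failure_url, timeout=10):
    # Sends the request; HTTP errors surface as urllib.error.HTTPError.
    req = build_intent_request(base_url, token, idp_id, success_url, failure_url)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_intent_response(resp.read())

# Constructed sample replies (not captured from a real instance).
SAMPLE_EMPTY = '{"details": {"constructed": "placeholder"}}'
SAMPLE_FORM = ('{"details": {"constructed": "placeholder"}, '
               '"formData": {"constructed": "placeholder"}}')
```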