StartIdentityProviderIntent gRPC Issue

The gRPC StartIdentityProviderIntentStartIdentityProviderIntent endpoint returns an empty response (only detailsdetails field) when using service account JWT authentication, but the REST API equivalent (POST /v2/idp_intentsPOST /v2/idp_intents) works perfectly with the same auth.

What We Tried

1. gRPC with service account auth → Empty response
2. REST API with service account auth → Works!

Server Logs

level=debug msg="could not check projectID and origin of clientID (might be service account)"
clientID=helveston-backend-mgmt-api
error="ID=QUERY-Fdfax Message=Errors.App.NotExisting"

level=debug msg="could not check projectID and origin of clientID (might be service account)"
clientID=helveston-backend-mgmt-api
error="ID=QUERY-Fdfax Message=Errors.App.NotExisting"

Is the gRPC endpoint intended only for user-session context, while backend services should use the REST API? The docs don't clarify this distinction.

Workaround

We're using the REST API instead:

POST https://zitadel-instance/v2/idp_intents
Authorization: Bearer <service-account-jwt>
{
  "idpId": "idp-id",
  "urls": {
    "successUrl": "...",
    "failureUrl": "..."
  }
}

POST https://zitadel-instance/v2/idp_intents
Authorization: Bearer <service-account-jwt>
{
  "idpId": "idp-id",
  "urls": {
    "successUrl": "...",
    "failureUrl": "..."
  }
}

This works perfectly and returns the expected formDataformData for SAML POST binding.

---

Environment: Zitadel v4.2.0 protobuf definitions, self-hosted Docker, SAML 2.0 IdP

Slightly concern about using a REST API workaround given the deprecation notice?

ZITADEL•8mo ago•

8 replies

nicjac

StartIdentityProviderIntent gRPC Issue

What We Tried

1. gRPC with service account auth → Empty response
2. REST API with service account auth → Works!

Server Logs

level=debug msg="could not check projectID and origin of clientID (might be service account)"
clientID=helveston-backend-mgmt-api
error="ID=QUERY-Fdfax Message=Errors.App.NotExisting"

level=debug msg="could not check projectID and origin of clientID (might be service account)"
clientID=helveston-backend-mgmt-api
error="ID=QUERY-Fdfax Message=Errors.App.NotExisting"

Is the gRPC endpoint intended only for user-session context, while backend services should use the REST API? The docs don't clarify this distinction.

Workaround

We're using the REST API instead:

POST https://zitadel-instance/v2/idp_intents
Authorization: Bearer <service-account-jwt>
{
  "idpId": "idp-id",
  "urls": {
    "successUrl": "...",
    "failureUrl": "..."
  }
}

POST https://zitadel-instance/v2/idp_intents
Authorization: Bearer <service-account-jwt>
{
  "idpId": "idp-id",
  "urls": {
    "successUrl": "...",
    "failureUrl": "..."
  }
}

Continue the conversation

Join the Discord to ask follow-up questions and connect with the community

ZITADEL

ZITADEL - Identity infrastructure, simplified for you.

4,566 Members

Join

StartIdentityProviderIntent gRPC Issue

What We Tried

Server Logs

Workaround

StartIdentityProviderIntent gRPC Issue

What We Tried

Server Logs

Workaround

Continue the conversation

ZITADEL

Continue the conversation

ZITADEL

Similar Threads