Use Zitadel from Retool
πAuthenticationβUnsolvedβQuestion
Hi all, looking for some guidance on how to integrate Zitadel OAuth2 with a Retool app.
Retool allows you to use OAuth 2 compliant endpoints as resources, and say they will handle all the complexity of managing the OAuth2 flows on behalf of the user. Basically, user logs in to retool, then starts an app. While using the app, different resources including OAuth2 compliant resource providers are used to retrieve data that is served to the user. Retool as the middleman caches tokens (both access and refresh) on behalf of the user, and uses them when making queries.
my base setup:
1. a project (TEST-PROJECT)
2. A Web app for the user interface (TEST-APP)
2.a App uses JWT token
2.b has refresh token
2.c Added Retool URI to redirect/post logout URI's
3. An API app to represent the resource provider (TEST-PROVIDER)
This basically works, but Retool doesn't know how to validate the token and direct the user to Zitadels login flow when it's not valid. I can set the settings on Retool to allow refresh/verification, but here's where I get confused.
1. I am using the introspection endpoint for verification,
2. I need a static client Id and Client Secret to be used by Retool when calling the introspect endpoint. I'm not sure how to configure that, while still allowing the user to use a user specific JWT token.
My starting attempt was to create a second API APP for Retool, which then has a id & secret configured, and provide that to Retool. However, when I test authentication using that setup Zitadel responds with an "Invalid_request" "Errors.App.NotFound" response instead of redirecting back to Retool.
-
Does anyone else have experience using Retool and Zitadel? Or is this familiar from someone elses use case?
Retool allows you to use OAuth 2 compliant endpoints as resources, and say they will handle all the complexity of managing the OAuth2 flows on behalf of the user. Basically, user logs in to retool, then starts an app. While using the app, different resources including OAuth2 compliant resource providers are used to retrieve data that is served to the user. Retool as the middleman caches tokens (both access and refresh) on behalf of the user, and uses them when making queries.
my base setup:
1. a project (TEST-PROJECT)
2. A Web app for the user interface (TEST-APP)
2.a App uses JWT token
2.b has refresh token
2.c Added Retool URI to redirect/post logout URI's
3. An API app to represent the resource provider (TEST-PROVIDER)
This basically works, but Retool doesn't know how to validate the token and direct the user to Zitadels login flow when it's not valid. I can set the settings on Retool to allow refresh/verification, but here's where I get confused.
1. I am using the introspection endpoint for verification,
/oauth/v2/introspect2. I need a static client Id and Client Secret to be used by Retool when calling the introspect endpoint. I'm not sure how to configure that, while still allowing the user to use a user specific JWT token.
My starting attempt was to create a second API APP for Retool, which then has a id & secret configured, and provide that to Retool. However, when I test authentication using that setup Zitadel responds with an "Invalid_request" "Errors.App.NotFound" response instead of redirecting back to Retool.
-
scopes: openId profile email offline_access urn:zitadel:iam:org:project:id:XXXXXXXXXXXXXX:audDoes anyone else have experience using Retool and Zitadel? Or is this familiar from someone elses use case?
