
invalid signature (error fetching keys: ID=QUERY-SDf32

Open AshishMittal02 opened this issue 1 year ago • 10 comments

I am trying to use Zitadel APIs to create/update a user within an org. I have created a project and then an API-type application, then created a key for the operation.

Now when I try to hit any of the APIs, I keep getting the error http status not ok: 400 Bad Request {"error":"server_error","error_description":"invalid signature (error fetching keys: ID=QUERY-SDf32 Message=Errors.AuthNKey.NotFound Parent=(sql: no rows in result set))

The error doesn't say anything else. I have changed keys but get the same result every time. I have followed the example given here: https://github.com/zitadel/zitadel-go/blob/main/example/mgmt/mgmt.go

AshishMittal02 avatar Dec 15 '23 16:12 AshishMittal02

PS: this is a self-hosted Zitadel on a Kubernetes cluster

AshishMittal02 avatar Dec 15 '23 16:12 AshishMittal02

With a service account I am getting the error below: rpc error: code = Unavailable desc = connection error: desc = "error reading server preface: http2: frame too large"

AshishMittal02 avatar Dec 16 '23 06:12 AshishMittal02

@livio-a can you help here?

hifabienne avatar Dec 18 '23 07:12 hifabienne

Configure the appProtocol option in Service to kubernetes.io/h2c (for zitadel service).

roquie avatar Dec 18 '23 11:12 roquie

@roquie I tried that but it didn't work, and the Zitadel docs say it has to be http2 only

AshishMittal02 avatar Dec 19 '23 03:12 AshishMittal02

Hm, can you share your settings?

ZITADEL can operate with http1.1 only but you lose the gRPC APIs.

H2C btw. is just unencrypted http2 😁

fforootd avatar Dec 19 '23 08:12 fforootd

To access the ZITADEL API you will need a user, in this case a service user, which, like an API application, can have a key to authenticate: https://zitadel.com/docs/guides/integrate/private-key-jwt resp. https://zitadel.com/docs/examples/call-zitadel-api/go

livio-a avatar Dec 19 '23 11:12 livio-a
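A pre-flight check for the distinction drawn in the reply above, as an added example (not code from the thread or from zitadel-go): it reads a downloaded key JSON and accepts it only if it is a service user key. The field names (`type`, `keyId`, `key`, `userId`, `appId`), the two type values and the function name `CheckAPIKey` are assumptions about the key file layout, and both sample key files are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample key files (placeholder IDs, no real key material).
const sampleServiceKey = `{"type":"serviceaccount","keyId":"1001","key":"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n","userId":"2002"}`
const sampleAppKey = `{"type":"application","keyId":"1003","key":"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n","appId":"3003"}`

// keyFile mirrors the assumed layout of a downloaded key JSON.
type keyFile struct {
	Type   string `json:"type"`
	KeyID  string `json:"keyId"`
	Key    string `json:"key"`
	UserID string `json:"userId"`
	AppID  string `json:"appId"`
}

// CheckAPIKey returns the service user ID the key belongs to, or an error
// explaining why the file cannot be used to call the ZITADEL API as a user.
func CheckAPIKey(raw []byte) (string, error) {
	var k keyFile
	if err := json.Unmarshal(raw, &k); err != nil {
		return "", fmt.Errorf("key file is not valid JSON: %w", err)
	}
	if k.KeyID == "" || !strings.Contains(k.Key, "PRIVATE KEY") {
		return "", errors.New("key file lacks keyId or a PEM private key")
	}
	switch k.Type {
	case "serviceaccount":
		if k.UserID == "" {
			return "", errors.New("service user key without userId")
		}
		return k.UserID, nil
	case "application":
		return "", fmt.Errorf("key %s belongs to application %s; a service user key is needed", k.KeyID, k.AppID)
	default:
		return "", fmt.Errorf("unknown key type %q", k.Type)
	}
}

func main() {
	for _, s := range []string{sampleServiceKey, sampleAppKey} {
		sub, err := CheckAPIKey([]byte(s))
		fmt.Printf("subject=%q err=%v\n", sub, err)
	}
}
```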

@livio-a This is exactly what we do, with one correction. The doc says we have to give projectID in scopes but it actually accepts appID.

AshishMittal02 avatar Dec 19 '23 12:12 AshishMittal02

Same problem here. I created a new service user and downloaded the JSON with the keys. Then I started the example and got exactly the same error

2023/12/21 15:06:00 ERROR cannot retrieve the organisation error="rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: http status not ok: 400 Bad Request {\"error\":\"server_error\",\"error_description\":\"invalid signature (error fetching keys: ID=QUERY-SDf32 Message=Errors.AuthNKey.NotFound Parent=(sql: no rows in result set))\"}\n"

schlapzz avatar Dec 21 '23 14:12 schlapzz

@schlapzz I recommend tracing the logic in the zitadel/zitadel repo by searching for "QUERY-SDf32" to debug it

https://github.com/search?q=repo%3Azitadel%2Fzitadel%20QUERY-SDf32&type=code

Most such issues are caused by misconfiguration.

reactima avatar Feb 29 '24 13:02 reactima