zitadel / zitadel-go

ZITADEL Go - The official client library of ZITADEL for an easy integration into your Go project.
https://zitadel.com
Apache License 2.0

invalid signature (error fetching keys: ID=QUERY-SDf32 #277

Open AshishMittal02 opened 11 months ago

AshishMittal02 commented 11 months ago

I am trying to use ZITADEL APIs to create/update a user within an org. I have created a project and then an API type application, then created a key for the operation.

Now when I try to hit any of the APIs, I keep getting the error: http status not ok: 400 Bad Request {"error":"server_error","error_description":"invalid signature (error fetching keys: ID=QUERY-SDf32 Message=Errors.AuthNKey.NotFound Parent=(sql: no rows in result set))

The error doesn't say anything else. I have changed keys but get the same result every time. I have followed the example given here: https://github.com/zitadel/zitadel-go/blob/main/example/mgmt/mgmt.go

AshishMittal02 commented 11 months ago

PS: this is a self-hosted ZITADEL on a Kubernetes cluster.

AshishMittal02 commented 11 months ago

With a service account I am getting the below error: rpc error: code = Unavailable desc = connection error: desc = "error reading server preface: http2: frame too large"

hifabienne commented 11 months ago

@livio-a can you help here?

roquie commented 11 months ago

Configure the appProtocol option in Service to kubernetes.io/h2c (for zitadel service).

AshishMittal02 commented 11 months ago

@roquie I tried that but it didn't work, and the ZITADEL docs say it has to be http2 only.

fforootd commented 11 months ago

Hm, can you share your settings?

ZITADEL can operate with http1.1 only but you lose the gRPC APIs.

H2C btw. is just unencrypted http2 😁

livio-a commented 11 months ago

To access the ZITADEL API you will need a user, in this case a service user, which, like an API application, can have a key to authenticate: https://zitadel.com/docs/guides/integrate/private-key-jwt resp. https://zitadel.com/docs/examples/call-zitadel-api/go
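
The distinction drawn in the comment above, between a key created on an API application and a key created on a service user, can be checked on the downloaded key JSON before it is handed to the client. This is an added example, not part of the thread or of zitadel-go; the field names (`type`, `keyId`, `userId`, `clientId`) are assumed from ZITADEL's key file format, and the sample files, IDs and PEM body are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// Constructed sample key files; the IDs and the PEM body are placeholders, not real keys.
const pemStub = `-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n`
const serviceUserKey = `{"type":"serviceaccount","keyId":"1001","userId":"2001","key":"` + pemStub + `"}`
const applicationKey = `{"type":"application","keyId":"1002","appId":"3001","clientId":"3001@example","key":"` + pemStub + `"}`

// keyFile holds the key JSON fields (names assumed from ZITADEL's downloaded key format).
type keyFile struct {
	Type     string `json:"type"`
	KeyID    string `json:"keyId"`
	Key      string `json:"key"`
	UserID   string `json:"userId"`
	ClientID string `json:"clientId"`
}

// checkKeyFile returns the user ID to authenticate as when raw is a service
// user key, or an error naming the problem. It never prints the key material.
func checkKeyFile(raw []byte) (string, error) {
	var k keyFile
	if err := json.Unmarshal(raw, &k); err != nil {
		return "", fmt.Errorf("key file is not valid JSON: %w", err)
	}
	if block, _ := pem.Decode([]byte(k.Key)); k.KeyID == "" || block == nil {
		return "", errors.New("keyId missing or key is not PEM-encoded")
	}
	switch {
	case k.Type == "serviceaccount" && k.UserID != "":
		return k.UserID, nil
	case k.Type == "application":
		return "", fmt.Errorf("key %s belongs to application %s, not a service user", k.KeyID, k.ClientID)
	default:
		return "", fmt.Errorf("unexpected key file: type=%q userId=%q", k.Type, k.UserID)
	}
}

func main() {
	for _, raw := range []string{serviceUserKey, applicationKey} {
		user, err := checkKeyFile([]byte(raw))
		fmt.Printf("user=%q err=%v\n", user, err)
	}
}
```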

AshishMittal02 commented 11 months ago

@livio-a This is exactly what we do, with one correction. The doc says we have to give projectID in scopes but it actually accepts appID.

schlapzz commented 11 months ago

Same problem here. I created a new service user and downloaded the JSON with the keys. Then I started the example and got exactly the same error:

2023/12/21 15:06:00 ERROR cannot retrieve the organisation error="rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: http status not ok: 400 Bad Request {\"error\":\"server_error\",\"error_description\":\"invalid signature (error fetching keys: ID=QUERY-SDf32 Message=Errors.AuthNKey.NotFound Parent=(sql: no rows in result set))\"}\n"

reactima commented 9 months ago

@schlapzz I recommend tracing the logic in the zitadel/zitadel repo by searching for "QUERY-SDf32" to debug it:

https://github.com/search?q=repo%3Azitadel%2Fzitadel%20QUERY-SDf32&type=code

Most such issues are caused by misconfiguration.