
Inconsistent RequireAuthorization middleware/ Auth Context #338

Closed
JVisi opened this issue May 16, 2024 · 1 comment

Comments


JVisi commented May 16, 2024

I'm self-hosting Zitadel with PostgreSQL. I've recreated the Zitadel Go API tutorial from the quickstart, and most of the time it works correctly; however, I have noticed some inconsistency.

For example in this code snippet:

router.Handle("/api/tasks", mw.RequireAuthorization()(http.HandlerFunc(
        func(w http.ResponseWriter, r *http.Request) {
            // Using the [middleware.Context] function we can gather information about the authorized user.
            // This example will just print the user's ID using the provided method, and it will also
            // print the username by directly accessing the field of the typed [*oauth.IntrospectionContext].
            authCtx := mw.Context(r.Context())
            slog.Info("user accessed task list", "id", authCtx.UserID(), "username", authCtx.Username)

            // Although this endpoint is accessible by any authorized user, you might want to take additional steps
            // if the user is granted a specific role. In this case an `admin` will be informed to add a new task:
            list := tasks
            if authCtx.IsGrantedRole("admin") {
                list = append(list, "create a new task on /api/add-task")
            }

            // return the existing task list
            err := jsonResponse(w, &taskList{Tasks: list}, http.StatusOK)
            if err != nil {
                slog.Error("error writing response", "error", err)
            }
        })))

Sometimes it works correctly and I receive the list; however, after every couple of requests the same request gets denied a couple of times, saying that I'm unauthorized, then it works again, and this repeats:

token introspection failed: http status not ok: 400 Bad Request {"error":"unauthorized_client"}
I'm using a Service User with a PAT for testing; what can cause this inconsistency?
It might be worth mentioning that when I take out the middleware and the requests fail, the authCtx is

To reproduce
Install and set up PostgreSQL and Zitadel
Follow the tutorial available on the official Zitadel docs regarding the Go API: zitadel.com/docs/examples/secure-api/go


JVisi commented May 16, 2024

Never mind, the issue was not with Zitadel nor the Zitadel-Go package. It was caused by the fact that the time on the machine Zitadel was hosted on was behind by a couple of seconds, causing the token to be in the future on Zitadel's side.

@JVisi JVisi closed this as completed May 16, 2024
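The root cause in the closing comment is clock skew between the host that mints a token and the host that validates it. The Go program below is an added example, not code from this issue or from the zitadel-go library; the validator (CheckTimeClaims), the simulation helper (IssueAndVerify) and the reference timestamp are all hypothetical and constructed for illustration. It shows why a token whose iat is only a few seconds ahead of the verifier's clock is rejected when no leeway is allowed, and accepted once a small skew tolerance is applied:

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// TimeClaims carries the time-based JWT claims (RFC 7519 sections 4.1.4 to 4.1.6).
// A zero time means the claim is absent and is not checked.
type TimeClaims struct {
	IssuedAt  time.Time // iat
	NotBefore time.Time // nbf
	ExpiresAt time.Time // exp
}

var (
	ErrIssuedInFuture = errors.New("token issued in the future")
	ErrNotYetValid    = errors.New("token not yet valid")
	ErrExpired        = errors.New("token expired")
)

// CheckTimeClaims validates c against the verifier's clock `now`, tolerating up to
// `leeway` of clock skew in either direction between issuer and verifier.
// With leeway == 0, a token whose iat is even one second ahead of `now` is rejected,
// which is exactly what a verifier whose clock runs behind the issuer's will do.
func CheckTimeClaims(c TimeClaims, now time.Time, leeway time.Duration) error {
	latestAccepted := now.Add(leeway)    // iat and nbf may be at most this far ahead
	earliestAccepted := now.Add(-leeway) // exp may be at most this far behind

	if !c.IssuedAt.IsZero() && c.IssuedAt.After(latestAccepted) {
		return fmt.Errorf("%w: iat=%s verifier now=%s", ErrIssuedInFuture,
			c.IssuedAt.Format(time.RFC3339), now.Format(time.RFC3339))
	}
	if !c.NotBefore.IsZero() && c.NotBefore.After(latestAccepted) {
		return fmt.Errorf("%w: nbf=%s verifier now=%s", ErrNotYetValid,
			c.NotBefore.Format(time.RFC3339), now.Format(time.RFC3339))
	}
	if !c.ExpiresAt.IsZero() && !c.ExpiresAt.After(earliestAccepted) {
		return fmt.Errorf("%w: exp=%s verifier now=%s", ErrExpired,
			c.ExpiresAt.Format(time.RFC3339), now.Format(time.RFC3339))
	}
	return nil
}

// IssueAndVerify mints a one-hour token on a clock that runs `skew` ahead of the
// verifier's clock (negative skew means the issuer is behind) and verifies it at once.
// A fixed, constructed reference instant keeps the result deterministic.
func IssueAndVerify(skew, leeway time.Duration) error {
	verifierNow := time.Date(2024, 5, 16, 12, 0, 0, 0, time.UTC) // constructed reference time
	issuerNow := verifierNow.Add(skew)
	claims := TimeClaims{
		IssuedAt:  issuerNow,
		NotBefore: issuerNow,
		ExpiresAt: issuerNow.Add(time.Hour),
	}
	return CheckTimeClaims(claims, verifierNow, leeway)
}

func main() {
	cases := []struct{ skew, leeway time.Duration }{
		{0, 0},                                // clocks agree: accepted
		{3 * time.Second, 0},                  // issuer 3s ahead, no leeway: the failure from the issue
		{3 * time.Second, 10 * time.Second},   // same skew, 10s leeway: accepted
		{-2 * time.Hour, 0},                   // issuer far behind: token already expired
	}
	for _, tc := range cases {
		fmt.Printf("issuer skew %v, leeway %v: ", tc.skew, tc.leeway)
		if err := IssueAndVerify(tc.skew, tc.leeway); err != nil {
			fmt.Println("REJECTED:", err)
		} else {
			fmt.Println("accepted")
		}
	}
}
```

The second case is the situation the reporter hit: the verifying host's clock is a few seconds behind, so a freshly minted token lands in the future and is refused. Leeway is a tolerance for small drift, not a fix; the fix is keeping both hosts NTP-synchronised, and the host to check first is the one that produced the 400 unauthorized_client response, as the reporter found.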