Authentication Methods in ZITADEL
Client Secret Basic​
When using client_secret_basic on token or introspection endpoints, provide anAuthorization header with a Basic auth value in the following form:
Authorization: "Basic " + base64( formUrlEncode(client_id) + ":" + formUrlEncode(client_secret) )
Given the client_id 78366401571920522@amce and client_secret veryweaksecret!, this would result in the following Authorization header:
Basic NzgzNjY0MDE1NzE5MjA1MjIlNDBhbWNlOnZlcnl3ZWFrc2VjcmV0JTIx
JWT with Private Key​
When using private_key_jwt (urn:ietf:params:oauth:client-assertion-type:jwt-bearer) for token or introspection endpoints, provide a JWT as assertion generated with the following structure and signed with a downloaded key:
Key JSON
| Key | Example | Description |
|---|---|---|
| type | "application" | The type of account, right now only application is valid |
| keyId | "81693565968962154" | This is unique ID of the key |
| key | "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----" | The private key generated by ZITADEL, this can not be regenerated! |
| clientId | 78366401571920522@acme | The client_id of the application, this is the same as the subject from tokens |
| appId | 78366403256846242 | The id of the application (just for completeness, not used for JWT) |
{
"type": "application",
"keyId": "81693565968962154",
"key": "-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----",
"clientId": "78366401571920522@acme",
"appId": "78366403256846242"
}
JWT
| Claim | Example | Description |
|---|---|---|
| aud | "https://$CUSTOM-DOMAIN" | String or Array of intended audiences MUST include ZITADEL's issuing domain |
| exp | 1605183582 | Unix timestamp of the expiry |
| iat | 1605179982 | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h |
| iss | "78366401571920522@acme" | String which represents the requesting party (owner of the key), normally the clientID from the json key file |
| sub | "78366401571920522@acme" | The subject ID of the application, normally the clientID from the json key file |
{
"iss": "78366401571920522@acme",
"sub": "78366401571920522@acme",
"aud": "https://$CUSTOM-DOMAIN",
"exp": 1605183582,
"iat": 1605179982
}
To identify your key, it is necessary that you provide a JWT with a
kidheader claim representing your keyId from the Key JSON:{
"alg": "RS256",
"kid": "81693565968962154"
}