Using:
Example Zitadel.WebApi source
nuget version 5.0.24
Zitadel self-hosted Docker v2.19.2

User Roles are not mapped from zitadel claims:

HTTP /authed/jwt response:

{
    "ping": "Pong",
    "timestamp": "2023-02-23T13:07:47.8544079+13:00",
    "authType": "ZITADEL_JWT",
    "userName": "Shaun Wratten",
    "userId": "201926742074524083",
    "claims": [
        {
            "type": "active",
            "value": "true"
        },
        {
            "type": "aud",
            "value": "202357448760164787@licensing"
        },
        {
            "type": "aud",
            "value": "202357485485490611@licensing"
        },
        {
            "type": "aud",
            "value": "202342795002773939"
        },
        {
            "type": "client_id",
            "value": "202357448760164787@licensing"
        },
        {
            "type": "email",
            "value": "[email protected]"
        },
        {
            "type": "email_verified",
            "value": "true"
        },
        {
            "type": "exp",
            "value": "1677153977"
        },
        {
            "type": "family_name",
            "value": "Wratten"
        },
        {
            "type": "given_name",
            "value": "Shaun"
        },
        {
            "type": "iat",
            "value": "1677110777"
        },
        {
            "type": "iss",
            "value": "https://my.self.hosted.zitadel.domain"
        },
        {
            "type": "jti",
            "value": "202358016870187443"
        },
        {
            "type": "name",
            "value": "Shaun Wratten"
        },
        {
            "type": "nbf",
            "value": "1677110777"
        },
        {
            "type": "preferred_username",
            "value": "[email protected]"
        },
        {
            "type": "sub",
            "value": "201926742074524083"
        },
        {
            "type": "token_type",
            "value": "Bearer"
        },
        {
            "type": "updated_at",
            "value": "1676854129"
        },
        {
            "type": "urn:zitadel:iam:org:project:roles",
            "value": "{\"Admin\":{\"201926742074458547\":\"arl.co.nz\"},\"User\":{\"201926742074458547\":\"arl.co.nz\"}}"
        },
        {
            "type": "username",
            "value": "[email protected]"
        },
        {
            "type": "scope",
            "value": "openid"
        },
        {
            "type": "scope",
            "value": "email"
        },
        {
            "type": "scope",
            "value": "profile"
        },
        {
            "type": "scope",
            "value": "urn:zitadel:iam:org:project:role:Admin"
        },
        {
            "type": "scope",
            "value": "urn:zitadel:iam:org:project:role:User"
        }
    ],
    "isInAdminRole": false,
    "isInUserRole": false
}

I assume this is a bug?

I am currently trying to use Zitadel to authenticate users in a Blazor Webassembly App.

Is this possible with this package?

Do you have some guidance for it?

The dependency update for Zitadel is stuck. The renovate bot's attempt to upgrade the submodule leads to a failing build in the pull request.

This prevents developers from using the most recent API features or bug fixes.
The error is caused by missing proto definitions.

Use the same claim types (e.g. ClaimTypes.Name instead of just "name") for AddZitadel, AddZitadelWithSession and AddZitadelApi

Hi

I am trying to use Zitadel with Azure Functions butI am having trouble setting it up.

I am running .NET 8 in isolated mode. I have a test app, to which I am logged and I am trying to send fetch with Barer token to the emulated function/

I have been trying to use the DarkLoop.Azure.Functions.Authorization, which returns 401 all the time.
Other attempt was to use the ZitadelAPI but I have no idea where introspection API is and how to use it.

I am having 2 problems. The first one is an issue that I can't seem to resolve using the Zitadel SDK following this code example to Authenticate a service account: https://github.com/smartive/zitadel-net/blob/main/examples/Zitadel.ApiAccess/Program.cs

I am getting back a response from my zitadel cloud instance of issuedAt of token is in the future: (iat: 2023-04-10 22:18:07 +0000 UTC, now with offset: 2023-04-10 22:18:06 +0000 UTC)\" I don't know why the server is telling me my issuedAt time is in the future. I don't even know how to specify the criteria the determines the issuedAt but I believe this is potentially a Daylight Saving Time bug. I'm not 100% sure. I'm getting the exact same issue when running Zitadel's tests locally as well. My machine is in Central Daylight Time GMT-5 (When Standard it's -6 GMT), but we are currently in a daylight saving time period. Again, this is just a theory, but I'm wondering if somehow it's a timezone or daylight saving time related issue.

The second concern I have, is that I wasn't able to even find this error message without downloading the Zitadel c# sdk source code and importing it locally to my project as a project reference, because the zitadel gRPC calls were just returning a very generic response like this: Error starting gRPC call. HttpRequestException: Response status code does not indicate success: 400 (Bad Request).", DebugException="System.Net.Http.HttpRequestException: Response status code does not indicate success: 400 (Bad Request).") I had to dig all the way into Zitadel.Credentials.ServiceAccount.AuthenticateAsync to find a meaningful error message to work with. EnsureSuccessStatusCode() was converting the message that the Zitadel api was actually returning into "400: Bad Request". I think the fix would be to append original error message from the cloud api as opposed to completely replacing it

right now only 400 requests are returned. if there is an error, it should include the error message details.

Installed nuget package version: 5.0.14

Following the documentation from here: Authentication in Web APIs the Basic Auth with client_id and client_secret successfully validates the access token whereas the JWT profile does not. I'm able to load and parse the JSON from string and from file but the endpoint returns Unauthorized with the same test user in contrast to when using Basic Auth.

Are you able to reproduce this on your end?
Thanks & best regards

I am getting AuthenticationFailureException: OpenIdConnectAuthenticationHandler: message.State is null or empty. if iam tring to use Zitadel for Razor pages in .net 8

Hi, currently I'm hosting a test instance of zitadel in docker. The address is http://localhost:8080.

Now I want to access the zitadel api via a ManagementClient of this library.

    var serviceAccount = ServiceAccount.LoadFromJsonString(serviceAccountJson);
    _managementClient = Clients.ManagementService(new Clients.Options(options.Value.Authority, ITokenProvider.ServiceAccount(options.Value.Authority, serviceAccount, new ServiceAccount.AuthOptions { ApiAccess = true })));

...

    var usersResponse = await _managementClient.ListUsersAsync(new ListUsersRequest());

However when I use this client I get the following exception:

Grpc.Core.RpcException: Status(StatusCode="Internal", Detail="Error starting gRPC call. InvalidOperationException: IDX20803: Unable to obtain configuration from: 'http://localhost:8080/.well-known/openid-configuration'. ArgumentException: IDX20108: The address specified 'http://localhost:8080/.well-known/openid-configuration' is not valid as per HTTPS scheme. Please specify an https address for security reasons. If you want to test with http address, set the RequireHttps property  on IDocumentRetriever to false. (Parameter 'address')", DebugException="System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'http://localhost:8080/.well-known/openid-configuration'.")
 ---> System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'http://localhost:8080/.well-known/openid-configuration'.
 ---> System.ArgumentException: IDX20108: The address specified 'http://localhost:8080/.well-known/openid-configuration' is not valid as per HTTPS scheme. Please specify an https address for security reasons. If you want to test with http address, set the RequireHttps property  on IDocumentRetriever to false. (Parameter 'address')
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync()
   at Zitadel.Credentials.ServiceAccount.AuthenticateAsync(String audience, AuthOptions authOptions)
   at Zitadel.Api.ServiceAccountTokenProvider.Handler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at Grpc.Net.Client.Internal.GrpcCall`2.RunCall(HttpRequestMessage request, Nullable`1 timeout)
   --- End of inner exception stack trace ---

I think it's related to gRPC and the need for HTTPS but I can't find a way to set RequireHttps on IDocumentRetriever to false as mentioned in the error.

I've already tried to resolve the issue by calling the following code as described in the Microsoft documentation on gRPC but no improvement:

IdentityModelEventSource.ShowPII = true;
AppContext.SetSwitch("System.Net.Http.SocketsHttpHandler.Http2UnencryptedSupport", true);

Is it possible that this library can't be used without HTTPS or is there a way to work around this?

In order to support multiple C# runtimes, multitargeting for NetStandard 2.1 should be added to the Zitadel.gRPC library.

Specifically, this will assist with the development of LuzFaltex.Zitadel's console library which allows desktop services to integrate with Zitadel's rest API.

API change

Modify config.target's target framework selection.

<PropertyGroup>
-     <TargetFramework>net6.0</TargetFramework>
+     <TargetFrameworks>netstandard2.1;net6.0</TargetFrameworks>
</PropertyGroup>

Risks

I have examined the Zitadel.gRPC dependencies to ensure there are no issues, however a similar check has yet to be performed for Zitadel.Net library. It is possible that some third party nuget dependencies will not be compatible with NetStandard 2.1. That said, this compatibility is only necessary for the gRPC package, so if there are any issues, an alternative solution may be to modify that projects csproj instead to minimize the potential impact of this change.

Edit: If this change is approved, I am willing to PR the issue.

🚨 The automated release from the main branch failed. 🚨

I recommend you give this issue a high priority, so other packages depending on you can benefit from your bug fixes and new features again.

You can find below the list of errors reported by semantic-release. Each one of them has to be resolved in order to automatically publish your package. I’m sure you can fix this 💪.

Errors are usually caused by a misconfiguration or an authentication problem. With each error reported below you will find explanation and guidance to help you to resolve it.

Once all the errors are resolved, semantic-release will release your package the next time you push a commit to the main branch. You can also manually restart the failed CI job that runs semantic-release.

If you are not sure how to resolve this, here are some links that can help you:

• Usage documentation
• Frequently Asked Questions
• Support channels

If those don’t help, or if this issue is reporting something you think isn’t right, you can always ask the humans behind semantic-release.

Cannot push to the Git repository.

semantic-release cannot push the version tag to the branch main on the remote Git repository with URL https://github.com/zitadel/zitadel-net.

This can be caused by:

• a misconfiguration of the repositoryUrl option
• the repository being unavailable
• or missing push permission for the user configured via the Git credentials on your CI environment

Good luck with your project ✨

Your semantic-release bot 📦🚀

When using the AddIDPLink() function, I receive the following error:

Grpc.Core.RpcException: Status(StatusCode="Cancelled", Detail="Bad gRPC response. Invalid content-type value: text/html; charset=utf-8")
   at Grpc.Net.Client.Internal.HttpClientCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequestrequest)
   at Grpc.Core.Interceptors.InterceptingCallInvoker.<BlockingUnaryCall>b__3_0[TRequest,TResponse](TRequest req, ClientInterceptorContext`2 ctx)
   at Grpc.Core.ClientBase.ClientBaseConfiguration.ClientBaseConfigurationInterceptor.BlockingUnaryCall[TRequest,TResponse](TRequest request, ClientInterceptorContext`2 context, BlockingUnaryCallContinuation`2 continuation)
   at Grpc.Core.Interceptors.InterceptingCallInvoker.BlockingUnaryCall[TRequest,TResponse](Method`2 method, String host, CallOptions options, TRequestrequest)
   at Zitadel.User.V2Alpha.UserService.UserServiceClient.AddIDPLink(AddIDPLinkRequest request, Metadata headers, Nullable`1 deadline, CancellationToken cancellationToken)
   at project.Services.SSO.Implementations.Zitadel.GRPCClient.LinkUserIDP(String zitadelUserId, User user) in ...

I think this was caused by a change in the latest release of Zitadel as this function has previously worked in my code.

This issue provides visibility into Renovate updates and their statuses. Learn more

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(test deps): update testing dependencies (Microsoft.AspNetCore.Mvc.Testing, Microsoft.NET.Test.Sdk, Roslynator.Analyzers, StyleCop.Analyzers)
• chore(test deps): update dependency fluentassertions to v6

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• fix(deps): update dependencies to v5 (major) (Microsoft.AspNetCore.Authentication.JwtBearer, Microsoft.AspNetCore.Authentication.OpenIdConnect)

• Check this box to trigger a request for Renovate to run again on this repository

Zitadel may want to update it's reference from the package Portable.BouncyCastle to BouncyCastle.Cryptography which appears to be the latest and up to date support for .net Crypto from BouncyCastle. Portable.BouncyCastle is over year since last update. https://www.bouncycastle.org/csharp/ Their website explicitly mentions BouncyCastle.Cryptography. I downloaded the source code for Zitadel c# sdk and tried BouncyCastle.Cryptography without any compilation issues or seemingly runtime issues so far.