
Invalid Id Token Nonce with Zitadel #341

Open
DBLouis opened this issue Dec 7, 2024 · 13 comments

Comments

DBLouis commented Dec 7, 2024

Hi
I am trying to use this with Zitadel as IdP. It seems that the authentication succeeds, but at the redirect I get this error:

Invalid Id Token Nonce: Invalid audiences: 'xxx' is not a trusted audience

What is very surprising is that xxx is a client ID for another application, so what am I doing wrong here?

MarcelCoding (Owner) commented Dec 7, 2024

This seems like a wrong configuration on the side of your IDP, the aud should always represent the client id of the application the token is designated for.

REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.

https://openid.net/specs/openid-connect-core-1_0.html
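As an added illustration of the audience rule quoted above (example code written for this page, not code from jitsi-openid or from the issue author), here is a Python check that decodes an ID token's payload and applies the aud/azp rules from OpenID Connect Core 1.0 section 3.1.3.7: the aud claim must contain the relying party's client_id, any additional audience must be one the relying party explicitly trusts, and when several audiences are present the azp claim should be present and equal to the client_id. The issuer URL, client IDs, nonce and tokens are constructed sample values; the tokens are unsigned so the example runs offline, and signature verification is assumed to have happened before these claim checks.

```python
"""Added example, not part of jitsi-openid: ID token aud/azp validation
per OpenID Connect Core 1.0 section 3.1.3.7, run against constructed tokens."""
import base64
import json
from typing import Iterable, Optional

# Constructed sample values (assumptions, not taken from the issue).
ISSUER = "https://zitadel.example.com"
RP_CLIENT_ID = "jitsi-openid-client-id"   # the client registered for jitsi-openid
OTHER_CLIENT_ID = "grafana-client-id"     # an unrelated client at the same IdP
NONCE = "n-0S6_WzA2Mj"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    # Fabricates test input only. alg "none" must never be accepted by a real RP;
    # it is used here so the example needs no keys and runs offline.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def audience_error(claims: dict, client_id: str,
                   trusted_audiences: Iterable[str] = ()) -> Optional[str]:
    """Return None if aud/azp are acceptable for client_id, else the reason."""
    aud = claims.get("aud")
    # aud MAY be a single string or an array of strings (section 2, "aud").
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    # MUST: the RP's own client_id is listed as an audience.
    if client_id not in audiences:
        return f"aud {audiences!r} does not contain client_id {client_id!r}"
    # MUST: reject additional audiences the RP does not trust.
    trusted = {client_id, *trusted_audiences}
    for audience in audiences:
        if audience not in trusted:
            return f"Invalid audiences: '{audience}' is not a trusted audience"
    # SHOULD: with multiple audiences an azp claim is present, and any azp equals client_id.
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        return "multiple audiences present but azp claim missing"
    if azp is not None and azp != client_id:
        return f"azp {azp!r} does not match client_id {client_id!r}"
    return None


def check_id_token(token: str, client_id: str, issuer: str, nonce: str,
                   trusted_audiences: Iterable[str] = ()) -> dict:
    """Issuer, nonce and audience checks on an already signature-verified token."""
    claims = id_token_claims(token)
    if claims.get("iss") != issuer:
        raise ValueError(f"untrusted issuer {claims.get('iss')!r}")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    problem = audience_error(claims, client_id, trusted_audiences)
    if problem is not None:
        raise ValueError(problem)
    return claims


def demo() -> dict:
    """Accepts a correct token and rejects two misconfigured ones; returns the outcomes."""
    base = {"iss": ISSUER, "nonce": NONCE, "sub": "user-1"}
    good = make_unsigned_token({**base, "aud": RP_CLIENT_ID})
    wrong_client = make_unsigned_token({**base, "aud": [OTHER_CLIENT_ID]})
    extra_audience = make_unsigned_token(
        {**base, "aud": [RP_CLIENT_ID, OTHER_CLIENT_ID], "azp": RP_CLIENT_ID})
    outcome = {"good": check_id_token(good, RP_CLIENT_ID, ISSUER, NONCE)["sub"]}
    for name, token in (("wrong_client", wrong_client), ("extra_audience", extra_audience)):
        try:
            check_id_token(token, RP_CLIENT_ID, ISSUER, NONCE)
            outcome[name] = "accepted"
        except ValueError as err:
            outcome[name] = str(err)
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "is not a trusted audience" branch is the one that corresponds to the error in this issue: the token names an audience the relying party was never configured to trust, so it is rejected even when the relying party's own client_id is also present. Passing that other client ID in trusted_audiences would silence the check, but that only makes sense if the relying party really is meant to consume tokens issued for that other client.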

DBLouis (Author) commented Dec 7, 2024

Ok so just to be 100% sure:

  • In the Jitsi config, JWT_ACCEPTED_ISSUERS and JWT_ACCEPTED_AUDIENCES must be set to "jitsi", right? The readme says "fixed values", so I assume your program expects that.
  • JWT_APP_ID and JITSI_SUB are arbitrary strings and can be anything as long as they are the same
  • Jitsi and your program live on separate domain or sub-domain. There is no need for the domain to match, can be anything right?
  • Finally, in Zitadel, my application type is "Web", with response type set to Code, authentication method set to Basic (should it be Post?) and grant type is "authorization code" (many other choice here).
  • The redirect URI is https://<jitsi-openid.domain>/callback

DBLouis (Author) commented Dec 8, 2024

Is it possible to get more logs from your program? Looking at docker logs jitsi-openid I never get any lines after:
2024-12-08T07:07:04.044335Z INFO jitsi_openid: Listening on 0.0.0.0:3000, have a try on: https://oidc-jitsi.example.com/room/{name}

MarcelCoding (Owner) commented:

You can change the log level to e.g. DEBUG using the RUST_LOG environment variable.

MarcelCoding (Owner) commented:

All statements of your previous comment seem correct. I would add that I've never tried deploying jitsi and jitsi openid on the same domain. Although that does not seem relevant regarding your problem.

MarcelCoding (Owner) commented:

Just to verify the xxx in the error message of your issue is not the client id of the client designated for jitsi openid and also not the client id configured in jitsi openid.

DBLouis (Author) commented Dec 9, 2024

I do not quite understand your last comment, could you please elaborate? The xxx I see in the error message is the OAuth client ID of another, unrelated application I have in Zitadel (I think it is for Grafana). It is neither jitsi nor jitsi-openid.

MarcelCoding (Owner) commented:

All right, did you configure jitsi also in your IdP? Your IdP just needs to know jitsi openid.

MarcelCoding (Owner) commented:

But I don't know what reasons there could be for your IdP to send a wrong client id in the aud field.

DBLouis (Author) commented Dec 9, 2024

All right, did you configure jitsi also in your IdP? Your IdP just needs to know jitsi openid.

No I only setup one application in Zitadel for jitsi openid.

DBLouis (Author) commented Dec 9, 2024

Here are some screenshots, maybe you notice something wrong:
[Three screenshots of the ZITADEL Console application configuration, taken 2024-12-09 at 17:41; images not included in this text]

DBLouis (Author) commented Dec 9, 2024

Just to verify the xxx in the error message of your issue is not the client id of the client designated for jitsi openid and also not the client id configured in jitsi openid.

I set the variable CLIENT_ID and CLIENT_SECRET for jitsi openid to the ID and SECRET I get in my Idp, right?

DBLouis (Author) commented Dec 19, 2024

You might want to have a look here too:
zitadel/zitadel#9023
