| Excerpt | ||
|---|---|---|
| ||
QTA-10000 outlines, how primarily self-hosting clients can maintain control/access over/to their IDP (specifically Zitadel) instance where human access was granted over an Identity Provider which then for any reason broke or became invalid (e.g. an expired secret). |
Statement
This procedure is neither a security leak, issue or backdoor. Granting System API Access to key-authenticated users is a core feature of Zitadel. Having this authentication in place ensures, that the deployment operator (the persona self-hosting the IDP) can always recover the instance even if the instance owners (users or the deployment operator themselves) make potentially fatal (lock-out) configuration mistakes.
Mitigation
The mitigation is actually achievable via the Zitadel Documentation. Unique outlines the high-level procedure again though as it can be critical to restore/keep the control over the instance.
...
Follow the Access ZITADEL System API guide to create
a key pair
add the key pair to the instance (deployment)
assign a role to the key
Code Block zitadel: configmapConfig: SystemAPIUsers: - my-emergency-user-1: KeyData: <base64 encoded public key .pub> Memberships: - MemberType: System Roles: - "IAM_OWNER"⚠️ This is an example! Make sure you choose your roles carefully for the use cases you want to cover! Refer to the Access ZITADEL System API guide to learn more.
You must create yourself a JWT. This part is not so trivial but Zitadel offers help here as well:
https://github.com/zitadel/zitadel-tools →
key2jwt
Since we try to update a
clientSecretor an IdP in this procedure, depending where the IdP was added there is a two way split:The IdP was added to the Instance…
The IdP was added to an organisation…
It goes without saying that the private key from step 1 is stored according to your companies standards.
Impact
There is no downtime expected when following the mitigation. Also the mitigation can be performed anytime.
...