From 4da29451d0c6319e705f6ca4e59b0660614ef491 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gabriel=20G=C3=B3rski?=
Date: Tue, 4 Jun 2024 10:46:24 +0200
Subject: [PATCH] Add missing `openid` scope when requesting JWT token (#2089)

According to the Zitadel documentation, `openid` scope is required when requesting JWT tokens. Apparently Zitadel was accepting requests without it until very recently. Now lack thereof causes 400 Bad Requests which makes it impossible to authenticate to the Netbird dashboard. https://zitadel.com/docs/guides/integrate/service-users/client-credentials#2-authenticating-a-service-user-and-request-a-token
---
 management/server/idp/zitadel.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/management/server/idp/zitadel.go b/management/server/idp/zitadel.go
index c09d362d8..9021d6752 100644
--- a/management/server/idp/zitadel.go
+++ b/management/server/idp/zitadel.go
@@ -154,7 +154,7 @@ func (zc *ZitadelCredentials) requestJWTToken() (*http.Response, error) {
 	data.Set("client_id", zc.clientConfig.ClientID)
 	data.Set("client_secret", zc.clientConfig.ClientSecret)
 	data.Set("grant_type", zc.clientConfig.GrantType)
-	data.Set("scope", "urn:zitadel:iam:org:project:id:zitadel:aud")
+	data.Set("scope", "openid urn:zitadel:iam:org:project:id:zitadel:aud")
 	payload := strings.NewReader(data.Encode())
 	req, err := http.NewRequest(http.MethodPost, zc.clientConfig.TokenEndpoint, payload)
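Review bot: The required scope list is now a bare string literal on the `+` line with nothing in the code saying why `openid` is there, so the next cleanup of this request is likely to drop it again and bring back the 400s this commit fixes; hoist it to a documented package-level constant, e.g. `// zitadelTokenScope is the scope the client_credentials grant must request; Zitadel rejects token requests that omit openid (see its service-users client-credentials guide).` followed by `const zitadelTokenScope = "openid urn:zitadel:iam:org:project:id:zitadel:aud"` and `data.Set("scope", zitadelTokenScope)`. The same form body carries `client_secret`, so if a rejected token request is ever logged for diagnosis, log the status code and response body rather than `data.Encode()`. requestJWTToken begins before this hunk and continues after it, so the handling of a non-2xx response is not visible here.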