# general
g
Hi Team, I am referring to the document https://docs.lightdash.com/self-host/customize-deployment/use-sso-login-for-self-hosted-lightdash and configuring Lightdash with Zitadel using private_key_jwt. What are the required env variables for this to work? Also, please share how to perform role mapping via environment variables. I have configured the env variables below and am getting this error:
```text
2025-03-18 13:14:51 [Lightdash] http: GET /assets/react-CH8PTu7M.js 304 - 0 ms
2025-03-18 13:14:51 [Lightdash] http: GET /assets/index-B1M3rAyY.css
2025-03-18 13:14:51 [Lightdash] http: GET /assets/modules-3wF3D7cd.js
2025-03-18 13:14:51 [Lightdash] http: GET /assets/index-B1M3rAyY.css 304 - 1 ms
2025-03-18 13:14:51 [Lightdash] http: GET /assets/modules-3wF3D7cd.js 304 - 1 ms
2025-03-18 13:14:51 [Lightdash] http: GET /assets/vega-Cl8kYziG.js
2025-03-18 13:14:51 [Lightdash] http: GET /assets/vega-Cl8kYziG.js 304 - 0 ms
2025-03-18 13:14:53 [Lightdash] http: GET /api/v1/user/login-options
2025-03-18 13:14:53 [Lightdash] http: GET /api/v1/user/login-options 304 - 1 ms
2025-03-18 13:14:53 [Lightdash] http: GET /manifest.json
2025-03-18 13:14:53 [Lightdash] http: GET /manifest.json 304 - 0 ms
2025-03-18 13:14:53 [Lightdash] http: GET /assets/lightdash-black-CQ03XS_W.svg
2025-03-18 13:14:53 [Lightdash] http: GET /assets/lightdash-black-CQ03XS_W.svg 304 - 1 ms
2025-03-18 13:14:59 [Lightdash] http: GET /api/v1/livez
2025-03-18 13:14:59 [Lightdash] http: GET /api/v1/livez 200 - 0 ms
2025-03-18 13:15:07 [Lightdash] http: GET /api/v1/oauth/redirect/oidc?code=LRY2gvnhmtcW91xCz1Odg0vQS3e_k3tiT5D4Lleh3M9-Pw&state=7Ey0PuCkLyau9AhXxoZyRUgOJ4JuJCUgj5LcjIIYAIA
TypeError: no client jwks provided for signing a client assertion with
  at Client.clientAssertion (/usr/app/node_modules/.pnpm/openid-client@5.6.4/node_modules/openid-client/lib/helpers/client.js:46:11)
  at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
  at async Client.authFor (/usr/app/node_modules/.pnpm/openid-client@5.6.4/node_modules/openid-client/lib/helpers/client.js:97:25)
  at async Client.authenticatedPost (/usr/app/node_modules/.pnpm/openid-client@5.6.4/node_modules/openid-client/lib/helpers/client.js:163:16)
  at async Client.grant (/usr/app/node_modules/.pnpm/openid-client@5.6.4/node_modules/openid-client/lib/client.js:1343:22)
  at async Client.callback (/usr/app/node_modules/.pnpm/openid-client@5.6.4/node_modules/openid-client/lib/client.js:493:24)
  at async /usr/app/node_modules/.pnpm/openid-client@5.6.4/node_modules/openid-client/lib/passport_strategy.js:166:22
2025-03-18 13:15:07 [Lightdash] error: Handled error of type UnexpectedServerError on [GET] /api/v1/oauth/redirect/oidc Something went wrong.
2025-03-18 13:15:07 [Lightdash] http: GET /api/v1/oauth/redirect/oidc?code=LRY2gvnhmtcW91xCz1Odg0vQS3e_k3tiT5D4Lleh3M9-Pw&state=7Ey0PuCkLyau9AhXxoZyRUgOJ4JuJCUgj5LcjIIYAIA 500 - 3 ms
2025-03-18 13:15:09 [Lightdash] http: GET /api/v1/livez
2025-03-18 13:15:09 [Lightdash] http: GET /api/v1/livez 200 - 0 ms
```

```yaml
  - name: AUTH_OIDC_CLIENT_ID
    value: "XXXXXXXXXXXXXXXXX"
  - name: AUTH_OIDC_METADATA_DOCUMENT_URL
    value: "https://sd.zitadel.com/.well-known/openid-configuration"
  - name: LIGHTDASH_PROMETHEUS_ENABLED
    value: "true"
  - name: AUTH_DISABLE_PASSWORD_AUTHENTICATION
    value: "true"
  - name: AUTH_OIDC_AUTH_METHOD
    value: "private_key_jwt"
  - name: NODE_EXTRA_CA_CERTS
    value: /local//certifi/oidc-ca.pem
  - name: AUTH_ENABLE_GROUP_SYNC
    value: "true"
  - name: AUTH_OIDC_SCOPES
    value: "openid profile email groups"
  - name: AUTH_OIDC_ROLE_MAPPING
    value: '{"Organization Admin": "Organization Admin"}'
  - name: AUTH_OIDC_ROLE_CLAIM
    value: "role"
  - name: AUTH_OIDC_ROLE_CLAIM_TYPE
    value: "string"
  - name: AUTH_OIDC_ROLE_CLAIM_VALUE
    value: "Organization Admin"
```
p
👋 Thanks for your message - someone from the Lightdash support team will get back to you asap. Feel free to add any additional context to the thread here in the meantime (screenshots, app version if you're self-hosting etc.).
j
Hey Geethika, thanks for reaching out! We will get back to you about this as soon as we can 🙂
g
Thanks a lot @Jake Peterson
g
Hello @Geethika S Gireesh, you need to provide the key pair when using `AUTH_OIDC_AUTH_METHOD=private_key_jwt`. Here's how to do it:
```sh
# Option 1: If you want to store keys as files
AUTH_OIDC_PRIVATE_KEY_FILE_PATH="/path/to/your/private-key.pem"
AUTH_OIDC_X509_PUBLIC_KEY_CERT_PATH="/path/to/your/certificate.pem"

# OR Option 2: If you want to provide key content directly
AUTH_OIDC_PRIVATE_KEY_FILE="-----BEGIN PRIVATE KEY-----\nYour private key content here\n-----END PRIVATE KEY-----"
AUTH_OIDC_X509_PUBLIC_KEY_CERT="-----BEGIN CERTIFICATE-----\nYour certificate content here\n-----END CERTIFICATE-----"
```
You can generate those key pairs on Zitadel app: https://zitadel.com/docs/guides/integrate/token-introspection/private-key-jwt#register-the-api-in-zitadel-and-generate-private-and-public-keys
Regarding the role mapping, I'll check with the team and get back to you
Currently we don't support role mapping, I've created a ticket to track it: https://github.com/lightdash/lightdash/issues/14120
c
I've upvoted issue #14120 for you! You're the first user to request this issue. I'm tracking it, so I'll notify everyone here as soon as it's fixed.
g
That helps a lot... Thank you so much @Giorgi Bagdavadze
Hi Team, I also just want to confirm whether PKCE is supported in Lightdash:
p
Hello, when `AUTH_OIDC_AUTH_METHOD` is set to `private_key_jwt` and a key pair is provided, PKCE is enabled by default.
g
Okay, thank you @Giorgi Bagdavadze
No problem.