fix: use issuer for jwt profile check on system api (#3741)

cmd/admin/start/start.go

@@ -29,6 +29,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/grpc/auth"
 	"github.com/zitadel/zitadel/internal/api/grpc/management"
 	"github.com/zitadel/zitadel/internal/api/grpc/system"
+	http_util "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/api/http/middleware"
 	"github.com/zitadel/zitadel/internal/api/oidc"
 	"github.com/zitadel/zitadel/internal/api/ui/console"
@@ -150,7 +151,7 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 		authZRepo,
 		queries,
 	}
-	verifier := internal_authz.Start(repo, config.ExternalDomain, systemAPIKeys)
+	verifier := internal_authz.Start(repo, http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)+oidc.HandlerPrefix, systemAPIKeys)
 
 	apis := api.New(config.Port, router, queries, verifier, config.InternalAuthZ, config.ExternalSecure, config.HTTP2HostHeader)
 	authRepo, err := auth_es.Start(config.Auth, config.SystemDefaults, commands, queries, dbClient, keys.OIDC, keys.User)

internal/api/authz/token.go

@@ -35,7 +35,7 @@ type authZRepo interface {
 	ExistsOrg(ctx context.Context, orgID string) error
 }
 
-func Start(authZRepo authZRepo, systemAPI string, keys map[string]*SystemAPIUser) (v *TokenVerifier) {
+func Start(authZRepo authZRepo, issuer string, keys map[string]*SystemAPIUser) (v *TokenVerifier) {
 	return &TokenVerifier{
 		authZRepo: authZRepo,
 		systemJWTProfile: op.NewJWTProfileVerifier(
@@ -43,7 +43,7 @@ func Start(authZRepo authZRepo, systemAPI string, keys map[string]*SystemAPIUser
 				keys:       keys,
 				cachedKeys: make(map[string]*rsa.PublicKey),
 			},
-			systemAPI,
+			issuer,
 			1*time.Hour,
 			time.Second,
 		),