ZITADEL


ZITADEL - Identity infrastructure, simplified for you.


Login V2 not working with virtual instance?

Hi, I'm trying to test out the virtual instance functionality, but I'm running into a problem when trying to sign in to the non-default instance. I'm running the standard docker compose from the docs (https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/deploy/docker-compose.yaml), except for the fact that I added a system api user via the ZITADEL_SYSTEMAPIUSERS env var. The default instance works fine. I can go to localhost:8080 and it'll redirect me to :3000 for the login v2 ui, which allows me to login just fine....

Issue linking existing user with SAML IdP (External User Not Found)

Hi 👋, I’m having an issue with SAML login and automatically linking an external user to an existing Zitadel user. Problem ...

First test-deployment using nomad: cannot login (using loginv2)

I made an initial deployment of Zitadel in a nomad cluster. After first start I saved the 2 .pat files' contents to vault, and render them back to ZITADEL_SERVICE_USER_TOKEN_FILE=/local/login-client.vault.pat for both the login and main container. When I try to login, I get in the main container:

```
2025-08-27T16:32:07.518788054+02:00 stderr F time="2025-08-27T14:32:07Z" level=info msg="server is listening on [::]:8080" caller="/home/runner/work/zitadel/zitadel/cmd/start/start.go:677"
2025-08-27T16:32:54.628370448+02:00 stderr F time="2025-08-27T14:32:54Z" level=warning msg="token verifier repo: decrypt access token" caller="/home/runner/work/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore/token_verifier.go:282" error="ID=APP-8EF0zZ Message=invalid token"
2025-08-27T16:32:54.628370448+02:00 stderr F time="2025-08-27T14:32:54Z" level=warning msg="token verifier repo: verify JWT access token" caller="/home/runner/work/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore/token_verifier.go:286" error="parsing of request failed: token contains an invalid number of segments"
```
...

ClientID has no @ symbol

Hi, I am a new user of Zitadel and am receiving a 400 error (ERROR:auth:Introspection request failed: 400 Client Error: Bad Request for url:) when using the private JWT key auth method. I believe I am passing the token appropriately but I have a sneaking suspicion the fact that my clientID is different than the documentation may be an issue. My clientID does not include the @project_name. As I was reading through the documentation it seems as when you select the private key JWT authentication me...

MCP DCR support

Hello, I would like to ask if you support or plan to support the Dynamic Client Registration specification as described in https://datatracker.ietf.org/doc/html/rfc7591 ? I am considering using Zitadel as my Authorization Server (my use case is an MCP Server) and I want to expose the OAuth 2.1 authorization code grant flow to MCP Clients. Do you plan to officially support MCP use cases? ...

Bigger picture - SCIM between Entra ID and Zitadel

Hi - thank you for working on Zitadel, it's awesome to see all the things being added all the time. We have some customers that would love to use Entra ID to let their end users sign in to our products. The idea is to create:...

Default role during account creation without v2 actions.

Hi everyone! Thanks for the great product. In our self-hosted setup, we had a flow in Actions v1 where, upon a public user registration, the user was automatically granted a default role (internal/external flow). However, after upgrading from v3 to v4, it seems that Actions v1 no longer triggers at all (we also switched to login v2, if that's relatable). I've read posts here suggesting that we should move to Actions v2 since v1 will be deprecated soon. But from what I can tell, there doesn't seem to be a way to assign a role to a user internally within Zitadel the way v1 allowed....

Available authentication flows?

Hello. I don't clearly understand the available authentication flows. Is zitadel designed for OAuth/OIDC only? We want to use classic cookie-based sessions and zitadel as a proxy, or at least JWT tokens. Self-hosted registration only, without OAuth or OIDC. ...

We have configured Google and MS as external IdPs, but these buttons do not show up at login

What setting are we missing? We setup all client_id's and secrets for both.

Integrating ZITADEL in a mobile app, UX issue

Hi, I’m integrating ZITADEL in a mobile app. I’d like users to log in natively with Google/Apple. Currently, when the user taps “Login with Google,” the app opens the browser where they see the ZITADEL login screen again (with Google/Apple buttons), so it feels like a duplicate step. Does ZITADEL fully support a flow where I can skip the extra login screen by exchanging the native Google/Apple ID token directly for ZITADEL tokens (token exchange)? And if yes, is there a recommended setup or exam...

FaceID (2FA) stopped working after ExternalDomain change?

I had to change the ExternalDomain setting for a self hosted Zitadel 2 7 server, rerunning the setup step (no errors reported). Now a customer reports that FaceID is not working on his Apple devices, but just a QR is being shown. I have no detail yet on whether scanning the QR works. Would changing ExternalDomain affect stored 2FA?...

failed to validate certificate from request: %!w(<nil>)

Hello Zitadel Community, I am trying to onboard Salesforce Lumary into Zitadel using SAML. All config is done but I am getting the error below: <StatusMessage> failed to validate certificate from request: %!w(<nil>) ...

Web console shows Organization Metadata values with incorrect encoding in Zitadel v3.x.x

Hi. As shown in the screenshot, the value for any key in the organization metadata is illegible. If I click the Edit button it's OK inside the popup window. It happens in all v3 versions including latest 3.4.0 (v2 and v4 are OK). Thanks!...

Intended behaviour of livenessProbe

Hi, we are using Zitadel in production on Kubernetes. We deployed it with Flux using the official helm chart. Recently, we observed that the livenessProbe always returns "ok" even if Zitadel is not able to connect to its database (and is therefore broken). The readiness probe fails, as we would have expected. Is this behaviour intended? Environment: self-hosted...

Multiple bugs with Microsoft IdP

Hello there, I've tried to set up Microsoft IdP with the default settings on a fresh self-hosted instance of Zitadel version 4.0.2, but I encountered a lot of issues and I'm at a loss. I've followed every step in the documentation and, at first, the first error I get is from Microsoft (first image): the URL provided by the registration page (/ui/login/login/externalidp/callback) doesn't match what is actually requested (/ipds/callback). Adding it to the allowed redirect URIs in Entra lets me move on, only to get a Login failed error (second image). Following an older thread I found here I tried to search for "id_token" in the network requests but didn't find anything; searching just for "token" I found the callback request with the auth code but no cleartext JWT. Can anyone help me? 🙏 Thanks so much in advance! L....

Login as an existing user to reproduce API bugs

Hi, I have a question regarding debugging and reproducing issues in Zitadel. Sometimes we run into bugs where an API call is only valid within the context of a specific user. As developers, this makes it difficult to reproduce and debug, since we can’t easily simulate the exact user session or context. Is there a way to log in “as” an existing user (impersonation or similar) so we can reproduce these issues in their context? If so, what would be the recommended or secure approach to do this?...

Federated login using Microsoft Entra ID as IdP, but only for pre-approved customers?

We want to allow users to log in with Microsoft Entra ID, but ONLY if they come from one of the tenants we trust. What we've tried: Following https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc allows end users for one specific Entra ID tenant to log in. That's better than nothing, but it means we'd have an Entra ID login button for each tenant. That would be awkward, can Zitadel do better than that? More details: We want to provide a generic "Log in with Entra ID" button on the login UI in Zitadel. That'll ship the user to Entra ID where they do the actual login. Coming back to Zitadel, we then want to make sure the tenant they belong to is one we have a commercial relationship with (an allow-list, basically). After that we want to grab the list of roles we are allowed to see from Entra ID and include those in the access token....
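The allow-list step the post above describes (generic Entra ID button, then accept only trusted home tenants and pull the app roles) can be done on the claims of the returned ID token. The following is an added example, not ZITADEL's or Microsoft's code: it assumes a multi-tenant Entra app registration, where the `iss` claim is `https://login.microsoftonline.com/{tid}/v2.0` and app roles arrive in the `roles` claim, and it assumes the RS256 signature has already been verified against the tenant's JWKS before these checks run. The tenant IDs, client ID, role names and sample token are constructed for the example. The segment check in `parse_compact_jwt` is the same condition behind the "token contains an invalid number of segments" warning quoted in the nomad thread above.

```python
"""Tenant allow-list and role mapping for a multi-tenant Entra ID login.

Added example, not ZITADEL code. Assumption: the token's RS256 signature was
already verified against the issuing tenant's JWKS; only claims are checked here.
"""
import base64
import json
import time
from typing import Optional

ENTRA_ISSUER_PREFIX = "https://login.microsoftonline.com/"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_compact_jwt(token: str) -> tuple:
    """Split a compact JWS into (header, claims). Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        # A PAT/token file holding anything other than header.payload.signature
        # fails here, before any cryptographic check is even attempted.
        raise ValueError("token contains an invalid number of segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_entra_claims(claims: dict, allowed_tenants: set, expected_aud: str,
                          now: Optional[float] = None) -> str:
    """Return the home tenant ID if the claims pass, else raise PermissionError.

    With a multi-tenant registration the issuer embeds the tenant, so `iss`
    must agree with `tid`: a token naming one tenant in `tid` but issued under
    another tenant's issuer URL is rejected.
    """
    now = time.time() if now is None else now
    tid = claims.get("tid")
    if not tid or claims.get("iss") != f"{ENTRA_ISSUER_PREFIX}{tid}/v2.0":
        raise PermissionError("issuer does not match tid")
    if claims.get("aud") != expected_aud:
        raise PermissionError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if tid not in allowed_tenants:
        # Unknown tenant: refuse before any local user is created or linked.
        raise PermissionError(f"tenant {tid} is not on the allow-list")
    return tid


def map_roles(claims: dict, role_map: dict) -> list:
    """Translate Entra app roles (`roles` claim) to local role keys.

    Unmapped roles are dropped, not passed through, so a tenant admin cannot
    mint arbitrary local roles by assigning new app roles on their side.
    """
    return sorted({role_map[r] for r in claims.get("roles", []) if r in role_map})


# --- constructed sample data (hypothetical IDs and roles) ---
ALLOWED_TENANTS = {"11111111-1111-1111-1111-111111111111"}
CLIENT_ID = "00000000-aaaa-bbbb-cccc-000000000000"
ROLE_MAP = {"Order.Manager": "order_manager", "Order.Reader": "order_reader"}


def make_unsigned_token(claims: dict) -> str:
    """Build a token with a placeholder signature, for the offline example only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


def example(tid: str = "11111111-1111-1111-1111-111111111111") -> tuple:
    """Run the allow-list and role mapping on a constructed token for `tid`."""
    claims = {
        "iss": f"{ENTRA_ISSUER_PREFIX}{tid}/v2.0",
        "tid": tid,
        "aud": CLIENT_ID,
        "exp": 1_700_000_600,
        "preferred_username": "alice@example.test",
        "roles": ["Order.Manager", "Order.Reader", "Billing.Admin"],
    }
    _, parsed = parse_compact_jwt(make_unsigned_token(claims))
    tenant = validate_entra_claims(parsed, ALLOWED_TENANTS, CLIENT_ID, now=1_700_000_000)
    return tenant, map_roles(parsed, ROLE_MAP)


if __name__ == "__main__":
    print(example())
```

The order matters: the issuer/tid consistency, audience and expiry checks run before the allow-list lookup, and the allow-list decision is taken before any user record is created or linked, so a user from an untrusted tenant never gets as far as the role step.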

Adding userGrants in Post Creation trigger (external auth flow) fails for Entra

Hi, I'm evaluating Zitadel for SSO and identity brokering. I'm following this guide to set up role authorizations based on information in claims from Entra Id. I want to achieve something similar as described in https://discord.com/channels/927474939156643850/1259811021325864981 or https://discord.com/channels/927474939156643850/1255453819286851645 but for Post Creation trigger. In a nutshell I would like to assign roles to users created by logging in through SSO via MS Entra. After setting up SSO with Entra and verifying that it works I followed the guide linked above but got "Errors.UserGrant.NoPermissionForProject (EVENT-Shu7e)" on UI and following log:...

Seeding new zitadel instances

I'm trying to get Zitadel (self-hosted) working with our current setup, but one requirement is that we can't have any manual GUI setup. What's the recommended way for creating applications in the instance? In a way that means my own helm-charts can have the application secrets mounted? My current idea is to do an 'import' after we run our database seeding, so that the instances start with a 'common base' (obviously I'd use different keys for them) - This would also work for local development with docker too. This is blocked by my other question )...