OIDC Generic Provider - Failed to extract ServerMetadata from context
When adding a generic OIDC provider to my Zitadel instance.
Trying to refresh the login UI, I see the specific log in my zitadel container:
Failed to extract ServerMetadata from context
...
Updating Organization Logo / Icon through the API
Is it currently possible to update the logo and the icon of an organization through the API? I couldn't find it in the documentation and it would be crucial for our work flow.
The problem is that currently our customers have the ability to set their logos through our platform and we would need to propagate the change to Zitadel for the login page branding to be correct....
Problem with upgrade from 2.66.1 to 2.67.6
Selfhosted Zitadel user with docker compose with an external PostgreSQL database here.
I just tried upgrading in two steps from 2.66.1 to 2.66.9 and from there to 2.67.6.
Only in the second step I realized that there was an error in the migration, so I am not sure whether it occured already when I upgraded to 2.66.9.
The error occured in a migration step mentioning "40_init_push_func_v4" which kept being repeated. ...
Session terminated, session.token.removed events missing in event search API
Hi team, I am looking to get active sessions of a user from events storage. I am using the API https://zitadel.com/docs/apis/resources/admin/admin-service-list-events.
Here is the body that I am using to send the request ,
```
{
"eventTypes": [...
Service user fetching /oauth/v2/token timing out
Zitadel version: v2.67.2
Running 3 instances behind nginx
Hello folks,
...
Custom OTP code
Is it possible to choose our own OTP number for the SMS OTP challange?
I'm using the session API....
Build error while migration
Hi team , I am using M1 processor and I am facing bulid errors while migration. I am facing different migration errors for different versions.
The build is working fine for intel processors in MacBook , would there be any different configuration for different processors?
The zitadel config we are using is:
...
Search User Grants sorting order does not work
hello team,
for : https://zitadel.com/docs/apis/resources/mgmt/management-service-list-user-grants
Can you please explain how the asc parameter works?...
Monitoring Zitadel http latencies via internal prometheus metrics
In order to monitor and alert on Zitadel app/pods http latencies, we have configured 95 percentile stats on ...
http_server_duration_milliseconds_bucket internal Prometheus metric (which Zitadel itself exposes):
(histogram_quantile(0.95, sum(rate(http_server_duration_milliseconds_bucket{container=~".*zitadel.*"}[5m]))
by (le, pod, net_host_name))) > 2000
(histogram_quantile(0.95, sum(rate(http_server_duration_milliseconds_bucket{container=~".*zitadel.*"}[5m]))
by (le, pod, net_host_name))) > 2000
Terminate all the active sessions at once.
Hi team, I have a user who has more than 20 sessions when I search the sessions that he has with https://zitadel.com/docs/apis/resources/session_service_v2/session-service-list-sessions. Do we have an option to terminate all the sessions at once instead of terminating the session one at a time with https://zitadel.com/docs/apis/resources/session_service_v2/session-service-delete-session ?
This termination at once would help us a lot. Thanks...
Need help upgrading form v2.55.8 to v2.67.1
I have an instance of Zitadel running on EKS that uses PostgreSQL running on RDS.
Current Zitadel Version: v2.55.8
Upgrade Version: v2.67.1
...
Options for storing zitadel's session api's token
Hi, as far as I know, the best option to storing a token is an httpOnly cookie, set by the backend. I was trying to figure out how I could do that using Zitadel, but couldn't really find a fully satisfying option, so here are the options I'm seeing:
1) have access to a zitadel's api method that would allow to have session token set as a httponly cookie (couldn't find it)
2) use the instance of the zitadel's typescript login ui running next to our zitadel's instances (non-standardized, afaik)
3) roll our own backend that will do the session creation...
Dockerfile for running zitadel/typescript?
Does anyone have a working Dockerfile for building zitadel/typescript as a docker image? I don't want to deplyo it to Vercel.
I've tried using this file, but it doesn't work:
```
FROM node:22-alpine AS base...
React - how to enable use of refresh token?
I followed this guide:
https://zitadel.com/docs/examples/login/react
which works well with my React app, however the access token valid time is set to 1 hour and my refresh token to 15 hours. After an hour I have to login again so the refresh token is not used. How do we enable the use of the refresh token?...
migration requires enterprise license?
When I want to use any version higher than 2.67.2 I get following error:
zitadel | time="2025-01-24T13:36:07Z" level=fatal msg="migration failed" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:277" error="40_init_push_func_v4 40_init_push_func.sql: ERROR: use of PL/pgSQL requires an enterprise license. see https://cockroachlabs.com/pricing for details on how to enable enterprise features (SQLSTATE XXC02)" name=40_init_push_func_v4
Is there anything I can do? I am using the free version. This problem does not exist on an instance using psql...
Actions not triggered
Are actions currently working on the hosted Zitadel Version?
I tested with a simple webhook by using the official example here: https://github.com/zitadel/actions/blob/main/examples/make_api_call.js
I added as API_URL a webhook service, tested the service with curl and then added the trigger for the action through Zitadel Console. I used three combinations:...
Creating a user with the same email could lock out other accounts
Hi, I found a problem while testing user creation, my scenario happenned to be this:
1) have an instance admin/IAM owner that has preferred login set to be same as an email
2) register another user that has a different preferred login, but same email
Now the IAM owner cannot log in, because login form is throwing an error "User not found"
...
Introspect endpoint vs local JWT validation
I have a question regarding our implemention regarding our Frontend/Backend communication.
Currently I am doing a PoC where every time our frontend makes a request to our backend, the backend is reaching out to Zitadel's introspection endpoint to validate that the token is active. Is this the best practice for validating the token as it would mean a lot of requests going to the introspect endpoint? Is there throttling for this endpoint?
The alternative from what I understand would be to get the public keys JSON Web Key Set (JWKS) and doing a local validation, with the caveout that we don't know when the keys change...
Error: Failed to extract ServerMetadata from context
I was running zitadel with docker compose and zitadel is running on port 4455. And I was able to access console on http://127.0.0.1:4455/ui/console. I was able to perform all actions on ui console. But with zitadel apis for example http://127.0.0.1:4455/v2/users then getting an ERROR: Failed to extract ServerMetadata from context with relevant headers are passed. Apis in discovery endpoints are working fine.
Multi Tenancy
Hi all, a contracted software development team is building a web app for me where clients will login with Zitadel, my internal users already login with Zitadel integrated with Google workspace SSO. Both user types are in different orgs. How can I set it up such that some internal users are allowed access to this new app?
Internal Users (signing in with workspace SSO) = org A
External Users (signing in with Zitadel - email+password) = org B
App is being designed to integrate with org B using domain app.domain.com...