ZITADEL

ZITADEL - Identity infrastructure, simplified for you.

Join

ZITADEL

ZITADEL - Identity infrastructure, simplified for you.

Join

questions-help-bugs

product-feedback-requests

Kanimozhi

8/28/2025

Password Expiration Warning

Hi all, I have configured the password expiration feature in Zitadel under Organization Settings → Password Expiry. I set Maximum validity in days to 2 and Expiration warning after days to 1. The maximum validity setting works as expected — after 2 days, the system requires me to set a new password....

arunmg007

8/27/2025

Initial Human login fails with 'Could not verify password' - Docker Deployment

Tried with default and custom username and password using steps.yaml with overriding initial creds. But still fails with the same error Could not verify password appreciate any help to resolve this. Including a screenshot of the first login message....

Noah

8/27/2025

Hi, I'm trying to test out the virtual instance functionality, but I'm running into a problem when trying to sign in to the non-default instance. I'm running the standard docker compose from the docs (https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/deploy/docker-compose.yaml), except for the fact that I added a system api user via the ZITADEL_SYSTEMAPIUSERS env var. The default instance works fine. I can go to localhost:8080 and it'll redirect me to :3000 for the login v2 ui, which allows me to login just fine....

Shengael

8/27/2025

Issue linking existing user with SAML IdP (External User Not Found)

Hi 👋, I’m having an issue with SAML login and automatically linking an external user to an existing Zitadel user. Problem ...

ppenguin

8/27/2025

First test-deployment using nomad: cannot login (using loginv2)

I made an initial deployment of Zitadel in a nomad cluster. After first start I saved the 2 .pat file's contents to vault, and render them back to ZITADEL_SERVICE_USER_TOKEN_FILE=/local/login-client.vault.pat for both the login and main container. When I try to login, I get in the main container: ``` 2025-08-27T16:32:07.518788054+02:00 stderr F time="2025-08-27T14:32:07Z" level=info msg="server is listening on [::]:8080" caller="/home/runner/work/zitadel/zitadel/cmd/start/start.go:677" ,2025-08-27T16:32:54.628370448+02:00 stderr F time="2025-08-27T14:32:54Z" level=warning msg="token verifier repo: decrypt access token" caller="/home/runner/work/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore/token_verifier.go:282" error="ID=APP-8EF0zZ Message=invalid token" 2025-08-27T16:32:54.628370448+02:00 stderr F time="2025-08-27T14:32:54Z" level=warning msg="token verifier repo: verify JWT access token" caller="/home/runner/work/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore/token_verifier.go:286" error="parsing of request failed: token contains an invalid number of segments"...

BadToken

8/26/2025

ClientID has no @ symbol

Hi, I am a new user of Zitadel and am receiving a 400 error (ERROR:auth:Introspection request failed: 400 Client Error: Bad Request for url:) when using the private JWT key auth method. I believe I am passing the token appropriately but I have a sneaking suspicion the fact that my clientID is different than the documentation may be an issue. My clientID does not include the @project_name. As I was reading through the documentation it seems as when you select the private key JWT authentication me...

kappapilla

8/26/2025

can i get custom Okta profile fields in external IdP scenario?

https://zitadel.com/docs/guides/integrate/identity-providers/additional-information

alexgeo

8/26/2025

MCP DCR support

Hello, I would like to ask if you support or you plan to support the Dynamic Client Registration specification as described https://datatracker.ietf.org/doc/html/rfc7591 ? I am considering using Zitadel as my Authorization Server (my use case is an MCP Server) and I want to expose OAuth 2.1 authorization code grant flow to MCP Clients. Do you plan to officially supporting MCP use cases? ...

rud

8/26/2025

Bigger picture - SCIM between Entra ID and Zitadel

Hi - thank you for working on Zitadel, it's awesome to see all the things being added all the time. We have some customers that would love to use Entra ID to let their end users sign in to our products. The idea is to create:...

justincase6507

8/26/2025

Default role during account creation without v2 actions.

Hi everyone! Thanks for the great product. In our self-hosted setup, we had a flow in Actions v1 where, upon a public user registration, the user was automatically granted a default role (internal/external flow). However, after upgrading from v3 to v4, it seems that Actions v1 no longer triggers at all (we also switched to login v2 if that relatable) I’ve read posts here suggesting that we should move to Actions v2 since v1 will be deprecated soon. But from what I can tell, there doesn’t seem to be a way to assign a role to a user internally within Zitadel the way v1 allowed....

8/26/2025

Available authentication flows?

Hello. Im not clearly understand the available authentication flows. Is zitadel designed for oauth OIDC only? We want to use classic cookie-based sessions and zitadel as a proxy, or at least jwt tokens. Self-hosted registration only, without oauth or oidc. ...

Riël

8/25/2025

We have configured Google and MS as external IDP, but these buttons do now show up at login

What setting are we missing? We setup all client_id's and secrets for both.

destbro7

8/25/2025

Integrating ZITADEL in a mobile app, UX issue

Hi, I’m integrating ZITADEL in a mobile app. I’d like users to log in natively with Google/Apple. Currently, when the user taps “Login with Google,” the app opens the browser where they see the ZITADEL login screen again (with Google/Apple buttons), so it feels like a duplicate step. Does ZITADEL fully support a flow where I can skip the extra login screen by exchanging the native Google/Apple ID token directly for ZITADEL tokens (token exchange)? And if yes, is there a recommended setup or exam...

Equinoxe

8/24/2025

FaceID (2FA) stopped working after ExternalDomain change?

I had to change the ExternalDomain setting for a self hosted Zitadel 2 7 server, rerunning the setup step (no errors reported) . Now a customer reports that FaceID is not working on his Apple devices, but just a QR is being show. I have not detail yet on if scanning the QR works. Would changing ExternaDomain affect stored 2FA?...

Bumble Beee

8/24/2025

failed to validate certificate from request: %!w(<nil>)

Hello Zitadel Community, I am trying to onboard Salesforce Lumary into Zitadel using SAML. All config done but I am getting below error : <StatusMessage> failed to validate certificate from request: %!w(<nil>) ...

darioef

8/22/2025

Web console shows Organization Metadata values with incorrect encoding in Zitadel v3.x.x

Hi. As shown in the screenshot, the value for any key in the organization metadata is illegible. If I click the Edit button it's OK inside the popup window. It happens in all v3 versions including latest 3.4.0 (v2 and v4 are OK). Thanks!...

lnxu303

8/22/2025

Intended beaviour of livenessProbe

Hi, we are using Zitadel in production on Kubernetes. We deployed it with Flux using the official helm chart. Recently, we observed that the livenessProbe always returns "ok" even if Zitadel is not able to connect to its database (and therefore broken). The readyness probe fails, as we would have expected. Is this behaviour intended? Environment: self-hosted...

elsitar

8/21/2025

Multiple bugs with Microsoft IdP

Hello there, I've tried to set up Microsoft IdP in the default settings on a fresh self-hosted instance of Zitadel version 4.0.2, but i encountered a lot of issues and I'm at a loss. I've followed every step in the documentation and, at first, the first error I get is from Microsoft (first image): the url provided by the registration page (/ui/login/login/externalidp/callback) doesn't match with what is actually requested (/ipds/callback). Adding it to the allowed redirect URIs in Entra let's me move only to get a Login failed error (second image). Following an older threat i've found here i tried to search for "id_token" in the network requests but didn't find anything, searching just for "token" i've found the callback request with the auth code but no cleartext jwt. Can anyone help me? 🙏 Thanks so much in advance! L....

veinnotnice

8/20/2025

Hi, I have a question regarding debugging and reproducing issues in Zitadel. Sometimes we run into bugs where an API call is only valid within the context of a specific user. As developers, this makes it difficult to reproduce and debug, since we can’t easily simulate the exact user session or context. Is there a way to log in “as” an existing user (impersonation or similar) so we can reproduce these issues in their context? If so, what would be the recommended or secure approach to do this?...

rud

8/20/2025

Federated login using Microsoft Entra ID as IdP, but only for pre-approved customers?

We want to allow users to log in with Microsoft Entra ID, but ONLY if they come from one of the tenants we trust. What we've tried: Following https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-oidc allows end users for one specific Entra ID tenant to log in. That's better than nothing, but it means we'd have an Entra ID login button for each tenant. That would be awkward, can Zitadel do better than that? More details: We want to provide a generic "Log in with Entra ID" button on the login UI in Zitadel. That'll ship the user to Entra ID where they do the actual login. Coming back to Zitadel, we then want to make sure the tenant they belong to is one we have a commercial relationship with (an allow-list, basically). After that we want to grab the list of roles we are allowed to see from Entra ID and include those in the access token....

Previous Next