Key

Error with typescript app detecting wrong hostname ? After our login-demo app using the next middleware forwards to

GET https://login.foo.com/oauth/v2/authorize?client_id=289301738480009300&scope=openid%20email%20profile%20offline_access%20urn%3Azitadel%3Aiam%3Auser%3Ametadata&response_type=code&redirect_uri=https%3A%2F%2Flogin-demo.foo.com%2Fapi%2Fauth%2Fcallback%2Fzitadel&state=xlfcfYDhU9io7B4i1zlsTP-FxBYHsu9nQAbaPtevIXo&code_challenge=zX6uooEi8ixzVk6_VOxxzmmgXMThOgNfX092SP-Xl0E&code_challenge_method=S256

the login app forward me to https://login-ui-8644fb44f5-fr8km:3000/accounts?authRequestId=V2_289367805545939075 effectively breaking the login Is there a way that the typescript code should pickup the real Host / X-Forwarded-Host for this?

login-ui-8644fb44f5-fr8km login-ui o [ConnectError]: [failed_precondition] Session has expired (COMMAND-Hkl3d)
login-ui-8644fb44f5-fr8km login-ui     at _ (/app/apps/login/.next/server/chunks/7026.js:34:160888)
login-ui-8644fb44f5-fr8km login-ui     at q (/app/apps/login/.next/server/chunks/7026.js:34:161877)
login-ui-8644fb44f5-fr8km login-ui     at next (/app/apps/login/.next/server/chunks/7026.js:34:167805)
login-ui-8644fb44f5-fr8km login-ui     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
login-ui-8644fb44f5-fr8km login-ui     at async Object.unary (/app/apps/login/.next/server/chunks/7026.js:34:166550)
login-ui-8644fb44f5-fr8km login-ui     at async Object.createCallback (/app/apps/login/.next/server/chunks/7026.js:34:173740)
login-ui-8644fb44f5-fr8km login-ui     at async w (/app/apps/login/.next/server/app/login/route.js:1:5503)
login-ui-8644fb44f5-fr8km login-ui     at async /app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
login-ui-8644fb44f5-fr8km login-ui     at async eC.execute (/app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
login-ui-8644fb44f5-fr8km login-ui     at async eC.handle (/app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186) {
login-ui-8644fb44f5-fr8km login-ui   rawMessage: 'Session has expired (COMMAND-Hkl3d)',
login-ui-8644fb44f5-fr8km login-ui   code: 9,
login-ui-8644fb44f5-fr8km login-ui   metadata: Headers {
login-ui-8644fb44f5-fr8km login-ui     'grpc-message': 'Session has expired (COMMAND-Hkl3d)',
login-ui-8644fb44f5-fr8km login-ui     'grpc-status': '9',
login-ui-8644fb44f5-fr8km login-ui     'grpc-status-details-bin': 'CAkSI1Nlc3Npb24gaGFzIGV4cGlyZWQgKENPTU1BTkQtSGtsM2QpGlIKKnR5cGUuZ29vZ2xlYXBpcy5jb20veml0YWRlbC52MS5FcnJvckRldGFpbBIkCg1DT01NQU5ELUhrbDNkEhNTZXNzaW9uIGhhcyBleHBpcmVk',
login-ui-8644fb44f5-fr8km login-ui     'cache-control': 'no-store',
login-ui-8644fb44f5-fr8km login-ui     'content-type': 'application/grpc+proto',
login-ui-8644fb44f5-fr8km login-ui     expires: 'Mon, 14 Oct 2024 20:42:17 GMT',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-cache-control': 'no-store',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-expires': 'Mon, 14 Oct 2024 20:42:17 GMT',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-pragma': 'no-cache',
login-ui-8644fb44f5-fr8km login-ui     pragma: 'no-cache',
login-ui-8644fb44f5-fr8km login-ui     trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
login-ui-8644fb44f5-fr8km login-ui     'x-robots-tag': 'none'
login-ui-8644fb44f5-fr8km login-ui   },
login-ui-8644fb44f5-fr8km login-ui   details: [ { type: 'zitadel.v1.ErrorDetail', value: [Uint8Array] } ],
login-ui-8644fb44f5-fr8km login-ui   cause: undefined
login-ui-8644fb44f5-fr8km login-ui }

login-ui-8644fb44f5-fr8km login-ui o [ConnectError]: [failed_precondition] Session has expired (COMMAND-Hkl3d)
login-ui-8644fb44f5-fr8km login-ui     at _ (/app/apps/login/.next/server/chunks/7026.js:34:160888)
login-ui-8644fb44f5-fr8km login-ui     at q (/app/apps/login/.next/server/chunks/7026.js:34:161877)
login-ui-8644fb44f5-fr8km login-ui     at next (/app/apps/login/.next/server/chunks/7026.js:34:167805)
login-ui-8644fb44f5-fr8km login-ui     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
login-ui-8644fb44f5-fr8km login-ui     at async Object.unary (/app/apps/login/.next/server/chunks/7026.js:34:166550)
login-ui-8644fb44f5-fr8km login-ui     at async Object.createCallback (/app/apps/login/.next/server/chunks/7026.js:34:173740)
login-ui-8644fb44f5-fr8km login-ui     at async w (/app/apps/login/.next/server/app/login/route.js:1:5503)
login-ui-8644fb44f5-fr8km login-ui     at async /app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:36932
login-ui-8644fb44f5-fr8km login-ui     at async eC.execute (/app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:27548)
login-ui-8644fb44f5-fr8km login-ui     at async eC.handle (/app/node_modules/.pnpm/next@14.2.10_@babel+core@7.25.2_react-dom@18.3.1_react@18.3.1__react@18.3.1_sass@1.79.1/node_modules/next/dist/compiled/next-server/app-route.runtime.prod.js:6:38186) {
login-ui-8644fb44f5-fr8km login-ui   rawMessage: 'Session has expired (COMMAND-Hkl3d)',
login-ui-8644fb44f5-fr8km login-ui   code: 9,
login-ui-8644fb44f5-fr8km login-ui   metadata: Headers {
login-ui-8644fb44f5-fr8km login-ui     'grpc-message': 'Session has expired (COMMAND-Hkl3d)',
login-ui-8644fb44f5-fr8km login-ui     'grpc-status': '9',
login-ui-8644fb44f5-fr8km login-ui     'grpc-status-details-bin': 'CAkSI1Nlc3Npb24gaGFzIGV4cGlyZWQgKENPTU1BTkQtSGtsM2QpGlIKKnR5cGUuZ29vZ2xlYXBpcy5jb20veml0YWRlbC52MS5FcnJvckRldGFpbBIkCg1DT01NQU5ELUhrbDNkEhNTZXNzaW9uIGhhcyBleHBpcmVk',
login-ui-8644fb44f5-fr8km login-ui     'cache-control': 'no-store',
login-ui-8644fb44f5-fr8km login-ui     'content-type': 'application/grpc+proto',
login-ui-8644fb44f5-fr8km login-ui     expires: 'Mon, 14 Oct 2024 20:42:17 GMT',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-cache-control': 'no-store',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-expires': 'Mon, 14 Oct 2024 20:42:17 GMT',
login-ui-8644fb44f5-fr8km login-ui     'grpc-metadata-pragma': 'no-cache',
login-ui-8644fb44f5-fr8km login-ui     pragma: 'no-cache',
login-ui-8644fb44f5-fr8km login-ui     trailer: 'Grpc-Status, Grpc-Message, Grpc-Status-Details-Bin',
login-ui-8644fb44f5-fr8km login-ui     'x-robots-tag': 'none'
login-ui-8644fb44f5-fr8km login-ui   },
login-ui-8644fb44f5-fr8km login-ui   details: [ { type: 'zitadel.v1.ErrorDetail', value: [Uint8Array] } ],
login-ui-8644fb44f5-fr8km login-ui   cause: undefined
login-ui-8644fb44f5-fr8km login-ui }

10 Replies

FFO•14mo ago

@peintnermax can you please advise

Endre | Blackr4tOP•14mo ago

@peintnermax any idea?

peintnermax•13mo ago

Hi @Endre | Blackr4t , where does the https://login-ui-8644fb44f5-fr8km:3000 come from? could you send me your proxy configuration? 🤔

Endre | Blackr4tOP•13mo ago

@peintnermax I'm using Traefik with GatewayAPI ontop of Kubernetes but sure

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: login-ui
  namespace: foo-id
spec:
  hostnames:
    - login.foo.com
  parentRefs:
    - name: traefik-gateway
      namespace: ingress-system
  rules:
    - backendRefs:
        - name: login-ui
          port: 80
      matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: X-Forwarded-Host
                value: login.foo.com

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: login-ui
  namespace: foo-id
spec:
  hostnames:
    - login.foo.com
  parentRefs:
    - name: traefik-gateway
      namespace: ingress-system
  rules:
    - backendRefs:
        - name: login-ui
          port: 80
      matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: X-Forwarded-Host
                value: login.foo.com

@peintnermax Do you know though what's the expected headers? 🤔

peintnermax•13mo ago

We have documented the required headers for the new login here: https://zitadel.com/docs/guides/integrate/login-ui/typescript-repo#oidc-proxy We require a x-zitadel-client-name header which is the id of your service user x-zitadel-public-host should point to login.foo.com, and x-zitadel-instance-host defines the host of your instance.

ZITADEL Docs

To replace our current golang built login UI and showcase the use of our new resource, session and OIDC APIs, we've created the Typescript Repository.

Endre | Blackr4tOP•13mo ago

@peintnermax yes that is for login -> zitadel communication, but the issue now seems to be that request.nextUrl.host is not being set to the value of the incoming Host header this means for example that 1. Proxied requests via the middleware.ts file towards zitadel will get wrong x-zitadel-public-host 2. Redirects / other things where the login app responds back to the client will get the wrong Host in the URL

peintnermax•13mo ago

could you set up these headers / rewrites in traefik and remove the middleware of the login app? You dont have to use nextjs if you have a custom proxy..

Endre | Blackr4tOP•13mo ago

Hmm, good point actually @peintnermax But that's just some of the calls though, what about the redircts also that happen that also seem to be reliant on it?

peintnermax•13mo ago

 "/.well-known/:path*",
    "/oauth/:path*",
    "/oidc/:path*",
    "/idps/callback/:path*",

are not relevant for the login itself so you could use traefik to forward them 🙂

Endre | Blackr4tOP•13mo ago

@peintnermax yeah I know that, but those are not the problem anymore anyways, we're still at the root problem still really which is that NextJS seems to ignore setting request.nextUrl.host to the incoming Host header for some reason and that causes the other later redirect() calls to give the wrong value for the host

Key

Did you find this page helpful?