Avoid adding port in issuer url
Hello,
When the token is generated the issuer is : https://mydomain:443
Is it possible to avoid having the port at the end ?
"iss": "https://idp.dev.ludocare.com:443",
Why I'm asking ?
Because 443 port is implicit, and when using traefik as L4, the host header is automatically transformed
from https://idp.dev.ludocare.com:443
to https://idp.dev.ludocare.com
I know I can handle it by forcing the host header with traefik, but it's a workaround I would like to avoid.
If I do not force host header with traefik, then when introspecting token, I have the following error :
issuer does not match: Expected: https://idp.dev.ludocare.com, got: https://idp.dev.ludocare.com:443
Hey @JayPe!
On the client-side, can you check if you provided the issuer with or without port?
Well, the thing is that my traefik is removing it by default
I'm sure.
And it's not very nice to force traefik to force it with middleware
Zitadel should not add 443 in the issuer as the 443 port is the normal one
It seems normal to add the port in the issuer if it's not 443, but as a common thing.
Browser does not display 80 or 443.
So zitadel should not force us to specify 443 or 80 to check the issuer
Hey @JayPe! Can you share the exact steps you took to get that error along with your Zitadel config?
Can you also possibly provide the configuration you're using on your application's side? We're going to try and reproduce the error to look into this issue a bit more :gigipixel:
You configure your zitadel
With TLS enabled False.
But with EXTERNAL_PORT 443.
So this means that your zitadel does not wait for TLS and leaves it to an L4 or L7.
In my case Traefik.
Your zitadel documentation is well documented on this.
Then you configure a project with an application (app native) with JWT token and not opaque bearer token.
You use the Authorize URL to get back the Authorization code.
You use the API endpoint to retrieve the access token with the authorization code.
Then you use the API endpoint to introspect the access token.
The result will be an error on the issuer.
Saying the issuer is not the same as the one who calls the endpoint to introspect.
Why : because in the access token, if you decode it, the issuer contains the 443 port.
As said before, Traefik removes the port from the host even if I specify it.
So two possibilities :
Zitadel removes the 443 port from the issuer.
Zitadel does not take into account the 443 port when comparing the endpoint host and the token issuer.
As the 443 should be implicit
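The issuer comparison the post above asks for (its second option: treat an explicit `:443` on an `https` issuer, or `:80` on `http`, as equivalent to no port) as an added example. This is not Zitadel's code and not Zitadel's introspection logic; the function names `normalize_issuer`, `issuers_match` and `jwt_issuer` are hypothetical, and the sample token is constructed inline with a placeholder signature only so that the `iss` claim can be read for diagnosis. Such a check belongs after the token's signature has been validated; it only decides whether two issuer identifiers name the same endpoint.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

# Default port per scheme; an explicit default port carries no information
# (browsers and proxies such as Traefik drop it from the Host header).
DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_issuer(issuer: str) -> str:
    """Return a canonical form of an issuer URL for comparison.

    Scheme and host are lower-cased, the scheme's default port is dropped,
    any non-default port is kept. Path, query and fragment are left as given
    so that genuinely different issuers still compare unequal.
    """
    parts = urlsplit(issuer)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if ":" in host:  # IPv6 literal: hostname strips the brackets, put them back
        host = f"[{host}]"
    port = parts.port  # int or None; raises ValueError on a malformed port
    if port is not None and DEFAULT_PORTS.get(scheme) != port:
        netloc = f"{host}:{port}"
    else:
        netloc = host
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def issuers_match(expected: str, actual: str) -> bool:
    """Port-insensitive (for default ports only) issuer equality."""
    return normalize_issuer(expected) == normalize_issuer(actual)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_issuer(token: str) -> str:
    """Read the `iss` claim from a compact JWT.

    This does NOT verify the signature; it is a diagnostic helper for seeing
    what issuer the token carries. Trust decisions must follow verification.
    """
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    return claims["iss"]


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: same shape as the one in the thread, with the
# issuer carrying the explicit :443. The signature is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode({"iss": "https://idp.dev.ludocare.com:443",
                    "sub": "constructed-user", "aud": "constructed-app"}),
    "placeholder-signature",
])


if __name__ == "__main__":
    # The Host header seen behind Traefik has no port; the token's iss does.
    seen_by_introspection = "https://idp.dev.ludocare.com"
    print("token iss:", jwt_issuer(SAMPLE_TOKEN))
    print("strict equal:", seen_by_introspection == jwt_issuer(SAMPLE_TOKEN))
    print("normalized equal:", issuers_match(seen_by_introspection, jwt_issuer(SAMPLE_TOKEN)))
```

Only the scheme's own default port is folded away; `https://idp.dev.ludocare.com:8443`, a different scheme, or a different path still fails the comparison, so the relaxation does not let an unrelated issuer pass.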
Thanks for sharing this - @Elio could you eyeball this? I think you might have some more insight on this issue!