OIDC Generic Provider - Failed to extract ServerMetadata from context
When adding a generic OIDC provider to my Zitadel instance.
Trying to refresh the login UI, I see the specific log in my zitadel container:
Failed to extract ServerMetadata from context
On the login UI page, when clicking on the button of the provider:
OpenID Provider Configuration Discovery has failed
http status not ok: 404 Not Found
I don't have any other logs ...
Even if I change the OIDC issuer URL, still the same error
To try to debug a little bit:
I configured Microsoft with your built-in provider: it works well
I configured Microsoft with the OIDC Generic built-in provider: KO
Error on the self-hosted login UI:
OpenID Provider Configuration Discovery has failed
http status not ok: 404 Not Found
Whereas I'm sure of the issuer configuration:
https://login.microsoftonline.com/MY_TENANT_ID/v2.0/.well-known/openid-configuration

My OIDC generic Microsoft and Microsoft conf use the same client ID and secret ID.
The only difference is that in the OIDC generic conf, I have to add the issuer
One is working, the other does not
@fabienne, @FFO, did you already get this kind of behavior?
When I try with the GitLab Self Hosted provider, I have this error:

Do you use our built-in login UI, our new TypeScript login UI, or your custom-built one?
built-in login UI
So when we have an explicit provider, we recommend taking that one, as there might be a problem in regard to OIDC compliance, and it won't work
For GitLab, did you follow this guide? https://zitadel.com/docs/guides/integrate/identity-providers/gitlab
Yes, I followed it for GitLab...
I understand you recommend taking the specific one when you have an explicit provider.
I made this try to see if Zitadel had a problem with the generic OIDC, and it seems that is the case.
I did it because I want to integrate Azuma (Health ID OIDC provider).
When testing Azuma, I have the same error as when testing Microsoft with generic OIDC.
But with the same credentials, Microsoft works well with the built-in provider.
So the conclusion for me is: Zitadel Generic OIDC does not work properly.
And I don't know where to find more logs.
@fabienne
So to summarize:
- Azuma with Generic OIDC => Failed
- Microsoft with built-in => Working
- Microsoft with Generic OIDC => Failed
- Self Hosted GitLab with built-in => Failed
We checked, and there is no general problem with the OIDC IdP.
That said, I think you will have to look at each configuration separately to figure out what the problem is
Could you at least explain to me where I can troubleshoot this error message from the login UI:
OpenID Provider Configuration Discovery has failed
http status not ok: 404 Not Found
The configuration is very, very small, so double-checking the configuration isn't complicated.
And my cross test with Microsoft shows that the generic OIDC configuration may be buggy
And something that tells me there is a problem with the generic OIDC is that I'm using another tool called "Budibase", a low-code solution.
When I set up the Microsoft OIDC it works like a charm without any bug, and this is not a built-in Microsoft OIDC, I'm using their generic OIDC configuration
Ok, I found it!
By default Zitadel is concatenating the issuer url we set up with /.well-known/openid-configuration
And zitadel is waiting for a json format.
An enhancement:
You should let the user choose the entire URL and not try to concatenate the end.
Because you are not sure how other providers fulfil the OIDC requirement
So now it works with Microsoft on the Generic OIDC, but it does not work with Azuma HealthID as their JSON configuration link is:
https://DNS_SAMPLE/oidcf/joe-simulation/.well-known/openid-federation/json
Great you found the problem, thanks for the info.
We do it this way, as this is defined by the OIDC standard, and it needs to look the same for each OIDC compliant provider
If they do something different, they are not OIDC compliant
Yes, you are right 🙂
This is what I checked, and I found the correct URL from them.
Thanks for your help.
Maybe it could be a little bit more documented, explaining the issuer URL and how it will be used.
But now I have the right URL, another error coming 🙂
Issuer does not match
Because of missing / at the end of the url
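The two failure modes this thread runs into (a 404 because the client appends `/.well-known/openid-configuration` to whatever issuer you configure, and "Issuer does not match" because the `issuer` field in the discovery document must equal the configured value character for character, trailing slash included) can be reproduced offline. The following is an added example, not code from Zitadel or from anyone in this thread; the provider metadata and the fake HTTP transport are constructed for the example, and `idp.example.test` is a placeholder host. It implements the discovery rules of OpenID Connect Discovery 1.0 (section 4: derive the URL from the issuer; section 4.3: the returned `issuer` must match exactly) as a strict client would, so you can see which check a given configuration trips.

```python
"""Stand-alone OIDC discovery checker (added example, not Zitadel's code).

Shows why a generic OIDC client 404s when the issuer is not the document's
prefix, and why 'https://x/realm' and 'https://x/realm/' are different issuers.
"""
import json
from typing import Callable, Tuple

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed provider metadata: note the issuer is published WITH a trailing slash.
PROVIDER_ISSUER = "https://idp.example.test/realm/"
PROVIDER_METADATA = {
    "issuer": PROVIDER_ISSUER,
    "authorization_endpoint": PROVIDER_ISSUER + "authorize",
    "token_endpoint": PROVIDER_ISSUER + "token",
    "jwks_uri": PROVIDER_ISSUER + "jwks",
}

# Fake transport: maps a URL to (status, content_type, body). Anything not listed
# is a 404, which is what a provider serving its document at a non-standard path
# (or an issuer with the well-known suffix already appended) produces.
ROUTES = {
    PROVIDER_ISSUER.rstrip("/") + WELL_KNOWN: (
        200, "application/json", json.dumps(PROVIDER_METADATA).encode()),
}


def fake_fetch(url: str) -> Tuple[int, str, bytes]:
    """Offline stand-in for an HTTP GET (assumption: no network in this example)."""
    return ROUTES.get(url, (404, "text/plain", b"Not Found"))


def discovery_url(issuer: str) -> str:
    """Append the well-known path to the issuer without producing a double slash."""
    return issuer.rstrip("/") + WELL_KNOWN


def validate_metadata(configured_issuer: str, status: int,
                      content_type: str, body: bytes) -> dict:
    """Apply the checks a strict client performs, raising on the first failure."""
    if status != 200:
        raise ValueError(f"http status not ok: {status}")
    if not content_type.startswith("application/json"):
        raise ValueError(f"unexpected content type: {content_type}")
    metadata = json.loads(body)
    # Exact string comparison is deliberate: a mismatched issuer is how
    # mix-up attacks are detected, so clients must not normalise it away.
    if metadata.get("issuer") != configured_issuer:
        raise ValueError(
            f"Issuer does not match: configured {configured_issuer!r}, "
            f"document says {metadata.get('issuer')!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in metadata:
            raise ValueError(f"metadata missing required field {key}")
    return metadata


def discover(configured_issuer: str,
             fetch: Callable[[str], Tuple[int, str, bytes]] = fake_fetch) -> dict:
    """Derive the discovery URL, fetch it, and validate the document."""
    status, content_type, body = fetch(discovery_url(configured_issuer))
    return validate_metadata(configured_issuer, status, content_type, body)


def diagnose(configured_issuer: str) -> str:
    """Return 'ok' or the error message a client would log for this issuer."""
    try:
        discover(configured_issuer)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for issuer in (
        PROVIDER_ISSUER,                         # matches exactly -> ok
        PROVIDER_ISSUER.rstrip("/"),             # trailing slash missing -> mismatch
        PROVIDER_ISSUER.rstrip("/") + WELL_KNOWN,  # full document URL as issuer -> 404
        "https://idp.example.test/realm/custom/metadata.json",  # non-standard path -> 404
    ):
        print(f"{issuer}\n    -> {diagnose(issuer)}")
```

Run it as a script to see each configuration's outcome side by side. The third and fourth cases are the "404 Not Found" from the thread: the client always derives the URL itself, so configuring the document URL directly, or a provider that serves its document somewhere other than `<issuer>/.well-known/openid-configuration`, cannot work with a spec-following client. The second case is the later "Issuer does not match": the configured issuer must be copied exactly as the provider publishes it in the document.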
Hey @JayPe - Wanted to follow up on this, are you still experiencing this issue?
@Raccine, the issuer "does not match" comes from the fact that I had to add an ending "/" to the issuer URL.
But now, I have another error
Zitadel is redirecting correctly to the "Azuma OIDC", then I can log in to Azuma, but after that I have an error on the login UI of Zitadel, I need to double-check