Zitadel TypeScript login: Issues Enabling HTTP/2 for gRPC with Zitadel in K8S (ALB Ingress)
Hi everyone,
We’re onboarding the Zitadel TypeScript project in our Kubernetes setup (
Our Setup
- Zitadel is deployed in an EKS cluster using the official Helm Chart.
- We use an ALB ingress (via Helm) with the domain pattern
- Zitadel’s ingress is
- Other company applications (e.g., foo-backend and foo-frontend deployed under
- These applications interact with Zitadel using HTTP/1.1, which has been working fine.
Problem
- We onboarded the Zitadel TypeScript (Next.js) app under https://login.staging.company.com, which uses gRPC to communicate with Zitadel.
- Initially, gRPC requests failed due to our ALB using HTTP/1.1.
- We enabled HTTP/2 for Zitadel by adding:
- ALB annotation:
- Zitadel Ingress annotation:
This fixed Zitadel TypeScript’s gRPC calls but broke other applications:
- foo-backend OAuth token introspection fails with 464 Incompatible protocol.
- foo-frontend Cypress tests started failing (Cypress has known issues with HTTP/2).
- Other company apps in other domains calling
Question
How can we enable HTTP/2 for zitadel-typescript-login without breaking our existing applications that require HTTP/1.1?
Any best practices or recommendations would be greatly appreciated.
Thank you!
We’re onboarding the Zitadel TypeScript project in our Kubernetes setup (
zitadel-typescript-loginzitadel-typescript-login), but we’ve run into an issue with enabling HTTP/2 support while keeping compatibility with other services.Our Setup
- Zitadel is deployed in an EKS cluster using the official Helm Chart.
- We use an ALB ingress (via Helm) with the domain pattern
*.staging.company.com*.staging.company.com.- Zitadel’s ingress is
auth.staging.company.comauth.staging.company.com.- Other company applications (e.g., foo-backend and foo-frontend deployed under
foo.staging.company.comfoo.staging.company.com ingress) use Zitadel for authentication via OAuth2/OIDC (the backend using /oauth/v2/introspect/oauth/v2/introspect and the frontend using oidc-client-tsoidc-client-ts with PKCE).- These applications interact with Zitadel using HTTP/1.1, which has been working fine.
Problem
- We onboarded the Zitadel TypeScript (Next.js) app under https://login.staging.company.com, which uses gRPC to communicate with Zitadel.
- Initially, gRPC requests failed due to our ALB using HTTP/1.1.
- We enabled HTTP/2 for Zitadel by adding:
- ALB annotation:
alb.ingress.kubernetes.io/backend-protocol-version: HTTP2alb.ingress.kubernetes.io/backend-protocol-version: HTTP2- Zitadel Ingress annotation:
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"nginx.ingress.kubernetes.io/backend-protocol: "GRPC"This fixed Zitadel TypeScript’s gRPC calls but broke other applications:
- foo-backend OAuth token introspection fails with 464 Incompatible protocol.
- foo-frontend Cypress tests started failing (Cypress has known issues with HTTP/2).
- Other company apps in other domains calling
https://auth.staging.company.com/oidc/v1/userinfohttps://auth.staging.company.com/oidc/v1/userinfo also fail.Question
How can we enable HTTP/2 for zitadel-typescript-login without breaking our existing applications that require HTTP/1.1?
Any best practices or recommendations would be greatly appreciated.
Thank you!
