Linus•2mo ago

External OAuth2 provider Error:SetHumanProfile.GivenName: value length must be between 1 and 200 run

I use an external OAuth2 provider as an alternative to the default zitadel login. Currently I'm facing the following error after a successful OAuth login flow: "[invalid_argument] invalid AddHumanUserRequest.Profile: embedded message failed validation | caused by: invalid SetHumanProfile.GivenName: value length must be between 1 and 200 runes, inclusive"
Zitadel is requesting the OAuth2 user endpoint and getting the following example response:
{
"sub": "8d4925e3-8f41-4e4d-9654-6c5f183fda06",
"id": 200,
"uuid": "8d4925e3-8f41-4e4d-9654-6c5f183fda06",
"username": "j.doe",
"name:": "John Doe",
"salutation": "mr",
"firstname": "John",
"lastname": "Doe",
"family_name": "Doe",
"email": "john_doe@example.com",
"given_name": "John",
"givenName": "John" // tested with all several combinations "GivenName", "profile.givenName", "profile.given_name"..
}
Zitadel Settings:
- ID Attribute: "sub" (uuid is working as well)
- Scopes: "user:read"
Questions:
- Is there any example response in the docs where the correct user endpoint JSON structure is listed for the external OAuth2 IDP?
- Can anyone help with how the "given_name" must be formatted?
Thank u so much
6 Replies
Ask Inkeep•2mo ago
Hi @Linus, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

I wasn't able to find a direct answer, here are some relevant sources:

1. Using Actions: This documentation shows how to use Actions to customize user data mapping from external providers, including token extension and user management workflows (1).
2. [Bug]: Generic OAuth IdP registration fails because IdP intent does not contain username (analysis included): This GitHub issue describes a similar problem where the generic OAuth provider mapper doesn't extract preferred_username claims and returns empty strings, with a suggestion to use Actions as a workaround (2).

The issue appears to be related to how ZITADEL's generic OAuth provider maps user attributes from your OAuth2 endpoint response. You may need to use Actions to properly map the user data from your provider's response format.

To learn more, see the sources I considered:
[1] Using Actions
[2] [Bug]: Generic OAuth IdP registration fails because IdP intent does not contain username (analysis included)

Feel free to tag @Ask Inkeep with additional questions.
Got it. Tagging @Rajat for additional help.
Rajat•2mo ago
hey @Linus thanks for your question, I will look into it and will get back to you
LinusOP•2mo ago
Thank u so much! 🙂 I already tried Actions (v2), but the actions are not applied at all in the OAuth flow. Tested with all Events and triggers.
Rajat•2mo ago
hey @Linus I got a response from the team,
this looks like a mapping issue, not related to the import/export API. You mention that you use an OAuth2 provider. Maybe there is a missing attribute not coming from that IDP. You are pasting the OAuth2 provider response, but you normally do not see that in the browser network tab, how did you get it?
LinusOP•2mo ago
It's my own OAuth server and I'm logging each request with its response, so I'm sure the data is correct. To your mapping question: The actions (especially v2) are never triggered
fcoppede•2mo ago
hello @Linus - to map attributes with Actions V2 you have to do the following:
1. Create a REST Call Target for the webhook
2. Create a Response Action using the following: method: /zitadel.user.v2.UserService/RetrieveIdentityProviderIntent
Have you tried that? Zitadel will send a POST to your webhook with the body, which, for testing purposes, you can return unmodified. This is better explained here:
- https://zitadel.com/docs/guides/integrate/actions/testing-response-manipulation
ZITADEL Docs
This guide shows you how to leverage the ZITADEL actions feature to manipulate API responses in your ZITADEL instance.
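The attribute mapping suggested in the reply above, as an added example that is not part of the thread or ZITADEL's own code: the function a webhook behind the REST Call target could apply to the POSTed body before answering. The payload field names (`response`, `idpInformation.rawInformation`, `addHumanUser.profile`), the sample body, and the convention that the target answers with the response object are assumptions; check them against the linked guide.

```python
import json

# Constructed sample of the POST body sent to the target (field names assumed).
SAMPLE_BODY = """{
  "fullMethod": "/zitadel.user.v2.UserService/RetrieveIdentityProviderIntent",
  "response": {
    "idpInformation": {
      "userName": "j.doe",
      "rawInformation": {"sub": "8d4925e3-8f41-4e4d-9654-6c5f183fda06",
                         "given_name": "John", "family_name": "Doe"}
    },
    "addHumanUser": {"profile": {"givenName": "", "familyName": ""}}
  }
}"""

# Profile field to fill -> claim in the provider's user endpoint response.
CLAIM_MAP = {"givenName": "given_name", "familyName": "family_name"}


def map_profile(body: str) -> dict:
    """Return the response object with empty profile names filled from IdP claims."""
    resp = json.loads(body).get("response") or {}
    raw = (resp.get("idpInformation") or {}).get("rawInformation") or {}
    new_user = resp.get("addHumanUser")
    if not isinstance(new_user, dict):
        return resp  # no user is being created (assumed case); leave untouched
    profile = new_user.setdefault("profile", {})
    for field, claim in CLAIM_MAP.items():
        value = raw.get(claim)
        if profile.get(field) or not isinstance(value, str):
            continue  # keep values already mapped; ignore non-string claims
        value = value.strip()
        if 1 <= len(value) <= 200:  # the 1..200 rune limit from the error message
            profile[field] = value
    return resp


if __name__ == "__main__":
    # A REST Call target would send this JSON back as its HTTP response body.
    print(json.dumps(map_profile(SAMPLE_BODY), indent=2))
```

Only empty profile fields are filled, and only from string claims inside the length limit, so a malformed or oversized claim from the provider is dropped instead of being written into the new user's profile.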
