bawsky 13h ago

Debugging integration with external IdPs - can we log outgoing requests?

Currently using Zitadel v3.4.2 deployed with Zitadel Helm chart 8.13.4. We're currently having a lot of trouble while attempting to integrate an external IdP with our Zitadel instance, and unfortunately this has been quite tricky to debug. Does Zitadel support logging outgoing requests to external IdPs? It would be very, very helpful if we could:

* log the redirect request from the external IdP back to Zitadel (along with whatever query parameters it sent)
* log the token request/response that Zitadel made to the external IdP (if any)
* log the userinfo request/response that Zitadel made to the external IdP (if any)

As of now, I don't think any of this is possible (without e.g. setting up some sort of proxy to act as the middleman). Is that the case? Is there perhaps a way to use actions to help with this?
Ask Inkeep 12h ago
Hi @bawsky, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer
I wasn't able to find a direct answer about logging outgoing requests to external IdPs in the documentation. Here are some relevant sources that might help:

1. Streaming audit logs to external systems (SIEM/SOC): covers ZITADEL's audit logging capabilities, including using Actions to log custom messages to stdout during authentication flows (1)
2. Code examples: shows how to use Actions with the log module to capture authentication events (2)

Regarding Actions for debugging: ZITADEL Actions can log custom messages to stdout during the authentication flow (1). You can create an action that logs information during the External Authentication flow using the Post Authentication trigger. However, the available context in Actions may not include the raw token/userinfo request/response details you're looking for. The documentation shows an example of logging authentication attempts:
// ZITADEL Action (Post Authentication trigger): writes one line per login
// attempt to ZITADEL's stdout via the built-in zitadel/log module.
let logger = require("zitadel/log")

function log(ctx, api) {
    // ctx.v1.authError is the string "none" on success, otherwise the error.
    if (ctx.v1.authError == "none") {
        logger.log("successful login: username/" + ctx.v1.authRequest.userName +
            ", timestamp/" + ctx.v1.authRequest.changeDate +
            ", appID/" + ctx.v1.authRequest.applicationId +
            ", remoteAddr/" + ctx.v1.httpRequest.remoteAddr +
            ", request/" + JSON.stringify(ctx.v1.httpRequest))
    } else {
        logger.log("authentication failed: error/" + ctx.v1.authError +
            ", username/" + ctx.v1.authRequest.userName +
            ", timestamp/" + ctx.v1.authRequest.changeDate +
            ", appID/" + ctx.v1.authRequest.applicationId +
            ", remoteAddr/" + ctx.v1.httpRequest.remoteAddr +
            ", request/" + JSON.stringify(ctx.v1.httpRequest))
    }
}
Would you like me to provide a general answer based on my knowledge of debugging external IdP integrations?

To learn more, see the sources I considered:
[1] Streaming audit logs to external systems (SIEM/SOC)
[2] Code examples

Feel free to tag @Ask Inkeep with additional questions.

Got it. Tagging @Rajat for additional help.

Rajat 10h ago
hey @bawsky I raised it internally and this is what I got:

Redirects can already be seen properly in the browser (network/console tab), no need for Zitadel logs there. From the K8s side, detailed ingress/egress logging needs an enterprise CNI like Calico or Tigera; that's outside Zitadel's scope. Future possibility: OTLP-based tracing for outbound calls (part of Login V2) might come later, but it's not prioritized yet. For now, if the issue is just debugging the connection, it's best not to overcomplicate; the IdP should already return some error or log details in the console like I said above. Hope this helps 🙂

bawsky (OP) 8h ago
I see, thanks for raising it internally @Rajat 🙂 We're just now starting to use OTLP with the hope that it helped debugging a bit, but unfortunately it seems that the traces don't include any particular information about the outbound requests during the external authentication. I think it'd be extremely helpful if there's a supported way to see detailed information about the iterations between Zitadel and external IDPs - hope to see improvements in that regard 🤞
> For now, if the issue is just debugging the connection, it's best not to overcomplicate; the IdP should already return some error or log details in the console like I said above

In our particular case, it seems that the IdP we're trying to integrate is simply replying with invalid_grant every time Zitadel requests a token. Nothing helpful can be seen in the customer browser's console, since the /token request happens server-side at Zitadel. Troubleshooting this has proven a bit challenging, as our customer also can't see any helpful logs on their side and claim the authentication was successful on the side of their IdP. 😕
bawsky (OP) 8h ago
Also for completeness, here's how the traces/logs look for the case I described (where the external IdP errors with invalid_grant). This is all the information I can find in our traces/logs, which unfortunately isn't really helpful in this case 😢

[4 screenshots attached: trace and log views]
bawsky (OP) 8h ago
For now the dirty workaround I did was to set up a 'generic OAuth' IdP with similar settings but with the /token endpoint pointed to a service where I can inspect incoming requests (I used https://requestbin.net/ for this). It's a dirty workaround and far from ideal though... Hope Zitadel can make this easier at some point.

[screenshot attached]
Rajat 8h ago
hey @bawsky thanks for the more detailed input, taking this internally. OK, I raised it internally now, we should have some response.
bawsky (OP) 7h ago
Thanks @Rajat! btw, this is another related log entry coming from Zitadel (forgot to attach it on my previous message)

[screenshot attached: Zitadel log entry]
Rajat 7h ago
thanks, I have raised it internally!