Debugging integration with external IdPs - can we log outgoing requests?

Currently using Zitadel v3.4.2 deployed with Zitadel Helm chart 8.13.4.

We're currently having a lot of trouble while attempting to integrate an external idp with our Zitadel instance - and unfortunately this has been quite tricky to debug.
Does Zitadel support logging outgoing requests to external IdPs? It would be very very helpful if we could:

log the redirect request from the external IdP back to Zitadel (along with whatever query parameters it sent)
log the token request/response that Zitadel made to the external IdP (if any)
log the userinfo request/response that Zitadel made to the external IdP (if any)

As of now, I don't think any of this is possible (without e.g.: setting some sort of proxy to act as the middleman). Is that the case?
Is there perhaps a way to use actions to help with this?

Ask Inkeep•10/27/25, 1:35 PM

Hi @bawsky, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•10/27/25, 1:35 PM

Answer

I wasn't able to find a direct answer about logging outgoing requests to external IdPs in the documentation. Here are some relevant sources that might help:

Streaming audit logs to external systems (SIEM/SOC) : Covers ZITADEL's audit logging capabilities, including using Actions to log custom messages to stdout during authentication flows (1)
Code examples : Shows how to use Actions with the log module to capture authentication events (2)

Regarding Actions for debugging: ZITADEL Actions can log custom messages to stdout during the authentication flow (1) . You can create an action that logs information during the External Authentication flow using the Post Authentication trigger . However, the available context in Actions may not include the raw token/userinfo request/response details you're looking for.

The documentation shows an example of logging authentication attempts:

Ask Inkeep•10/27/25, 1:35 PM

let logger = require("zitadel/log")
function log(ctx, api) {
  if (ctx.v1.authError == "none") {
    logger.log("successful login: username/" + ctx.v1.authRequest.userName + ", timestamp/" + ctx.v1.authRequest.changeDate + ", appID/" + ctx.v1.authRequest.applicationId + ", remoteAddr/" + ctx.v1.httpRequest.remoteAddr + ", request/" + JSON.stringify(ctx.v1.httpRequest) )
  } else {
    logger.log("authentication failed: error/" + ctx.v1.authError + ", username/" + ctx.v1.authRequest.userName + ", timestamp/" + ctx.v1.authRequest.changeDate + ", appID/" + ctx.v1.authRequest.applicationId + ", remoteAddr/" + ctx.v1.httpRequest.remoteAddr + ", request/" + JSON.stringify(ctx.v1.httpRequest) )
  }
}

let logger = require("zitadel/log")
function log(ctx, api) {
  if (ctx.v1.authError == "none") {
    logger.log("successful login: username/" + ctx.v1.authRequest.userName + ", timestamp/" + ctx.v1.authRequest.changeDate + ", appID/" + ctx.v1.authRequest.applicationId + ", remoteAddr/" + ctx.v1.httpRequest.remoteAddr + ", request/" + JSON.stringify(ctx.v1.httpRequest) )
  } else {
    logger.log("authentication failed: error/" + ctx.v1.authError + ", username/" + ctx.v1.authRequest.userName + ", timestamp/" + ctx.v1.authRequest.changeDate + ", appID/" + ctx.v1.authRequest.applicationId + ", remoteAddr/" + ctx.v1.httpRequest.remoteAddr + ", request/" + JSON.stringify(ctx.v1.httpRequest) )
  }
}

Would you like me to provide a general answer based on my knowledge of debugging external IdP integrations?

Ask Inkeep•10/27/25, 1:35 PM

To learn more, see the sources I considered:

[1] Streaming audit logs to external systems (SIEM/SOC)
[2] Code examples

Ask Inkeep•10/27/25, 1:35 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] Streaming audit logs to ext...

Ask InkeepAPP•10/27/25, 2:35 PM

Got it. Tagging @Rajat for additional help.

Rajat•10/27/25, 4:44 PM

hey @bawsky I raised it internally and this is what I got
Redirects can already be seen in the browser(network/console tab properly),no need for Zitadel logs there. From K8s side, detailed ingress/egress logging needs an enterprise CNI like Calico or Tigera,that’s outside Zitadel’s scope.

Future possibility: OTLP-based tracing for outbound calls (part of Login V2) might come later, but it’s not prioritized yet.
For now, if the issue is just debugging the connection, it’s best not to overcomplicate,the IdP should already return some error or log details in console like I said above.
Hope this helps

bawskyOP•10/27/25, 5:50 PM

I see, thanks for raising it internally @Rajat

We're just now starting to use OTLP with the hope that it helped debugging a bit, but unfortunately it seems that the traces don't include any particular information about the outbound requests during the external authentication.
I think it'd be extremely helpful if there's a supported way to see detailed information about the iterations between Zitadel and external IDPs - hope to see improvements in that regard

For now, if the issue is just debugging the connection, it’s best not to overcomplicate,the IdP should already return some error or log details in console like I said above

In our particular case, it seems that the IDP we're trying to integrate is simply replying with invalid_grantinvalid_grant everytime Zitadel requests a token - nothing helpful can be seen in the customer browser's console since the /token/token request happens server-side at Zitadel.
Troubleshooting this has proven a bit challenging as our customer also can't see any helpful logs on their side and claim the authentication was successful on the side of their IDP.

bawskyOP•10/27/25, 6:28 PM

Also for completeness, here's how traces/logs look like for the case I described (where the external IDP errors with invalid_grantinvalid_grant).
This is all the information I can find on our traces/logs - which unfortunately isn't really helpful in this case

bawskyOP•10/27/25, 6:35 PM

For now the dirty workaround I did was to setup some 'generic OAuth' idp with similar settings but with the /token/token endpoint pointed to some service I can inspect incoming requests (I used https://requestbin.net/ for this)

It's a dirty workaround and far from ideal though... Hope Zitadel can make this easier at some point.

RequestBin | The Ultimate HTTP & DNS Testing Platform since 2018

The most trusted HTTP request bin and DNS testing platform. Now with cloud storage, persistent data, and advanced collaboration features.

Rajat•10/27/25, 6:40 PM

hey @bawsky thanks for more detailed input, taking this internally.

Rajat•10/27/25, 6:44 PM

ok I raised it internally now, we should have some response.

bawskyOP•10/27/25, 6:50 PM

Thanks @Rajat!

btw, this is another related log entry coming from Zitadel (forgot to attach on my previous message)

Bbawsky Thanks @Rajat! btw, this is another related log entry coming from Zitadel (for...

Rajat•10/27/25, 6:51 PM

thanks, I have raised it internally!