Strange redirect_uri bug in self-hosted 4.6.1
Hey all. I’m looking for any advice at all on this. It’s possible we’re overlooking something silly, but I’ve searched through all the documentation and threads that I can find.
We have a self-hosted instance running 4.6.1 and using the v2 login UI. First of all, we are having issues with organization discovery (“User not found in the system”), but I believe this is already a known and tracked bug according to GitHub.
However, we’re even having trouble signing into the default organization with a configured external OIDC provider. On hitting the button, we get an error from our IdP about mismatching redirect_uris.
Zitadel is requesting we configure the IdP to allow https://domain.com/ui/v2/loginidps/callback, but the actual request made by Zitadel to the IdP when hitting the external login button looks like https://domain.com:443/idps/callback.
If I add that second callback uri (with the port) to the IdP configuration, then when I click the button I now get an error from Zitadel (“An error occurred while trying to login.”)
So it seems to me that the error might be caused by Zitadel adding in the 443 and then getting confused by it. Is my understanding right, or does anyone have any ideas what I might be doing wrong? I believe we are running a fairly standard setup and configuration. Running behind an AWS ALB.
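To make the two symptoms in the post concrete, here is an added example (not code from the thread or from ZITADEL) that checks a redirect_uri the way an IdP does, reports when the only difference is an explicit default port, and shows how an unconditionally appended X-Forwarded-Port behind a TLS load balancer produces a `:443` in the rebuilt URL. The `external_url` logic is a hypothetical illustration, and `ALB_HEADERS` is a constructed sample.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def strict_match(registered: str, requested: str) -> bool:
    """Exact string comparison, which is how an IdP is expected to validate
    redirect_uri. 'https://h:443/x' and 'https://h/x' are NOT equal here."""
    return registered == requested


def differs_only_by_default_port(registered: str, requested: str) -> bool:
    """Diagnostic: True when the two URIs are the same resource and the only
    textual difference is an explicit default port (e.g. ':443' for https)."""
    r, q = urlsplit(registered), urlsplit(requested)
    if (r.scheme, r.hostname, r.path, r.query, r.fragment) != (
        q.scheme, q.hostname, q.path, q.query, q.fragment
    ):
        return False
    r_port = r.port or DEFAULT_PORTS.get(r.scheme)
    q_port = q.port or DEFAULT_PORTS.get(q.scheme)
    return r_port == q_port and r.netloc != q.netloc


def external_url(headers: dict, path: str, always_append_port: bool) -> str:
    """Rebuild the public URL from reverse-proxy headers (hypothetical logic,
    not ZITADEL's). With always_append_port=True the forwarded port is added
    even when it is the scheme's default, yielding 'https://host:443/...'."""
    scheme = headers.get("X-Forwarded-Proto", "http")
    host = headers["Host"].split(":")[0]  # drop any port already in Host
    port = int(headers.get("X-Forwarded-Port", DEFAULT_PORTS[scheme]))
    if always_append_port or port != DEFAULT_PORTS[scheme]:
        netloc = f"{host}:{port}"
    else:
        netloc = host
    return urlunsplit((scheme, netloc, path, "", ""))


# Constructed sample: the headers an AWS ALB HTTPS listener adds to requests.
ALB_HEADERS = {
    "Host": "domain.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Port": "443",
}

if __name__ == "__main__":
    registered = "https://domain.com/idps/callback"
    requested = external_url(ALB_HEADERS, "/idps/callback", always_append_port=True)
    print(requested, strict_match(registered, requested),
          differs_only_by_default_port(registered, requested))
```

Running it prints the `:443` variant, `False` for the strict check and `True` for the default-port diagnostic, which is the combination the post describes.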
6 Replies
Hi @lbm, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
I wasn't able to find a direct answer, here are some relevant sources:
1. Handle External Logins in a Custom Login UI : Covers the external identity provider flow and callback handling, noting that the redirect URL is `https://${CUSTOM_DOMAIN}/idps/callback` when using the V2 hosted login. (1)
2. ZITADEL Default Settings : Explains identity provider configuration at the instance level and domain settings that might affect callback behavior. (2)
To learn more, see the sources I considered:
[1] Handle External Logins in a Custom Login UI
[2] ZITADEL Default Settings
Feel free to tag @Ask Inkeep with additional questions.
That answer is a bit confusing, since the actual in-app documentation after configuring an external OIDC provider is specifically to use https://domain.com/ui/v2/loginidps/callback for v2 callbacks. Yet that article does indicate it’s the latter (without the port).
So I guess the two questions are:
1. Which one is correct?
2. Why is our instance adding the 443 port to the initial IdP request?
Got it. Tagging @Rajat for additional help.
Humbly pinging @Rajat for any assistance. Granted we are not paying users, but that’s not for lack of want! If the cloud offering ever becomes available in Japan, we’d love to talk 💕
This issue is blocking adoption by a number of our internal teams who are willing to give it a try. So I want to resolve this quickly to keep the momentum going.
hey @lbm thanks for the ping and welcome to the server. Let me read it and I will get back to you 🙂
hey @lbm
We only host cloud in US, Switzerland, Germany and Australia. The closest would be Australia for you. You can always self host if you want the data and implementation to be in Japan. Will that be an option?
@Rajat Oh sorry, that was just a remark. It wasn’t the actual question I’m having.
I need help with this OIDC error.