ZITADEL • 2mo ago
spacemule

Human users created with terraform cannot login with v2 login unless username is email

I don't know if I'm doing something very wrong or if there is a strange bug. I'm trying to set up human users using the terraform provider (latest version of both tf provider and zitadel installed using the helm chart with traefik ingress).

If I set the username to anything other than the email address, the login fails for both email and username in v2 login with "User not found." v1 login works fine, so it seems the issue is v2 login and not zitadel itself or the tf provider.

Anyone else encountered this? Is this a known limitation that I just missed, or is this a real bug?

Here's a little snippet of my tf in case anything jumps out:

```hcl
resource "zitadel_default_login_policy" "default" {
  allow_external_idp            = false
  allow_register                = false
  default_redirect_uri          = ""
  external_login_check_lifetime = "240h0m0s"
  force_mfa                     = false
  force_mfa_local_only          = false
  hide_password_reset           = true
  ignore_unknown_usernames      = false
  mfa_init_skip_lifetime        = "720h0m0s"
  multi_factor_check_lifetime   = "18h0m0s"
  password_check_lifetime       = "240h0m0s"
  passwordless_type             = "PASSWORDLESS_TYPE_ALLOWED"
  second_factor_check_lifetime  = "24h0m0s"
  second_factors                = ["SECOND_FACTOR_TYPE_OTP", "SECOND_FACTOR_TYPE_U2F"]
  multi_factors                 = ["MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION"]
  user_login                    = true
  disable_login_with_email      = false
  disable_login_with_phone      = true
}

resource "zitadel_human_user" "test-user" {
  email                        = "bone@test.net"
  org_id                       = zitadel_org.default.id
  initial_skip_password_change = true
  is_phone_verified            = false
  first_name                   = "testee"
  last_name                    = "useree"
  user_name                    = "bone@test.net"
  initial_password             = "Password1!"
  is_email_verified            = true
}
```