spacemule
spacemule•22h ago

Human users created with terraform cannot login with v2 login unless username is email

I don't know if I'm doing something very wrong or if there is a strange bug. I'm trying to set up human users using the terraform provider (latest version of both tf provider and zitadel installed using the helm chart with traefik ingress). If I set the username to anything other than the email address, the login fails for both email and username in v2 login with "User not found." v1 login works fine, so it seems the issue is v2 login and not zitadel itself or the tf provider. Anyone else encountered this? Is this a known limitation that I just missed, or is this a real bug? Here's a little snippet of my tf in case anything jumps out:
resource "zitadel_default_login_policy" "default" {
  allow_external_idp = false
  allow_register = false
  default_redirect_uri = ""
  external_login_check_lifetime = "240h0m0s"
  force_mfa = false
  force_mfa_local_only = false
  hide_password_reset = true
  ignore_unknown_usernames = false
  mfa_init_skip_lifetime = "720h0m0s"
  multi_factor_check_lifetime = "18h0m0s"
  password_check_lifetime = "240h0m0s"
  passwordless_type = "PASSWORDLESS_TYPE_ALLOWED"
  second_factor_check_lifetime = "24h0m0s"
  second_factors = ["SECOND_FACTOR_TYPE_OTP", "SECOND_FACTOR_TYPE_U2F"]
  multi_factors = ["MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION"]
  user_login = true
  disable_login_with_email = false
  disable_login_with_phone = true
}

resource "zitadel_human_user" "test-user" {
  email = "bone@test.net"
  org_id = zitadel_org.default.id
  initial_skip_password_change = true
  is_phone_verified = false
  first_name = "testee"
  last_name = "useree"
  user_name = "bone@test.net"
  initial_password = "Password1!"
  is_email_verified = true
}
4 Replies
Ask Inkeep
Ask Inkeep•22h ago
Hi @spacemule, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

I wasn't able to find a direct answer in the available sources about this specific v2 login behavior with Terraform-created users where the username differs from the email address.

Here are some potentially relevant sources:

1. Custom Login Screen for Zitadel - Username & Password Authentication Issue (1): This discussion mentions that when using the Session API with v2 login, the user identified an issue where using the email value in loginName didn't work, but using the 'Preferred login name' did work. The user noted they have two available login methods: 'Preferred login name' and email, and needed to authenticate using email for multi-tenant scenarios.
2. Setting up Project and App from zero using Terraform Provider (Docker Compose) (2): This provides examples of setting up ZITADEL with Terraform, including user creation configuration.

Would you like me to provide a general answer based on my knowledge of ZITADEL's authentication mechanisms?

To learn more, see the sources I considered:
[1] Custom Login Screen for Zitadel - Username & Password Authentication Issue
[2] Setting up Project and App from zero using Terraform Provider (Docker Compose)

Feel free to tag @Ask Inkeep with additional questions.
spacemule
spacemuleOP•7h ago
Would you like me to provide a general answer based on my knowledge of ZITADEL's authentication mechanisms?
@Ask Inkeep You can try
Rajat
Rajat•5h ago
Hey @spacemule, thanks for your question. I will check with my team; it could be one of those V2 login bugs internally. Could you please continue using V1 login for now if that's not a problem? Thanks
spacemule
spacemuleOP•4h ago
yup. going to have to use v1 anyways as v2 doesn't trigger actions properly for external auth 😢
