We've started implementing an auth-based system on ZITADEL for role/access management in our app; however, we recently found an issue with a custom OAuth provider causing "An error occurred while trying to login." We're running self-hosted ZITADEL version v4.2.0 (Helm chart 9.13.0), with OAuth configured as:
- Auth method: client_secret_basic with PKCE enabled
- Scopes: openid, email, offline
We've tracked that the OAuth flow is able to go to the provider and get the auth code, but then it fails with the error mentioned earlier, without any logs, even with the log level set to debug.
But our case has a very different config, so we're not sure if this is related, as we're not experts in ZITADEL tweaks.
So the questions are basically:
1. Why would ZITADEL fail before calling the token endpoint? What could cause this silent failure?
2. How can we enable more verbose logging for the Generic OAuth flow to see what's happening internally?
3. Is there a known issue with Generic OAuth providers and the token exchange step?
4. Could this be related to the prompt parameter being rejected by our provider, even though we're now stripping it via a proxy and passing the proper auth code back?
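Added example (not from the post above and not ZITADEL's own code): a stand-alone reproduction of the token exchange that a generic OAuth client configured for client_secret_basic plus PKCE has to perform, with a simulated provider-side token endpoint so the whole flow runs offline with only the Python standard library. It lets you compare the exact headers and form body a conforming client sends against what your provider answers, and it models three mismatches that commonly surface only at the token step: missing HTTP Basic credentials, a provider that only accepts client_secret_post, and a code_verifier that does not match the code_challenge. The client id, secret, URLs and the simulated endpoint are constructed placeholders; the real provider's error wording and ZITADEL's internal handling are not represented.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed placeholders (hypothetical id, secret and callback URL; not real values).
CLIENT_ID = "zitadel-generic-oauth"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://zitadel.example.com/idps/callback"  # hypothetical callback URL


def b64url_sha256(data: str) -> str:
    """base64url(SHA-256(data)) without padding, as PKCE S256 requires (RFC 7636)."""
    digest = hashlib.sha256(data.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); the verifier is 86 unreserved characters."""
    verifier = secrets.token_urlsafe(64)
    return verifier, b64url_sha256(verifier)


def build_authorize_params(state: str, challenge: str) -> dict[str, str]:
    """Query parameters for the authorization endpoint; deliberately has no `prompt`."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email offline",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }


def build_token_request(code: str, verifier: str) -> tuple[dict[str, str], str]:
    """Headers and form body for client_secret_basic + PKCE (RFC 6749 section 2.3.1:
    id and secret are form-urlencoded before base64; the secret is NOT repeated in the body)."""
    creds = f"{quote(CLIENT_ID, safe='')}:{quote(CLIENT_SECRET, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI, "code_verifier": verifier})
    return headers, body


def simulate_token_endpoint(headers: dict[str, str], body: str, issued_code: str,
                            expected_challenge: str,
                            provider_auth_method: str = "client_secret_basic") -> dict:
    """Provider-side checks at POST /token, in the order a client usually sees them fail.
    Simulated here; a real provider words its errors differently."""
    form = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if provider_auth_method == "client_secret_post":
        # A provider registered for client_secret_post ignores the Authorization header.
        if (form.get("client_id"), form.get("client_secret")) != (CLIENT_ID, CLIENT_SECRET):
            return {"error": "invalid_client", "error_description": "credentials expected in body"}
    else:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return {"error": "invalid_client", "error_description": "missing HTTP Basic credentials"}
        try:
            cid, sec = base64.b64decode(auth[6:], validate=True).decode("ascii").split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return {"error": "invalid_client", "error_description": "malformed HTTP Basic credentials"}
        if (unquote(cid), unquote(sec)) != (CLIENT_ID, CLIENT_SECRET):
            return {"error": "invalid_client", "error_description": "bad client credentials"}
    if form.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type"}
    if form.get("code") != issued_code or form.get("redirect_uri") != REDIRECT_URI:
        return {"error": "invalid_grant", "error_description": "code or redirect_uri mismatch"}
    verifier = form.get("code_verifier", "")
    if not verifier or b64url_sha256(verifier) != expected_challenge:
        return {"error": "invalid_grant", "error_description": "PKCE verification failed"}
    return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer",
            "expires_in": 3600, "refresh_token": "rt-" + secrets.token_hex(8)}


def run_exchange(tamper: str = "") -> dict:
    """Drive the whole flow offline. `tamper` injects one failure mode:
    'no_auth_header', 'wrong_verifier' or 'provider_wants_post'."""
    verifier, challenge = make_pkce_pair()
    assert "prompt" not in build_authorize_params(secrets.token_urlsafe(16), challenge)
    issued_code = secrets.token_urlsafe(24)  # stands in for the code the callback receives
    if tamper == "wrong_verifier":
        verifier = secrets.token_urlsafe(64)  # well-formed, but not the one behind the challenge
    headers, body = build_token_request(issued_code, verifier)
    if tamper == "no_auth_header":
        headers.pop("Authorization")
    method = "client_secret_post" if tamper == "provider_wants_post" else "client_secret_basic"
    return simulate_token_endpoint(headers, body, issued_code, challenge, method)


if __name__ == "__main__":
    for case in ("", "no_auth_header", "wrong_verifier", "provider_wants_post"):
        print(case or "happy_path", "->", run_exchange(case))
```

To use it against the real provider, take the headers and body from `build_token_request` (with a freshly obtained code and the verifier that produced the challenge sent in the authorize request) and replay them with curl against the provider's token endpoint: an `invalid_client` answer points at the authentication method registered on the provider side, an `invalid_grant` at the code, redirect_uri or PKCE verifier, and a transport-level failure (TLS, DNS, unreachable endpoint) at something that would prevent the token call from ever being made.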