evil.bob • ZITADEL • 2mo ago • 5 replies

Zitadel Cloud instance ignores x-zitadel-public-host when setting URLs in responses

❌ Unsolved · ☁️ Zitadel Cloud · 🪲 Bugs · 🔗 OIDC

I am using a Zitadel Cloud instance and have implemented a custom ui per the documentation. When proxying the oidc endpoints from my ui at `login.example.com` to my instance at `auth.example.com`, I set `x-zitadel-public-host: login.example.com` and `x-zitadel-instance-host: auth.example.com` headers before forwarding the request to my instance. The instance is ignoring these headers and any URLs in the responses contain the instance domain, not the ui/proxy/public host domain.

So a call to get the `.well-known/openid-configuration` returns a response with URLs of `auth.example.com` instead of `login.example.com`. This can easily be rewritten by nginx, however, the token response returns a token with a jwt that has the claim `iss: https://auth.example.com` instead of `iss: https://login.example.com`.

What is the correct way to make a Zitadel Cloud instance respond with my proxy domain instead of the instance domain when calls are made to it?
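
Added example (not part of the original post and not ZITADEL code): OpenID Connect requires the `issuer` in the discovery document to match the `iss` claim of issued tokens exactly, so a proxy that rewrites only the discovery document leaves a mismatch that relying parties reject. The check below reports each disagreement; the token, the `sub` value and the sample discovery document are constructed, and the function names are hypothetical.

```python
import base64
import json
from urllib.parse import urlsplit

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(jwt: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

def issuer_problems(discovery: dict, id_token: str, public_origin: str) -> list:
    """List every place where public origin, discovery document and token disagree."""
    problems = []
    if discovery.get("issuer") != public_origin:
        problems.append(f"discovery issuer is {discovery.get('issuer')!r}")
    for key, value in discovery.items():
        if key.endswith(("_endpoint", "_uri")) and origin(value) != public_origin:
            problems.append(f"{key} points at {origin(value)!r}")
    iss = decode_claims(id_token).get("iss")
    if iss != discovery.get("issuer"):
        problems.append(f"token iss {iss!r} != discovery issuer")
    return problems

def sample_token(iss: str) -> str:
    """Constructed, unsigned token carrying only the claims needed for the check."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"iss": iss, "sub": "constructed-user"}).encode())
    return f"{header}.{body}.constructed-signature"

# Constructed discovery document as it looks after the nginx rewrite in the post.
REWRITTEN_DISCOVERY = {
    "issuer": "https://login.example.com",
    "token_endpoint": "https://login.example.com/oauth/v2/token",
    "jwks_uri": "https://login.example.com/oauth/v2/keys",
}

if __name__ == "__main__":
    token = sample_token("https://auth.example.com")
    for problem in issuer_problems(REWRITTEN_DISCOVERY, token, "https://login.example.com"):
        print(problem)
```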