Zitadel Cloud instance ignores x-zitadel-public-host when setting URLs in responses

❌Unsolved☁️Zitadel Cloud🪲Bugs🔗OIDC

I am using a Zitadel Cloud instance and have implemented a custom ui per the documentation. When proxying the oidc endpoints from my ui at ⁨

login.example.com

login.example.com

⁩ to my instance at ⁨

auth.example.com

auth.example.com

⁩, I set ⁨

x-zitadel-public-host: login.example.com

x-zitadel-public-host: login.example.com

⁩ and ⁨

x-zitadel-instance-host: auth.example.com

x-zitadel-instance-host: auth.example.com

⁩ headers before sending forwarding the request to my instance. The instance is ignoring these headers and any URLs in the responses contain the instance domain, not the ui/proxy/public host domain.

So a call to get the ⁨

.well-known/openid-configuration

.well-known/openid-configuration

⁩ returns a response with URLs of ⁨

auth.example.com

auth.example.com

⁩ instead of ⁨

login.example.com

login.example.com

⁩. This can easily be rewritten by nginx, however, the token response returns a token with a jwt that has the claim ⁨

iss: https://auth.example.com

iss: https://auth.example.com

⁩ instead of ⁨

iss: https://login.example.com

iss: https://login.example.com

⁩.

What is the correct way to make a Zitadel Cloud instance respond with my proxy domain instead of the instance domain when calls are made to it?

Zitadel Cloud instance ignores x-zitadel-public-host when setting URLs in responses

Similar Threads