I am trying to build an app and use Zitadel for authentication. My goal was auth.example.com for Zitadel and app.example.com for the app. Right now I have it working where it redirects to auth and then back to app. I was wondering if it is possible or recommended to somehow build Zitadel into the flow directly so that my user only ever sees my application. The biggest issue I am running into, though, is handling passkeys, as they are scoped to auth, not app, and if the user wants to update their passkey they would need to go to the auth side either way. I would like to prevent this if possible, unless it is possible to restrict what users see on their Zitadel dashboard to only changing password, MFA and passkey settings, and then get redirected back to the app?
My idea is to split depending on which portion they are hitting: auth goes through Zitadel directly, but via an app endpoint (both services hosted on the same subdomain), using something like Traefik to route based on endpoint to the specific location. Would love to hear how others have used this for application login. My major concern is just user experience when needing to update email, MFA, password/passkeys, and I don't want to lose passkey support.
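As an added illustration (not part of the original post, and not Zitadel's or Traefik's own documentation), the routing idea above sketched as a Traefik file-provider dynamic configuration: one host, app.example.com, with Zitadel's login UI and OIDC endpoints routed to the Zitadel container and everything else routed to the application. The service names, container ports and the specific path prefixes are assumptions for the example; check the actual paths Zitadel serves in your deployment before copying them.

```yaml
# Added example: Traefik dynamic configuration (file provider).
# Assumptions: Zitadel listens on zitadel:8080, the app on app:3000,
# both reachable from Traefik; TLS is terminated by Traefik on the
# "websecure" entrypoint. Path prefixes are assumed, verify against
# your Zitadel instance.
http:
  routers:
    # Higher priority so these paths win over the app's catch-all rule.
    zitadel-on-app-host:
      rule: >-
        Host(`app.example.com`) &&
        (PathPrefix(`/ui/`) ||
         PathPrefix(`/oauth/v2/`) ||
         PathPrefix(`/oidc/v1/`) ||
         PathPrefix(`/.well-known/`))
      priority: 100
      entryPoints:
        - websecure
      service: zitadel
      tls: {}

    # Catch-all for the application itself.
    app:
      rule: Host(`app.example.com`)
      priority: 1
      entryPoints:
        - websecure
      service: app
      tls: {}

  services:
    zitadel:
      loadBalancer:
        servers:
          - url: http://zitadel:8080   # assumed container name and port
    app:
      loadBalancer:
        servers:
          - url: http://app:3000       # assumed container name and port
```

Two caveats a practitioner would check before relying on this: Zitadel must be told the external domain it is served under (its ExternalDomain / ExternalSecure settings) so that issuer URLs and redirects point at app.example.com rather than auth.example.com, and because WebAuthn ties a passkey to the origin the browser sees, moving the login UI onto app.example.com means passkeys are registered against that host, so existing passkeys registered on auth.example.com would not carry over automatically. The example above only shows the reverse-proxy half of the idea.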