Arnau
ZITADEL
Created by Arnau on 3/22/2025 in #questions-help-bugs
Zitadel TypeScript login: Issues Enabling HTTP/2 for gRPC with Zitadel in K8S (ALB Ingress)
Hi everyone,

We’re onboarding the Zitadel TypeScript project in our Kubernetes setup (zitadel-typescript-login), but we’ve run into an issue with enabling HTTP/2 support while keeping compatibility with other services.

Our Setup

- Zitadel is deployed in an EKS cluster using the official Helm Chart.
- We use an ALB ingress (via Helm) with the domain pattern *.staging.company.com.
- Zitadel’s ingress is auth.staging.company.com.
- Other company applications (e.g., foo-backend and foo-frontend deployed under foo.staging.company.com ingress) use Zitadel for authentication via OAuth2/OIDC (the backend using /oauth/v2/introspect and the frontend using oidc-client-ts with PKCE).
- These applications interact with Zitadel using HTTP/1.1, which has been working fine.

Problem

- We onboarded the Zitadel TypeScript (Next.js) app under https://login.staging.company.com, which uses gRPC to communicate with Zitadel.
- Initially, gRPC requests failed due to our ALB using HTTP/1.1.
- We enabled HTTP/2 for Zitadel by adding:
  - ALB annotation: alb.ingress.kubernetes.io/backend-protocol-version: HTTP2
  - Zitadel Ingress annotation: nginx.ingress.kubernetes.io/backend-protocol: "GRPC"

This fixed Zitadel TypeScript’s gRPC calls but broke other applications:

- foo-backend OAuth token introspection fails with 464 Incompatible protocol.
- foo-frontend Cypress tests started failing (Cypress has known issues with HTTP/2).
- Other company apps in other domains calling https://auth.staging.company.com/oidc/v1/userinfo also fail.

Question

How can we enable HTTP/2 for zitadel-typescript-login without breaking our existing applications that require HTTP/1.1?

Any best practices or recommendations would be greatly appreciated. Thank you!
4 replies
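
One way to scope the HTTP/2 setting from the post so it no longer covers the whole host, as an added example that is not from the thread or from the ZITADEL project: two Ingresses in one ALB group, where only gRPC-style paths use an HTTP2 target group and everything else (such as /oauth/v2/introspect and /oidc/v1/userinfo) stays on HTTP1. Assumptions: the Service is named `zitadel` and listens on port 8080, gRPC method paths start with `/zitadel.`, and the group name `staging` is a placeholder.

```yaml
# Added example. Assumed values: Service "zitadel", port 8080, group name "staging".
# Ingress 1: gRPC-style paths only, forwarded to an HTTP/2 target group.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: zitadel-grpc
  annotations:
    alb.ingress.kubernetes.io/group.name: staging     # same group on both Ingresses -> one ALB
    alb.ingress.kubernetes.io/group.order: "10"       # evaluated before the catch-all below
    alb.ingress.kubernetes.io/backend-protocol-version: HTTP2
spec:
  ingressClassName: alb
  rules:
    - host: auth.staging.company.com
      http:
        paths:
          - path: /zitadel.*                          # assumed prefix of gRPC method paths
            pathType: ImplementationSpecific          # lets the ALB treat * as a wildcard
            backend:
              service:
                name: zitadel
                port:
                  number: 8080
---
# Ingress 2: all remaining paths, forwarded to an HTTP/1.1 target group,
# so HTTP/1.1 clients calling the OAuth2/OIDC endpoints are not answered with 464.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: zitadel-http
  annotations:
    alb.ingress.kubernetes.io/group.name: staging
    alb.ingress.kubernetes.io/group.order: "20"
    alb.ingress.kubernetes.io/backend-protocol-version: HTTP1
spec:
  ingressClassName: alb
  rules:
    - host: auth.staging.company.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: zitadel
                port:
                  number: 8080
```

An HTTP/1.1 client that calls a `/zitadel.*` path would still receive 464 with this layout, so it only fits if those paths are used by HTTP/2 clients alone.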