Skip to main content
Version: v4

Zitadel

Documentation​

https://zitadel.com/docs/apis/openidoauth/endpoints

Configuration​

https://zitadel.com/docs/guides/integrate/oauth-recommended-flows

The Redirect URIs used when creating the credentials must include your full domain and end in the callback path. For example:

  • For production: https://{YOUR_DOMAIN}/api/auth/callback/zitadel
  • For development: http://localhost:3000/api/auth/callback/zitadel

Make sure to enable dev mode in ZITADEL console to allow redirects for local development.

Options​

The ZITADEL Provider comes with a set of default options:

You can override any of the options to suit your own use case.

Example​

import ZitadelProvider from "next-auth/providers/zitadel";
...
providers: [
  ZitadelProvider({
    issuer: process.env.ZITADEL_ISSUER,
    clientId: process.env.ZITADEL_CLIENT_ID,
    clientSecret: process.env.ZITADEL_CLIENT_SECRET,
  })
]
...

If you need access to ZITADEL APIs or need additional information, make sure to add the corresponding scopes.

To get the full list of supported claims take a look here.

const options = {
  ...
  providers: [
    ZitadelProvider({
      clientId: process.env.ZITADEL_CLIENT_ID,
      authorization: {
        params: {
            scope: `openid email profile urn:zitadel:iam:org:project:id:${process.env.ZITADEL_PROJECT_ID}:aud`
        }
      }
    })
  ],
  ...
}

:::

tip

ZITADEL also returns a email_verified boolean property in the profile.

You can use this property to restrict access to people with verified accounts.

const options = {
  ...
  callbacks: {
    async signIn({ account, profile }) {
      if (account.provider === "zitadel") {
        return profile.email_verified;
      }
      return true; // Do different verification for other providers that don't have `email_verified`
    },
  }
  ...
}