ZITADEL + Grafana Generic OAuth Configuration

Hello! I am trying to setup ZITADEL for providing SSO to an Angular web app and Grafana, so that I can embed Grafana plots into the web app.
Here is the configuration that I made:

GF_AUTH_GENERIC_OAUTH_SCOPES=openid email profile offline_access roles

After clicking on the OAuth button on Grafana’s login page I keep receiving an error

logger=context userId=0 orgId=0 uname= t=2023-09-01T10:47:40.851902657Z level=info msg="Request Completed" method=GET path=/login/generic_oauth status=302 remote_addr= time_ms=0 duration=347.915µs size=396 referer=http://localhost:3000/login handler=/login/:name
logger=oauth t=2023-09-01T10:47:42.704640444Z level=info msg="state check" queryState=f316eb6ebf202255057064f3f1a0f45a2373e0304f10835ba9cf7728f80cf08f cookieState=f316eb6ebf202255057064f3f1a0f45a2373e0304f10835ba9cf7728f80cf08f
logger=context userId=0 orgId=0 uname= t=2023-09-01T10:47:42.707990045Z level=error msg=login.OAuthLogin(NewTransportWithCode) error="oauth2: cannot fetch token: 404 Not Found\nResponse: ID=QUERY-n0wng Message=Instance not found\n"
logger=context userId=0 orgId=0 uname= t=2023-09-01T10:47:42.708049722Z level=error msg="Request Completed" method=GET path=/login/generic_oauth status=500 remote_addr= time_ms=3 duration=3.640827ms size=1365 referer= handler=/login/:name

Anyone knows what does "msg=login.OAuthLogin(NewTransportWithCode) error=“oauth2: cannot fetch token: 404 Not Found\nResponse: ID=QUERY-n0wng Message=Instance not found” mean?

It looks like request to configured token url returned 404 response.

Hi Zitadel co-founder here

It looks to me that you run Zitadel on localhost:8080 (your authorization endpoint at least points to this but not the api, token endpoint). If you want to use a different domain/port you need to configure it or you need to tell a proxy to rewrite the host header.

You can configure externaldomain in Zitadel through an env or config. read more here Custom Domain | ZITADEL Docs

Btw. We have a discord community on ZITADEL with a lot of resources for such questions


Thank you for your answer!
Yeah, the environment variables may appear slightly confusing, but I am trying to make it work on my PC with a Docker Compose with ZITADEL, Grafana, and Caddy images. The containers are on the same Docker network, so the token and api URLs (that are used by the Grafana container) refer to the ZITADEL Compose service.

So, as of now, the Grafana container is interacting directly with the ZITADEL container and, if I understand correctly, the HTTP requests have the wrong “Host” header due to the host configured on the URLs (zitadel:8080), which is not a known ZITADEL instance domain. Is it correct?

I read the “Custom Domain” guide, but it asks for mandatory HTTPS. Is there any way to use HTTP (for development)?