Skip to content
Migrating from NextAuth.js v4? Read our migration guide.
API reference
zitadel

providers/zitadel

Built-in Zitadel integration.

ZitadelProfile

The returned user profile from ZITADEL when using the profile callback. See the standard claims reference here. If you need access to ZITADEL APIs or need additional information, make sure to add the corresponding scopes.

Extends

  • Record<string, any>

Properties

amr

amr: string;

aud

aud: string;

auth_time

auth_time: number;

azp

azp: string;

email

email: string;

email_verified

email_verified: boolean;

exp

exp: number;

family_name

family_name: string;

gender

gender: string;

given_name

given_name: string;

iat

iat: number;

iss

iss: string;

jti

jti: string;

locale

locale: string;

name

name: string;

nbf

nbf: number;

phone

phone: string;

phone_verified

phone_verified: boolean;

picture

picture: string;

preferred_username

preferred_username: string;

sub

sub: string;

default()

default<P>(options): OIDCConfig<P>

Add ZITADEL login to your page.

Setup

Callback URL

https://example.com/api/auth/callback/zitadel

Configuration

import { Auth } from "@auth/core"
import ZITADEL from "@auth/core/providers/zitadel"
 
const request = new Request(origin)
const response = await Auth(request, {
  providers: [
    ZITADEL({
      clientId: ZITADEL_CLIENT_ID,
      clientSecret: ZITADEL_CLIENT_SECRET,
    }),
  ],
})

Resources

Notes

By default, Auth.js assumes that the ZITADEL provider is based on the Open ID Connect specification.

The Redirect URIs used when creating the credentials must include your full domain and end in the callback path. For example:

  • For production: https://{YOUR_DOMAIN}/api/auth/callback/zitadel
  • For development: http://localhost:3000/api/auth/callback/zitadel

Make sure to enable dev mode in ZITADEL console to allow redirects for local development.

💡

The ZITADEL provider comes with a default configuration. To override the defaults for your use case, check out customizing a built-in OAuth provider.

💡

ZITADEL also returns a email_verified boolean property in the profile. You can use this property to restrict access to people with verified accounts.

const options = {
  ...
  callbacks: {
    async signIn({ account, profile }) {
      if (account.provider === "zitadel") {
        return profile.email_verified;
      }
      return true; // Do different verification for other providers that don't have `email_verified`
    },
  }
  ...
}

Disclaimer If you think you found a bug in the default configuration, you can open an issue.

Auth.js strictly adheres to the specification and it cannot take responsibility for any deviation from the spec by the provider. You can open an issue, but if the problem is non-compliance with the spec, we might not pursue a resolution. You can ask for more help in Discussions.

Type parameters

Type parameter
P extends ZitadelProfile

Parameters

ParameterType
optionsOAuthUserConfig<P>

Returns

OIDCConfig<P>

Auth.js © Balázs Orbán and Team - 2024