[GH-ISSUE #1851] Docs: Pangolin/Zitadel integration claims setup missing step #6822

New Issue

Closed

opened 2026-04-25 15:46:31 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-25 15:46:31 -05:00

Owner

Copy Link

Originally created by @baughmann on GitHub (Nov 12, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1851

Describe the Bug

I've followed the relatively straight-forward docs for integrating Pangolin with Zitadel.

However, when trying to access a resource with a user provisioned for the Zitadel IdP, I get:

There was a problem connecting to Zitadel. Please contact your administrator.
User identifier not found in the ID token

I was unable to find the token in Chrome devtools otherwise I'd have looked at it in jwt.io and tried to see what I could find.

I was able to work around this by checking the "Include user's roles in the ID Token" in Zitadel -> Project -> Pangolin (App name) -> Token Settings.

Not sure if this is a bug on the Zitadel or the Pangolin side, but it seems a bit to have this field titled "roles" and then have a description of "Enables clients to retrieve profile, email, phone and address claims from ID token." Please investigate and let me know if you want me to open this bug over there.

Screenshot of the location of this checkbox in Zitadel:

Environment

For the OAuth app in Zitadel, I have the method set to Code with Basic/Authorization Code as the Auth Method/Grant Types

• Zitadel Version: v4.6.5
• OS Type & Version: Ubuntu 24.04.3 LTS,
• Docker Engine: 29.0.0
• Pangolin Version: 1.12.2
• Gerbil Version: 1.2.2
• Traefik Version: v3.6
• Newt Version: Not relevant
• Olm Version: (if applicable)

To Reproduce

Follow docs exactly: https://docs.pangolin.net/manage/identity-providers/zitadel

Just don't use the Zitadel that gets deployed with Pangolin in the quickstart.

Expected Behavior

I expect one of the following:

• The docs to be updated if this is legitimate behaviour, OR
• Zitadel to send preferred_username, OR
• Pangolin to be able to pull the correct user name from the token that Zitadel sends when the checkbox mentioned above is not checked

Originally created by @baughmann on GitHub (Nov 12, 2025). Original GitHub issue: https://github.com/fosrl/pangolin/issues/1851 ### Describe the Bug I've followed the relatively straight-forward [docs](https://docs.pangolin.net/manage/identity-providers/zitadel) for integrating Pangolin with Zitadel. However, when trying to access a resource with a user provisioned for the Zitadel IdP, I get: ``` There was a problem connecting to Zitadel. Please contact your administrator. User identifier not found in the ID token ``` I was unable to find the token in Chrome devtools otherwise I'd have looked at it in jwt.io and tried to see what I could find. I was able to work around this by checking the "Include user's roles in the ID Token" in Zitadel -> Project -> Pangolin (App name) -> Token Settings. Not sure if this is a bug on the Zitadel or the Pangolin side, but it seems a bit to have this field titled "roles" and then have a description of "Enables clients to retrieve profile, email, phone and address claims from ID token." Please investigate and let me know if you want me to open this bug over there. Screenshot of the location of this checkbox in Zitadel: <img width="981" height="712" alt="Image" src="https://github.com/user-attachments/assets/c87c682b-fc20-4b86-a9fd-35c0615b618f" /> ### Environment For the OAuth app in Zitadel, I have the method set to Code with Basic/Authorization Code as the Auth Method/Grant Types - Zitadel Version: v4.6.5 - OS Type & Version: Ubuntu 24.04.3 LTS, - Docker Engine: 29.0.0 - Pangolin Version: 1.12.2 - Gerbil Version: 1.2.2 - Traefik Version: v3.6 - Newt Version: Not relevant - Olm Version: (if applicable) ### To Reproduce Follow docs exactly: https://docs.pangolin.net/manage/identity-providers/zitadel Just don't use the Zitadel that gets deployed with Pangolin in the quickstart. ### Expected Behavior I expect one of the following: - The docs to be updated if this is legitimate behaviour, OR - Zitadel to send `preferred_username`, OR - Pangolin to be able to pull the correct user name from the token that Zitadel sends when the checkbox mentioned above is not checked

GiteaMirror closed this issue 2026-04-25 15:46:31 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

resource-policies

copilot/fix-create-alert-visibility

dev

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

redis

crowdin_dev

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

dependabot/docker/docker/library/node-25-slim

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#6822