OIDC Login Fails with Zitadel – Invalid Audience

[shanil-sasikumar]

When integrating SQLPage with a self-hosted Zitadel instance using OIDC, the login screen appears correctly and authentication completes successfully. However, after login, the SQLPage server terminal logs the following error, and the application does not proceed:

ERROR sqlpage::webserver::oidc] Failed to process OIDC callback with params code=zxEH4-2j8tEq6Zkp-pQ9gxMK3MIy-Id9VzTd80Uu8Ha--g&state=nnve1VTxumBj2-pFY9gFdQ: Invalid audiences: `329836626744180738` is not a trusted audience
[2025-07-22T06:36:31.502Z INFO  actix_web::middleware::logger] 127.0.0.1 "GET /sqlpage/oidc_callback?code=...&state=... HTTP/1.1" 307 14 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/138.0.0.0 Safari/537.36" 0.457895

Details

• OIDC Provider: Zitadel (self-hosted)
• Discovery URL: {oidc_issuer_url}/.well-known/openid-configuration
• OIDC Docs: Zitadel OIDC Integration Guide
• SQLPage Config:

{
  "oidc_issuer_url": "<zitadel-self-hosted-url>",
  "oidc_client_id": "<client-id>",
  "oidc_client_secret": "<client-secret>",
  "host": "localhost:8080"
}

• Redirect URI registered in Zitadel: http://localhost:8080/sqlpage/oidc_callback

Observation

After login, Zitadel issues a code, but SQLPage fails to validate the token with the error that the audience is not trusted.

Suggestion

It seems SQLPage may not recognize Zitadel as a valid OIDC provider or does not extract and validate the aud claim as expected for Zitadel-issued tokens. Guidance on expected audience format or a compatibility fix would help support Zitadel out-of-the-box.

[lovasoa]

Hi !

SQLPage rejects the ID token because it contains extra audiences (probably your zitadel project ID?) that are not trusted by your sqlpage application. This is required by the oidc spec: https://openid.net/specs/openid-connect-basic-1_0.html#IDTokenValidation

You should be able to fix it by making sure zitadel does not include any extra audiences in the aud claim of the jwt token it generates.

If your use case does require generating token with multiple audiences and having sqlpage trust additional audiences, then you could implement a new configuration option in sqlpage with custom extra audiences, and open a pull request. It is very rare to actually need multiple audiences, though, the easiest in your case is probably just to generate tokens with the right audience from the start.

[lovasoa]

https://questions.zitadel.com/m/1170780000014840008

[lovasoa]

@shanil-sasikumar a new configuration parameter has been added (oidc_additional_trusted_audiences), and additional audiences are now allowed by default.

In short Zitadel + SQLPage will work out of the box in v0.36