Serving concurrently via HTTPS and HTTP #11650

rafaelri · 2026-02-20T12:03:14Z

rafaelri
Feb 20, 2026

Hi all,

I'm willing to deploy Zitadel combined with oauth2-proxy so that my backend has almost no concerns when it comes to authenticating the requests.

                                                     ┌─────────────────────────────────┐
                                                     │                                 │
                                                     │ ┌──────────────┐    ┌──────┐    │
                                                     │ │              │    │      │    │
                                              ┌──────┼►│ OAuth2-Proxy ┼───►│      │    │
                                              │      │ │              │    │  B   │    │
┌──────────────┐        ┌──────────────┐      │      │ └──────┬───────┘    │  a   │    │
│              │        │              │      │      │        │            │  c   │    │
│  Frontend    ├───────►│ Reverse Proxy├──────┼      │        ▼            │  k   │    │
│              │        │ + SSL Term   │      │      │ ┌──────────────┐    │  e   │    │
└──────────────┘        └──────────────┘      │      │ │              │    │  n   │    │
                                              │      │ │ Zitadel      │    │  d   │    │
                                              └──────┼►│              │    │      │    │
                                                     │ └──────────────┘    └──────┘    │
                                                     │                                 │
                                                     └─────────────────────────────────┘

The issue I'm facing is that since SSL termination is being handled outside Zitadel (as expected) and oauth2-proxy is reaching to zitadel via the service mesh it only sees zitadel HTTP port but when trying to do the OIDC discovery Zitadel responds with a HTTPS header since it thinks everyone is reaching to it from the external world and hence via HTTPS.
Below is the error message I'm getting from oauth2-proxy:

[2026/02/19 22:48:21] [main.go:58] ERROR: Failed to initialise OAuth2 Proxy: error initialising provider: could not create provider data: error building OIDC ProviderVerifier: could not get verifier builder: error while discovery OIDC configuration: oidc: issuer did not match the issuer returned by provider, expected "http://zitadel:8080" got "https://zitadel:8080"

Is there any configuration option I can set on zitadel to select between http and https on a per-host basis?

rafaelri · 2026-02-22T01:01:42Z

rafaelri
Feb 22, 2026
Author

Found a far from ideal workaround of using OAUTH2_PROXY_INSECURE_OIDC_SKIP_ISSUER_VERIFICATION=true

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Serving concurrently via HTTPS and HTTP #11650

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Serving concurrently via HTTPS and HTTP #11650

Uh oh!

Uh oh!

rafaelri Feb 20, 2026

Replies: 1 comment

Uh oh!

rafaelri Feb 22, 2026 Author

rafaelri
Feb 20, 2026

rafaelri
Feb 22, 2026
Author