I’m trying to set up authentication using Zitadel as the identity provider along with oauth2-proxy and nginx-proxy-manager. Has anyone successfully integrated these three components together? I’m looking for a detailed walkthrough or configuration examples.
I found some basic documentation about creating applications in Zitadel and configuring oauth2-proxy, but I’m stuck on the integration part. Specifically, I need help understanding how to properly configure the reverse proxy setup with nginx-proxy-manager so that the authentication flow works correctly.
The tricky part seems to be getting all the redirects and headers configured properly between these services. Any working examples or step-by-step instructions would be really helpful!
I ran into similar headaches when setting this up last year. The key issue I encountered was the callback URL configuration - you need to make sure your Zitadel application has the correct redirect URI that matches your oauth2-proxy endpoint. What worked for me was setting up oauth2-proxy to run on a subdomain like auth.yourdomain.com, then in nginx-proxy-manager I configured the main application with an auth_request directive pointing to the oauth2-proxy auth endpoint. The critical part is ensuring the X-Auth-Request-* headers are properly passed through. One gotcha that cost me hours of debugging was the cookie domain settings in oauth2-proxy. Make sure your cookie domain is set correctly to match your setup, otherwise you’ll get authentication loops. Also double-check that your Zitadel client secret and oauth2-proxy configuration are using the same encoding format - I had issues with base64 encoding mismatches initially.
Been running this exact stack in production for about 8 months now. The configuration that finally worked for me involved setting up oauth2-proxy as a sidecar container and configuring nginx-proxy-manager to handle the authentication flow through internal networking. What most guides miss is the session storage configuration - I had persistent authentication issues until I switched oauth2-proxy from cookie-based sessions to Redis for session storage. This solved random logouts and improved reliability significantly. Another critical piece is the --skip-auth-regex parameter in oauth2-proxy for health checks and static assets. Without properly excluding these endpoints, your monitoring will break and static resources won’t load correctly. Make sure to test the entire flow with incognito browsers during setup because cached sessions can mask configuration problems. The redirect chain should be: user hits protected resource → nginx redirects to oauth2-proxy → oauth2-proxy redirects to Zitadel → back through the chain with proper tokens.
Just went through this nightmare myself lol. Biggest thing that got me was the CORS settings in Zitadel - make sure you whitelist your oauth2-proxy domain there or it’ll fail silently. Also don’t forget to set the --upstream flag in oauth2-proxy to point to your actual app backend, not the nginx frontend.
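Added example pulling together the auth_request wiring, the X-Auth-Request-* header pass-through, the cookie domain and the skip-auth setting mentioned in the three answers above; it is not code from any poster or from the oauth2-proxy project. It assumes oauth2-proxy on 127.0.0.1:4180, the protected app at https://app.example.com, Zitadel at https://zitadel.example.com and a backend at http://app-backend:8080, all placeholders.

```nginx
# Added example; not taken from any post in this thread.
# Assumptions: oauth2-proxy listens on 127.0.0.1:4180, the protected app is
# https://app.example.com, Zitadel is at https://zitadel.example.com, and the
# backend is reachable as http://app-backend:8080 (all placeholders).
#
# oauth2-proxy flags that the answers above refer to:
#   --provider=oidc --oidc-issuer-url=https://zitadel.example.com
#   --client-id=<ZITADEL_CLIENT_ID> --client-secret=<ZITADEL_CLIENT_SECRET>
#   --redirect-url=https://app.example.com/oauth2/callback   # must equal the redirect URI in the Zitadel app
#   --cookie-secret=<32-random-bytes-base64> --cookie-secure=true
#   --cookie-domain=.example.com   # must cover the protected host, or you get the login loop
#   --reverse-proxy=true           # trust X-Forwarded-* set by nginx
#   --set-xauthrequest=true        # return X-Auth-Request-User/Email from /oauth2/auth
#   --skip-auth-route="^/healthz"  # health checks bypass auth (successor of --skip-auth-regex)
#   --upstream=static://202        # nginx proxies the app itself; oauth2-proxy only answers auth checks
#   --email-domain=example.com --http-address=127.0.0.1:4180

# Sign-in, callback and sign-out are served on the app's own host, so the
# session cookie is set for the domain being protected.
location /oauth2/ {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host                    $host;
    proxy_set_header X-Real-IP               $remote_addr;
    proxy_set_header X-Forwarded-Proto       $scheme;
    proxy_set_header X-Auth-Request-Redirect $request_uri;  # where to return after login
}

# auth_request target: no body forwarded; oauth2-proxy answers 202 or 401.
location = /oauth2/auth {
    proxy_pass       http://127.0.0.1:4180;
    proxy_set_header Host            $host;
    proxy_set_header X-Real-IP       $remote_addr;
    proxy_set_header X-Forwarded-Uri $request_uri;
    proxy_set_header Content-Length  "";
    proxy_pass_request_body          off;
}

location / {
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;   # unauthenticated -> start the redirect chain

    # Copy identity headers from the subrequest to the real upstream request.
    auth_request_set $user  $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

    proxy_pass http://app-backend:8080;
}
```

With nginx-proxy-manager the natural place for this is the proxy host's custom nginx configuration, but NPM already generates its own location / block, so the auth_request lines have to be merged into that block rather than declared a second time; I have not verified this against a specific NPM version.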