[Bug]: Login V2 Microsoft/Entra Identity Provider failed validation

[mark-hofmeijer]

Preflight Checklist

• I could not find a solution in the documentation, the existing issues or discussions
• I have joined the ZITADEL chat

Version

4.0.1

Describe the problem caused by this bug

I followed the official guide to configure Entra ID as Identity Provider. I have enabled the "Automatic creation" of an account if it does not exists.

Once authenticated with Entra ID, the user is redirected to the V2 login page (/ui/v2/login/idp/azure/success?id=***&requestId=oidc_V2_***&token=***), however ZITADEL fails to create the account.

[invalid_argument] invalid AddHumanUserRequest.Profile: embedded message failed validation | caused by: invalid SetHumanProfile.GivenName: value length must be between 1 and 200 runes, inclusive

After requesting an ID token manually via Entra ID and inspecting the JWT token, I can confirm that the GivenName is present in the Entra token.

To reproduce

1. Add the Microsoft provider (Entra OIDC) to the list of available Identity Providers.
2. Go to the V2 login page and select the Microsoft provider for authentication.
3. Follow the authentication flow, make sure that the account used does not exist.
4. After redirecting to the login page, the error is shown.

Screenshots

Expected behavior

Account is created and user logged in.

Relevant Configuration

Additional Context

No response

[fforootd]

Hm what an odd error, just to be sure. But the Given name is between 1 and 200 characters, right?

Can you check the zitadel stdout logs for errors as well, you might be able to spot the http call there with the payload of the givename we tried to write into the field.

[mark-hofmeijer]

Yes, correct. When requesting a token manually via the same Entra ID App, I see my name (4 characters) as the given_name in the decoded payload.

The following error is given in the stdout of the zitadel-login container:

An error occurred while creating the user: Error [ConnectError]: [invalid_argument] invalid AddHumanUserRequest.Profile: embedded message failed validation | caused by: invalid SetHumanProfile.GivenName: value length must be between 1 and 200 runes, inclusive at u (.next/server/chunks/5297.js:9:29175) at w (.next/server/chunks/5297.js:9:30087) at next (.next/server/chunks/5297.js:9:66210) at async Object.unary (.next/server/chunks/5297.js:9:64942) at async Object.i [as addHumanUser] (.next/server/chunks/5297.js:9:160293) at async x (.next/server/app/(login)/idp/[provider]/success/page.js:1:9878) { rawMessage: 'invalid AddHumanUserRequest.Profile: embedded message failed validation | caused by: invalid SetHumanProfile.GivenName: value length must be between 1 and 200 runes, inclusive', code: 3, metadata: Headers { 'grpc-message': 'invalid AddHumanUserRequest.Profile: embedded message failed validation | caused by: invalid SetHumanProfile.GivenName: value length must be between 1 and 200 runes, inclusive', 'grpc-status': '3', 'content-type': 'application/grpc+proto', date: 'Fri, 15 Aug 2025 21:19:44 GMT', 'grpc-accept-encoding': 'gzip', 'grpc-encoding': 'gzip', vary: 'Origin', 'x-robots-tag': 'none' }, details: [], cause: undefined } { '$typeName': 'zitadel.user.v2.AddHumanUserRequest', metadata: [], passwordType: { case: undefined }, idpLinks: [ { '$typeName': 'zitadel.user.v2.IDPLink', idpId: '333453723797842690', userId: '', userName: '' } ], profile: { '$typeName': 'zitadel.user.v2.SetHumanProfile', givenName: '', familyName: '', preferredLanguage: 'und' }, email: { '$typeName': 'zitadel.user.v2.SetHumanEmail', email: '', verification: { case: 'isVerified', value: true } } }

And some related logs from the zitadel container itself:

time="2025-08-15T21:19:39Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:8080" grpcStatus=0 httpStatus=200 instance=333446569456069378 isSystemUser=false method=/zitadel.settings.v2.SettingsService/GetHostedLoginTranslation org=333446569456134914 path= requestMethod= trigger=resourceAPI user=333446569456855810 time="2025-08-15T21:19:39Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:8080" grpcStatus=0 httpStatus=200 instance=333446569456069378 isSystemUser=false method=/zitadel.settings.v2.SettingsService/GetLoginSettings org=333446569456134914 path= requestMethod= trigger=resourceAPI user=333446569456855810 time="2025-08-15T21:19:39Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:8080" grpcStatus=0 httpStatus=200 instance=333446569456069378 isSystemUser=false method=/zitadel.settings.v2.SettingsService/GetLoginSettings org=333446569456134914 path= requestMethod= trigger=resourceAPI user=333446569456855810 time="2025-08-15T21:19:39Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:8080" grpcStatus=0 httpStatus=200 instance=333446569456069378 isSystemUser=false method=/zitadel.settings.v2.SettingsService/GetActiveIdentityProviders org=333446569456134914 path= requestMethod= trigger=resourceAPI user=333446569456855810 time="2025-08-15T21:19:39Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:8080" grpcStatus=0 httpStatus=200 instance=333446569456069378 isSystemUser=false method=/zitadel.settings.v2.SettingsService/GetBrandingSettings org=333446569456134914 path= requestMethod= trigger=resourceAPI user=333446569456855810 time="2025-08-15T21:19:41Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:8080" grpcStatus=0 httpStatus=200 instance=333446569456069378 isSystemUser=false method=/zitadel.user.v2.UserService/StartIdentityProviderIntent org=333446569456134914 path= requestMethod= trigger=resourceAPI user=333446569456855810 time="2025-08-15T21:19:44Z" level=error msg="migration check failed" caller="/home/runner/work/zitadel/zitadel/internal/api/idp/idp.go:441" error="ID=COMMAND-Sn3l1 Message=Errors.IDMissing" intent=333525654450498306 time="2025-08-15T21:19:44Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:8080" grpcStatus=0 httpStatus=200 instance=333446569456069378 isSystemUser=false method=/zitadel.settings.v2.SettingsService/GetHostedLoginTranslation org=333446569456134914 path= requestMethod= trigger=resourceAPI user=333446569456855810 time="2025-08-15T21:19:44Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:8080" grpcStatus=0 httpStatus=200 instance=333446569456069378 isSystemUser=false method=/zitadel.settings.v2.SettingsService/GetBrandingSettings org=333446569456134914 path= requestMethod= trigger=resourceAPI user=333446569456855810 time="2025-08-15T21:19:44Z" level=info msg=activity caller="/home/runner/work/zitadel/zitadel/internal/activity/activity.go:105" domain="http://localhost:8080" grpcStatus=0 httpStatus=200 instance=333446569456069378 isSystemUser=false method=/zitadel.user.v2.UserService/RetrieveIdentityProviderIntent org=333446569456134914 path= requestMethod= trigger=resourceAPI user=333446569456855810

So it seems that the properties are not mapped correctly. Besides the givenName, also properties like familyName and email are empty.

This code block seems to ultimately result in the ConnectError:
https://github.com/zitadel/typescript/blob/main/src/app/(login)/idp/%5Bprovider%5D/success/page.tsx#L245-L286

[mark-hofmeijer]

A side note: I did not have this error when using a v3.3.x some weeks ago, using the same Entra ID App (nothing changed on that side) but the v1 login experience. That was working well!

[fforootd]

Hm @livio-a @peintnermax are you aware of something not working in v4 here with the new login?

[livio-a]

I was not aware of this, but quickly talked with @peintnermax. It seems like a mapping issue in the backend.
@stebenz can you please check this or instruct @grvijayan with the necessary info.