OIDC fork (by Timshel) and Zitadel


I know this question is about a fork, so this may not be the best place to ask a question, but I found no other place (other than issues in the fork, which are not made for help requests).

I want to use the Vaultwarden OIDC fork by Timshel (GitHub - Timshel/vaultwarden: Fork from dani-garcia/vaultwarden to add OpenID support) with Zitadel as my OIDC provider. I am struggling to get it to work. My compose is the following:

    image: ghcr.io/timshel/vaultwarden:latest
    container_name: vaultwarden
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - SSO_ONLY=true
      - DOMAIN=https://vault.${DOMAIN}
      - SIGNUPS_ALLOWED=false
      - SSO_AUTHORITY=https://auth.${DOMAIN}
      - SSO_PKCE=true
      - SSO_ROLES_ENABLED=true
      - SSO_ENABLED=true
      - SSO_AUDIENCE_TRUSTED='^264076946105696259$'
      - SSO_SCOPES="email profile offline_access
      - SSO_FRONTEND=override
      - SSO_CLIENT_ID=redacted
      - SSO_CLIENT_SECRET=dummy
    networks:  # section key was lost from the post; assumed from the "- services" entry below
      - services
    volumes:
      - ${CONFIG_FOLDER}/vaultwarden:/data
    restart: unless-stopped

When I try to log in with SSO, I get a 400 error:

    auth.mydomain.com CLIENTIPREDACTED - - [23/Apr/2024:21:44:37 +0200] "GET /oauth/v2/authorize?response_type=code&client_id=REDACTED&state=qgqBM4AwMr7BhhdL3kj7EgAsgoxSgmW5Fw36Q7QfxNotBS8VaWUcwpimwaAJkYx2_identifier%3Dundefined&code_challenge=W4AbiB0tG1GzI-xQYR6TDJczWDGrJT2k_HglACayhGc&code_challenge_method=S256&redirect_uri=https%3A%2F%2Fvault.mydomain.com%2Fidentity%2Fconnect%2Foidc-signin&scope=openid+%22email+profile+offline_access&nonce=Av91kk8hE6JjbVrI1jU2vA HTTP/2.0" 400 184161 "https://vault.mydomain.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0"

What I understand from this error is that Vaultwarden is not sending the correct headers to the OIDC endpoint. I suppose that my Vaultwarden configuration is incorrect.

Any help, any answer is welcome.
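As an added check, not part of the post, the Vaultwarden fork or Zitadel: a small Python script that pulls the authorization request out of an access-log line like the one above and validates the parameters an OIDC provider is entitled to reject before it shows a login page (each scope token against the RFC 6749 charset, presence of `openid`, the `redirect_uri`, and the PKCE challenge length for S256). The log line is the one quoted in the post with the IP and user-agent fields dropped; the expected `redirect_uri` is an assumption derived from the `DOMAIN` value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The access-log line quoted in the post, with the client IP and user-agent
# fields dropped (only the request line and status code matter for the check).
SAMPLE_LOG = (
    'auth.mydomain.com CLIENTIPREDACTED - - [23/Apr/2024:21:44:37 +0200] '
    '"GET /oauth/v2/authorize?response_type=code&client_id=REDACTED'
    '&state=qgqBM4AwMr7BhhdL3kj7EgAsgoxSgmW5Fw36Q7QfxNotBS8VaWUcwpimwaAJkYx2_identifier%3Dundefined'
    '&code_challenge=W4AbiB0tG1GzI-xQYR6TDJczWDGrJT2k_HglACayhGc&code_challenge_method=S256'
    '&redirect_uri=https%3A%2F%2Fvault.mydomain.com%2Fidentity%2Fconnect%2Foidc-signin'
    '&scope=openid+%22email+profile+offline_access&nonce=Av91kk8hE6JjbVrI1jU2vA HTTP/2.0" 400 184161'
)

# RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable
# ASCII except space, double quote (0x22) and backslash (0x5C).
SCOPE_TOKEN = re.compile(r"^[\x21\x23-\x5b\x5d-\x7e]+$")
# Request line and status code as written by a Common/Combined Log Format logger.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def parse_authorize_request(log_line):
    """Return (http_status, query_params) for the request logged in log_line.
    parse_qs percent-decodes and turns '+' back into spaces, so the scope
    value comes out exactly as the provider saw it."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        raise ValueError("no HTTP request line found in log line")
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    return int(m.group("status")), {k: v[0] for k, v in query.items()}


def check_authorize_request(log_line, expected_redirect_uri):
    """Return (http_status, findings); each finding names a parameter that a
    provider may reject before it ever shows a login page."""
    status, q = parse_authorize_request(log_line)
    scopes = q.get("scope", "").split(" ")
    findings = []
    for token in scopes:
        if not SCOPE_TOKEN.match(token):
            findings.append(f"scope token {token!r} is not a valid RFC 6749 scope-token")
    if "openid" not in scopes:
        findings.append("scope does not include 'openid', so this is not an OIDC request")
    if q.get("redirect_uri") != expected_redirect_uri:
        findings.append(f"redirect_uri {q.get('redirect_uri')!r} != {expected_redirect_uri!r}")
    # RFC 7636 S256: base64url(SHA-256) without padding is always 43 characters.
    if q.get("code_challenge_method") == "S256" and len(q.get("code_challenge", "")) != 43:
        findings.append("code_challenge is not a base64url-encoded SHA-256 digest")
    return status, findings
```

Run `check_authorize_request(SAMPLE_LOG, "https://vault.mydomain.com/identity/connect/oidc-signin")` to get the status and the list of findings for the logged request.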