2022-02-09 15:01:19 +01:00
Log :
2023-08-07 22:32:10 +02:00
Level : info # ZITADEL_LOG_LEVEL
2022-02-09 15:01:19 +01:00
Formatter :
2024-02-16 17:04:42 +01:00
Format : text # ZITADEL_LOG_FORMATTER_FORMAT
2022-02-11 11:02:47 +01:00
2022-07-18 10:42:32 +02:00
# Exposes metrics on /debug/metrics
Metrics :
# Select type otel (OpenTelemetry) or none (disables collection and endpoint)
2023-08-07 22:32:10 +02:00
Type : otel # ZITADEL_METRICS_TYPE
2022-07-18 10:42:32 +02:00
2022-11-03 12:22:17 +01:00
Tracing :
# Choose one in "otel", "google", "log" and "none"
2023-11-24 13:38:52 +01:00
# Depending on the type there are different configuration options
# for type 'otel' is used for standard [open telemetry](https://opentelemetry.io)
# Fraction: 1.0
# Endpoint: 'otel.collector.endpoint'
2024-05-13 16:01:50 +02:00
#
2023-11-24 13:38:52 +01:00
# type 'log' or '' disables tracing
2024-05-13 16:01:50 +02:00
#
2023-11-24 13:38:52 +01:00
# for type 'google'
# ProjectID: ''
# Fraction: 1.0
2023-08-07 22:32:10 +02:00
Type : none # ZITADEL_TRACING_TYPE
Fraction : 1.0 # ZITADEL_TRACING_FRACTION
2023-11-24 13:38:52 +01:00
# The endpoint of the otel collector endpoint
2024-05-13 16:01:50 +02:00
Endpoint : "" #ZITADEL_TRACING_ENDPOINT
2022-11-03 12:22:17 +01:00
2024-08-16 15:26:53 +02:00
# Profiler enables capturing profiling data (CPU, Memory, ...) for performance analysis
Profiler :
# Choose one of "google" and "none"
# Depending on the type there are different configuration options
# for type 'google'
# ProjectID: google-project-id
#
# type 'none' or '' disables profiling
Type : none # ZITADEL_PROFILER_TYPE
# projectID for google
ProjectID : '' # ZITADEL_PROFILER_PROJECTID
2023-07-06 08:38:13 +02:00
Telemetry :
# As long as Enabled is true, ZITADEL tries to send usage data to the configured Telemetry.Endpoints.
# Data is projected by ZITADEL even if Enabled is false.
# This means that switching this to true makes ZITADEL try to send past data.
2024-02-16 17:04:42 +01:00
Enabled : false # ZITADEL_TELEMETRY_ENABLED
2023-07-06 08:38:13 +02:00
# Push telemetry data to all these endpoints at least once using an HTTP POST request.
# If one endpoint returns an unsuccessful response code or times out,
# ZITADEL retries to push the data point to all configured endpoints until it succeeds.
# Configure delivery guarantees and intervals in the section Projections.Customizations.Telemetry
# The endpoints can be reconfigured at runtime.
# Ten redirects are followed.
# If you change this configuration at runtime, remaining data that is not successfully delivered to the old endpoints is sent to the new endpoints.
Endpoints :
- https://httpbin.org/post
# These headers are sent with every request to the configured endpoints.
2024-02-16 17:04:42 +01:00
# Configure headers by environment variable using a JSON string with header values as arrays, like this:
# ZITADEL_TELEMETRY_HEADERS='{"header1": ["value1"], "header2": ["value2", "value3"]}'
Headers : # ZITADEL_TELEMETRY_HEADERS
2023-07-06 08:38:13 +02:00
# single-value: "single-value"
# multi-value:
# - "multi-value-1"
# - "multi-value-2"
# The maximum number of data points that are queried before they are sent to the configured endpoints.
Limit : 100 # ZITADEL_TELEMETRY_LIMIT
2022-06-24 14:38:22 +02:00
# Port ZITADEL will listen on
2023-08-07 22:32:10 +02:00
Port : 8080 # ZITADEL_PORT
2023-11-09 11:30:15 +01:00
# ExternalPort is the port on which end users access ZITADEL.
# It can differ from Port e.g. if a reverse proxy forwards the traffic to ZITADEL
# Read more about external access: https://zitadel.com/docs/self-hosting/manage/custom-domain
2023-08-15 12:53:26 +01:00
ExternalPort : 8080 # ZITADEL_EXTERNALPORT
2024-11-22 10:25:25 +01:00
# ExternalDomain is the domain on which end users access ZITADEL.
2023-11-09 11:30:15 +01:00
# Read more about external access: https://zitadel.com/docs/self-hosting/manage/custom-domain
2023-08-15 12:53:26 +01:00
ExternalDomain : localhost # ZITADEL_EXTERNALDOMAIN
2023-11-09 11:30:15 +01:00
# ExternalSecure specifies if ZITADEL is exposed externally using HTTPS or HTTP.
# Read more about external access: https://zitadel.com/docs/self-hosting/manage/custom-domain
2023-08-07 22:32:10 +02:00
ExternalSecure : true # ZITADEL_EXTERNALSECURE
2022-06-24 14:38:22 +02:00
TLS :
2023-08-07 22:32:10 +02:00
# If enabled, ZITADEL will serve all traffic over TLS (HTTPS and gRPC)
2022-06-24 14:38:22 +02:00
# you must then also provide a private key and certificate to be used for the connection
# either directly or by a path to the corresponding file
2023-08-07 22:32:10 +02:00
Enabled : true # ZITADEL_TLS_ENABLED
# Path to the private key of the TLS certificate, will be loaded into the key
# and overwrite any existing value
# E.g. /path/to/key/file.pem
KeyPath : # ZITADEL_TLS_KEYPATH
# Private key of the TLS certificate (KeyPath has a higher priority than Key)
# base64 encoded content of a pem file
Key : # ZITADEL_TLS_KEY
# Path to the certificate for the TLS connection, will be loaded into the Cert
# and overwrite any existing value
# E.g. /path/to/cert/file.pem
CertPath : # ZITADEL_TLS_CERTPATH
# Certificate for the TLS connection (CertPath will this overwrite if specified)
# base64 encoded content of a pem file
Cert : # ZITADEL_TLS_CERT
2022-06-24 14:38:22 +02:00
# Header name of HTTP2 (incl. gRPC) calls from which the instance will be matched
feat: trusted (instance) domains (#8369)
# Which Problems Are Solved
ZITADEL currently selects the instance context based on a HTTP header
(see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and
checks it against the list of instance domains. Let's call it instance
or API domain.
For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in
emails, ...) the requested domain (instance domain) will be used. Let's
call it the public domain.
In cases of proxied setups, all exposed domains (public domains) require
the domain to be managed as instance domain.
This can either be done using the "ExternalDomain" in the runtime config
or via system API, which requires a validation through CustomerPortal on
zitadel.cloud.
# How the Problems Are Solved
- Two new headers / header list are added:
- `InstanceHostHeaders`: an ordered list (first sent wins), which will
be used to match the instance.
(For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader`
and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked
afterwards as well)
- `PublicHostHeaders`: an ordered list (first sent wins), which will be
used as public host / domain. This will be checked against a list of
trusted domains on the instance.
- The middleware intercepts all requests to the API and passes a
`DomainCtx` object with the hosts and protocol into the context
(previously only a computed `origin` was passed)
- HTTP / GRPC server do not longer try to match the headers to instances
themself, but use the passed `http.DomainContext` in their interceptors.
- The `RequestedHost` and `RequestedDomain` from authz.Instance are
removed in favor of the `http.DomainContext`
- When authenticating to or signing out from Console UI, the current
`http.DomainContext(ctx).Origin` (already checked by instance
interceptor for validity) is used to compute and dynamically add a
`redirect_uri` and `post_logout_redirect_uri`.
- Gateway passes all configured host headers (previously only did
`x-zitadel-*`)
- Admin API allows to manage trusted domain
# Additional Changes
None
# Additional Context
- part of #8279
- open topics:
- "single-instance" mode
- Console UI
2024-07-31 17:00:38 +02:00
# Deprecated: Use the InstanceHostHeaders instead
2023-08-07 22:32:10 +02:00
HTTP2HostHeader : ":authority" # ZITADEL_HTTP2HOSTHEADER
2022-06-24 14:38:22 +02:00
# Header name of HTTP1 calls from which the instance will be matched
feat: trusted (instance) domains (#8369)
# Which Problems Are Solved
ZITADEL currently selects the instance context based on a HTTP header
(see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and
checks it against the list of instance domains. Let's call it instance
or API domain.
For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in
emails, ...) the requested domain (instance domain) will be used. Let's
call it the public domain.
In cases of proxied setups, all exposed domains (public domains) require
the domain to be managed as instance domain.
This can either be done using the "ExternalDomain" in the runtime config
or via system API, which requires a validation through CustomerPortal on
zitadel.cloud.
# How the Problems Are Solved
- Two new headers / header list are added:
- `InstanceHostHeaders`: an ordered list (first sent wins), which will
be used to match the instance.
(For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader`
and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked
afterwards as well)
- `PublicHostHeaders`: an ordered list (first sent wins), which will be
used as public host / domain. This will be checked against a list of
trusted domains on the instance.
- The middleware intercepts all requests to the API and passes a
`DomainCtx` object with the hosts and protocol into the context
(previously only a computed `origin` was passed)
- HTTP / GRPC server do not longer try to match the headers to instances
themself, but use the passed `http.DomainContext` in their interceptors.
- The `RequestedHost` and `RequestedDomain` from authz.Instance are
removed in favor of the `http.DomainContext`
- When authenticating to or signing out from Console UI, the current
`http.DomainContext(ctx).Origin` (already checked by instance
interceptor for validity) is used to compute and dynamically add a
`redirect_uri` and `post_logout_redirect_uri`.
- Gateway passes all configured host headers (previously only did
`x-zitadel-*`)
- Admin API allows to manage trusted domain
# Additional Changes
None
# Additional Context
- part of #8279
- open topics:
- "single-instance" mode
- Console UI
2024-07-31 17:00:38 +02:00
# Deprecated: Use the InstanceHostHeaders instead
2023-08-07 22:32:10 +02:00
HTTP1HostHeader : "host" # ZITADEL_HTTP1HOSTHEADER
feat: trusted (instance) domains (#8369)
# Which Problems Are Solved
ZITADEL currently selects the instance context based on a HTTP header
(see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and
checks it against the list of instance domains. Let's call it instance
or API domain.
For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in
emails, ...) the requested domain (instance domain) will be used. Let's
call it the public domain.
In cases of proxied setups, all exposed domains (public domains) require
the domain to be managed as instance domain.
This can either be done using the "ExternalDomain" in the runtime config
or via system API, which requires a validation through CustomerPortal on
zitadel.cloud.
# How the Problems Are Solved
- Two new headers / header list are added:
- `InstanceHostHeaders`: an ordered list (first sent wins), which will
be used to match the instance.
(For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader`
and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked
afterwards as well)
- `PublicHostHeaders`: an ordered list (first sent wins), which will be
used as public host / domain. This will be checked against a list of
trusted domains on the instance.
- The middleware intercepts all requests to the API and passes a
`DomainCtx` object with the hosts and protocol into the context
(previously only a computed `origin` was passed)
- HTTP / GRPC server do not longer try to match the headers to instances
themself, but use the passed `http.DomainContext` in their interceptors.
- The `RequestedHost` and `RequestedDomain` from authz.Instance are
removed in favor of the `http.DomainContext`
- When authenticating to or signing out from Console UI, the current
`http.DomainContext(ctx).Origin` (already checked by instance
interceptor for validity) is used to compute and dynamically add a
`redirect_uri` and `post_logout_redirect_uri`.
- Gateway passes all configured host headers (previously only did
`x-zitadel-*`)
- Admin API allows to manage trusted domain
# Additional Changes
None
# Additional Context
- part of #8279
- open topics:
- "single-instance" mode
- Console UI
2024-07-31 17:00:38 +02:00
# Ordered header name list, which will be used to match the instance
InstanceHostHeaders : # ZITADEL_INSTANCEHOSTHEADERS
- "x-zitadel-instance-host"
# Ordered header name list, which will be used as the public host
PublicHostHeaders : # ZITADEL_PUBLICHOSTHEADERS
- "x-zitadel-public-host"
2022-02-14 17:22:30 +01:00
2024-02-16 17:04:42 +01:00
WebAuthNName : ZITADEL # ZITADEL_WEBAUTHNNAME
2022-04-25 10:01:17 +02:00
2022-02-14 17:22:30 +01:00
Database :
2023-12-20 18:13:04 +02:00
# ZITADEL manages three database connection pools.
# The *ConnRatio settings define the ratio of how many connections from
# MaxOpenConns and MaxIdleConns are used to push events and spool projections.
# Remaining connection are used for queries (search).
# Values may not be negative and the sum of the ratios must always be less than 1.
2024-07-17 17:16:02 +02:00
# For example this defaults define 15 MaxOpenConns overall.
# - 15*0.2=3 connections are allocated to the event pusher;
# - 15*0.135=2 connections are allocated to the projection spooler;
# - 15-(3+2)=10 connections are remaining for queries;
2023-10-19 12:19:10 +02:00
EventPushConnRatio : 0.2 # ZITADEL_DATABASE_COCKROACH_EVENTPUSHCONNRATIO
2024-07-17 17:16:02 +02:00
ProjectionSpoolerConnRatio : 0.135 # ZITADEL_DATABASE_COCKROACH_PROJECTIONSPOOLERCONNRATIO
2023-08-07 22:32:10 +02:00
# CockroachDB is the default database of ZITADEL
2022-07-28 16:25:42 +02:00
cockroach :
2023-08-07 22:32:10 +02:00
Host : localhost # ZITADEL_DATABASE_COCKROACH_HOST
Port : 26257 # ZITADEL_DATABASE_COCKROACH_PORT
Database : zitadel # ZITADEL_DATABASE_COCKROACH_DATABASE
2024-07-17 17:16:02 +02:00
MaxOpenConns : 15 # ZITADEL_DATABASE_COCKROACH_MAXOPENCONNS
MaxIdleConns : 12 # ZITADEL_DATABASE_COCKROACH_MAXIDLECONNS
2023-08-07 22:32:10 +02:00
MaxConnLifetime : 30m # ZITADEL_DATABASE_COCKROACH_MAXCONNLIFETIME
MaxConnIdleTime : 5m # ZITADEL_DATABASE_COCKROACH_MAXCONNIDLETIME
Options : "" # ZITADEL_DATABASE_COCKROACH_OPTIONS
2022-07-28 16:25:42 +02:00
User :
2023-08-07 22:32:10 +02:00
Username : zitadel # ZITADEL_DATABASE_COCKROACH_USER_USERNAME
Password : "" # ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
2022-07-28 16:25:42 +02:00
SSL :
2023-08-07 22:32:10 +02:00
Mode : disable # ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE
RootCert : "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT
Cert : "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT
Key : "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY
2022-07-28 16:25:42 +02:00
Admin :
2024-06-10 12:49:30 +02:00
# By default, ExistingDatabase is not specified in the connection string
# If the connection resolves to a database that is not existing in your system, configure an existing one here
# It is used in zitadel init to connect to cockroach and create a dedicated database for ZITADEL.
ExistingDatabase : # ZITADEL_DATABASE_COCKROACH_ADMIN_EXISTINGDATABASE
2023-08-07 22:32:10 +02:00
Username : root # ZITADEL_DATABASE_COCKROACH_ADMIN_USERNAME
Password : "" # ZITADEL_DATABASE_COCKROACH_ADMIN_PASSWORD
2022-07-28 16:25:42 +02:00
SSL :
2023-08-07 22:32:10 +02:00
Mode : disable # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_MODE
RootCert : "" # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT
Cert : "" # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT
Key : "" # ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY
2022-08-31 09:52:43 +02:00
# Postgres is used as soon as a value is set
# The values describe the possible fields to set values
postgres :
2023-08-07 22:32:10 +02:00
Host : # ZITADEL_DATABASE_POSTGRES_HOST
Port : # ZITADEL_DATABASE_POSTGRES_PORT
Database : # ZITADEL_DATABASE_POSTGRES_DATABASE
MaxOpenConns : # ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS
MaxIdleConns : # ZITADEL_DATABASE_POSTGRES_MAXIDLECONNS
MaxConnLifetime : # ZITADEL_DATABASE_POSTGRES_MAXCONNLIFETIME
MaxConnIdleTime : # ZITADEL_DATABASE_POSTGRES_MAXCONNIDLETIME
Options : # ZITADEL_DATABASE_POSTGRES_OPTIONS
2022-08-31 09:52:43 +02:00
User :
2023-08-07 22:32:10 +02:00
Username : # ZITADEL_DATABASE_POSTGRES_USER_USERNAME
Password : # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
2022-08-31 09:52:43 +02:00
SSL :
2023-08-07 22:32:10 +02:00
Mode : # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
RootCert : # ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
Cert : # ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
Key : # ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
2022-08-31 09:52:43 +02:00
Admin :
2024-06-10 12:49:30 +02:00
# The default ExistingDatabase is postgres
# If your db system doesn't have a database named postgres, configure an existing database here
# It is used in zitadel init to connect to postgres and create a dedicated database for ZITADEL.
ExistingDatabase : # ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE
2023-08-07 22:32:10 +02:00
Username : # ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME
Password : # ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD
2022-08-31 09:52:43 +02:00
SSL :
2023-08-07 22:32:10 +02:00
Mode : # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE
RootCert : # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_ROOTCERT
Cert : # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_CERT
Key : # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_KEY
2022-02-14 17:22:30 +01:00
2024-09-25 22:40:21 +03:00
# Caches are EXPERIMENTAL. The following config may have breaking changes in the future.
# If no config is provided, caching is disabled by default.
2024-11-04 11:44:51 +01:00
Caches :
2024-09-25 22:40:21 +03:00
# Connectors are reused by caches.
2024-11-04 11:44:51 +01:00
Connectors :
2024-09-25 22:40:21 +03:00
# Memory connector works with local server memory.
# It is the simplest (and probably fastest) cache implementation.
# Unsuitable for deployments with multiple containers,
# as each container's cache may hold a different state of the same object.
2024-11-04 11:44:51 +01:00
Memory :
Enabled : false
2024-09-25 22:40:21 +03:00
# AutoPrune removes invalidated or expired object from the cache.
2024-11-04 11:44:51 +01:00
AutoPrune :
Interval : 1m
TimeOut : 5s
2025-01-06 10:47:46 +01:00
# Postgres connector uses the configured database (postgres or cockraochdb) as cache.
# It is suitable for deployments with multiple containers.
# The cache is enabled by default because it is the default cache states for IdP form callbacks
2024-11-04 11:44:51 +01:00
Postgres :
2025-01-06 10:47:46 +01:00
Enabled : true
2024-11-04 11:44:51 +01:00
AutoPrune :
Interval : 15m
TimeOut : 30s
Redis :
Enabled : false
# The network type, either tcp or unix.
# Default is tcp.
# Network string
# host:port address.
Addr : localhost:6379
# ClientName will execute the `CLIENT SETNAME ClientName` command for each conn.
2024-11-13 23:18:47 +02:00
ClientName : ""
2024-11-04 11:44:51 +01:00
# Use the specified Username to authenticate the current connection
# with one of the connections defined in the ACL list when connecting
# to a Redis 6.0 instance, or greater, that is using the Redis ACL system.
2024-11-13 23:18:47 +02:00
Username : ""
2024-11-04 11:44:51 +01:00
# Optional password. Must match the password specified in the
# requirepass server configuration option (if connecting to a Redis 5.0 instance, or lower),
# or the User Password when connecting to a Redis 6.0 instance, or greater,
# that is using the Redis ACL system.
Password : ""
# Each ZITADEL cache uses an incremental DB namespace.
# This option offsets the first DB so it doesn't conflict with other databases on the same server.
# Note that ZITADEL uses FLUSHDB command to truncate a cache.
# This can have destructive consequences when overlapping DB namespaces are used.
DBOffset : 10
# Maximum number of retries before giving up.
# Default is 3 retries; -1 (not 0) disables retries.
MaxRetries : 3
# Minimum backoff between each retry.
# Default is 8 milliseconds; -1 disables backoff.
MinRetryBackoff : 8ms
# Maximum backoff between each retry.
# Default is 512 milliseconds; -1 disables backoff.
MaxRetryBackoff : 512ms
# Dial timeout for establishing new connections.
# Default is 5 seconds.
DialTimeout : 1s
# Timeout for socket reads. If reached, commands will fail
# with a timeout instead of blocking. Supported values:
# - `0` - default timeout (3 seconds).
# - `-1` - no timeout (block indefinitely).
# - `-2` - disables SetReadDeadline calls completely.
ReadTimeout : 100ms
# Timeout for socket writes. If reached, commands will fail
# with a timeout instead of blocking. Supported values:
# - `0` - default timeout (3 seconds).
# - `-1` - no timeout (block indefinitely).
# - `-2` - disables SetWriteDeadline calls completely.
WriteTimeout : 100ms
# Type of connection pool.
# true for FIFO pool, false for LIFO pool.
# Note that FIFO has slightly higher overhead compared to LIFO,
# but it helps closing idle connections faster reducing the pool size.
PoolFIFO : false
# Base number of socket connections.
# Default is 10 connections per every available CPU as reported by runtime.GOMAXPROCS.
# If there is not enough connections in the pool, new connections will be allocated in excess of PoolSize,
# you can limit it through MaxActiveConns
PoolSize : 20
# Amount of time client waits for connection if all connections
# are busy before returning an error.
# Default is ReadTimeout + 1 second.
PoolTimeout : 100ms
# Minimum number of idle connections which is useful when establishing
# new connection is slow.
# Default is 0. the idle connections are not closed by default.
MinIdleConns : 5
# Maximum number of idle connections.
# Default is 0. the idle connections are not closed by default.
MaxIdleConns : 10
# Maximum number of connections allocated by the pool at a given time.
# When zero, there is no limit on the number of connections in the pool.
MaxActiveConns : 40
# ConnMaxIdleTime is the maximum amount of time a connection may be idle.
# Should be less than server's timeout.
# Expired connections may be closed lazily before reuse.
# If d <= 0, connections are not closed due to a connection's idle time.
# Default is 30 minutes. -1 disables idle timeout check.
ConnMaxIdleTime : 30m
# ConnMaxLifetime is the maximum amount of time a connection may be reused.
# Expired connections may be closed lazily before reuse.
# If <= 0, connections are not closed due to a connection's age.
# Default is to not close idle connections.
ConnMaxLifetime : -1
# Enable TLS server authentication using the default system bundle.
EnableTLS : false
# Disable set-lib on connect. Default is false.
DisableIndentity : false
# Add suffix to client name. Default is empty.
IdentitySuffix : ""
2024-11-13 20:11:48 +02:00
# Implementation of [Circuit Breaker Pattern](https://learn.microsoft.com/en-us/previous-versions/msp-n-p/dn589784(v=pandp.10)?redirectedfrom=MSDN)
CircuitBreaker :
# Interval when the counters are reset to 0.
# 0 interval never resets the counters until the CB is opened.
Interval : 0
# Amount of consecutive failures permitted
MaxConsecutiveFailures : 5
# The ratio of failed requests out of total requests
MaxFailureRatio : 0.1
# Timeout after opening of the CB, until the state is set to half-open.
Timeout : 60s
# The allowed amount of requests that are allowed to pass when the CB is half-open.
MaxRetryRequests : 1
2024-09-25 22:40:21 +03:00
# Instance caches auth middleware instances, gettable by domain or ID.
2024-11-04 11:44:51 +01:00
Instance :
2024-09-25 22:40:21 +03:00
# Connector must be enabled above.
# When connector is empty, this cache will be disabled.
2024-11-04 11:44:51 +01:00
Connector : ""
MaxAge : 1h
2025-01-06 10:47:46 +01:00
LastUseAge : 10m
2024-11-04 11:44:51 +01:00
# Log enables cache-specific logging. Default to error log to stderr when omitted.
Log :
Level : error
AddSource : true
Formatter :
Format : text
# Milestones caches instance milestone state, gettable by instance ID
Milestones :
Connector : ""
MaxAge : 1h
2025-01-06 10:47:46 +01:00
LastUseAge : 10m
2024-11-04 11:44:51 +01:00
Log :
Level : error
AddSource : true
Formatter :
Format : text
2024-11-21 08:05:03 +02:00
# Organization cache, gettable by primary domain or ID.
Organization :
Connector : ""
MaxAge : 1h
2025-01-06 10:47:46 +01:00
LastUseAge : 10m
Log :
Level : error
AddSource : true
Formatter :
Format : text
# IdP callbacks using form POST cache, required for handling them securely and without possible too big request urls.
IdPFormCallbacks :
Connector : "postgres"
MaxAge : 1h
LastUseAge : 10m
2024-11-21 08:05:03 +02:00
Log :
Level : error
AddSource : true
Formatter :
Format : text
2024-09-25 22:40:21 +03:00
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
Machine :
2023-08-07 22:32:10 +02:00
# Cloud-hosted VMs need to specify their metadata endpoint so that the machine can be uniquely identified.
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
Identification :
# Use private IP to identify machines uniquely
PrivateIp :
2023-08-07 22:32:10 +02:00
Enabled : true # ZITADEL_MACHINE_IDENTIFICATION_PRIVATEIP_ENABLED
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
# Use hostname to identify machines uniquely
# You want the process to be identified uniquely, so this works well in k8s where each pod gets its own
2023-08-07 22:32:10 +02:00
# unique hostname, but not as well in some other hosting environments.
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
Hostname :
2023-08-07 22:32:10 +02:00
Enabled : false # ZITADEL_MACHINE_IDENTIFICATION_HOSTNAME_ENABLED
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
# Use a webhook response to identify machines uniquely
# Google Cloud Configuration
Webhook :
2023-08-07 22:32:10 +02:00
Enabled : true # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_ENABLED
Url : "http://metadata.google.internal/computeMetadata/v1/instance/id" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
Headers :
2024-02-16 17:04:42 +01:00
"Metadata-Flavor": "Google"
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
#
# AWS EC2 IMDSv1 Configuration: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
# Webhook:
2023-08-07 22:32:10 +02:00
# Url: "http://169.254.169.254/latest/meta-data/ami-id" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
#
# AWS ECS v4 Configuration: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html
# Webhook:
2023-08-07 22:32:10 +02:00
# Url: "${ECS_CONTAINER_METADATA_URI_V4}" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL
# JPath: "$.DockerId" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_JPATH
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
#
# Azure Configuration: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux
# Webhook:
2023-08-07 22:32:10 +02:00
# Url: "http://169.254.169.254/metadata/instance?api-version=2021-02-01" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL
# JPath: "$.compute.vmId" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_JPATH
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
2022-08-16 07:04:36 +02:00
# Storage for assets like user avatar, organization logo, icon, font, ...
AssetStorage :
2023-08-07 22:32:10 +02:00
Type : db # ZITADEL_ASSET_STORAGE_TYPE
2022-08-16 07:04:36 +02:00
# HTTP cache control settings for serving assets in the assets API and login UI
# the assets will also be served with an etag and last-modified header
Cache :
2023-08-07 22:32:10 +02:00
MaxAge : 5s # ZITADEL_ASSETSTORAGE_CACHE_MAXAGE
# 168h are 7 days
SharedMaxAge : 168h # ZITADEL_ASSETSTORAGE_CACHE_SHAREDMAXAGE
2022-08-16 07:04:36 +02:00
2023-08-07 22:32:10 +02:00
# The Projections section defines the behavior for the scheduled and synchronous events projections.
2022-02-14 17:22:30 +01:00
Projections :
2024-05-13 16:01:50 +02:00
# The maximum duration a transaction remains open
2023-10-19 12:19:10 +02:00
# before it spots left folding additional events
# and updates the table.
2024-09-17 13:08:13 +03:00
TransactionDuration : 1m # ZITADEL_PROJECTIONS_TRANSACTIONDURATION
2023-03-27 14:34:01 +02:00
# Time interval between scheduled projections
2023-08-07 22:32:10 +02:00
RequeueEvery : 60s # ZITADEL_PROJECTIONS_REQUEUEEVERY
2023-03-27 14:34:01 +02:00
# Time between retried database statements resulting from projected events
2024-02-16 17:04:42 +01:00
RetryFailedAfter : 1s # ZITADEL_PROJECTIONS_RETRYFAILEDAFTER
2023-03-27 14:34:01 +02:00
# Retried execution number of database statements resulting from projected events
2023-08-07 22:32:10 +02:00
MaxFailureCount : 5 # ZITADEL_PROJECTIONS_MAXFAILURECOUNT
2023-03-27 14:34:01 +02:00
# Limit of returned events per query
2023-08-07 22:32:10 +02:00
BulkLimit : 200 # ZITADEL_PROJECTIONS_BULKLIMIT
# Only instances are projected, for which at least a projection-relevant event exists within the timeframe
# from HandleActiveInstances duration in the past until the projection's current time
2023-12-19 13:32:08 +02:00
# If set to 0 (default), every instance is always considered active
HandleActiveInstances : 0s # ZITADEL_PROJECTIONS_HANDLEACTIVEINSTANCES
2024-12-06 12:32:53 +01:00
# Maximum amount of instances cached as active
# If set to 0, every instance is always considered active
MaxActiveInstances : 0 # ZITADEL_PROJECTIONS_MAXACTIVEINSTANCES
2023-03-27 14:34:01 +02:00
# In the Customizations section, all settings from above can be overwritten for each specific projection
2022-03-28 10:05:09 +02:00
Customizations :
2023-10-27 20:43:13 +03:00
custom_texts :
BulkLimit : 400
2024-07-17 07:23:29 +02:00
project_grant_fields :
TransactionDuration : 0s
BulkLimit : 2000
org_domain_verified_fields :
TransactionDuration : 0s
BulkLimit : 2000
2024-11-11 22:03:15 +10:00
2023-03-27 14:34:01 +02:00
# The Notifications projection is used for sending emails and SMS to users
Notifications :
2023-08-07 22:32:10 +02:00
# As notification projections don't result in database statements, retries don't have an effect
2023-10-19 12:19:10 +02:00
MaxFailureCount : 10 # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONS_MAXFAILURECOUNT
# Sending emails can take longer than 500ms
TransactionDuration : 5s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONS_TRANSACTIONDURATION
password_complexities :
TransactionDuration : 2s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_PASSWORD_COMPLEXITIES_TRANSACTIONDURATION
lockout_policy :
TransactionDuration : 2s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_LOCKOUT_POLICY_TRANSACTIONDURATION
2023-03-29 00:09:06 +02:00
# The NotificationsQuotas projection is used for calling quota webhooks
NotificationsQuotas :
2023-08-07 22:32:10 +02:00
# As quota notification projections don't result in database statements, retries don't have an effect
2023-10-19 12:19:10 +02:00
MaxFailureCount : 10 # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONSQUOTAS_MAXFAILURECOUNT
2023-08-07 22:32:10 +02:00
# Quota notifications are not so time critical. Setting RequeueEvery every five minutes doesn't annoy the db too much.
RequeueEvery : 300s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONSQUOTAS_REQUEUEEVERY
2023-10-19 12:19:10 +02:00
# Sending emails can take longer than 500ms
TransactionDuration : 5s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONQUOTAS_TRANSACTIONDURATION
milestones :
BulkLimit : 50
2023-08-07 22:32:10 +02:00
# The Telemetry projection is used for calling telemetry webhooks
2023-07-06 08:38:13 +02:00
Telemetry :
# As sending telemetry data doesn't result in database statements, retries don't have any effects
2023-08-07 22:32:10 +02:00
MaxFailureCount : 0 # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_TELEMETRY_MAXFAILURECOUNT
2023-07-06 08:38:13 +02:00
# Telemetry data synchronization is not time critical. Setting RequeueEvery to 55 minutes doesn't annoy the database too much.
2023-08-07 22:32:10 +02:00
RequeueEvery : 3300s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_TELEMETRY_REQUEUEEVERY
2022-02-14 17:22:30 +01:00
feat(notification): use event worker pool (#8962)
# Which Problems Are Solved
The current handling of notification follows the same pattern as all
other projections:
Created events are handled sequentially (based on "position") by a
handler. During the process, a lot of information is aggregated (user,
texts, templates, ...).
This leads to back pressure on the projection since the handling of
events might take longer than the time before a new event (to be
handled) is created.
# How the Problems Are Solved
- The current user notification handler creates separate notification
events based on the user / session events.
- These events contain all the present and required information
including the userID.
- These notification events get processed by notification workers, which
gather the necessary information (recipient address, texts, templates)
to send out these notifications.
- If a notification fails, a retry event is created based on the current
notification request including the current state of the user (this
prevents race conditions, where a user is changed in the meantime and
the notification already gets the new state).
- The retry event will be handled after a backoff delay. This delay
increases with every attempt.
- If the configured amount of attempts is reached or the message expired
(based on config), a cancel event is created, letting the workers know,
the notification must no longer be handled.
- In case of successful send, a sent event is created for the
notification aggregate and the existing "sent" events for the user /
session object is stored.
- The following is added to the defaults.yaml to allow configuration of
the notification workers:
```yaml
Notifications:
# The amount of workers processing the notification request events.
# If set to 0, no notification request events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
Workers: 1 # ZITADEL_NOTIFIACATIONS_WORKERS
# The amount of events a single worker will process in a run.
BulkLimit: 10 # ZITADEL_NOTIFIACATIONS_BULKLIMIT
# Time interval between scheduled notifications for request events
RequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_REQUEUEEVERY
# The amount of workers processing the notification retry events.
# If set to 0, no notification retry events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
RetryWorkers: 1 # ZITADEL_NOTIFIACATIONS_RETRYWORKERS
# Time interval between scheduled notifications for retry events
RetryRequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_RETRYREQUEUEEVERY
# Only instances are projected, for which at least a projection-relevant event exists within the timeframe
# from HandleActiveInstances duration in the past until the projection's current time
# If set to 0 (default), every instance is always considered active
HandleActiveInstances: 0s # ZITADEL_NOTIFIACATIONS_HANDLEACTIVEINSTANCES
# The maximum duration a transaction remains open
# before it spots left folding additional events
# and updates the table.
TransactionDuration: 1m # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
# Automatically cancel the notification after the amount of failed attempts
MaxAttempts: 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
# Automatically cancel the notification if it cannot be handled within a specific time
MaxTtl: 5m # ZITADEL_NOTIFIACATIONS_MAXTTL
# Failed attempts are retried after a confogired delay (with exponential backoff).
# Set a minimum and maximum delay and a factor for the backoff
MinRetryDelay: 1s # ZITADEL_NOTIFIACATIONS_MINRETRYDELAY
MaxRetryDelay: 20s # ZITADEL_NOTIFIACATIONS_MAXRETRYDELAY
# Any factor below 1 will be set to 1
RetryDelayFactor: 1.5 # ZITADEL_NOTIFIACATIONS_RETRYDELAYFACTOR
```
# Additional Changes
None
# Additional Context
- closes #8931
2024-11-27 16:01:17 +01:00
Notifications :
2024-12-06 10:56:19 +01:00
# Notifications can be processed by either a sequential mode (legacy) or a new parallel mode.
# The parallel mode is currently only recommended for Postgres databases.
# For CockroachDB, the sequential mode is recommended, see: https://github.com/zitadel/zitadel/issues/9002
# If legacy mode is enabled, the worker config below is ignored.
LegacyEnabled : true # ZITADEL_NOTIFICATIONS_LEGACYENABLED
feat(notification): use event worker pool (#8962)
# Which Problems Are Solved
The current handling of notification follows the same pattern as all
other projections:
Created events are handled sequentially (based on "position") by a
handler. During the process, a lot of information is aggregated (user,
texts, templates, ...).
This leads to back pressure on the projection since the handling of
events might take longer than the time before a new event (to be
handled) is created.
# How the Problems Are Solved
- The current user notification handler creates separate notification
events based on the user / session events.
- These events contain all the present and required information
including the userID.
- These notification events get processed by notification workers, which
gather the necessary information (recipient address, texts, templates)
to send out these notifications.
- If a notification fails, a retry event is created based on the current
notification request including the current state of the user (this
prevents race conditions, where a user is changed in the meantime and
the notification already gets the new state).
- The retry event will be handled after a backoff delay. This delay
increases with every attempt.
- If the configured amount of attempts is reached or the message expired
(based on config), a cancel event is created, letting the workers know,
the notification must no longer be handled.
- In case of successful send, a sent event is created for the
notification aggregate and the existing "sent" events for the user /
session object is stored.
- The following is added to the defaults.yaml to allow configuration of
the notification workers:
```yaml
Notifications:
# The amount of workers processing the notification request events.
# If set to 0, no notification request events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
Workers: 1 # ZITADEL_NOTIFIACATIONS_WORKERS
# The amount of events a single worker will process in a run.
BulkLimit: 10 # ZITADEL_NOTIFIACATIONS_BULKLIMIT
# Time interval between scheduled notifications for request events
RequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_REQUEUEEVERY
# The amount of workers processing the notification retry events.
# If set to 0, no notification retry events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
RetryWorkers: 1 # ZITADEL_NOTIFIACATIONS_RETRYWORKERS
# Time interval between scheduled notifications for retry events
RetryRequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_RETRYREQUEUEEVERY
# Only instances are projected, for which at least a projection-relevant event exists within the timeframe
# from HandleActiveInstances duration in the past until the projection's current time
# If set to 0 (default), every instance is always considered active
HandleActiveInstances: 0s # ZITADEL_NOTIFIACATIONS_HANDLEACTIVEINSTANCES
# The maximum duration a transaction remains open
# before it spots left folding additional events
# and updates the table.
TransactionDuration: 1m # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
# Automatically cancel the notification after the amount of failed attempts
MaxAttempts: 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
# Automatically cancel the notification if it cannot be handled within a specific time
MaxTtl: 5m # ZITADEL_NOTIFIACATIONS_MAXTTL
# Failed attempts are retried after a confogired delay (with exponential backoff).
# Set a minimum and maximum delay and a factor for the backoff
MinRetryDelay: 1s # ZITADEL_NOTIFIACATIONS_MINRETRYDELAY
MaxRetryDelay: 20s # ZITADEL_NOTIFIACATIONS_MAXRETRYDELAY
# Any factor below 1 will be set to 1
RetryDelayFactor: 1.5 # ZITADEL_NOTIFIACATIONS_RETRYDELAYFACTOR
```
# Additional Changes
None
# Additional Context
- closes #8931
2024-11-27 16:01:17 +01:00
# The amount of workers processing the notification request events.
# If set to 0, no notification request events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
Workers : 1 # ZITADEL_NOTIFIACATIONS_WORKERS
# The amount of events a single worker will process in a run.
BulkLimit : 10 # ZITADEL_NOTIFIACATIONS_BULKLIMIT
# Time interval between scheduled notifications for request events
2024-12-04 21:17:49 +01:00
RequeueEvery : 5s # ZITADEL_NOTIFIACATIONS_REQUEUEEVERY
feat(notification): use event worker pool (#8962)
# Which Problems Are Solved
The current handling of notification follows the same pattern as all
other projections:
Created events are handled sequentially (based on "position") by a
handler. During the process, a lot of information is aggregated (user,
texts, templates, ...).
This leads to back pressure on the projection since the handling of
events might take longer than the time before a new event (to be
handled) is created.
# How the Problems Are Solved
- The current user notification handler creates separate notification
events based on the user / session events.
- These events contain all the present and required information
including the userID.
- These notification events get processed by notification workers, which
gather the necessary information (recipient address, texts, templates)
to send out these notifications.
- If a notification fails, a retry event is created based on the current
notification request including the current state of the user (this
prevents race conditions, where a user is changed in the meantime and
the notification already gets the new state).
- The retry event will be handled after a backoff delay. This delay
increases with every attempt.
- If the configured amount of attempts is reached or the message expired
(based on config), a cancel event is created, letting the workers know,
the notification must no longer be handled.
- In case of successful send, a sent event is created for the
notification aggregate and the existing "sent" events for the user /
session object is stored.
- The following is added to the defaults.yaml to allow configuration of
the notification workers:
```yaml
Notifications:
# The amount of workers processing the notification request events.
# If set to 0, no notification request events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
Workers: 1 # ZITADEL_NOTIFIACATIONS_WORKERS
# The amount of events a single worker will process in a run.
BulkLimit: 10 # ZITADEL_NOTIFIACATIONS_BULKLIMIT
# Time interval between scheduled notifications for request events
RequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_REQUEUEEVERY
# The amount of workers processing the notification retry events.
# If set to 0, no notification retry events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
RetryWorkers: 1 # ZITADEL_NOTIFIACATIONS_RETRYWORKERS
# Time interval between scheduled notifications for retry events
RetryRequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_RETRYREQUEUEEVERY
# Only instances are projected, for which at least a projection-relevant event exists within the timeframe
# from HandleActiveInstances duration in the past until the projection's current time
# If set to 0 (default), every instance is always considered active
HandleActiveInstances: 0s # ZITADEL_NOTIFIACATIONS_HANDLEACTIVEINSTANCES
# The maximum duration a transaction remains open
# before it spots left folding additional events
# and updates the table.
TransactionDuration: 1m # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
# Automatically cancel the notification after the amount of failed attempts
MaxAttempts: 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
# Automatically cancel the notification if it cannot be handled within a specific time
MaxTtl: 5m # ZITADEL_NOTIFIACATIONS_MAXTTL
# Failed attempts are retried after a confogired delay (with exponential backoff).
# Set a minimum and maximum delay and a factor for the backoff
MinRetryDelay: 1s # ZITADEL_NOTIFIACATIONS_MINRETRYDELAY
MaxRetryDelay: 20s # ZITADEL_NOTIFIACATIONS_MAXRETRYDELAY
# Any factor below 1 will be set to 1
RetryDelayFactor: 1.5 # ZITADEL_NOTIFIACATIONS_RETRYDELAYFACTOR
```
# Additional Changes
None
# Additional Context
- closes #8931
2024-11-27 16:01:17 +01:00
# The amount of workers processing the notification retry events.
# If set to 0, no notification retry events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
RetryWorkers : 1 # ZITADEL_NOTIFIACATIONS_RETRYWORKERS
# Time interval between scheduled notifications for retry events
2024-12-04 21:17:49 +01:00
RetryRequeueEvery : 5s # ZITADEL_NOTIFIACATIONS_RETRYREQUEUEEVERY
feat(notification): use event worker pool (#8962)
# Which Problems Are Solved
The current handling of notification follows the same pattern as all
other projections:
Created events are handled sequentially (based on "position") by a
handler. During the process, a lot of information is aggregated (user,
texts, templates, ...).
This leads to back pressure on the projection since the handling of
events might take longer than the time before a new event (to be
handled) is created.
# How the Problems Are Solved
- The current user notification handler creates separate notification
events based on the user / session events.
- These events contain all the present and required information
including the userID.
- These notification events get processed by notification workers, which
gather the necessary information (recipient address, texts, templates)
to send out these notifications.
- If a notification fails, a retry event is created based on the current
notification request including the current state of the user (this
prevents race conditions, where a user is changed in the meantime and
the notification already gets the new state).
- The retry event will be handled after a backoff delay. This delay
increases with every attempt.
- If the configured amount of attempts is reached or the message expired
(based on config), a cancel event is created, letting the workers know,
the notification must no longer be handled.
- In case of successful send, a sent event is created for the
notification aggregate and the existing "sent" events for the user /
session object is stored.
- The following is added to the defaults.yaml to allow configuration of
the notification workers:
```yaml
Notifications:
# The amount of workers processing the notification request events.
# If set to 0, no notification request events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
Workers: 1 # ZITADEL_NOTIFIACATIONS_WORKERS
# The amount of events a single worker will process in a run.
BulkLimit: 10 # ZITADEL_NOTIFIACATIONS_BULKLIMIT
# Time interval between scheduled notifications for request events
RequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_REQUEUEEVERY
# The amount of workers processing the notification retry events.
# If set to 0, no notification retry events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
RetryWorkers: 1 # ZITADEL_NOTIFIACATIONS_RETRYWORKERS
# Time interval between scheduled notifications for retry events
RetryRequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_RETRYREQUEUEEVERY
# Only instances are projected, for which at least a projection-relevant event exists within the timeframe
# from HandleActiveInstances duration in the past until the projection's current time
# If set to 0 (default), every instance is always considered active
HandleActiveInstances: 0s # ZITADEL_NOTIFIACATIONS_HANDLEACTIVEINSTANCES
# The maximum duration a transaction remains open
# before it spots left folding additional events
# and updates the table.
TransactionDuration: 1m # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
# Automatically cancel the notification after the amount of failed attempts
MaxAttempts: 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
# Automatically cancel the notification if it cannot be handled within a specific time
MaxTtl: 5m # ZITADEL_NOTIFIACATIONS_MAXTTL
# Failed attempts are retried after a confogired delay (with exponential backoff).
# Set a minimum and maximum delay and a factor for the backoff
MinRetryDelay: 1s # ZITADEL_NOTIFIACATIONS_MINRETRYDELAY
MaxRetryDelay: 20s # ZITADEL_NOTIFIACATIONS_MAXRETRYDELAY
# Any factor below 1 will be set to 1
RetryDelayFactor: 1.5 # ZITADEL_NOTIFIACATIONS_RETRYDELAYFACTOR
```
# Additional Changes
None
# Additional Context
- closes #8931
2024-11-27 16:01:17 +01:00
# Only instances are projected, for which at least a projection-relevant event exists within the timeframe
# from HandleActiveInstances duration in the past until the projection's current time
# If set to 0 (default), every instance is always considered active
HandleActiveInstances : 0s # ZITADEL_NOTIFIACATIONS_HANDLEACTIVEINSTANCES
# The maximum duration a transaction remains open
# before it spots left folding additional events
# and updates the table.
2024-12-04 21:17:49 +01:00
TransactionDuration : 10s # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
feat(notification): use event worker pool (#8962)
# Which Problems Are Solved
The current handling of notification follows the same pattern as all
other projections:
Created events are handled sequentially (based on "position") by a
handler. During the process, a lot of information is aggregated (user,
texts, templates, ...).
This leads to back pressure on the projection since the handling of
events might take longer than the time before a new event (to be
handled) is created.
# How the Problems Are Solved
- The current user notification handler creates separate notification
events based on the user / session events.
- These events contain all the present and required information
including the userID.
- These notification events get processed by notification workers, which
gather the necessary information (recipient address, texts, templates)
to send out these notifications.
- If a notification fails, a retry event is created based on the current
notification request including the current state of the user (this
prevents race conditions, where a user is changed in the meantime and
the notification already gets the new state).
- The retry event will be handled after a backoff delay. This delay
increases with every attempt.
- If the configured amount of attempts is reached or the message expired
(based on config), a cancel event is created, letting the workers know,
the notification must no longer be handled.
- In case of successful send, a sent event is created for the
notification aggregate and the existing "sent" events for the user /
session object is stored.
- The following is added to the defaults.yaml to allow configuration of
the notification workers:
```yaml
Notifications:
# The amount of workers processing the notification request events.
# If set to 0, no notification request events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
Workers: 1 # ZITADEL_NOTIFIACATIONS_WORKERS
# The amount of events a single worker will process in a run.
BulkLimit: 10 # ZITADEL_NOTIFIACATIONS_BULKLIMIT
# Time interval between scheduled notifications for request events
RequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_REQUEUEEVERY
# The amount of workers processing the notification retry events.
# If set to 0, no notification retry events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
RetryWorkers: 1 # ZITADEL_NOTIFIACATIONS_RETRYWORKERS
# Time interval between scheduled notifications for retry events
RetryRequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_RETRYREQUEUEEVERY
# Only instances are projected, for which at least a projection-relevant event exists within the timeframe
# from HandleActiveInstances duration in the past until the projection's current time
# If set to 0 (default), every instance is always considered active
HandleActiveInstances: 0s # ZITADEL_NOTIFIACATIONS_HANDLEACTIVEINSTANCES
# The maximum duration a transaction remains open
# before it spots left folding additional events
# and updates the table.
TransactionDuration: 1m # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
# Automatically cancel the notification after the amount of failed attempts
MaxAttempts: 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
# Automatically cancel the notification if it cannot be handled within a specific time
MaxTtl: 5m # ZITADEL_NOTIFIACATIONS_MAXTTL
# Failed attempts are retried after a confogired delay (with exponential backoff).
# Set a minimum and maximum delay and a factor for the backoff
MinRetryDelay: 1s # ZITADEL_NOTIFIACATIONS_MINRETRYDELAY
MaxRetryDelay: 20s # ZITADEL_NOTIFIACATIONS_MAXRETRYDELAY
# Any factor below 1 will be set to 1
RetryDelayFactor: 1.5 # ZITADEL_NOTIFIACATIONS_RETRYDELAYFACTOR
```
# Additional Changes
None
# Additional Context
- closes #8931
2024-11-27 16:01:17 +01:00
# Automatically cancel the notification after the amount of failed attempts
MaxAttempts : 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
# Automatically cancel the notification if it cannot be handled within a specific time
MaxTtl : 5m # ZITADEL_NOTIFIACATIONS_MAXTTL
# Failed attempts are retried after a confogired delay (with exponential backoff).
# Set a minimum and maximum delay and a factor for the backoff
2024-12-04 21:17:49 +01:00
MinRetryDelay : 5s # ZITADEL_NOTIFIACATIONS_MINRETRYDELAY
MaxRetryDelay : 1m # ZITADEL_NOTIFIACATIONS_MAXRETRYDELAY
feat(notification): use event worker pool (#8962)
# Which Problems Are Solved
The current handling of notification follows the same pattern as all
other projections:
Created events are handled sequentially (based on "position") by a
handler. During the process, a lot of information is aggregated (user,
texts, templates, ...).
This leads to back pressure on the projection since the handling of
events might take longer than the time before a new event (to be
handled) is created.
# How the Problems Are Solved
- The current user notification handler creates separate notification
events based on the user / session events.
- These events contain all the present and required information
including the userID.
- These notification events get processed by notification workers, which
gather the necessary information (recipient address, texts, templates)
to send out these notifications.
- If a notification fails, a retry event is created based on the current
notification request including the current state of the user (this
prevents race conditions, where a user is changed in the meantime and
the notification already gets the new state).
- The retry event will be handled after a backoff delay. This delay
increases with every attempt.
- If the configured amount of attempts is reached or the message expired
(based on config), a cancel event is created, letting the workers know,
the notification must no longer be handled.
- In case of successful send, a sent event is created for the
notification aggregate and the existing "sent" events for the user /
session object is stored.
- The following is added to the defaults.yaml to allow configuration of
the notification workers:
```yaml
Notifications:
# The amount of workers processing the notification request events.
# If set to 0, no notification request events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
Workers: 1 # ZITADEL_NOTIFIACATIONS_WORKERS
# The amount of events a single worker will process in a run.
BulkLimit: 10 # ZITADEL_NOTIFIACATIONS_BULKLIMIT
# Time interval between scheduled notifications for request events
RequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_REQUEUEEVERY
# The amount of workers processing the notification retry events.
# If set to 0, no notification retry events will be handled. This can be useful when running in
# multi binary / pod setup and allowing only certain executables to process the events.
RetryWorkers: 1 # ZITADEL_NOTIFIACATIONS_RETRYWORKERS
# Time interval between scheduled notifications for retry events
RetryRequeueEvery: 2s # ZITADEL_NOTIFIACATIONS_RETRYREQUEUEEVERY
# Only instances are projected, for which at least a projection-relevant event exists within the timeframe
# from HandleActiveInstances duration in the past until the projection's current time
# If set to 0 (default), every instance is always considered active
HandleActiveInstances: 0s # ZITADEL_NOTIFIACATIONS_HANDLEACTIVEINSTANCES
# The maximum duration a transaction remains open
# before it spots left folding additional events
# and updates the table.
TransactionDuration: 1m # ZITADEL_NOTIFIACATIONS_TRANSACTIONDURATION
# Automatically cancel the notification after the amount of failed attempts
MaxAttempts: 3 # ZITADEL_NOTIFIACATIONS_MAXATTEMPTS
# Automatically cancel the notification if it cannot be handled within a specific time
MaxTtl: 5m # ZITADEL_NOTIFIACATIONS_MAXTTL
# Failed attempts are retried after a confogired delay (with exponential backoff).
# Set a minimum and maximum delay and a factor for the backoff
MinRetryDelay: 1s # ZITADEL_NOTIFIACATIONS_MINRETRYDELAY
MaxRetryDelay: 20s # ZITADEL_NOTIFIACATIONS_MAXRETRYDELAY
# Any factor below 1 will be set to 1
RetryDelayFactor: 1.5 # ZITADEL_NOTIFIACATIONS_RETRYDELAYFACTOR
```
# Additional Changes
None
# Additional Context
- closes #8931
2024-11-27 16:01:17 +01:00
# Any factor below 1 will be set to 1
RetryDelayFactor : 1.5 # ZITADEL_NOTIFIACATIONS_RETRYDELAYFACTOR
2022-02-14 17:22:30 +01:00
Auth :
2023-10-19 12:19:10 +02:00
# See Projections.BulkLimit
2023-08-07 22:32:10 +02:00
SearchLimit : 1000 # ZITADEL_AUTH_SEARCHLIMIT
2022-02-14 17:22:30 +01:00
Spooler :
2024-05-13 16:01:50 +02:00
# See Projections.TransationDuration
2023-10-19 12:19:10 +02:00
TransactionDuration : 10s #ZITADEL_AUTH_SPOOLER_TRANSACTIONDURATION
# See Projections.BulkLimit
BulkLimit : 100 #ZITADEL_AUTH_SPOOLER_BULKLIMIT
# See Projections.MaxFailureCount
FailureCountUntilSkip : 5 #ZITADEL_AUTH_SPOOLER_FAILURECOUNTUNTILSKIP
2024-04-23 13:23:50 +02:00
# Defines the amount of auth requests stored in the LRU caches.
# There are two caches implemented one for id and one for code
2024-04-26 09:30:35 +02:00
AmountOfCachedAuthRequests : 0 #ZITADEL_AUTH_AMOUNTOFCACHEDAUTHREQUESTS
2022-02-14 17:22:30 +01:00
Admin :
2023-10-19 12:19:10 +02:00
# See Projections.BulkLimit
2023-08-07 22:32:10 +02:00
SearchLimit : 1000 # ZITADEL_ADMIN_SEARCHLIMIT
2022-02-14 17:22:30 +01:00
Spooler :
2023-10-19 12:19:10 +02:00
# See Projections.TransationDuration
TransactionDuration : 10s
# See Projections.BulkLimit
BulkLimit : 200
# See Projections.MaxFailureCount
FailureCountUntilSkip : 5
2022-02-14 17:22:30 +01:00
UserAgentCookie :
2023-08-07 22:32:10 +02:00
Name : zitadel.useragent # ZITADEL_USERAGENTCOOKIE_NAME
# 8760h are 365 days, one year
MaxAge : 8760h # ZITADEL_USERAGENTCOOKIE_MAXAGE
2022-02-14 17:22:30 +01:00
OIDC :
2023-08-07 22:32:10 +02:00
CodeMethodS256 : true # ZITADEL_OIDC_CODEMETHODS256
AuthMethodPost : true # ZITADEL_OIDC_AUTHMETHODPOST
AuthMethodPrivateKeyJWT : true # ZITADEL_OIDC_AUTHMETHODPRIVATEKEYJWT
GrantTypeRefreshToken : true # ZITADEL_OIDC_GRANTTYPEREFRESHTOKEN
RequestObjectSupported : true # ZITADEL_OIDC_REQUESTOBJECTSUPPORTED
2024-11-11 22:03:15 +10:00
2024-08-23 15:43:46 +03:00
# Deprecated: The signing algorithm is determined by the generated keys.
# Use the web keys resource to generate keys with different algorithms.
2023-08-07 22:32:10 +02:00
SigningKeyAlgorithm : RS256 # ZITADEL_OIDC_SIGNINGKEYALGORITHM
2022-09-27 11:53:49 +01:00
# Sets the default values for lifetime and expiration for OIDC
# This default can be overwritten in the default instance configuration and for each instance during runtime
2023-08-07 22:32:10 +02:00
# !!! Changing this after the initial setup will have no impact without a restart !!!
DefaultAccessTokenLifetime : 12h # ZITADEL_OIDC_DEFAULTACCESSTOKENLIFETIME
DefaultIdTokenLifetime : 12h # ZITADEL_OIDC_DEFAULTIDTOKENLIFETIME
# 720h are 30 days, one month
DefaultRefreshTokenIdleExpiration : 720h # ZITADEL_OIDC_DEFAULTREFRESHTOKENIDLEEXPIRATION
# 2160h are 90 days, three months
DefaultRefreshTokenExpiration : 2160h # ZITADEL_OIDC_DEFAULTREFRESHTOKENEXPIRATION
2024-11-11 22:03:15 +10:00
2024-08-23 15:43:46 +03:00
# HTTP Cache-Control max-age header value to set on the jwks endpoint.
# Only used when the web keys feature is enabled. 0 sets a no-store value.
JWKSCacheControlMaxAge : 5m # ZITADEL_OIDC_JWKSCACHECONTROLMAXAGE
2022-02-14 17:22:30 +01:00
CustomEndpoints :
2022-06-07 10:04:51 +02:00
Auth :
2023-08-07 22:32:10 +02:00
Path : /oauth/v2/authorize # ZITADEL_OIDC_CUSTOMENDPOINTS_AUTH_PATH
2022-06-07 10:04:51 +02:00
Token :
2023-08-07 22:32:10 +02:00
Path : /oauth/v2/token # ZITADEL_OIDC_CUSTOMENDPOINTS_TOKEN_PATH
2022-06-07 10:04:51 +02:00
Introspection :
2023-08-07 22:32:10 +02:00
Path : /oauth/v2/introspect # ZITADEL_OIDC_CUSTOMENDPOINTS_INTROSPECTION_PATH
2022-06-07 10:04:51 +02:00
Userinfo :
2023-08-07 22:32:10 +02:00
Path : /oidc/v1/userinfo # ZITADEL_OIDC_CUSTOMENDPOINTS_USERINFO_PATH
2022-06-07 10:04:51 +02:00
Revocation :
2023-08-07 22:32:10 +02:00
Path : /oauth/v2/revoke # ZITADEL_OIDC_CUSTOMENDPOINTS_REVOCATION_PATH
2022-06-07 10:04:51 +02:00
EndSession :
2023-08-07 22:32:10 +02:00
Path : /oidc/v1/end_session # ZITADEL_OIDC_CUSTOMENDPOINTS_ENDSESSION_PATH
2022-06-07 10:04:51 +02:00
Keys :
2023-08-07 22:32:10 +02:00
Path : /oauth/v2/keys # ZITADEL_OIDC_CUSTOMENDPOINTS_KEYS_PATH
2023-04-19 11:46:02 +03:00
DeviceAuth :
2023-08-07 22:32:10 +02:00
Path : /oauth/v2/device_authorization # ZITADEL_OIDC_CUSTOMENDPOINTS_DEVICEAUTH_PATH
2024-08-12 11:55:07 +02:00
DeviceAuth :
Lifetime : 5m # ZITADEL_OIDC_DEVICEAUTH_LIFETIME
PollInterval : 5s # ZITADEL_OIDC_DEVICEAUTH_POLLINTERVAL
UserCode :
CharSet : "BCDFGHJKLMNPQRSTVWXZ" # ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARSET
CharAmount : 8 # ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARARMOUNT
DashInterval : 4 # ZITADEL_OIDC_DEVICEAUTH_USERCODE_DASHINTERVAL
2023-08-07 22:32:10 +02:00
DefaultLoginURLV2 : "/login?authRequest=" # ZITADEL_OIDC_DEFAULTLOGINURLV2
DefaultLogoutURLV2 : "/logout?post_logout_redirect=" # ZITADEL_OIDC_DEFAULTLOGOUTURLV2
2024-01-29 17:11:52 +02:00
PublicKeyCacheMaxAge : 24h # ZITADEL_OIDC_PUBLICKEYCACHEMAXAGE
2024-10-31 15:57:17 +01:00
DefaultBackChannelLogoutLifetime : 15m # ZITADEL_OIDC_DEFAULTBACKCHANNELLOGOUTLIFETIME
2022-02-14 17:22:30 +01:00
2022-09-12 17:18:08 +01:00
SAML :
2024-12-19 12:11:40 +01:00
DefaultLoginURLV2 : "/login?authRequest=" # ZITADEL_SAML_DEFAULTLOGINURLV2
2022-09-12 17:18:08 +01:00
ProviderConfig :
MetadataConfig :
2023-08-07 22:32:10 +02:00
Path : "/metadata" # ZITADEL_SAML_PROVIDERCONFIG_METADATACONFIG_PATH
SignatureAlgorithm : "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" # ZITADEL_SAML_PROVIDERCONFIG_METADATACONFIG_SIGNATUREALGORITHM
2022-09-12 17:18:08 +01:00
IDPConfig :
2023-08-07 22:32:10 +02:00
SignatureAlgorithm : "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" # ZITADEL_SAML_PROVIDERCONFIG_IDPCONFIG_SIGNATUREALGORITHM
WantAuthRequestsSigned : true # ZITADEL_SAML_PROVIDERCONFIG_IDPCONFIG_WANTAUTHREQUESTSSIGNED
2022-09-12 17:18:08 +01:00
Endpoints :
#Organisation:
2023-08-07 22:32:10 +02:00
# Name: ZITADEL # ZITADEL_SAML_PROVIDERCONFIG_ORGANISATION_NAME
# URL: https://zitadel.com # ZITADEL_SAML_PROVIDERCONFIG_ORGANISATION_URL
2022-09-12 17:18:08 +01:00
#ContactPerson:
2023-08-07 22:32:10 +02:00
# ContactType: "technical" # ZITADEL_SAML_PROVIDERCONFIG_CONTACTPERSON_CONTACTTYPE
# Company: ZITADEL # ZITADEL_SAML_PROVIDERCONFIG_CONTACTPERSON_COMPANY
# EmailAddress: hi@zitadel.com # ZITADEL_SAML_PROVIDERCONFIG_CONTACTPERSON_EMAILADDRESS
2022-09-12 17:18:08 +01:00
2022-02-14 17:22:30 +01:00
Login :
2023-08-07 22:32:10 +02:00
LanguageCookieName : zitadel.login.lang # ZITADEL_LOGIN_LANGUAGECOOKIENAME
CSRFCookieName : zitadel.login.csrf # ZITADEL_LOGIN_CSRFCOOKIENAME
2022-02-14 17:22:30 +01:00
Cache :
2023-08-07 22:32:10 +02:00
MaxAge : 12h # ZITADEL_LOGIN_CACHE_MAXAGE
# 168h is 7 days, one week
SharedMaxAge : 168h # ZITADEL_LOGIN_CACHE_SHAREDMAXAGE
2023-08-24 11:41:52 +02:00
DefaultOTPEmailURLV2 : "/otp/verify?loginName={{.LoginName}}&code={{.Code}}" # ZITADEL_LOGIN_CACHE_DEFAULTOTPEMAILURLV2
2022-02-14 17:22:30 +01:00
Console :
ShortCache :
2023-08-07 22:32:10 +02:00
MaxAge : 0m # ZITADEL_CONSOLE_SHORTCACHE_MAXAGE
SharedMaxAge : 5m # ZITADEL_CONSOLE_SHORTCACHE_SHAREDMAXAGE
2022-02-14 17:22:30 +01:00
LongCache :
2023-08-07 22:32:10 +02:00
MaxAge : 12h # ZITADEL_CONSOLE_LONGCACHE_MAXAGE
# 168h is 7 days, one week
SharedMaxAge : 168h # ZITADEL_CONSOLE_LONGCACHE_SHAREDMAXAGE
InstanceManagementURL : "" # ZITADEL_CONSOLE_INSTANCEMANAGEMENTURL
2025-01-07 15:38:13 +01:00
PostHog :
URL : "" # ZITADEL_CONSOLE_POSTHOG_URL
Token : "" # ZITADEL_CONSOLE_POSTHOG_TOKEN
2022-02-14 17:22:30 +01:00
2022-03-14 07:55:09 +01:00
EncryptionKeys :
DomainVerification :
2023-08-07 22:32:10 +02:00
EncryptionKeyID : "domainVerificationKey" # ZITADEL_ENCRYPTIONKEYS_DOMAINVERIFICATION_ENCRYPTIONKEYID
2024-02-16 17:04:42 +01:00
DecryptionKeyIDs : # ZITADEL_ENCRYPTIONKEYS_DOMAINVERIFICATION_DECRYPTIONKEYIDS (comma separated list)
2022-03-14 07:55:09 +01:00
IDPConfig :
2023-08-07 22:32:10 +02:00
EncryptionKeyID : "idpConfigKey" # ZITADEL_ENCRYPTIONKEYS_IDPCONFIG_ENCRYPTIONKEYID
2024-02-16 17:04:42 +01:00
DecryptionKeyIDs : # ZITADEL_ENCRYPTIONKEYS_IDPCONFIG_DECRYPTIONKEYIDS (comma separated list)
2022-03-14 07:55:09 +01:00
OIDC :
2023-08-07 22:32:10 +02:00
EncryptionKeyID : "oidcKey" # ZITADEL_ENCRYPTIONKEYS_OIDC_ENCRYPTIONKEYID
2024-02-16 17:04:42 +01:00
DecryptionKeyIDs : # ZITADEL_ENCRYPTIONKEYS_OIDC_DECRYPTIONKEYIDS (comma separated list)
2022-09-12 17:18:08 +01:00
SAML :
2023-08-07 22:32:10 +02:00
EncryptionKeyID : "samlKey" # ZITADEL_ENCRYPTIONKEYS_SAML_ENCRYPTIONKEYID
2024-02-16 17:04:42 +01:00
DecryptionKeyIDs : # ZITADEL_ENCRYPTIONKEYS_SAML_DECRYPTIONKEYIDS (comma separated list)
2022-03-14 07:55:09 +01:00
OTP :
2023-08-07 22:32:10 +02:00
EncryptionKeyID : "otpKey" # ZITADEL_ENCRYPTIONKEYS_OTP_ENCRYPTIONKEYID
2024-02-16 17:04:42 +01:00
DecryptionKeyIDs : # ZITADEL_ENCRYPTIONKEYS_OTP_DECRYPTIONKEYIDS (comma separated list)
2022-03-14 07:55:09 +01:00
SMS :
2023-08-07 22:32:10 +02:00
EncryptionKeyID : "smsKey" # ZITADEL_ENCRYPTIONKEYS_SMS_ENCRYPTIONKEYID
2024-02-16 17:04:42 +01:00
DecryptionKeyIDs : # ZITADEL_ENCRYPTIONKEYS_SMS_DECRYPTIONKEYIDS (comma separated list)
2022-03-14 07:55:09 +01:00
SMTP :
2023-08-07 22:32:10 +02:00
EncryptionKeyID : "smtpKey" # ZITADEL_ENCRYPTIONKEYS_SMTP_ENCRYPTIONKEYID
2024-02-16 17:04:42 +01:00
DecryptionKeyIDs : # ZITADEL_ENCRYPTIONKEYS_SMTP_DECRYPTIONKEYIDS (comma separated list)
2022-03-14 07:55:09 +01:00
User :
2023-08-07 22:32:10 +02:00
EncryptionKeyID : "userKey" # ZITADEL_ENCRYPTIONKEYS_USER_ENCRYPTIONKEYID
2024-02-16 17:04:42 +01:00
DecryptionKeyIDs : # ZITADEL_ENCRYPTIONKEYS_USER_DECRYPTIONKEYIDS (comma separated list)
2024-11-28 11:06:52 +01:00
Target :
EncryptionKeyID : "targetKey" # ZITADEL_ENCRYPTIONKEYS_TARGET_ENCRYPTIONKEYID
DecryptionKeyIDs : # ZITADEL_ENCRYPTIONKEYS_TARGET_DECRYPTIONKEYIDS (comma separated list)
2023-08-07 22:32:10 +02:00
CSRFCookieKeyID : "csrfCookieKey" # ZITADEL_ENCRYPTIONKEYS_CSRFCOOKIEKEYID
UserAgentCookieKeyID : "userAgentCookieKey" # ZITADEL_ENCRYPTIONKEYS_USERAGENTCOOKIEKEYID
2022-03-14 07:55:09 +01:00
2022-05-30 13:38:30 +02:00
SystemAPIUsers :
2023-10-25 17:10:45 +02:00
# # Add keys for authentication of the systemAPI here:
# # you can specify any name for the user, but they will have to match the `issuer` and `sub` claim in the JWT:
2022-09-27 11:53:49 +01:00
# - superuser:
2023-10-25 17:10:45 +02:00
# Path: /path/to/superuser/ey.pem # you can provide the key either by reference with the path
# Memberships:
# # MemberType System allows the user to access all APIs for all instances or organizations
# - MemberType: System
# Roles:
# - "SYSTEM_OWNER"
# # Actually, we don't recommend adding IAM_OWNER and ORG_OWNER to the System membership, as this basically enables god mode for the system user
# - "IAM_OWNER"
# - "ORG_OWNER"
# # MemberType IAM and Organization let you restrict access to a specific instance or organization by specifying the AggregateID
# - MemberType: IAM
# Roles: "IAM_OWNER"
# AggregateID: "123456789012345678"
# - MemberType: Organization
# Roles: "ORG_OWNER"
# AggregateID: "123456789012345678"
2022-09-27 11:53:49 +01:00
# - superuser2:
2023-10-25 17:10:45 +02:00
# # If no memberships are specified, the user has a membership of type System with the role "SYSTEM_OWNER"
2022-09-27 11:53:49 +01:00
# KeyData: <base64 encoded key> # or you can directly embed it as base64 encoded value
2024-02-16 17:04:42 +01:00
# Configure the SystemAPIUsers by environment variable using JSON notation:
# ZITADEL_SYSTEMAPIUSERS='{"systemuser":{"Path":"/path/to/superuser/key.pem"},"systemuser2":{"KeyData":"<base64 encoded key>"}}'
2022-05-30 13:38:30 +02:00
2022-02-14 17:22:30 +01:00
SystemDefaults :
SecretGenerators :
2023-08-07 22:32:10 +02:00
MachineKeySize : 2048 # ZITADEL_SYSTEMDEFAULTS_SECRETGENERATORS_MACHINEKEYSIZE
ApplicationKeySize : 2048 # ZITADEL_SYSTEMDEFAULTS_SECRETGENERATORS_APPLICATIONKEYSIZE
2023-07-14 09:49:57 +03:00
PasswordHasher :
2023-08-29 09:08:24 +02:00
# Set hasher configuration for user passwords.
# Passwords previously hashed with a different algorithm
# or cost are automatically re-hashed using this config,
# upon password validation or update.
2023-07-14 09:49:57 +03:00
Hasher :
2024-05-08 08:48:26 +02:00
# Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2"
# Depending on the algorithm, different configuration options take effect.
2024-07-23 16:13:35 +02:00
Algorithm : bcrypt # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
2024-05-08 08:48:26 +02:00
# Cost takes effect for the algorithms bcrypt and scrypt
2023-08-07 22:32:10 +02:00
Cost : 14 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_COST
2024-05-08 08:48:26 +02:00
# Time takes effect for the algorithms argon2i and argon2id
Time : 3 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_TIME
# Memory takes effect for the algorithms argon2i and argon2id
Memory : 32768 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_MEMORY
# Threads takes effect for the algorithms argon2i and argon2id
Threads : 4 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_THREADS
# Rounds takes effect for the algorithm pbkdf2
Rounds : 290000 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ROUNDS
# Hash takes effect for the algorithm pbkdf2
# Can be "sha1", "sha224", "sha256", "sha384" or "sha512"
Hash : sha256 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_HASH
2023-08-02 14:27:18 +03:00
2023-07-14 09:49:57 +03:00
# Verifiers enable the possibility of verifying
# passwords that are previously hashed using another
# algorithm then the Hasher.
# This can be used when migrating from one algorithm to another,
# or when importing users with hashed passwords.
# There is no need to enable a Verifier of the same algorithm
# as the Hasher.
#
# The format of the encoded hash strings must comply
# with https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
# https://passlib.readthedocs.io/en/stable/modular_crypt_format.html
#
# Supported verifiers: (uncomment to enable)
2024-05-08 08:48:26 +02:00
Verifiers : # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
2024-06-25 11:10:49 +03:00
# - "argon2" # verifier for both argon2i and argon2id.
2023-07-14 09:49:57 +03:00
# - "bcrypt"
2024-06-25 11:10:49 +03:00
# - "md5" # md5Crypt with salt and password shuffling.
# - "md5plain" # md5 digest of a password without salt
2023-07-14 09:49:57 +03:00
# - "scrypt"
2024-06-25 11:10:49 +03:00
# - "pbkdf2" # verifier for all pbkdf2 hash modes.
2024-04-05 12:35:49 +03:00
SecretHasher :
# Set hasher configuration for machine users, API and OIDC client secrets.
Hasher :
2024-05-08 08:48:26 +02:00
# Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2"
# Depending on the algorithm, different configuration options take effect.
2024-07-23 16:13:35 +02:00
Algorithm : bcrypt # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ALGORITHM
2024-05-08 08:48:26 +02:00
# Cost takes effect for the algorithms bcrypt and scrypt
2024-04-05 12:35:49 +03:00
Cost : 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_COST
2024-05-08 08:48:26 +02:00
# Time takes effect for the algorithms argon2i and argon2id
Time : 3 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_TIME
# Memory takes effect for the algorithms argon2i and argon2id
Memory : 32768 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_MEMORY
# Threads takes effect for the algorithms argon2i and argon2id
Threads : 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_THREADS
# Rounds takes effect for the algorithm pbkdf2
Rounds : 290000 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ROUNDS
# Hash takes effect for the algorithm pbkdf2
# Can be "sha1", "sha224", "sha256", "sha384" or "sha512"
Hash : sha256 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_HASH
Verifiers : # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_VERIFIERS
2022-02-14 17:22:30 +01:00
Multifactors :
OTP :
2023-04-26 07:17:23 +02:00
# If this is empty, the issuer is the requested domain
# This is helpful in scenarios with multiple ZITADEL environments or virtual instances
2023-08-07 22:32:10 +02:00
Issuer : "ZITADEL" # ZITADEL_SYSTEMDEFAULTS_MULTIFACTORS_OTP_ISSUER
2022-02-14 17:22:30 +01:00
DomainVerification :
VerificationGenerator :
2023-08-07 22:32:10 +02:00
Length : 32 # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_LENGTH
IncludeLowerLetters : true # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDESYMBOLS
2022-02-14 17:22:30 +01:00
Notifications :
2023-08-07 22:32:10 +02:00
FileSystemPath : ".notifications/" # ZITADEL_SYSTEMDEFAULTS_NOTIFICATIONS_FILESYSTEMPATH
2022-02-14 17:22:30 +01:00
KeyConfig :
2023-08-07 22:32:10 +02:00
Size : 2048 # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_SIZE
CertificateSize : 4096 # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_CERTIFICATESIZE
PrivateKeyLifetime : 6h # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_PRIVATEKEYLIFETIME
PublicKeyLifetime : 30h # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_PUBLICKEYLIFETIME
# 8766h are 1 year
CertificateLifetime : 8766h # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_CERTIFICATELIFETIME
2024-08-12 22:32:01 +02:00
# DefaultQueryLimit limits the number of items that can be queried in a single v3 API search request without explicitly passing a limit.
DefaultQueryLimit : 100 # ZITADEL_SYSTEMDEFAULTS_DEFAULTQUERYLIMIT
# MaxQueryLimit limits the number of items that can be queried in a single v3 API search request with explicitly passing a limit.
MaxQueryLimit : 1000 # ZITADEL_SYSTEMDEFAULTS_MAXQUERYLIMIT
2022-03-29 11:53:19 +02:00
2022-10-06 14:23:59 +02:00
Actions :
HTTP :
2023-08-07 22:32:10 +02:00
# Wildcard sub domains are currently unsupported
2024-02-16 17:04:42 +01:00
DenyList : # ZITADEL_ACTIONS_HTTP_DENYLIST (comma separated list)
2022-10-06 14:23:59 +02:00
- localhost
2024-10-22 16:16:44 +02:00
- "127.0.0.0/8"
- "::1"
- "0.0.0.0"
- "::"
2022-10-06 14:23:59 +02:00
2023-02-15 02:52:11 +01:00
LogStore :
Access :
Stdout :
2023-08-07 22:32:10 +02:00
# If enabled, all access logs are printed to the binary's standard output
Enabled : false # ZITADEL_LOGSTORE_ACCESS_STDOUT_ENABLED
2023-02-15 02:52:11 +01:00
Execution :
Stdout :
2023-08-07 22:32:10 +02:00
# If enabled, all execution logs are printed to the binary's standard output
Enabled : true # ZITADEL_LOGSTORE_EXECUTION_STDOUT_ENABLED
2023-02-15 02:52:11 +01:00
Quotas :
Access :
2023-09-15 16:58:45 +02:00
# If enabled, authenticated requests are counted and potentially limited depending on the configured quota of the instance
Enabled : false # ZITADEL_QUOTAS_ACCESS_ENABLED
Debounce :
MinFrequency : 0s # ZITADEL_QUOTAS_ACCESS_DEBOUNCE_MINFREQUENCY
MaxBulkSize : 0 # ZITADEL_QUOTAS_ACCESS_DEBOUNCE_MAXBULKSIZE
2023-08-07 22:32:10 +02:00
ExhaustedCookieKey : "zitadel.quota.exhausted" # ZITADEL_QUOTAS_ACCESS_EXHAUSTEDCOOKIEKEY
ExhaustedCookieMaxAge : "300s" # ZITADEL_QUOTAS_ACCESS_EXHAUSTEDCOOKIEMAXAGE
2023-09-15 16:58:45 +02:00
Execution :
# If enabled, all action executions are counted and potentially limited depending on the configured quota of the instance
Enabled : false # ZITADEL_QUOTAS_EXECUTION_DATABASE_ENABLED
Debounce :
MinFrequency : 0s # ZITADEL_QUOTAS_EXECUTION_DEBOUNCE_MINFREQUENCY
MaxBulkSize : 0 # ZITADEL_QUOTAS_EXECUTION_DEBOUNCE_MAXBULKSIZE
2023-02-15 02:52:11 +01:00
2022-12-15 10:40:13 +01:00
Eventstore :
2023-10-19 12:19:10 +02:00
# Sets the maximum duration of transactions pushing events
PushTimeout : 15s #ZITADEL_EVENTSTORE_PUSHTIMEOUT
2024-02-23 10:29:10 +02:00
# Maximum amount of push retries in case of primary key violation on the sequence
MaxRetries : 5 #ZITADEL_EVENTSTORE_MAXRETRIES
2022-12-15 10:40:13 +01:00
2024-03-05 08:37:12 +01:00
# The DefaultInstance section defines the default values for each new virtual instance that is created.
# Check out https://zitadel.com/docs/concepts/structure/instance#multiple-virtual-instances for more information about virtual instances.
# For the initial setup, the default values are used to create the first instance.
# However, you might want to have your first instance created by the setup job to have a different configuration.
# To overwrite the default values for the initial setup, configure the FirstInstance yaml section and pass it using the --steps flag.
2022-04-21 12:37:39 +02:00
DefaultInstance :
2023-08-07 22:32:10 +02:00
InstanceName : ZITADEL # ZITADEL_DEFAULTINSTANCE_INSTANCENAME
DefaultLanguage : en # ZITADEL_DEFAULTINSTANCE_DEFAULTLANGUAGE
2022-04-21 12:37:39 +02:00
Org :
2023-08-07 22:32:10 +02:00
Name : ZITADEL # ZITADEL_DEFAULTINSTANCE_ORG_NAME
# In the DefaultInstance.Org.Human section, the initial organization's admin user with the role IAM_OWNER is defined.
2024-07-04 13:39:28 +02:00
# If DefaultInstance.Org.Machine.Machine is defined, a service user is created with the IAM_OWNER role.
2022-04-21 12:37:39 +02:00
Human :
2023-08-07 22:32:10 +02:00
# In case that UserLoginMustBeDomain is false (default) and if you don't overwrite the username with an email,
2022-09-23 14:08:10 +02:00
# it will be suffixed by the org domain (org-name + domain from config).
2023-08-07 22:32:10 +02:00
# for example zitadel-admin in org `My Org` on domain.tld -> zitadel-admin@my-org.domain.tld
UserName : zitadel-admin # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME
FirstName : ZITADEL # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_FIRSTNAME
LastName : Admin # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_LASTNAME
NickName : # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_NICKNAME
DisplayName : # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_DISPLAYNAME
2022-04-21 12:37:39 +02:00
Email :
2023-08-07 22:32:10 +02:00
Address : # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_EMAIL_ADDRESS
Verified : false # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_EMAIL_VERIFIED
PreferredLanguage : en # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PREFERREDLANGUAGE
Gender : # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_GENDER
2022-04-21 12:37:39 +02:00
Phone :
2023-08-07 22:32:10 +02:00
Number : # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PHONE_NUMBER
Verified : # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PHONE_VERIFIED
Password : # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PASSWORD
# In the DefaultInstance.Org.Machine section, the initial organization's admin user with the role IAM_OWNER is defined.
2024-07-04 13:39:28 +02:00
# If DefaultInstance.Org.Machine.Machine is defined, a service user is created with the IAM_OWNER role.
2022-12-09 13:04:33 +00:00
Machine :
Machine :
2023-08-07 22:32:10 +02:00
Username : # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_MACHINE_USERNAME
Name : # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_MACHINE_NAME
2022-12-09 13:04:33 +00:00
MachineKey :
2023-08-07 22:32:10 +02:00
# date format: 2023-01-01T00:00:00Z
ExpirationDate : # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_MACHINEKEY_EXPIRATIONDATE
# Currently, the only supported value is 1 for JSON
Type : # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE
2022-12-09 13:04:33 +00:00
Pat :
2023-08-07 22:32:10 +02:00
# date format: 2023-01-01T00:00:00Z
ExpirationDate : # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE
2022-04-21 12:37:39 +02:00
SecretGenerators :
ClientSecret :
2023-08-07 22:32:10 +02:00
Length : 64 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_LENGTH
IncludeLowerLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_INCLUDESYMBOLS
2022-04-21 12:37:39 +02:00
InitializeUserCode :
2023-08-07 22:32:10 +02:00
Length : 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_LENGTH
Expiry : "72h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_EXPIRY
IncludeLowerLetters : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDESYMBOLS
2022-04-21 12:37:39 +02:00
EmailVerificationCode :
2023-08-07 22:32:10 +02:00
Length : 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_LENGTH
Expiry : "1h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_EXPIRY
IncludeLowerLetters : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_INCLUDESYMBOLS
2022-04-21 12:37:39 +02:00
PhoneVerificationCode :
2023-08-07 22:32:10 +02:00
Length : 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_LENGTH
Expiry : "1h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_EXPIRY
IncludeLowerLetters : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_INCLUDESYMBOLS
2022-04-21 12:37:39 +02:00
PasswordVerificationCode :
2023-08-07 22:32:10 +02:00
Length : 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_LENGTH
Expiry : "1h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_EXPIRY
IncludeLowerLetters : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_INCLUDESYMBOLS
2022-04-21 12:37:39 +02:00
PasswordlessInitCode :
2023-08-07 22:32:10 +02:00
Length : 12 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_LENGTH
Expiry : "1h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_EXPIRY
IncludeLowerLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_INCLUDESYMBOLS
2022-04-21 12:37:39 +02:00
DomainVerification :
2023-08-07 22:32:10 +02:00
Length : 32 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_LENGTH
IncludeLowerLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_INCLUDESYMBOLS
2023-07-26 13:00:41 +02:00
OTPSMS :
2023-08-07 22:32:10 +02:00
Length : 8 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_LENGTH
Expiry : "5m" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_EXPIRY
IncludeLowerLetters : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_INCLUDELOWERLETTERS
IncludeUpperLetters : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_INCLUDESYMBOLS
2023-07-26 13:00:41 +02:00
OTPEmail :
2023-08-07 22:32:10 +02:00
Length : 8 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_LENGTH
Expiry : "5m" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_EXPIRY
IncludeLowerLetters : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_INCLUDELOWERLETTERS
IncludeUpperLetters : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_INCLUDESYMBOLS
2024-09-11 12:53:55 +02:00
InviteCode :
Length : 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_LENGTH
Expiry : "72h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_EXPIRY
IncludeLowerLetters : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDESYMBOLS
2024-11-28 11:06:52 +01:00
SigningKey :
Length : 36 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_LENGTH
IncludeLowerLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDELOWERLETTERS
IncludeUpperLetters : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDEUPPERLETTERS
IncludeDigits : true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDEDIGITS
IncludeSymbols : false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDESYMBOLS
2022-04-21 12:37:39 +02:00
PasswordComplexityPolicy :
2023-08-07 22:32:10 +02:00
MinLength : 8 # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_MINLENGTH
HasLowercase : true # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_HASLOWERCASE
HasUppercase : true # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_HASUPPERCASE
HasNumber : true # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_HASNUMBER
HasSymbol : true # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_HASSYMBOL
2022-04-21 12:37:39 +02:00
PasswordAgePolicy :
2023-08-07 22:32:10 +02:00
ExpireWarnDays : 0 # ZITADEL_DEFAULTINSTANCE_PASSWORDAGEPOLICY_EXPIREWARNDAYS
MaxAgeDays : 0 # ZITADEL_DEFAULTINSTANCE_PASSWORDAGEPOLICY_MAXAGEDAYS
2022-04-21 12:37:39 +02:00
DomainPolicy :
2023-08-07 22:32:10 +02:00
UserLoginMustBeDomain : false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_USERLOGINMUSTBEDOMAIN
2023-09-20 12:45:11 +02:00
ValidateOrgDomains : false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
2023-08-07 22:32:10 +02:00
SMTPSenderAddressMatchesInstanceDomain : false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN
2022-04-21 12:37:39 +02:00
LoginPolicy :
2023-08-07 22:32:10 +02:00
AllowUsernamePassword : true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWUSERNAMEPASSWORD
AllowRegister : true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWREGISTER
AllowExternalIDP : true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWEXTERNALIDP
ForceMFA : false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_FORCEMFA
HidePasswordReset : false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_HIDEPASSWORDRESET
IgnoreUnknownUsernames : false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_IGNOREUNKNOWNUSERNAMES
2023-09-20 12:45:11 +02:00
AllowDomainDiscovery : true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
2023-08-07 22:32:10 +02:00
# 1 is allowed, 0 is not allowed
PasswordlessType : 1 # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_PASSWORDLESSTYPE
# DefaultRedirectURL is empty by default because we use the Console UI
DefaultRedirectURI : # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_DEFAULTREDIRECTURI
# 240h = 10d
PasswordCheckLifetime : 240h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_PASSWORDCHECKLIFETIME
# 240h = 10d
ExternalLoginCheckLifetime : 240h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_EXTERNALLOGINCHECKLIFETIME
# 720h = 30d
MfaInitSkipLifetime : 720h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_MFAINITSKIPLIFETIME
SecondFactorCheckLifetime : 18h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_SECONDFACTORCHECKLIFETIME
MultiFactorCheckLifetime : 12h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_MULTIFACTORCHECKLIFETIME
2022-04-21 12:37:39 +02:00
PrivacyPolicy :
2024-07-25 08:39:10 +02:00
TOSLink : "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_TOSLINK
PrivacyLink : "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_PRIVACYLINK
2023-08-07 22:32:10 +02:00
HelpLink : "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_HELPLINK
SupportEmail : "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_SUPPORTEMAIL
2024-05-13 16:01:50 +02:00
DocsLink : https://zitadel.com/docs # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_DOCSLINK
CustomLink : "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_CUSTOMLINK
CustomLinkText : "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_CUSTOMLINKTEXT
2023-01-25 09:49:41 +01:00
NotificationPolicy :
2023-08-07 22:32:10 +02:00
PasswordChange : true # ZITADEL_DEFAULTINSTANCE_NOTIFICATIONPOLICY_PASSWORDCHANGE
2022-04-21 12:37:39 +02:00
LabelPolicy :
2023-08-07 22:32:10 +02:00
PrimaryColor : "#5469d4" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_PRIMARYCOLOR
BackgroundColor : "#fafafa" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_BACKGROUNDCOLOR
WarnColor : "#cd3d56" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_WARNCOLOR
FontColor : "#000000" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_FONTCOLOR
PrimaryColorDark : "#2073c4" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_PRIMARYCOLORDARK
BackgroundColorDark : "#111827" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_BACKGROUNDCOLORDARK
WarnColorDark : "#ff3b5b" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_WARNCOLORDARK
FontColorDark : "#ffffff" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_FONTCOLORDARK
HideLoginNameSuffix : false # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_HIDELOGINNAMESUFFIX
ErrorMsgPopup : false # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_ERRORMSGPOPUP
DisableWatermark : false # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_DISABLEWATERMARK
2022-04-21 12:37:39 +02:00
LockoutPolicy :
2024-04-10 11:14:55 +02:00
MaxPasswordAttempts : 0 # ZITADEL_DEFAULTINSTANCE_LOCKOUTPOLICY_MAXPASSWORDATTEMPTS
MaxOTPAttempts : 0 # ZITADEL_DEFAULTINSTANCE_LOCKOUTPOLICY_MAXOTPATTEMPTS
2023-08-07 22:32:10 +02:00
ShouldShowLockoutFailure : true # ZITADEL_DEFAULTINSTANCE_LOCKOUTPOLICY_SHOULDSHOWLOCKOUTFAILURE
EmailTemplate : CjwhZG9jdHlwZSBodG1sPgo8aHRtbCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCIgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSI+CjxoZWFkPgogIDx0aXRsZT4KCiAgPC90aXRsZT4KICA8IS0tW2lmICFtc29dPjwhLS0+CiAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1lZGdlIj4KICA8IS0tPCFbZW5kaWZdLS0+CiAgPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPgogIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MSI+CiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4KICAgICNvdXRsb29rIGEgeyBwYWRkaW5nOjA7IH0KICAgIGJvZHkgeyBtYXJnaW46MDtwYWRkaW5nOjA7LXdlYmtpdC10ZXh0LXNpemUtYWRqdXN0OjEwMCU7LW1zLXRleHQtc2l6ZS1hZGp1c3Q6MTAwJTsgfQogICAgdGFibGUsIHRkIHsgYm9yZGVyLWNvbGxhcHNlOmNvbGxhcHNlO21zby10YWJsZS1sc3BhY2U6MHB0O21zby10YWJsZS1yc3BhY2U6MHB0OyB9CiAgICBpbWcgeyBib3JkZXI6MDtoZWlnaHQ6YXV0bztsaW5lLWhlaWdodDoxMDAlOyBvdXRsaW5lOm5vbmU7dGV4dC1kZWNvcmF0aW9uOm5vbmU7LW1zLWludGVycG9sYXRpb24tbW9kZTpiaWN1YmljOyB9CiAgICBwIHsgZGlzcGxheTpibG9jazttYXJnaW46MTNweCAwOyB9CiAgPC9zdHlsZT4KICA8IS0tW2lmIG1zb10+CiAgPHhtbD4KICAgIDxvOk9mZmljZURvY3VtZW50U2V0dGluZ3M+CiAgICAgIDxvOkFsbG93UE5HLz4KICAgICAgPG86UGl4ZWxzUGVySW5jaD45NjwvbzpQaXhlbHNQZXJJbmNoPgogICAgPC9vOk9mZmljZURvY3VtZW50U2V0dGluZ3M+CiAgPC94bWw+CiAgPCFbZW5kaWZdLS0+CiAgPCEtLVtpZiBsdGUgbXNvIDExXT4KICA8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgogICAgLm1qLW91dGxvb2stZ3JvdXAtZml4IHsgd2lkdGg6MTAwJSAhaW1wb3J0YW50OyB9CiAgPC9zdHlsZT4KICA8IVtlbmRpZl0tLT4KCgogIDxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+CiAgICBAbWVkaWEgb25seSBzY3JlZW4gYW5kIChtaW4td2lkdGg6NDgwcHgpIHsKICAgICAgLm1qLWNvbHVtbi1wZXItMTAwIHsgd2lkdGg6MTAwJSAhaW1wb3J0YW50OyBtYXgtd2lkdGg6IDEwMCU7IH0KICAgICAgLm1qLWNvbHVtbi1wZXItNjAgeyB3aWR0aDo2MCUgIWltcG9ydGFudDsgbWF4LXdpZHRoOiA2MCU7IH0KICAgIH0KICA8L3N0eWxlPgoKCiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4KCgoKICAgIEBtZWRpYSBvbmx5IHNjcmVlbiBhbmQgKG1heC13aWR0aDo0ODBweCkgewogICAgICB0YWJsZS5tai1mdWxsLXdpZHRoLW1vYmlsZSB7IHdpZHRoOiAxMDAlICFpbXBvcnRhbnQ7IH0KICAgICAgdGQubWotZnVsbC13aWR0aC1tb2JpbGUgeyB3aWR0aDogYXV0byAhaW1wb3J0YW50OyB9CiAgICB9CgogIDwvc3R5bGU+CiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4uc2hhZG93IGEgewogICAgYm94LXNoYWRvdzogMHB4IDNweCAxcHggLTJweCByZ2JhKDAsIDAsIDAsIDAuMiksIDBweCAycHggMnB4IDBweCByZ2JhKDAsIDAsIDAsIDAuMTQpLCAwcHggMXB4IDVweCAwcHggcmdiYSgwLCAwLCAwLCAwLjEyKTsKICB9PC9zdHlsZT4KCiAge3tpZiAuRm9udFVSTH19CiAgPHN0eWxlPgogICAgQGZvbnQtZmFjZSB7CiAgICAgIGZvbnQtZmFtaWx5OiAne3suRm9udEZhY2VGYW1pbHl9fSc7CiAgICAgIGZvbnQtc3R5bGU6IG5vcm1hbDsKICAgICAgZm9udC1kaXNwbGF5OiBzd2FwOwogICAgICBzcmM6IHVybCh7ey5Gb250VVJMfX0pOwogICAgfQogIDwvc3R5bGU+CiAge3tlbmR9fQoKPC9oZWFkPgo8Ym9keSBzdHlsZT0id29yZC1zcGFjaW5nOm5vcm1hbDsiPgoKCjxkaXYKICAgICAgICBzdHlsZT0iIgo+CgogIDx0YWJsZQogICAgICAgICAgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIHJvbGU9InByZXNlbnRhdGlvbiIgc3R5bGU9ImJhY2tncm91bmQ6e3suQmFja2dyb3VuZENvbG9yfX07YmFja2dyb3VuZC1jb2xvcjp7ey5CYWNrZ3JvdW5kQ29sb3J9fTt3aWR0aDoxMDAlO2JvcmRlci1yYWRpdXM6MTZweDsiCiAgPgogICAgPHRib2R5PgogICAgPHRyPgogICAgICA8dGQ+CgoKICAgICAgICA8IS0tW2lmIG1zbyB8IElFXT48dGFibGUgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIGNsYXNzPSIiIHN0eWxlPSJ3aWR0aDo4MDBweDsiIHdpZHRoPSI4MDAiID48dHI+PHRkIHN0eWxlPSJsaW5lLWhlaWdodDowcHg7Zm9udC1zaXplOjBweDttc28tbGluZS1oZWlnaHQtcnVsZTpleGFjdGx5OyI+PCFbZW5kaWZdLS0+CgoKICAgICAgICA8ZGl2ICBzdHlsZT0ibWFyZ2luOjBweCBhdXRvO2JvcmRlci1yYWRpdXM6MTZweDttYXgtd2lkdGg6ODAwcHg7Ij4KCiAgICAgICAgICA8dGFibGUKICAgICAgICAgICAgICAgICAgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIHJvbGU9InByZXNlbnRhdGlvbiIgc3R5bGU9IndpZHRoOjEwMCU7Ym9yZGVyLXJhZGl1czoxNnB4OyIKICAgICAgICAgID4KICAgICAgICAgICAgPHRib2R5PgogICAgICAgICAgICA8dHI+CiAgICAgICAgICAgICAgPHRkCiAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iZGlyZWN0aW9uOmx0cjtmb250LXNpemU6MHB4O3BhZGRpbmc6MjBweCAwO3BhZGRpbmctbGVmdDowO3RleHQtYWxpZ246Y2VudGVyOyIKICAgICAgICAgICAgICA+CiAgICAgICAgICAgICAgICA8IS0tW2lmIG1zbyB8IElFXT48dGFibGUgcm9sZT0icHJlc2VudGF0aW9uIiBib3JkZXI9IjAiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCI+PHRyPjx0ZCBjbGFzcz0iIiB3aWR0aD0iODAwcHgiID48IVtlbmRpZl0tLT4KCiAgICAgICAgICAgICAgIC
2024-11-11 22:03:15 +10:00
2024-08-14 17:18:14 +03:00
# WebKeys configures the OIDC token signing keys that are generated when a new instance is created.
# WebKeys are still in alpha, so the config is disabled here. This will prevent generation of keys for now.
# WebKeys:
# Type: "rsa" # ZITADEL_DEFAULTINSTANCE_WEBKEYS_TYPE
# Config:
# Bits: "2048" # ZITADEL_DEFAULTINSTANCE_WEBKEYS_CONFIG_BITS
# Hasher: "sha256" # ZITADEL_DEFAULTINSTANCE_WEBKEYS_CONFIG_HASHER
# WebKeys:
# Type: "ecdsa"
# Config:
# Curve: "P256" # ZITADEL_DEFAULTINSTANCE_WEBKEYS_CONFIG_CURVE
2024-11-11 22:03:15 +10:00
2022-09-27 11:53:49 +01:00
# Sets the default values for lifetime and expiration for OIDC in each newly created instance
# This default can be overwritten for each instance during runtime
# Overwrites the system defaults
# If defined but not all durations are set it will result in an error
OIDCSettings :
2023-08-07 22:32:10 +02:00
AccessTokenLifetime : 12h # ZITADEL_DEFAULTINSTANCE_OIDCSETTINGS_ACCESSTOKENLIFETIME
IdTokenLifetime : 12h # ZITADEL_DEFAULTINSTANCE_OIDCSETTINGS_IDTOKENLIFETIME
# 720h are 30 days
RefreshTokenIdleExpiration : 720h # ZITADEL_DEFAULTINSTANCE_OIDCSETTINGS_REFRESHTOKENIDLEEXPIRATION
# 2160h are 90 days
RefreshTokenExpiration : 2160h # ZITADEL_DEFAULTINSTANCE_OIDCSETTINGS_REFRESHTOKENEXPIRATION
2022-05-30 17:39:18 +02:00
# this configuration sets the default email configuration
SMTPConfiguration :
2023-08-07 22:32:10 +02:00
# Configuration of the host
2022-05-30 17:39:18 +02:00
SMTP :
2023-01-17 10:20:16 +01:00
# must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
2023-08-07 22:32:10 +02:00
Host : # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_HOST
User : # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_USER
Password : # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_PASSWORD
2023-12-18 11:54:43 +01:00
TLS : # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_TLS
2023-08-07 22:32:10 +02:00
# If the host of the sender is different from ExternalDomain set DefaultInstance.DomainPolicy.SMTPSenderAddressMatchesInstanceDomain to false
2023-12-18 11:54:43 +01:00
From : # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_FROM
FromName : # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_FROMNAME
ReplyToAddress : # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_REPLYTOADDRESS
2024-02-16 17:04:42 +01:00
# Configure the MessageTexts by environment variable using JSON notation:
# ZITADEL_DEFAULTINSTANCE_MESSAGETEXTS='[{"messageTextType": "InitCode", "title": "My custom title"},{"messageTextType": "PasswordReset", "greeting": "Hi there!"}]'
# Beware that if you configure the MessageTexts by environment variable, all the default MessageTexts are lost.
2022-04-21 12:37:39 +02:00
MessageTexts :
- MessageTextType : InitCode
Language : de
Title : Zitadel - User initialisieren
PreHeader : User initialisieren
Subject : User initialisieren
2023-04-11 17:56:51 +02:00
Greeting : Hallo {{.DisplayName}},
2024-10-14 13:12:08 +05:30
Text : Dieser Benutzer wurde soeben im Zitadel erstellt. Mit dem Benutzernamen <br><strong>{{.PreferredLoginName}}</strong><br> kannst du dich anmelden. Nutze den untenstehenden Button, um die Initialisierung abzuschliessen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es einfach ignorieren.
2022-04-21 12:37:39 +02:00
ButtonText : Initialisierung abschliessen
- MessageTextType : PasswordReset
Language : de
Title : Zitadel - Passwort zurücksetzen
PreHeader : Passwort zurücksetzen
Subject : Passwort zurücksetzen
2023-04-11 17:56:51 +02:00
Greeting : Hallo {{.DisplayName}},
2024-10-14 13:12:08 +05:30
Text : Wir haben eine Anfrage für das Zurücksetzen deines Passwortes bekommen. Du kannst den untenstehenden Button verwenden, um dein Passwort zurückzusetzen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es ignorieren.
2022-04-21 12:37:39 +02:00
ButtonText : Passwort zurücksetzen
- MessageTextType : VerifyEmail
Language : de
Title : Zitadel - Email verifizieren
PreHeader : Email verifizieren
Subject : Email verifizieren
2023-04-11 17:56:51 +02:00
Greeting : Hallo {{.DisplayName}},
2024-10-14 13:12:08 +05:30
Text : Eine neue E-Mail Adresse wurde hinzugefügt. Bitte verwende den untenstehenden Button um diese zu verifizieren <br>(Code <strong>{{.Code}}</strong>).<br> Falls du deine E-Mail Adresse nicht selber hinzugefügt hast, kannst du dieses E-Mail ignorieren.
2022-04-21 12:37:39 +02:00
ButtonText : Email verifizieren
- MessageTextType : VerifyPhone
Language : de
Title : Zitadel - Telefonnummer verifizieren
PreHeader : Telefonnummer verifizieren
Subject : Telefonnummer verifizieren
2023-04-11 17:56:51 +02:00
Greeting : Hallo {{.DisplayName}},
2022-04-21 12:37:39 +02:00
Text : Eine Telefonnummer wurde hinzugefügt. Bitte verifiziere diese in dem du folgenden Code eingibst (Code {{.Code}})
ButtonText : Telefon verifizieren
- MessageTextType : DomainClaimed
Language : de
Title : Zitadel - Domain wurde beansprucht
PreHeader : Email / Username ändern
Subject : Domain wurde beansprucht
2023-04-11 17:56:51 +02:00
Greeting : Hallo {{.DisplayName}},
2022-04-21 12:37:39 +02:00
Text : Die Domain {{.Domain}} wurde von einer Organisation beansprucht. Dein derzeitiger User {{.Username}} ist nicht Teil dieser Organisation. Daher musst du beim nächsten Login eine neue Email hinterlegen. Für diesen Login haben wir dir einen temporären Usernamen ({{.TempUsername}}) erstellt.
ButtonText : Login
2023-01-25 09:49:41 +01:00
- MessageTextType : PasswordChange
Language : de
Title : ZITADEL - Passwort von Benutzer wurde geändert
PreHeader : Passwort Änderung
Subject : Passwort von Benutzer wurde geändert
2023-04-11 17:56:51 +02:00
Greeting : Hallo {{.DisplayName}},
2023-01-25 09:49:41 +01:00
Text : Das Password vom Benutzer wurde geändert. Wenn diese Änderung von jemand anderem gemacht wurde, empfehlen wir die sofortige Zurücksetzung ihres Passworts.
ButtonText : Login
2022-04-21 12:37:39 +02:00
- MessageTextType : InitCode
Language : en
Title : Zitadel - Initialize User
PreHeader : Initialize User
Subject : Initialize User
2023-04-11 17:56:51 +02:00
Greeting : Hello {{.DisplayName}},
2022-04-21 12:37:39 +02:00
Text : This user was created in Zitadel. Use the username {{.PreferredLoginName}} to login. Please click the button below to finish the initialization process. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
ButtonText : Finish initialization
- MessageTextType : PasswordReset
Language : en
Title : Zitadel - Reset password
PreHeader : Reset password
Subject : Reset password
2023-04-11 17:56:51 +02:00
Greeting : Hello {{.DisplayName}},
2022-04-21 12:37:39 +02:00
Text : We received a password reset request. Please use the button below to reset your password. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
ButtonText : Reset password
- MessageTextType : VerifyEmail
Language : en
Title : Zitadel - Verify email
PreHeader : Verify email
Subject : Verify email
2023-04-11 17:56:51 +02:00
Greeting : Hello {{.DisplayName}},
2024-11-11 22:03:15 +10:00
Text : A new email has been added. Please use the button below to verify your email. (Code {{.Code}}) If you didn't add a new email, please ignore this email.
2022-04-21 12:37:39 +02:00
ButtonText : Verify email
- MessageTextType : VerifyPhone
Language : en
Title : Zitadel - Verify phone
PreHeader : Verify phone
Subject : Verify phone
2023-04-11 17:56:51 +02:00
Greeting : Hello {{.DisplayName}},
2023-08-07 22:32:10 +02:00
Text : A new phone number has been added. Please use the following code to verify it {{.Code}}.
2022-04-21 12:37:39 +02:00
ButtonText : Verify phone
- MessageTextType : DomainClaimed
Language : en
Title : Zitadel - Domain has been claimed
2023-08-07 22:32:10 +02:00
PreHeader : Change email/username
2022-04-21 12:37:39 +02:00
Subject : Domain has been claimed
2023-04-11 17:56:51 +02:00
Greeting : Hello {{.DisplayName}},
2023-08-07 22:32:10 +02:00
Text : The domain {{.Domain}} has been claimed by an organization. Your current user {{.UserName}} is not part of this organization. Therefore you'll have to change your email when you login. We have created a temporary username ({{.TempUsername}}) for this login.
2022-04-21 12:37:39 +02:00
ButtonText : Login
2023-01-25 09:49:41 +01:00
- MessageTextType : PasswordChange
Language : en
Title : ZITADEL - Password of user has changed
PreHeader : Change password
Subject : Password of user has changed
2023-04-11 17:56:51 +02:00
Greeting : Hello {{.DisplayName}},
2023-01-25 09:49:41 +01:00
Text : The password of your user has changed. If this change was not done by you, please be advised to immediately reset your password.
ButtonText : Login
2024-03-12 14:50:13 +01:00
2024-02-28 10:55:54 +02:00
# Once a feature is set on the instance (true or false), system level feature settings
# will be ignored until instance level features are reset.
2023-09-29 10:21:32 +02:00
Features :
2024-02-28 10:55:54 +02:00
LoginDefaultOrg : true # ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINDEFAULTORG
# TriggerIntrospectionProjections: false # ZITADEL_DEFAULTINSTANCE_FEATURES_TRIGGERINTROSPECTIONPROJECTIONS
# LegacyIntrospection: false # ZITADEL_DEFAULTINSTANCE_FEATURES_LEGACYINTROSPECTION
2023-10-25 13:42:00 +02:00
Limits :
# AuditLogRetention limits the number of events that can be queried via the events API by their age.
# A value of "0s" means that all events are available.
# If this value is set, it overwrites the system default unless it is not reset via the admin API.
AuditLogRetention : # ZITADEL_DEFAULTINSTANCE_LIMITS_AUDITLOGRETENTION
2024-01-17 11:16:48 +01:00
# If Block is true, all requests except to /ui/console or the system API are blocked and /ui/login is redirected to /ui/console.
# /ui/console shows a message that the instance is blocked with a link to Console.InstanceManagementURL
Block : # ZITADEL_DEFAULTINSTANCE_LIMITS_BLOCK
2023-11-22 10:29:38 +01:00
Restrictions :
# DisallowPublicOrgRegistration defines if ZITADEL should expose the endpoint /ui/login/register/org
# If it is true, the endpoint returns the HTTP status 404 on GET requests, and 409 on POST requests.
DisallowPublicOrgRegistration : # ZITADEL_DEFAULTINSTANCE_RESTRICTIONS_DISALLOWPUBLICORGREGISTRATION
2023-12-05 12:12:01 +01:00
# AllowedLanguages restricts the languages that can be used.
# If the list is empty, all supported languages are allowed.
AllowedLanguages : # ZITADEL_DEFAULTINSTANCE_RESTRICTIONS_ALLOWEDLANGUAGES
# - en
# - de
2023-02-15 02:52:11 +01:00
Quotas :
2023-08-07 22:32:10 +02:00
# Items take a slice of quota configurations, whereas, for each unit type and instance, one or zero quotas may exist.
2023-02-15 02:52:11 +01:00
# The following unit types are supported
# "requests.all.authenticated"
# The sum of all requests to the ZITADEL API with an authorization header,
# excluding the following exceptions
# - Calls to the System API
# - Calls that cause internal server errors
# - Failed authorizations
# - Requests after the quota already exceeded
# "actions.all.runs.seconds"
# The sum of all actions run durations in seconds
2024-02-16 17:04:42 +01:00
# Configure the Items by environment variable using JSON notation:
# ZITADEL_DEFAULTINSTANCE_QUOTAS_ITEMS='[{"unit": "requests.all.authenticated", "notifications": [{"percent": 100}]}]'
Items : # ZITADEL_DEFAULTINSTANCE_QUOTAS_ITEMS
2023-02-15 02:52:11 +01:00
# - Unit: "requests.all.authenticated"
2023-08-07 22:32:10 +02:00
# # From defines the starting time from which the current quota period is calculated.
2023-02-15 02:52:11 +01:00
# # This is relevant for querying the current usage.
# From: "2023-01-01T00:00:00Z"
# # ResetInterval defines the quota periods duration
# ResetInterval: 720h # 30 days
# # Amount defines the number of units for this quota
# Amount: 25000
2024-01-17 11:16:48 +01:00
# # Limit defines whether ZITADEL should block further authenticated requests when the configured amount is used.
# # If you not only want to block authenticated requests but also authentication itself, consider using the system APIs SetLimits method.
2023-02-15 02:52:11 +01:00
# Limit: false
# # Notifications are emitted by ZITADEL when certain quota percentages are reached
# Notifications:
# # Percent defines the relative amount of used units, after which a notification should be emitted.
# - Percent: 100
# # Repeat defines, whether a notification should be emitted each time when a multitude of the configured Percent is used.
# Repeat: true
# # CallURL is called when a relative amount of the quota is used.
# CallURL: "https://httpbin.org/post"
2023-10-25 13:42:00 +02:00
# AuditLogRetention limits the number of events that can be queried via the events API by their age.
# A value of "0s" means that all events are available.
# If an audit log retention is set using an instance limit, it will overwrite the system default.
AuditLogRetention : 0s # ZITADEL_AUDITLOGRETENTION
2023-03-17 10:14:06 +01:00
2022-03-29 11:53:19 +02:00
InternalAuthZ :
2024-02-16 17:04:42 +01:00
# Configure the RolePermissionMappings by environment variable using JSON notation:
2024-04-14 11:55:54 +02:00
# ZITADEL_INTERNALAUTHZ_ROLEPERMISSIONMAPPINGS='[{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write"]}]'
2024-02-16 17:04:42 +01:00
# Beware that if you configure the RolePermissionMappings by environment variable, all the default RolePermissionMappings are lost.
2022-03-29 11:53:19 +02:00
RolePermissionMappings :
2023-10-25 17:10:45 +02:00
- Role : "SYSTEM_OWNER"
Permissions :
- "system.instance.read"
- "system.instance.write"
- "system.instance.delete"
- "system.domain.read"
- "system.domain.write"
- "system.domain.delete"
- "system.debug.read"
- "system.debug.write"
- "system.debug.delete"
2024-02-28 10:55:54 +02:00
- "system.feature.read"
2023-10-25 17:10:45 +02:00
- "system.feature.write"
2024-02-28 10:55:54 +02:00
- "system.feature.delete"
2023-10-25 17:10:45 +02:00
- "system.limits.write"
- "system.limits.delete"
- "system.quota.write"
- "system.quota.delete"
- "system.iam.member.read"
- Role : "SYSTEM_OWNER_VIEWER"
Permissions :
- "system.instance.read"
- "system.domain.read"
- "system.debug.read"
2024-02-28 10:55:54 +02:00
- "system.feature.read"
2023-10-25 17:10:45 +02:00
- "system.iam.member.read"
2022-04-29 10:25:12 +02:00
- Role : "IAM_OWNER"
2022-03-29 11:53:19 +02:00
Permissions :
- "iam.read"
- "iam.write"
- "iam.policy.read"
- "iam.policy.write"
- "iam.policy.delete"
- "iam.member.read"
- "iam.member.write"
- "iam.member.delete"
- "iam.idp.read"
- "iam.idp.write"
- "iam.idp.delete"
- "iam.action.read"
- "iam.action.write"
- "iam.action.delete"
- "iam.flow.read"
- "iam.flow.write"
- "iam.flow.delete"
2024-02-28 10:55:54 +02:00
- "iam.feature.read"
2023-09-29 10:21:32 +02:00
- "iam.feature.write"
2024-02-28 10:55:54 +02:00
- "iam.feature.delete"
2023-11-22 10:29:38 +01:00
- "iam.restrictions.read"
- "iam.restrictions.write"
2024-08-14 17:18:14 +03:00
- "iam.web_key.write"
- "iam.web_key.delete"
- "iam.web_key.read"
2024-09-11 11:24:00 +03:00
- "iam.debug.write"
- "iam.debug.read"
2022-03-29 11:53:19 +02:00
- "org.read"
- "org.global.read"
- "org.create"
- "org.write"
2022-11-30 17:01:17 +01:00
- "org.delete"
2022-03-29 11:53:19 +02:00
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "org.action.read"
- "org.action.write"
- "org.action.delete"
- "org.flow.read"
- "org.flow.write"
- "org.flow.delete"
2024-02-28 10:55:54 +02:00
- "org.feature.read"
- "org.feature.write"
- "org.feature.delete"
2022-03-29 11:53:19 +02:00
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "user.credential.write"
2023-05-24 13:22:00 +03:00
- "user.passkey.write"
2024-02-28 10:55:54 +02:00
- "user.feature.read"
- "user.feature.write"
- "user.feature.delete"
2022-03-29 11:53:19 +02:00
- "policy.read"
- "policy.write"
- "policy.delete"
- "project.read"
- "project.create"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
2023-01-16 12:30:03 +01:00
- "events.read"
2023-10-25 13:16:34 +02:00
- "milestones.read"
2024-12-19 10:37:46 +01:00
- "session.read"
2023-11-16 08:35:50 +02:00
- "session.delete"
2024-08-12 22:32:01 +02:00
- "action.target.read"
2024-07-31 14:42:12 +02:00
- "action.target.write"
- "action.target.delete"
2024-08-12 22:32:01 +02:00
- "action.execution.read"
2024-07-31 14:42:12 +02:00
- "action.execution.write"
2024-03-22 14:26:13 +01:00
- "userschema.read"
2024-03-12 14:50:13 +01:00
- "userschema.write"
- "userschema.delete"
2022-04-29 10:25:12 +02:00
- Role : "IAM_OWNER_VIEWER"
2022-03-29 11:53:19 +02:00
Permissions :
- "iam.read"
- "iam.policy.read"
- "iam.member.read"
- "iam.idp.read"
- "iam.action.read"
- "iam.flow.read"
2023-11-22 10:29:38 +01:00
- "iam.restrictions.read"
2024-02-28 10:55:54 +02:00
- "iam.feature.read"
2024-08-14 17:18:14 +03:00
- "iam.web_key.read"
2024-09-11 11:24:00 +03:00
- "iam.debug.read"
2022-03-29 11:53:19 +02:00
- "org.read"
- "org.member.read"
- "org.idp.read"
- "org.action.read"
- "org.flow.read"
2024-02-28 10:55:54 +02:00
- "org.feature.read"
2022-03-29 11:53:19 +02:00
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
2024-02-28 10:55:54 +02:00
- "user.feature.read"
2022-03-29 11:53:19 +02:00
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
2023-01-16 12:30:03 +01:00
- "events.read"
2023-10-25 13:16:34 +02:00
- "milestones.read"
2024-08-12 22:32:01 +02:00
- "action.target.read"
- "action.execution.read"
2024-03-22 14:26:13 +01:00
- "userschema.read"
2022-04-29 10:25:12 +02:00
- Role : "IAM_ORG_MANAGER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.global.read"
- "org.create"
- "org.write"
2022-11-30 17:01:17 +01:00
- "org.delete"
2022-03-29 11:53:19 +02:00
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "org.action.read"
- "org.action.write"
- "org.action.delete"
- "org.flow.read"
- "org.flow.write"
- "org.flow.delete"
2024-02-28 10:55:54 +02:00
- "org.feature.read"
- "org.feature.write"
- "org.feature.delete"
2022-03-29 11:53:19 +02:00
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "user.credential.write"
2023-05-24 13:22:00 +03:00
- "user.passkey.write"
2024-02-28 10:55:54 +02:00
- "user.feature.read"
- "user.feature.write"
- "user.feature.delete"
2022-03-29 11:53:19 +02:00
- "policy.read"
- "policy.write"
- "policy.delete"
- "project.read"
- "project.create"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
2023-11-16 08:35:50 +02:00
- "session.delete"
2022-04-29 10:25:12 +02:00
- Role : "IAM_USER_MANAGER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.global.read"
- "org.member.read"
- "org.member.delete"
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2023-05-24 13:22:00 +03:00
- "user.passkey.write"
2024-02-28 10:55:54 +02:00
- "user.feature.read"
- "user.feature.write"
- "user.feature.delete"
2022-03-29 11:53:19 +02:00
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
2023-11-16 08:35:50 +02:00
- "session.delete"
2024-02-28 12:21:11 +02:00
- Role : "IAM_ADMIN_IMPERSONATOR"
Permissions :
- "admin.impersonation"
- "impersonation"
- Role : "IAM_END_USER_IMPERSONATOR"
Permissions :
- "impersonation"
2022-04-29 10:25:12 +02:00
- Role : "ORG_OWNER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.global.read"
- "org.write"
2022-11-30 17:01:17 +01:00
- "org.delete"
2022-03-29 11:53:19 +02:00
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "org.action.read"
- "org.action.write"
- "org.action.delete"
- "org.flow.read"
- "org.flow.write"
- "org.flow.delete"
2024-02-28 10:55:54 +02:00
- "org.feature.read"
- "org.feature.write"
- "org.feature.delete"
2022-03-29 11:53:19 +02:00
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "user.credential.write"
2023-05-24 13:22:00 +03:00
- "user.passkey.write"
2024-02-28 10:55:54 +02:00
- "user.feature.read"
- "user.feature.write"
- "user.feature.delete"
2022-03-29 11:53:19 +02:00
- "policy.read"
- "policy.write"
- "policy.delete"
- "project.read"
- "project.create"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
2023-11-16 08:35:50 +02:00
- "session.delete"
2024-12-19 10:37:46 +01:00
- Role : "IAM_LOGIN_CLIENT"
Permissions :
- "iam.read"
- "iam.policy.read"
- "iam.member.read"
- "iam.member.write"
- "iam.idp.read"
- "iam.feature.read"
- "iam.restrictions.read"
- "org.read"
- "org.member.read"
- "org.member.write"
- "org.idp.read"
- "org.feature.read"
- "user.read"
- "user.write"
- "user.grant.read"
- "user.grant.write"
- "user.membership.read"
- "user.credential.write"
- "user.passkey.write"
- "user.feature.read"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.member.write"
- "project.role.read"
- "project.app.read"
- "project.member.read"
- "project.member.write"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.member.write"
- "session.read"
- "session.link"
- "session.delete"
- "userschema.read"
2022-04-29 10:25:12 +02:00
- Role : "ORG_USER_MANAGER"
2022-03-29 11:53:19 +02:00
Permissions :
2023-02-21 09:31:35 +01:00
- "org.read"
2022-03-29 11:53:19 +02:00
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2024-02-28 10:55:54 +02:00
- "user.feature.read"
- "user.feature.write"
- "user.feature.delete"
2023-02-21 09:31:35 +01:00
- "policy.read"
2022-03-29 11:53:19 +02:00
- "project.read"
- "project.role.read"
2023-11-16 08:35:50 +02:00
- "session.delete"
2022-04-29 10:25:12 +02:00
- Role : "ORG_OWNER_VIEWER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.member.read"
- "org.idp.read"
- "org.action.read"
- "org.flow.read"
2024-02-28 10:55:54 +02:00
- "org.feature.read"
2022-03-29 11:53:19 +02:00
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
2024-02-28 10:55:54 +02:00
- "user.feature.read"
2022-03-29 11:53:19 +02:00
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.user.grant.read"
2022-07-12 10:03:44 +02:00
- Role : "ORG_SETTINGS_MANAGER"
Permissions :
- "org.read"
- "org.write"
- "org.member.read"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
2024-02-28 10:55:54 +02:00
- "org.feature.read"
- "org.feature.write"
- "org.feature.delete"
2022-07-12 10:03:44 +02:00
- "policy.read"
- "policy.write"
- "policy.delete"
2022-04-29 10:25:12 +02:00
- Role : "ORG_USER_PERMISSION_EDITOR"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
2022-04-29 10:25:12 +02:00
- Role : "ORG_PROJECT_PERMISSION_EDITOR"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
2022-04-29 10:25:12 +02:00
- Role : "ORG_PROJECT_CREATOR"
2022-03-29 11:53:19 +02:00
Permissions :
- "user.global.read"
- "policy.read"
- "project.read:self"
- "project.create"
2024-02-28 12:21:11 +02:00
- Role : "ORG_ADMIN_IMPERSONATOR"
Permissions :
- "admin.impersonation"
- "impersonation"
- Role : "ORG_END_USER_IMPERSONATOR"
Permissions :
- "impersonation"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_OWNER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.global.read"
- "policy.read"
- "project.read"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_OWNER_VIEWER"
2022-03-29 11:53:19 +02:00
Permissions :
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "SELF_MANAGEMENT_GLOBAL"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.create"
- "policy.read"
- "user.self.delete"
2023-07-07 22:14:07 +02:00
- Role : "ORG_USER_SELF_MANAGER"
Permissions :
- "policy.read"
- "user.self.delete"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_OWNER_GLOBAL"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.global.read"
- "policy.read"
- "project.read"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_OWNER_VIEWER_GLOBAL"
2022-03-29 11:53:19 +02:00
Permissions :
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_GRANT_OWNER"
2022-03-29 11:53:19 +02:00
Permissions :
- "policy.read"
- "org.global.read"
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_GRANT_OWNER_VIEWER"
2022-03-29 11:53:19 +02:00
Permissions :
- "policy.read"
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
2024-01-25 17:28:20 +01:00
# If a new projection is introduced it will be prefilled during the setup process (if enabled)
# This can prevent serving outdated data after a version upgrade, but might require a longer setup / upgrade process:
# https://zitadel.com/docs/self-hosting/manage/updating_scaling
InitProjections :
2024-03-23 12:52:52 +01:00
Enabled : true # ZITADEL_INITPROJECTIONS_ENABLED
2024-01-25 17:28:20 +01:00
RetryFailedAfter : 100ms # ZITADEL_INITPROJECTIONS_RETRYFAILEDAFTER
MaxFailureCount : 2 # ZITADEL_INITPROJECTIONS_MAXFAILURECOUNT
2024-05-13 16:01:50 +02:00
BulkLimit : 1000 # ZITADEL_INITPROJECTIONS_BULKLIMIT