2022-02-09 15:01:19 +01:00
Log :
2022-10-03 15:20:16 +02:00
Level : info
2022-02-09 15:01:19 +01:00
Formatter :
2022-02-11 11:02:47 +01:00
Format : text
2022-07-18 10:42:32 +02:00
# Exposes metrics on /debug/metrics
Metrics :
# Select type otel (OpenTelemetry) or none (disables collection and endpoint)
Type : otel
2022-06-24 14:38:22 +02:00
# Port ZITADEL will listen on
2022-02-14 17:22:30 +01:00
Port : 8080
2022-06-24 14:38:22 +02:00
# Port ZITADEL is exposed on, it can differ from port e.g. if you proxy the traffic
# !!! Changing this after initial setup breaks your system !!!
2022-02-14 17:22:30 +01:00
ExternalPort : 8080
2022-06-24 14:38:22 +02:00
# Domain / hostname ZITADEL is exposed externally
# !!! Changing this after initial setup breaks your system !!!
2022-05-17 19:23:51 +02:00
ExternalDomain : localhost
2022-06-24 14:38:22 +02:00
# specifies if ZITADEL is exposed externally through TLS
# this must be set to true even if TLS is not enabled on ZITADEL itself
# but TLS traffic is terminated on a reverse proxy
# !!! Changing this after initial setup breaks your system !!!
2022-02-14 17:22:30 +01:00
ExternalSecure : true
2022-06-24 14:38:22 +02:00
TLS :
# if enabled, ZITADEL will serve all traffic over TLS (HTTPS and gRPC)
# you must then also provide a private key and certificate to be used for the connection
# either directly or by a path to the corresponding file
Enabled : true
# Path to the private key of the TLS certificate, it will be loaded into the Key
# and overwrite any exising value
KeyPath : #/path/to/key/file.pem
# Private key of the TLS certificate (KeyPath will this overwrite, if specified)
Key : #<bas64 encoded content of a pem file>
# Path to the certificate for the TLS connection, it will be loaded into the Cert
# and overwrite any exising value
CertPath : #/path/to/cert/file.pem
# Certificate for the TLS connection (CertPath will this overwrite, if specified)
Cert : #<bas64 encoded content of a pem file>
# Header name of HTTP2 (incl. gRPC) calls from which the instance will be matched
2022-03-29 11:53:19 +02:00
HTTP2HostHeader : ":authority"
2022-06-24 14:38:22 +02:00
# Header name of HTTP1 calls from which the instance will be matched
2022-03-29 11:53:19 +02:00
HTTP1HostHeader : "host"
2022-02-14 17:22:30 +01:00
2022-04-25 10:01:17 +02:00
WebAuthNName : ZITADEL
2022-02-14 17:22:30 +01:00
Database :
2022-08-31 09:52:43 +02:00
# CockroachDB is the default datbase of ZITADEL
2022-07-28 16:25:42 +02:00
cockroach :
Host : localhost
Port : 26257
Database : zitadel
MaxOpenConns : 20
MaxConnLifetime : 30m
MaxConnIdleTime : 30m
Options : ""
User :
Username : zitadel
Password : ""
SSL :
Mode : disable
RootCert : ""
Cert : ""
Key : ""
Admin :
Username : root
Password : ""
SSL :
Mode : disable
RootCert : ""
Cert : ""
Key : ""
2022-08-31 09:52:43 +02:00
# Postgres is used as soon as a value is set
# The values describe the possible fields to set values
postgres :
2022-09-27 11:53:49 +01:00
Host :
2022-08-31 09:52:43 +02:00
Port :
Database :
MaxOpenConns :
MaxConnLifetime :
MaxConnIdleTime :
Options :
User :
Username :
Password :
SSL :
Mode :
RootCert :
Cert :
Key :
Admin :
Username :
Password :
SSL :
Mode :
RootCert :
Cert :
Key :
2022-02-14 17:22:30 +01:00
feat: Configurable Unique Machine Identification (#3626)
* feat: Configurable Unique Machine Identification
This change fixes Segfault on AWS App Runner with v2 #3625
The change introduces two new dependencies:
* github.com/drone/envsubst for supporting AWS ECS, which has its metadata endpoint described by an environment variable
* github.com/jarcoal/jpath so that only relevant data from a metadata response is used to identify the machine.
The change ads new configuration (see `defaults.yaml`):
* `Machine.Identification` enables configuration of how machines are uniquely identified - I'm not sure about the top level category `Machine`, as I don't have anything else to add to it. Happy to hear suggestions for better naming or structure here.
* `Machine.Identifiation.PrivateId` turns on or off the existing private IP based identification. Default is on.
* `Machine.Identification.Hostname` turns on or off using the OS hostname to identify the machine. Great for most cloud environments, where this tends to be set to something that identifies the machine uniquely. Enabled by default.
* `Machine.Identification.Webhook` configures identification based on the response to an HTTP GET request. Request headers can be configured, a JSONPath can be set for processing the response (no JSON parsing is done if this is not set), and the URL is allowed to contain environment variables in the format `"${var}"`.
The new flow for getting a unique machine id is:
1. PrivateIP (if enabled)
2. Hostname (if enabled)
3. Webhook (if enabled, to configured URL)
4. Give up and error out.
It's important that init configures machine identity first. Otherwise we could try to get an ID before configuring it. To prevent this from causing difficult to debug issues, where for example the default configuration was used, I've ensured that
the application will generate an error if the module hasn't been configured and you try to get an ID.
Misc changes:
* Spelling and gramatical corrections to `init.go::New()` long description.
* Spelling corrections to `verify_zitadel.go::newZitadel()`.
* Updated `production.md` and `development.md` based on the new build process. I think the run instructions are also out of date, but I'll leave that for someone else.
* `id.SonyFlakeGenerator` is now a function, which sets `id.sonyFlakeGenerator`, this allows us to defer initialization until configuration has been read.
* Update internal/id/config.go
Co-authored-by: Alexei-Barnes <82444470+Alexei-Barnes@users.noreply.github.com>
* Fix authored by @livio-a for tests
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2022-05-24 15:57:57 +01:00
Machine :
# Cloud hosted VMs need to specify their metadata endpoint so that the machine can be uniquely identified.
Identification :
# Use private IP to identify machines uniquely
PrivateIp :
Enabled : true
# Use hostname to identify machines uniquely
# You want the process to be identified uniquely, so this works well in k8s where each pod gets its own
# unique host name, but not as well in some other hosting environments.
Hostname :
Enabled : false
# Use a webhook response to identify machines uniquely
# Google Cloud Configuration
Webhook :
Enabled : true
Url : "http://metadata.google.internal/computeMetadata/v1/instance/id"
Headers :
"Metadata-Flavor": "Google"
#
# AWS EC2 IMDSv1 Configuration: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
# Webhook:
# Url: "http://169.254.169.254/latest/meta-data/ami-id"
#
# AWS ECS v4 Configuration: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html
# Webhook:
# Url: "${ECS_CONTAINER_METADATA_URI_V4}"
# JPath: "$.DockerId"
#
# Azure Configuration: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux
# Webhook:
# Url: "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
# JPath: "$.compute.vmId"
2022-08-16 07:04:36 +02:00
# Storage for assets like user avatar, organization logo, icon, font, ...
AssetStorage :
Type : db
# HTTP cache control settings for serving assets in the assets API and login UI
# the assets will also be served with an etag and last-modified header
Cache :
MaxAge : 5s
SharedMaxAge : 168h #7d
2022-02-14 17:22:30 +01:00
Projections :
2022-07-22 12:08:39 +02:00
RequeueEvery : 60s
2022-03-28 10:05:09 +02:00
RetryFailedAfter : 1s
MaxFailureCount : 5
2022-09-02 16:05:13 +02:00
ConcurrentInstances : 1
2022-03-28 10:05:09 +02:00
BulkLimit : 200
MaxIterators : 1
Customizations :
projects :
BulkLimit : 2000
2022-02-14 17:22:30 +01:00
Auth :
SearchLimit : 1000
Spooler :
ConcurrentWorkers : 1
2022-07-22 12:08:39 +02:00
ConcurrentInstances : 10
2022-02-14 17:22:30 +01:00
BulkLimit : 10000
FailureCountUntilSkip : 5
Admin :
SearchLimit : 1000
Spooler :
ConcurrentWorkers : 1
2022-07-22 12:08:39 +02:00
ConcurrentInstances : 10
2022-02-14 17:22:30 +01:00
BulkLimit : 10000
FailureCountUntilSkip : 5
UserAgentCookie :
Name : zitadel.useragent
MaxAge : 8760h #365*24h (1 year)
OIDC :
CodeMethodS256 : true
AuthMethodPost : true
AuthMethodPrivateKeyJWT : true
GrantTypeRefreshToken : true
RequestObjectSupported : true
SigningKeyAlgorithm : RS256
2022-09-27 11:53:49 +01:00
# Sets the default values for lifetime and expiration for OIDC
# This default can be overwritten in the default instance configuration and for each instance during runtime
# !!! Changing this after initial setup will have no impact without a restart !!!
2022-02-14 17:22:30 +01:00
DefaultAccessTokenLifetime : 12h
DefaultIdTokenLifetime : 12h
DefaultRefreshTokenIdleExpiration : 720h #30d
DefaultRefreshTokenExpiration : 2160h #90d
Cache :
MaxAge : 12h
SharedMaxAge : 168h #7d
CustomEndpoints :
2022-06-07 10:04:51 +02:00
Auth :
Path : /oauth/v2/authorize
Token :
Path : /oauth/v2/token
Introspection :
Path : /oauth/v2/introspect
Userinfo :
Path : /oidc/v1/userinfo
Revocation :
Path : /oauth/v2/revoke
EndSession :
Path : /oidc/v1/end_session
Keys :
Path : /oauth/v2/keys
2022-02-14 17:22:30 +01:00
2022-09-12 17:18:08 +01:00
SAML :
ProviderConfig :
MetadataConfig :
Path : "/metadata"
SignatureAlgorithm : "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
IDPConfig :
SignatureAlgorithm : "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
WantAuthRequestsSigned : true
Endpoints :
#Organisation:
# Name: ZITADEL
# URL: https://zitadel.com
#ContactPerson:
# ContactType: "technical"
# Company: ZITADEL
# EmailAddress: hi@zitadel.com
2022-02-14 17:22:30 +01:00
Login :
LanguageCookieName : zitadel.login.lang
2022-03-14 07:55:09 +01:00
CSRFCookieName : zitadel.login.csrf
2022-02-14 17:22:30 +01:00
Cache :
MaxAge : 12h
SharedMaxAge : 168h #7d
Console :
ShortCache :
2022-05-13 14:06:44 +02:00
MaxAge : 0m
SharedMaxAge : 5m
2022-02-14 17:22:30 +01:00
LongCache :
MaxAge : 12h
2022-08-16 07:04:36 +02:00
SharedMaxAge : 168h #7d
2022-02-14 17:22:30 +01:00
Notification :
Repository :
Spooler :
ConcurrentWorkers : 1
2022-07-22 12:08:39 +02:00
ConcurrentInstances : 10
2022-02-14 17:22:30 +01:00
BulkLimit : 10000
FailureCountUntilSkip : 5
Handlers :
2022-03-14 07:55:09 +01:00
EncryptionKeys :
DomainVerification :
EncryptionKeyID : "domainVerificationKey"
DecryptionKeyIDs :
IDPConfig :
EncryptionKeyID : "idpConfigKey"
DecryptionKeyIDs :
OIDC :
EncryptionKeyID : "oidcKey"
DecryptionKeyIDs :
2022-09-12 17:18:08 +01:00
SAML :
EncryptionKeyID : "samlKey"
DecryptionKeyIDs :
2022-03-14 07:55:09 +01:00
OTP :
EncryptionKeyID : "otpKey"
DecryptionKeyIDs :
SMS :
EncryptionKeyID : "smsKey"
DecryptionKeyIDs :
SMTP :
EncryptionKeyID : "smtpKey"
DecryptionKeyIDs :
User :
EncryptionKeyID : "userKey"
DecryptionKeyIDs :
CSRFCookieKeyID : "csrfCookieKey"
UserAgentCookieKeyID : "userAgentCookieKey"
2022-05-30 13:38:30 +02:00
SystemAPIUsers :
2022-09-27 11:53:49 +01:00
# add keys for authentication of the systemAPI here:
# you can specify any name for the user, but they will have to match the `issuer` and `sub` claim in the JWT:
# - superuser:
# Path: /path/to/superuser/key.pem # you can provide the key either by reference with the path
# - superuser2:
# KeyData: <base64 encoded key> # or you can directly embed it as base64 encoded value
2022-05-30 13:38:30 +02:00
2022-02-14 17:22:30 +01:00
#TODO: remove as soon as possible
SystemDefaults :
SecretGenerators :
PasswordSaltCost : 14
MachineKeySize : 2048
ApplicationKeySize : 2048
Multifactors :
OTP :
2022-04-29 10:25:12 +02:00
Issuer : "ZITADEL"
2022-02-14 17:22:30 +01:00
DomainVerification :
VerificationGenerator :
Length : 32
IncludeLowerLetters : true
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
Notifications :
2022-04-29 10:25:12 +02:00
FileSystemPath : ".notifications/"
2022-02-14 17:22:30 +01:00
KeyConfig :
Size : 2048
2022-09-12 17:18:08 +01:00
CertificateSize : 4096
2022-02-14 17:22:30 +01:00
PrivateKeyLifetime : 6h
PublicKeyLifetime : 30h
2022-09-12 17:18:08 +01:00
CertificateLifetime : 8766h
2022-03-29 11:53:19 +02:00
2022-10-06 14:23:59 +02:00
Actions :
HTTP :
# wildcard sub domains are currently unsupported
DenyList :
- localhost
- '127.0.0.1'
2022-04-21 12:37:39 +02:00
DefaultInstance :
InstanceName :
2022-05-03 15:58:38 +02:00
DefaultLanguage : en
2022-04-21 12:37:39 +02:00
Org :
Name :
Human :
2022-09-23 14:08:10 +02:00
# in case that UserLoginMustBeDomain is false (default) and if you don't overwrite the username with an email,
# it will be suffixed by the org domain (org-name + domain from config).
# for example: zitadel-admin in org `My Org` on domain.tld -> zitadel-admin@my-org.domain.tld
2022-04-21 12:37:39 +02:00
UserName : zitadel-admin
FirstName : ZITADEL
LastName : Admin
NickName :
DisplayName :
Email :
Address :
Verified : false
2022-04-28 10:30:41 +02:00
PreferredLanguage : en
2022-04-21 12:37:39 +02:00
Gender :
Phone :
Number :
Verified :
Password :
SecretGenerators :
PasswordSaltCost : 14
ClientSecret :
Length : 64
IncludeLowerLetters : true
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
InitializeUserCode :
Length : 6
2022-04-29 10:25:12 +02:00
Expiry : "72h"
2022-04-21 12:37:39 +02:00
IncludeLowerLetters : false
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
EmailVerificationCode :
Length : 6
2022-04-29 10:25:12 +02:00
Expiry : "1h"
2022-04-21 12:37:39 +02:00
IncludeLowerLetters : false
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
PhoneVerificationCode :
Length : 6
2022-04-29 10:25:12 +02:00
Expiry : "1h"
2022-04-21 12:37:39 +02:00
IncludeLowerLetters : false
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
PasswordVerificationCode :
Length : 6
2022-04-29 10:25:12 +02:00
Expiry : "1h"
2022-04-21 12:37:39 +02:00
IncludeLowerLetters : false
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
PasswordlessInitCode :
Length : 12
2022-04-29 10:25:12 +02:00
Expiry : "1h"
2022-04-21 12:37:39 +02:00
IncludeLowerLetters : true
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
DomainVerification :
Length : 32
IncludeLowerLetters : true
IncludeUpperLetters : true
IncludeDigits : true
IncludeSymbols : false
PasswordComplexityPolicy :
MinLength : 8
HasLowercase : true
HasUppercase : true
HasNumber : true
HasSymbol : true
PasswordAgePolicy :
ExpireWarnDays : 0
MaxAgeDays : 0
DomainPolicy :
2022-09-23 14:08:10 +02:00
UserLoginMustBeDomain : false
2022-04-21 12:37:39 +02:00
ValidateOrgDomains : true
2022-09-02 09:04:29 +02:00
SMTPSenderAddressMatchesInstanceDomain : false
2022-04-21 12:37:39 +02:00
LoginPolicy :
AllowUsernamePassword : true
AllowRegister : true
AllowExternalIDP : true
ForceMFA : false
HidePasswordReset : false
2022-05-16 15:39:09 +02:00
IgnoreUnknownUsernames : false
2022-10-06 13:30:14 +02:00
AllowDomainDiscovery : false
2022-04-21 12:37:39 +02:00
PasswordlessType: 1 #1: allowed 0 : not allowed
2022-05-16 15:39:09 +02:00
DefaultRedirectURI : #empty because we use the Console UI
2022-04-21 12:37:39 +02:00
PasswordCheckLifetime : 240h #10d
ExternalLoginCheckLifetime : 240h #10d
MfaInitSkipLifetime : 720h #30d
SecondFactorCheckLifetime : 18h
MultiFactorCheckLifetime : 12h
PrivacyPolicy :
2022-05-20 16:32:06 +02:00
TOSLink : https://docs.zitadel.com/docs/legal/terms-of-service
PrivacyLink : https://docs.zitadel.com/docs/legal/privacy-policy
2022-04-29 10:25:12 +02:00
HelpLink : ""
2022-04-21 12:37:39 +02:00
LabelPolicy :
2022-04-29 10:25:12 +02:00
PrimaryColor : "#5469d4"
BackgroundColor : "#fafafa"
WarnColor : "#cd3d56"
FontColor : "#000000"
PrimaryColorDark : "#bbbafa"
BackgroundColorDark : "#111827"
WarnColorDark : "#ff3b5b"
FontColorDark : "#ffffff"
2022-04-21 12:37:39 +02:00
HideLoginNameSuffix : false
ErrorMsgPopup : false
DisableWatermark : false
LockoutPolicy :
MaxAttempts : 0
ShouldShowLockoutFailure : true
2022-05-16 09:52:10 +02:00
EmailTemplate : CjwhZG9jdHlwZSBodG1sPgo8aHRtbCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCIgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSI+CjxoZWFkPgogIDx0aXRsZT4KCiAgPC90aXRsZT4KICA8IS0tW2lmICFtc29dPjwhLS0+CiAgPG1ldGEgaHR0cC1lcXVpdj0iWC1VQS1Db21wYXRpYmxlIiBjb250ZW50PSJJRT1lZGdlIj4KICA8IS0tPCFbZW5kaWZdLS0+CiAgPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9VVRGLTgiPgogIDxtZXRhIG5hbWU9InZpZXdwb3J0IiBjb250ZW50PSJ3aWR0aD1kZXZpY2Utd2lkdGgsIGluaXRpYWwtc2NhbGU9MSI+CiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4KICAgICNvdXRsb29rIGEgeyBwYWRkaW5nOjA7IH0KICAgIGJvZHkgeyBtYXJnaW46MDtwYWRkaW5nOjA7LXdlYmtpdC10ZXh0LXNpemUtYWRqdXN0OjEwMCU7LW1zLXRleHQtc2l6ZS1hZGp1c3Q6MTAwJTsgfQogICAgdGFibGUsIHRkIHsgYm9yZGVyLWNvbGxhcHNlOmNvbGxhcHNlO21zby10YWJsZS1sc3BhY2U6MHB0O21zby10YWJsZS1yc3BhY2U6MHB0OyB9CiAgICBpbWcgeyBib3JkZXI6MDtoZWlnaHQ6YXV0bztsaW5lLWhlaWdodDoxMDAlOyBvdXRsaW5lOm5vbmU7dGV4dC1kZWNvcmF0aW9uOm5vbmU7LW1zLWludGVycG9sYXRpb24tbW9kZTpiaWN1YmljOyB9CiAgICBwIHsgZGlzcGxheTpibG9jazttYXJnaW46MTNweCAwOyB9CiAgPC9zdHlsZT4KICA8IS0tW2lmIG1zb10+CiAgPHhtbD4KICAgIDxvOk9mZmljZURvY3VtZW50U2V0dGluZ3M+CiAgICAgIDxvOkFsbG93UE5HLz4KICAgICAgPG86UGl4ZWxzUGVySW5jaD45NjwvbzpQaXhlbHNQZXJJbmNoPgogICAgPC9vOk9mZmljZURvY3VtZW50U2V0dGluZ3M+CiAgPC94bWw+CiAgPCFbZW5kaWZdLS0+CiAgPCEtLVtpZiBsdGUgbXNvIDExXT4KICA8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgogICAgLm1qLW91dGxvb2stZ3JvdXAtZml4IHsgd2lkdGg6MTAwJSAhaW1wb3J0YW50OyB9CiAgPC9zdHlsZT4KICA8IVtlbmRpZl0tLT4KCgogIDxzdHlsZSB0eXBlPSJ0ZXh0L2NzcyI+CiAgICBAbWVkaWEgb25seSBzY3JlZW4gYW5kIChtaW4td2lkdGg6NDgwcHgpIHsKICAgICAgLm1qLWNvbHVtbi1wZXItMTAwIHsgd2lkdGg6MTAwJSAhaW1wb3J0YW50OyBtYXgtd2lkdGg6IDEwMCU7IH0KICAgICAgLm1qLWNvbHVtbi1wZXItNjAgeyB3aWR0aDo2MCUgIWltcG9ydGFudDsgbWF4LXdpZHRoOiA2MCU7IH0KICAgIH0KICA8L3N0eWxlPgoKCiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4KCgoKICAgIEBtZWRpYSBvbmx5IHNjcmVlbiBhbmQgKG1heC13aWR0aDo0ODBweCkgewogICAgICB0YWJsZS5tai1mdWxsLXdpZHRoLW1vYmlsZSB7IHdpZHRoOiAxMDAlICFpbXBvcnRhbnQ7IH0KICAgICAgdGQubWotZnVsbC13aWR0aC1tb2JpbGUgeyB3aWR0aDogYXV0byAhaW1wb3J0YW50OyB9CiAgICB9CgogIDwvc3R5bGU+CiAgPHN0eWxlIHR5cGU9InRleHQvY3NzIj4uc2hhZG93IGEgewogICAgYm94LXNoYWRvdzogMHB4IDNweCAxcHggLTJweCByZ2JhKDAsIDAsIDAsIDAuMiksIDBweCAycHggMnB4IDBweCByZ2JhKDAsIDAsIDAsIDAuMTQpLCAwcHggMXB4IDVweCAwcHggcmdiYSgwLCAwLCAwLCAwLjEyKTsKICB9PC9zdHlsZT4KCiAge3tpZiAuRm9udFVSTH19CiAgPHN0eWxlPgogICAgQGZvbnQtZmFjZSB7CiAgICAgIGZvbnQtZmFtaWx5OiAne3suRm9udEZhY2VGYW1pbHl9fSc7CiAgICAgIGZvbnQtc3R5bGU6IG5vcm1hbDsKICAgICAgZm9udC1kaXNwbGF5OiBzd2FwOwogICAgICBzcmM6IHVybCh7ey5Gb250VVJMfX0pOwogICAgfQogIDwvc3R5bGU+CiAge3tlbmR9fQoKPC9oZWFkPgo8Ym9keSBzdHlsZT0id29yZC1zcGFjaW5nOm5vcm1hbDsiPgoKCjxkaXYKICAgICAgICBzdHlsZT0iIgo+CgogIDx0YWJsZQogICAgICAgICAgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIHJvbGU9InByZXNlbnRhdGlvbiIgc3R5bGU9ImJhY2tncm91bmQ6e3suQmFja2dyb3VuZENvbG9yfX07YmFja2dyb3VuZC1jb2xvcjp7ey5CYWNrZ3JvdW5kQ29sb3J9fTt3aWR0aDoxMDAlO2JvcmRlci1yYWRpdXM6MTZweDsiCiAgPgogICAgPHRib2R5PgogICAgPHRyPgogICAgICA8dGQ+CgoKICAgICAgICA8IS0tW2lmIG1zbyB8IElFXT48dGFibGUgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIGNsYXNzPSIiIHN0eWxlPSJ3aWR0aDo4MDBweDsiIHdpZHRoPSI4MDAiID48dHI+PHRkIHN0eWxlPSJsaW5lLWhlaWdodDowcHg7Zm9udC1zaXplOjBweDttc28tbGluZS1oZWlnaHQtcnVsZTpleGFjdGx5OyI+PCFbZW5kaWZdLS0+CgoKICAgICAgICA8ZGl2ICBzdHlsZT0ibWFyZ2luOjBweCBhdXRvO2JvcmRlci1yYWRpdXM6MTZweDttYXgtd2lkdGg6ODAwcHg7Ij4KCiAgICAgICAgICA8dGFibGUKICAgICAgICAgICAgICAgICAgYWxpZ249ImNlbnRlciIgYm9yZGVyPSIwIiBjZWxscGFkZGluZz0iMCIgY2VsbHNwYWNpbmc9IjAiIHJvbGU9InByZXNlbnRhdGlvbiIgc3R5bGU9IndpZHRoOjEwMCU7Ym9yZGVyLXJhZGl1czoxNnB4OyIKICAgICAgICAgID4KICAgICAgICAgICAgPHRib2R5PgogICAgICAgICAgICA8dHI+CiAgICAgICAgICAgICAgPHRkCiAgICAgICAgICAgICAgICAgICAgICBzdHlsZT0iZGlyZWN0aW9uOmx0cjtmb250LXNpemU6MHB4O3BhZGRpbmc6MjBweCAwO3BhZGRpbmctbGVmdDowO3RleHQtYWxpZ246Y2VudGVyOyIKICAgICAgICAgICAgICA+CiAgICAgICAgICAgICAgICA8IS0tW2lmIG1zbyB8IElFXT48dGFibGUgcm9sZT0icHJlc2VudGF0aW9uIiBib3JkZXI9IjAiIGNlbGxwYWRkaW5nPSIwIiBjZWxsc3BhY2luZz0iMCI+PHRyPjx0ZCBjbGFzcz0iIiB3aWR0aD0iODAwcHgiID48IVtlbmRpZl0tLT4KCiAgICAgICAgICAgICAgIC
2022-09-27 11:53:49 +01:00
# Sets the default values for lifetime and expiration for OIDC in each newly created instance
# This default can be overwritten for each instance during runtime
# Overwrites the system defaults
# If defined but not all durations are set it will result in an error
OIDCSettings :
AccessTokenLifetime : 12h
IdTokenLifetime : 12h
RefreshTokenIdleExpiration : 720h #30d
RefreshTokenExpiration : 2160h #90d
2022-05-30 17:39:18 +02:00
# this configuration sets the default email configuration
SMTPConfiguration :
# configuration of the host
SMTP :
#for example smtp.mailtrap.io:2525
Host :
User :
Password :
TLS :
# if the host of the sender is different from ExternalDomain set DefaultInstance.DomainPolicy.SMTPSenderAddressMatchesInstanceDomain to false
From :
FromName :
2022-04-21 12:37:39 +02:00
MessageTexts :
- MessageTextType : InitCode
Language : de
Title : Zitadel - User initialisieren
PreHeader : User initialisieren
Subject : User initialisieren
Greeting : Hallo {{.FirstName}} {{.LastName}},
Text : Dieser Benutzer wurde soeben im Zitadel erstellt. Mit dem Benutzernamen <br><strong>{{.PreferredLoginName}}</strong><br> kannst du dich anmelden. Nutze den untenstehenden Button, um die Initialisierung abzuschliessen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es einfach ignorieren.
ButtonText : Initialisierung abschliessen
- MessageTextType : PasswordReset
Language : de
Title : Zitadel - Passwort zurücksetzen
PreHeader : Passwort zurücksetzen
Subject : Passwort zurücksetzen
Greeting : Hallo {{.FirstName}} {{.LastName}},
Text : Wir haben eine Anfrage für das Zurücksetzen deines Passwortes bekommen. Du kannst den untenstehenden Button verwenden, um dein Passwort zurückzusetzen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es ignorieren.
ButtonText : Passwort zurücksetzen
- MessageTextType : VerifyEmail
Language : de
Title : Zitadel - Email verifizieren
PreHeader : Email verifizieren
Subject : Email verifizieren
Greeting : Hallo {{.FirstName}} {{.LastName}},
Text : Eine neue E-Mail Adresse wurde hinzugefügt. Bitte verwende den untenstehenden Button um diese zu verifizieren <br>(Code <strong>{{.Code}}</strong>).<br> Falls du deine E-Mail Adresse nicht selber hinzugefügt hast, kannst du dieses E-Mail ignorieren.
ButtonText : Email verifizieren
- MessageTextType : VerifyPhone
Language : de
Title : Zitadel - Telefonnummer verifizieren
PreHeader : Telefonnummer verifizieren
Subject : Telefonnummer verifizieren
Greeting : Hallo {{.FirstName}} {{.LastName}},
Text : Eine Telefonnummer wurde hinzugefügt. Bitte verifiziere diese in dem du folgenden Code eingibst (Code {{.Code}})
ButtonText : Telefon verifizieren
- MessageTextType : DomainClaimed
Language : de
Title : Zitadel - Domain wurde beansprucht
PreHeader : Email / Username ändern
Subject : Domain wurde beansprucht
Greeting : Hallo {{.FirstName}} {{.LastName}},
Text : Die Domain {{.Domain}} wurde von einer Organisation beansprucht. Dein derzeitiger User {{.Username}} ist nicht Teil dieser Organisation. Daher musst du beim nächsten Login eine neue Email hinterlegen. Für diesen Login haben wir dir einen temporären Usernamen ({{.TempUsername}}) erstellt.
ButtonText : Login
- MessageTextType : InitCode
Language : en
Title : Zitadel - Initialize User
PreHeader : Initialize User
Subject : Initialize User
Greeting : Hello {{.FirstName}} {{.LastName}},
Text : This user was created in Zitadel. Use the username {{.PreferredLoginName}} to login. Please click the button below to finish the initialization process. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
ButtonText : Finish initialization
- MessageTextType : PasswordReset
Language : en
Title : Zitadel - Reset password
PreHeader : Reset password
Subject : Reset password
Greeting : Hello {{.FirstName}} {{.LastName}},
Text : We received a password reset request. Please use the button below to reset your password. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
ButtonText : Reset password
- MessageTextType : VerifyEmail
Language : en
Title : Zitadel - Verify email
PreHeader : Verify email
Subject : Verify email
Greeting : Hello {{.FirstName}} {{.LastName}},
Text : A new email has been added. Please use the button below to verify your mail. (Code {{.Code}}) If you din't add a new email, please ignore this email.
ButtonText : Verify email
- MessageTextType : VerifyPhone
Language : en
Title : Zitadel - Verify phone
PreHeader : Verify phone
Subject : Verify phone
Greeting : Hello {{.FirstName}} {{.LastName}},
Text : A new phonenumber has been added. Please use the following code to verify it {{.Code}}.
ButtonText : Verify phone
- MessageTextType : DomainClaimed
Language : en
Title : Zitadel - Domain has been claimed
PreHeader : Change email / username
Subject : Domain has been claimed
Greeting : Hello {{.FirstName}} {{.LastName}},
Text : The domain {{.Domain}} has been claimed by an organisation. Your current user {{.UserName}} is not part of this organisation. Therefore you'll have to change your email when you login. We have created a temporary username ({{.TempUsername}}) for this login.
ButtonText : Login
2022-03-29 11:53:19 +02:00
InternalAuthZ :
RolePermissionMappings :
2022-04-29 10:25:12 +02:00
- Role : "IAM_OWNER"
2022-03-29 11:53:19 +02:00
Permissions :
- "iam.read"
- "iam.write"
- "iam.policy.read"
- "iam.policy.write"
- "iam.policy.delete"
- "iam.member.read"
- "iam.member.write"
- "iam.member.delete"
- "iam.idp.read"
- "iam.idp.write"
- "iam.idp.delete"
- "iam.action.read"
- "iam.action.write"
- "iam.action.delete"
- "iam.flow.read"
- "iam.flow.write"
- "iam.flow.delete"
- "org.read"
- "org.global.read"
- "org.create"
- "org.write"
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "org.action.read"
- "org.action.write"
- "org.action.delete"
- "org.flow.read"
- "org.flow.write"
- "org.flow.delete"
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "user.credential.write"
- "policy.read"
- "policy.write"
- "policy.delete"
- "project.read"
- "project.create"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
2022-04-29 10:25:12 +02:00
- Role : "IAM_OWNER_VIEWER"
2022-03-29 11:53:19 +02:00
Permissions :
- "iam.read"
- "iam.policy.read"
- "iam.member.read"
- "iam.idp.read"
- "iam.action.read"
- "iam.flow.read"
- "org.read"
- "org.member.read"
- "org.idp.read"
- "org.action.read"
- "org.flow.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
2022-04-29 10:25:12 +02:00
- Role : "IAM_ORG_MANAGER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.global.read"
- "org.create"
- "org.write"
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "org.action.read"
- "org.action.write"
- "org.action.delete"
- "org.flow.read"
- "org.flow.write"
- "org.flow.delete"
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "user.credential.write"
- "policy.read"
- "policy.write"
- "policy.delete"
- "project.read"
- "project.create"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
2022-04-29 10:25:12 +02:00
- Role : "IAM_USER_MANAGER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.global.read"
- "org.member.read"
- "org.member.delete"
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
2022-04-29 10:25:12 +02:00
- Role : "ORG_OWNER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.global.read"
- "org.create"
- "org.write"
- "org.member.read"
- "org.member.write"
- "org.member.delete"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "org.action.read"
- "org.action.write"
- "org.action.delete"
- "org.flow.read"
- "org.flow.write"
- "org.flow.delete"
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "user.credential.write"
- "policy.read"
- "policy.write"
- "policy.delete"
- "project.read"
- "project.create"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
2022-04-29 10:25:12 +02:00
- Role : "ORG_USER_MANAGER"
2022-03-29 11:53:19 +02:00
Permissions :
- "user.read"
- "user.global.read"
- "user.write"
- "user.delete"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
- "project.read"
- "project.role.read"
2022-04-29 10:25:12 +02:00
- Role : "ORG_OWNER_VIEWER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.member.read"
- "org.idp.read"
- "org.action.read"
- "org.flow.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.user.grant.read"
2022-07-12 10:03:44 +02:00
- Role : "ORG_SETTINGS_MANAGER"
Permissions :
- "org.read"
- "org.write"
- "org.member.read"
- "org.idp.read"
- "org.idp.write"
- "org.idp.delete"
- "policy.read"
- "policy.write"
- "policy.delete"
2022-04-29 10:25:12 +02:00
- Role : "ORG_USER_PERMISSION_EDITOR"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
2022-04-29 10:25:12 +02:00
- Role : "ORG_PROJECT_PERMISSION_EDITOR"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.read"
- "org.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
2022-04-29 10:25:12 +02:00
- Role : "ORG_PROJECT_CREATOR"
2022-03-29 11:53:19 +02:00
Permissions :
- "user.global.read"
- "policy.read"
- "project.read:self"
- "project.create"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_OWNER"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.global.read"
- "policy.read"
- "project.read"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "project.grant.read"
- "project.grant.write"
- "project.grant.delete"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_OWNER_VIEWER"
2022-03-29 11:53:19 +02:00
Permissions :
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "SELF_MANAGEMENT_GLOBAL"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.create"
- "policy.read"
- "user.self.delete"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_OWNER_GLOBAL"
2022-03-29 11:53:19 +02:00
Permissions :
- "org.global.read"
- "policy.read"
- "project.read"
- "project.write"
- "project.delete"
- "project.member.read"
- "project.member.write"
- "project.member.delete"
- "project.role.read"
- "project.role.write"
- "project.role.delete"
- "project.app.read"
- "project.app.write"
- "project.app.delete"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_OWNER_VIEWER_GLOBAL"
2022-03-29 11:53:19 +02:00
Permissions :
- "policy.read"
- "project.read"
- "project.member.read"
- "project.role.read"
- "project.app.read"
- "project.grant.read"
- "project.grant.member.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_GRANT_OWNER"
2022-03-29 11:53:19 +02:00
Permissions :
- "policy.read"
- "org.global.read"
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- "project.grant.member.write"
- "project.grant.member.delete"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.grant.write"
- "user.grant.delete"
- "user.membership.read"
2022-04-29 10:25:12 +02:00
- Role : "PROJECT_GRANT_OWNER_VIEWER"
2022-03-29 11:53:19 +02:00
Permissions :
- "policy.read"
- "project.read"
- "project.grant.read"
- "project.grant.member.read"
- "user.read"
- "user.global.read"
- "user.grant.read"
- "user.membership.read"