diff --git a/docs/docs/apis/ratelimits/ratelimits.md b/docs/docs/apis/ratelimits/ratelimits.md deleted file mode 100644 index d01b53b7e4..0000000000 --- a/docs/docs/apis/ratelimits/ratelimits.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: ZITADEL Cloud Rate Limits ---- - -Rate limits are implemented according to our [rate limit policy](/legal/rate-limit-policy.md) with the following rules: - -| Path | Description | Rate Limiting | One Minute Banning | -|--------------------------|----------------------------------------|--------------------------------------|----------------------------------------| -| /ui/login* | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes | -| All other paths | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes | diff --git a/docs/docs/concepts/structure/instance.mdx b/docs/docs/concepts/structure/instance.mdx index 825af63be0..ce4eb99530 100644 --- a/docs/docs/concepts/structure/instance.mdx +++ b/docs/docs/concepts/structure/instance.mdx @@ -14,6 +14,8 @@ which in turn can represent your own company (e.g. departments), your business c Read more about how to configure your instance in our [instance guide](/guides/manage/console/instance-settings). +![Two instances with each organizations in it using the same database](/img/concepts/objects/instances.png) + ## Multiple Virtual Instances ZITADEL has the concept of virtual instances. diff --git a/docs/docs/examples/call-zitadel-api/dot-net.md b/docs/docs/examples/call-zitadel-api/dot-net.md index 8aeafc563a..31e7ce7cfc 100644 --- a/docs/docs/examples/call-zitadel-api/dot-net.md +++ b/docs/docs/examples/call-zitadel-api/dot-net.md @@ -17,7 +17,7 @@ All that is required, is a service account with an Org Owner (or another role, d However, we recommend you read the guide on [how to access ZITADEL API](../../guides/integrate/access-zitadel-apis) and the associated guides for a basic knowledge of : - [Recommended Authorization Flows](../../guides/integrate/oauth-recommended-flows.md) - - [Service Users](../../guides/integrate/serviceusers.md) + - [Service Users](../../guides/integrate/serviceusers) > Be sure to have a valid key JSON and that its service account is either ORG_OWNER or at least ORG_OWNER_VIEWER before you continue with this guide. diff --git a/docs/docs/examples/call-zitadel-api/go.md b/docs/docs/examples/call-zitadel-api/go.md index eebef207bb..52435240df 100644 --- a/docs/docs/examples/call-zitadel-api/go.md +++ b/docs/docs/examples/call-zitadel-api/go.md @@ -14,7 +14,7 @@ All that is required, is a service account with an Org Owner (or another role, d However, we recommend you read the guide on [how to access ZITADEL API](../../guides/integrate/access-zitadel-apis) and the associated guides for a basic knowledge of : - [Recommended Authorization Flows](../../guides/integrate/oauth-recommended-flows.md) - - [Service Users](../../guides/integrate/serviceusers.md) + - [Service Users](../../guides/integrate/serviceusers) > Be sure to have a valid key JSON and that its service account is either ORG_OWNER or at least ORG_OWNER_VIEWER before you continue with this guide. diff --git a/docs/docs/guides/integrate/access-zitadel-apis.md b/docs/docs/guides/integrate/access-zitadel-apis.md index 77f39392f9..2509c07243 100644 --- a/docs/docs/guides/integrate/access-zitadel-apis.md +++ b/docs/docs/guides/integrate/access-zitadel-apis.md @@ -19,7 +19,7 @@ On each level we have some different Roles. Here you can find more about the dif ## Add ORG_OWNER to Service User -Make sure you have a Service User with a Key. (For more detailed informations about creating a service user go to [Service User](serviceusers.md)) +Make sure you have a Service User with a Key. (For more detailed informations about creating a service user go to [Service User](serviceusers)) 1. Navigate to Organization Detail 2. Click the **+** button in the right part of console, in the managers part of details @@ -31,7 +31,7 @@ Make sure you have a Service User with a Key. (For more detailed informations ab ## Authenticating a service user In ZITADEL we use the `urn:ietf:params:oauth:grant-type:jwt-bearer` (**“JWT bearer token with private key”**, [RFC7523](https://tools.ietf.org/html/rfc7523)) authorization grant for this non-interactive authentication. -This is already described in the [Service User](serviceusers.md), so make sure you follow this guide. +This is already described in the [Service User](./serviceusers), so make sure you follow this guide. ### Request an OAuth token, with audience for ZITADEL diff --git a/docs/docs/guides/integrate/serviceusers.md b/docs/docs/guides/integrate/private-key-jwt.md similarity index 99% rename from docs/docs/guides/integrate/serviceusers.md rename to docs/docs/guides/integrate/private-key-jwt.md index 278e4d9083..a02f48b376 100644 --- a/docs/docs/guides/integrate/serviceusers.md +++ b/docs/docs/guides/integrate/private-key-jwt.md @@ -1,5 +1,5 @@ --- -title: Service Users +title: Private Key JWT --- This is a guide on how to create service users in ZITADEL. You can read more about users [here](/concepts/structure/users.md). diff --git a/docs/docs/support/advisory/a10000.md b/docs/docs/support/advisory/a10000.md new file mode 100644 index 0000000000..9943bcc307 --- /dev/null +++ b/docs/docs/support/advisory/a10000.md @@ -0,0 +1,26 @@ +--- +title: Technical Advisory 10000 +--- + +## Description + +Currently, by default, users are directed to the "Select Account Page" on the ZITADEL login. +However, this can be modified by including a [prompt or a login hint](/docs/apis/openidoauth/endpoints#additional-parameters) in the authentication request. + +As a result of this default behavior, users who already have an active session in one application and wish to log in to a second one will need to select their user account, even if no other session is active. + +To address this, we are going to change this behavior so that users will be automatically authenticated when logging into a second application, as long as they only have one active session. + +## Statement + +This behaviour change is tracked in the following issue: [Reuse current session if no prompt is selected ](https://github.com/zitadel/zitadel/issues/4841) +As soon as the release version is published, we will include the version here. + +## Mitigation + +If you want to prompt users to always select their account on purpose, please make sure to include the `select_account` [prompt](/docs/apis/openidoauth/endpoints#additional-parameters) in your authentication request. + +## Impact + +Once this update has been released and deployed, your users will be automatically authenticated +No action will be required on your part if this is the intended behavior. diff --git a/docs/docs/support/technical_advisory.mdx b/docs/docs/support/technical_advisory.mdx new file mode 100644 index 0000000000..c866c32934 --- /dev/null +++ b/docs/docs/support/technical_advisory.mdx @@ -0,0 +1,39 @@ +--- +title: Technical Advisory +--- + +Technical advisories are notices that report major issues with ZITADEL Self-Hosted or the ZITADEL Cloud platform that could potentially impact security or stability in production environments. +These advisories may include details about the nature of the issue, its potential impact, and recommended mitigation actions. + +Users are strongly encouraged to evaluate these advisories and consider the recommended mitigation actions independently from their version upgrade schedule. +We understand that these advisories may include breaking changes, and we aim to provide clear guidance on how to address these changes. + + + + + + + + + + + + + + + + + + + +
AdvisoryNameTypeSummaryAffected versionsDate
A-10000Reusing user sessionBreaking Behaviour ChangeThe default behavior for users logging in is to be directed to the Select Account Page on the Login. With the upcoming changes, users will be automatically authenticated when logging into a second application, as long as they only have one active session. No action is required on your part if this is the intended behavior.TBDTBD
+ +## Categories + +### Breaking Behaviour Change + +A breaking behavior change refers to a modification or update that changes the behavior of ZITADEL. +This change does not necessarily affect the APIs or any functions you are calling, so it may not require an update to your code. +However, if you rely on specific results or behaviors, they may no longer be guaranteed after the change is implemented. +Therefore, it is important to be aware of breaking behavior changes and their potential impact on your use of ZITADEL, and to take appropriate action if needed to ensure continued functionality. + diff --git a/docs/sidebars.js b/docs/sidebars.js index 2d7bc5578d..ca0250612e 100644 --- a/docs/sidebars.js +++ b/docs/sidebars.js @@ -175,9 +175,16 @@ module.exports = { { type: "category", label: "Authenticate Service Users", + link: { + type: "generated-index", + title: "Authenticate Service Users", + slug: "/guides/integrate/serviceusers", + description: + "How to authenticate service users", + }, collapsed: true, items: [ - "guides/integrate/serviceusers", + "guides/integrate/private-key-jwt", "guides/integrate/client-credentials", "guides/integrate/pat", ], @@ -303,6 +310,21 @@ module.exports = { collapsed: true, items: [ "support/troubleshooting", + { + type: 'category', + label: "Technical Advisory", + link: { + type: 'doc', + id: 'support/technical_advisory', + }, + collapsed: true, + items: [ + { + type: 'autogenerated', + dirName: 'support/advisory', + }, + ], + }, { type: "category", label: "Trainings", diff --git a/docs/static/img/concepts/objects/instances.png b/docs/static/img/concepts/objects/instances.png new file mode 100644 index 0000000000..6ab053a1e1 Binary files /dev/null and b/docs/static/img/concepts/objects/instances.png differ