feat: add otp name and make it configurable (#5631)

* feat: add otp name and make it configurable * feat: use pre-existing otp env var * feat: use requested domain if otp issuer is empty * cleanup --------- Co-authored-by: Sem den Broeder <semnelldenbroeder@gmail.com> Co-authored-by: Elio Bischof <eliobischof@gmail.com> Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-02-28 23:27:23 +00:00 · 2023-04-26 07:17:23 +02:00 · 2023-04-26 07:17:23 +02:00 · 19f2f83b61
commit 19f2f83b61
parent 923f691d77
2 changed files with 8 additions and 2 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@ -321,6 +321,8 @@ SystemDefaults:
    ApplicationKeySize: 2048
  Multifactors:
    OTP:
+      # If this is empty, the issuer is the requested domain
+      # This is helpful in scenarios with multiple ZITADEL environments or virtual instances
      Issuer: "ZITADEL"
  DomainVerification:
    VerificationGenerator:
--- a/internal/command/user_human_otp.go
+++ b/internal/command/user_human_otp.go
@ -5,6 +5,7 @@ import (

 	"github.com/zitadel/logging"

+	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	caos_errs "github.com/zitadel/zitadel/internal/errors"
@ -71,11 +72,14 @@ func (c *Commands) AddHumanOTP(ctx context.Context, userID, resourceowner string
 	if accountName == "" {
 		accountName = string(human.EmailAddress)
 	}
-	key, secret, err := domain.NewOTPKey(c.multifactors.OTP.Issuer, accountName, c.multifactors.OTP.CryptoMFA)
+	issuer := c.multifactors.OTP.Issuer
+	if issuer == "" {
+		issuer = authz.GetInstance(ctx).RequestedDomain()
+	}
+	key, secret, err := domain.NewOTPKey(issuer, accountName, c.multifactors.OTP.CryptoMFA)
 	if err != nil {
 		return nil, err
 	}
-
 	_, err = c.eventstore.Push(ctx, user.NewHumanOTPAddedEvent(ctx, userAgg, secret))
 	if err != nil {
 		return nil, err