feat: complete dynamic domain handling (#3482)

* feat: dynamic issuer * feat: default language from context * remove zitadel docs from defaults * remove ConsoleOverwriteDir * remove notification endpoints from defaults * custom domains in emails * remove (external) domain * external domain completely removed, console handling fixed * fix test * fix defaults.yaml
2025-08-11 21:27:42 +00:00 · 2022-04-25 11:16:36 +02:00
parent 75ec73ca4a
commit 2c4799c223
97 changed files with 478 additions and 381 deletions
--- a/cmd/admin/setup/03.go
+++ b/cmd/admin/setup/03.go
@@ -23,8 +23,8 @@ type DefaultInstance struct {
 	domain            string
 	defaults          systemdefaults.SystemDefaults
 	zitadelRoles      []authz.RoleMapping
-	baseURL           string
 	externalSecure    bool
+	externalPort      uint16
 }

 func (mig *DefaultInstance) Execute(ctx context.Context) error {
@@ -47,6 +47,8 @@ func (mig *DefaultInstance) Execute(ctx context.Context) error {
 		nil,
 		nil,
 		nil,
+		mig.externalSecure,
+		mig.externalPort,
 		nil,
 		nil,
 		nil,
@@ -60,7 +62,7 @@ func (mig *DefaultInstance) Execute(ctx context.Context) error {
 	}
 	ctx = authz.WithRequestedDomain(ctx, mig.domain)

-	_, _, err = cmd.SetUpInstance(ctx, &mig.InstanceSetup, mig.externalSecure, mig.baseURL)
+	_, _, err = cmd.SetUpInstance(ctx, &mig.InstanceSetup, mig.externalSecure)
 	return err
 }

--- a/cmd/admin/setup/config.go
+++ b/cmd/admin/setup/config.go
@@ -4,11 +4,11 @@ import (
 	"bytes"

 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/command"
 	"github.com/mitchellh/mapstructure"
 	"github.com/spf13/viper"

 	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/command"
 	"github.com/caos/zitadel/internal/config/hook"
 	"github.com/caos/zitadel/internal/config/systemdefaults"
 	"github.com/caos/zitadel/internal/crypto"
@@ -20,7 +20,6 @@ type Config struct {
 	SystemDefaults  systemdefaults.SystemDefaults
 	InternalAuthZ   authz.Config
 	ExternalPort    uint16
-	ExternalDomain  string
 	ExternalSecure  bool
 	Log             *logging.Config
 	EncryptionKeys  *encryptionKeyConfig
--- a/cmd/admin/setup/setup.go
+++ b/cmd/admin/setup/setup.go
@@ -10,7 +10,6 @@ import (
 	"github.com/spf13/viper"

 	"github.com/caos/zitadel/cmd/admin/key"
-	http_util "github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/database"
 	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/migration"
@@ -59,18 +58,18 @@ func Setup(config *Config, steps *Steps, masterKey string) {

 	steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address = strings.TrimSpace(steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address)
 	if steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address == "" {
-		steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address = "admin@" + config.ExternalDomain
+		steps.S3DefaultInstance.InstanceSetup.Org.Human.Email.Address = "admin@" + instanceSetup.CustomDomain
 	}

 	steps.S3DefaultInstance.es = eventstoreClient
 	steps.S3DefaultInstance.db = dbClient
 	steps.S3DefaultInstance.defaults = config.SystemDefaults
 	steps.S3DefaultInstance.masterKey = masterKey
-	steps.S3DefaultInstance.domain = config.ExternalDomain
+	steps.S3DefaultInstance.domain = instanceSetup.CustomDomain
 	steps.S3DefaultInstance.zitadelRoles = config.InternalAuthZ.RolePermissionMappings
 	steps.S3DefaultInstance.userEncryptionKey = config.EncryptionKeys.User
 	steps.S3DefaultInstance.externalSecure = config.ExternalSecure
-	steps.S3DefaultInstance.baseURL = http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
+	steps.S3DefaultInstance.externalPort = config.ExternalPort

 	ctx := context.Background()
 	err = migration.Migrate(ctx, eventstoreClient, steps.s1ProjectionTable)
--- a/cmd/admin/start/config.go
+++ b/cmd/admin/start/config.go
@@ -28,7 +28,6 @@ type Config struct {
 	Log             *logging.Config
 	Port            uint16
 	ExternalPort    uint16
-	ExternalDomain  string
 	ExternalSecure  bool
 	HTTP2HostHeader string
 	HTTP1HostHeader string
--- a/cmd/admin/start/start.go
+++ b/cmd/admin/start/start.go
@@ -29,7 +29,6 @@ import (
 	"github.com/caos/zitadel/internal/api/grpc/auth"
 	"github.com/caos/zitadel/internal/api/grpc/management"
 	"github.com/caos/zitadel/internal/api/grpc/system"
-	http_util "github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/api/oidc"
 	"github.com/caos/zitadel/internal/api/ui/console"
@@ -112,12 +111,28 @@ func startZitadel(config *Config, masterKey string) error {
 		DisplayName:    config.WebAuthNName,
 		ExternalSecure: config.ExternalSecure,
 	}
-	commands, err := command.StartCommands(eventstoreClient, config.SystemDefaults, config.InternalAuthZ.RolePermissionMappings, storage, authZRepo, webAuthNConfig, keys.IDPConfig, keys.OTP, keys.SMTP, keys.SMS, keys.User, keys.DomainVerification, keys.OIDC)
+	commands, err := command.StartCommands(
+		eventstoreClient,
+		config.SystemDefaults,
+		config.InternalAuthZ.RolePermissionMappings,
+		storage,
+		authZRepo,
+		webAuthNConfig,
+		config.ExternalSecure,
+		config.ExternalPort,
+		keys.IDPConfig,
+		keys.OTP,
+		keys.SMTP,
+		keys.SMS,
+		keys.User,
+		keys.DomainVerification,
+		keys.OIDC,
+	)
 	if err != nil {
 		return fmt.Errorf("cannot start commands: %w", err)
 	}

-	notification.Start(config.Notification, config.SystemDefaults, commands, queries, dbClient, assets.HandlerPrefix, keys.User, keys.SMTP, keys.SMS)
+	notification.Start(config.Notification, config.ExternalPort, config.ExternalSecure, commands, queries, dbClient, assets.HandlerPrefix, keys.User, keys.SMTP, keys.SMS)

 	router := mux.NewRouter()
 	err = startAPIs(ctx, router, commands, queries, eventstoreClient, dbClient, config, storage, authZRepo, keys)
@@ -146,16 +161,16 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	if err != nil {
 		return fmt.Errorf("error starting admin repo: %w", err)
 	}
-	if err := authenticatedAPIs.RegisterServer(ctx, system.CreateServer(commands, queries, adminRepo, config.DefaultInstance, config.ExternalPort, config.ExternalDomain, config.ExternalSecure)); err != nil {
+	if err := authenticatedAPIs.RegisterServer(ctx, system.CreateServer(commands, queries, adminRepo, config.DefaultInstance, config.ExternalSecure)); err != nil {
 		return err
 	}
-	if err := authenticatedAPIs.RegisterServer(ctx, admin.CreateServer(commands, queries, adminRepo, config.SystemDefaults.Domain, assets.HandlerPrefix, keys.User)); err != nil {
+	if err := authenticatedAPIs.RegisterServer(ctx, admin.CreateServer(commands, queries, adminRepo, assets.HandlerPrefix, keys.User)); err != nil {
 		return err
 	}
-	if err := authenticatedAPIs.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, assets.HandlerPrefix, keys.User)); err != nil {
+	if err := authenticatedAPIs.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, assets.HandlerPrefix, keys.User, config.ExternalSecure, oidc.HandlerPrefix)); err != nil {
 		return err
 	}
-	if err := authenticatedAPIs.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, assets.HandlerPrefix, keys.User)); err != nil {
+	if err := authenticatedAPIs.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, assets.HandlerPrefix, keys.User, config.ExternalSecure)); err != nil {
 		return err
 	}

@@ -179,14 +194,13 @@ func startAPIs(ctx context.Context, router *mux.Router, commands *command.Comman
 	}
 	authenticatedAPIs.RegisterHandler(openapi.HandlerPrefix, openAPIHandler)

-	baseURL := http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure)
 	c, err := console.Start(config.Console, config.ExternalSecure, oidcProvider.IssuerFromRequest, instanceInterceptor.Handler)
 	if err != nil {
 		return fmt.Errorf("unable to start console: %w", err)
 	}
 	authenticatedAPIs.RegisterHandler(console.HandlerPrefix, c)

-	l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, config.SystemDefaults, console.HandlerPrefix+"/", config.ExternalDomain, baseURL, op.AuthCallbackURL(oidcProvider), config.ExternalSecure, userAgentInterceptor, op.NewIssuerInterceptor(oidcProvider.IssuerFromRequest).Handler, instanceInterceptor.Handler, keys.User, keys.IDPConfig, keys.CSRFCookieKey)
+	l, err := login.CreateLogin(config.Login, commands, queries, authRepo, store, console.HandlerPrefix+"/", op.AuthCallbackURL(oidcProvider), config.ExternalSecure, userAgentInterceptor, op.NewIssuerInterceptor(oidcProvider.IssuerFromRequest).Handler, instanceInterceptor.Handler, keys.User, keys.IDPConfig, keys.CSRFCookieKey)
 	if err != nil {
 		return fmt.Errorf("unable to start login: %w", err)
 	}
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -5,7 +5,6 @@ Log:

 Port: 8080
 ExternalPort: 8080
-ExternalDomain: localhost
 ExternalSecure: true
 HTTP2HostHeader: ":authority"
 HTTP1HostHeader: "host"
@@ -97,7 +96,6 @@ Login:
    SharedMaxAge: 168h #7d

 Console:
-  ConsoleOverwriteDir: ""
  ShortCache:
    MaxAge: 5m
    SharedMaxAge: 15m
@@ -138,25 +136,8 @@ EncryptionKeys:
  CSRFCookieKeyID: "csrfCookieKey"
  UserAgentCookieKeyID: "userAgentCookieKey"

-#TODO: configure as soon as possible
-#AssetStorage:
-#  Type: $ZITADEL_ASSET_STORAGE_TYPE
-#  Config:
-#    Endpoint: $ZITADEL_ASSET_STORAGE_ENDPOINT
-#    AccessKeyID: $ZITADEL_ASSET_STORAGE_ACCESS_KEY_ID
-#    SecretAccessKey: $ZITADEL_ASSET_STORAGE_SECRET_ACCESS_KEY
-#    SSL: $ZITADEL_ASSET_STORAGE_SSL
-#    Location: $ZITADEL_ASSET_STORAGE_LOCATION
-#    BucketPrefix: $ZITADEL_ASSET_STORAGE_BUCKET_PREFIX
-#    MultiDelete: $ZITADEL_ASSET_STORAGE_MULTI_DELETE
-
 #TODO: remove as soon as possible
 SystemDefaults:
-  #  DefaultLanguage: 'en'
-  Domain: $ZITADEL_DEFAULT_DOMAIN
-  ZitadelDocs:
-    Issuer: $ZITADEL_ISSUER
-    DiscoveryEndpoint: '$ZITADEL_ISSUER/.well-known/openid-configuration'
  SecretGenerators:
    PasswordSaltCost: 14
    MachineKeySize: 2048
@@ -172,19 +153,11 @@ SystemDefaults:
      IncludeDigits: true
      IncludeSymbols: false
  Notifications:
-    Endpoints:
-      InitCode: '$ZITADEL_ACCOUNTS/user/init?userID={{.UserID}}&code={{.Code}}&passwordset={{.PasswordSet}}'
-      PasswordReset: '$ZITADEL_ACCOUNTS/password/init?userID={{.UserID}}&code={{.Code}}'
-      VerifyEmail: '$ZITADEL_ACCOUNTS/mail/verification?userID={{.UserID}}&code={{.Code}}'
-      DomainClaimed: '$ZITADEL_ACCOUNTS/login'
-      PasswordlessRegistration: '$ZITADEL_ACCOUNTS/login/passwordless/init'
    FileSystemPath: '.notifications/'
  KeyConfig:
    Size: 2048
    PrivateKeyLifetime: 6h
    PublicKeyLifetime: 30h
-    SigningKeyRotationCheck: 10s
-    SigningKeyGracefulPeriod: 10m

 DefaultInstance:
  InstanceName: