TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-02-28 21:07:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: improve documentation for v2 release (#4046)

Browse Source 
* WIP: docs(proxy): describe proxy settings

* fix nginx

* refactor (docs): deploy and operate sections

* chore: ignore package-lock since we use yarn

* chore: update to rc1

* chore: broken links

* chore: update yarn

* docs: move disclaimer to bottom

* chore: fix broken links

* Update docs/docs/guides/operate/tls_modes.mdx

Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>

* test caddy files

* syntax highlight

* traefik example

* refactor: docs

* refactor

* working state

* got a working state

* remove bar

* mark rate limits for update

* remove zitadel.ch

* fix cases

* docs: zitadel quickstart

* docs: zitadel quickstart

* docs: create app and project

* docs: move customer portal docs to guides manage cloud

* docs: move customer portal docs to guides manage cloud

* docs: move customer portal docs to guides manage cloud

* docs: add help me choose in the quickstart

* docs: broken links

* fix broken links

* Update knative guide

* styling

* docs: support customer portal

* update to main instead v2-alpha

* use version 2 tag

* docs: images

* docs: move authentication and authorization guides to integrate

* docs: quickstart use examples

* docs: lb example

* fix broken link

* docs: update userinfo endpoints

* docs: update userinfo endpoints

* fix oidc endpoint

* docs: remove unused endpoints in app.module

Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com>
Co-authored-by: Livio Amstutz <livio.a@gmail.com>
This commit is contained in:
Florian Forster 2022-07-29 10:13:45 +02:00 committed by GitHub
parent fb52575f79
commit 3c3bce1a6b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
123 changed files with 3212 additions and 25673 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
console/src/app/app.module.ts
View File

@ -87,17 +87,7 @@ const authConfig: AuthConfig = {
CommonModule,
BrowserModule,
HeaderModule,
OAuthModule.forRoot({
resourceServer: {
allowedUrls: [
'https://test.api.zitadel.caos.ch/caos.zitadel.auth.api.v1.AuthService',
'https://test.api.zitadel.caos.ch/oauth/v2/userinfo',
'https://test.api.zitadel.caos.ch/caos.zitadel.management.api.v1.ManagementService/',
'https://preview.api.zitadel.caos.ch',
],
sendAccessToken: true,
},
}),
OAuthModule.forRoot(),
TranslateModule.forRoot({
loader: {
provide: TranslateLoader,

6
deploy/knative/zitadel-knative-service.yaml
View File

@ -7,7 +7,7 @@ spec:
template:
metadata:
annotations:
client.knative.dev/user-image: ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64
client.knative.dev/user-image: ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.43-amd64
creationTimestamp: null
spec:
containerConcurrency: 0
@ -28,7 +28,9 @@ spec:
value: 80
- name: ZITADEL_EXTERNALDOMAIN
value: zitadel.default.127.0.0.1.sslip.io
image: ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64
- name: ZITADEL_S3DEFAULTINSTANCE_CUSTOMDOMAIN
value: zitadel.default.127.0.0.1.sslip.io
image: ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.43-amd64
name: user-container
ports:
- containerPort: 8080

1
docs/.gitignore vendored
View File

@ -14,6 +14,7 @@
.env.development.local
.env.test.local
.env.production.local
package-lock.json
npm-debug.log*
yarn-debug.log*

6
docs/docs/apis/actions.md
View File

@ -11,7 +11,7 @@ Go to the [goja GitHub page](https://github.com/dop251/goja) for detailed refere
Actions do not have access to any libraries yet.
Also, sending HTTP requests is not supported yet.
[We plan to add such features in the future](https://zitadel.ch/roadmap).
[We plan to add such features in the future](https://zitadel.com/roadmap).
## Flows
@ -35,7 +35,7 @@ function doSomething(ctx, api){
```
ZITADEL supports only the external authentication flow at the moment.
[More flows are coming soon](https://zitadel.ch/roadmap).
[More flows are coming soon](https://zitadel.com/roadmap).
### External authentication flow triggers
@ -103,4 +103,4 @@ ZITADEL supports only the external authentication flow at the moment.
## Further reading
- [Actions concept](../concepts/features/actions)
- [Actions guide](../guides/customization/behavior)
- [Actions guide](../guides/manage/customize/behavior)

2
docs/docs/apis/openidoauth/scopes.md
View File

@ -24,7 +24,7 @@ In addition to the standard compliant scopes we utilize the following scopes.
| Scopes | Example | Description |
|:-------------------------------------------------|:-------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| urn:zitadel:iam:org:project:role:{rolename} | `urn:zitadel:iam:org:project:role:user` | By using this scope a client can request the claim urn:zitadel:iam:roles:rolename} to be asserted when possible. As an alternative approach you can enable all roles to be asserted from the [project](../../guides/basics/projects) a client belongs to. |
| urn:zitadel:iam:org:project:role:{rolename} | `urn:zitadel:iam:org:project:role:user` | By using this scope a client can request the claim urn:zitadel:iam:roles:rolename} to be asserted when possible. As an alternative approach you can enable all roles to be asserted from the [project](../../guides/manage/console/projects) a client belongs to. |
| urn:zitadel:iam:org:domain:primary:{domainname} | `urn:zitadel:iam:org:domain:primary:acme.ch` | When requesting this scope **ZITADEL** will enforce that the user is a member of the selected organization. If the organization does not exist a failure is displayed |
| urn:zitadel:iam:role:{rolename} | | |
| `urn:zitadel:iam:org:project:id:{projectid}:aud` | ZITADEL's Project id is `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested projectid will be added to the audience of the access and id token |

11
docs/docs/apis/ratelimits/api.md
View File

@ -1,9 +1,8 @@
---
title: API Endpoint Rate Limits
title: API Rate Limits
---
## api.zitadel.ch
<!-- //TODO Elio please update according to the current config -->
| Path | Description | Effective Limit |
|-----------------------------------------------------|--------------------------|----------------------------|
@ -13,9 +12,3 @@ title: API Endpoint Rate Limits
| /caos.zitadel.auth.api.v1.AuthService/* | | none |
| /management/v1/* | | 240 request per 1 min |
| /caos.zitadel.management.api.v1.ManagementService/* | | 240 request per 1 min |
## issuer.zitadel.ch
| Path | Description | Effective Limit |
|------|-----------------------------------------|-----------------|
| /* | Sum of all request to the issuer domain | none |

3
docs/docs/apis/ratelimits/accounts.md → docs/docs/apis/ratelimits/login.md
View File

@ -2,8 +2,7 @@
title: Login Rate Limits
---
## accounts.zitadel.ch
<!-- //TODO Elio please update according to the current config -->
| Path | Description | Effective Limit |
|---------------------|----------------------------------------|---------------------------|

4
docs/docs/concepts/features/actions.md
View File

@ -7,7 +7,7 @@ This is useful when you have special business requirements that ZITADEL doesn't
:::caution
ZITADEL actions is in an early development stage.
In the [roadmap](https://zitadel.ch/roadmap), you see how we are planning to expand and improve it.
In the [roadmap](https://zitadel.com/roadmap), you see how we are planning to expand and improve it.
Please tell us about your needs and help us prioritize further fixes and features.
:::
@ -34,5 +34,5 @@ Within the JavaScript code, you can read and manipulate the state.
## Further reading
- [Assign users a role after they register using an external identity provider](../../guides/customization/behavior)
- [Assign users a role after they register using an external identity provider](../../guides/manage/customize/behavior)
- [Actions reference](../../apis/actions)

2
docs/docs/concepts/structure/_instance_description.mdx
View File

@ -2,4 +2,4 @@ An instance is the top hierarchy in the ZITADEL.
Within an instance all the default [settings](/docs/concepts/structure/policies), such as branding, login policy, password policy, etc. for the system can be configured.
One instance normally runs on one domain and has one issuer. (e.g login.customer.com)
One instance can contain multiple [organizations](./organizations). Which can represent the own company or the customers.
One instance can contain multiple [organizations](/docs/concepts/structure/organizations). Which can represent the own company or the customers.

2
docs/docs/concepts/structure/_org_description.mdx
View File

@ -1,6 +1,6 @@
ZITADEL is organized around the idea that:
* Multiple organizations can be managed within one [instance](./instance).
* Multiple organizations can be managed within one [instance](/docs/concepts/structure/instance).
* organizations can grant each other rights to self-manage certain aspects of the IAM (eg, roles for access management)
* organizations are vessels for users and projects

2
docs/docs/concepts/structure/applications.md
View File

@ -19,4 +19,4 @@ As a fourth option there's the API (OAuth Resource Server), which generally has
Depending on the app type registered, there are small differences in the possible settings.
Please read the following guide about the
[different-client-profiles](../../guides/authorization/oauth-recommended-flows#different-client-profiles).
[different-client-profiles](../../guides/integrate/oauth-recommended-flows.md#different-client-profiles).

4
docs/docs/concepts/structure/policies.md
View File

@ -97,7 +97,7 @@ You can configure all kinds of external identity providers for identity brokerin
Create a new identity provider configuration and enable it in the list afterwards.
For a detailed guide about how to configure a new identity provider for identity brokering have a look at our guide:
[Identity Brokering](../../guides/authentication/identity-brokering)
[Identity Brokering](../../guides/integrate/identity-brokering)
## Domain policy
@ -105,7 +105,7 @@ In the domain policy you have two different settings.
One is the "user_login_must_be_domain", by setting this all the users within an organisation will be suffixed with the domain of the organisation.
The second is "validate_org_domains" if this is set to true all created domains on an organisation must be verified per acme challenge.
More about how to verify a domain [here](../../guides/basics/organizations#domain-verification-and-primary-domain).
More about how to verify a domain [here](../../guides/manage/console/organizations#domain-verification-and-primary-domain).
If it is set to false, all registered domain will automatically be created as verified and the users will be able to use the domain for login.
## Branding

4
docs/docs/concepts/structure/projects.md
View File

@ -10,7 +10,7 @@ import ProjectDescription from './_project_description.mdx';
## Project Settings
On default the login screen will be shown in the private labeling settings of the system (e.g zitadel.ch).
On default the login screen will be shown in the private labeling settings of the system.
With the [primary domain scope](../../apis/openidoauth/scopes#reserves-scopes) it is possible to trigger the setting of the given organization.
But this will also restrict, the login to user of the given organization.
@ -18,7 +18,7 @@ With the private labeling setting it is possible to choose which settings should
| Setting | Description |
| --- | --- |
| Unspecified | If nothing is specified the default will trigger. (System settings zitadel.ch) |
| Unspecified | If nothing is specified the default will trigger. (System settings) |
| Enforce project resource owner policy | This setting will enforce the private labeling of the organization (resource owner) of the project through the whole login process. |
| Allow Login User resource owner policy | With this setting first the private labeling of the organization (resource owner) of the project will trigger. As soon as the user and its organization (resource owner) is identified by ZITADEL, the settings will change to the organization of the user. |

2
docs/docs/concepts/usecases/saas.md
View File

@ -67,5 +67,5 @@ If the setting is set to `Ensure Project Resource Owner Setting`, the private la
The last possibility is to show the private labeling of the project organization and as soon as the user is identitfied the user organization settings will be triggered.
For this the Allow User Resource Owner Setting should be set.
:::note
More about [Private Labeling](../../guides/customization/branding)
More about [Private Labeling](../../guides/manage/customize/branding)
:::

118
docs/docs/examples/call-zitadel-api/dot-net.md Normal file
View File

@ -0,0 +1,118 @@
---
title: .NET
---
This integration guide shows you how to integrate **ZITADEL** into your .NET application.
It demonstrates how to fetch some data from the ZITADEL management API.
At the end of the guide you should have an application able to read the details of your organization.
If you need any other information about the .NET SDK go to the [documentation](https://caos.github.io/zitadel-net/) of the SDK itself.
## Prerequisites
The client [SDK](https://github.com/zitadel/zitadel-net) will handle all necessary OAuth 2.0 requests and send the required headers to the ZITADEL API.
All that is required, is a service account with an Org Owner (or another role, depending on the needed api requests) role assigned and its key JSON.
However, we recommend you read the guide on [how to access ZITADEL API](../../guides/integrate/access-zitadel-apis) and the associated guides for a basic knowledge of :
- [Recommended Authorization Flows](../../guides/integrate/oauth-recommended-flows.md)
- [Service Users](../../guides/integrate/serviceusers.md)
> Be sure to have a valid key JSON and that its service account is either ORG_OWNER or at least ORG_OWNER_VIEWER before you continue with this guide.
## .NET Setup
### Create a .NET application
Use the IDE of your choice or the command line to create a new application.
```bash
dotnet new web
```
### Install the package
Install the package via nuget
```bash
dotnet add package Zitadel.Api
```
### Create example client
Change the program.cs file to the content below. This will create a client for the management api and call its `GetMyUsers` function.
The SDK will make sure you will have access to the API by retrieving a Bearer Token using JWT Profile with the provided scopes (`openid` and `urn:zitadel:iam:org:project:id:{projectID}:aud`).
Make sure to fill the const `apiUrl`, `apiProject` and `personalAccessToken` with your own instance data. The used vars below are from a test instance, to show you how it should look.
The apiURL is the domain of your instance you can find it on the instance detail in the Customer Portal or in the Console
The apiProject you will find in the ZITADEL project in the first organization of your instance.
```csharp
// This file contains two examples:
// 1. An example with a service account "personal access token" to access the ZITADEL API.
// 2. An example with a service account "jwt profile key" to access the ZITADEL API.
using Zitadel.Api;
using Zitadel.Credentials;
const string apiUrl = "https://zitadel-libraries-l8boqa.zitadel.cloud";
const string personalAccessToken = "ge85fvmgTX4XAhjpF0XGpelB2vn9LZanJaqmUQDuf7iTpKVowb44LFl-86pqY2mfJCEoIOk";
// or create the token provider directly:
// new StaticTokenProvider(token)
var client = Clients.AuthService(new(apiUrl, ITokenProvider.Static(personalAccessToken)));
var result = await client.GetMyUserAsync(new());
Console.WriteLine($"User: {result.User}");
const string apiProject = "170078979166961921";
var serviceAccount = ServiceAccount.LoadFromJsonString(
@"
{
""type"": ""serviceaccount"",
""keyId"": ""170084658355110145"",
""key"": ""-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAnQisbU4FuLmjLR9I2Q01Rm9Mx6WySat2mbxgmOzu04oXuESI\nyS+RkiimdN0khjqouBftYqtVes7yngMLq3E8hMCwv/kLE+YeXphZXnn8tps8M2gV\n7S//uCp9LooK9qeh0lSkOqIsh0atj/l7NAHFxnhuNhfmn8XIYJNLVNSj5yzTri5E\nSn92SAsUQLSONgr7IEmIjcuPtYeU0iLvVno52ljZHnPX2WJ0HEZv44nZpkR4qBfv\n3hJzNx7sd4TdPGHHugJD8jdG/X4bAxwL5XGHZu18cUVM5RerSMpFQHSuIGgpKmK4\nWlM1AJGeut6EX/SrCxUDvhyOnXAgqhunTUmi6QIDAQABAoIBAHn7y92Y1y743X3m\nqHMbJIBTYyRPXaCGljm0MKF6o8clpWlZq5wE3KLZ+vwa8Q1oMbnXtGqKR3t/mM4P\n9Ze2/djtyh9GOUm632qCFCIkxp+fFPOl7ipyt8V7FAT77KpP6490eqKlacunppmJ\nph/vJJAY6xwQEvGX9SC4KrN5/txLKXbVtR3V2RXy9sxbbL4cpnklmRBMeXQkpwEM\nTKELUr5Rmhg9KvS3yALgVv0dIRtOA8Z995R234hXfY0St48YEvZtsxeme47u2CVl\nHJcVH4aa9Sw6XlgAEQBxqbQHpcLvUIu3XempO7VfGklWE6OlGuEcnUWpJCD8jMZW\nPYtt9LUCgYEAwi8josS3Iyto+DMJjJKCw175N2cmFMxBGu9Rw4aHjTiN57z7AUkn\nbmT44WnSmc1bCLC+nMB34vhiEyBKXYrH7zgbeMO8QDG3aO6gXdod/IdsieZR8E3b\ngUA1wtZYyRbc7eo8U4Nqkv1NXVRuDJkz/Mfoy+m1BVKcW7YeZaaZN9MCgYEAzwYB\n/LAiJoyx5UPwuieizlT7kHI7uvZRo4oLx+cZipNCJ0NGKgX4l1NIYLaNDbCoT9N0\nylico+kn+nihzDmD6SjY2hHGSIHk7AnJOcW+Bk5TfsYb8clxfgX40udLMIS0F13R\nrJt0gD9x0O3AZv4MV9cSI0/Md0tbWePgrLI44NMCgYEAojj7TlmEnY8AbIlGqvci\n4tCO5qf3elyA712LMwtKZsIeWsDX+OUCWglkmfvsAq06JfJx60YnYagbVtsdBTSR\nftmiqarrs71U+gaQVpeHgZYpKLMPNO/2Nu5Le2/SUHwXKXML3sDk4dNXNGb6YPAE\nLGNdqiyeG8o98agdkNIzIh0CgYEAlTGhMPfGRL3UXoNN8vopjEUWXozUmvJ090S/\nJLtZXtKtNBp5cEOJWZT9biVhFeKgCZc8ba7ahA29b/aLs+AnPlrfnJh+qzZhQfHz\ngJ0PSwAbkBs5fFBOaCHppiRlvXuFRemo95m4pcwTPBx7Mj4Xqx4lxij2E2rNVMSy\n4AI4l10CgYBwefqXt8B+D+0EvmhyHk19Tk8/fPelclJUv/IVI59c0F9UMAA2rD1U\nNW6k9251OGU7mQkztluNvl13qtAW/DveOjkFeDJIMzhFjravpLQXhUK4ETnM44YL\nFbClVGJaHYSHgOkNpcN5lYVLoyEvzv9rEPwBqpZRVnwWj6L+/I2L5Q==\n-----END RSA PRIVATE KEY-----\n"",
""userId"": ""170079991923474689""
}");
client = Clients.AuthService(
new(
apiUrl,
ITokenProvider.ServiceAccount(
serviceAccount,
apiUrl,
apiProject)));
result = await client.GetMyUserAsync(new());
Console.WriteLine($"User: {result.User}");
```
### Test client
After you have configured everything correctly, you can simply start the example by:
```bash
dotnet run
```
This will output something similar to:
```
User: {"FirstName": "MyName", "LastName": "MyLastName" ... }
```
## Completion
You have successfully used the ZITADEL .NET SDK to call the auth API!
To use the auth API you will not need a specific role, because only an authenticated user is needed.
For accessing the admin or management API the user will need some specific roles.
If you encountered an error (e.g. `code = PermissionDenied desc = No matching permissions found`),
ensure your service user has the required permissions by assigning the `ORG_OWNER` or `ORG_OWNER_VIEWER` role
and check the mentioned [guides](#prerequisites) at the beginning.
If you've run into any other problem, don't hesitate to contact us or raise an issue on [ZITADEL](https://github.com/zitadel/zitadel/issues) or in the [SDK](https://github.com/zitadel/zitadel-go/issues).
### Whats next?
Now you can proceed implementing our APIs by adding more calls.
Checkout more [examples from the SDK](https://github.com/zitadel/zitadel-go/blob/main/example) or refer to our [API Docs](../../apis/introduction).
> This guide will be updated soon to show you how to use the SDK for your own API as well.

65
docs/docs/quickstarts/call-zitadel-api/go.md → docs/docs/examples/call-zitadel-api/go.md
View File

@ -12,9 +12,9 @@ At the end of the guide you should have an application able to read the details
The client [SDK](https://github.com/zitadel/zitadel-go) will handle all necessary OAuth 2.0 requests and send the required headers to the ZITADEL API using our [OIDC client library](https://github.com/zitadel/oidc).
All that is required, is a service account with an Org Owner (or another role, depending on the needed api requests) role assigned and its key JSON.
However, we recommend you read the guide on [how to access ZITADEL API](../../guides/api/access-zitadel-apis) and the associated guides for a basic knowledge of :
- [Recommended Authorization Flows](../../guides/authorization/oauth-recommended-flows)
- [Service Users](../../guides/authentication/serviceusers)
However, we recommend you read the guide on [how to access ZITADEL API](../../guides/integrate/access-zitadel-apis) and the associated guides for a basic knowledge of :
- [Recommended Authorization Flows](../../guides/integrate/oauth-recommended-flows.md)
- [Service Users](../../guides/integrate/serviceusers.md)
> Be sure to have a valid key JSON and that its service account is either ORG_OWNER or at least ORG_OWNER_VIEWER before you continue with this guide.
@ -25,34 +25,49 @@ However, we recommend you read the guide on [how to access ZITADEL API](../../gu
You need to add the SDK into Go Modules by:
```bash
go get github.com/zitadel/zitadel-go
go get github.com/zitadel/zitadel-go/v2
```
### Create example client
Create a new go file with the content below. This will create a client for the management api and call its `GetMyOrg` function.
The SDK will make sure you will have access to the API by retrieving a Bearer Token using JWT Profile with the provided scopes (`openid` and `urn:zitadel:iam:org:project:id:69234237810729019:aud`).
The SDK will make sure you will have access to the API by retrieving a Bearer Token using JWT Profile with the provided scopes (`openid` and `urn:zitadel:iam:org:project:id:{projectID}:aud`).
Make sure to fill the vars `issuer`, `api`, `projectID `and `orgID`
The issuer and api is the domain of your instance you can find it on the instance detail in the ZITADEL Cloud Customer Portal or in the ZITADEL Console.
The projectID you will find in the ZITADEL project in the first organization of your instance and the orgID on the first organization.
```go
package main
import (
"context"
"log"
"github.com/zitadel/oidc/pkg/oidc"
"github.com/zitadel/zitadel-go/pkg/client/management"
"github.com/zitadel/zitadel-go/pkg/client/middleware"
"github.com/zitadel/zitadel-go/pkg/client/zitadel"
pb "github.com/zitadel/zitadel-go/pkg/client/zitadel/management"
"context"
"flag"
"log"
"github.com/zitadel/oidc/pkg/oidc"
"github.com/zitadel/zitadel-go/v2/pkg/client/management"
"github.com/zitadel/zitadel-go/v2/pkg/client/middleware"
"github.com/zitadel/zitadel-go/v2/pkg/client/zitadel"
pb "github.com/zitadel/zitadel-go/v2/pkg/client/zitadel/management"
)
var (
issuer = flag.String("issuer", "", "issuer of your ZITADEL instance (in the form: https://<instance>.zitadel.cloud or https://<yourdomain>)")
api = flag.String("api", "", "gRPC endpoint of your ZITADEL instance (in the form: <instance>.zitadel.cloud:443 or <yourdomain>:443)")
projectID = flag.String("projectID", "", "ZITADEL projectID in your instance")
orgID = flag.String("orgID", "", "orgID to set for overwrite example")
)
func main() {
flag.Parse()
client, err := management.NewClient(
[]string{oidc.ScopeOpenID, zitadel.ScopeZitadelAPI()},
)
*issuer,
*api,
[]string{oidc.ScopeOpenID, zitadel.ScopeProjectID(*projectID)},
)
if err != nil {
log.Fatalln("could not create client", err)
}
@ -64,12 +79,18 @@ func main() {
}()
ctx := context.Background()
resp, err := client.GetMyOrg(ctx, &pb.GetMyOrgRequest{})
if err != nil {
log.Fatalln("call failed: ", err)
}
log.Printf("%s was created on: %s", resp.Org.Name, resp.Org.Details.CreationDate.AsTime())
}
respOverwrite, err := client.GetMyOrg(middleware.SetOrgID(ctx, *orgID), &pb.GetMyOrgRequest{})
if err != nil {
log.Fatalln("call failed: ", err)
}
log.Printf("%s was created on: %s", respOverwrite.Org.Name, respOverwrite.Org.Details.CreationDate.AsTime())
```
#### Key JSON
@ -91,16 +112,6 @@ client, err := management.NewClient(
)
```
#### Custom ZITADEL instance
If your client will not use ZITADEL Cloud (zitadel.ch), be sure to provide the correct values for the ZITADEL ProjectID, Issuer and API options:
```go
client, err := management.NewClient(
[]string{oidc.ScopeOpenID, zitadel.ScopeProjectID("ZITADEL-ProjectID")},
zitadel.WithCustomURL("https://issuer.custom.ch", "api.custom.ch:443")
)
```
### Test client
After you have configured everything correctly, you can simply start the example by:

8
docs/docs/quickstarts/identity-proxy/oauth2-proxy.md → docs/docs/examples/identity-proxy/oauth2-proxy.md
View File

@ -2,14 +2,16 @@
title: OAuth 2.0 Proxy
---
<!-- //TODO Florian update this to zitadel.cloud-->
[OAuth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a project which allows services to delegate the authentication flow to a IDP, for example **ZITADEL**
## Configure Zitadel
## Configure ZITADEL
### Setup Application and get Keys
Before we can start building our application we have do do a few configuration steps in ZITADEL Console.
You will need to provide some information about your app. We recommend creating a new app to start from scratch. Navigate to your [Project](https://console.zitadel.ch/projects) and add a new application at the top of the page.
You will need to provide some information about your app. We recommend creating a new app to start from scratch. Navigate to your project and add a new application at the top of the page.
Select Web Application and continue.
We recommend that you use [Authorization Code](../../apis/openidoauth/grant-types#authorization-code) for the OAuth 2.0 Proxy.
@ -41,7 +43,7 @@ provider = "oidc"
user_id_claim = "sub" #uses the subject as ID instead of the email
provider_display_name = "ZITADEL"
redirect_url = "http://127.0.0.1:4180/oauth2/callback"
oidc_issuer_url = "https://issuer.zitadel.ch"
oidc_issuer_url = "https://{your_domain}.zitadel.cloud"
upstreams = [
"https://example.corp.com"
]

8
docs/docs/quickstarts/introduction.mdx → docs/docs/examples/introduction.mdx
View File

@ -11,10 +11,10 @@ Get started with ZITADEL quickly by reading a quickstart or by cloning an exampl
<Tabs>
<TabItem value="app" label="Web · Native applications" default>
<CardWrapper>
<Card link="/docs/quickstarts/login/angular" imageSource="/img/tech/angular.svg" title="Angular" description="Add the user login to your application and query some data from the userinfo endpoint" />
<Card link="/docs/quickstarts/login/react" imageSource="/img/tech/react.png" title="React" description="Logs into your application and queries some data from the userinfo endpoint" />
<Card link="/docs/quickstarts/login/flutter" imageSource="/img/tech/flutter.svg" title="Flutter" description="Mobile Application working for iOS and Android that authenticates your user." />
<Card link="/docs/quickstarts/login/nextjs" imageSource="/img/tech/nextjs.svg" title="NextJS" description="A simple application to log into your user account and query some data from User endpoint." />
<Card link="/docs/examples/login/angular" imageSource="/img/tech/angular.svg" title="Angular" description="Add the user login to your application and query some data from the userinfo endpoint" />
<Card link="/docs/examples/login/react" imageSource="/img/tech/react.png" title="React" description="Logs into your application and queries some data from the userinfo endpoint" />
<Card link="/docs/examples/login/flutter" imageSource="/img/tech/flutter.svg" title="Flutter" description="Mobile Application working for iOS and Android that authenticates your user." />
<Card link="/docs/examples/login/nextjs" imageSource="/img/tech/nextjs.svg" title="NextJS" description="A simple application to log into your user account and query some data from User endpoint." />
</CardWrapper>
</TabItem>
<TabItem value="backend" label="Backend · API">

0
docs/docs/quickstarts/libs.md → docs/docs/examples/libs.md
View File

0
docs/docs/quickstarts/login/angular.md → docs/docs/examples/login/angular.md
View File

4
docs/docs/quickstarts/login/flutter.md → docs/docs/examples/login/flutter.md
View File

@ -268,7 +268,7 @@ Future<void> _authenticate() async {
);
final userInfoResponse = await get(
Uri.parse('https://[your-instance].zitadel.cloud/oauth/v2/userinfo'),
Uri.parse('https://[your-instance].zitadel.cloud/oidc/v1/userinfo'),
headers: {
HttpHeaders.authorizationHeader: 'Bearer ${result.accessToken}',
HttpHeaders.acceptHeader: 'application/json; charset=UTF-8'
@ -333,7 +333,7 @@ class _MyHomePageState extends State<MyHomePage> {
);
final userInfoResponse = await get(
Uri.parse('https:/[your-domain]-[random-string].zitadel.cloud/oauth/v2/userinfo'), // replace with your instance
Uri.parse('https:/[your-domain]-[random-string].zitadel.cloud/oidc/v1/userinfo'), // replace with your instance
headers: {
HttpHeaders.authorizationHeader: 'Bearer ${result.accessToken}',
HttpHeaders.acceptHeader: 'application/json; charset=UTF-8'

0
docs/docs/quickstarts/login/nextjs.md → docs/docs/examples/login/nextjs.md
View File

0
docs/docs/quickstarts/login/react.md → docs/docs/examples/login/react.md
View File

0
docs/docs/quickstarts/secure-api/dot-net.md → docs/docs/examples/secure-api/dot-net.md
View File

28
docs/docs/quickstarts/secure-api/go.md → docs/docs/examples/secure-api/go.md
View File

@ -20,7 +20,7 @@ All that is required, is an API and its key JSON. But for complete
You need to add the SDK into Go Modules by:
```bash
go get github.com/zitadel/zitadel-go
go get github.com/zitadel/zitadel-go/v2
```
### Create example API
@ -29,22 +29,28 @@ Create a new go file with the content below. This will create an API with two en
back `ok` and the current timestamp. On `/protected` it will respond the same but only if a valid access_token is sent. The token
must not be expired and the API has to be part of the audience (either client_id or project_id).
Make sure to fill the var `issuer` with your own domain. This is the domain of your instance you can find it on the instance detail in the ZITADEL Cloud Customer Portal or in the ZITADEL Console.
```go
package main
import (
"flag"
"log"
"net/http"
"time"
api_mw "github.com/zitadel/zitadel-go/pkg/api/middleware"
http_mw "github.com/zitadel/zitadel-go/pkg/api/middleware/http"
"github.com/zitadel/zitadel-go/pkg/client"
"github.com/zitadel/zitadel-go/pkg/client/middleware"
http_mw "github.com/zitadel/zitadel-go/v2/pkg/api/middleware/http"
"github.com/zitadel/zitadel-go/v2/pkg/client/middleware"
)
var (
issuer = flag.String("issuer", "", "issuer of your ZITADEL instance (in the form: https://<instance>.zitadel.cloud or https://<yourdomain>)")
)
func main() {
introspection, err := http_mw.NewIntrospectionInterceptor(client.Issuer, middleware.OSKeyPath())
flag.Parse()
introspection, err := http_mw.NewIntrospectionInterceptor(*issuer, middleware.OSKeyPath())
if err != nil {
log.Fatal(err)
}
@ -82,16 +88,6 @@ introspection, err := http_mw.NewIntrospectionInterceptor(
)
```
#### Custom ZITADEL instance
If your client will not use ZITADEL Cloud (zitadel.ch), be sure to provide the correct Issuer:
```go
introspection, err := http_mw.NewIntrospectionInterceptor(
"https://issuer.custom.ch",
middleware.OSKeyPath(),
)
```
### Test API
After you have configured everything correctly, you can simply start the example by:

54
docs/docs/guides/basics/get-started.mdx
View File

@ -1,54 +0,0 @@
---
title: Get started
---
import Column from "../../../src/components/column";
Most applications need to know the identity of a user allowing to securely store user data in the cloud and provide the same personalised experience across all of the user's devices.
ZITADEL's authentication provides backend services, easy-to-use SDKs, and ready-made UI libraries to authenticate users in your application. It supports authentication using passwords and applies additional security with the help of a second factor, for example OTP, to ensure a safe and secure access.
It additionally leverages industry standards like OAuth 2.0 and OpenID Connect such that it can be easily integrated in your custom backend.
This provides a quick start guide on how to register your organization as well as creating your first project.
## Trying out ZITADEL on zitadel.cloud
1. Go to zitadel.cloud to create your first ZITADEL instance. If you already have a ZITADEL instance sign in with your Customer Portal user.already
2. Enter all the data for your instance
3. By clicking "Let's go" we will create a new instance in the "Free" tier, where you already get all the features
4. You will now get two different initialize emails. One is to verify the user for the Customer Portal and one for the first user in your ZITADEL instance
You can now use the Customer Portal and you are ready to configure your ZITADEL instance
![Customer Portal Landing Page](/img/manuals/portal/customer_portal_landing_page.png)
## Login to your instance
After you have initialized your first admin user of the new created ZITADEL instance. You can access the Instance Console, to manage all your resources.
Login with the user you have initialized.
![Console Landing Page](/img/console_dashboard.png)
### Elect Managers
ZITADEL allows you to give other users control over ZITADEL Console itself. This can be restricted to some kind of write and/or read. This can be especially useful for directing administration over several users. You can have managers able to edit project settings and others able to create/add users only.
Read the [guides](../overview) for more information.
> Note: ZITADEL Managers are always located on the right sidepanel of console.
### Integrating an application
After creating your project you can start integrating your applications.
After choosing your project add a client application on the top of the page.
The wizard should provide some guidance what client is the proper for you. If you are still unsure consult our [Guide Project](projects).
## Login to Customer Portal
Use your Customer Portal user to login to the ZITADEL Customer Portal.
Here you can manage all your different instances, subscriptions and billing data.
1. Click on the new created instance in the list
2. In the section Domains you can find the generated domain for your instanc
3. Click on the domain and you will be able to login
Find out more about the Customer Portal [here](/docs/manuals/customerportal/overview).

90
docs/docs/guides/basics/instance.mdx
View File

@ -1,90 +0,0 @@
---
title: Instance
---
| | |
| --- | --- |
| Description | Learn what an instance in ZITADEL is and what kind of configurations you are able to do. |
| Learning Outcomes | In this module you will: <ul><li>Learn about the instance</li><li>Create a new instance</li><li>Add a custom domain</li><li>configure some settings</li></ul> |
|Prerequisites|None|
## What is an instance?
import InstanceDescription from '../../concepts/structure/_instance_description.mdx';
import Column from '../../../src/components/column';
<InstanceDescription name="InstanceDescription" />
## Exercise - Create a new instance
The creation and management of an instance takes place in the Customer Portal.
To manage your existing instances you need login with your Customer Portal user. Be aware that this is not the same user as in the instance itself.
![Create new instance](/img/console_org_register.png)
## Exercise - Add a custom domain
1. Browse to your instance
2. Click **Add custom domain**
3. To start the domain verification click the domain name and a dialog will appear, where you can choose between DNS or HTTP challenge methods.
4. For example, create a TXT record with your DNS provider for the used domain and click verify. ZITADEL will then proceed an check your DNS.
5. When the verification is successful you have the option to activate the domain by clicking **Set as primary**
![Verify Domain](/img/console_verify_domain.gif)
> **_Please note:_** Do not delete the verification code, as ZITADEL Customer Portal will re-check the ownership of your domain from time to time
## Exercise - Change default settings of the instance
Redirect to your instance and login with your generated user ???
Go to the settings with the button at the top right of the header.
You will find all different kind of default settings here.
From password policy, to branding to texts of the login ui.
For this case we will change the branding.
Choose modify on the setting "branding".
You can switch between the light and the dark mode. Upload your logo and define the colors you like to have.
Make sure to click the button "apply configuration" after you are finish to trigger your settings.
## Knowledge Check
* Instance has to be configured in the Customer Portal
- [ ] yes
- [ ] no
* I can use the same user for the Customer Portal as for my created instance
- [ ] yes
- [ ] no
* I will find the default settings in the Customer Portal
- [ ] yes
- [ ] no
<details>
<summary>
Solutions
</summary>
* Users exist only within projects or clients
- [x] yes
- [ ] no
* I can use the same user for the Customer Portal as for my created instance
- [ ] yes
- [x] no (Due to separation of concern you will not be able to use the same user for both)
* I will find the default settings in the Customer Portal
- [ ] yes
- [x] no (The default settings are after login to you instance on the settings page)
</details>
## Summary
* Create your instance in the Customer Portal
* Verify your domain in the Customer Portal to improve user experience; remember to not delete the verification code to allow recheck of ownership
* You can manage all your default settings in the instance itself
Where to go from here:
* Create an organization
* Create a project
* Setup Passwordless MFA
* Manage ZITADEL Roles

114
docs/docs/guides/basics/projects.md
View File

@ -1,114 +0,0 @@
---
title: Projects
---
| | |
| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Description | Learn the basics about applications, roles and authorizations, and how projects allow you to group these together. |
| Learning Outcomes | In this module you will: <ul><li>Learn about projects and granted projects</li><li>Create a new project</li><li>Creating simple roles and authorizations</li><li>Create an organization grant for your project</li></ul> |
| Prerequisites | <ul><li>ZITADEL organizations</li><li>Role Based Access Management (RBAC)</li></ul> |
## What is a project?
import ProjectDescription from '../../concepts/structure/_project_description.mdx';
<ProjectDescription name="ProjectDescription" />
The goal of this module is to give you an overview, but not dive too deep into details around managing access rights and delegating management of roles to third parties. So lets create a straightforward example project first.
## Exercise - Create a simple project
Visit <https://console.zitadel.ch/projects> or select “Projects” within your organization, then click the button to create a new project.
![Empty Project](/img/console_projects_empty.png)
Enter the name “ My first project” and continue.
Lets make this more interesting and add some basic roles and authorizations to your project and then confirm the scope of the roles and authorizations.
Jump to the section ROLES and create two new roles with the following values
* Key: reader
* Display Name: Reader
* Group: user
and
* Key: editor
* Display Name: Editor
* Group: user
![Add New Roles](/img/console_projects_add_new_roles.gif)
Now, you can add roles to your own user, or you can create a new user. To create a new user, go to Users and click “New”. Enter the required contact details and save by clicking “Create”.
![Create new user](/img/console_users_create_new_user.gif)
To grant users certain roles, you need to create authorizations. Go back to the project, and jump to the section AUTHORIZATIONS.
![Verify your authorization](/img/console_projects_create_authorization.gif)
You can verify the role grant on the user. Select Users from the navigation menu and click on the user Coyote. Scroll down to the section AUTHORIZATION, there you should be able to verify that the user has the role reader for your project My first project.
![Organization grant](/img/console_projects_authorization_created.png)
Now create another project (eg. “My second project”) and verify that there are no roles or authorizations on your second project.
## What is a granted project?
import GrantedProjectDescription from '../../concepts/structure/_granted_project_description.mdx';
<GrantedProjectDescription name="GrantedProjectDescription" />
## Exercise - Grant a project
1. Visit the project that you have created before, then in the section GRANTED ORGANIZATIONS click New.
2. Enter the domain acme.caos.ch, search the organization and continue to the next step.
3. Select some roles you would like to grant to the organization ACME and confirm.
4. You should now see ACME-CAOS in the section GRANTED ORGANIZATIONS
![Grant a project](/img/projects_create_org_grant.gif)
## Knowledge Check (2)
* You can setup multiple projects within an organization to manage scope
- [ ] yes
- [ ] no
* Authorizations are define more detailed access rights within your application
- [ ] yes
- [ ] no
* Your projects as well as projects granted to your organization are visible within the Tab Projects of your organization
- [ ] yes
- [ ] no
<details>
<summary>
Solutions
</summary>
* You can setup multiple projects within an organization to manage scope
- [x] yes
- [ ] no
* Authorizations are define more detailed access rights within your application
- [ ] yes
- [x] no (Authorizations link users to certain roles)
* Your projects as well as projects granted to your organization are visible within the Tab Projects of your organization
- [ ] yes
- [x] no (Projects and Granted Projects are shown on different tabs)
</details>
## Summary (2)
* Manage scope of roles, authorizations and applications with projects
* Create and assign roles to users of your organization within your project
* Use project grants to enable other organizations to self-manage access rights (roles) to your applications
Where to go from here:
* Manage roles for your project
* Grant roles to other organizations or users
* Service Users
* Manage IAM Roles
* Setup a SaaS Application with granted projects (Learning Path)

0
docs/docs/guides/installation/run/_defaultuser.mdx → docs/docs/guides/deploy/_defaultuser.mdx
View File

8
docs/docs/guides/deploy/_disclaimer.mdx Normal file
View File

@ -0,0 +1,8 @@
## Disclaimer
This guide is for development / demonstration purpose only and does NOT reflect a production setup.
Things such as TLS termination and email verification will not be available unless you
- Use an API gateway with valid certificates in front of the service
- Configure an appropriate email server

4
docs/docs/guides/installation/run/_nextselfhosted.mdx → docs/docs/guides/deploy/_next.mdx
View File

@ -1,9 +1,9 @@
## What's next
For running a production grade ZITADEL instance in your environment, go on with the [configure ZITADEL](/docs/guides/installation/configure) section.
For running a production grade ZITADEL instance in your environment, go on with the [configure ZITADEL](/docs/guides/manage/self-hosted/configure) section.
:::caution
<!-- TODO: Better mark the link in the UI -->
The ZITADEL management console [requires end-to-end HTTP/2 support](/docs/guides/installation/http2-support)
The ZITADEL management console [requires end-to-end HTTP/2 support](/docs/guides/manage/self-hosted/http2)

13
docs/docs/guides/installation/run/_compose.mdx → docs/docs/guides/deploy/compose.mdx
View File

@ -1,5 +1,12 @@
---
title: Docker Compose
---
import CodeBlock from '@theme/CodeBlock';
import DockerComposeSource from '!!raw-loader!./docker-compose.yaml'
import Disclaimer from './_disclaimer.mdx'
import DefaultUser from './_defaultuser.mdx'
import Next from './_next.mdx'
The setup is tested against Docker version 20.10.17 and Docker Compose version v2.2.3
@ -11,8 +18,12 @@ By executing the commands below, you will download the following file:
```bash
# Download the docker compose example configuration. For example:
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/run/docker-compose.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/deploy/docker-compose.yaml
# Run the database and application containers
docker compose up --detach
```
<DefaultUser components={props.components} />
<Next components={props.components} />
<Disclaimer components={props.components} />

2
docs/docs/guides/installation/run/docker-compose.yaml → docs/docs/guides/deploy/docker-compose.yaml
View File

@ -5,7 +5,7 @@ services:
restart: 'always'
networks:
- 'zitadel'
image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64'
image: 'ghcr.io/zitadel/zitadel:v2.0.0-amd64'
command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled'
environment:
- 'ZITADEL_DATABASE_HOST=db'

53
docs/docs/guides/installation/run/_knative.mdx → docs/docs/guides/deploy/knative.mdx
View File

@ -1,41 +1,30 @@
## New Knative environment
### Download and run Knative quickstart
---
title: Knative
---
import Disclaimer from './_disclaimer.mdx'
import DefaultUser from './_defaultuser.mdx'
import Next from './_next.mdx'
## Install Knative
Follow the [Knative quickstart guide](https://knative.dev/docs/getting-started/quickstart-install/) to get a local kind/minikube environment with Knative capabilities.
It is basically 4 commands on Mac:
## Run CockroachDB
Start a single-node cockroachdb as statefulset
```bash
# Install knative
brew install knative/client/kn
# Install knative quickstart sandbox
brew install knative-sandbox/kn-plugins/quickstart
# Install kind
brew install kind
# Install quickstart cluster
kn quickstart kind
```
That will get you a ready to go knative/kubernetes environment.
## Database
start a single-node cockroachdb as statefulset
```bash
kubectl apply -f https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/deploy/knative/cockroachdb-statefulset-single-node.yaml
kubectl apply -f https://raw.githubusercontent.com/zitadel/zitadel/main/deploy/knative/cockroachdb-statefulset-single-node.yaml
```
## Start ZITADEL
## Start ZITADEL with Knative
Either use the kn binary...
### Knative Command
```bash
kn service create zitadel \
--image ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64 \
--image ghcr.io/zitadel/zitadel:v2.0.0-amd64 \
--port 8080 \
--env ZITADEL_DATABASE_HOST=cockroachdb \
--env ZITADEL_EXTERNALSECURE=false \
@ -45,15 +34,15 @@ kn service create zitadel \
--arg "start-from-init" --arg "--masterkey" --arg "MasterkeyNeedsToHave32Characters"
```
... or use the knative service yaml
### Knavite yaml
```bash
kubectl apply -f https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/deploy/knative/zitadel-knative-service.yaml
kubectl apply -f https://raw.githubusercontent.com/zitadel/zitadel/main/deploy/knative/zitadel-knative-service.yaml
```
## Get started with ZITADEL
## Access ZITADEL
Get ZITADEL URL
### Get the ZITADEL URL
```bash
kn services list
@ -70,3 +59,5 @@ If you didn't configure something else, this is the default IAM admin users logi
* username: zitadel-admin@<span></span>zitadel.zitadel.default.127.0.0.1.sslip.io
* password: Password1!
<Next components={props.components} />
<Disclaimer components={props.components} />

31
docs/docs/guides/installation/run/_helm.mdx → docs/docs/guides/deploy/kubernetes.mdx
View File

@ -1,12 +1,26 @@
---
title: Kubernetes
---
import Disclaimer from './_disclaimer.mdx'
import DefaultUser from './_defaultuser.mdx'
import Next from './_next.mdx'
Installation and configuration details are described in the [open source ZITADEL charts repo](https://github.com/zitadel/zitadel-charts).
By default, the chart installs a secure and highly available ZITADEL instance.
For running an easily testable, insecure, non-HA ZITADEL instance, run the following commands.
```bash
# Add the helm repository
helm repo add zitadel https://charts.zitadel.com
## Helm
# Install an insecure zitadel release that works with localhost
### Add the helm repository
```bash
helm repo add zitadel https://charts.zitadel.com
```
### Install an insecure zitadel release that works with localhost
```bash
helm install --namespace zitadel --create-namespace my-zitadel zitadel/zitadel \
--set zitadel.masterkey="MasterkeyNeedsToHave32Characters" \
--set zitadel.configmapConfig.ExternalDomain="localhost" \
@ -15,7 +29,14 @@ helm install --namespace zitadel --create-namespace my-zitadel zitadel/zitadel \
--set replicaCount=1 \
--set cockroachdb.single-node=true \
--set cockroachdb.statefulset.replicas=1
```
# Forward the ZITADEL service port to your local machine
### Forward the ZITADEL service port to your local machine
```bash
kubectl port-forward svc/my-zitadel 8080:80
```
<DefaultUser components={props.components} />
<Next components={props.components} />
<Disclaimer components={props.components} />

34
docs/docs/guides/deploy/linux.mdx Normal file
View File

@ -0,0 +1,34 @@
---
title: Linux
---
import Disclaimer from './_disclaimer.mdx'
import DefaultUser from './_defaultuser.mdx'
import Next from './_next.mdx'
## Install CockroachDB
Download a `cockroach` binary as described [in the CockroachDB docs](https://www.cockroachlabs.com/docs/v22.1/install-cockroachdb).
ZITADEL is tested against CockroachDB v22.1.0 and Ubuntu 20.04.
## Run CockroachDB
```bash
cockroach start-single-node --insecure --background --http-addr :9090 --listen-addr=localhost
```
## Install ZITADEL
```bash
curl -s https://api.github.com/repos/zitadel/zitadel/releases/tags/v2.0.0 | grep "browser_download_url.*zitadel_Linux_$(uname -m).tar.gz" | cut -d '"' -f 4 | xargs wget -qO - | sudo tar --extract --gzip --overwrite --directory /usr/local/bin zitadel && sudo chown $(id -u):$(id -g) /usr/local/bin/zitadel
```
## Run ZITADEL
```bash
ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
```
<DefaultUser components={props.components} />
<Next components={props.components} />
<Disclaimer components={props.components} />

2
docs/docs/guides/installation/loadbalancing-example/docker-compose.yaml → docs/docs/guides/deploy/loadbalancing-example/docker-compose.yaml
View File

@ -15,7 +15,7 @@ services:
restart: 'always'
networks:
- 'zitadel'
image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64'
image: 'ghcr.io/zitadel/zitadel:v2.0.0-amd64'
command: 'start-from-init --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml --steps /example-zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}" --tlsMode external'
depends_on:
chown:

0
docs/docs/guides/installation/loadbalancing-example/example-traefik.yaml → docs/docs/guides/deploy/loadbalancing-example/example-traefik.yaml
View File

2
docs/docs/guides/installation/loadbalancing-example/example-zitadel-config.yaml → docs/docs/guides/deploy/loadbalancing-example/example-zitadel-config.yaml
View File

@ -1,4 +1,4 @@
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
Log:
Level: 'info'

2
docs/docs/guides/installation/loadbalancing-example/example-zitadel-init-steps.yaml → docs/docs/guides/deploy/loadbalancing-example/example-zitadel-init-steps.yaml
View File

@ -1,4 +1,4 @@
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/adminn/setup/steps.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/adminn/setup/steps.yaml
FirstInstance:
Org:
Name: 'My Org'

2
docs/docs/guides/installation/loadbalancing-example/example-zitadel-secrets.yaml → docs/docs/guides/deploy/loadbalancing-example/example-zitadel-secrets.yaml
View File

@ -1,4 +1,4 @@
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
# If not using the docker compose example, adjust these values for connecting ZITADEL to your CockroachDB
Database:

10
docs/docs/guides/installation/loadbalancing-example/loadbalancing-example.mdx → docs/docs/guides/deploy/loadbalancing-example/loadbalancing-example.mdx
View File

@ -38,19 +38,19 @@ By executing the commands below, you will download the following files:
```bash
# Download the docker compose example configuration. For example:
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/loadbalancing-example/docker-compose.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/deploye/loadbalancing-example/loadbalancing-example/docker-compose.yaml
# Download the docker compose example configuration. For example:
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/loadbalancing-example/example-traefik.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/deploye/loadbalancing-example/loadbalancing-example/example-traefik.yaml
# Download and adjust the example configuration file containing standard configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/loadbalancing-example/example-zitadel-config.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/deploye/loadbalancing-example/loadbalancing-example/example-zitadel-config.yaml
# Download and adjust the example configuration file containing secret configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/loadbalancing-example/example-zitadel-secrets.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/deploye/loadbalancing-example/loadbalancing-example/example-zitadel-secrets.yaml
# Download and adjust the example configuration file containing database initialization configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/loadbalancing-example/example-zitadel-init-steps.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/deploye/loadbalancing-example/loadbalancing-example/example-zitadel-init-steps.yaml
# A single ZITADEL instance always needs the same 32 characters long masterkey
# If you haven't done so already, you can generate a new one.

43
docs/docs/guides/deploy/macos.mdx Normal file
View File

@ -0,0 +1,43 @@
---
title: MacOS
---
import Disclaimer from './_disclaimer.mdx'
import DefaultUser from './_defaultuser.mdx'
import Next from './_next.mdx'
## Install CockroachDB
Download a `cockroach` binary as described [in the CockroachDB docs](https://www.cockroachlabs.com/docs/v22.1/install-cockroachdb).
ZITADEL is tested against CockroachDB v22.1.0.
## Run CockroachDB
```bash
cockroach start-single-node --insecure --background --http-addr :9090 --listen-addr=localhost
```
## Install ZITADEL
### Homebrew
```bash
brew install zitadel/tap/zitadel
```
### Download from GitHub
```bash
export MY_ARCHITECTURE="arm64 or amd64 depeding on your mac"
curl -s https://api.github.com/repos/zitadel/zitadel/releases/tags/v2.0.0 | grep "browser_download_url.*zitadel_Darwin_${MY_ARCHITECTURE}.tar.gz" | cut -d '"' -f 4 | xargs wget -qO - | sudo tar --extract --gzip --overwrite --directory /usr/local/bin zitadel && sudo chown $(id -u):$(id -g) /usr/local/bin/zitadel
```
## Run ZITADEL
```bash
ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
```
<DefaultUser components={props.components} />
<Next components={props.components} />
<Disclaimer components={props.components} />

19
docs/docs/guides/deploy/overview.mdx Normal file
View File

@ -0,0 +1,19 @@
---
title: Overview
---
Choose your platform and run ZITADEL with the most minimal configuration possible.
For an easy self-hosted production setup, we recommend running ZITADEL on [Kubernetes](https://kubernetes.io/docs/home/), using our official [Helm](https://helm.sh/docs/) chart.
By default, it runs a highly available ZITADEL instance along with a secure and highly available [CockroachDB](https://www.cockroachlabs.com/docs/stable/) instance.
- [Linux](./linux)
- [MacOS](./macos)
- [Docker Compose](./compose)
- [Knative](./knative)
- [Kubernetes](./kubernetes)
## Prerequisits
- ZITADEL does not need much resource 1 CPU and 512MB memory is more than enough. (With more CPU the password hashing might be faster)
- A cockroachDB or [🚧 Postgresql coming soon](https://github.com/zitadel/zitadel/pull/3998) as only needed storage
- If you want to front ZTIADEL with a revers proxy, web application firewall or content delivery network make sure to support [HTTP/2](../manage/self-hosted/http2)

10
docs/docs/guides/installation/http2-support.md
View File

@ -1,10 +0,0 @@
---
title: HTTP/2 Support
---
The ZITADEL console (prefix `/ui/console`) uses [gRPC-Web](https://github.com/grpc/grpc-web) for its API calls.
The ZITADEL backend service accepts gRPC-Web requests and translates them into real gRPC calls to itself.
Because ZITADEL accepts gRPC-Web and translates it to gRPC itself, your reverse proxy doesn't need to be able to support gRPC or gRPC-Web.
However, as gRPC requires HTTP/2, your reverse proxy is required to send and receive downstream and upstream HTTP/2 traffic.
Go to the [loadbalancing example with Traefik](./loadbalancing-example) for seeing a working example configuration.

19
docs/docs/guides/installation/run/_linux.mdx
View File

@ -1,19 +0,0 @@
## Download The CockroachDB binary
Download a `cockroach` binary as described [in the CockroachDB docs](https://www.cockroachlabs.com/docs/v22.1/install-cockroachdb).
ZITADEL is tested against CockroachDB v22.1.0 and Ubuntu 20.04.
## Run CockroachDB
```bash
cockroach start-single-node --insecure --background --http-addr :9090 --listen-addr=localhost
```
## Run ZITADEL
```bash
# Download the zitadel binary
curl -s https://api.github.com/repos/zitadel/zitadel/releases/tags/v2.0.0-v2-alpha.39 | grep "browser_download_url.*zitadel_Linux_$(uname -i).tar.gz" | cut -d '"' -f 4 | xargs wget -qO - | sudo tar --extract --gzip --overwrite --directory /usr/local/bin zitadel && sudo chown $(id -u):$(id -g) /usr/local/bin/zitadel
# Run the zitadel binary
ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
```

32
docs/docs/guides/installation/run/_macos.mdx
View File

@ -1,32 +0,0 @@
## Download The CockroachDB binary
Download a `cockroach` binary as described [in the CockroachDB docs](https://www.cockroachlabs.com/docs/v22.1/install-cockroachdb).
ZITADEL is tested against CockroachDB v22.1.0.
## Run CockroachDB and ZITADEL
Run a CockroachDB instance
```bash
cockroach start-single-node --insecure --background --http-addr :9090 --listen-addr=localhost
```
# Download and Install ZITADEL
Either use `Homebrew` ...
```bash
brew install zitadel/tap/zitadel
```
... or download the binary from GitHub
```bash
export MY_ARCHITECTURE="arm64 or amd64 depeding on your mac"
curl -s https://api.github.com/repos/zitadel/zitadel/releases/tags/v2.0.0-v2-alpha.39 | grep "browser_download_url.*zitadel_Darwin_${MY_ARCHITECTURE}.tar.gz" | cut -d '"' -f 4 | xargs wget -qO - | sudo tar --extract --gzip --overwrite --directory /usr/local/bin zitadel && sudo chown $(id -u):$(id -g) /usr/local/bin/zitadel
```
Run ZITADEL
```bash
ZITADEL_EXTERNALSECURE=false zitadel start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled

72
docs/docs/guides/installation/run/run.mdx
View File

@ -1,72 +0,0 @@
---
title: Run
---
import Tabs from "@theme/Tabs";
import TabItem from "@theme/TabItem";
import Linux from './_linux.mdx'
import MacOS from './_macos.mdx'
import Compose from './_compose.mdx'
import Helm from './_helm.mdx'
import Knative from './_knative.mdx'
import NextSelfHosted from './_nextselfhosted.mdx'
import DefaultUser from './_defaultuser.mdx'
# Run ZITADEL
Choose your platform and run ZITADEL with the most minimal configuration possible.
For an easy self-hosted production setup, we recommend running ZITADEL on [Kubernetes](https://kubernetes.io/docs/home/), using our official [Helm](https://helm.sh/docs/) chart.
By default, it runs a highly available ZITADEL instance along with a secure and highly available [CockroachDB](https://www.cockroachlabs.com/docs/stable/) instance.
## Disclaimer
This guide is for development / demonstration purpose only and does NOT reflect a production setup.
Things such as TLS termination and email verification will not be available unless you
- use an API gateway with valid certificates in front of the service
- configure an appropriate email server
see loadbalancing example [here](/docs/guides/installation/loadbalancing-example)
<!-- TODO: Destroy -->
<Tabs
groupId="installation-target"
default="saas"
values={[
{'label': 'SaaS', 'value': 'saas'},
{'label': 'Linux', 'value': 'linux'},
{'label': 'MacOS', 'value': 'macos'},
{'label': 'Docker Compose', 'value': 'compose'},
{'label': 'Kubernetes (Helm)', 'value': 'k8s'},
{'label': 'Knative', 'value': 'knative'}
]}
>
<TabItem value="saas">
Try our <a href="https://zitadel.com">SaaS offering</a>. The first 25k requests are free.
</TabItem>
<TabItem value="linux">
<Linux/>
<DefaultUser/>
<NextSelfHosted/>
</TabItem>
<TabItem value="macos">
<MacOS/>
<DefaultUser/>
<NextSelfHosted/>
</TabItem>
<TabItem value="compose">
<Compose/>
<DefaultUser/>
<NextSelfHosted/>
</TabItem>
<TabItem value="k8s">
<Helm/>
<DefaultUser/>
<NextSelfHosted/>
</TabItem>
<TabItem value="knative">
<Knative/>
<NextSelfHosted/>
</TabItem>
</Tabs>

10
docs/docs/guides/api/access-zitadel-apis.md → docs/docs/guides/integrate/access-zitadel-apis.md
View File

@ -21,8 +21,8 @@ title: Access ZITADEL APIs
<td>Prerequisites</td>
<td>
<ul>
<li>Knowledge of <a href="/docs/guides/authorization/oauth-recommended-flows">Recommended Authorization Flows</a></li>
<li>Knowledge of <a href="/docs/guides/authentication/serviceusers">Service Users</a></li>
<li>Knowledge of <a href="/docs/guides/integrate/oauth-recommended-flows">Recommended Authorization Flows</a></li>
<li>Knowledge of <a href="/docs/guides/integrate/serviceusers">Service Users</a></li>
</ul>
</td>
</tr>
@ -42,7 +42,7 @@ On each level we have some different Roles. Here you can find more about the dif
## Exercise: Add ORG_OWNER to Service User
Make sure you have a Service User with a Key. (For more detailed informations about creating a service user go to [Service User](../authentication/serviceusers))
Make sure you have a Service User with a Key. (For more detailed informations about creating a service user go to [Service User](serviceusers.md))
1. Navigate to Organization Detail
2. Click the **+** button in the right part of console, in the managers part of details
@ -54,7 +54,7 @@ Make sure you have a Service User with a Key. (For more detailed informations ab
## Authenticating a service user
In ZITADEL we use the `private_jwt` (**“JWT bearer token with private key”**, [RFC7523](https://tools.ietf.org/html/rfc7523)) authorization grant for this non-interactive authentication.
This is already described in the [Service User](../authentication/serviceusers), so make sure you follow this guide.
This is already described in the [Service User](serviceusers.md), so make sure you follow this guide.
### Request an OAuth token, with audience for ZITADEL
@ -65,8 +65,6 @@ This is possible by sending a custom scope for the audience. More about [Custom
Use the scope `urn:zitadel:iam:org:project:id:{projectid}:aud` to include the project id in your audience
> The scope for zitadel.ch is: `urn:zitadel:iam:org:project:id:69234237810729019:aud`
```bash
curl --request POST \
--url {your_domain}/oauth/v2/token \

0
docs/docs/guides/integrations/application/application.mdx → docs/docs/guides/integrate/application/application.mdx
View File

0
docs/docs/guides/integrations/application/auth-type.mdx → docs/docs/guides/integrate/application/auth-type.mdx
View File

0
docs/docs/guides/integrations/application/generate-key.mdx → docs/docs/guides/integrate/application/generate-key.mdx
View File

0
docs/docs/guides/integrations/application/redirect-uris.mdx → docs/docs/guides/integrate/application/redirect-uris.mdx
View File

0
docs/docs/guides/integrations/application/review-config.mdx → docs/docs/guides/integrate/application/review-config.mdx
View File

5
docs/docs/guides/integrations/auth0.md → docs/docs/guides/integrate/auth0.md
View File

@ -11,8 +11,9 @@ It covers how to:
Prerequisites:
- existing ZITADEL organization, if not present follow [this guide](../../guides/basics/get-started#trying-out-zitadel-on-zitadelch)
- existing project, if not present follow the first 3 steps [here](../../guides/basics/projects#exercise---create-a-simple-project)
- existing ZITADEL Instance, if not present follow [this guide](../../guides/start/quickstart)
- existing ZITADEL Organization, if not present follow [this guide](../../guides/manage/console/organizations)
- existing ZITADEL project, if not present follow the first 3 steps [here](../../guides/manage/console/projects)
- existing Auth0 tenant as described [here](https://auth0.com/docs/get-started/auth0-overview/create-tenants)
> We have to switch between ZITADEL and a Auth0. If the headings begin with "ZITADEL" switch to the ZITADEL Console and if the headings start with Auth0 please switch to the Auth0 GUI.

18
docs/docs/guides/integrations/authenticated-mongodb-charts.md → docs/docs/guides/integrate/authenticated-mongodb-charts.md
View File

@ -9,13 +9,13 @@ This integration guide shows how you can embed authenticated MongoDB Charts in y
Before you can embed an authenticated chart in your application, you have to do a few configuration steps in ZITADEL Console.
You will need to provide some information about your app. We recommend creating a new app to start from scratch.
1. Navigate to your [Project](https://console.zitadel.ch/projects)
1. Add a new application at the top of the page.
1. Select Web application type and continue.
1. Use [Authorization Code](../../apis/openidoauth/grant-types#authorization-code) in combination with [Proof Key for Code Exchange (PKCE)](../../apis/openidoauth/grant-types#proof-key-for-code-exchange).
1. Skip the redirect settings and confirm the app creation
1. Copy the client ID, you will need to tell MongoDB Charts about it.
1. When you created the app, expand its _OIDC Configuration_ section, change the _Auth Token Type_ to _JWT_ and save the change.
1. Navigate to your Project
2. Add a new application at the top of the page.
3. Select Web application type and continue.
4. Use [Authorization Code](../../apis/openidoauth/grant-types#authorization-code) in combination with [Proof Key for Code Exchange (PKCE)](../../apis/openidoauth/grant-types#proof-key-for-code-exchange).
5. Skip the redirect settings and confirm the app creation
6. Copy the client ID, you will need to tell MongoDB Charts about it.
7. When you created the app, expand its _OIDC Configuration_ section, change the _Auth Token Type_ to _JWT_ and save the change.
Your application configuration should now look similar to this:
@ -28,7 +28,7 @@ Configure ZITADEL as your _Custom JWT Provider_ following the [MongoDB docs](htt
Configure the following values:
- Signing Algorithm: RS256
- Signing Key: JWK or JWKS URL
- JWKS: https://api.zitadel.ch/oauth/v2/keys
- JWKS: https://{your_domain}.zitadel.cloud/oauth/v2/keys
- Audience: Your app's client ID which you copied when you created the ZITADEL app
Your configuration should look similar to this:
@ -39,7 +39,7 @@ Your configuration should look similar to this:
Embed a chart into your application now, following the corresponding [MongoDB docs](https://docs.mongodb.com/charts/saas/embed-chart-jwt-auth/).
If you've done the [Angular Quickstart](../../quickstarts/login/angular.md), your code could look something like this:
If you've done the [Angular Quickstart](../../examples/login/angular.md), your code could look something like this:
```html
<!-- chart.component.html -->

0
docs/docs/guides/authentication/authmethods.mdx → docs/docs/guides/integrate/authmethods.mdx
View File

0
docs/docs/guides/authentication/authmethods/basic.mdx → docs/docs/guides/integrate/authmethods/basic.mdx
View File

0
docs/docs/guides/authentication/authmethods/implicit.mdx → docs/docs/guides/integrate/authmethods/implicit.mdx
View File

0
docs/docs/guides/authentication/authmethods/jwtpk.mdx → docs/docs/guides/integrate/authmethods/jwtpk.mdx
View File

0
docs/docs/guides/authentication/authmethods/pkce.mdx → docs/docs/guides/integrate/authmethods/pkce.mdx
View File

0
docs/docs/guides/authentication/authmethods/pkcenative.mdx → docs/docs/guides/integrate/authmethods/pkcenative.mdx
View File

0
docs/docs/guides/api/export-and-import.md → docs/docs/guides/integrate/export-and-import.md
View File

5
docs/docs/guides/integrations/gitlab-self-hosted.md → docs/docs/guides/integrate/gitlab-self-hosted.md
View File

@ -11,8 +11,9 @@ It covers how to:
Prerequisites:
- existing ZITADEL organization, if not present follow [this guide](../../guides/basics/get-started#trying-out-zitadel-on-zitadelch)
- existing project, if not present follow the first 3 steps [here](../../guides/basics/projects#exercise---create-a-simple-project)
- existing ZITADEL Instance, if not present follow [this guide](../../guides/start/quickstart)
- existing ZITADEL Organization, if not present follow [this guide](../../guides/manage/console/organizations)
- existing ZITADEL project, if not present follow the first 3 steps [here](../../guides/manage/console/projects)
- running Gitlab instance see [installation guide](https://docs.gitlab.com/ee/install/)
import CreateApp from "./application/application.mdx";

39
docs/docs/guides/authentication/identity-brokering.md → docs/docs/guides/integrate/identity-brokering.md
View File

@ -22,7 +22,7 @@ title: Identity Brokering
<td>Prerequisites</td>
<td>
<ul>
<li>Knowledge of <a href="/docs/guides/basics/organizations">Organizations</a></li>
<li>Knowledge of <a href="/docs/guides/manage/console/organizations">Organizations</a></li>
</ul>
</td>
</tr>
@ -99,46 +99,13 @@ An organization's login settings will be shown
- as soon as the user has entered the loginname and ZITADEL can identitfy to which organization he belongs; or
- by sending a primary domain scope.
To get your own configuration you will have to send the [primary domain scope](https://docs.zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes) in your [authorization request](https://docs.zitadel.com/docs/guides/authentication/login-users/#auth-request) .
To get your own configuration you will have to send the [primary domain scope](../../apis/openidoauth/scopes#reserved-scopes) in your [authorization request](../../guides/integrate/login-users#auth-request) .
The primary domain scope will restrict the login to your organization, so only users of your own organization will be able to login, also your branding and policies will trigger.
:::note
You need to create your own auth request with your applications parameters. Please see the docs to construct an [Auth Request](https://docs.zitadel.com/docs/guides/authentication/login-users/#auth-request).
You need to create your own auth request with your applications parameters. Please see the docs to construct an [Auth Request](../../guides/integrate/login-users#auth-request).
:::
Your user will now be able to choose Google for login instead of username/password or mfa.
## Knowledge Check
* The issuer for your identity provider is <https://issuer.zitadel.ch>
- [ ] yes
- [ ] no
* The identity provider has to be oAuth 2.0 compliant
- [ ] yes
- [ ] no
<details>
<summary>
Solutions
</summary>
* The issuer for your identity provider is https://issuer.zitadel.ch
- [ ] yes
- [x] no (The issuer is provided by your choosen identity provider. In the case of Google it's https://accounts.google.com)
* The identity provider has to be oAuth 2.0 compliant
- [x] yes
- [ ] no
</details>
## Summary
* You can federate identities of all oAuth 2.0 compliant external identity providers
* Configure the provider in your custom login policy
Where to go from here:
* ZITADEL Projects
* Service users

2
docs/docs/guides/authentication/login-users.mdx → docs/docs/guides/integrate/login-users.mdx
View File

@ -22,7 +22,7 @@ OAuth and therefore OIDC know three different application types:
Depending on the app type you're trying to register, there are small differences.
But regardless of the app type we recommend using Proof Key for Code Exchange (PKCE).
Please read the following guide about the [different-client-profiles](../authorization/oauth-recommended-flows#different-client-profiles) and why to use PKCE.
Please read the following guide about the [different-client-profiles](./oauth-recommended-flows#different-client-profiles) and why to use PKCE.
### Code Flow

0
docs/docs/guides/authorization/oauth-recommended-flows.md → docs/docs/guides/integrate/oauth-recommended-flows.md
View File

10
docs/docs/guides/authentication/serviceusers.md → docs/docs/guides/integrate/serviceusers.md
View File

@ -22,7 +22,7 @@ title: Service Users
<td>Prerequisites</td>
<td>
<ul>
<li>Knowledge of <a href="/docs/guides/authorization/oauth-recommended-flows">Recommended Authorization Flows</a></li>
<li>Knowledge of <a href="/docs/guides/integrate/oauth-recommended-flows">Recommended Authorization Flows</a></li>
</ul>
</td>
</tr>
@ -97,7 +97,7 @@ Payload
{
"iss": "100507859606888466",
"sub": "100507859606888466",
"aud": "https://issuer.zitadel.ch",
"aud": "{your_domain}.zitadel.cloud",
"iat": [Current UTC timestamp, e.g. 1605179982, max. 1 hour ago],
"exp": [UTC timestamp, e.g. 1605183582]
}
@ -119,7 +119,7 @@ With the encoded JWT from the prior step, you will need to craft a POST request
```bash
curl --request POST \
--url https://api.zitadel.ch/oauth/v2/token \
--url https://{your_domain}.zitadel.cloud/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
--data scope='openid profile email' \
@ -149,7 +149,7 @@ For this example let's call the userinfo endpoint to verfiy that our access toke
```bash
curl --request POST \
--url https://api.zitadel.ch/oauth/v2/userinfo \
--url https://{your_domain}.zitadel.cloud/oidc/v1/userinfo \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer MtjHodGy4zxKylDOhg6kW90WeEQs2q...'
```
@ -162,7 +162,7 @@ Content-Type: application/json
{
"name": "MyServiceUser",
"preferred_username": "service_user@acme.zitadel.ch",
"preferred_username": "service_user@{your_domain}.zitadel.cloud",
"updated_at": 1616417938
}
```

38
docs/docs/guides/manage/cloud/billing.md Normal file
View File

@ -0,0 +1,38 @@
---
title: Billing
---
In the billing page shows your configured payment methods and the invoice
![Customer Portal Billing](/img/manuals/portal/customer_portal_billing.png)
## Payment Method
If you click on the "+" Button a popup will be shown with the needed fields to add a new payment method.
At the moment we provide only "Credit Card" payment
Once a payment method is configured, it can be selected directly in the instance creation process.
## Customer
To be able to create correct billings we will need some customer information from you.
This includes the following fields:
- Name
- Country
- Email address
- Address line 1
- Address line 2
- Postal Code
- City
## Update Billing Information
You will only need to add billing information if your instance is in the paid tier. There are two options on how to add your billing info.
2. Go to the billing menu and add a new payment method. You will be able to choose the added method, when upgrading the instance to the paid tier.
3. Add the billing information directly during the upgrade process.
## Invoices
We show all you invoices, and you are able to download them directly in the Customer Portal.

8
docs/docs/manuals/customerportal/instances.md → docs/docs/guides/manage/cloud/instances.md
View File

@ -52,6 +52,14 @@ A free instance can be upgraded to a "pay as you go" instance. By upgrading your
We recommend register a custom domain to access your ZITADEL instance.
The primary domain of your ZITADEL instance will be the issuer of the instance. All other domains can be used to access the instance itself
1. Browse to your instance
2. Click **Add custom domain**
3. To start the domain verification click the domain name and a dialog will appear, where you can choose between DNS or HTTP challenge methods.
4. For example, create a TXT record with your DNS provider for the used domain and click verify. ZITADEL will then proceed an check your DNS.
5. When the verification is successful you have the option to activate the domain by clicking **Set as primary**
> **_Please note:_** Do not delete the verification code, as ZITADEL Customer Portal will re-check the ownership of your domain from time to time
Be aware that it has some impacts if you change the primary domain of your instance.
1. The urls and issuer have to change in your app
2. Passwordless authentication is based on the domain, if you change it, your users will not be able to login with the registered passwordless authentication

0
docs/docs/manuals/customerportal/notifications.md → docs/docs/guides/manage/cloud/notifications.md
View File

0
docs/docs/manuals/customerportal/overview.md → docs/docs/guides/manage/cloud/overview.md
View File

0
docs/docs/manuals/customerportal/start.md → docs/docs/guides/manage/cloud/start.md
View File

4
docs/docs/manuals/customerportal/support.md → docs/docs/guides/manage/cloud/support.md
View File

@ -5,10 +5,10 @@ title: Support
In the header you can find a button for the support.
Create a new support request with the following information:
- Severity
- Subject
- Message
- Affected instance
At the bottom of the page you can see all your support requests.
This form will generate a prefilled E-Mail you can send directly to our support address.
![Customer Portal Support](/img/manuals/portal/customer_portal_support.png)

0
docs/docs/manuals/customerportal/users.md → docs/docs/guides/manage/cloud/users.md
View File

41
docs/docs/guides/basics/applications.mdx → docs/docs/guides/manage/console/applications.mdx
View File

@ -4,39 +4,10 @@ title: Applications
import ThemedImage from '@theme/ThemedImage';
import AuthType from '../integrations/application/auth-type.mdx';
import RedirectURIs from '../integrations/application/redirect-uris.mdx';
import GenerateKey from '../integrations/application/generate-key.mdx';
import ReviewConfig from '../integrations/application/review-config.mdx';
<table className="table-wrapper">
<tbody>
<tr>
<td>Description</td>
<td>Learn what applications are and how to use.</td>
</tr>
<tr>
<td>Learning Outcomes</td>
<td>
In this module you will:
<ul>
<li>Get an overview of application types</li>
<li>Learn which application type allows which authentication types</li>
<li>Learn why Redirect URIs make login processes more secure</li>
</ul>
</td>
</tr>
<tr>
<td>Prerequisites</td>
<td>
<ul>
<li>ZITADEL <a href="./organizations">organization</a></li>
<li>ZITADEL <a href="./projects">project</a></li>
</ul>
</td>
</tr>
</tbody>
</table>
import AuthType from '../../integrate/application/auth-type.mdx';
import RedirectURIs from '../../integrate/application/redirect-uris.mdx';
import GenerateKey from '../../integrate/application/generate-key.mdx';
import ReviewConfig from '../../integrate/application/review-config.mdx';
## What is an application?
@ -48,7 +19,7 @@ Applications are the entry point to your project. Users either login into one of
If you create a new application in ZITADEL Console you have to choose the type of your application. But which one do you have to choose?
Detailed information about authentication types can be found [here](../authentication/login-users#create-application).
Detailed information about authentication types can be found [here](../../integrate/login-users#create-application).
<ThemedImage
alt="Redirect URIs configuration"
@ -76,7 +47,7 @@ These applications uses the Key file generated by ZITADEL to authenticate.
### User Agent
Applications that are executed in a web browser, for example single page applications executed in the browser developed with JavaScript frameworks like [Angular](../../quickstarts/login/angular) or [React](../../quickstarts/login/react)
Applications that are executed in a web browser, for example single page applications executed in the browser developed with JavaScript frameworks like [Angular](../../../examples/login/angular) or [React](../../../examples/login/react)
Following authentication types can be used:

65
docs/docs/guides/basics/organizations.mdx → docs/docs/guides/manage/console/organizations.mdx
View File

@ -2,17 +2,10 @@
title: Organizations
---
| | |
| --- | --- |
| Description | Learn how ZITADEL is structured around Organizations and how to create your organization and verify a domain to use with that new organization. |
| Learning Outcomes | In this module you will: <ul><li>Learn about organizations</li><li>Create a new organization</li><li>Verify your domain name </li></ul> |
|Prerequisites|Existing instance|
## What is an organization?
import OrgDescription from '../../concepts/structure/_org_description.mdx';
import Column from '../../../src/components/column';
import OrgDescription from '../../../concepts/structure/_org_description.mdx';
import Column from '../../../../src/components/column';
<OrgDescription name="OrgDescription" />
@ -32,27 +25,26 @@ The customer needs to fill in the form with the organization name and the contac
![Register new Organization](/img/console_org_register.png)
## How ZITADEL handles usernames
As we mentioned before, each organization has its own pool of usernames, which includes human and service.
This means that, for example a user with the username road.runner, can only exist once in an organization called ACME. ZITADEL will automatically generate a "logonname" for each consisting of `{username}@{domainname}.{zitadeldomain}`, in our example road.runner@acme.zitadel.ch.
This means that, for example a user with the username road.runner, can only exist once in an organization called ACME. ZITADEL will automatically generate a "logonname" for each consisting of `{username}@{domainname}.{zitadeldomain}`, in our example road.runner@acme.zitadel.cloud.
When you verify your domain name, then ZITADEL will generate additional logonames for each user with the verified domain. If our example organization would own the domain acme.ch and verify within the organization ACME, then the resulting logonname in our example would be road.runner@acme.ch in addition to the already generated road.runner@acme.zitadel.ch. The user can now use either logonname to authenticate with your application.
When you verify your domain name, then ZITADEL will generate additional logonames for each user with the verified domain. If our example organization would own the domain acme.ch and verify within the organization ACME, then the resulting logonname in our example would be road.runner@acme.ch in addition to the already generated road.runner@acme.zitadel.cloud. The user can now use either logonname to authenticate with your application.
## Domain verification and primary domain
Once you have successfully registered your organization, ZITADEL will automatically generate a domain name for your organization (eg, acme.zitadel.ch). Users that you create within your organization will be suffixed with this domain name.
Once you have successfully registered your organization, ZITADEL will automatically generate a domain name for your organization (eg, acme.zitadel.cloud). Users that you create within your organization will be suffixed with this domain name.
You can improve the user experience, by suffixing users with a domain name that is in your control. If the "validate ord domains" settings in the [Domain Policy](../../concepts/structure/policies) is set to true, you have to prove the ownership of your domain, by DNS or HTTP challenge.
You can improve the user experience, by suffixing users with a domain name that is in your control. If the "validate ord domains" settings in the [Domain Policy](../../../concepts/structure/policies) is set to true, you have to prove the ownership of your domain, by DNS or HTTP challenge.
If the settings is set to false, the created domain will automatically be set to verifed.
An organization can have multiple domain names, but only one domain can be primary. The primary domain defines which login name ZITADEL displays to the user, and what information gets asserted in access_tokens (`preferred_username`).
Please note that domain verification also removes the logonname from all users, who might have used this combination in the global organization (ie. users not belonging to a specific organization). Relating to our example with acme.ch: If a user coyote exists in the global organization with the logonname coyote@acme.ch, then after verification of acme.ch, this logonname will be replaced with `coyote@{randomvalue.tld}`. ZITADEL will notify users affected by this change.
## Exercise - Verify your domain name
## Verify your domain name
1. Browse to your organization
2. Click **Add Domain**
@ -64,45 +56,4 @@ Please note that domain verification also removes the logonname from all users,
> **_Please note:_** Do not delete the verification code, as ZITADEL will re-check the ownership of your domain from time to time
## Knowledge Check
* Users exist only within projects or clients
- [ ] yes
- [ ] no
* User can only login with `{username}@{domainname}.{zitadeldomain}`
- [ ] yes
- [ ] no
* You can delegate access management self-service to another organization
- [ ] yes
- [ ] no
<details>
<summary>
Solutions
</summary>
* Users exist only within projects or clients
- [ ] yes
- [x] no (users exist within organizations)
* User can only login with `{username}@{domainname}.{zitadeldomain}`
- [ ] yes
- [x] no (You can validate your own domain and login with `{loginname}@{yourdomain.tld}`)
* You can delegate access management self-service to another organization
- [x] yes
- [ ] no
</details>
## Summary
* Create your organization and a new user by visiting zitadel.ch
* Organizations are the top-most vessel for your IAM objects, such as users or projects
* Verify your domain in the Console to improve user experience; remember to not delete the verification code to allow recheck of ownership
* You can delegate certain aspects of your IAM to other organizations for self-service
Where to go from here:
* Create a project
* Setup Passwordless MFA
* Manage ZITADEL Roles
* Grant roles to other organizations or users
<!-- //TODO Add whats next again -->

66
docs/docs/guides/manage/console/projects.mdx Normal file
View File

@ -0,0 +1,66 @@
---
title: Projects
---
## What is a project?
import ProjectDescription from '../../../concepts/structure/_project_description.mdx';
<ProjectDescription name="ProjectDescription" />
The goal of this module is to give you an overview, but not dive too deep into details around managing access rights and delegating management of roles to third parties. So lets create a straightforward example project first.
## Create a project
Visit <https://{your_domain}.zitadel.cloud/ui/console/projects> or select “Projects” within your organization, then click the button to create a new project.
![Empty Project](/img/console_projects_empty.png)
Enter the name “ My first project” and continue.
Lets make this more interesting and add some basic roles and authorizations to your project and then confirm the scope of the roles and authorizations.
Jump to the section ROLES and create two new roles with the following values
* Key: reader
* Display Name: Reader
* Group: user
and
* Key: editor
* Display Name: Editor
* Group: user
![Add New Roles](/img/console_projects_add_new_roles.gif)
Now, you can add roles to your own user, or you can create a new user. To create a new user, go to Users and click “New”. Enter the required contact details and save by clicking “Create”.
![Create new user](/img/console_users_create_new_user.gif)
To grant users certain roles, you need to create authorizations. Go back to the project, and jump to the section AUTHORIZATIONS.
![Verify your authorization](/img/console_projects_create_authorization.gif)
You can verify the role grant on the user. Select Users from the navigation menu and click on the user Coyote. Scroll down to the section AUTHORIZATION, there you should be able to verify that the user has the role reader for your project My first project.
![Organization grant](/img/console_projects_authorization_created.png)
Now create another project (eg. “My second project”) and verify that there are no roles or authorizations on your second project.
## What is a granted project?
import GrantedProjectDescription from '../../../concepts/structure/_granted_project_description.mdx';
<GrantedProjectDescription name="GrantedProjectDescription" />
## Grant a project
1. Visit the project that you have created before, then in the section GRANTED ORGANIZATIONS click New.
2. Enter the domain acme.caos.ch, search the organization and continue to the next step.
3. Select some roles you would like to grant to the organization ACME and confirm.
4. You should now see ACME-CAOS in the section GRANTED ORGANIZATIONS
![Grant a project](/img/projects_create_org_grant.gif)
<!-- //TODO Add whats next again -->

12
docs/docs/guides/customization/behavior.md → docs/docs/guides/manage/customize/behavior.md
View File

@ -2,7 +2,7 @@
title: Behavior Customization
---
In this guide, you will create a [ZITADEL action](../../concepts/features/actions).
In this guide, you will create a [ZITADEL action](../../../concepts/features/actions).
After users register using an external identity provider, the action assigns them a role.
## Prerequisites
@ -11,8 +11,8 @@ Before you start, make sure you have everything set up correctly.
- You need to be at least a ZITADEL *ORG_OWNER*
- Your ZITADEL organization needs to have the actions feature enabled. <!-- TODO: How to enable it for SaaS ZITADEL? -->
- [Your ZITADEL organization needs to have at least one external identity provider enabled](../authentication/identity-brokering)
- [You need to have at least one role configured for a project](../basics/projects)
- [Your ZITADEL organization needs to have at least one external identity provider enabled](../../integrate/identity-brokering)
- [You need to have at least one role configured for a project](../console/projects)
## Copy some information for the action
@ -40,7 +40,7 @@ function addGrant(ctx, api) {
## Run the action when a user registers
Now, make the action hook into the [external authentication flow](../../apis/actions#external-authentication-flow).
Now, make the action hook into the [external authentication flow](../../../apis/actions#external-authentication-flow).
1. In the **Flows <i class="las la-exchange-alt"></i>** section, select the **+ New** button.
1. Select the **Flow Type** *External Authentication*.
@ -54,5 +54,5 @@ New users automatically are assiged a role now if they register by authenticatin
## What's next?
- [Read more about the concepts around actions](../../concepts/features/actions)
- [Read more about all the options you have with actions](../../apis/actions)
- [Read more about the concepts around actions](../../../concepts/features/actions)
- [Read more about all the options you have with actions](../../../apis/actions)

2
docs/docs/guides/customization/branding.md → docs/docs/guides/manage/customize/branding.md
View File

@ -41,7 +41,7 @@ The primary domain scope will restrict the login to your organization, so only u
See the following link as an example. Users will be able to register and login to the organization that verified the @caos.ch domain only.
```
https://{your_domain.zitadel.cloud}/oauth/v2/authorize?client_id=69234247558357051%40zitadel&scope=openid%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Adomain%3Aprimary%3Acaos.ch&redirect_uri=https%3A%2F%2Fconsole.zitadel.ch%2Fauth%2Fcallback&state=testd&response_type=code&nonce=test&code_challenge=UY30LKMy4bZFwF7Oyk6BpJemzVblLRf0qmFT8rskUW0
https://{your_domain.zitadel.cloud}/oauth/v2/authorize?client_id=69234247558357051%40zitadel&scope=openid%20profile%20urn%3Azitadel%3Aiam%3Aorg%3Adomain%3Aprimary%3Acaos.ch&redirect_uri=https%3A%2F%2Fconsole.zitadel.cloud%2Fauth%2Fcallback&state=testd&response_type=code&nonce=test&code_challenge=UY30LKMy4bZFwF7Oyk6BpJemzVblLRf0qmFT8rskUW0
```
:::info

2
docs/docs/guides/customization/texts.md → docs/docs/guides/manage/customize/texts.md
View File

@ -40,4 +40,4 @@ ZITADEL is available in the following languages
A language is displayed based on your agent's language header. The default language is English.
If you need support for a specific language we highly encourage you to [contribute translation files](https://github.com/zitadel/zitadel/blob/v2-alpha/CONTRIBUTING.md) for the missing language.
If you need support for a specific language we highly encourage you to [contribute translation files](https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md) for the missing language.

2
docs/docs/guides/customization/user-metadata.md → docs/docs/guides/manage/customize/user-metadata.md
View File

@ -17,7 +17,7 @@ Typical examples for user metadata include:
### Create a new client
- Create a new [web application](https://docs.zitadel.com/docs/guides/basics/applications#web)
- Create a new [web application](https://docs.zitadel.com/docs/guides/start/applications#web)
- Use Code-Flow
- In this example we will use `http://localhost` as redirect url
- Make sure to note the client secret

8
docs/docs/guides/installation/configure/_compose.mdx → docs/docs/guides/manage/self-hosted/configure/_compose.mdx
View File

@ -23,16 +23,16 @@ By executing the commands below, you will download the following files:
```bash
# Download the docker compose example configuration for a secure CockroachDB. For example:
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/configure/docker-compose.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/manage/self-hosted/configure/docker-compose.yaml
# Download and adjust the example configuration file containing standard configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/configure/example-zitadel-config.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/manage/self-hosted/configure/example-zitadel-config.yaml
# Download and adjust the example configuration file containing secret configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/configure/example-zitadel-secrets.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/manage/self-hosted/configure/example-zitadel-secrets.yaml
# Download and adjust the example configuration file containing database initialization configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/configure/example-zitadel-init-steps.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/manage/self-hosted/configure/example-zitadel-init-steps.yaml
# A single ZITADEL instance always needs the same 32 characters long masterkey
# If you haven't done so already, you can generate a new one

6
docs/docs/guides/installation/configure/_helm.mdx → docs/docs/guides/manage/self-hosted/configure/_helm.mdx
View File

@ -5,7 +5,7 @@ import ExampleZITADELValuesSecretsSource from '!!raw-loader!./example-zitadel-va
By default, the chart installs a secure ZITADEL and CockroachDB.
The example files makes an insecure ZITADEL accessible by port forwarding the ZITADEL service to localhost.
For more configuration options, [go to the chart repo descriptions](https://github.com/zitadel/zitadel-charts).
For a secure installation with Docker Compose, [go to the loadbalancing example](/docs/guides/installation/loadbalancing-example)
For a secure installation with Docker Compose, [go to the loadbalancing example](../../deploy/loadbalancing-example)
By executing the commands below, you will download the following files:
@ -18,10 +18,10 @@ By executing the commands below, you will download the following files:
```bash
# Download and adjust the example configuration file containing standard configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/configure/example-zitadel-values.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/manage/self-hosted/configure/example-zitadel-values.yaml
# Download and adjust the example configuration file containing secret configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/configure/example-zitadel-values-secrets.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/manage/self-hosted/configure/example-zitadel-values-secrets.yaml
# Install an insecure zitadel release that works with localhost
helm install --namespace zitadel --create-namespace my-zitadel zitadel/zitadel \

6
docs/docs/guides/installation/configure/_linuxunix.mdx → docs/docs/guides/manage/self-hosted/configure/_linuxunix.mdx
View File

@ -19,13 +19,13 @@ By executing the commands below, you will download the following files:
```bash
# Download and adjust the example configuration file containing standard configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/configure/example-zitadel-config.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/manage/self-hosted/configure/example-zitadel-config.yaml
# Download and adjust the example configuration file containing secret configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/configure/example-zitadel-secrets.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/manage/self-hosted/configure/example-zitadel-secrets.yaml
# Download and adjust the example configuration file containing database initialization configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/v2-alpha/docs/docs/guides/installation/configure/example-zitadel-init-steps.yaml
wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/guides/manage/self-hosted/configure/example-zitadel-init-steps.yaml
# A single ZITADEL instance always needs the same 32 characters long masterkey
# If you haven't done so already, you can generate a new one

16
docs/docs/guides/installation/configure/configure.mdx → docs/docs/guides/manage/self-hosted/configure/configure.mdx
View File

@ -1,5 +1,5 @@
---
title: Configure
title: Configuration Options
---
import Tabs from "@theme/Tabs";
@ -10,16 +10,16 @@ import Helm from './_helm.mdx'
# Configure ZITADEL
This guide assumes you are already familiar with [running ZITADEL with the most minimal configuration possible](./run).
This guide assumes you are already familiar with [running ZITADEL with the most minimal configuration possible](../../deploy/overview).
## Configuration Files
### Runtime Configuration
See a description of all possible _runtime configuration_ options with their defaults [in the source code](https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml).
See a description of all possible _runtime configuration_ options with their defaults [in the source code](https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml).
The `zitadel` binary expects the `--config` flag for this configuration.
### Database Initialization
Apart from these options, ZITADEL uses a [different configuration](https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/admin/setup/steps.yaml) for _database initialization steps_.
Apart from these options, ZITADEL uses a [different configuration](https://github.com/zitadel/zitadel/blob/main/cmd/admin/setup/steps.yaml) for _database initialization steps_.
The `zitadel` binary expects the `--steps` flag for this configuration.
### Split Configuration
@ -72,12 +72,12 @@ This is the IAM admin users login according to your configuration in the [exampl
## What's next
- Read more about [the login process](../../manuals/user-login).
- Read more about [the login process](../../../manuals/user-login).
- If you want to run ZITADEL in production, you most certainly need to [customize your own domain](./custom-domain).
- Check out all possible [runtime configuration properties and their defaults in the source code](https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml)
- Check out all possible [setup step configuration properties and their defaults in the source code](https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/setup/steps.yaml)
- Check out all possible [runtime configuration properties and their defaults in the source code](https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml)
- Check out all possible [setup step configuration properties and their defaults in the source code](https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml)
:::caution
<!-- TODO: Better mark the link in the UI -->
The ZITADEL management console [requires end-to-end HTTP/2 support](./http2-support)
The ZITADEL management console [requires end-to-end HTTP/2 support](/docs/guides/manage/self-hosted/http2)

2
docs/docs/guides/installation/configure/docker-compose.yaml → docs/docs/guides/manage/self-hosted/configure/docker-compose.yaml
View File

@ -6,7 +6,7 @@ services:
restart: 'always'
networks:
- 'zitadel'
image: 'ghcr.io/zitadel/zitadel:v2.0.0-v2-alpha.39-amd64'
image: 'ghcr.io/zitadel/zitadel:v2.0.0-amd64'
command: 'start-from-init --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml --steps /example-zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}" --tlsMode disabled'
depends_on:
chown:

2
docs/docs/guides/installation/configure/example-zitadel-config.yaml → docs/docs/guides/manage/self-hosted/configure/example-zitadel-config.yaml
View File

@ -1,4 +1,4 @@
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
Log:
Level: 'info'

2
docs/docs/guides/installation/configure/example-zitadel-init-steps.yaml → docs/docs/guides/manage/self-hosted/configure/example-zitadel-init-steps.yaml
View File

@ -1,4 +1,4 @@
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/adminn/setup/steps.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/adminn/setup/steps.yaml
FirstInstance:
Org:
Human:

2
docs/docs/guides/installation/configure/example-zitadel-secrets.yaml → docs/docs/guides/manage/self-hosted/configure/example-zitadel-secrets.yaml
View File

@ -1,4 +1,4 @@
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
# If not using the docker compose example, adjust these values for connecting ZITADEL to your CockroachDB
Database:

2
docs/docs/guides/installation/configure/example-zitadel-values-secrets.yaml → docs/docs/guides/manage/self-hosted/configure/example-zitadel-values-secrets.yaml
View File

@ -1,4 +1,4 @@
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
zitadel:
masterkey: 'MasterkeyNeedsToHave32Characters'

2
docs/docs/guides/installation/configure/example-zitadel-values.yaml → docs/docs/guides/manage/self-hosted/configure/example-zitadel-values.yaml
View File

@ -1,4 +1,4 @@
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/v2-alpha/cmd/defaults.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
zitadel:
configmapConfig:
Log:

2
docs/docs/guides/installation/custom-domain.md → docs/docs/guides/manage/self-hosted/custom-domain.md
View File

@ -27,4 +27,4 @@ In this case the `ExternalDomain`-field of the configuration is used.
## Example
Go to the [loadbalancing example with Traefik](./loadbalancing-example) for seeing a working example configuration.
Go to the [loadbalancing example with Traefik](../../deploy/loadbalancing-example) for seeing a working example configuration.

15
docs/docs/guides/manage/self-hosted/http2.mdx Normal file
View File

@ -0,0 +1,15 @@
---
title: HTTP/2 Support
---
ZITADEL follows a strict API first approach and makes heavy use of the modern API framework called [gRPC](https://grpc.io/).
Besides gRPC all APIs are also available in an openapi Rest fashion as well as in gRPC-web for compatibilty towards browser integrations.
To make us of gRPC it is vital to allow your clients to communicate with ZITADEL with [HTTP/2](https://en.wikipedia.org/wiki/HTTP/2).
Sometimes you need to configure explicitly that you want to use HTTP/2 if you run ZITADEL behind a proxy and below you should find examples for different vendors and projects.
Furthermore it is important to notice that by default HTTP/2 is always encrypted, but if you want to run ZITADEL without TLS from your proxy or service mesh this is possible through [h2c](https://httpd.apache.org/docs/2.4/howto/http2.html).
Oftentimes when you run ZITADEL inside a service mesh, or a servelerss offering (e.g. Google Cloud Run, Knative, ...) you will need h2c.
You can read more about ZITADEL's [TLSs modes here](/docs/guides/manage/self-hosted/tls_modes).

25
docs/docs/guides/manage/self-hosted/proxy/_caddy.mdx Normal file
View File

@ -0,0 +1,25 @@
## TLS mode external
```bash
https://localhost {
reverse_proxy h2c://localhost:8080
tls internal #only non production
}
```
## TLS mode enabled
```bash
https://localhost {
reverse_proxy https://localhost:8080
tls internal #only non production
}
```
## TLS mode disabled
```bash
http://localhost {
reverse_proxy h2c://localhost:8080
}
```

18
docs/docs/guides/manage/self-hosted/proxy/_cloudflare.mdx Normal file
View File

@ -0,0 +1,18 @@
## Settings
- [Make sure HTTP/2 is enabled](https://support.cloudflare.com/hc/en-us/articles/200168076-Understanding-Cloudflare-HTTP-2-and-HTTP-3-Support)
- [Verify that gRPC is enabled](https://support.cloudflare.com/hc/en-us/articles/360050483011-Understanding-Cloudflare-gRPC-support)
- [Verify that traffic is proxied through cloudflare](https://developers.cloudflare.com/dns/manage-dns-records/reference/proxied-dns-records/)
- [Configure ZITADEL to use the TLS Mode enabled](./tls_modes#enabled)
:::info
[Cloudflare does only support gRPC with TLS!](https://support.cloudflare.com/hc/en-us/articles/360050483011-Understanding-Cloudflare-gRPC-support)
:::
## Troubleshooting
If something is not working please check the cloudflare WAF rules for potential violations.
These two rules are known to be triggered:
- 100001 Anomaly:Header:User-Agent - Missing Cloudflare Specials
- 100004 Anomaly:Header:User-Agent, Anomaly:Header:Referer - Missing or empty

3
docs/docs/guides/manage/self-hosted/proxy/_cloudflare_tunnel.mdx Normal file
View File

@ -0,0 +1,3 @@
:::caution
[The Cloudflare tunnel client currently has an issue which allows it not to force HTTP/2 usage towards the origin.](https://github.com/cloudflare/cloudflared/issues/682)

4
docs/docs/guides/manage/self-hosted/proxy/_more.mdx Normal file
View File

@ -0,0 +1,4 @@
## More information
- [You can read here about the TLS Modes](./tls_modes)
- [And here about how ZITADEL makes use of HTTP/2](./http2)

65
docs/docs/guides/manage/self-hosted/proxy/_nginx.mdx Normal file
View File

@ -0,0 +1,65 @@
## TLS mode external
```bash
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 443;
ssl_certificate ssl/certificate.pem;
ssl_certificate_key ssl/key.pem;
location / {
grpc_pass grpc://localhost:8080;
grpc_set_header Host $host:$server_port;
}
}
}
```
## TLS mode enabled
```bash
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 443;
ssl_certificate ssl/certificate.pem;
ssl_certificate_key ssl/key.pem;
location / {
grpc_pass grpcs://localhost:8080;
grpc_set_header Host $host:$server_port;
}
}
}
```
## TLS mode disabled
```bash
worker_processes 1;
events {
worker_connections 1024;
}
http {
server {
listen 80;
location / {
grpc_pass grpc://localhost:8080;
grpc_set_header Host $host:$server_port;
}
}
}
```

144
docs/docs/guides/manage/self-hosted/proxy/_traefik.mdx Normal file
View File

@ -0,0 +1,144 @@
## TLS mode external
```yaml
entrypoints:
web:
address: ":80"
websecure:
address: ":443"
tls:
stores:
default:
defaultCertificate:
providers:
file:
filename: /etc/traefik/traefik.yaml
http:
middlewares:
zitadel:
headers:
isDevelopment: false
allowedHosts:
- 'localhost'
redirect-to-https:
redirectScheme:
scheme: https
port: 443
permanent: true
routers:
router0:
entryPoints:
- web
middlewares:
- redirect-to-https
rule: 'HostRegexp(`localhost`, `{subdomain:[a-z]+}.localhost`)'
service: zitadel
router1:
entryPoints:
- websecure
service: zitadel
middlewares:
- zitadel
rule: 'HostRegexp(`localhost`, `{subdomain:[a-z]+}.localhost`)'
tls:
domains:
- main: "localhost"
sans:
- "*.localhost"
- "localhost"
services:
zitadel:
loadBalancer:
servers:
- url: h2c://localhost:8080
passHostHeader: true
```
## TLS mode enabled
```yaml
entrypoints:
web:
address: ":80"
websecure:
address: ":443"
tls:
stores:
default:
defaultCertificate:
providers:
file:
filename: /etc/traefik/traefik.yaml
http:
middlewares:
zitadel:
headers:
isDevelopment: false
allowedHosts:
- 'localhost'
redirect-to-https:
redirectScheme:
scheme: https
port: 443
permanent: true
routers:
router0:
entryPoints:
- web
middlewares:
- redirect-to-https
rule: 'HostRegexp(`localhost`, `{subdomain:[a-z]+}.localhost`)'
service: zitadel
# The actual ZITADEL router
router1:
entryPoints:
- websecure
service: zitadel
middlewares:
- zitadel
rule: 'HostRegexp(`localhost`, `{subdomain:[a-z]+}.localhost`)'
tls:
domains:
- main: "localhost"
sans:
- "*.localhost"
- "localhost"
services:
zitadel:
loadBalancer:
servers:
- url: https://localhost:8080
passHostHeader: true
```
## TLS mode disabled
```yaml
entrypoints:
web:
address: ":80"
providers:
file:
filename: /etc/traefik/traefik.yaml
http:
middlewares:
zitadel:
headers:
isDevelopment: false
allowedHosts:
- 'localhost'
routers:
router0:
entryPoints:
- web
middlewares:
- redirect-to-https
rule: 'HostRegexp(`localhost`, `{subdomain:[a-z]+}.localhost`)'
service: zitadel
services:
zitadel:
loadBalancer:
servers:
- url: h2c://localhost:8080
passHostHeader: true
```

Some files were not shown because too many files have changed in this diff Show More