feat: trusted (instance) domains (#8369)

# Which Problems Are Solved ZITADEL currently selects the instance context based on a HTTP header (see https://github.com/zitadel/zitadel/issues/8279#issue-2399959845 and checks it against the list of instance domains. Let's call it instance or API domain. For any context based URL (e.g. OAuth, OIDC, SAML endpoints, links in emails, ...) the requested domain (instance domain) will be used. Let's call it the public domain. In cases of proxied setups, all exposed domains (public domains) require the domain to be managed as instance domain. This can either be done using the "ExternalDomain" in the runtime config or via system API, which requires a validation through CustomerPortal on zitadel.cloud. # How the Problems Are Solved - Two new headers / header list are added: - `InstanceHostHeaders`: an ordered list (first sent wins), which will be used to match the instance. (For backward compatibility: the `HTTP1HostHeader`, `HTTP2HostHeader` and `forwarded`, `x-forwarded-for`, `x-forwarded-host` are checked afterwards as well) - `PublicHostHeaders`: an ordered list (first sent wins), which will be used as public host / domain. This will be checked against a list of trusted domains on the instance. - The middleware intercepts all requests to the API and passes a `DomainCtx` object with the hosts and protocol into the context (previously only a computed `origin` was passed) - HTTP / GRPC server do not longer try to match the headers to instances themself, but use the passed `http.DomainContext` in their interceptors. - The `RequestedHost` and `RequestedDomain` from authz.Instance are removed in favor of the `http.DomainContext` - When authenticating to or signing out from Console UI, the current `http.DomainContext(ctx).Origin` (already checked by instance interceptor for validity) is used to compute and dynamically add a `redirect_uri` and `post_logout_redirect_uri`. - Gateway passes all configured host headers (previously only did `x-zitadel-*`) - Admin API allows to manage trusted domain # Additional Changes None # Additional Context - part of #8279 - open topics: - "single-instance" mode - Console UI
2025-08-11 18:07:31 +00:00 · 2024-07-31 17:00:38 +02:00
parent cc3ec1e2a7
commit 3d071fc505
94 changed files with 1693 additions and 674 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -83,9 +83,17 @@ TLS:
  Cert: # ZITADEL_TLS_CERT

 # Header name of HTTP2 (incl. gRPC) calls from which the instance will be matched
+# Deprecated: Use the InstanceHostHeaders instead
 HTTP2HostHeader: ":authority" # ZITADEL_HTTP2HOSTHEADER
 # Header name of HTTP1 calls from which the instance will be matched
+# Deprecated: Use the InstanceHostHeaders instead
 HTTP1HostHeader: "host" # ZITADEL_HTTP1HOSTHEADER
+# Ordered header name list, which will be used to match the instance
+InstanceHostHeaders: # ZITADEL_INSTANCEHOSTHEADERS
+  - "x-zitadel-instance-host"
+# Ordered header name list, which will be used as the public host
+PublicHostHeaders: # ZITADEL_PUBLICHOSTHEADERS
+  - "x-zitadel-public-host"

 WebAuthNName: ZITADEL # ZITADEL_WEBAUTHNNAME

--- a/cmd/start/config.go
+++ b/cmd/start/config.go
@@ -35,40 +35,42 @@ import (
 )

 type Config struct {
-	Log               *logging.Config
-	Port              uint16
-	ExternalPort      uint16
-	ExternalDomain    string
-	ExternalSecure    bool
-	TLS               network.TLS
-	HTTP2HostHeader   string
-	HTTP1HostHeader   string
-	WebAuthNName      string
-	Database          database.Config
-	Tracing           tracing.Config
-	Metrics           metrics.Config
-	Projections       projection.Config
-	Auth              auth_es.Config
-	Admin             admin_es.Config
-	UserAgentCookie   *middleware.UserAgentCookieConfig
-	OIDC              oidc.Config
-	SAML              saml.Config
-	Login             login.Config
-	Console           console.Config
-	AssetStorage      static_config.AssetStorageConfig
-	InternalAuthZ     internal_authz.Config
-	SystemDefaults    systemdefaults.SystemDefaults
-	EncryptionKeys    *encryption.EncryptionKeyConfig
-	DefaultInstance   command.InstanceSetup
-	AuditLogRetention time.Duration
-	SystemAPIUsers    map[string]*internal_authz.SystemAPIUser
-	CustomerPortal    string
-	Machine           *id.Config
-	Actions           *actions.Config
-	Eventstore        *eventstore.Config
-	LogStore          *logstore.Configs
-	Quotas            *QuotasConfig
-	Telemetry         *handlers.TelemetryPusherConfig
+	Log                 *logging.Config
+	Port                uint16
+	ExternalPort        uint16
+	ExternalDomain      string
+	ExternalSecure      bool
+	TLS                 network.TLS
+	InstanceHostHeaders []string
+	PublicHostHeaders   []string
+	HTTP2HostHeader     string
+	HTTP1HostHeader     string
+	WebAuthNName        string
+	Database            database.Config
+	Tracing             tracing.Config
+	Metrics             metrics.Config
+	Projections         projection.Config
+	Auth                auth_es.Config
+	Admin               admin_es.Config
+	UserAgentCookie     *middleware.UserAgentCookieConfig
+	OIDC                oidc.Config
+	SAML                saml.Config
+	Login               login.Config
+	Console             console.Config
+	AssetStorage        static_config.AssetStorageConfig
+	InternalAuthZ       internal_authz.Config
+	SystemDefaults      systemdefaults.SystemDefaults
+	EncryptionKeys      *encryption.EncryptionKeyConfig
+	DefaultInstance     command.InstanceSetup
+	AuditLogRetention   time.Duration
+	SystemAPIUsers      map[string]*internal_authz.SystemAPIUser
+	CustomerPortal      string
+	Machine             *id.Config
+	Actions             *actions.Config
+	Eventstore          *eventstore.Config
+	LogStore            *logstore.Configs
+	Quotas              *QuotasConfig
+	Telemetry           *handlers.TelemetryPusherConfig
 }

 type QuotasConfig struct {
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -59,6 +59,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/robots_txt"
 	"github.com/zitadel/zitadel/internal/api/saml"
 	"github.com/zitadel/zitadel/internal/api/ui/console"
+	"github.com/zitadel/zitadel/internal/api/ui/console/path"
 	"github.com/zitadel/zitadel/internal/api/ui/login"
 	auth_es "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
 	"github.com/zitadel/zitadel/internal/authz"
@@ -346,7 +347,7 @@ func startAPIs(
 	}
 	oidcPrefixes := []string{"/.well-known/openid-configuration", "/oidc/v1", "/oauth/v2"}
 	// always set the origin in the context if available in the http headers, no matter for what protocol
-	router.Use(middleware.WithOrigin(config.ExternalSecure))
+	router.Use(middleware.WithOrigin(config.ExternalSecure, config.HTTP1HostHeader, config.HTTP2HostHeader, config.InstanceHostHeaders, config.PublicHostHeaders))
 	systemTokenVerifier, err := internal_authz.StartSystemTokenVerifierFromConfig(http_util.BuildHTTP(config.ExternalDomain, config.ExternalPort, config.ExternalSecure), config.SystemAPIUsers)
 	if err != nil {
 		return nil, err
@@ -374,7 +375,7 @@ func startAPIs(
 		http_util.WithMaxAge(int(math.Floor(config.Quotas.Access.ExhaustedCookieMaxAge.Seconds()))),
 	)
 	limitingAccessInterceptor := middleware.NewAccessInterceptor(accessSvc, exhaustedCookieHandler, &config.Quotas.Access.AccessConfig)
-	apis, err := api.New(ctx, config.Port, router, queries, verifier, config.InternalAuthZ, tlsConfig, config.HTTP2HostHeader, config.HTTP1HostHeader, config.ExternalDomain, limitingAccessInterceptor)
+	apis, err := api.New(ctx, config.Port, router, queries, verifier, config.InternalAuthZ, tlsConfig, config.ExternalDomain, append(config.InstanceHostHeaders, config.PublicHostHeaders...), limitingAccessInterceptor)
 	if err != nil {
 		return nil, fmt.Errorf("error creating api %w", err)
 	}
@@ -396,25 +397,25 @@ func startAPIs(
 	if err := apis.RegisterServer(ctx, system.CreateServer(commands, queries, config.Database.DatabaseName(), config.DefaultInstance, config.ExternalDomain), tlsConfig); err != nil {
 		return nil, err
 	}
-	if err := apis.RegisterServer(ctx, admin.CreateServer(config.Database.DatabaseName(), commands, queries, config.SystemDefaults, config.ExternalSecure, keys.User, config.AuditLogRetention), tlsConfig); err != nil {
+	if err := apis.RegisterServer(ctx, admin.CreateServer(config.Database.DatabaseName(), commands, queries, keys.User, config.AuditLogRetention), tlsConfig); err != nil {
 		return nil, err
 	}
-	if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, keys.User, config.ExternalSecure), tlsConfig); err != nil {
+	if err := apis.RegisterServer(ctx, management.CreateServer(commands, queries, config.SystemDefaults, keys.User), tlsConfig); err != nil {
 		return nil, err
 	}
-	if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, keys.User, config.ExternalSecure), tlsConfig); err != nil {
+	if err := apis.RegisterServer(ctx, auth.CreateServer(commands, queries, authRepo, config.SystemDefaults, keys.User), tlsConfig); err != nil {
 		return nil, err
 	}
-	if err := apis.RegisterService(ctx, user_v2beta.CreateServer(commands, queries, keys.User, keys.IDPConfig, idp.CallbackURL(config.ExternalSecure), idp.SAMLRootURL(config.ExternalSecure), assets.AssetAPI(config.ExternalSecure), permissionCheck)); err != nil {
+	if err := apis.RegisterService(ctx, user_v2beta.CreateServer(commands, queries, keys.User, keys.IDPConfig, idp.CallbackURL(), idp.SAMLRootURL(), assets.AssetAPI(), permissionCheck)); err != nil {
 		return nil, err
 	}
-	if err := apis.RegisterService(ctx, user_v2.CreateServer(commands, queries, keys.User, keys.IDPConfig, idp.CallbackURL(config.ExternalSecure), idp.SAMLRootURL(config.ExternalSecure), assets.AssetAPI(config.ExternalSecure), permissionCheck)); err != nil {
+	if err := apis.RegisterService(ctx, user_v2.CreateServer(commands, queries, keys.User, keys.IDPConfig, idp.CallbackURL(), idp.SAMLRootURL(), assets.AssetAPI(), permissionCheck)); err != nil {
 		return nil, err
 	}
 	if err := apis.RegisterService(ctx, session_v2beta.CreateServer(commands, queries)); err != nil {
 		return nil, err
 	}
-	if err := apis.RegisterService(ctx, settings_v2beta.CreateServer(commands, queries, config.ExternalSecure)); err != nil {
+	if err := apis.RegisterService(ctx, settings_v2beta.CreateServer(commands, queries)); err != nil {
 		return nil, err
 	}
 	if err := apis.RegisterService(ctx, org_v2beta.CreateServer(commands, queries, permissionCheck)); err != nil {
@@ -426,7 +427,7 @@ func startAPIs(
 	if err := apis.RegisterService(ctx, session_v2.CreateServer(commands, queries)); err != nil {
 		return nil, err
 	}
-	if err := apis.RegisterService(ctx, settings_v2.CreateServer(commands, queries, config.ExternalSecure)); err != nil {
+	if err := apis.RegisterService(ctx, settings_v2.CreateServer(commands, queries)); err != nil {
 		return nil, err
 	}
 	if err := apis.RegisterService(ctx, org_v2.CreateServer(commands, queries, permissionCheck)); err != nil {
@@ -441,11 +442,11 @@ func startAPIs(
 	if err := apis.RegisterService(ctx, user_schema_v3_alpha.CreateServer(commands, queries)); err != nil {
 		return nil, err
 	}
-	instanceInterceptor := middleware.InstanceInterceptor(queries, config.HTTP1HostHeader, config.ExternalDomain, login.IgnoreInstanceEndpoints...)
+	instanceInterceptor := middleware.InstanceInterceptor(queries, config.ExternalDomain, login.IgnoreInstanceEndpoints...)
 	assetsCache := middleware.AssetsCacheInterceptor(config.AssetStorage.Cache.MaxAge, config.AssetStorage.Cache.SharedMaxAge)
 	apis.RegisterHandlerOnPrefix(assets.HandlerPrefix, assets.NewHandler(commands, verifier, config.InternalAuthZ, id.SonyFlakeGenerator(), store, queries, middleware.CallDurationHandler, instanceInterceptor.Handler, assetsCache.Handler, limitingAccessInterceptor.Handle))

-	apis.RegisterHandlerOnPrefix(idp.HandlerPrefix, idp.NewHandler(commands, queries, keys.IDPConfig, config.ExternalSecure, instanceInterceptor.Handler))
+	apis.RegisterHandlerOnPrefix(idp.HandlerPrefix, idp.NewHandler(commands, queries, keys.IDPConfig, instanceInterceptor.Handler))

 	userAgentInterceptor, err := middleware.NewUserAgentHandler(config.UserAgentCookie, keys.UserAgentCookieKey, id.SonyFlakeGenerator(), config.ExternalSecure, login.EndpointResources, login.EndpointExternalLoginCallbackFormPost, login.EndpointSAMLACS)
 	if err != nil {
@@ -482,8 +483,8 @@ func startAPIs(
 	if err != nil {
 		return nil, fmt.Errorf("unable to start console: %w", err)
 	}
-	apis.RegisterHandlerOnPrefix(console.HandlerPrefix, c)
-	consolePath := console.HandlerPrefix + "/"
+	apis.RegisterHandlerOnPrefix(path.HandlerPrefix, c)
+	consolePath := path.HandlerPrefix + "/"
 	l, err := login.CreateLogin(
 		config.Login,
 		commands,