feat: add default redirect uri and handling of unknown usernames (#3616)

* feat: add possibility to ignore username errors on first login screen * console changes * fix: handling of unknown usernames (#3445) * fix: handling of unknown usernames * fix: handle HideLoginNameSuffix on unknown users * feat: add default redirect uri on login policy (#3607) * feat: add default redirect uri on login policy * fix tests * feat: Console login policy default redirect (#3613) * console default redirect * placeholder * validate default redirect uri * allow empty default redirect uri Co-authored-by: Max Peintner <max@caos.ch> * remove wonrgly cherry picked migration Co-authored-by: Max Peintner <max@caos.ch>
2025-08-12 01:37:31 +00:00 · 2022-05-16 15:39:09 +02:00
parent f1fa74a2c0
commit 411d7c6c5c
69 changed files with 655 additions and 107 deletions
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@@ -3478,7 +3478,7 @@ message AddCustomDomainPolicyRequest {
 			required: ["org_id"]
 		};
 	};
-    
+
    string org_id = 1 [
        (validate.rules).string = {min_len: 1, max_len: 200},
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -3677,11 +3677,21 @@ message UpdateLoginPolicyRequest {
            description: "defines if password reset link should be shown in the login screen"
        }
    ];
-    google.protobuf.Duration password_check_lifetime = 7;
-    google.protobuf.Duration external_login_check_lifetime = 8;
-    google.protobuf.Duration mfa_init_skip_lifetime = 9;
-    google.protobuf.Duration second_factor_check_lifetime = 10;
-    google.protobuf.Duration multi_factor_check_lifetime = 11;
+    bool ignore_unknown_usernames = 7 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines if unknown username on login screen directly return an error or always display the password screen"
+        }
+    ];
+    string default_redirect_uri = 8 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines where the user will be redirected to if the login is started without app context (e.g. from mail)"
+        }
+    ];
+    google.protobuf.Duration password_check_lifetime = 9;
+    google.protobuf.Duration external_login_check_lifetime = 10;
+    google.protobuf.Duration mfa_init_skip_lifetime = 11;
+    google.protobuf.Duration second_factor_check_lifetime = 12;
+    google.protobuf.Duration multi_factor_check_lifetime = 13;
 }

 message UpdateLoginPolicyResponse {
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@@ -4344,11 +4344,21 @@ message AddCustomLoginPolicyRequest {
    bool force_mfa = 4;
    zitadel.policy.v1.PasswordlessType passwordless_type = 5 [(validate.rules).enum = {defined_only: true}];
    bool hide_password_reset = 6;
-    google.protobuf.Duration password_check_lifetime = 7;
-    google.protobuf.Duration external_login_check_lifetime = 8;
-    google.protobuf.Duration mfa_init_skip_lifetime = 9;
-    google.protobuf.Duration second_factor_check_lifetime = 10;
-    google.protobuf.Duration multi_factor_check_lifetime = 11;
+    bool ignore_unknown_usernames = 7 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines if unknown username on login screen directly return an error or always display the password screen"
+        }
+    ];
+    string default_redirect_uri = 8 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines where the user will be redirected to if the login is started without app context (e.g. from mail)"
+        }
+    ];
+    google.protobuf.Duration password_check_lifetime = 9;
+    google.protobuf.Duration external_login_check_lifetime = 10;
+    google.protobuf.Duration mfa_init_skip_lifetime = 11;
+    google.protobuf.Duration second_factor_check_lifetime = 12;
+    google.protobuf.Duration multi_factor_check_lifetime = 13;
 }

 message AddCustomLoginPolicyResponse {
@@ -4362,11 +4372,21 @@ message UpdateCustomLoginPolicyRequest {
    bool force_mfa = 4;
    zitadel.policy.v1.PasswordlessType passwordless_type = 5 [(validate.rules).enum = {defined_only: true}];
    bool hide_password_reset = 6;
-    google.protobuf.Duration password_check_lifetime = 7;
-    google.protobuf.Duration external_login_check_lifetime = 8;
-    google.protobuf.Duration mfa_init_skip_lifetime = 9;
-    google.protobuf.Duration second_factor_check_lifetime = 10;
-    google.protobuf.Duration multi_factor_check_lifetime = 11;
+    bool ignore_unknown_usernames = 7 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines if unknown username on login screen directly return an error or always display the password screen"
+        }
+    ];
+    string default_redirect_uri = 8 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines where the user will be redirected to if the login is started without app context (e.g. from mail)"
+        }
+    ];
+    google.protobuf.Duration password_check_lifetime = 9;
+    google.protobuf.Duration external_login_check_lifetime = 10;
+    google.protobuf.Duration mfa_init_skip_lifetime = 11;
+    google.protobuf.Duration second_factor_check_lifetime = 12;
+    google.protobuf.Duration multi_factor_check_lifetime = 13;
 }

 message UpdateCustomLoginPolicyResponse {
--- a/proto/zitadel/policy.proto
+++ b/proto/zitadel/policy.proto
@@ -149,11 +149,21 @@ message LoginPolicy {
            description: "defines if password reset link should be shown in the login screen"
        }
    ];
-    google.protobuf.Duration password_check_lifetime = 9;
-    google.protobuf.Duration external_login_check_lifetime = 10;
-    google.protobuf.Duration mfa_init_skip_lifetime = 11;
-    google.protobuf.Duration second_factor_check_lifetime = 12;
-    google.protobuf.Duration multi_factor_check_lifetime = 13;
+    bool ignore_unknown_usernames = 9 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines if unknown username on login screen directly return an error or always display the password screen"
+        }
+    ];
+    string default_redirect_uri = 10 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "defines where the user will be redirected to if the login is started without app context (e.g. from mail)"
+        }
+    ];
+    google.protobuf.Duration password_check_lifetime = 11;
+    google.protobuf.Duration external_login_check_lifetime = 12;
+    google.protobuf.Duration mfa_init_skip_lifetime = 13;
+    google.protobuf.Duration second_factor_check_lifetime = 14;
+    google.protobuf.Duration multi_factor_check_lifetime = 15;

 }