From e7a73eb6b1b68f3193cdffa1c404642643dcb88d Mon Sep 17 00:00:00 2001
From: Livio Spring
Date: Mon, 10 Feb 2025 14:46:28 +0100
Subject: [PATCH 1/2] fix(oidc / login v2): always us login v2 if x-zitadel-login-client header is sent (#9336)

# Which Problems Are Solved

As reported in #9311, even when providing a `x-zitadel-login-client` header, the auth request would be created as hosted login UI / V1 request. This is due to a change introduced with #9071, where the login UI version can be specified using the app configuration. The configuration set to V1 was not considering if the header was sent.

# How the Problems Are Solved

- Check presence of `x-zitadel-login-client` before the configuration. Use later only if no header is set.

# Additional Changes

None

# Additional Context

- closes #9311
- needs back ports to 2.67.x, 2.68.x and 2.69.x

---
 internal/api/oidc/auth_request.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/internal/api/oidc/auth_request.go b/internal/api/oidc/auth_request.go
index 14a97e49ec..793001045c 100644
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -46,6 +46,11 @@ func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest
 headers, _ := http_utils.HeadersFromCtx(ctx)
 loginClient := headers.Get(LoginClientHeader)
+ // for backwards compatibility we'll use the new login if the header is set (no matter the other configs)
+ if loginClient != "" {
+ return o.createAuthRequestLoginClient(ctx, req, userID, loginClient)
+ }
+
 // if the instance requires the v2 login, use it no matter what the application configured
 if authz.GetFeatures(ctx).LoginV2.Required {
 return o.createAuthRequestLoginClient(ctx, req, userID, loginClient)
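Review bot: The added early return sends any request carrying a non-empty `x-zitadel-login-client` header to `createAuthRequestLoginClient` before both the instance feature check and the per-application login version are consulted, so an application explicitly configured for the V1 login is now overridden by a request header, and the comment on the new block should state that and name where the header value is authenticated. `headers` is read from the request context via `http_utils.HeadersFromCtx(ctx)` (its second return value is discarded on the context line above) and nothing in the hunk validates `loginClient` before the return; presumably `createAuthRequestLoginClient` authorizes the login client, but that is outside this hunk and worth confirming. Suggested comment: `// a present x-zitadel-login-client header always selects the V2 login flow, overriding the instance feature flag and the app's configured login version; the header value is authorized in createAuthRequestLoginClient (confirm)`. A regression test covering an app configured for V1 with the header present, and the same app with the header absent, would pin the behaviour #9311 reported and the fallback the second hunk's default branch now relies on. `CreateAuthRequest` begins before this hunk and continues past it.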
@@ -64,10 +69,7 @@ func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest
 case domain.LoginVersionUnspecified:
 fallthrough
 default:
- // if undefined, use the v2 login if the header is sent, to retain the current behavior
- if loginClient != "" {
- return o.createAuthRequestLoginClient(ctx, req, userID, loginClient)
- }
+ // since we already checked for a login header, we can fall back to the v1 login
 return o.createAuthRequest(ctx, req, userID)
 }
 }

From 824228736c8b80cda4a9efa49ee9a4b215828ad3 Mon Sep 17 00:00:00 2001
From: Jim Morrison
Date: Mon, 10 Feb 2025 23:52:38 -0800
Subject: [PATCH 2/2] docs: Zitadel README.md Community Call Ref (#9339)

# Which Problems Are Solved

Removal of Community Call reference for the moment until further reviewed on next steps forward from group.

# How the Problems Are Solved

Removed table and text of Community call out.

---
 README.md | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/README.md b/README.md
index f2f4d9a772..592952cdc2 100644
--- a/README.md
+++ b/README.md
@@ -28,10 +28,6 @@

-|Community Meeting|
-|------------------|
-|ZITADEL holds bi-weekly community calls. To join the community calls or to watch previous meeting notes and recordings, please visit the [meeting schedule](https://github.com/zitadel/zitadel/blob/main/MEETING_SCHEDULE.md).|
-
 Are you searching for a user management tool that is quickly set up like Auth0 and open source like Keycloak? Do you have a project that requires multi-tenant user management with self-service for your customers?