feat: specify login UI version on instance and apps (#9071)

# Which Problems Are Solved To be able to migrate or test the new login UI, admins might want to (temporarily) switch individual apps. At a later point admin might want to make sure all applications use the new login UI. # How the Problems Are Solved - Added a feature flag `` on instance level to require all apps to use the new login and provide an optional base url. - if the flag is enabled, all (OIDC) applications will automatically use the v2 login. - if disabled, applications can decide based on their configuration - Added an option on OIDC apps to use the new login UI and an optional base url. - Removed the requirement to use `x-zitadel-login-client` to be redirected to the login V2 and retrieve created authrequest and link them to SSO sessions. - Added a new "IAM_LOGIN_CLIENT" role to allow management of users, sessions, grants and more without `x-zitadel-login-client`. # Additional Changes None # Additional Context closes https://github.com/zitadel/zitadel/issues/8702
2025-08-12 04:07:31 +00:00 · 2024-12-19 10:37:46 +01:00
parent b5e92a6144
commit 50d2b26a28
89 changed files with 1670 additions and 321 deletions
--- a/cmd/defaults.yaml
+++ b/cmd/defaults.yaml
@@ -1289,6 +1289,7 @@ InternalAuthZ:
        - "project.grant.member.delete"
        - "events.read"
        - "milestones.read"
+        - "session.read"
        - "session.delete"
        - "action.target.read"
        - "action.target.write"
@@ -1481,6 +1482,43 @@ InternalAuthZ:
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "session.delete"
+    - Role: "IAM_LOGIN_CLIENT"
+      Permissions:
+        - "iam.read"
+        - "iam.policy.read"
+        - "iam.member.read"
+        - "iam.member.write"
+        - "iam.idp.read"
+        - "iam.feature.read"
+        - "iam.restrictions.read"
+        - "org.read"
+        - "org.member.read"
+        - "org.member.write"
+        - "org.idp.read"
+        - "org.feature.read"
+        - "user.read"
+        - "user.write"
+        - "user.grant.read"
+        - "user.grant.write"
+        - "user.membership.read"
+        - "user.credential.write"
+        - "user.passkey.write"
+        - "user.feature.read"
+        - "policy.read"
+        - "project.read"
+        - "project.member.read"
+        - "project.member.write"
+        - "project.role.read"
+        - "project.app.read"
+        - "project.member.read"
+        - "project.member.write"
+        - "project.grant.read"
+        - "project.grant.member.read"
+        - "project.grant.member.write"
+        - "session.read"
+        - "session.link"
+        - "session.delete"
+        - "userschema.read"
    - Role: "ORG_USER_MANAGER"
      Permissions:
        - "org.read"