feat: specify login UI version on instance and apps (#9071)

# Which Problems Are Solved To be able to migrate or test the new login UI, admins might want to (temporarily) switch individual apps. At a later point admin might want to make sure all applications use the new login UI. # How the Problems Are Solved - Added a feature flag `` on instance level to require all apps to use the new login and provide an optional base url. - if the flag is enabled, all (OIDC) applications will automatically use the v2 login. - if disabled, applications can decide based on their configuration - Added an option on OIDC apps to use the new login UI and an optional base url. - Removed the requirement to use `x-zitadel-login-client` to be redirected to the login V2 and retrieve created authrequest and link them to SSO sessions. - Added a new "IAM_LOGIN_CLIENT" role to allow management of users, sessions, grants and more without `x-zitadel-login-client`. # Additional Changes None # Additional Context closes https://github.com/zitadel/zitadel/issues/8702
2025-08-12 04:57:33 +00:00 · 2024-12-19 10:37:46 +01:00
parent b5e92a6144
commit 50d2b26a28
89 changed files with 1670 additions and 321 deletions
--- a/internal/api/grpc/feature/v2/converter_test.go
+++ b/internal/api/grpc/feature/v2/converter_test.go
@@ -1,6 +1,7 @@
 package feature

 import (
+	"net/url"
 	"testing"
 	"time"

@@ -26,6 +27,10 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		OidcTokenExchange:                   gu.Ptr(true),
 		ImprovedPerformance:                 nil,
 		OidcSingleV1SessionTermination:      gu.Ptr(true),
+		LoginV2: &feature_pb.LoginV2{
+			Required: true,
+			BaseUri:  gu.Ptr("https://login.com"),
+		},
 	}
 	want := &command.SystemFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -36,9 +41,14 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		TokenExchange:                   gu.Ptr(true),
 		ImprovedPerformance:             nil,
 		OIDCSingleV1SessionTermination:  gu.Ptr(true),
+		LoginV2: &feature.LoginV2{
+			Required: true,
+			BaseURI:  &url.URL{Scheme: "https", Host: "login.com"},
+		},
 	}
-	got := systemFeaturesToCommand(arg)
+	got, err := systemFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
+	assert.NoError(t, err)
 }

 func Test_systemFeaturesToPb(t *testing.T) {
@@ -84,6 +94,13 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			Level: feature.LevelSystem,
 			Value: true,
 		},
+		LoginV2: query.FeatureSource[*feature.LoginV2]{
+			Level: feature.LevelSystem,
+			Value: &feature.LoginV2{
+				Required: true,
+				BaseURI:  &url.URL{Scheme: "https", Host: "login.com"},
+			},
+		},
 	}
 	want := &feature_pb.GetSystemFeaturesResponse{
 		Details: &object.Details{
@@ -131,6 +148,11 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			Enabled: true,
 			Source:  feature_pb.Source_SOURCE_SYSTEM,
 		},
+		LoginV2: &feature_pb.LoginV2FeatureFlag{
+			Required: true,
+			BaseUri:  gu.Ptr("https://login.com"),
+			Source:   feature_pb.Source_SOURCE_SYSTEM,
+		},
 	}
 	got := systemFeaturesToPb(arg)
 	assert.Equal(t, want, got)
@@ -149,6 +171,10 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		DebugOidcParentError:                gu.Ptr(true),
 		OidcSingleV1SessionTermination:      gu.Ptr(true),
 		EnableBackChannelLogout:             gu.Ptr(true),
+		LoginV2: &feature_pb.LoginV2{
+			Required: true,
+			BaseUri:  gu.Ptr("https://login.com"),
+		},
 	}
 	want := &command.InstanceFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -162,9 +188,14 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		DebugOIDCParentError:            gu.Ptr(true),
 		OIDCSingleV1SessionTermination:  gu.Ptr(true),
 		EnableBackChannelLogout:         gu.Ptr(true),
+		LoginV2: &feature.LoginV2{
+			Required: true,
+			BaseURI:  &url.URL{Scheme: "https", Host: "login.com"},
+		},
 	}
-	got := instanceFeaturesToCommand(arg)
+	got, err := instanceFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
+	assert.NoError(t, err)
 }

 func Test_instanceFeaturesToPb(t *testing.T) {
@@ -214,6 +245,13 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Level: feature.LevelInstance,
 			Value: true,
 		},
+		LoginV2: query.FeatureSource[*feature.LoginV2]{
+			Level: feature.LevelInstance,
+			Value: &feature.LoginV2{
+				Required: true,
+				BaseURI:  &url.URL{Scheme: "https", Host: "login.com"},
+			},
+		},
 	}
 	want := &feature_pb.GetInstanceFeaturesResponse{
 		Details: &object.Details{
@@ -269,6 +307,11 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Enabled: true,
 			Source:  feature_pb.Source_SOURCE_INSTANCE,
 		},
+		LoginV2: &feature_pb.LoginV2FeatureFlag{
+			Required: true,
+			BaseUri:  gu.Ptr("https://login.com"),
+			Source:   feature_pb.Source_SOURCE_INSTANCE,
+		},
 	}
 	got := instanceFeaturesToPb(arg)
 	assert.Equal(t, want, got)