feat: specify login UI version on instance and apps (#9071)

# Which Problems Are Solved To be able to migrate or test the new login UI, admins might want to (temporarily) switch individual apps. At a later point admin might want to make sure all applications use the new login UI. # How the Problems Are Solved - Added a feature flag `` on instance level to require all apps to use the new login and provide an optional base url. - if the flag is enabled, all (OIDC) applications will automatically use the v2 login. - if disabled, applications can decide based on their configuration - Added an option on OIDC apps to use the new login UI and an optional base url. - Removed the requirement to use `x-zitadel-login-client` to be redirected to the login V2 and retrieve created authrequest and link them to SSO sessions. - Added a new "IAM_LOGIN_CLIENT" role to allow management of users, sessions, grants and more without `x-zitadel-login-client`. # Additional Changes None # Additional Context closes https://github.com/zitadel/zitadel/issues/8702
2025-08-11 21:17:32 +00:00 · 2024-12-19 10:37:46 +01:00
parent b5e92a6144
commit 50d2b26a28
89 changed files with 1670 additions and 321 deletions
--- a/internal/api/grpc/project/application.go
+++ b/internal/api/grpc/project/application.go
@@ -1,6 +1,8 @@
 package project

 import (
+	"net/url"
+
 	"google.golang.org/protobuf/types/known/durationpb"

 	object_grpc "github.com/zitadel/zitadel/internal/api/grpc/object"
@@ -62,10 +64,24 @@ func AppOIDCConfigToPb(app *query.OIDCApp) *app_pb.App_OidcConfig {
 			AllowedOrigins:           app.AllowedOrigins,
 			SkipNativeAppSuccessPage: app.SkipNativeAppSuccessPage,
 			BackChannelLogoutUri:     app.BackChannelLogoutURI,
+			LoginVersion:             loginVersionToPb(app.LoginVersion, app.LoginBaseURI),
 		},
 	}
 }

+func loginVersionToPb(version domain.LoginVersion, baseURI *string) *app_pb.LoginVersion {
+	switch version {
+	case domain.LoginVersionUnspecified:
+		return nil
+	case domain.LoginVersion1:
+		return &app_pb.LoginVersion{Version: &app_pb.LoginVersion_LoginV1{LoginV1: &app_pb.LoginV1{}}}
+	case domain.LoginVersion2:
+		return &app_pb.LoginVersion{Version: &app_pb.LoginVersion_LoginV2{LoginV2: &app_pb.LoginV2{BaseUri: baseURI}}}
+	default:
+		return nil
+	}
+}
+
 func AppSAMLConfigToPb(app *query.SAMLApp) app_pb.AppConfig {
 	return &app_pb.App_SamlConfig{
 		SamlConfig: &app_pb.SAMLConfig{
@@ -311,3 +327,17 @@ func AppQueryToModel(appQuery *app_pb.AppQuery) (query.SearchQuery, error) {
 		return nil, zerrors.ThrowInvalidArgument(nil, "APP-Add46", "List.Query.Invalid")
 	}
 }
+
+func LoginVersionToDomain(version *app_pb.LoginVersion) (domain.LoginVersion, string, error) {
+	switch v := version.GetVersion().(type) {
+	case nil:
+		return domain.LoginVersionUnspecified, "", nil
+	case *app_pb.LoginVersion_LoginV1:
+		return domain.LoginVersion1, "", nil
+	case *app_pb.LoginVersion_LoginV2:
+		_, err := url.Parse(v.LoginV2.GetBaseUri())
+		return domain.LoginVersion2, v.LoginV2.GetBaseUri(), err
+	default:
+		return domain.LoginVersionUnspecified, "", nil
+	}
+}