feat: specify login UI version on instance and apps (#9071)

# Which Problems Are Solved To be able to migrate or test the new login UI, admins might want to (temporarily) switch individual apps. At a later point admin might want to make sure all applications use the new login UI. # How the Problems Are Solved - Added a feature flag `` on instance level to require all apps to use the new login and provide an optional base url. - if the flag is enabled, all (OIDC) applications will automatically use the v2 login. - if disabled, applications can decide based on their configuration - Added an option on OIDC apps to use the new login UI and an optional base url. - Removed the requirement to use `x-zitadel-login-client` to be redirected to the login V2 and retrieve created authrequest and link them to SSO sessions. - Added a new "IAM_LOGIN_CLIENT" role to allow management of users, sessions, grants and more without `x-zitadel-login-client`. # Additional Changes None # Additional Context closes https://github.com/zitadel/zitadel/issues/8702
2025-08-11 21:07:31 +00:00 · 2024-12-19 10:37:46 +01:00
parent b5e92a6144
commit 50d2b26a28
89 changed files with 1670 additions and 321 deletions
--- a/internal/command/project_application_oidc_model.go
+++ b/internal/command/project_application_oidc_model.go
@@ -37,6 +37,8 @@ type OIDCApplicationWriteModel struct {
 	AdditionalOrigins        []string
 	SkipNativeAppSuccessPage bool
 	BackChannelLogoutURI     string
+	LoginVersion             domain.LoginVersion
+	LoginBaseURI             string
 	oidc                     bool
 }

@@ -167,6 +169,8 @@ func (wm *OIDCApplicationWriteModel) appendAddOIDCEvent(e *project.OIDCConfigAdd
 	wm.AdditionalOrigins = e.AdditionalOrigins
 	wm.SkipNativeAppSuccessPage = e.SkipNativeAppSuccessPage
 	wm.BackChannelLogoutURI = e.BackChannelLogoutURI
+	wm.LoginVersion = e.LoginVersion
+	wm.LoginBaseURI = e.LoginBaseURI
 }

 func (wm *OIDCApplicationWriteModel) appendChangeOIDCEvent(e *project.OIDCConfigChangedEvent) {
@@ -218,6 +222,12 @@ func (wm *OIDCApplicationWriteModel) appendChangeOIDCEvent(e *project.OIDCConfig
 	if e.BackChannelLogoutURI != nil {
 		wm.BackChannelLogoutURI = *e.BackChannelLogoutURI
 	}
+	if e.LoginVersion != nil {
+		wm.LoginVersion = *e.LoginVersion
+	}
+	if e.LoginBaseURI != nil {
+		wm.LoginBaseURI = *e.LoginBaseURI
+	}
 }

 func (wm *OIDCApplicationWriteModel) Query() *eventstore.SearchQueryBuilder {
@@ -260,6 +270,8 @@ func (wm *OIDCApplicationWriteModel) NewChangedEvent(
 	additionalOrigins []string,
 	skipNativeAppSuccessPage bool,
 	backChannelLogoutURI string,
+	loginVersion domain.LoginVersion,
+	loginBaseURI string,
 ) (*project.OIDCConfigChangedEvent, bool, error) {
 	changes := make([]project.OIDCConfigChanges, 0)
 	var err error
@@ -312,6 +324,12 @@ func (wm *OIDCApplicationWriteModel) NewChangedEvent(
 	if wm.BackChannelLogoutURI != backChannelLogoutURI {
 		changes = append(changes, project.ChangeBackChannelLogoutURI(backChannelLogoutURI))
 	}
+	if wm.LoginVersion != loginVersion {
+		changes = append(changes, project.ChangeLoginVersion(loginVersion))
+	}
+	if wm.LoginBaseURI != loginBaseURI {
+		changes = append(changes, project.ChangeLoginBaseURI(loginBaseURI))
+	}

 	if len(changes) == 0 {
 		return nil, false, nil