feat: specify login UI version on instance and apps (#9071)

# Which Problems Are Solved

To be able to migrate or test the new login UI, admins might want to
(temporarily) switch individual apps.
At a later point, admins might want to make sure all applications use the
new login UI.

# How the Problems Are Solved

- Added a feature flag `` on instance level to require all apps to use
the new login and provide an optional base url.
- if the flag is enabled, all (OIDC) applications will automatically use
the v2 login.
  - if disabled, applications can decide based on their configuration
- Added an option on OIDC apps to use the new login UI and an optional
base url.
- Removed the requirement to use `x-zitadel-login-client` to be
redirected to the login V2 and retrieve created authrequest and link
them to SSO sessions.
- Added a new "IAM_LOGIN_CLIENT" role to allow management of users,
sessions, grants and more without `x-zitadel-login-client`.

# Additional Changes

None

# Additional Context

closes https://github.com/zitadel/zitadel/issues/8702
This commit is contained in:
Livio Spring
2024-12-19 10:37:46 +01:00
committed by GitHub
parent b5e92a6144
commit 50d2b26a28
89 changed files with 1670 additions and 321 deletions


@@ -174,6 +174,11 @@ message OIDCConfig {
description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
}
];
LoginVersion login_version = 22 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
enum OIDCResponseType {
@@ -239,3 +244,17 @@ message APIConfig {
}
];
}
message LoginVersion {
oneof version {
LoginV1 login_v1 = 1;
LoginV2 login_v2 = 2;
}
}
message LoginV1 {}
message LoginV2 {
// Optionally specify a base uri of the login UI. If unspecified the default URI will be used.
optional string base_uri = 1;
}
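Review bot: `LoginV2.base_uri` in the second hunk is the location users are redirected to for authentication, yet its comment says nothing about what the server accepts (absolute URI only, allowed schemes, trailing path) or that the value is validated before it is used in a redirect; whether that validation lives in the command layer cannot be seen from this section. The comment should state the contract the handler actually enforces, e.g. `// Optionally specify a base uri of the login UI. Must be an absolute URI accepted by the server; if unspecified the default URI will be used.`, adjusted to the real rule. `LoginVersion`, its `version` oneof and the empty `LoginV1` carry no comment at all, while the surrounding fields in this file document themselves through openapiv2 descriptions; a one-liner such as `// Use the current login UI (v1); no further configuration.` on `LoginV1` and `// Selects which login UI an application prefers.` on `LoginVersion` would close that gap. The name `LoginV2` is also used for a differently shaped message (`required` plus `base_uri`) in the feature proto of this commit; presumably they sit in different packages, but distinct names would avoid confusion in generated code and docs.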


@@ -49,6 +49,16 @@ message ImprovedPerformanceFeatureFlag {
];
}
message LoginV2FeatureFlag {
bool required = 1;
optional string base_uri = 2;
Source source = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "The source where the setting of the feature was defined. The source may be the resource itself or a resource owner through inheritance.";
}
];
}
enum ImprovedPerformance {
IMPROVED_PERFORMANCE_UNSPECIFIED = 0;
// Uses the eventstore to query the org by id
@@ -65,4 +75,11 @@ enum ImprovedPerformance {
// users are checked against verified domains
// from other organizations.
IMPROVED_PERFORMANCE_ORG_DOMAIN_VERIFIED = 5;
}
message LoginV2 {
// Require that all users must use the new login UI. If enabled, all users will be redirected to the login V2 regardless of the application's preference.
bool required = 1;
// Optionally specify a base uri of the login UI. If unspecified the default URI will be used.
optional string base_uri = 2;
}
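Review bot: `LoginV2FeatureFlag.required` and `LoginV2FeatureFlag.base_uri` in the first hunk have no description, while the sibling `source` field has an openapiv2 description and the `LoginV2` message in the second hunk documents both fields with leading comments. The semantics should be carried over so the get-response type is self-describing: `// Require that all users must use the new login UI. If enabled, all users will be redirected to the login V2 regardless of the application's preference.` above `required` and `// Optionally specify a base uri of the login UI. If unspecified the default URI will be used.` above `base_uri`, or the same text as openapiv2 descriptions to match `source`. Since `base_uri` here is an effective, possibly inherited, redirect target, the `base_uri` comment could also say whether an inherited value is returned as-is or already normalised, which this section does not show.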


@@ -93,6 +93,12 @@ message SetInstanceFeaturesRequest{
description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
}
];
optional LoginV2 login_v2 = 13 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the login UI for all users and applications regardless of their preference.";
}
];
}
message SetInstanceFeaturesResponse {
@@ -199,4 +205,11 @@ message GetInstanceFeaturesResponse {
description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
}
];
LoginV2FeatureFlag login_v2 = 14 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "If the flag is set, all users will be redirected to the login V2 regardless of the application's preference.";
}
];
}
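Review bot: The `example: "true"` on `GetInstanceFeaturesResponse.login_v2` in the second hunk does not match the field's type: `LoginV2FeatureFlag` is a message, so a boolean example produces a misleading OpenAPI document for this field, and it looks copied from the `bool` feature flags above it. The same example appears on `GetSystemFeaturesResponse.login_v2` in the system feature section of this commit. Either drop the `example:` line or give a message-shaped example such as `example: "{\"required\": true}"` (constructed from the fields visible here). The description `If the flag is set, all users will be redirected ...` also reads as if the field were a bool; `If required is set, all users will be redirected to the login V2 regardless of the application's preference.` would describe the message accurately.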


@@ -82,6 +82,12 @@ message SetSystemFeaturesRequest{
description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
}
];
optional LoginV2 login_v2 = 11 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the login UI for all users and applications regardless of their preference.";
}
];
}
message SetSystemFeaturesResponse {
@@ -167,4 +173,11 @@ message GetSystemFeaturesResponse {
description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
}
];
LoginV2FeatureFlag login_v2 = 12 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "If the flag is set, all users will be redirected to the login V2 regardless of the application's preference.";
}
];
}
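Review bot: `optional LoginV2 login_v2 = 11` in the first hunk applies the `optional` label to a message-typed field; message fields already have explicit presence in proto3, so the label is redundant and suggests a wrapper is needed where none is (the same applies to `SetInstanceFeaturesRequest.login_v2 = 13` in the instance feature section). If it is kept for uniformity with the scalar flags in this message, a short comment saying so would pre-empt the question on the next review; otherwise `LoginV2 login_v2 = 11 [` is sufficient. The description should also state what an omitted `login_v2` means on a set request — the existing value is kept, or it is reset — since the text does not say and the command layer that decides it is not visible here.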


@@ -9808,6 +9808,11 @@ message AddOIDCAppRequest {
description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
}
];
zitadel.app.v1.LoginVersion login_version = 19 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
message AddOIDCAppResponse {
@@ -9989,6 +9994,11 @@ message UpdateOIDCAppConfigRequest {
description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
}
];
zitadel.app.v1.LoginVersion login_version = 18 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
message UpdateOIDCAppConfigResponse {