feat: restrict login to specific org by id (scope) (#4294)

* feat: add new org scope

* change default of UserLoginMustBeDomain to false

* return resource owner claims

* fix: use email style for first user

* fix: ensure email style for default users (backwards compatibility)

* change to external domain (as it was before UserLoginMustBeDomain change)

* update e2e tests to use email style usernames

* document new scope

* lint e2e

Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
Livio Spring
2022-09-23 14:08:10 +02:00
committed by GitHub
parent c98170c19b
commit 7dfa1925cc
17 changed files with 114 additions and 19 deletions


@@ -310,6 +310,9 @@ DefaultInstance:
Org:
Name:
Human:
# in case that UserLoginMustBeDomain is false (default) and if you don't overwrite the username with an email,
# it will be suffixed by the org domain (org-name + domain from config).
# for example: zitadel-admin in org `My Org` on domain.tld -> zitadel-admin@my-org.domain.tld
UserName: zitadel-admin
FirstName: ZITADEL
LastName: Admin
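Review bot: the added comment is ambiguous about which domain gets appended: it says "domain from config", while the commit message refers to the external domain ("change to external domain"); name the actual config key in the comment so operators can predict the generated username. Also tighten the wording, e.g. "If UserLoginMustBeDomain is false (the default) and the username is not overwritten with an email address, it is suffixed with the org domain (org name + external domain)". Finally, since the comment hardcodes "(default)", it must be kept in sync with the `DomainPolicy` default below if that default ever changes again.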
@@ -383,7 +386,7 @@ DefaultInstance:
ExpireWarnDays: 0
MaxAgeDays: 0
DomainPolicy:
UserLoginMustBeDomain: true
UserLoginMustBeDomain: false
ValidateOrgDomains: true
SMTPSenderAddressMatchesInstanceDomain: false
LoginPolicy:
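Review bot: flipping the shipped default of `UserLoginMustBeDomain` from `true` to `false` changes behaviour for every instance that does not set the key explicitly, and this hunk carries no comment explaining the change or pointing at the backwards-compatibility handling mentioned in the commit message ("ensure email style for default users"). Suggest a comment above the key, mirroring the one added in the `Human:` block, that states the new default and that deployments needing the previous behaviour must set `UserLoginMustBeDomain: true` explicitly.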