TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-02-28 21:17:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Domains problematic (#6564)

Browse Source 
* docs: disable validate org domains per default, and have a better label

* docs: rename to $CUSTOM-DOMAIN

* docs: translation

* docs: tranlsations

* docs: tranlsations

* docs: allow domain discovery

---------

Co-authored-by: Max Peintner <max@caos.ch>
This commit is contained in:
Fabi 2023-09-20 12:45:11 +02:00 committed by GitHub
parent 57d8ff1ef6
commit 7edc73bd5e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
41 changed files with 109 additions and 109 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
cmd/defaults.yaml
View File

@ -595,7 +595,7 @@ DefaultInstance:
MaxAgeDays: 0 # ZITADEL_DEFAULTINSTANCE_PASSWORDAGEPOLICY_MAXAGEDAYS
DomainPolicy:
UserLoginMustBeDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_USERLOGINMUSTBEDOMAIN
ValidateOrgDomains: true # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
ValidateOrgDomains: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
SMTPSenderAddressMatchesInstanceDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN
LoginPolicy:
AllowUsernamePassword: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWUSERNAMEPASSWORD
@ -604,7 +604,7 @@ DefaultInstance:
ForceMFA: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_FORCEMFA
HidePasswordReset: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_HIDEPASSWORDRESET
IgnoreUnknownUsernames: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_IGNOREUNKNOWNUSERNAMES
AllowDomainDiscovery: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
AllowDomainDiscovery: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
# 1 is allowed, 0 is not allowed
PasswordlessType: 1 # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_PASSWORDLESSTYPE
# DefaultRedirectURL is empty by default because we use the Console UI

4
console/src/assets/i18n/bg.json
View File

@ -789,7 +789,7 @@
},
"PAGES": {
"STATE": "Статус",
"DOMAINLIST": "Домейни"
"DOMAINLIST": "Лични домейни"
},
"STATE": {
"0": "Неуточнено",
@ -1344,7 +1344,7 @@
"MAXAGEDAYS": "Максимална възраст в дни",
"USERLOGINMUSTBEDOMAIN": "Добавяне на домейн на организация като суфикс към имената за вход",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Ако активирате тази настройка, всички имена за вход ще имат суфикс с домейна на организацията. ",
"VALIDATEORGDOMAINS": "Валидиране на организационни домейни",
"VALIDATEORGDOMAINS": "Верификация на домейна на организацията е необходима (DNS или HTTP предизвикателство)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP адресът на изпращача съвпада с домейна на екземпляра",
"ALLOWUSERNAMEPASSWORD": "Потребителско име Паролата е разрешена",
"ALLOWEXTERNALIDP": "Допуска се външен IDP",

10
console/src/assets/i18n/de.json
View File

@ -795,7 +795,7 @@
},
"PAGES": {
"STATE": "Status",
"DOMAINLIST": "Domains"
"DOMAINLIST": "Custom Domains"
},
"STATE": {
"0": "Unspezifisch",
@ -953,15 +953,15 @@
"DOMAINS": {
"NEW": "Domain hinzufügen",
"TITLE": "Domänen",
"DESCRIPTION": "Konfiguriere die Domains, mit denen sich Deine Benutzer anmelden können.",
"DESCRIPTION": "Konfiguriere die Domains, die für Domain discovery und als Suffix für die Benutzer verwendet werden können.",
"SETPRIMARY": "Primäre Domain setzen",
"DELETE": {
"TITLE": "Domain löschen?",
"DESCRIPTION": "Du bist im Begriff, eine Domain aus Deiner Organisation zu löschen. Deine Benutzer können diese nach dem Löschen nicht mehr für den Login nutzen."
"DESCRIPTION": "Du bist im Begriff, eine Domain aus deiner Organisation zu löschen."
},
"ADD": {
"TITLE": "Domain hinzufügen",
"DESCRIPTION": "Du bist im Begriff, Deiner Organisation eine Domain hinzuzufügen. Deine Benutzer können diese nach der erfolgreichen Ausführung für den Login nutzen."
"DESCRIPTION": "Du bist im Begriff, Deiner Organisation eine Domain hinzuzufügen. Die Domain kann für Domain discovery genutzt werden und als Suffix für deine Benutzernamen."
}
},
"STATE": {
@ -1350,7 +1350,7 @@
"MAXAGEDAYS": "Maximale Gültigkeit in Tagen",
"USERLOGINMUSTBEDOMAIN": "Organisationsdomain dem Loginname hinzufügen",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
"VALIDATEORGDOMAINS": "Org Domains validieren",
"VALIDATEORGDOMAINS": "Verifizierung des Organisations Domain erforderlich (DNS- oder HTTP-Herausforderung)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Adresse entspricht Instanzdomain",
"ALLOWUSERNAMEPASSWORD": "Benutzername Passwort erlaubt",
"ALLOWEXTERNALIDP": "Externer IDP erlaubt",

10
console/src/assets/i18n/en.json
View File

@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "Status",
"DOMAINLIST": "Domains"
"DOMAINLIST": "Custom Domains"
},
"STATE": {
"0": "Unspecified",
@ -954,15 +954,15 @@
"DOMAINS": {
"NEW": "Add Domain",
"TITLE": "Domains",
"DESCRIPTION": "Configure your domains. This domain can be used to log in with your users.",
"DESCRIPTION": "Configure your organization domains. This domain can be used for domain discovery and username suffixing.",
"SETPRIMARY": "Set as Primary",
"DELETE": {
"TITLE": "Delete Domain",
"DESCRIPTION": "You are about to delete one of your domains. Note that your users can no longer use this domain for their login."
"DESCRIPTION": "You are about to delete one of your domains."
},
"ADD": {
"TITLE": "Add Domain",
"DESCRIPTION": "You are about to add a domain for your organization. After successful process, you users will be able to use the domain for their login."
"DESCRIPTION": "You are about to add a domain for your organization. After successful process, the domain can be used for domain discovery and as suffix for your users."
}
},
"STATE": {
@ -1351,7 +1351,7 @@
"MAXAGEDAYS": "Max Age in days",
"USERLOGINMUSTBEDOMAIN": "Add organization domain as suffix to loginnames",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "If you enable this setting, all loginnames will be suffixed with the organization domain. If this settings is disabled, you have to ensure that usernames are unique over all organizations.",
"VALIDATEORGDOMAINS": "Validate Org domains",
"VALIDATEORGDOMAINS": "Organization domain verification required (DNS or HTTP challenge)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP Sender Address matches Instance Domain",
"ALLOWUSERNAMEPASSWORD": "Username Password allowed",
"ALLOWEXTERNALIDP": "External IDP allowed",

4
console/src/assets/i18n/es.json
View File

@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "Estado",
"DOMAINLIST": "Dominios"
"DOMAINLIST": "Dominios personalizados"
},
"STATE": {
"0": "No especificado",
@ -1351,7 +1351,7 @@
"MAXAGEDAYS": "Antigüedad máxima en días",
"USERLOGINMUSTBEDOMAIN": "Añadir el dominio de la organización como sufijo de los nombres de inicio de sesión",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si activas esta opción, todos los nombres de inicio de sesión tendrán como sufijo el dominio de esta organización. Si esta opción está desactivada, tendrás que asegurarte de que los nombres de usuario son únicos para todas las organizaciones.",
"VALIDATEORGDOMAINS": "Validar los dominios de la organización",
"VALIDATEORGDOMAINS": "Verificación de dominio de la organización requerida (desafío DNS o HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "La dirección del remitente SMTP coincide con el dominio de la instancia",
"ALLOWUSERNAMEPASSWORD": "Nombre de usuario y contraseña permitido",
"ALLOWEXTERNALIDP": "Permitido IDP externo",

4
console/src/assets/i18n/fr.json
View File

@ -795,7 +795,7 @@
},
"PAGES": {
"STATE": "Statut",
"DOMAINLIST": "Domaines"
"DOMAINLIST": "Domaines personnalisés"
},
"STATE": {
"0": "Inconnu",
@ -1350,7 +1350,7 @@
"MAXAGEDAYS": "Âge maximum en jours",
"USERLOGINMUSTBEDOMAIN": "Le nom de connexion de l'utilisateur doit contenir le nom de domaine de l'organisation",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Si vous activez ce paramètre, tous les noms de connexion seront suffixés avec le domaine de l'organisation. Si ce paramètre est désactivé, vous devez vous assurer que les noms d'utilisateur sont uniques pour toutes les organisations.",
"VALIDATEORGDOMAINS": "Valider les domaines d'Org",
"VALIDATEORGDOMAINS": "Vérification du domaine de l'organisation requise (challenge DNS ou HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'adresse de l'expéditeur SMTP correspond au domaine de l'instance",
"ALLOWUSERNAMEPASSWORD": "Nom d'utilisateur Mot de passe autorisé",
"ALLOWEXTERNALIDP": "IDP externe autorisé",

4
console/src/assets/i18n/it.json
View File

@ -794,7 +794,7 @@
},
"PAGES": {
"STATE": "Stato",
"DOMAINLIST": "Domini"
"DOMAINLIST": "Domini personalizzati"
},
"STATE": {
"0": "Non specifico",
@ -1350,7 +1350,7 @@
"MAXAGEDAYS": "Lunghezza massima in giorni",
"USERLOGINMUSTBEDOMAIN": "Nome utente deve contenere il dominio dell' organizzazione",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Se abiliti questa impostazione, a tutti i nomi di accesso verrà aggiunto il suffisso del dominio dell'organizzazione. Se questa impostazione è disabilitata, devi assicurarti che i nomi utente siano univoci per tutte le organizzazioni.",
"VALIDATEORGDOMAINS": "Verifica domini dell' organizzazione",
"VALIDATEORGDOMAINS": "Verifica del dominio dell'organizzazione richiesta (challenge DNS o HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "L'indirizzo mittente SMTP corrisponde al dominio dell'istanza",
"ALLOWUSERNAMEPASSWORD": "Autenticazione classica con password consentita",
"ALLOWEXTERNALIDP": "IDP esterno consentito",

4
console/src/assets/i18n/ja.json
View File

@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "ステータス",
"DOMAINLIST": "ドメイン"
"DOMAINLIST": "カスタムドメイン"
},
"STATE": {
"0": "未定義",
@ -1346,7 +1346,7 @@
"MAXAGEDAYS": "最大有効期限",
"USERLOGINMUSTBEDOMAIN": "ログイン名の接尾辞として組織ドメインを追加する",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "この設定を有効にすると、すべてのログイン名が組織ドメインで接尾辞が付けられます。この設定が無効になっている場合、ユーザー名がすべての組織で一意であることを確認する必要があります。",
"VALIDATEORGDOMAINS": "組織ドメインを認証する",
"VALIDATEORGDOMAINS": "組織のドメイン検証が必要です (DNSまたはHTTPチャレンジ)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP送信者アドレスはインスタンスドメインに一致しています",
"ALLOWUSERNAMEPASSWORD": "ユーザー名とパスワードを許可",
"ALLOWEXTERNALIDP": "外部IDPを許可",

4
console/src/assets/i18n/mk.json
View File

@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "Статус",
"DOMAINLIST": "Домени"
"DOMAINLIST": "Прилагодени домени"
},
"STATE": {
"0": "Ненаведено",
@ -1352,7 +1352,7 @@
"MAXAGEDAYS": "Максимална возраст во денови",
"USERLOGINMUSTBEDOMAIN": "Додади организациски домен како суфикс на корисничките имиња",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Ако го овозможите ова подесување, сите кориснички имиња ќе имаат суфикс на организацискиот домен. Доколку ова подесување е оневозможено, морате да се осигурате дека корисничките имиња се уникатни низ сите организации.",
"VALIDATEORGDOMAINS": "Валидирај организациски домени",
"VALIDATEORGDOMAINS": "Потврда на доменот на организацијата е неопходна (DNS или HTTP предизвик)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP адресата на испраќачот се поклопува со доменот на инстанцата",
"ALLOWUSERNAMEPASSWORD": "Дозволено корисничко име и лозинка",
"ALLOWEXTERNALIDP": "Дозволен надворешен IDP",

4
console/src/assets/i18n/pl.json
View File

@ -795,7 +795,7 @@
},
"PAGES": {
"STATE": "Status",
"DOMAINLIST": "Domeny"
"DOMAINLIST": "Własne domeny"
},
"STATE": {
"0": "Nieokreślony",
@ -1350,7 +1350,7 @@
"MAXAGEDAYS": "Maksymalny wiek w dniach",
"USERLOGINMUSTBEDOMAIN": "Dodaj domenę organizacji jako przyrostek do nazw logowania",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Jeśli włączysz to ustawienie, wszystkie nazwy logowania będą miały przyrostek z domeną organizacji. Jeśli to ustawienie jest wyłączone, musisz zapewnić unikalność nazw użytkowników we wszystkich organizacjach.",
"VALIDATEORGDOMAINS": "Sprawdzanie ważności domen organizacji",
"VALIDATEORGDOMAINS": "Weryfikacja domeny organizacji jest wymagana (wyzwanie DNS lub HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "Adres nadawcy SMTP pasuje do domeny instancji",
"ALLOWUSERNAMEPASSWORD": "Zezwól na użycie nazwy użytkownika i hasła",
"ALLOWEXTERNALIDP": "Zezwól na zewnętrznego dostawcę tożsamości",

4
console/src/assets/i18n/pt.json
View File

@ -796,7 +796,7 @@
},
"PAGES": {
"STATE": "Status",
"DOMAINLIST": "Domínios"
"DOMAINLIST": "Domínios personalizados"
},
"STATE": {
"0": "Não especificado",
@ -1352,7 +1352,7 @@
"MAXAGEDAYS": "Idade máxima em dias",
"USERLOGINMUSTBEDOMAIN": "Adicionar domínio da organização como sufixo aos nomes de login",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "Se você habilitar essa configuração, todos os nomes de login serão sufixados com o domínio da organização. Se essa configuração estiver desabilitada, você deve garantir que os nomes de usuário sejam exclusivos em todas as organizações.",
"VALIDATEORGDOMAINS": "Validar domínios da organização",
"VALIDATEORGDOMAINS": "Verificação de domínio da organização necessária (desafio DNS ou HTTP)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "O endereço do remetente do SMTP corresponde ao domínio da Instância",
"ALLOWUSERNAMEPASSWORD": "Permitir usuário e senha",
"ALLOWEXTERNALIDP": "Permitir provedor de ID externo",

4
console/src/assets/i18n/zh.json
View File

@ -795,7 +795,7 @@
},
"PAGES": {
"STATE": "状态",
"DOMAINLIST": "域名"
"DOMAINLIST": "自定义域名"
},
"STATE": {
"0": "未指定",
@ -1349,7 +1349,7 @@
"MAXAGEDAYS": "Max Age in days",
"USERLOGINMUSTBEDOMAIN": "用户名必须包含组织域名",
"USERLOGINMUSTBEDOMAIN_DESCRIPTION": "如果启用此设置,所有登录名都将以组织域为后缀。如果禁用此设置,您必须确保用户名在所有组织中都是唯一的。",
"VALIDATEORGDOMAINS": "验证组织域名",
"VALIDATEORGDOMAINS": "组织域名验证需要 (DNS 或 HTTP 挑战)",
"SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN": "SMTP 发件人地址与实例域名匹配",
"ALLOWUSERNAMEPASSWORD": "允许用户名密码",
"ALLOWEXTERNALIDP": "允许外部身份提供者",

4
docs/docs/apis/openidoauth/authn-methods.md
View File

@ -46,7 +46,7 @@ JWT
| Claim | Example | Description |
|:------|:---------------------------|:----------------------------------------------------------------------------------------------------------------|
| aud | `"https://{your_domain}"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
| aud | `"https://$CUSTOM-DOMAIN"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
| exp | `1605183582` | Unix timestamp of the expiry |
| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h |
| iss | `"78366401571920522@acme"` | String which represents the requesting party (owner of the key), normally the `clientID` from the json key file |
@ -56,7 +56,7 @@ JWT
{
"iss": "78366401571920522@acme",
"sub": "78366401571920522@acme",
"aud": "https://{your_domain}",
"aud": "https://$CUSTOM-DOMAIN",
"exp": 1605183582,
"iat": 1605179982
}

2
docs/docs/apis/openidoauth/claims.md
View File

@ -55,7 +55,7 @@ Please check below the matrix for an overview where which scope is asserted.
| gender | `other` | Gender of the subject |
| given_name | `Road` | Given name of the subject |
| iat | `1311280970` | Time of the token was issued at (as unix time) |
| iss | `{your_domain}` | Issuing domain of a token |
| iss | `$CUSTOM-DOMAIN` | Issuing domain of a token |
| jti | `69234237813329048` | Unique id of the token |
| locale | `en` | Language from the subject |
| name | `Road Runner` | The subjects full name |

6
docs/docs/apis/openidoauth/grant-types.md
View File

@ -77,8 +77,8 @@ Key JSON
JWT
| Claim | Example | Description |
|:------|:--------------------------|:--------------------------------------------------------------------------------------------------------------|
| aud | `"https://{your_domain}"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
|:------|:-------------------------|:--------------------------------------------------------------------------------------------------------------|
| aud | `"https://$CUSTOM-DOMAIN"` | String or Array of intended audiences MUST include ZITADEL's issuing domain |
| exp | `1605183582` | Unix timestamp of the expiry |
| iat | `1605179982` | Unix timestamp of the creation singing time of the JWT, MUST NOT be older than 1h |
| iss | `"77479219772321307"` | String which represents the requesting party (owner of the key), normally the `userId` from the json key file |
@ -88,7 +88,7 @@ JWT
{
"iss": "77479219772321307",
"sub": "77479219772321307",
"aud": "https://{your_domain}",
"aud": "https://$CUSTOM-DOMAIN",
"exp": 1605183582,
"iat": 1605179982
}

6
docs/docs/apis/saml/endpoints.md
View File

@ -4,7 +4,7 @@ title: SAML Endpoints in ZITADEL
## SAML 2.0 metadata
The SAML Metadata is located within the issuer domain. This would give us {your_domain}/saml/v2/metadata.
The SAML Metadata is located within the issuer domain. This would give us $CUSTOM-DOMAIN/saml/v2/metadata.
This metadata contains all the information defined in the spec.
@ -13,14 +13,14 @@ spec.** [Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0
## Certificate endpoint
{your_domain}/saml/v2/certificate
$CUSTOM-DOMAIN/saml/v2/certificate
The certificate endpoint provides the certificate which is used to sign the responses for download, for easier use with
different service providers which want the certificate separately instead of inside the metadata.
## SSO endpoint
{your_domain}/saml/v2/SSO
$CUSTOM-DOMAIN/saml/v2/SSO
The SSO endpoint is the starting point for all initial user authentications. The user agent (browser) will be redirected
to this endpoint to authenticate the user.

2
docs/docs/concepts/features/audit-trail.md
View File

@ -27,7 +27,7 @@ The same view is available on several other objects such as organization or proj
### Event View
Administrators can see all events across an instance and filter them directly in [Console](/docs/guides/manage/console/overview).
Go to your instance settings and then click on the Tab **Events** to open the Event Viewer or browse to $YOUR_DOMAIN/ui/console/events
Go to your instance settings and then click on the Tab **Events** to open the Event Viewer or browse to $CUSTOM-DOMAIN/ui/console/events
![Event viewer](/img/concepts/audit-trail/event-viewer.png)

2
docs/docs/concepts/features/selfservice.md
View File

@ -139,7 +139,7 @@ A client can also implement this, by calling the [specific endpoint](/apis/openi
## Profile
These actions are available for authenticated users only.
ZITADEL provides a self-service UI for the user profile out-of-the box under the path _{your_domain}/ui/console/users/me_.
ZITADEL provides a self-service UI for the user profile out-of-the box under the path _$CUSTOM-DOMAIN/ui/console/users/me_.
You can also implement your own version in your application by using our APIs.
### Change password

2
docs/docs/examples/identity-proxy/oauth2-proxy.md
View File

@ -43,7 +43,7 @@ provider = "oidc"
user_id_claim = "sub" #uses the subject as ID instead of the email
provider_display_name = "ZITADEL"
redirect_url = "http://127.0.0.1:4180/oauth2/callback"
oidc_issuer_url = "https://{your_domain}.zitadel.cloud"
oidc_issuer_url = "https://$CUSTOM-DOMAIN"
upstreams = [
"https://example.corp.com"
]

2
docs/docs/guides/integrate/access-zitadel-apis.md
View File

@ -44,7 +44,7 @@ Use the scope `urn:zitadel:iam:org:project:id:zitadel:aud` to include the ZITADE
```bash
curl --request POST \
--url {your_domain}/oauth/v2/token \
--url $CUSTOM-DOMAIN/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
--data scope='openid profile email urn:zitadel:iam:org:project:id:zitadel:aud' \

4
docs/docs/guides/integrate/access-zitadel-system-api.md
View File

@ -59,7 +59,7 @@ The JWT payload will need to contain the following claims:
{
"iss": "<userid>",
"sub": "<userid>",
"aud": "<https://your_domain>",
"aud": "<https://$CUSTOM-DOMAIN>",
"exp": <now+1h>,
"iat": <now>
}
@ -95,7 +95,7 @@ Now that you configured ZITADEL and created a JWT, you can call the System API a
```bash
curl --request POST \
--url {your_domain}/system/v1/instances/_search \
--url $CUSTOM-DOMAIN/system/v1/instances/_search \
--header 'Authorization: Bearer {token}' \
--header 'Content-Type: application/json'
```

2
docs/docs/guides/integrate/authenticated-mongodb-charts.md
View File

@ -29,7 +29,7 @@ Configure ZITADEL as your _Custom JWT Provider_ following the [MongoDB docs](htt
Configure the following values:
- Signing Algorithm: RS256
- Signing Key: JWK or JWKS URL
- JWKS: https://{your_domain}.zitadel.cloud/oauth/v2/keys
- JWKS: https://$CUSTOM-DOMAIN/oauth/v2/keys
- Audience: Your app's client ID which you copied when you created the ZITADEL app
Your configuration should look similar to this:

4
docs/docs/guides/integrate/client-credentials.md
View File

@ -41,7 +41,7 @@ You will need to craft a POST request to ZITADEL's token endpoint:
```bash
curl --request POST \
--url https://{your_domain}.zitadel.cloud/oauth/v2/token \
--url https://$CUSTOM-DOMAIN/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic ${BASIC_AUTH}' \
--data grant_type=client_credentials \
@ -72,7 +72,7 @@ In this example we read the organization of the service user.
```bash
curl --request GET \
--url {your-domain}/management/v1/orgs/me \
--url $CUSTOM-DOMAIN/management/v1/orgs/me \
--header 'Authorization: Bearer ${TOKEN}'
```

12
docs/docs/guides/integrate/event-api.md
View File

@ -24,7 +24,7 @@ To further restrict your result you can add the following filters:
```bash
curl --request POST \
--url $YOUR-DOMAIN/admin/v1/events/_search \
--url $CUSTOM-DOMAIN/admin/v1/events/_search \
--header "Authorization: Bearer $TOKEN"
```
@ -34,7 +34,7 @@ To be able to filter for the different event types ZITADEL knows, you can reques
```bash
curl --request POST \
--url $YOUR-DOMAIN/admin/v1/events/types/_search \
--url $CUSTOM-DOMAIN/admin/v1/events/types/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
'
@ -70,7 +70,7 @@ To be able to filter for the different aggregate types (resources) ZITADEL knows
```bash
curl --request POST \
--url $YOUR-DOMAIN/admin/v1/aggregates/types/_search \
--url $CUSTOM-DOMAIN/admin/v1/aggregates/types/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json'
```
@ -101,7 +101,7 @@ This example shows you how to get all events from users, filtered with the creat
```bash
curl --request POST \
--url $YOUR-DOMAIN/admin/v1/events/_search \
--url $CUSTOM-DOMAIN/admin/v1/events/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
--data '{
@ -121,7 +121,7 @@ Also we include the refresh tokens in this example to know when the user has bec
```bash
curl --request POST \
--url $YOUR-DOMAIN/admin/v1/events/_search \
--url $CUSTOM-DOMAIN/admin/v1/events/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
--data '{
@ -147,7 +147,7 @@ In this case this are the following events:
```bash
curl --request POST \
--url $YOUR-DOMAIN/admin/v1/events/_search \
--url $CUSTOM-DOMAIN/admin/v1/events/_search \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
--data '{

2
docs/docs/guides/integrate/logout.md
View File

@ -37,7 +37,7 @@ If you have specified some post_logout_redirect_uris on your client you have to
So ZITADEL is able to read the configured redirect uris.
```
GET {your_domain}/oidc/v1/end_session
GET $CUSTOM-DOMAIN/oidc/v1/end_session
?id_token_hint={id_token}
&post_logout_redirect_uri=https://rp.example.com/logged_out
&state=random_string

2
docs/docs/guides/integrate/pat.md
View File

@ -41,6 +41,6 @@ In this example we read the organization of the service user.
```bash
curl --request GET \
--url {your-domain}/management/v1/orgs/me \
--url $CUSTOM-DOMAIN/management/v1/orgs/me \
--header 'Authorization: Bearer {PAT}'
```

8
docs/docs/guides/integrate/private-key-jwt.md
View File

@ -68,7 +68,7 @@ Payload
{
"iss": "100507859606888466",
"sub": "100507859606888466",
"aud": "https://{your_domain}.zitadel.cloud",
"aud": "https://$CUSTOM-DOMAIN",
"iat": [Current UTC timestamp, e.g. 1605179982, max. 1 hour ago],
"exp": [UTC timestamp, e.g. 1605183582]
}
@ -90,7 +90,7 @@ With the encoded JWT from the prior step, you will need to craft a POST request
```bash
curl --request POST \
--url https://{your_domain}.zitadel.cloud/oauth/v2/token \
--url https:/$CUSTOM-DOMAIN/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
--data scope='openid profile email' \
@ -122,7 +122,7 @@ For this example let's call the userinfo endpoint to verify that our access toke
```bash
curl --request POST \
--url https://{your_domain}.zitadel.cloud/oidc/v1/userinfo \
--url $CUSTOM-DOMAIN/oidc/v1/userinfo \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer MtjHodGy4zxKylDOhg6kW90WeEQs2q...'
```
@ -135,7 +135,7 @@ Content-Type: application/json
{
"name": "MyServiceUser",
"preferred_username": "service_user@{your_domain}.zitadel.cloud",
"preferred_username": "service_user@$CUSTOM-DOMAIN",
"updated_at": 1616417938
}
```

22
docs/docs/guides/integrate/retrieve-user-roles.md
View File

@ -83,7 +83,7 @@ Alternatively, you can include the claims `urn:iam:org:project:roles` or/and `ur
### Retrieve roles from the userinfo endpoint
The user info endpoint is **ZITADEL_DOMAIN/oidc/v1/userinfo**.
The user info endpoint is **$CUSTOM-DOMAIN/oidc/v1/userinfo**.
This endpoint will return information about the authenticated user.
Send the access token of the user as `Bearer Token` in the `Authorization` header:
@ -91,7 +91,7 @@ Send the access token of the user as `Bearer Token` in the `Authorization` heade
**cURL Request:**
```bash
curl --request GET \
--url $ZITADEL_DOMAIN/oidc/v1/userinfo
--url $CUSTOM-DOMAIN/oidc/v1/userinfo
--header 'Authorization: Bearer <TOKEN>'
```
@ -206,11 +206,11 @@ Lets start with a user who has multiple roles in different organizations in a
Returns a list of roles for the authenticated user and for the requesting project (based on the token).
**URL: https://$ZITADEL_DOMAIN/auth/v1/permissions/me/_search**
**URL: https://$CUSTOM-DOMAIN/auth/v1/permissions/me/_search**
**cURL request:**
```bash
curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/me/_search' \
curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/permissions/me/_search' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>'
```
@ -231,12 +231,12 @@ Returns a list of permissions the authenticated user has in ZITADEL based on the
This request can be used if you are building a management UI. For instance, if the UI is managing users, you can show the management functionality based on the permissions the user has. Heres an example: if the user has `user.read` and `user.write` permission you can show the edit buttons, if the user only has `user.read` permission, you can hide the edit buttons.
**URL: https://ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search**
**URL: https://$CUSTOM-DOMAIN/auth/v1/permissions/zitadel/me/_search**
**cURL Request:**
```bash
curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search' \
curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/permissions/zitadel/me/_search' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>'
```
@ -277,12 +277,12 @@ curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/permissions/zitadel/me/_search'
Returns a list of user grants the authenticated user has. User grants consist of an organization, a project and roles.
**URL: https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search**
**URL: https://$CUSTOM-DOMAIN/auth/v1/usergrants/me/_search**
**cURL request:**
```bash
curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search' \
curl -L -X POST 'https://$CUSTOM-DOMAIN/auth/v1/usergrants/me/_search' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
@ -379,7 +379,7 @@ curl -L -X POST 'https://$ZITADEL_DOMAIN/auth/v1/usergrants/me/_search' \
### Retrieve roles using the management API
Now we will use the management API to retrieve user roles under an admin user.
The base URL is: **https://$ZITADEL_DOMAIN/management/v1**
The base URL is: **https://$CUSTOM-DOMAIN/management/v1**
In [APIs listed under user grants in the management API](/docs/category/apis/resources/mgmt/user-grants), you will see that you can use the management API to retrieve and modify user grants. The two API paths that we are interested in to fetch user roles are given below.
@ -389,12 +389,12 @@ In [APIs listed under user grants in the management API](/docs/category/apis/res
Returns a list of user roles that match the search queries. A user with manager permissions will call this API and will also have to reside in the same organization as the user.
**URL: https://$ZITADEL_DOMAIN/management/v1/users/grants/_search**
**URL: https://$CUSTOM-DOMAIN/management/v1/users/grants/_search**
**cURL request:**
```bash
curl -L -X POST 'https://$ZITADEL_DOMAIN/management/v1/users/grants/_search' \
curl -L -X POST 'https://$CUSTOM-DOMAIN/management/v1/users/grants/_search' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \

2
docs/docs/guides/integrate/services/gitlab-saml.md
View File

@ -51,7 +51,7 @@ Check your application, if everything is correct, press "Create".
Complete the configuration as follows:
- `Identity provider single sign-on URL`: {your_instance_domain}/saml/v2/SSO
- `Identity provider single sign-on URL`: $CUSTOM-DOMAIN/saml/v2/SSO
- `Certificate fingerprint`: You need to download the certificate from {your_instance_domain}/saml/v2/certificate and create a SHA1 fingerprint
Save the changes.

4
docs/docs/guides/manage/cloud/instances.md
View File

@ -56,7 +56,7 @@ A free instance can be upgraded to a "pay as you go" instance. By upgrading your
### Add Custom Domain
We recommend register a custom domain to access your ZITADEL instance.
The primary domain of your ZITADEL instance will be the issuer of the instance. All other domains can be used to access the instance itself
The primary custom domain of your ZITADEL instance will be the issuer of the instance. All other custom domains can be used to access the instance itself
1. Browse to your instance
2. Click **Add custom domain**
@ -73,7 +73,7 @@ Be aware that it has some impacts if you change the primary domain of your insta
![Add custom domain](/img/manuals/portal/portal_add_domain.png)
#### Verify Domain
#### Verify Custom Domain
If you need a custom domain for your ZITADEL instance, you need to verify the domain.

2
docs/docs/guides/manage/console/organizations.mdx
View File

@ -23,7 +23,7 @@ If you choose your logged in user as organization manager, a membership for the
alt="Select Organization"
/>
If you want to enable your customers to create their organization by themselves, we provide a creation form for a organization. `<https://{your-domain}-{random string}.zitadel.cloud/ui/login/register/org`
If you want to enable your customers to create their organization by themselves, we provide a creation form for a organization. `<https://$CUSTOM-DOMAIN/ui/login/register/org`
The customer needs to fill in the form with the organization name and the contact details.
<img

6
docs/docs/guides/manage/customize/user-metadata.md
View File

@ -50,7 +50,7 @@ Request the user information by calling the [userinfo endpoint](/docs/apis/openi
```bash
curl --request GET \
--url "https://$ZITADEL_DOMAIN/oidc/v1/userinfo" \
--url "https://$CUSTOM-DOMAIN/oidc/v1/userinfo" \
--header "Authorization: Bearer $ACCESS_TOKEN"
```
@ -166,7 +166,7 @@ If you get the error "invalid audience (APP-Zxfako)", then you need to add the r
You can request the user's metadata with the [List My Metadata](/docs/apis/resources/auth/auth-service-list-my-metadata) method:
```bash
curl -L -X POST "https://$ZITADEL_DOMAIN/auth/v1/users/me/metadata/_search" \
curl -L -X POST "https://$CUSTOM-DOMAIN/auth/v1/users/me/metadata/_search" \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H "Authorization: Bearer $ACCESS_TOKEN" \
@ -188,7 +188,7 @@ curl -L -X POST "https://$ZITADEL_DOMAIN/auth/v1/users/me/metadata/_search" \
```
Replace `$ACCESS_TOKEN` with your user's access token.
Replace `$ZITADEL_DOMAIN` with your ZITADEL instance's url.
Replace `$CUSTOM-DOMAIN` with your ZITADEL instance's url.
Replace `$METADATA_KEY` with they key you want to search for (f.e. "ContractNumber")
:::info Get all metadata

6
proto/zitadel/admin.proto
View File

@ -130,7 +130,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$ZITADEL_DOMAIN";
host: "$CUSTOM-DOMAIN";
base_path: "/admin/v1";
external_docs: {
@ -150,8 +150,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";

6
proto/zitadel/auth.proto
View File

@ -77,7 +77,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
produces: "application/grpc";
produces: "application/grpc-web+proto";
host: "$ZITADEL_DOMAIN";
host: "$CUSTOM-DOMAIN";
base_path: "/auth/v1";
external_docs: {
@ -97,8 +97,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";

6
proto/zitadel/management.proto
View File

@ -146,7 +146,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$ZITADEL_DOMAIN";
host: "$CUSTOM-DOMAIN";
base_path: "/management/v1";
external_docs: {
@ -166,8 +166,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";

6
proto/zitadel/oidc/v2beta/oidc_service.proto
View File

@ -39,7 +39,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$ZITADEL_DOMAIN";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
@ -52,8 +52,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";

6
proto/zitadel/org/v2beta/org_service.proto
View File

@ -48,7 +48,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$ZITADEL_DOMAIN";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
@ -61,8 +61,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";

6
proto/zitadel/session/v2beta/session_service.proto
View File

@ -42,7 +42,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$ZITADEL_DOMAIN";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
@ -55,8 +55,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";

6
proto/zitadel/settings/v2beta/settings_service.proto
View File

@ -44,7 +44,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$ZITADEL_DOMAIN";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
@ -57,8 +57,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";

2
proto/zitadel/system.proto
View File

@ -49,7 +49,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$ZITADEL_DOMAIN";
host: "$CUSTOM-DOMAIN";
base_path: "/system/v1";
external_docs: {

6
proto/zitadel/user/v2beta/user_service.proto
View File

@ -46,7 +46,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$ZITADEL_DOMAIN";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
@ -59,8 +59,8 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$ZITADEL_DOMAIN/oauth/v2/authorize";
token_url: "$ZITADEL_DOMAIN/oauth/v2/token";
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";