fix: eliminate ZITADEL_SERVICE_USER_ID

README.md

@@ -203,13 +203,11 @@ Go to your instance and create a service user for the login application.
 The login application creates users on your primary organization and reads policy data.
 For the sake of simplicity, just make the service user an instance member with the role `IAM_OWNER`.
 Create a PAT and copy it to the file `apps/login/.env.local` using the key `ZITADEL_SERVICE_USER_TOKEN`.
-Also add the users ID to the file using the key `ZITADEL_SERVICE_USER_ID`.
 
 The file should look similar to this:
 
 ```
 ZITADEL_API_URL=https://zitadel-tlx3du.us1.zitadel.cloud
-ZITADEL_SERVICE_USER_ID=289106423158521850
 ZITADEL_SERVICE_USER_TOKEN=1S6w48thfWFI2klgfwkCnhXJLf9FQ457E-_3H74ePQxfO3Af0Tm4V5Xi-ji7urIl_xbn-Rk
 ```
 
@@ -253,9 +251,8 @@ pnpm test:acceptance
 ### Deploy to Vercel
 
 To deploy your own version on Vercel, navigate to your instance and create a service user.
-Copy its id from the overview and set it as ZITADEL_SERVICE_USER_ID.
 Then create a personal access token (PAT), copy and set it as ZITADEL_SERVICE_USER_TOKEN, then navigate to your instance
 settings and make sure it gets IAM_OWNER permissions.
 Finally set your instance url as ZITADEL_API_URL. Make sure to set it without trailing slash.
 
-[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Fzitadel%2Ftypescript&env=ZITADEL_API_URL,ZITADEL_SERVICE_USER_ID,ZITADEL_SERVICE_USER_TOKEN&root-directory=apps/login&envDescription=Setup%20a%20service%20account%20with%20IAM_OWNER%20membership%20on%20your%20instance%20and%20provide%20its%20id%20and%20personal%20access%20token.&project-name=zitadel-login&repository-name=zitadel-login)
+[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Fzitadel%2Ftypescript&env=ZITADEL_API_URL,ZITADEL_SERVICE_USER_TOKEN&root-directory=apps/login&envDescription=Setup%20a%20service%20account%20with%20IAM_LOGIN_CLIENT%20membership%20on%20your%20instance%20and%20provide%20its%20personal%20access%20token.&project-name=zitadel-login&repository-name=zitadel-login)

acceptance/setup.sh

@@ -17,15 +17,15 @@ if [ -z "${PAT}" ]; then
   PAT=$(cat ${PAT_FILE})
 fi
 
-if [ -z "${ZITADEL_SERVICE_USER_ID}" ]; then
+# if [ -z "${ZITADEL_SERVICE_USER_ID}" ]; then
-  echo "Reading ZITADEL_SERVICE_USER_ID from userinfo endpoint"
+#   echo "Reading ZITADEL_SERVICE_USER_ID from userinfo endpoint"
-  USERINFO_RESPONSE=$(curl -s --request POST \
+#   USERINFO_RESPONSE=$(curl -s --request POST \
-    --url "${ZITADEL_API_INTERNAL_URL}/oidc/v1/userinfo" \
+#     --url "${ZITADEL_API_INTERNAL_URL}/oidc/v1/userinfo" \
-    --header "Authorization: Bearer ${PAT}" \
+#     --header "Authorization: Bearer ${PAT}" \
-    --header "Host: ${ZITADEL_API_DOMAIN}")
+#     --header "Host: ${ZITADEL_API_DOMAIN}")
-  echo "Received userinfo response: ${USERINFO_RESPONSE}"
+#   echo "Received userinfo response: ${USERINFO_RESPONSE}"
-  ZITADEL_SERVICE_USER_ID=$(echo "${USERINFO_RESPONSE}" | jq --raw-output '.sub')
+#   ZITADEL_SERVICE_USER_ID=$(echo "${USERINFO_RESPONSE}" | jq --raw-output '.sub')
-fi
+# fi
 
 #################################################################
 # Environment files
@@ -37,7 +37,6 @@ WRITE_TEST_ENVIRONMENT_FILE=${WRITE_TEST_ENVIRONMENT_FILE:-$(dirname "$0")/../ac
 echo "Writing environment file to ${WRITE_TEST_ENVIRONMENT_FILE} when done."
 
 echo "ZITADEL_API_URL=${ZITADEL_API_URL}
-ZITADEL_SERVICE_USER_ID=${ZITADEL_SERVICE_USER_ID}
 ZITADEL_SERVICE_USER_TOKEN=${PAT}
 SINK_NOTIFICATION_URL=${SINK_NOTIFICATION_URL}
 EMAIL_VERIFICATION=true

apps/login/.env.integration

@@ -1,5 +1,4 @@
 ZITADEL_API_URL=http://localhost:22222
-ZITADEL_SERVICE_USER_ID="yolo"
 ZITADEL_SERVICE_USER_TOKEN="yolo"
 EMAIL_VERIFICATION=true
 DEBUG=true

apps/login/next-env-vars.d.ts

@@ -22,10 +22,6 @@ declare namespace NodeJS {
      */
     ZITADEL_INSTANCE_HOST_HEADER: string;
 
-    /**
-     * Self hosting: The service user id
-     */
-    ZITADEL_SERVICE_USER_ID: string;
     /**
      * Self hosting: The service user token
      */

apps/login/src/middleware.ts

@@ -13,11 +13,7 @@ export const config = {
 
 export async function middleware(request: NextRequest) {
   // escape proxy if the environment is setup for multitenancy
-  if (
+  if (!process.env.ZITADEL_API_URL || !process.env.ZITADEL_SERVICE_USER_TOKEN) {
-    !process.env.ZITADEL_API_URL ||
-    !process.env.ZITADEL_SERVICE_USER_ID ||
-    !process.env.ZITADEL_SERVICE_USER_TOKEN
-  ) {
     return NextResponse.next();
   }
 
@@ -28,10 +24,6 @@ export async function middleware(request: NextRequest) {
   const instanceHost = `${serviceUrl}`.replace("https://", "");
 
   const requestHeaders = new Headers(request.headers);
-  requestHeaders.set(
-    "x-zitadel-login-client",
-    process.env.ZITADEL_SERVICE_USER_ID,
-  );
 
   // this is a workaround for the next.js server not forwarding the host header
   // requestHeaders.set("x-zitadel-forwarded", `host="${request.nextUrl.host}"`);

turbo.json

@@ -10,7 +10,6 @@
     "SYSTEM_USER_ID",
     "SYSTEM_USER_PRIVATE_KEY",
     "ZITADEL_API_URL",
-    "ZITADEL_SERVICE_USER_ID",
     "ZITADEL_SERVICE_USER_TOKEN",
     "NEXT_PUBLIC_BASE_PATH",
     "ZITADEL_INSTANCE_HOST_HEADER"