TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2024-12-04 23:45:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

docs: restructure and add more content (#2232)

Browse Source 
* docs: restructure quickstarts

* docs: quickstart libs

* docs: add exlixir lib

* docs: restructure

* docs: restructure

* docs: customization

* use tabs in oauth/oidc endpoints.md

* improve authorize_endpoint

* improve token_endpoint and introspection_endpoint

* docs: saas use case

* styling

* styling

* begin login users

* login users

* login users

* fix table

* fix: links

* fix: links

* start go api

* fix: policy structure

* fix: saas description

* fix: saas description

* fix: saas description

* Update docs/docs/concepts/policies.md

Co-authored-by: mffap <mpa@caos.ch>

* Update docs/docs/concepts/usecases/saas.md

Co-authored-by: mffap <mpa@caos.ch>

* Update docs/docs/concepts/usecases/saas.md

Co-authored-by: mffap <mpa@caos.ch>

* Update docs/docs/concepts/usecases/saas.md

Co-authored-by: mffap <mpa@caos.ch>

* Update docs/docs/concepts/usecases/saas.md

Co-authored-by: mffap <mpa@caos.ch>

* Update docs/docs/concepts/usecases/saas.md

Co-authored-by: mffap <mpa@caos.ch>

* Update docs/docs/concepts/usecases/saas.md

Co-authored-by: mffap <mpa@caos.ch>

* Update docs/docs/concepts/usecases/saas.md

Co-authored-by: mffap <mpa@caos.ch>

* Update docs/docs/concepts/usecases/saas.md

Co-authored-by: mffap <mpa@caos.ch>

* Update docs/docs/concepts/usecases/saas.md

Co-authored-by: mffap <mpa@caos.ch>

* docs: organisation --> organization

* docs: fixes

* docs: fixes

* Update docs/docs/apis/openidoauth/endpoints.md

Co-authored-by: Florian Forster <florian@caos.ch>

* Update docs/docs/concepts/policies.md

Co-authored-by: Florian Forster <florian@caos.ch>

* Update docs/docs/concepts/policies.md

Co-authored-by: Florian Forster <florian@caos.ch>

* Update docs/docs/concepts/policies.md

Co-authored-by: Florian Forster <florian@caos.ch>

* Update docs/docs/apis/openidoauth/endpoints.md

Co-authored-by: Florian Forster <florian@caos.ch>

* Apply suggestions from code review

Co-authored-by: Florian Forster <florian@caos.ch>

* docs: intro

* Update docs/docs/guides/customization/branding.md

Co-authored-by: Florian Forster <florian@caos.ch>

* fix: typo

* add mermaid

Co-authored-by: Livio Amstutz <livio.a@gmail.com>
Co-authored-by: mffap <mpa@caos.ch>
Co-authored-by: Florian Forster <florian@caos.ch>
This commit is contained in:
Fabi 2021-09-23 10:34:06 +02:00 committed by GitHub
parent 63231540a8
commit c8d59ee488
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
46 changed files with 1431 additions and 192 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -49,7 +49,7 @@ You can run an automatically operated **ZITADEL** instance on a CNCF compliant K
### CAOS-Managed
* **ZITADEL Cloud:** [**ZITADEL.ch**](https://zitadel.ch) is our shared cloud service hosted in Switzerland. [Get started](https://docs.zitadel.ch/docs/guides/usage/get-started) and try the free tier, including already unlimited users and all necessary security features.
* **ZITADEL Cloud:** [**ZITADEL.ch**](https://zitadel.ch) is our shared cloud service hosted in Switzerland. [Get started](https://docs.zitadel.ch/docs/guides/basics/get-started) and try the free tier, including already unlimited users and all necessary security features.
* **ZITADEL Enterprise:** We operate and support a private instance of **ZITADEL** for you. [Get in touch!](https://zitadel.ch/contact/)
## Start using ZITADEL

2
docs/README.md
View File

@ -30,5 +30,5 @@ This command generates static content into the `build` directory and can be serv
## Deployment
Each PR will be automaticly built with a preview link from cloudflare pages.
Each PR will be automatically built with a preview link from cloudflare pages.
Visit the checks / comments on the PR for the link.

4
docs/docs/apis/apis.md
View File

@ -29,8 +29,8 @@ The user id is taken from the sub claim in the token.
## Management API
The management API is as the name states the interface where systems can mutate IAM objects like, organisations, projects, clients, users and so on if they have the necessary access rights.
To identify the current organisation you can send a header `x-zitadel-orgid` or if no header is set, the organisation of the authenticated user is set.
The management API is as the name states the interface where systems can mutate IAM objects like, organizations, projects, clients, users and so on if they have the necessary access rights.
To identify the current organization you can send a header `x-zitadel-orgid` or if no header is set, the organization of the authenticated user is set.
| Service | URI |
|:--------|:----------------------------------------------------------------------------------------------------------------------------------------------------|

2
docs/docs/apis/introduction.md
View File

@ -2,8 +2,6 @@
title: Introduction
---
> All documentations are under active work and subject to change soon!
## APIs
---

292
docs/docs/apis/openidoauth/endpoints.md
View File

@ -2,6 +2,9 @@
title: Endpoints
---
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
## OpenID Connect 1.0 Discovery
The OpenID Connect Discovery Endpoint is located within the issuer domain.
@ -13,71 +16,143 @@ For example with [zitadel.ch](https://zitadel.ch), issuer.zitadel.ch would be th
[https://accounts.zitadel.ch/oauth/v2/authorize](https://accounts.zitadel.ch/oauth/v2/authorize)
> The authorization_endpoint is located with the login page, due to the need of accessing the same cookie domain
:::note
The authorization_endpoint is located with the login page, due to the need of accessing the same cookie domain
:::
Required request Parameters
The authorization_endpoint is the starting point for all initial user authentications. The user agent (browser) will be redirected to this endpoint to
authenticate the user in exchange for an authorization_code (authorization code flow) or tokens (implicit flow).
<details>
<summary>Links to specs</summary>
<ul>
<li><a href="https://datatracker.ietf.org/doc/html/rfc6749#section-3.1">Section 3.1 of OAuth2.0 (RFC6749)</a></li>
<li><a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint">Section 3.1.2 of OpenID Connect Core 1.0 incorporating errata set 1</a></li>
</ul>
</details>
### Required request parameters
| Parameter | Description |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| client_id | The id of your client as shown in Console. |
| redirect_uri | Callback uri of the authorization request where the code or tokens will be sent to. Must match exactly one of the preregistered in Console. |
| response_type | Determines whether a `code`, `id_token token` or just `id_token` will be returned. Most use cases will need `code`. See flow guide for more info. |
| scope | `openid` is required, see [Scopes](scopes) for more possible values. Scopes are space delimited, e.g. `openid email profile` |
| scope | `openid` is required, see [Scopes](scopes) for more possible values. Scopes are space delimited, e.g. `openid email profile` |
Required parameters for PKCE (see PKCE guide for more information)
:::important
Following the [OIDC Core 1.0 specs](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) whenever an access_token is issued,
the id_token will not contain any claims of the scopes `profile`, `email`, `phone` and `address`.
Send the access_token to the [userinfo_endpoint](#userinfo_endpoint) or [introspection_endpoint](#introspection_endpoint) the retrieve these claims
or set the `id_token_userinfo_assertion` Option ("User Info inside ID Token" in Console) to true.
:::
Depending on your authorization method you will have to provide additional parameters or headers:
<Tabs
groupId="token-auth-methods"
defaultValue="client_secret_basic"
values={[
{label: 'client_secret_basic', value: 'client_secret_basic'},
{label: 'client_secret_post', value: 'client_secret_post'},
{label: 'none (PKCE)', value: 'none'},
{label: 'private_key_jwt', value: 'private_key_jwt'},
]}
>
<TabItem value="client_secret_basic">
no additional parameters required
</TabItem>
<TabItem value="client_secret_post">
no additional parameters required
</TabItem>
<TabItem value="none">
| Parameter | Description |
| --------------------- | ----------------------------------------------------- |
| code_challenge | The SHA-256 value of the generated code_verifier |
| code_challenge | The SHA-256 value of the generated `code_verifier` |
| code_challenge_method | Method used to generate the challenge, must be `S256` |
Optional parameters
see PKCE guide for more information
| Parameter | Description |
| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| id_token_hint | Valid `id_token` (of an existing session) used to identity the subject. Should be provided when using prompt `none`. |
| login_hint | A valid logon name of a user. Will be used for username inputs or preselecting a user on `select_account` |
| max_age | Seconds since the last active successful authentication of the user |
| nonce | Random string value to associate the client session with the ID Token and for replay attacks mitigation. |
</TabItem>
<TabItem value="private_key_jwt">
no additional parameters required
</TabItem>
</Tabs>
### Additional parameters
| Parameter | Description |
| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| id_token_hint | Valid `id_token` (of an existing session) used to identity the subject. **SHOULD** be provided when using prompt `none`. |
| login_hint | A valid logon name of a user. Will be used for username inputs or preselecting a user on `select_account` |
| max_age | Seconds since the last active successful authentication of the user |
| nonce | Random string value to associate the client session with the ID Token and for replay attacks mitigation. **MUST** be provided when using **implicit flow**. |
| prompt | If the Auth Server prompts the user for (re)authentication. <br />no prompt: the user will have to choose a session if more than one session exists<br />`none`: user must be authenticated without interaction, an error is returned otherwise <br />`login`: user must reauthenticate / provide a user name <br />`select_account`: user is prompted to select one of the existing sessions or create a new one <br />`create`: the registration form will be displayed to the user directly |
| state | Opaque value used to maintain state between the request and the callback. Used for Cross-Site Request Forgery (CSRF) mitigation as well. |
| state | Opaque value used to maintain state between the request and the callback. Used for Cross-Site Request Forgery (CSRF) mitigation as well, therefore highly **recommended**. |
| ui_locales | Spaces delimited list of preferred locales for the login UI, e.g. `de-CH de en`. If none is provided or matches the possible locales provided by the login UI, the `accept-language` header of the browser will be taken into account. |
Successful Code Response
### Successful Code Response
When your `response_type` was `code` and no error occurred, the following response will be returned:
| Property | Description |
| -------- | ----------------------------------------------------------------------------- |
| code | Opaque string which will be necessary to request tokens on the token endpoint |
| state | Unmodified `state` parameter from the request |
Successful Implicit Response
### Successful Implicit Response
| Property | Description |
| ------------ | ----------------------------------------------------------- |
| access_token | Only returned if `response_type` included `token` |
| expires_in | Number of second until the expiration of the `access_token` |
| id_token | Only returned if `response_type` included `id_token` |
| token_type | Type of the `access_token`. Value is always `Bearer` |
When your `response_type` was either `it_token` or `id_token token` and no error occurred, the following response will be returned:
Error Response
| Property | Description |
| ------------ | ------------------------------------------------------------------------------------- |
| access_token | Only returned if `response_type` included `token` |
| expires_in | Number of second until the expiration of the `access_token` |
| id_token | An `id_token` of the authorized user |
| token_type | Type of the `access_token`. Value is always `Bearer` |
| scope | Scopes of the `access_token`. These might differ from the provided `scope` parameter. |
| state | Unmodified `state` parameter from the request |
### Error Response
Regardless of the authorization flow chosen, if an error occurs the following response will be returned to the redirect_uri.
> If the redirect_uri is not provided, was not registered or anything other prevents the auth server form returning the response to the client,
:::note
If the redirect_uri is not provided, was not registered or anything other prevents the auth server form returning the response to the client,
the error will be display directly to the user on the auth server
:::
| Property | Description |
| ----------------- | -------------------------------------------------------------------- |
| error | An OAuth / OIDC error_type |
| error | An OAuth / OIDC [error_type](#authorize-errors) |
| error_description | Description of the error type or additional information of the error |
| state | Unmodified `state` parameter from the request |
#### Possible errors {#authorize-errors}
| error_type | Possible reason |
| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| invalid_request | The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. |
| invalid_scope | The requested scope is invalid. Typically the required `openid` value is missing. |
| unauthorized_client | The client is not authorized to request an access_token using this method. Check in Console that the requested `response_type` is allowed in your application configuration. |
| unsupported_response_type | The authorization server does not support the requested response_type. |
| server_error | The authorization server encountered an unexpected condition that prevented it from fulfilling the request. |
## token_endpoint
[https://api.zitadel.ch/oauth/v2/token](https://api.zitadel.ch/oauth/v2/token)
The token_endpoint will as the name suggests return various tokens (access, id and refresh) depending on the used `grant_type`.
When using [`authorization_code`](#authorization-code-grant-code-exchange) flow call this endpoint after receiving the code from the authorization_endpoint.
When using [`refresh_token`](#authorization-code-grant-code-exchange) or [`urn:ietf:params:oauth:grant-type:jwt-bearer` (JWT Profile)](#jwt-profile-grant) you will call this endpoint directly.
### Authorization Code Grant (Code Exchange)
Required request Parameters
As mention above, when using `authorization_code` grant, this endpoint will be your second request for authorizing a user with its user agent (browser).
#### Required request Parameters
| Parameter | Description |
| ------------ | ------------------------------------------------------------------------------------------------------------- |
@ -87,11 +162,22 @@ Required request Parameters
Depending on your authorization method you will have to provide additional parameters or headers:
When using `client_secret_basic`
<Tabs
groupId="token-auth-methods"
defaultValue="client_secret_basic"
values={[
{label: 'client_secret_basic', value: 'client_secret_basic'},
{label: 'client_secret_post', value: 'client_secret_post'},
{label: 'none (PKCE)', value: 'none'},
{label: 'private_key_jwt', value: 'private_key_jwt'},
]}
>
<TabItem value="client_secret_basic">
Send your `client_id` and `client_secret` as Basic Auth Header. Check [Client Secret Basic Auth Method](authn-methods#client-secret-basic) on how to build it correctly.
When using `client_secret_post`
</TabItem>
<TabItem value="client_secret_post">
Send your `client_id` and `client_secret` as parameters in the body:
@ -100,15 +186,17 @@ Send your `client_id` and `client_secret` as parameters in the body:
| client_id | client_id of the application |
| client_secret | client_secret of the application |
When using `none` (PKCE)
</TabItem>
<TabItem value="none">
Send your code_verifier for us to recompute the code_challenge of the authorization request.
Send your `code_verifier` for us to recompute the `code_challenge` of the authorization request.
| Parameter | Description |
| ------------- | ------------------------------------------------------------ |
| code_verifier | code_verifier previously used to generate the code_challenge |
When using `private_key_jwt`
</TabItem>
<TabItem value="private_key_jwt">
Send a client assertion as JWT for us to validate the signature against the registered public key.
@ -117,17 +205,29 @@ Send a client assertion as JWT for us to validate the signature against the regi
| client_assertion | JWT built and signed according to [Using JWTs for Client Authentication](authn-methods#jwt-with-private-key) |
| client_assertion_type | Must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` |
</TabItem>
</Tabs>
#### Successful code response {#token-code-response}
| Property | Description |
| ------------- | ------------------------------------------------------------------------------------- |
| access_token | An `access_token` as JWT or opaque token |
| expires_in | Number of second until the expiration of the `access_token` |
| id_token | An `id_token` of the authorized user |
| scope | Scopes of the `access_token`. These might differ from the provided `scope` parameter. |
| refresh_token | An opaque token. Only returned if `offline_access` scope was requested |
| token_type | Type of the `access_token`. Value is always `Bearer` |
### JWT Profile Grant
---
Required request Parameters
#### Required request Parameters
| Parameter | Description |
| ---------- | ----------------------------------------------------------------------------------------------------------------------------- |
| grant_type | Must be `urn:ietf:params:oauth:grant-type:jwt-bearer` |
| assertion | JWT built and signed according to [Using JWTs for Client Authentication](#Using JWTs for Client Authentication) |
| scope | [Scopes](Scopes) you would like to request from ZITADEL. Scopes are space delimited, e.g. `openid email profile` |
| assertion | JWT built and signed according to [Using JWTs for Authorization Grants](grant-types#using-jwts-as-authorization-grants) |
| scope | [Scopes](Scopes) you would like to request from ZITADEL. Scopes are space delimited, e.g. `openid email profile` |
```BASH
curl --request POST \
@ -137,25 +237,47 @@ curl --request POST \
--data assertion=eyJhbGciOiJSUzI1Ni...
```
#### Successful JWT Profile response {#token-jwt-response}
| Property | Description |
| ------------- | ------------------------------------------------------------------------------------- |
| access_token | An `access_token` as JWT or opaque token |
| expires_in | Number of second until the expiration of the `access_token` |
| id_token | An `id_token` of the authorized service user |
| scope | Scopes of the `access_token`. These might differ from the provided `scope` parameter. |
| token_type | Type of the `access_token`. Value is always `Bearer` |
### Refresh Token Grant
---
To request a new `access_token` without user interaction, you can use the `refresh_token` grant.
See [offline_access Scope](Scopes#standard-scopes) for how to request a `refresh_token` in the authorization request.
Required request Parameters
#### Required request Parameters
| Parameter | Description |
| ------------- | ----------------------------------------------------------------------------------- |
| grant_type | Must be `refresh_token` |
| refresh_token | The refresh_token previously issued in the last auth code or refresh token request. |
| Parameter | Description |
| ------------- | -------------------------------------------------------------------------------------------- |
| grant_type | Must be `refresh_token` |
| refresh_token | The refresh_token previously issued in the last authorization_code or refresh_token request. |
| scope | [Scopes](Scopes) you would like to request from ZITADEL for the new access_token. Must be a subset of the scope originally requested by the corresponding auth request. When omitted, the scopes requested by the original auth request will be reused. Scopes are space delimited, e.g. `openid email profile` |
Depending on your authorization method you will have to provide additional parameters or headers:
When using `client_secret_basic`
<Tabs
groupId="token-auth-methods"
defaultValue="client_secret_basic"
values={[
{label: 'client_secret_basic', value: 'client_secret_basic'},
{label: 'client_secret_post', value: 'client_secret_post'},
{label: 'none (PKCE)', value: 'none'},
{label: 'private_key_jwt', value: 'private_key_jwt'},
]}
>
<TabItem value="client_secret_basic">
Send your `client_id` and `client_secret` as Basic Auth Header. Check [Client Secret Basic Auth Method](authn-methods#client-secret-basic) on how to build it correctly.
When using `client_secret_post`
</TabItem>
<TabItem value="client_secret_post">
Send your `client_id` and `client_secret` as parameters in the body:
@ -164,38 +286,69 @@ Send your `client_id` and `client_secret` as parameters in the body:
| client_id | client_id of the application |
| client_secret | client_secret of the application |
When using `none` (PKCE)
</TabItem>
<TabItem value="none">
Send your `client_id` as parameter in the body. No authentication is required.
When using `private_key_jwt`
</TabItem>
<TabItem value="private_key_jwt">
Send a client assertion as JWT for us to validate the signature against the registered public key.
Send a `client_assertion` as JWT for us to validate the signature against the registered public key.
| Parameter | Description |
| --------------------- | --------------------------------------------------------------------------------------------------------------- |
| client_assertion | JWT built and signed according to [Using JWTs for Client Authentication](authn-methods#jwt-with-private-key) |
| client_assertion_type | Must be `urn:ietf:params:oauth:client-assertion-type:jwt-bearer` |
</TabItem>
</Tabs>
#### Successful refresh token response {#token-refresh-response}
| Property | Description |
| ------------- | ------------------------------------------------------------------------------------- |
| access_token | An `access_token` as JWT or opaque token |
| expires_in | Number of second until the expiration of the `access_token` |
| id_token | An `id_token` of the authorized user |
| scope | Scopes of the `access_token`. These might differ from the provided `scope` parameter. |
| refresh_token | An new opaque refresh_token. |
| token_type | Type of the `access_token`. Value is always `Bearer` |
### Error response
> //TODO: errors
## introspection_endpoint
[https://api.zitadel.ch/oauth/v2/introspect](https://api.zitadel.ch/oauth/v2/introspect)
This endpoint enables client to validate an `acccess_token`, either opaque or JWT. Unlike client side JWT validation,
this endpoint will check if the token is not revoked (by client or logout).
| Parameter | Description |
| --------- | --------------- |
| token | An access token |
Depending on your authorization method you will have to provide additional parameters or headers:
When using `client_secret_basic`
<Tabs
groupId="introspect-auth-methods"
defaultValue="client_secret_basic"
values={[
{label: 'client_secret_basic', value: 'client_secret_basic'},
{label: 'private_key_jwt', value: 'private_key_jwt'},
]}
>
<TabItem value="client_secret_basic">
Send your `client_id` and `client_secret` as Basic Auth Header. Check [Client Secret Basic Auth Method](authn-methods#client-secret-basic) on how to build it correctly.
---
</TabItem>
When using `private_key_jwt`
<TabItem value="private_key_jwt">
Send a client assertion as JWT for us to validate the signature against the registered public key.
Send a `client_assertion` as JWT for us to validate the signature against the registered public key.
| Parameter | Description |
| --------------------- | ----------------------------------------------------------------------------------------------------------- |
@ -211,10 +364,49 @@ curl --request POST \
--data token=VjVxyCZmRmWYqd3_F5db9Pb9mHR5fqzhn...
```
</TabItem>
</Tabs>
### Successful introspection response {#introspect-response}
Upon successful authorization of the client a response with the boolean `active` is returned, indicating if the provided token
is active and the requesting client is part of the token audience.
If `active` is **true**, further information will be provided:
| Property | Description |
| --------- | ---------------------------------------------------- |
| scope | Space delimited list of scopes granted to the token. |
Additionally and depending on the granted scopes, information about the authorized user is provided.
Check the [Claims](claims) page if a specific claims might be returned and for detailed description.
### Error response {#introspect-error-response}
If the authorization fails, an HTTP 401 with `invalid_client` will be returned.
## userinfo_endpoint
[https://api.zitadel.ch/oauth/v2/userinfo](https://api.zitadel.ch/oauth/v2/userinfo)
This endpoint will return information about the authorized user.
Send the `access_token` of the **user** (not the client) as Bearer Token in the `authorization` header:
```BASH
curl --request GET \
--url https://api.zitadel.ch/oauth/v2/userinfo
--header 'Authorization: Bearer dsfdsjk29fm2as...'
```
### Successful userinfo response {#userinfo-response}
If the `access_token` is valid, the information about the user depending on the granted scopes is returned.
Check the [Claims](claims) page if a specific claims might be returned and for detailed description.
### Error response {#userinfo-error-response}
If the token is invalid or expired, an HTTP 401 will be returned.
## end_session_endpoint
[https://accounts.zitadel.ch/oauth/v2/endsession](https://accounts.zitadel.ch/oauth/v2/endsession)

2
docs/docs/apis/openidoauth/scopes.md
View File

@ -24,7 +24,7 @@ In addition to the standard compliant scopes we utilize the following scopes.
| Scopes | Example | Description |
|:-------------------------------------------------|:-------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| urn:zitadel:iam:org:project:role:{rolename} | `urn:zitadel:iam:org:project:role:user` | By using this scope a client can request the claim urn:zitadel:iam:roles:rolename} to be asserted when possible. As an alternative approach you can enable all roles to be asserted from the [project](../../guides/usage/projects) a client belongs to. |
| urn:zitadel:iam:org:project:role:{rolename} | `urn:zitadel:iam:org:project:role:user` | By using this scope a client can request the claim urn:zitadel:iam:roles:rolename} to be asserted when possible. As an alternative approach you can enable all roles to be asserted from the [project](../../guides/basics/projects) a client belongs to. |
| urn:zitadel:iam:org:domain:primary:{domainname} | `urn:zitadel:iam:org:domain:primary:acme.ch` | When requesting this scope **ZITADEL** will enforce that the user is a member of the selected organization. If the organization does not exist a failure is displayed |
| urn:zitadel:iam:role:{rolename} | | |
| `urn:zitadel:iam:org:project:id:{projectid}:aud` | ZITADEL's Project id is `urn:zitadel:iam:org:project:id:69234237810729019:aud` | By adding this scope, the requested projectid will be added to the audience of the access and id token |

2
docs/docs/apis/proto/policy.md
View File

@ -17,7 +17,7 @@ title: zitadel/policy.proto
| ----- | ---- | ----------- | ----------- |
| details | zitadel.v1.ObjectDetails | - | |
| primary_color | string | hex value for primary color | |
| is_default | bool | defines if the organisation's admin changed the policy | |
| is_default | bool | defines if the organization's admin changed the policy | |
| hide_login_name_suffix | bool | hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set. Details about this scope in https://docs.zitadel.ch/concepts#Reserved_Scopes | |
| warn_color | string | hex value for secondary color | |
| background_color | string | hex value for background color | |

7
docs/docs/concepts/introduction.md
View File

@ -2,11 +2,6 @@
title: Introduction
---
> All documentations are under active work and subject to change soon!
This part of the **ZITADEL** documentation comprises twoo major subject areas:
1. ZITADEL Architecture
2. Principles
This part of the **ZITADEL** documentation contains ZITADEL specific or general concepts required to understand the system or our guides.
Please be reminded that ZITADEL is open source — and so is the documentation. Should you happen to stumble over an incorrectness, a spelling mistake, a hard-to-understand text passage, please dont hesitate to leave a comment or propose a corresponding change.

23
docs/docs/manuals/admin-managers.md → docs/docs/concepts/managers.md
View File

@ -2,30 +2,29 @@
title: ZITADEL Managers
---
ZITADEL Managers are Users who have permission to manage ZITADEL itself. There are some different levels for managers.
- **IAM Managers**: This is the highest level. Users with IAM Manager roles are able to manage the whole IAM.
- **Org Managers**: Managers in the Organisation Level are able to manage everything within the granted Organisation.
- **Org Managers**: Managers in the Organization Level are able to manage everything within the granted Organization.
- **Project Mangers**: In this level the user is able to manage a project.
- **Project Grant Manager**: The project grant manager is for projects, which are granted of another organisation.
- **Project Grant Manager**: The project grant manager is for projects, which are granted of another organization.
To configure managers in ZITADEL go to the resource where you like to add it (e.g IAM, Organisation, Project, GrantedProject).
To configure managers in ZITADEL go to the resource where you like to add it (e.g IAM, Organization, Project, GrantedProject).
In the right part of the console you can finde **MANAGERS** in the details part. Here you have a list of the current managers and can add a new one.
## Roles
| Role | Description |
|---|---|
| IAM_OWNER | Manage the IAM, manage all organisations with their content |
| IAM_OWNER_VIEWER | View the IAM and view all organisations with their content |
| ORG_OWNER | Manage everything within an organisation |
| ORG_OWNER_VIEWER | View everything within an organisation |
| IAM_OWNER | Manage the IAM, manage all organizations with their content |
| IAM_OWNER_VIEWER | View the IAM and view all organizations with their content |
| ORG_OWNER | Manage everything within an organization |
| ORG_OWNER_VIEWER | View everything within an organization |
| ORG_USER_PERMISSION_EDITOR | Manage user grants and view everything needed for this |
| ORG_PROJECT_PERMISSION_EDITOR | Grant Projects to other organisations and view everything needed for this |
| ORG_PROJECT_CREATOR | This role is used for users in the global organisation. They are allowed to create projects and manage them. |
| ORG_PROJECT_PERMISSION_EDITOR | Grant Projects to other organizations and view everything needed for this |
| ORG_PROJECT_CREATOR | This role is used for users in the global organization. They are allowed to create projects and manage them. |
| PROJECT_OWNER | Manage everything within a project. This includes to grant users for the project. |
| PROJECT_OWNER_VIEWER | View everything within a project.|
| PROJECT_OWNER_GLOBAL | Same as PROJECT_OWNER, but in the global organisation. |
| PROJECT_OWNER_VIEWER_GLOBAL | Same as PROJECT_OWNER_VIEWER, but in the global organisation. |
| PROJECT_OWNER_GLOBAL | Same as PROJECT_OWNER, but in the global organization. |
| PROJECT_OWNER_VIEWER_GLOBAL | Same as PROJECT_OWNER_VIEWER, but in the global organization. |
| PROJECT_GRANT_OWNER | Same as PROJECT_OWNER but for a granted proejct. |

32
docs/docs/manuals/admin-policies.md → docs/docs/concepts/policies.md
View File

@ -7,14 +7,14 @@ The default configuration can be overridden for each organization.
## General
You can find these settings in the menu organisation in the section polcies.
Each policy can be overriden and resetted to the default.
You can find these settings in the menu organization in the section polcies.
Each policy can be overridden and reset to the default.
## Password Complexity
With the password complexity policy you can define the requirements for a users password.
The following properties can be set:
The following properties can be set:
- Minimum Length
- Has Uppercase
- Has Lowercase
@ -37,23 +37,13 @@ The Login Policy defines how the login process should look like and which authen
![Login Policy](/img/manuals/policies/console_org_login.png)
## Lockout Policy
Define when a user should be blocked.
The following properties are possible:
- Maximum Password Attempts: When the user has reached the maximum password attempts the user will be locked
If a user is locked, an administrator has to unlock it in the ZITADEL console
### Multifactors / Second Factors
In the multifactors section you can configure what kind of multifactors should be allowed. For passwordless to work, it's required to enable U2F (Universial Second Factor) with PIN. There is no other option at the moment.
Multifactors:
Multifactors:
- U2F (Universal Second Factor) with PIN
Secondfactors:
Secondfactors:
- OTP (One Time Password)
- U2F (Universal Second Factor)
@ -65,7 +55,17 @@ You can configure all kinds of external identity providers for identity brokerin
Create a new identity provider configuration and enable it in the list afterwards.
For a detailed guide about how to configure a new identity provider for identity brokering have a look at our guide:
[Identity Brokering](../guides/usage/identity-brokering)
[Identity Brokering](../guides/authentication/identity-brokering)
## Lockout Policy
Define when an account should be locked.
The following settings are available:
- Maximum Password Attempts: When the user has reached the maximum password attempts the account will be locked
If an account is locked, the administrator has to unlock it in the ZITADEL console
## Private Labeling / Branding

79
docs/docs/concepts/usecases/saas.md Normal file
View File

@ -0,0 +1,79 @@
---
title: Saas Product with Authentication and Authorization
---
This is an example architecture for a typical SaaS product.
To illustrate it, a fictional organization and project is used.
## Example Case
The Timing Company has a product called Time.
They have two environments, the development and the production environment.
In this case Time uses authentication and authorizations from ZITADEL.
This means that the users and also their authorizations will be managed within ZITADEL.
![Architecture](/img/concepts/usecase/saas.png)
## Organization
An organization is the ZITADEL resource which contains users, projects, applications, policies and so on.
In an organization projects and users are managed by the organization.
You need at least one organization for your own company in our case "The Timing Company".
For your customers you have different possibilities:
1. Your customer already owns an organization in ZITADEL
2. Your customer creates a new organization in ZITADEL by itself
3. You create an organization for your customer (If you like to verify the domain, the customer has to do it)
:::info
Subscriptions are organization based. This means, that each organization can choose their own tier based on the needed features.
:::
## Project
The idea of projects is to have a vessel for all components who are closely related to each other.
In this use case we would have two different projects, for each environment one. So lets call it "Time Dev" and "Time Prod".
These projects should be created in "The Timing Company" organization, because it is the owner of the project.
In the project you will configure all your roles and applications (clients and APIs).
### Project Settings
You can configure `check roles on authentication` on the project, if you want to restrict access to users that have the correct authorization for the project.
### Project Grant
To give a customer permissions to a project, a project grant to the customers organization is needed (search the granted organization by its domain).
It is also possible to delegate only specific roles of the project to a certain customer.
As soon as a project grant exists, the customer will see the project in the granted projects section of his organization and will be able to authorize his own users to the given project.
## Authorizations
To give a user permission to a project an authorization is needed.
All organizations which own the project or received a grant are able to authorize users.
It is also possible to authorize users outside the own company if the exact login name of the user is known.
## Project Login
There are some different use cases how the login should behave and look like:
1. Restrict Organization
With the primary domain scope the organization will be restricted to the requested domain, this means only users of the requestd organization will be able to login.
The private labeling (branding) and the login policy of the requested organization will be set automatically.
:::note
More about the [Scopes](../../apis/openidoauth/scopes)
:::
2. Show private labeling (branding) of the project organization
You can configure on project-level which branding should be shown to users.
In the default the design of ZITADEL will be shown, but as soon as the user is identified, the policy of the users organization will be triggered.
If the setting is set to `Ensure Project Resource Owner Setting`, the private labeling of the project organization will always be triggered.
The last possibility is to show the private labeling of the project organization and as soon as the user is identitfied the user organization settings will be triggered.
For this the Allow User Resource Owner Setting should be set.
:::note
More about [Private Labeling](../../guides/customization/branding)
:::

16
docs/docs/guides/usage/access-zitadel-apis.md → docs/docs/guides/api/access-zitadel-apis.md
View File

@ -21,8 +21,8 @@ title: Access ZITADEL APIs
<td>Prerequisites</td>
<td>
<ul>
<li>Knowledge of <a href="/docs/guides/usage/oauth-recommended-flows">Recommended Authorization Flows</a></li>
<li>Knowledge of <a href="/docs/guides/usage/serviceusers">Service Users</a></li>
<li>Knowledge of <a href="/docs/guides/authorization/oauth-recommended-flows">Recommended Authorization Flows</a></li>
<li>Knowledge of <a href="/docs/guides/authentication/serviceusers">Service Users</a></li>
</ul>
</td>
</tr>
@ -33,18 +33,18 @@ title: Access ZITADEL APIs
ZITADEL Managers are Users who have permission to manage ZITADEL itself. There are some different levels for managers.
- **IAM Managers**: This is the highest level. Users with IAM Manager roles are able to manage the whole IAM.
- **Org Managers**: Managers in the Organisation Level are able to manage everything within the granted Organisation.
- **Org Managers**: Managers in the Organization Level are able to manage everything within the granted Organization.
- **Project Mangers**: In this level the user is able to manage a project.
- **Project Grant Manager**: The project grant manager is for projects, which are granted of another organisation.
- **Project Grant Manager**: The project grant manager is for projects, which are granted of another organization.
On each level we have some different Roles. Here you can find more about the different roles: [ZITADEL Manager Roles](../../manuals/admin-managers)
On each level we have some different Roles. Here you can find more about the different roles: [ZITADEL Manager Roles](../../concepts/managers)
## Exercise: Add ORG_OWNER to Service User
Make sure you have a Service User with a Key. (For more detailed informations about creating a service user go to [Service User](serviceusers))
Make sure you have a Service User with a Key. (For more detailed informations about creating a service user go to [Service User](../authentication/serviceusers))
1. Navigate to Organisation Detail
1. Navigate to Organization Detail
2. Click the **+** button in the right part of console, in the managers part of details
3. Search the user and select it
4. Choose the role ORG_OWNER
@ -54,7 +54,7 @@ Make sure you have a Service User with a Key. (For more detailed informations ab
## Authenticating a service user
In ZITADEL we use the `private_jwt` (**“JWT bearer token with private key”**, [RFC7523](https://tools.ietf.org/html/rfc7523)) authorization grant for this non-interactive authentication.
This is already described in the [Service User](serviceusers), so make sure you follow this guide.
This is already described in the [Service User](../authentication/serviceusers), so make sure you follow this guide.
### Request an OAuth token, with audience for ZITADEL

8
docs/docs/guides/usage/identity-brokering.md → docs/docs/guides/authentication/identity-brokering.md
View File

@ -22,7 +22,7 @@ title: Identity Brokering
<td>Prerequisites</td>
<td>
<ul>
<li>Knowledge of <a href="/docs/guides/usage/organizations">Organizations</a></li>
<li>Knowledge of <a href="/docs/guides/basics/organizations">Organizations</a></li>
</ul>
</td>
</tr>
@ -66,9 +66,9 @@ Google Example:
![Add new oAuth credentials in Google Console](/img/google_add_credentials.gif)
### 2. Add custom login policy on your organisation
### 2. Add custom login policy on your organization
1. Go to your organisation settings by clicking on "Organisation" in the menu or using the following link: <https://console.zitadel.ch/org>
1. Go to your organization settings by clicking on "Organization" in the menu or using the following link: <https://console.zitadel.ch/org>
2. Modify your login policy
3. As long as you have the default policy, you can't change the policy. Click create custom policy to set your on settings.
@ -83,7 +83,7 @@ Google Example:
- You can choose what fields you like to map as the display name and as username. The fields you can choose are preferred_username and email
(Example: For Google you should choose email for both fields)
3. Save your configuration
4. Link your new configuration to your login policy. By searching in the organisation category you will get you own configuration. If you choose system you can link all predefined providers.
4. Link your new configuration to your login policy. By searching in the organization category you will get you own configuration. If you choose system you can link all predefined providers.
![Configure identity provider](/img/console_org_identity_provider.gif)

340
docs/docs/guides/authentication/login-users.md Normal file
View File

@ -0,0 +1,340 @@
---
title: Login Users into your Application
---
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
import CodeFlowChart from '../../imports/_code-flow-chart.md';
## Overview
This guide will show you how to use ZITADEL to login users into your application (authentication).
It will guide you step-by-step through the basics and point out on how to customize process.
## OIDC / OAuth Flow
OAuth and therefore OIDC know three different application types:
- Web (Server-side web applications such as java, .net, ...)
- Native (native, mobile or desktop applications)
- User Agent (single page applications / SPA, generally JavaScript executed in the browser)
Depending on the app type you're trying to register, there are small differences.
But regardless of the app type we recommend using Proof Key for Code Exchange (PKCE).
Please read the following guide about the [different-client-profiles](../authorization/oauth-recommended-flows#different-client-profiles) and why to use PKCE.
### Code Flow
For a basic understanding of OAuth and its flows, we'll briefly describe the most important flow: **Authorization Code**.
The following diagram demonstrates a basic authorization_code flow:
<CodeFlowChart />
1. When an unauthenticated user visits your application,
2. you will create an authorization request to the authorization endpoint.
3. The Authorization Server (ZITADEL) will send an HTTP 302 to the user's browser, which will redirect him to the login UI.
4. The user will have to authenticate using the demanded auth mechanics.
5. Your application will be called on the registered callback path (redirect_uri) and be provided an authorization_code.
6. This authorization_code must then be sent together with you applications authentication (client_id + client_secret) to the token_endpoint
7. In exchange the Authorization Server (ZITADEL) will return an access_token and if requested a refresh_token and in the case of OIDC an id_token as well
This flow is the same when using PKCE or JWT with Private Key for authentication.
## Create Application
To create an application, open your project in Console and start by clicking on the "New" button in the Application section.
#### Application type
This will start a wizard asking you for an application name and a type.
<Tabs
groupId="app-type"
default="web"
values={[
{'label': 'Web Application', 'value': 'web'},
{'label': 'Native Application', 'value': 'native'},
{'label': 'Single Page Application', 'value': 'spa'},
]}
>
<TabItem value="web">
#### Authentication method
After selecting WEB, you'll next have to choose an authentication method. As mentioned before we recommend using PKCE.
For even better security you could switch to JWT or just rely on the standard Code Flow. For security reasons we don't
recommend using POST and will not cover it in this guide.
Please change the authentication method here as well, if you did so in the wizard, so we can better guide you through the process:
<Tabs
groupId="auth-type"
default="pkce"
values={[
{'label': 'PKCE', 'value': 'pkce'},
{'label': 'Basic Auth', 'value': 'basic'},
{'label': 'JWT with Private Key', 'value': 'jwt'},
]}
>
</Tabs>
#### redirect_uri
After selecting the authentication method, you can register a redirect_uri and post_logout_redirect_uri.
The redirect_uri will be called after user authentication for code exchange.
You can even register multiple, but typically one will be enough. If you need to distinguish between different scenarios
or environments we recommend using the `state` parameter for the former and multiple projects for the latter.
</TabItem>
<TabItem value="native">
#### Authentication method
When selecting Native the authentication method always needs to be PKCE.
<Tabs
groupId="auth-type"
default="pkce"
values={[
{'label': 'PKCE', 'value': 'pkce'},
]}
>
</Tabs>
#### redirect_uri
Native clients might have to register multiple redirect_uris as operating system have different requirements.
Typically, you register a redirect_uri starting with a custom protocol, e.g. `ch.zitadel.app://callback`.
You're also allowed to use http://localhost, http://127.0.0.1 and http:[::1] without specifying a port: `http://locahost/callback`.
#### post creation actions
After the application creation, you might want to set additional options like `refresh_token` and `additional origins`.
If you want to request refresh_tokens and use them to renew the user's access_tokens without their interaction,
enable them in the OIDC Configuration section by ticking the checkbox.
When calling the userinfo_endpoint or any ZITADEL API, we will check if an origin header is sent. This is automatically done
by the user agent. If one is sent we will check if the origin is allowed for your application. By default, all computed
origins of the redirect_uri list are allowed.
So if your native app is built with a JavaScript base framework like ReactNative and you only specified redirect_uris
with a custom protocol, you will need to add the origin where the app is served from, e.g. `http://localhost:8100`.
</TabItem>
<TabItem value="spa">
#### Authentication method
When selecting SPA the recommended authentication method is again PKCE. All common Frameworks like Angular, React, Vue.js and so on
are able to successfully authenticate with PKCE. Our Managament UI Console for instance uses PKCE as well.
<Tabs
groupId="auth-type"
default="pkce"
values={[
{'label': 'PKCE', 'value': 'pkce'},
{'label': 'Implicit', 'value': 'implicit'},
]}
>
<TabItem value="pkce"></TabItem>
<TabItem value="implicit">
:::caution Security Notice
In contrast to the Code Flow, where you'll receive a code for token exchange, with the implicit flow you'll receive
the tokens directly from the authorization endpoint. This is unsecure and might lead to token leakage and replay attacks.
It will further be removed in OAuth 2.1 for the exact same reason.
We therefore discourage the use of Implicit Flow and do not cover the flow in this guide.
:::
If you still need to rely on the implicit flow, simply keep in mind that the response on the authorization_endpoint is
the same you would be given on the token_endpoint and check the [OAuth / OIDC endpoint documentation](../../apis/openidoauth/endpoints.md) for more information.
</TabItem>
</Tabs>
#### redirect_uri
After selecting the authentication method, you can register a redirect_uri and post_logout_redirect_uri.
The redirect_uri will be called after user authentication for code exchange.
You can even register multiple, but typically one will be enough. If you need to distinguish between different scenarios
or environments we recommend using the `state` parameter for the former and multiple projects for the latter.
</TabItem>
</Tabs>
## Auth Request
To initialize the user authentication, you will have to create an authorization request using HTTP GET in the user agent (browser)
on /authorize with at least the following parameters:
- `client_id`: this tells the authorization server which application it is, copy from Console
- `redirect_uri`: where the authorization code is sent to after the user authentication, must be one of the registered in the previous step
- `response_type`: if you want to have a code (authorization code flow) or directly a token (implicit flow), so when ever possible use `code`
- `scope`: what scope you want to grant to the access_token / id_token, minimum is `openid`, if you're unsure what you need you might start with `openid profile email`
We recommend always using two additional parameters `state` and `nonce`. The former enables you to transfer a state through
the authentication process. The latter is used to bind the client session with the id_token and to mitigate replay attacks.
Depending on your authentication method you might need to provide additional parameters:
<Tabs
groupId="auth-type"
default="pkce"
values={[
{'label': 'PKCE', 'value': 'pkce'},
{'label': 'Basic Auth', 'value': 'basic'},
{'label': 'JWT with Private Key', 'value': 'jwt'},
]}
>
<TabItem value="pkce">
PKCE stands for Proof Key for Code Exchange. So other than "normal" code exchange, the does not authenticate using
client_id and client_secret but an additional code. You will have to generate a random string, hash it and send this hash
on the authorization_endpoint. On the token_endpoint you will then send the plain string for the authorization to compute
the hash as well and to verify it's correct. In order to do so you're required to send the following two parameters as well:
- `code_challenge`: the base64url representation of the (sha256) hash of your random string
- `code_challenge_method`: must always be `S256` standing for sha256, this is the only algorithm we support
For example for `random-string` the code_challenge would be `9az09PjcfuENS7oDK7jUd2xAWRb-B3N7Sr3kDoWECOY`
The request would finally look like (linebreaks and whitespace for display reasons):
```curl
curl --request GET \
--url 'https://accounts.zitadel.ch/oauth/v2/authorize
?client_id=${client_id}
&redirect_uri=${redirect_uri}
&response_type=code
&scope=openid%20email%20profile
&code_challenge=${code_challenge}
&code_challenge_method=S256'
```
</TabItem>
<TabItem value="basic">
You don't need any additional parameter for this request. We're identifying the app by the `client_id` parameter.
So your request might look like this (linebreaks and whitespace for display reasons):
```curl
curl --request GET \
--url 'https://accounts.zitadel.ch/oauth/v2/authorize
?client_id=${client_id}
&redirect_uri=${redirect_uri}
&response_type=code
&scope=openid%20email%20profile'
```
</TabItem>
<TabItem value="jwt">
You don't need any additional parameter for this request. We're identifying the app by the `client_id` parameter.
So your request might look like this (linebreaks and whitespace for display reasons):
```curl
curl --request GET \
--url 'https://accounts.zitadel.ch/oauth/v2/authorize
?client_id=${client_id}
&redirect_uri=${redirect_uri}
&response_type=code
&scope=openid%20email%20profile'
```
</TabItem>
</Tabs>
### Additional parameters and customization
There are additional parameters and values you can provide to satisfy your use case and to customize the user's authentication flow.
Please check the [authorization_endpoint reference](../../apis/openidoauth/endpoints.md#authorization_endpoint) in the OAuth / OIDC documentation.
## Callback
Regardless of a successful or error response from the authorization_endpoint, the authorization server will call your
callback endpoint you provided by the `redirect_uri`.
:::note
If the redirect_uri is not provided, was not registered or anything other prevents the auth server form returning the response to the client,
the error will be display directly to the user on the auth server.
:::
Upon successful authentication you'll be given a `code` and if provided the unmodified `state` parameter.
You will need this `code` in the token request.
If a parameter was missing, malformed or any other error occurred, your answer will contain an `error` stating the error type,
possibly an `error_description` providing some information about the error and its reason and the `state` parameter.
Check the [error response section](../../apis/openidoauth/endpoints#error-response) in the authorization_endpoint reference.
## Token request
Next you will have to exchange the given `code` for the tokens. For this HTTP POST request (form-urlencoded) you will need to provide the following:
- code: the code that was issued from the authorization request
- grant_type: must be `authorization_code`
- redirect_uri: callback uri where the code was sent to. Must match exactly the redirect_uri of the authorization request
Depending on your authentication method you'll need additional headers and parameters:
<Tabs
groupId="auth-type"
defaultValue="pkce"
values={[
{label: 'PKCE', value: 'pkce'},
{label: 'Basic Auth', value: 'basic'},
{label: 'JWT with Private Key', value: 'jwt'},
]}
>
<TabItem value="pkce">
Send your `client_id` and the previously generated string as `code_verifier` for us to recompute the `code_challenge` of the authorization request:
```curl
curl --request POST \
--url https://api.zitadel.ch/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=authorization_code \
--data code=${code} \
--data redirect_uri=${redirect_uri} \
--data client_id=${client_id} \
--data code_verifier=${code_verifier}
```
</TabItem>
<TabItem value="basic">
Send your `client_id` and `client_secret` as Basic Auth Header. Note that OAuth2 requires client_id and client_secret to be form url encoded.
So check [Client Secret Basic Auth Method](../../apis/openidoauth/authn-methods#client-secret-basic) on how to build it correctly.
```curl
curl --request POST \
--url https://api.zitadel.ch/oauth/v2/token \
--header 'Authorization: Basic ${basic}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=authorization_code \
--data code=${code} \
--data redirect_uri=${redirect_uri}
```
</TabItem>
<TabItem value="jwt">
Send a JWT in the `client_assertion` and set the `client_assertion_type` to `urn:ietf:params:oauth:client-assertion-type:jwt-bearer`
for us to validate the signature against the registered public key:
```curl
curl --request POST \
--url https://api.zitadel.ch/oauth/v2/token \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data grant_type=authorization_code \
--data code=${code} \
--data redirect_uri=${redirect_uri} \
--data client_assertion=${client_assertion} \
--data client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
```
</TabItem>
</Tabs>

2
docs/docs/guides/usage/serviceusers.md → docs/docs/guides/authentication/serviceusers.md
View File

@ -22,7 +22,7 @@ title: Service Users
<td>Prerequisites</td>
<td>
<ul>
<li>Knowledge of <a href="/docs/guides/usage/oauth-recommended-flows">Recommended Authorization Flows</a></li>
<li>Knowledge of <a href="/docs/guides/authorization/oauth-recommended-flows">Recommended Authorization Flows</a></li>
</ul>
</td>
</tr>

29
docs/docs/guides/usage/oauth-recommended-flows.md → docs/docs/guides/authorization/oauth-recommended-flows.md
View File

@ -2,11 +2,30 @@
title: Recommended authorization flows
---
| | |
| --- | --- |
| Description | Learn about the different authentication flows and which flow we recommend you should use for your application. |
| Learning Outcomes | In this module you will: <ul><li>Learn the basics of federated identities</li><li>Understand the basics of OAuth 2.x client profiles and their importance for authorization flows</li><li>Get a recommended flow for Web, Native, User-Agent, and API</li></ul> |
| Prerequisites | Basic knowledge about federated identities. |
<table class="table-wrapper">
<tr>
<td>Description</td>
<td>Learn about the different authentication flows and which flow we recommend you should use for your application.</td>
</tr>
<tr>
<td>Learning Outcomes</td>
<td>
In this module you will:
<ul>
<li>Learn the basics of federated identities</li>
<li>Understand the basics of OAuth 2.x client profiles and their importance for authorization flows</li>
<li>Get a recommended flow for Web, Native, User-Agent, and API</li>
</ul>
</td>
</tr>
<tr>
<td>Prerequisites</td>
<td>
Basic knowledge about federated identities
</td>
</tr>
</table>
## Introduction

0
docs/docs/guides/usage/get-started.md → docs/docs/guides/basics/get-started.md
View File

0
docs/docs/guides/usage/organizations.md → docs/docs/guides/basics/organizations.md
View File

0
docs/docs/guides/usage/projects.md → docs/docs/guides/basics/projects.md
View File

45
docs/docs/guides/customization/branding.md Normal file
View File

@ -0,0 +1,45 @@
---
title: Brand Customization
---
ZITADEL offers various customization options for your projects brand design.
Head over to the Private Labeling Policy on your Organization Page.
## How it works
You are able to customize the light and a dark mode separately.
All your changes will be shown in the preview window on the right side.
As soon as you are happy with your configuration click the "Apply configuration" button.
After this your settings will trigger in your system. The login and the emails will be sent with your branding.
## Settings
![Private Labeling](/img/console_private_labeling.png)
### Logo
Upload your logo for the chosen theme, as soon as it is uploaded the preview on the right side of the screen should show it.
### Colors
In the next part you can configure your colors.
Background colour is self-explanatory, the primary color will be used for buttons, links and some highlights.
The warn color is used for all the error messages and warnings and the font colour for texts.
### Font
Last step to apply to your branding is the font upload.
The best way is to upload a ttf file after a successful upload you will see it in the font part, but not in the preview.
### Advanced Settings
In the advanced behavior you can choose if the loginname suffix (domain e.g road.runner@acme.caos.ch) should be shown in the loginname screen or not and if the “ZITADEL watermark” should be hidden.
## Trigger the private labeling for the login
If you like to trigger your settings for your applications you have different possibilities.
### 1. Primary Domain Scope
Send a primary domain scope with your authorization request to trigger your organization.
The primary domain scope will restrict the login to your organization, so only users of your own organization will be able to login.
### 2. Setting on your Project
Set the private labeling setting on your project to define which branding should trigger.
## Reset to default
If you don't like your customization anymore click the "reset policy" button.
All your settings will be removed and the default settings of the system will trigger.

29
docs/docs/guides/customization/texts.md Normal file
View File

@ -0,0 +1,29 @@
---
title: Customized Texts
---
You are able to customize the texts used from ZITADEL.
## Message Texts
Sometimes the users will get an email or phone message from ZITADEL (e.g Password Reset Request).
ZITADEL already has some good standard texts, but maybe you would like to customize it for your organization.
Go to the message text policy on your organization and you will find the different kinds of messages that are sent from ZITADEL.
Choose the template and the language you like to edit.
You can now change all the texts from a message.
As soon as you click into a input field you will see some attribute chips below the field.
These are the parameters you can include on this specific message.
![Message Texts](/img/console_message_texts.png)
## Login Texts
Like the message texts you are also able to change the texts on the login interface.
First choose the screen and the language you like to edit.
You will see the default texts in the input field and you can overwrite them by typing into the box.
![Message Texts](/img/console_login_texts.png)
## Reset to default
If you don't like your customization anymore click the "reset policy" button.
All your settings will be removed and the default settings of the system will trigger.

4
docs/docs/guides/installation/shared-cloud.md
View File

@ -6,6 +6,6 @@ title: Shared Cloud at zitadel.ch
I'd like to simply use ZITADEL without having to take care of any operational tasks.
:::
Just register your [Organization](../usage/organizations) at [zitadel.ch](https://console.zitadel.ch) and start by using [ZITADEL Free](https://zitadel.ch/pricing). You will immediately be able to integrate as many applications with as many users as you want. Serve your users multiple secure login methods for free.
Just register your [Organization](../basics/organizations) at [zitadel.ch](https://console.zitadel.ch) and start by using [ZITADEL Free](https://zitadel.ch/pricing). You will immediately be able to integrate as many applications with as many users as you want. Serve your users multiple secure login methods for free.
[Jump](../usage/get-started) to the more detailed docs.
[Jump](../basics/get-started) to the more detailed docs.

2
docs/docs/guides/introduction.md
View File

@ -4,6 +4,6 @@ title: Introduction
With our guides you will learn everything you need to know about specific topics. You get step-by-step instructions for certain tasks and have a knowledge check at the end.
You can either use our cloud-instance [zitadel.ch](https://zitadel.ch) or deploy a dedicated **ZITADEL** instance. To get started, we recommend you to try out our free tier first. Jump directly to the [get started](./usage/get-started) docs.
You can either use our cloud-instance [zitadel.ch](https://zitadel.ch) or deploy a dedicated **ZITADEL** instance. To get started, we recommend you to try out our free tier first. Jump directly to the [get started](./basics/get-started) docs.
When you are familiar with the ZITADEL usage, you can choose to stay on [zitadel.ch](./installation/shared-cloud), order your own [dedicated instance](./installation/shared-cloud) which is also availabe on premise, or install ZITADEL easily on your own using [Custom Kubernetes Resources](./installation/crd), [GitOps](./installation/gitops) or [ORBOS](./installation/orbos).

14
docs/docs/imports/_code-flow-chart.md Normal file
View File

@ -0,0 +1,14 @@
```mermaid
sequenceDiagram
autonumber
participant RO as Resource Owner (User)
participant App
participant AS as Authorization Server (ZITADEL)
RO-->>App: Open App
App->>AS: Authorization Rrequest to /authorize
AS->>RO: redirect to login
RO->>AS: user authentication
AS->>App: authorization code response
App->>AS: authorization code + client authentication to /token
AS->>App: access_token (refresh_token, id_token)
```

2
docs/docs/legal/terms-of-service.md
View File

@ -8,7 +8,7 @@ custom_edit_url: null
CAOS Ltd. (**"We"**, **CAOS AG**, or simply **CAOS**), with head office in Teufener Strasse 19, 9000 St. Gallen, Switzerland, offers "Identity and Access Management as service" with the brand name "ZITADEL Cloud Services" and all of our Websites (**Services** or **ZITADEL Cloud**).
The customer relationship (**Framework Agreement** or **The Agreement**) is created by the **Customer** (**"you"**) by creating a user or organisation within the ZITADEL Cloud Service. On the basis of this Framework Agreement you may then choose to make use of payable services (**Subscription**) as you wish, i.e. you may book services, options and packages yourself at any time (**Booking**, **Purchase Order**) and subsequently terminate them.
The customer relationship (**Framework Agreement** or **The Agreement**) is created by the **Customer** (**"you"**) by creating a user or organization within the ZITADEL Cloud Service. On the basis of this Framework Agreement you may then choose to make use of payable services (**Subscription**) as you wish, i.e. you may book services, options and packages yourself at any time (**Booking**, **Purchase Order**) and subsequently terminate them.
The terms of service (**"TOS"**) outlined in this document establish the most important points of this Framework Agreement independently of the use of any services.

10
docs/docs/quickstarts/dot-net.md → docs/docs/quickstarts/call-zitadel-api/dot-net.md
View File

@ -5,7 +5,7 @@ title: .NET
This integration guide shows you how to integrate **ZITADEL** into your .NET application.
It demonstrates how to fetch some data from the ZITADEL management API.
At the end of the guide you should have an application able to read the details of your organisation.
At the end of the guide you should have an application able to read the details of your organization.
If you need any other information about the .NET SDK go to the [documentation](https://caos.github.io/zitadel-net/) of the SDK itself.
## Prerequisites
@ -13,9 +13,9 @@ If you need any other information about the .NET SDK go to the [documentation](h
The client [SDK](https://github.com/caos/zitadel-net) will handle all necessary OAuth 2.0 requests and send the required headers to the ZITADEL API.
All that is required, is a service account with an Org Owner (or another role, depending on the needed api requests) role assigned and its key JSON.
However, we recommend you read the guide on [how to access ZITADEL API](../guides/usage/access-zitadel-apis) and the associated guides for a basic knowledge of :
- [Recommended Authorization Flows](../guides/usage/oauth-recommended-flows)
- [Service Users](../guides/usage/serviceusers)
However, we recommend you read the guide on [how to access ZITADEL API](../../guides/api/access-zitadel-apis) and the associated guides for a basic knowledge of :
- [Recommended Authorization Flows](../../guides/authorization/oauth-recommended-flows)
- [Service Users](../../guides/authentication/serviceusers)
> Be sure to have a valid key JSON and that its service account is either ORG_OWNER or at least ORG_OWNER_VIEWER before you continue with this guide.
@ -117,6 +117,6 @@ If you've run into any other problem, don't hesitate to contact us or raise an i
Now you can proceed implementing our APIs by adding more calls.
Checkout more [examples from the SDK](https://github.com/caos/zitadel-go/blob/main/example) or refer to our [API Docs](../apis/introduction).
Checkout more [examples from the SDK](https://github.com/caos/zitadel-go/blob/main/example) or refer to our [API Docs](../../apis/introduction).
> This guide will be updated soon to show you how to use the SDK for your own API as well.

12
docs/docs/quickstarts/go.md → docs/docs/quickstarts/call-zitadel-api/go.md
View File

@ -5,16 +5,16 @@ title: Go
This integration guide shows you how to integrate **ZITADEL** into your Go application.
It demonstrates how to fetch some data from the ZITADEL management API.
At the end of the guide you should have an application able to read the details of your organisation.
At the end of the guide you should have an application able to read the details of your organization.
## Prerequisites
The client [SDK](https://github.com/caos/zitadel-go) will handle all necessary OAuth 2.0 requests and send the required headers to the ZITADEL API using our [OIDC client library](https://github.com/caos/oidc).
All that is required, is a service account with an Org Owner (or another role, depending on the needed api requests) role assigned and its key JSON.
However, we recommend you read the guide on [how to access ZITADEL API](../guides/usage/access-zitadel-apis) and the associated guides for a basic knowledge of :
- [Recommended Authorization Flows](../guides/usage/oauth-recommended-flows)
- [Service Users](../guides/usage/serviceusers)
However, we recommend you read the guide on [how to access ZITADEL API](../../guides/api/access-zitadel-apis) and the associated guides for a basic knowledge of :
- [Recommended Authorization Flows](../../guides/authorization/oauth-recommended-flows)
- [Service Users](../../guides/authentication/serviceusers)
> Be sure to have a valid key JSON and that its service account is either ORG_OWNER or at least ORG_OWNER_VIEWER before you continue with this guide.
@ -127,7 +127,7 @@ If you've run into any other problem, don't hesitate to contact us or raise an i
### Whats next?
Now you can proceed implementing our APIs by adding more calls or trying to overwrite the organisation context:
Now you can proceed implementing our APIs by adding more calls or trying to overwrite the organization context:
```go
respOverwrite, err := client.GetMyOrg(middleware.SetOrgID(ctx, "74161146763996133"), &pb.GetMyOrgRequest{})
@ -137,6 +137,6 @@ Now you can proceed implementing our APIs by adding more calls or trying to over
log.Printf("%s was created on: %s", respOverwrite.Org.Name, respOverwrite.Org.Details.CreationDate.AsTime())
}
```
Checkout more [examples from the SDK](https://github.com/caos/zitadel-go/blob/main/example) or refer to our [API Docs](../apis/introduction).
Checkout more [examples from the SDK](https://github.com/caos/zitadel-go/blob/main/example) or refer to our [API Docs](../../apis/introduction).
> This guide will be updated soon to show you how to use the SDK for your own API as well.

2
docs/docs/quickstarts/oauth2-proxy.md → docs/docs/quickstarts/identity-proxy/oauth2-proxy.md
View File

@ -11,7 +11,7 @@ title: OAuth 2.0 Proxy
Before we can start building our application we have do do a few configuration steps in ZITADEL Console.
You will need to provide some information about your app. We recommend creating a new app to start from scratch. Navigate to your [Project](https://console.zitadel.ch/projects) and add a new application at the top of the page.
Select Web Application and continue.
We recommend that you use [Authorization Code](../apis/openidoauth/grant-types#authorization-code) for the OAuth 2.0 Proxy.
We recommend that you use [Authorization Code](../../apis/openidoauth/grant-types#authorization-code) for the OAuth 2.0 Proxy.
> Make sure Authentication Method is set to `BASIC` and the Application Type is set to `Web`.

4
docs/docs/quickstarts/introduction.md
View File

@ -2,4 +2,6 @@
title: Introduction
---
Start with ZITADEL quickly by choosing your language.
Start with ZITADEL quickly by choosing your language.
You can find some example applications [here](https://github.com/caos/zitadel-examples)

12
docs/docs/quickstarts/libs.md Normal file
View File

@ -0,0 +1,12 @@
---
title: Libraries
---
| Language | Description | Link |
| ------------ | ---------------------|-------------|
| Go | Go client library for ZITADEL. | [https://github.com/caos/zitadel-go](https://github.com/caos/zitadel-go)
| .Net | Authentication / Authorization library written in dotnet for the asp.net web application package. | [https://github.com/caos/zitadel-net](https://github.com/caos/zitadel-net)
| Dart | Dart library for ZITADEL, contains gRPC and API access elements. | [https://github.com/caos/zitadel-dart](https://github.com/caos/zitadel-dart) |
| Elixir | API Client for the ZITADEL API. | [https://github.com/jshmrtn/zitadel_api](https://github.com/jshmrtn/zitadel_api) |

4
docs/docs/quickstarts/angular.md → docs/docs/quickstarts/login/angular.md
View File

@ -14,7 +14,7 @@ At the end of the guide you should have an application able to login a user and
Before we can start building our application we have do do a few configuration steps in ZITADEL Console.
You will need to provide some information about your app. We recommend creating a new app to start from scratch. Navigate to your [Project](https://console.zitadel.ch/projects) and add a new application at the top of the page.
Select Web Application and continue.
We recommend that you use [Authorization Code](../apis/openidoauth/grant-types#authorization-code) in combination with [Proof Key for Code Exchange](../apis/openidoauth/grant-types#proof-key-for-code-exchange) for all web applications.
We recommend that you use [Authorization Code](../../apis/openidoauth/grant-types#authorization-code) in combination with [Proof Key for Code Exchange](../../apis/openidoauth/grant-types#proof-key-for-code-exchange) for all web applications.
![Create app in console](/img/angular/app-create-light.png)
@ -300,6 +300,6 @@ If you get stuck consider checking out our [template](https://github.com/caos/zi
### Whats next?
Now you can proceed implementing our APIs to include Authorization. Refer to our [Docs](../apis/apis) or checkout our Console Code on [Github](https://github.com/caos/zitadel) which is using GRPC to access data.
Now you can proceed implementing our APIs to include Authorization. Refer to our [Docs](../../apis/apis) or checkout our Console Code on [Github](https://github.com/caos/zitadel) which is using GRPC to access data.
For more information about creating an angular application we refer to [Angular](https://angular.io/start) and for more information about the used oauth/oidc library consider reading their docs at [angular-oauth2-oidc](https://github.com/manfredsteyer/angular-oauth2-oidc).

0
docs/docs/quickstarts/flutter.md → docs/docs/quickstarts/login/flutter.md
View File

0
docs/docs/quickstarts/nextjs.md → docs/docs/quickstarts/login/nextjs.md
View File

6
docs/docs/quickstarts/react.md → docs/docs/quickstarts/login/react.md
View File

@ -11,8 +11,8 @@ At the end of the guide you should have an application able to login a user and
Before we can start building our application we have to do a few configuration steps in ZITADEL Console.
You will need to provide some information about your app. We recommend creating a new app to start from scratch. Navigate to your [Project](https://console.zitadel.ch/projects) and add a new application at the top of the page.
Select User Agent and continue. More about the different app types can you find [here](https://docs.zitadel.ch/docs/guides/usage/oauth-recommended-flows#different-client-profiles).
We recommend that you use [Authorization Code](../apis/openidoauth/grant-types#authorization-code) in combination with [Proof Key for Code Exchange](../apis/openidoauth/grant-types#proof-key-for-code-exchange) for all web applications.
Select User Agent and continue. More about the different app types can you find [here](https://docs.zitadel.ch/docs/guides/authorization/oauth-recommended-flows#different-client-profiles).
We recommend that you use [Authorization Code](../../apis/openidoauth/grant-types#authorization-code) in combination with [Proof Key for Code Exchange](../../apis/openidoauth/grant-types#proof-key-for-code-exchange) for all web applications.
### Redirect URLs
@ -110,6 +110,6 @@ You have successfully integrated ZITADEL in your React Application!
### Whats next?
Now you can proceed implementing our APIs to include Authorization. You can find our API Docs [here](../apis/apis)
Now you can proceed implementing our APIs to include Authorization. You can find our API Docs [here](../../apis/apis)
For more information about creating a React application we refer to [React](https://reactjs.org/docs/getting-started.html) and for more information about the used oauth/oidc library consider reading their docs at [oidc-react](https://www.npmjs.com/package/oidc-react).

4
docs/docs/quickstarts/secure-api/dot-net.md Normal file
View File

@ -0,0 +1,4 @@
---
title: .NET
---
Coming soon

154
docs/docs/quickstarts/secure-api/go.md Normal file
View File

@ -0,0 +1,154 @@
---
title: Go
---
This integration guide shows you how to integrate **ZITADEL** into your Go API. It demonstrates how to secure your API using
OAuth 2 Token Introspection.
At the end of the guide you should have an API with a protected endpoint.
## Prerequisites
The client [SDK](https://github.com/caos/zitadel-go) will provides an interceptor for both GRPC and HTTP.
This will handle the OAuth 2.0 introspection request including authentication using JWT with Private Key using our [OIDC client library](https://github.com/caos/oidc).
All that is required, is an API and its key JSON. But for complete
## Go Setup
### Add Go SDK to your project
You need to add the SDK into Go Modules by:
```bash
go get github.com/caos/zitadel-go
```
### Create example API
Create a new go file with the content below. This will create an API with two endpoints. On path `/public` it will always write
back `ok` and the current timestamp. On `/protected` it will respond the same but only if a valid access_token is sent. The token
must not be expired and the API has to be part of the audience (either client_id or project_id).
```go
package main
import (
"log"
"net/http"
"time"
api_mw "github.com/caos/zitadel-go/pkg/api/middleware"
http_mw "github.com/caos/zitadel-go/pkg/api/middleware/http"
"github.com/caos/zitadel-go/pkg/client"
"github.com/caos/zitadel-go/pkg/client/middleware"
)
func main() {
introspection, err := http_mw.NewIntrospectionInterceptor(client.Issuer, middleware.OSKeyPath())
if err != nil {
log.Fatal(err)
}
router := http.NewServeMux()
router.HandleFunc("/public", writeOK)
router.HandleFunc("/protected", introspection.HandlerFunc(writeOK))
lis := "127.0.0.1:5001"
log.Fatal(http.ListenAndServe(lis, router))
}
func writeOK(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("OK " + time.Now().String()))
}
```
#### Key JSON
To provide the key JSON to the SDK, simply set an environment variable `ZITADEL_KEY_PATH` with the path to the JSON as value.
```bash
export ZITADEL_KEY_PATH=/Users/test/apikey.json
```
For development purposes you should be able to set this in your IDE.
If you're not able to set it via environment variable, you can also exchange the `middleware.OSKeyPath()` and pass it directly:
```go
introspection, err := http_mw.NewIntrospectionInterceptor(
client.Issuer,
"/Users/test/apikey.json",
)
```
#### Custom ZITADEL instance
If your client will not use ZITADEL Cloud (zitadel.ch), be sure to provide the correct Issuer:
```go
introspection, err := http_mw.NewIntrospectionInterceptor(
"https://issuer.custom.ch",
middleware.OSKeyPath(),
)
```
### Test API
After you have configured everything correctly, you can simply start the example by:
```bash
go run main.go
```
You can now call the API by browser or curl. Try the public endpoint first:
```bash
curl -i localhost:5001/public
```
it should return something like:
```
HTTP/1.1 200 OK
Date: Tue, 24 Aug 2021 11:11:17 GMT
Content-Length: 59
Content-Type: text/plain; charset=utf-8
OK 2021-08-24 13:11:17.135719 +0200 CEST m=+30704.913892168
```
and the protected:
```bash
curl -i localhost:5001/protected
```
it will return:
```
HTTP/1.1 401 Unauthorized
Content-Type: application/json
Date: Tue, 24 Aug 2021 11:13:10 GMT
Content-Length: 21
"auth header missing"
```
Get a valid access_token for the API. You can achieve this by login into an application of the same project or
by explicitly requesting the project_id for the audience by scope `urn:zitadel:iam:org:project:id:{projectid}:aud`.
If you provide a valid Bearer Token:
```bash
curl -i -H "Authorization: Bearer ${token}" localhost:5001/protected
```
it will return an OK response as well:
```
HTTP/1.1 200 OK
Date: Tue, 24 Aug 2021 11:13:33 GMT
Content-Length: 59
Content-Type: text/plain; charset=utf-8
OK 2021-08-24 13:13:33.131943 +0200 CEST m=+30840.911149251
```

17
docs/docusaurus.config.js
View File

@ -19,8 +19,8 @@ module.exports = {
items: [
{
type: 'doc',
docId: 'manuals/introduction',
label: 'Manuals',
label: 'Guides',
docId: 'guides/introduction',
position: 'left',
},
{
@ -29,12 +29,6 @@ module.exports = {
docId: 'quickstarts/introduction',
position: 'left',
},
{
type: 'doc',
label: 'Guides',
docId: 'guides/introduction',
position: 'left',
},
{
type: 'doc',
label: 'APIs',
@ -47,6 +41,12 @@ module.exports = {
label: 'Concepts',
position: 'left',
},
{
type: 'doc',
docId: 'manuals/introduction',
label: 'Help',
position: 'left',
},
{
type: 'doc',
docId: 'legal/introduction',
@ -131,6 +131,7 @@ module.exports = {
docs: {
sidebarPath: require.resolve('./sidebars.js'),
editUrl: 'https://github.com/caos/zitadel/edit/main/docs/',
remarkPlugins: [require('mdx-mermaid')],
},
theme: {
customCss: require.resolve('./src/css/custom.css'),

2
docs/package.json
View File

@ -19,6 +19,8 @@
"@mdx-js/react": "^1.6.22",
"clsx": "^1.1.1",
"docusaurus-plugin-plausible": "^0.0.5",
"mdx-mermaid": "^1.1.0",
"mermaid": "^8.12.1",
"react": "^17.0.2",
"react-dom": "^17.0.2"
},

94
docs/sidebars.js
View File

@ -1,43 +1,29 @@
module.exports = {
manuals: [
'manuals/introduction',
{
type: 'category',
label: 'User',
items: ['manuals/user-register', 'manuals/user-login', 'manuals/user-password', 'manuals/user-factors', 'manuals/user-email', 'manuals/user-phone', 'manuals/user-social-login',],
collapsed: false,
},
{
type: 'category',
label: 'Administrator',
items: ['manuals/admin-managers', 'manuals/admin-policies'],
collapsed: false,
},
],
quickstarts: [
'quickstarts/introduction',
{
type: 'category',
label: 'Single Page Applications',
items: ['quickstarts/angular', 'quickstarts/react'],
label: 'Integrate ZITADEL Login in your App',
items: ['quickstarts/login/angular', 'quickstarts/login/react', 'quickstarts/login/flutter', 'quickstarts/login/nextjs'],
collapsed: false,
},
{
type: 'category',
label: 'Backends',
items: ['quickstarts/go', 'quickstarts/dot-net'],
label: 'Secure your API',
items: ['quickstarts/secure-api/go', 'quickstarts/secure-api/dot-net'],
collapsed: false,
},
{
type: 'category',
label: 'Frameworks',
items: ['quickstarts/flutter', 'quickstarts/nextjs'],
label: 'Call the ZITADEL API',
items: ['quickstarts/call-zitadel-api/go', 'quickstarts/call-zitadel-api/dot-net'],
collapsed: false,
},
'quickstarts/libs',
{
type: 'category',
label: 'Identity Aware Proxy',
items: ['quickstarts/oauth2-proxy'],
items: ['quickstarts/identity-proxy/oauth2-proxy'],
collapsed: false,
}
],
@ -48,13 +34,44 @@ module.exports = {
label: 'Get to know ZITADEL',
collapsed: false,
items: [
'guides/usage/get-started',
'guides/usage/organizations',
'guides/usage/projects',
'guides/usage/oauth-recommended-flows',
'guides/usage/serviceusers',
'guides/usage/access-zitadel-apis',
'guides/usage/identity-brokering',
'guides/basics/get-started',
'guides/basics/organizations',
'guides/basics/projects',
],
},
{
type: 'category',
label: 'Authentication',
collapsed: false,
items: [
'guides/authentication/login-users',
'guides/authentication/identity-brokering',
'guides/authentication/serviceusers',
],
},
{
type: 'category',
label: 'Authorization',
collapsed: false,
items: [
'guides/authorization/oauth-recommended-flows',
],
},
{
type: 'category',
label: 'API',
collapsed: false,
items: [
'guides/api/access-zitadel-apis'
],
},
{
type: 'category',
label: 'Customization',
collapsed: false,
items: [
'guides/customization/branding',
'guides/customization/texts',
],
},
{
@ -173,8 +190,27 @@ module.exports = {
concepts: [
'concepts/introduction',
'concepts/architecture',
'concepts/policies',
'concepts/managers',
'concepts/principles',
'concepts/eventstore',
{
type: 'category',
label: 'Use Cases',
collapsed: true,
items: [
'concepts/usecases/saas'
],
},
],
manuals: [
'manuals/introduction',
{
type: 'category',
label: 'User',
items: ['manuals/user-register', 'manuals/user-login', 'manuals/user-password', 'manuals/user-factors', 'manuals/user-email', 'manuals/user-phone', 'manuals/user-social-login',],
collapsed: false,
},
],
legal: [
'legal/introduction',

6
docs/src/css/custom.css
View File

@ -22,6 +22,7 @@
--ifm-hero-text-color: var(--ifm-font-color-base-inverse);
--get-started: #FF2069;
--get-started-bg-hover: var(--ifm-hero-background-color);
--ifm-color-info: #4cb3d4;
}
:root[data-theme="dark"] {
@ -31,6 +32,11 @@
--get-started-bg: --ifm-font-color-base;
}
.menu li li a {
font-size: 14px;
padding: 2px 14px;
}
.docusaurus-highlight-code-line {
background-color: rgb(72, 77, 91);
display: block;

29
docs/src/pages/index.js
View File

@ -9,13 +9,13 @@ import ThemedImage from '@theme/ThemedImage';
const features = [
{
title: 'Manuals',
darkImageUrl: 'img/index/Manual-dark.svg',
lightImageUrl: 'img/index/Manual-light.svg',
link: 'docs/manuals/introduction',
title: 'Guides',
darkImageUrl: 'img/index/Guides-dark.svg',
lightImageUrl: 'img/index/Guides-light.svg',
link: 'docs/guides/introduction',
description: (
<>
Follow this guide to get started with ZITADEL as a user.
Read our guides on how to manage your data and role associations in ZITADEL and on what we recommend.
</>
),
},
@ -25,20 +25,9 @@ const features = [
lightImageUrl: 'img/index/Quickstarts-light.svg',
link: 'docs/quickstarts/introduction',
description: (
<>
Learn how to integrate your applications and build secure workflows and APIs with ZITADEL
</>
),
},
{
title: 'Guides',
darkImageUrl: 'img/index/Guides-dark.svg',
lightImageUrl: 'img/index/Guides-light.svg',
link: 'docs/guides/introduction',
description: (
<>
Read our guides on how to manage your data and role associations in ZITADEL and on what we recommend.
</>
<>
Learn how to integrate your applications and build secure workflows and APIs with ZITADEL
</>
),
},
{
@ -107,7 +96,7 @@ export default function Home() {
'button button--outline button--lg get-started',
styles.getStarted,
)}
to={useBaseUrl('docs/guides/usage/get-started')}>
to={useBaseUrl('docs/guides/basics/get-started')}>
Get Started
</Link>
</div>

BIN
docs/static/img/concepts/usecase/saas.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 163 KiB

BIN
docs/static/img/console_login_texts.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 190 KiB

BIN
docs/static/img/console_message_texts.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 170 KiB

BIN
docs/static/img/console_private_labeling.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 253 KiB

329
docs/yarn.lock
View File

@ -1145,6 +1145,11 @@
"@babel/helper-validator-identifier" "^7.14.5"
to-fast-properties "^2.0.0"
"@braintree/sanitize-url@^3.1.0":
version "3.1.0"
resolved "https://registry.yarnpkg.com/@braintree/sanitize-url/-/sanitize-url-3.1.0.tgz#8ff71d51053cd5ee4981e5a501d80a536244f7fd"
integrity sha512-GcIY79elgB+azP74j8vqkiXz8xLFfIzbQJdlwOPisgbKT00tviJQuEghOXSMVxJ00HoYJbGswr4kcllUc4xCcg==
"@docsearch/css@3.0.0-alpha.40":
version "3.0.0-alpha.40"
resolved "https://registry.npmjs.org/@docsearch/css/-/css-3.0.0-alpha.40.tgz"
@ -2796,7 +2801,7 @@ comma-separated-tokens@^1.0.0:
resolved "https://registry.npmjs.org/comma-separated-tokens/-/comma-separated-tokens-1.0.8.tgz"
integrity sha512-GHuDRO12Sypu2cV70d1dkA2EUmXHgntrzbpvOB+Qy+49ypNfGgFQIC2fhhXbnyrJRynDCAARsT7Ou0M6hirpfw==
commander@^2.20.0:
commander@2, commander@^2.20.0:
version "2.20.3"
resolved "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz"
integrity sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==
@ -3182,6 +3187,272 @@ csso@^4.0.2, csso@^4.2.0:
dependencies:
css-tree "^1.1.2"
d3-array@1, d3-array@^1.1.1, d3-array@^1.2.0:
version "1.2.4"
resolved "https://registry.yarnpkg.com/d3-array/-/d3-array-1.2.4.tgz#635ce4d5eea759f6f605863dbcfc30edc737f71f"
integrity sha512-KHW6M86R+FUPYGb3R5XiYjXPq7VzwxZ22buHhAEVG5ztoEcZZMLov530mmccaqA1GghZArjQV46fuc8kUqhhHw==
d3-axis@1:
version "1.0.12"
resolved "https://registry.yarnpkg.com/d3-axis/-/d3-axis-1.0.12.tgz#cdf20ba210cfbb43795af33756886fb3638daac9"
integrity sha512-ejINPfPSNdGFKEOAtnBtdkpr24c4d4jsei6Lg98mxf424ivoDP2956/5HDpIAtmHo85lqT4pruy+zEgvRUBqaQ==
d3-brush@1:
version "1.1.6"
resolved "https://registry.yarnpkg.com/d3-brush/-/d3-brush-1.1.6.tgz#b0a22c7372cabec128bdddf9bddc058592f89e9b"
integrity sha512-7RW+w7HfMCPyZLifTz/UnJmI5kdkXtpCbombUSs8xniAyo0vIbrDzDwUJB6eJOgl9u5DQOt2TQlYumxzD1SvYA==
dependencies:
d3-dispatch "1"
d3-drag "1"
d3-interpolate "1"
d3-selection "1"
d3-transition "1"
d3-chord@1:
version "1.0.6"
resolved "https://registry.yarnpkg.com/d3-chord/-/d3-chord-1.0.6.tgz#309157e3f2db2c752f0280fedd35f2067ccbb15f"
integrity sha512-JXA2Dro1Fxw9rJe33Uv+Ckr5IrAa74TlfDEhE/jfLOaXegMQFQTAgAw9WnZL8+HxVBRXaRGCkrNU7pJeylRIuA==
dependencies:
d3-array "1"
d3-path "1"
d3-collection@1:
version "1.0.7"
resolved "https://registry.yarnpkg.com/d3-collection/-/d3-collection-1.0.7.tgz#349bd2aa9977db071091c13144d5e4f16b5b310e"
integrity sha512-ii0/r5f4sjKNTfh84Di+DpztYwqKhEyUlKoPrzUFfeSkWxjW49xU2QzO9qrPrNkpdI0XJkfzvmTu8V2Zylln6A==
d3-color@1:
version "1.4.1"
resolved "https://registry.yarnpkg.com/d3-color/-/d3-color-1.4.1.tgz#c52002bf8846ada4424d55d97982fef26eb3bc8a"
integrity sha512-p2sTHSLCJI2QKunbGb7ocOh7DgTAn8IrLx21QRc/BSnodXM4sv6aLQlnfpvehFMLZEfBc6g9pH9SWQccFYfJ9Q==
d3-contour@1:
version "1.3.2"
resolved "https://registry.yarnpkg.com/d3-contour/-/d3-contour-1.3.2.tgz#652aacd500d2264cb3423cee10db69f6f59bead3"
integrity sha512-hoPp4K/rJCu0ladiH6zmJUEz6+u3lgR+GSm/QdM2BBvDraU39Vr7YdDCicJcxP1z8i9B/2dJLgDC1NcvlF8WCg==
dependencies:
d3-array "^1.1.1"
d3-dispatch@1:
version "1.0.6"
resolved "https://registry.yarnpkg.com/d3-dispatch/-/d3-dispatch-1.0.6.tgz#00d37bcee4dd8cd97729dd893a0ac29caaba5d58"
integrity sha512-fVjoElzjhCEy+Hbn8KygnmMS7Or0a9sI2UzGwoB7cCtvI1XpVN9GpoYlnb3xt2YV66oXYb1fLJ8GMvP4hdU1RA==
d3-drag@1:
version "1.2.5"
resolved "https://registry.yarnpkg.com/d3-drag/-/d3-drag-1.2.5.tgz#2537f451acd39d31406677b7dc77c82f7d988f70"
integrity sha512-rD1ohlkKQwMZYkQlYVCrSFxsWPzI97+W+PaEIBNTMxRuxz9RF0Hi5nJWHGVJ3Om9d2fRTe1yOBINJyy/ahV95w==
dependencies:
d3-dispatch "1"
d3-selection "1"
d3-dsv@1:
version "1.2.0"
resolved "https://registry.yarnpkg.com/d3-dsv/-/d3-dsv-1.2.0.tgz#9d5f75c3a5f8abd611f74d3f5847b0d4338b885c"
integrity sha512-9yVlqvZcSOMhCYzniHE7EVUws7Fa1zgw+/EAV2BxJoG3ME19V6BQFBwI855XQDsxyOuG7NibqRMTtiF/Qup46g==
dependencies:
commander "2"
iconv-lite "0.4"
rw "1"
d3-ease@1:
version "1.0.7"
resolved "https://registry.yarnpkg.com/d3-ease/-/d3-ease-1.0.7.tgz#9a834890ef8b8ae8c558b2fe55bd57f5993b85e2"
integrity sha512-lx14ZPYkhNx0s/2HX5sLFUI3mbasHjSSpwO/KaaNACweVwxUruKyWVcb293wMv1RqTPZyZ8kSZ2NogUZNcLOFQ==
d3-fetch@1:
version "1.2.0"
resolved "https://registry.yarnpkg.com/d3-fetch/-/d3-fetch-1.2.0.tgz#15ce2ecfc41b092b1db50abd2c552c2316cf7fc7"
integrity sha512-yC78NBVcd2zFAyR/HnUiBS7Lf6inSCoWcSxFfw8FYL7ydiqe80SazNwoffcqOfs95XaLo7yebsmQqDKSsXUtvA==
dependencies:
d3-dsv "1"
d3-force@1:
version "1.2.1"
resolved "https://registry.yarnpkg.com/d3-force/-/d3-force-1.2.1.tgz#fd29a5d1ff181c9e7f0669e4bd72bdb0e914ec0b"
integrity sha512-HHvehyaiUlVo5CxBJ0yF/xny4xoaxFxDnBXNvNcfW9adORGZfyNF1dj6DGLKyk4Yh3brP/1h3rnDzdIAwL08zg==
dependencies:
d3-collection "1"
d3-dispatch "1"
d3-quadtree "1"
d3-timer "1"
d3-format@1:
version "1.4.5"
resolved "https://registry.yarnpkg.com/d3-format/-/d3-format-1.4.5.tgz#374f2ba1320e3717eb74a9356c67daee17a7edb4"
integrity sha512-J0piedu6Z8iB6TbIGfZgDzfXxUFN3qQRMofy2oPdXzQibYGqPB/9iMcxr/TGalU+2RsyDO+U4f33id8tbnSRMQ==
d3-geo@1:
version "1.12.1"
resolved "https://registry.yarnpkg.com/d3-geo/-/d3-geo-1.12.1.tgz#7fc2ab7414b72e59fbcbd603e80d9adc029b035f"
integrity sha512-XG4d1c/UJSEX9NfU02KwBL6BYPj8YKHxgBEw5om2ZnTRSbIcego6dhHwcxuSR3clxh0EpE38os1DVPOmnYtTPg==
dependencies:
d3-array "1"
d3-hierarchy@1:
version "1.1.9"
resolved "https://registry.yarnpkg.com/d3-hierarchy/-/d3-hierarchy-1.1.9.tgz#2f6bee24caaea43f8dc37545fa01628559647a83"
integrity sha512-j8tPxlqh1srJHAtxfvOUwKNYJkQuBFdM1+JAUfq6xqH5eAqf93L7oG1NVqDa4CpFZNvnNKtCYEUC8KY9yEn9lQ==
d3-interpolate@1:
version "1.4.0"
resolved "https://registry.yarnpkg.com/d3-interpolate/-/d3-interpolate-1.4.0.tgz#526e79e2d80daa383f9e0c1c1c7dcc0f0583e987"
integrity sha512-V9znK0zc3jOPV4VD2zZn0sDhZU3WAE2bmlxdIwwQPPzPjvyLkd8B3JUVdS1IDUFDkWZ72c9qnv1GK2ZagTZ8EA==
dependencies:
d3-color "1"
d3-path@1:
version "1.0.9"
resolved "https://registry.yarnpkg.com/d3-path/-/d3-path-1.0.9.tgz#48c050bb1fe8c262493a8caf5524e3e9591701cf"
integrity sha512-VLaYcn81dtHVTjEHd8B+pbe9yHWpXKZUC87PzoFmsFrJqgFwDe/qxfp5MlfsfM1V5E/iVt0MmEbWQ7FVIXh/bg==
d3-polygon@1:
version "1.0.6"
resolved "https://registry.yarnpkg.com/d3-polygon/-/d3-polygon-1.0.6.tgz#0bf8cb8180a6dc107f518ddf7975e12abbfbd38e"
integrity sha512-k+RF7WvI08PC8reEoXa/w2nSg5AUMTi+peBD9cmFc+0ixHfbs4QmxxkarVal1IkVkgxVuk9JSHhJURHiyHKAuQ==
d3-quadtree@1:
version "1.0.7"
resolved "https://registry.yarnpkg.com/d3-quadtree/-/d3-quadtree-1.0.7.tgz#ca8b84df7bb53763fe3c2f24bd435137f4e53135"
integrity sha512-RKPAeXnkC59IDGD0Wu5mANy0Q2V28L+fNe65pOCXVdVuTJS3WPKaJlFHer32Rbh9gIo9qMuJXio8ra4+YmIymA==
d3-random@1:
version "1.1.2"
resolved "https://registry.yarnpkg.com/d3-random/-/d3-random-1.1.2.tgz#2833be7c124360bf9e2d3fd4f33847cfe6cab291"
integrity sha512-6AK5BNpIFqP+cx/sreKzNjWbwZQCSUatxq+pPRmFIQaWuoD+NrbVWw7YWpHiXpCQ/NanKdtGDuB+VQcZDaEmYQ==
d3-scale-chromatic@1:
version "1.5.0"
resolved "https://registry.yarnpkg.com/d3-scale-chromatic/-/d3-scale-chromatic-1.5.0.tgz#54e333fc78212f439b14641fb55801dd81135a98"
integrity sha512-ACcL46DYImpRFMBcpk9HhtIyC7bTBR4fNOPxwVSl0LfulDAwyiHyPOTqcDG1+t5d4P9W7t/2NAuWu59aKko/cg==
dependencies:
d3-color "1"
d3-interpolate "1"
d3-scale@2:
version "2.2.2"
resolved "https://registry.yarnpkg.com/d3-scale/-/d3-scale-2.2.2.tgz#4e880e0b2745acaaddd3ede26a9e908a9e17b81f"
integrity sha512-LbeEvGgIb8UMcAa0EATLNX0lelKWGYDQiPdHj+gLblGVhGLyNbaCn3EvrJf0A3Y/uOOU5aD6MTh5ZFCdEwGiCw==
dependencies:
d3-array "^1.2.0"
d3-collection "1"
d3-format "1"
d3-interpolate "1"
d3-time "1"
d3-time-format "2"
d3-selection@1, d3-selection@^1.1.0:
version "1.4.2"
resolved "https://registry.yarnpkg.com/d3-selection/-/d3-selection-1.4.2.tgz#dcaa49522c0dbf32d6c1858afc26b6094555bc5c"
integrity sha512-SJ0BqYihzOjDnnlfyeHT0e30k0K1+5sR3d5fNueCNeuhZTnGw4M4o8mqJchSwgKMXCNFo+e2VTChiSJ0vYtXkg==
d3-shape@1:
version "1.3.7"
resolved "https://registry.yarnpkg.com/d3-shape/-/d3-shape-1.3.7.tgz#df63801be07bc986bc54f63789b4fe502992b5d7"
integrity sha512-EUkvKjqPFUAZyOlhY5gzCxCeI0Aep04LwIRpsZ/mLFelJiUfnK56jo5JMDSE7yyP2kLSb6LtF+S5chMk7uqPqw==
dependencies:
d3-path "1"
d3-time-format@2:
version "2.3.0"
resolved "https://registry.yarnpkg.com/d3-time-format/-/d3-time-format-2.3.0.tgz#107bdc028667788a8924ba040faf1fbccd5a7850"
integrity sha512-guv6b2H37s2Uq/GefleCDtbe0XZAuy7Wa49VGkPVPMfLL9qObgBST3lEHJBMUp8S7NdLQAGIvr2KXk8Hc98iKQ==
dependencies:
d3-time "1"
d3-time@1:
version "1.1.0"
resolved "https://registry.yarnpkg.com/d3-time/-/d3-time-1.1.0.tgz#b1e19d307dae9c900b7e5b25ffc5dcc249a8a0f1"
integrity sha512-Xh0isrZ5rPYYdqhAVk8VLnMEidhz5aP7htAADH6MfzgmmicPkTo8LhkLxci61/lCB7n7UmE3bN0leRt+qvkLxA==
d3-timer@1:
version "1.0.10"
resolved "https://registry.yarnpkg.com/d3-timer/-/d3-timer-1.0.10.tgz#dfe76b8a91748831b13b6d9c793ffbd508dd9de5"
integrity sha512-B1JDm0XDaQC+uvo4DT79H0XmBskgS3l6Ve+1SBCfxgmtIb1AVrPIoqd+nPSv+loMX8szQ0sVUhGngL7D5QPiXw==
d3-transition@1:
version "1.3.2"
resolved "https://registry.yarnpkg.com/d3-transition/-/d3-transition-1.3.2.tgz#a98ef2151be8d8600543434c1ca80140ae23b398"
integrity sha512-sc0gRU4PFqZ47lPVHloMn9tlPcv8jxgOQg+0zjhfZXMQuvppjG6YuwdMBE0TuqCZjeJkLecku/l9R0JPcRhaDA==
dependencies:
d3-color "1"
d3-dispatch "1"
d3-ease "1"
d3-interpolate "1"
d3-selection "^1.1.0"
d3-timer "1"
d3-voronoi@1:
version "1.1.4"
resolved "https://registry.yarnpkg.com/d3-voronoi/-/d3-voronoi-1.1.4.tgz#dd3c78d7653d2bb359284ae478645d95944c8297"
integrity sha512-dArJ32hchFsrQ8uMiTBLq256MpnZjeuBtdHpaDlYuQyjU0CVzCJl/BVW+SkszaAeH95D/8gxqAhgx0ouAWAfRg==
d3-zoom@1:
version "1.8.3"
resolved "https://registry.yarnpkg.com/d3-zoom/-/d3-zoom-1.8.3.tgz#b6a3dbe738c7763121cd05b8a7795ffe17f4fc0a"
integrity sha512-VoLXTK4wvy1a0JpH2Il+F2CiOhVu7VRXWF5M/LroMIh3/zBAC3WAt7QoIvPibOavVo20hN6/37vwAsdBejLyKQ==
dependencies:
d3-dispatch "1"
d3-drag "1"
d3-interpolate "1"
d3-selection "1"
d3-transition "1"
d3@^5.14, d3@^5.16.0:
version "5.16.0"
resolved "https://registry.yarnpkg.com/d3/-/d3-5.16.0.tgz#9c5e8d3b56403c79d4ed42fbd62f6113f199c877"
integrity sha512-4PL5hHaHwX4m7Zr1UapXW23apo6pexCgdetdJ5kTmADpG/7T9Gkxw0M0tf/pjoB63ezCCm0u5UaFYy2aMt0Mcw==
dependencies:
d3-array "1"
d3-axis "1"
d3-brush "1"
d3-chord "1"
d3-collection "1"
d3-color "1"
d3-contour "1"
d3-dispatch "1"
d3-drag "1"
d3-dsv "1"
d3-ease "1"
d3-fetch "1"
d3-force "1"
d3-format "1"
d3-geo "1"
d3-hierarchy "1"
d3-interpolate "1"
d3-path "1"
d3-polygon "1"
d3-quadtree "1"
d3-random "1"
d3-scale "2"
d3-scale-chromatic "1"
d3-selection "1"
d3-shape "1"
d3-time "1"
d3-time-format "2"
d3-timer "1"
d3-transition "1"
d3-voronoi "1"
d3-zoom "1"
dagre-d3@^0.6.4:
version "0.6.4"
resolved "https://registry.yarnpkg.com/dagre-d3/-/dagre-d3-0.6.4.tgz#0728d5ce7f177ca2337df141ceb60fbe6eeb7b29"
integrity sha512-e/6jXeCP7/ptlAM48clmX4xTZc5Ek6T6kagS7Oz2HrYSdqcLZFLqpAfh7ldbZRFfxCZVyh61NEPR08UQRVxJzQ==
dependencies:
d3 "^5.14"
dagre "^0.8.5"
graphlib "^2.1.8"
lodash "^4.17.15"
dagre@^0.8.5:
version "0.8.5"
resolved "https://registry.yarnpkg.com/dagre/-/dagre-0.8.5.tgz#ba30b0055dac12b6c1fcc247817442777d06afee"
integrity sha512-/aTqmnRta7x7MCCpExk7HQL2O4owCT2h8NT//9I1OQ9vt29Pa0BzSAkR5lwFUcQ7491yVi/3CXU9jQ5o0Mn2Sw==
dependencies:
graphlib "^2.1.8"
lodash "^4.17.15"
debug@2.6.9, debug@^2.2.0, debug@^2.3.3, debug@^2.6.0:
version "2.6.9"
resolved "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz"
@ -3437,6 +3708,11 @@ domhandler@^4.0.0, domhandler@^4.2.0:
dependencies:
domelementtype "^2.2.0"
dompurify@2.3.1:
version "2.3.1"
resolved "https://registry.yarnpkg.com/dompurify/-/dompurify-2.3.1.tgz#a47059ca21fd1212d3c8f71fdea6943b8bfbdf6a"
integrity sha512-xGWt+NHAQS+4tpgbOAI08yxW0Pr256Gu/FNE2frZVTbgrBUn8M7tz7/ktS/LZ2MHeGqz6topj0/xY+y8R5FBFw==
domutils@1.5.1:
version "1.5.1"
resolved "https://registry.npmjs.org/domutils/-/domutils-1.5.1.tgz"
@ -4253,6 +4529,13 @@ graceful-fs@^4.1.11, graceful-fs@^4.1.2, graceful-fs@^4.1.6, graceful-fs@^4.2.0,
resolved "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.6.tgz"
integrity sha512-nTnJ528pbqxYanhpDYsi4Rd8MAeaBA67+RZ10CM1m3bTAVFEDcd5AuA4a6W5YkGZ1iNXHzZz8T6TBKLeBuNriQ==
graphlib@^2.1.8:
version "2.1.8"
resolved "https://registry.yarnpkg.com/graphlib/-/graphlib-2.1.8.tgz#5761d414737870084c92ec7b5dbcb0592c9d35da"
integrity sha512-jcLLfkpoVGmH7/InMC/1hIvOPSUh38oJtGhvrOFGzioE1DZ+0YW16RgmOJhHiuWTvGiJQ9Z1Ik43JvkRPRvE+A==
dependencies:
lodash "^4.17.15"
gray-matter@^4.0.3:
version "4.0.3"
resolved "https://registry.npmjs.org/gray-matter/-/gray-matter-4.0.3.tgz"
@ -4601,7 +4884,7 @@ human-signals@^2.1.0:
resolved "https://registry.npmjs.org/human-signals/-/human-signals-2.1.0.tgz"
integrity sha512-B4FFZ6q/T2jhhksgkbEW3HBvWIfDW85snkQgawt07S7J5QXTk6BkNV+0yAeZrM5QpMAdYlocGoljn0sJ/WQkFw==
iconv-lite@0.4.24:
iconv-lite@0.4, iconv-lite@0.4.24:
version "0.4.24"
resolved "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz"
integrity sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==
@ -5207,6 +5490,11 @@ keyv@^3.0.0:
dependencies:
json-buffer "3.0.0"
khroma@^1.4.1:
version "1.4.1"
resolved "https://registry.yarnpkg.com/khroma/-/khroma-1.4.1.tgz#ad6a5b6a972befc5112ce5129887a1a83af2c003"
integrity sha512-+GmxKvmiRuCcUYDgR7g5Ngo0JEDeOsGdNONdU2zsiBQaK4z19Y2NvXqfEDE0ZiIrg45GTZyAnPLVsLZZACYm3Q==
killable@^1.0.1:
version "1.0.1"
resolved "https://registry.npmjs.org/killable/-/killable-1.0.1.tgz"
@ -5393,7 +5681,7 @@ lodash.uniq@4.5.0, lodash.uniq@^4.5.0:
resolved "https://registry.npmjs.org/lodash.uniq/-/lodash.uniq-4.5.0.tgz"
integrity sha1-0CJTc662Uq3BvILklFM5qEJ1R3M=
lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.19, lodash@^4.17.20, lodash@^4.17.21:
lodash@^4.17.11, lodash@^4.17.14, lodash@^4.17.15, lodash@^4.17.19, lodash@^4.17.20, lodash@^4.17.21:
version "4.17.21"
resolved "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
integrity sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==
@ -5506,6 +5794,11 @@ mdurl@^1.0.0:
resolved "https://registry.npmjs.org/mdurl/-/mdurl-1.0.1.tgz"
integrity sha1-/oWy7HWlkDfyrf7BAP1sYBdhFS4=
mdx-mermaid@^1.1.0:
version "1.1.0"
resolved "https://registry.yarnpkg.com/mdx-mermaid/-/mdx-mermaid-1.1.0.tgz#687bcec767fe7b142a065463f3ec6ede53bd7b9e"
integrity sha512-hmY1KWu7YqIfNSOnrsnxCUTq2sRklnNc9OyHz+SRSQDJuYo2ZCQP2PHciR2oK9sPAwHSvpnTep6w5ha2Gl98WQ==
media-typer@0.3.0:
version "0.3.0"
resolved "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz"
@ -5534,6 +5827,21 @@ merge2@^1.3.0:
resolved "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz"
integrity sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==
mermaid@^8.12.1:
version "8.12.1"
resolved "https://registry.yarnpkg.com/mermaid/-/mermaid-8.12.1.tgz#6b55617bcfc970a7bf724e027368b281feb62539"
integrity sha512-0UCcSF0FLoNcPBsRF4f9OIV32t41fV18//z8o3S+FDz2PbDA1CRGKdQF9IX84VP4Tv9kcgJI/oqJdcBEtB/GPA==
dependencies:
"@braintree/sanitize-url" "^3.1.0"
d3 "^5.16.0"
dagre "^0.8.5"
dagre-d3 "^0.6.4"
dompurify "2.3.1"
graphlib "^2.1.8"
khroma "^1.4.1"
moment-mini "^2.24.0"
stylis "^4.0.10"
methods@~1.1.2:
version "1.1.2"
resolved "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz"
@ -5674,6 +5982,11 @@ module-alias@^2.2.2:
resolved "https://registry.npmjs.org/module-alias/-/module-alias-2.2.2.tgz"
integrity sha512-A/78XjoX2EmNvppVWEhM2oGk3x4lLxnkEA4jTbaK97QKSDjkIoOsKQlfylt/d3kKKi596Qy3NP5XrXJ6fZIC9Q==
moment-mini@^2.24.0:
version "2.24.0"
resolved "https://registry.yarnpkg.com/moment-mini/-/moment-mini-2.24.0.tgz#fa68d98f7fe93ae65bf1262f6abb5fb6983d8d18"
integrity sha512-9ARkWHBs+6YJIvrIp0Ik5tyTTtP9PoV0Ssu2Ocq5y9v8+NOOpWiRshAp8c4rZVWTOe+157on/5G+zj5pwIQFEQ==
ms@2.0.0:
version "2.0.0"
resolved "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz"
@ -7243,6 +7556,11 @@ run-parallel@^1.1.9:
dependencies:
queue-microtask "^1.2.2"
rw@1:
version "1.3.3"
resolved "https://registry.yarnpkg.com/rw/-/rw-1.3.3.tgz#3f862dfa91ab766b14885ef4d01124bfda074fb4"
integrity sha1-P4Yt+pGrdmsUiF700BEkv9oHT7Q=
rxjs@^6.6.3:
version "6.6.7"
resolved "https://registry.npmjs.org/rxjs/-/rxjs-6.6.7.tgz"
@ -7833,6 +8151,11 @@ stylehacks@^5.0.1:
browserslist "^4.16.0"
postcss-selector-parser "^6.0.4"
stylis@^4.0.10:
version "4.0.10"
resolved "https://registry.yarnpkg.com/stylis/-/stylis-4.0.10.tgz#446512d1097197ab3f02fb3c258358c3f7a14240"
integrity sha512-m3k+dk7QeJw660eIKRRn3xPF6uuvHs/FFzjX3HQ5ove0qYsiygoAhwn5a3IYKaZPo5LrYD0rfVmtv1gNY1uYwg==
supports-color@^5.3.0:
version "5.5.0"
resolved "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz"