feat(idp): provide auto only options (#8420)

# Which Problems Are Solved

As of now, **automatic creation** and **automatic linking options** were
only considered if the corresponding **allowed option** (account
creation / linking allowed) was enabled.

With this PR, this is no longer needed and allows administrators to
address cases where only an **automatic creation** is allowed, but
users themselves should not be allowed to **manually** create new
accounts using an identity provider or edit the information during the
process.
Also, allowing users to only link to the proposed existing account is
now possible with an enabled **automatic linking option**, while
disabling **account linking allowed**.

# How the Problems Are Solved

- Check for **automatic** options without the corresponding **allowed**
option.
- Added a technical advisory to notify about the possible behavior change.

# Additional Changes

- display the error message on the IdP linking step in the login UI (in
case there is one)
- display an error in case no option is possible
- exchanged deprecated `eventstoreExpect` with `expectEventstore` in
touched test files

# Additional Context

closes https://github.com/zitadel/zitadel/issues/7393

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
This commit is contained in:
Livio Spring
2024-08-14 15:04:26 +02:00
committed by GitHub
parent d32e22734f
commit e2e1100124
41 changed files with 776 additions and 180 deletions

@@ -66,14 +66,14 @@ enum AutoLinkingOption {
}
message Options {
bool is_linking_allowed = 1 [
bool is_manual_linking_allowed = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Enable if users should be able to link an existing ZITADEL user with an external account.";
description: "Enable if users should be able to link an existing ZITADEL user with an external account. Disable if users should only be allowed to link the proposed account in case of active auto_linking.";
}
];
bool is_creation_allowed = 2 [
bool is_manual_creation_allowed = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Enable if users should be able to create a new account in ZITADEL when using an external account.";
description: "Enable if users should be able to create a new account in ZITADEL when using an external account. Disable if users should not be able to edit account information when auto_creation is enabled.";
}
];
bool is_auto_creation = 3 [
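Review bot: renaming `is_linking_allowed` to `is_manual_linking_allowed` and `is_creation_allowed` to `is_manual_creation_allowed` keeps the field numbers (1 and 2), so the protobuf wire format stays compatible, but the JSON names exposed through the gRPC gateway and the generated SDKs change (for example `isLinkingAllowed` becomes `isManualLinkingAllowed`), which breaks existing REST clients that set or read these options. The technical advisory added in this PR only covers the behavior change; it should also list the API field renames, or the old names should be kept and the new semantics documented in the description. In the new descriptions, the phrases "in case of active auto_linking" and "when auto_creation is enabled" refer to fields the reader cannot see in this hunk; consider naming them as `auto_linking`/`is_auto_creation` consistently with the actual field names in this message.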

@@ -147,9 +147,11 @@ When configuring external IdP templates in ZITADEL, several common settings enab
- **Automatic update**: This feature, when activated, allows ZITADEL to automatically update a user's profile information whenever changes are detected in the user's account on the external IdP. For example, if a user changes their last name in their Google or Microsoft account, ZITADEL will reflect this update in the user's account upon their next login.
- **Account creation allowed**: Determines whether new user accounts can be created in ZITADEL through the external IdP authentication process. Enabling this setting is crucial for allowing users who are new to your application to register and create accounts seamlessly via their existing external IdP accounts.
- **Account creation allowed (manually)**: Determines whether new user accounts can be created in ZITADEL through the external IdP authentication process. Enabling this setting is crucial for allowing users who are new to your application to register and create accounts seamlessly via their existing external IdP accounts. However, if you rely on the **automatic creation** and want to prevent users to manually create their accounts or edit information during the automatic process, you need to disable this option.
- **Account linking allowed**: Enables existing ZITADEL accounts to be linked with identities from external IdPs. It requires that a linkable ZITADEL account already exists for the user attempting to log in with an external IdP. Account linking is beneficial for users who wish to associate multiple login methods with their ZITADEL account, providing flexibility and convenience in how they access your application.
- **Account linking allowed (manually)**: Enables existing ZITADEL accounts to be linked with identities from external IdPs. It requires that a linkable ZITADEL account already exists for the user attempting to log in with an external IdP. Account linking is beneficial for users who wish to associate multiple login methods with their ZITADEL account, providing flexibility and convenience in how they access your application. However, if you rely on an **automatic linking option** and want to prevent users to manually link their accounts, you need to disable this option.
- **Automatic linking options**: Enables existing ZITADEL accounts to be linked with identities from external IdPs. If not disabled, ZITADEL will check for an existing account with the configured criteria (username or email) and prompt the user to link the account.
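Review bot: the two new bullets use "prevent users to manually create their accounts" and "prevent users to manually link their accounts"; the idiomatic form is "prevent users from manually creating their accounts" and "prevent users from manually linking their accounts". The docs also do not say what happens when the manual option is disabled and the corresponding automatic option is not active (this PR adds an error for the case where no option is possible); one sentence on that outcome in each of the "(manually)" bullets would tell administrators the consequence of disabling both.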

@@ -0,0 +1,29 @@
---
title: Technical Advisory 10011
---
## Date and Version
Version: 2.60.0
Date: TBD
## Description
Version 2.60.0 allows more combinations in the identity provider options. As of now, **automatic creation** and **automatic linking options** were only considered if the corresponding **allowed option** (account creation / linking allowed) was enabled.
Starting with this release, this is no longer needed and allows administrators to address cases, where only an **automatic creation** is allowed, but users themselves should not be allowed to **manually** create new accounts using an identity provider or edit the information during the process.
Also, allowing users to only link to the proposed existing account is now possible with an enabled **automatic linking option**, while disabling **account linking allowed**.
## Statement
This change was tracked in the following PR:
[feat(idp): provide auto only options](https://github.com/zitadel/zitadel/pull/8420), which was released in Version [2.60.0](https://github.com/zitadel/zitadel/releases/tag/v2.60.0)
## Mitigation
If you previously enabled one of the **automatic** options with the corresponding **allowed** option, be sure that this is the intended behavior.
## Impact
Once this update has been released and deployed, the **automatic** options can be activated with the corresponding **allowed** option.
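Review bot: the "Mitigation" and "Impact" sections state the condition the wrong way round. Before this change, an **automatic** option was ignored unless the **allowed** option was also enabled, so the configurations that change behavior are the ones where an automatic option was enabled *without* the corresponding allowed option; after the upgrade that automatic option silently takes effect. The Impact line should read "the **automatic** options can be activated without the corresponding **allowed** option", and the Mitigation line should tell operators to review IdP configurations where an automatic option is enabled while the allowed option is disabled. Also, "Date: TBD" in the header contradicts the Statement section, which says the change "was released in Version 2.60.0"; set the date or phrase the statement as "will be released in".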

@@ -178,6 +178,18 @@ We understand that these advisories may include breaking changes, and we aim to
<td>2.53.0</td>
<td>2024-05-28</td>
</tr>
<tr>
<td>
<a href="./advisory/a10011">A-10011</a>
</td>
<td>Identity Provider options: allow "auto" only</td>
<td>Breaking Behavior Change</td>
<td>
Version 2.60.0 allows more combinations in the identity provider options. Due to this there might be unexpected behavior changes.
</td>
<td>2.53.0</td>
<td>2024-05-28</td>
</tr>
</table>
## Subscribe to our Mailing List
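Review bot: the version and date cells of the new A-10011 row (`2.53.0`, `2024-05-28`) are copied from the previous A-10010 row and do not match the advisory page itself, which states version 2.60.0 and a date of TBD. Update the two cells to `2.60.0` and the actual release date so the table and the advisory agree.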