:/tmp/my-realm-users-0.json .
## Set up ZITADEL
-After creating a sample application that connects to Keycloak, you need to set up ZITADEL in order to migrate the application and users from Keycloak to ZITADEL. For this, ZITADEL offers a [Docker Compose](https://zitadel.com/docs/self-hosting/deploy/compose) installation guide. Follow the instructions under the [Docker compose](https://zitadel.com/docs/self-hosting/deploy/compose#docker-compose) section to run a ZITADEL instance locally.
+After creating a sample application that connects to Keycloak, you need to set up ZITADEL in order to migrate the application and users from Keycloak to ZITADEL. For this, ZITADEL offers a [Docker Compose](/docs/self-hosting/deploy/compose) installation guide. Follow the instructions under the [Docker compose](/docs/self-hosting/deploy/compose#docker-compose) section to run a ZITADEL instance locally.
Next, the application will be available at [http://localhost:8080/ui/console/](http://localhost:8080/ui/console/).
@@ -91,13 +91,13 @@ Now you can access the console with the following default credentials:
## Import Keycloak users into ZITADEL
-As explained in this [ZITADEL user migration guide](https://zitadel.com/docs/guides/migrate/users), you can import users individually or in bulk. Since we are looking at importing a single user from Keycloak, migrating that individual user to ZITADEL can be done with the [ImportHumanUser](https://zitadel.com/docs/apis/resources/mgmt/management-service-import-human-user) endpoint.
+As explained in this [ZITADEL user migration guide](/docs/guides/migrate/users), you can import users individually or in bulk. Since we are looking at importing a single user from Keycloak, migrating that individual user to ZITADEL can be done with the [ImportHumanUser](/docs/apis/resources/mgmt/management-service-import-human-user) endpoint.
> With this endpoint, an email will only be sent to the user if the email is marked as not verified or if there's no password set.
### Create a service user to consume ZITADEL API
-But first of all, in order to use this ZITADEL API, you need to create a [service user](https://zitadel.com/docs/guides/integrate/service-users/authenticate-service-users#exercise-create-a-service-user).
+But first of all, in order to use this ZITADEL API, you need to create a [service user](/docs/guides/integrate/service-users/authenticate-service-users#exercise-create-a-service-user).
Go to the **Users** menu and select the **Service Users** tab. And click the **+ New** button.
@@ -167,7 +167,7 @@ if your Keycloak Realm has a single user, your `my-realm-users-0.json` file, int
}
```
-Now, you need to transform the JSON to the ZITADEL data format by adhering to the ZITADEL API [specification](https://zitadel.com/docs/apis/resources/mgmt/management-service-import-human-user) to import a user. The minimal format would be as shown below:
+Now, you need to transform the JSON to the ZITADEL data format by adhering to the ZITADEL API [specification](/docs/apis/resources/mgmt/management-service-import-human-user) to import a user. The minimal format would be as shown below:
```js
{
diff --git a/docs/docs/guides/migrate/users.md b/docs/docs/guides/migrate/users.md
index bf8a2cb992..5eb8ceb694 100644
--- a/docs/docs/guides/migrate/users.md
+++ b/docs/docs/guides/migrate/users.md
@@ -42,7 +42,7 @@ Please also consult our [guide](/docs/guides/manage/user/reg-create-user) on how
## Bulk import
-For bulk import use the [import endpoint](https://zitadel.com/docs/apis/resources/admin/admin-service-import-data) on the admin API:
+For bulk import use the [import endpoint](/docs/apis/resources/admin/admin-service-import-data) on the admin API:
```json
{
@@ -191,7 +191,7 @@ Currently it is not possible to migrate passkeys directly from another system.
## Users linked to an external IDP
-A users `sub` is bound to the external [IDP's Client ID](https://zitadel.com/docs/guides/manage/console/default-settings#identity-providers).
+A users `sub` is bound to the external [IDP's Client ID](/docs/guides/manage/console/default-settings#identity-providers).
This means that the IDP Client ID configured in ZITADEL must be the same ID as in the legacy system.
Users should be imported with their `externalUserId`.
@@ -211,7 +211,7 @@ _snippet from [bulk-import](#bulk-import) example:_
}
```
-You can use an Action with [post-creation flow](https://zitadel.com/docs/apis/actions/external-authentication#post-creation) to pull information such as roles from the old system and apply them to the user in ZITADEL.
+You can use an Action with [post-creation flow](/docs/apis/actions/external-authentication#post-creation) to pull information such as roles from the old system and apply them to the user in ZITADEL.
## Metadata
@@ -220,7 +220,7 @@ Use metadata to store additional attributes of the users, such as organizational
:::info
Metadata must be added to users after the users were created. Currently metadata can't be added during user creation.
-[API reference: User Metadata](https://zitadel.com/docs/category/apis/resources/mgmt/user-metadata)
+[API reference: User Metadata](/docs/category/apis/resources/mgmt/user-metadata)
:::
Request metadata from the userinfo endpoint by passing the required [reserved scope](/docs/apis/openidoauth/scopes#reserved-scopes) in your auth request.
@@ -232,5 +232,5 @@ You can assign roles from owned or granted projects to a user.
:::info
Authorizations must be added to users after the users were created. Currently metadata can't be added during user creation.
-[API reference: User Authorization / Grants](https://zitadel.com/docs/category/apis/resources/auth/user-authorizations-grants)
+[API reference: User Authorization / Grants](/docs/category/apis/resources/auth/user-authorizations-grants)
:::
\ No newline at end of file
diff --git a/docs/docs/guides/overview.mdx b/docs/docs/guides/overview.mdx
index 3a42374e82..d01a4a6903 100644
--- a/docs/docs/guides/overview.mdx
+++ b/docs/docs/guides/overview.mdx
@@ -39,6 +39,10 @@ Join our [Discord chat](https://zitadel.com/chat) or open a [discussion](https:/
Cloud and enterprise customers can additionally reach us privately via our [support communication channels](/legal/service-description/support-services).
+## Office Hours
+
+ZITADEL holds bi-weekly community calls. To join the community calls use [this link](https://zitadel.com/office-hours), or find further information [here](https://github.com/zitadel/zitadel/blob/main/MEETING_SCHEDULE.md).
+
## Contribute
ZITADEL is open source — and so is the documentation.
diff --git a/docs/docs/guides/start/quickstart.mdx b/docs/docs/guides/start/quickstart.mdx
index e76c98bd05..99f193ddd5 100644
--- a/docs/docs/guides/start/quickstart.mdx
+++ b/docs/docs/guides/start/quickstart.mdx
@@ -353,7 +353,7 @@ The provided config extends the `UserManagerSettings` of the `oidc-client-ts` li
- redirect_uri (the URL to redirect to after the authorization flow is complete)
- post_logout_redirect_uri (the URL to redirect to after the user logs out)
- scope (the permissions requested from the user)
-- project_resource_id (To add a ZITADEL project scope. `urn:zitadel:iam:org:project:id:[projectId]:aud` and `urn:zitadel:iam:org:projects:roles` [scopes](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes).)
+- project_resource_id (To add a ZITADEL project scope. `urn:zitadel:iam:org:project:id:[projectId]:aud` and `urn:zitadel:iam:org:projects:roles` [scopes](/docs/apis/openidoauth/scopes#reserved-scopes).)
- prompt ([the OIDC prompt parameter](/apis/openidoauth/endpoints#additional-parameters))
2. Create a folder named components in the src directory. Create two files named Login.js and Callback.js.
@@ -412,4 +412,4 @@ And this brings us to the end of this quick start guide!
This tutorial covered how to configure ZITADEL and how to use React to build an app that communicates with ZITADEL to access secured resources.
-We hope you enjoyed the tutorial and encourage you to check out the ZITADEL [documentation](https://zitadel.com/docs) for more information on how to use the ZITADEL platform to its full potential. Thanks for joining us!
+We hope you enjoyed the tutorial and encourage you to check out the ZITADEL [documentation](/docs) for more information on how to use the ZITADEL platform to its full potential. Thanks for joining us!
diff --git a/docs/docs/legal/policies/brand-trademark-policy.md b/docs/docs/legal/policies/brand-trademark-policy.md
index b6b1c6aaff..8016760c58 100644
--- a/docs/docs/legal/policies/brand-trademark-policy.md
+++ b/docs/docs/legal/policies/brand-trademark-policy.md
@@ -34,7 +34,7 @@ To ensure the logo is used as intended, we provide specific examples below and r
- Use in architecture diagrams without implying affiliation or partnership
- Editorial and informational purposes such as blog posts or news articles
-- Linking back to our [website](https://zitadel.com), official [repositories](https://github.com/zitadel), or [documentation](https://zitadel.com/docs)
+- Linking back to our [website](https://zitadel.com), official [repositories](https://github.com/zitadel), or [documentation](/docs)
- Indicating that the software is available for use or installation without implying any affiliation or endorsement
### Not acceptable
diff --git a/docs/docs/legal/policies/rate-limit-policy.md b/docs/docs/legal/policies/rate-limit-policy.md
index 378bab28e4..6075b7e6ab 100644
--- a/docs/docs/legal/policies/rate-limit-policy.md
+++ b/docs/docs/legal/policies/rate-limit-policy.md
@@ -3,7 +3,7 @@ title: Rate Limit Policy
custom_edit_url: null
---
-Last updated on April 20, 2023
+Last updated on April 24, 2024
This policy is an annex to the [Terms of Service](../terms-of-service) and clarifies your obligations while using our Services, specifically how we will use rate limiting to enforce certain aspects of our [Acceptable Use Policy](acceptable-use-policy).
@@ -35,10 +35,12 @@ For ZITADEL Cloud, we have a rate limiting rule for login paths (login, register
Rate limits are implemented with the following rules:
-| Path | Description | Rate Limiting | One Minute Banning |
-|--------------------------|----------------------------------------|--------------------------------------|----------------------------------------|
-| /ui/login* | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes |
-| All other paths | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes |
+| Path | Description | Rate Limiting | One Minute Banning |
+| -------------------- | -------------------------------------------------------------- | ------------------------------------ | ------------------------------------- |
+| /ui/login\* | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes |
+| /oauth/v2/keys | OAuth/OpenID Public Keys Endpoint | 20 requests per second over a minute | 15 requests per second over 3 minutes |
+| /oauth/v2/introspect | OAuth Introspection Endpoint | 20 requests per second over a minute | 15 requests per second over 3 minutes |
+| All other paths | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes |
## Load Testing
diff --git a/docs/docs/legal/policies/vulnerability-disclosure-policy.mdx b/docs/docs/legal/policies/vulnerability-disclosure-policy.mdx
index 1566655243..df8245d72e 100644
--- a/docs/docs/legal/policies/vulnerability-disclosure-policy.mdx
+++ b/docs/docs/legal/policies/vulnerability-disclosure-policy.mdx
@@ -57,7 +57,7 @@ We will not publish this information by default to protect your privacy.
### What not to report
- Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
-- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/default-settings#lockout)
+- DoS of users when [Lockout Policy is enabled](/docs/guides/manage/console/default-settings#lockout)
- Suggestions on Certificate Authority Authorization (CAA) rules
- Suggestions on DMARC/DKIM/SPF settings
- Suggestions on DNSSEC settings
diff --git a/docs/docs/self-hosting/deploy/troubleshooting/_instance_not_found.mdx b/docs/docs/self-hosting/deploy/troubleshooting/_instance_not_found.mdx
index 98785275b9..76b8e7b2f6 100644
--- a/docs/docs/self-hosting/deploy/troubleshooting/_instance_not_found.mdx
+++ b/docs/docs/self-hosting/deploy/troubleshooting/_instance_not_found.mdx
@@ -1,5 +1,5 @@
`ID=QUERY-n0wng Message=Instance not found`
If you're self hosting with a custom domain, you need to instruct ZITADEL to use the `ExternalDomain`.
-You can find further instructions in our guide about [custom domains](https://zitadel.com/docs/self-hosting/manage/custom-domain).
-We also provide a guide on how to [configure](https://zitadel.com/docs/self-hosting/manage/configure) ZITADEL with variables from files or environment variables.
+You can find further instructions in our guide about [custom domains](/docs/self-hosting/manage/custom-domain).
+We also provide a guide on how to [configure](/docs/self-hosting/manage/configure) ZITADEL with variables from files or environment variables.
diff --git a/docs/docs/self-hosting/manage/cli/mirror.mdx b/docs/docs/self-hosting/manage/cli/mirror.mdx
new file mode 100644
index 0000000000..8f96ed93df
--- /dev/null
+++ b/docs/docs/self-hosting/manage/cli/mirror.mdx
@@ -0,0 +1,232 @@
+---
+title: Mirror data to another database
+sidebar_label: Mirror command
+---
+
+The `mirror` command allows you to do database to database migrations. This functionality is useful to copy data from one database to another.
+
+The data can be mirrored to multiple database without influencing each other.
+
+## Use cases
+
+Migrate from cockroachdb to postgres or vice versa.
+
+Replicate data to a secondary environment for testing.
+
+## Prerequisites
+
+You need an existing source database, most probably the database ZITADEL currently serves traffic from.
+
+To mirror the data the destination database needs to be initialized and setup without an instance.
+
+### Start the destination database
+
+Follow one of the following guides to start the database:
+
+* [Linux](/docs/self-hosting/deploy/linux#run-postgresql)
+* [MacOS](/docs/self-hosting/deploy/macos#install-postgresql)
+
+Or use the following commands for [Docker Compose](/docs/self-hosting/deploy/compose)
+
+```bash
+# Download the docker compose example configuration.
+wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/deploy/docker-compose.yaml
+
+# Run the database and application containers.
+docker compose up db --detach
+```
+
+## Example
+
+The following commands setup the database as described above. See [configuration](#configuration) for more details about the configuration options.
+
+```bash
+zitadel init --config /path/to/your/new/config.yaml
+zitadel setup --for-init --config /path/to/your/new/config.yaml # make sure to set --tlsMode and masterkey analog to your current deployment
+zitadel mirror --system --config /path/to/your/mirror/config.yaml # make sure to set --tlsMode and masterkey analog to your current deployment
+```
+
+## Usage
+
+The general syntax for the mirror command is:
+
+```bash
+zitadel mirror [flags]
+
+Flags:
+ -h, --help help for mirror
+
+ --config stringArray path to config file to overwrite system defaults
+
+ --ignore-previous ignores previous migrations of the events table. This flag should be used if you manually dropped previously mirrored events.
+ --replace replaces all data of the following tables for the provided instances or all if the `--system`-flag is set:
+ * system.assets
+ * auth.auth_requests
+ * eventstore.unique_constraints
+ The should be provided if you want to execute the mirror command multiple times so that the static data are also mirrored to prevent inconsistent states.
+
+ --instance strings id or comma separated ids of the instance(s) to migrate. Either this or the `--system`-flag must be set. Make sure to always use the same flag if you execute the command multiple times.
+ --system migrates the whole system. Either this or the `--instance`-flag must be set. Make sure to always use the same flag if you execute the command multiple times.
+
+# For the flags below use the same configuration you also use in the current deployment
+
+ --masterkey string masterkey as argument for en/decryption keys
+ -m, --masterkeyFile string path to the masterkey for en/decryption keys
+ --masterkeyFromEnv read masterkey for en/decryption keys from environment variable (ZITADEL_MASTERKEY)
+ --tlsMode externalSecure start ZITADEL with (enabled), without (disabled) TLS or external component e.g. reverse proxy (external) terminating TLS, this flag will overwrite externalSecure and `tls.enabled` in configs files
+```
+
+## Configuration
+
+```yaml
+# The source database the data are copied from. Use either cockroach or postgres, by default cockroach is used
+Source:
+ cockroach:
+ Host: localhost # ZITADEL_SOURCE_COCKROACH_HOST
+ Port: 26257 # ZITADEL_SOURCE_COCKROACH_PORT
+ Database: zitadel # ZITADEL_SOURCE_COCKROACH_DATABASE
+ MaxOpenConns: 6 # ZITADEL_SOURCE_COCKROACH_MAXOPENCONNS
+ MaxIdleConns: 6 # ZITADEL_SOURCE_COCKROACH_MAXIDLECONNS
+ EventPushConnRatio: 0.33 # ZITADEL_SOURCE_COCKROACH_EVENTPUSHCONNRATIO
+ ProjectionSpoolerConnRatio: 0.33 # ZITADEL_SOURCE_COCKROACH_PROJECTIONSPOOLERCONNRATIO
+ MaxConnLifetime: 30m # ZITADEL_SOURCE_COCKROACH_MAXCONNLIFETIME
+ MaxConnIdleTime: 5m # ZITADEL_SOURCE_COCKROACH_MAXCONNIDLETIME
+ Options: "" # ZITADEL_SOURCE_COCKROACH_OPTIONS
+ User:
+ Username: zitadel # ZITADEL_SOURCE_COCKROACH_USER_USERNAME
+ Password: "" # ZITADEL_SOURCE_COCKROACH_USER_PASSWORD
+ SSL:
+ Mode: disable # ZITADEL_SOURCE_COCKROACH_USER_SSL_MODE
+ RootCert: "" # ZITADEL_SOURCE_COCKROACH_USER_SSL_ROOTCERT
+ Cert: "" # ZITADEL_SOURCE_COCKROACH_USER_SSL_CERT
+ Key: "" # ZITADEL_SOURCE_COCKROACH_USER_SSL_KEY
+ # Postgres is used as soon as a value is set
+ # The values describe the possible fields to set values
+ postgres:
+ Host: # ZITADEL_SOURCE_POSTGRES_HOST
+ Port: # ZITADEL_SOURCE_POSTGRES_PORT
+ Database: # ZITADEL_SOURCE_POSTGRES_DATABASE
+ MaxOpenConns: # ZITADEL_SOURCE_POSTGRES_MAXOPENCONNS
+ MaxIdleConns: # ZITADEL_SOURCE_POSTGRES_MAXIDLECONNS
+ MaxConnLifetime: # ZITADEL_SOURCE_POSTGRES_MAXCONNLIFETIME
+ MaxConnIdleTime: # ZITADEL_SOURCE_POSTGRES_MAXCONNIDLETIME
+ Options: # ZITADEL_SOURCE_POSTGRES_OPTIONS
+ User:
+ Username: # ZITADEL_SOURCE_POSTGRES_USER_USERNAME
+ Password: # ZITADEL_SOURCE_POSTGRES_USER_PASSWORD
+ SSL:
+ Mode: # ZITADEL_SOURCE_POSTGRES_USER_SSL_MODE
+ RootCert: # ZITADEL_SOURCE_POSTGRES_USER_SSL_ROOTCERT
+ Cert: # ZITADEL_SOURCE_POSTGRES_USER_SSL_CERT
+ Key: # ZITADEL_SOURCE_POSTGRES_USER_SSL_KEY
+
+# The destination database the data are copied to. Use either cockroach or postgres, by default cockroach is used
+Destination:
+ cockroach:
+ Host: localhost # ZITADEL_DESTINATION_COCKROACH_HOST
+ Port: 26257 # ZITADEL_DESTINATION_COCKROACH_PORT
+ Database: zitadel # ZITADEL_DESTINATION_COCKROACH_DATABASE
+ MaxOpenConns: 0 # ZITADEL_DESTINATION_COCKROACH_MAXOPENCONNS
+ MaxIdleConns: 0 # ZITADEL_DESTINATION_COCKROACH_MAXIDLECONNS
+ MaxConnLifetime: 30m # ZITADEL_DESTINATION_COCKROACH_MAXCONNLIFETIME
+ MaxConnIdleTime: 5m # ZITADEL_DESTINATION_COCKROACH_MAXCONNIDLETIME
+ EventPushConnRatio: 0.01 # ZITADEL_DESTINATION_COCKROACH_EVENTPUSHCONNRATIO
+ ProjectionSpoolerConnRatio: 0.5 # ZITADEL_DESTINATION_COCKROACH_PROJECTIONSPOOLERCONNRATIO
+ Options: "" # ZITADEL_DESTINATION_COCKROACH_OPTIONS
+ User:
+ Username: zitadel # ZITADEL_DESTINATION_COCKROACH_USER_USERNAME
+ Password: "" # ZITADEL_DESTINATION_COCKROACH_USER_PASSWORD
+ SSL:
+ Mode: disable # ZITADEL_DESTINATION_COCKROACH_USER_SSL_MODE
+ RootCert: "" # ZITADEL_DESTINATION_COCKROACH_USER_SSL_ROOTCERT
+ Cert: "" # ZITADEL_DESTINATION_COCKROACH_USER_SSL_CERT
+ Key: "" # ZITADEL_DESTINATION_COCKROACH_USER_SSL_KEY
+ # Postgres is used as soon as a value is set
+ # The values describe the possible fields to set values
+ postgres:
+ Host: # ZITADEL_DESTINATION_POSTGRES_HOST
+ Port: # ZITADEL_DESTINATION_POSTGRES_PORT
+ Database: # ZITADEL_DESTINATION_POSTGRES_DATABASE
+ MaxOpenConns: # ZITADEL_DESTINATION_POSTGRES_MAXOPENCONNS
+ MaxIdleConns: # ZITADEL_DESTINATION_POSTGRES_MAXIDLECONNS
+ MaxConnLifetime: # ZITADEL_DESTINATION_POSTGRES_MAXCONNLIFETIME
+ MaxConnIdleTime: # ZITADEL_DESTINATION_POSTGRES_MAXCONNIDLETIME
+ Options: # ZITADEL_DESTINATION_POSTGRES_OPTIONS
+ User:
+ Username: # ZITADEL_DESTINATION_POSTGRES_USER_USERNAME
+ Password: # ZITADEL_DESTINATION_POSTGRES_USER_PASSWORD
+ SSL:
+ Mode: # ZITADEL_DESTINATION_POSTGRES_USER_SSL_MODE
+ RootCert: # ZITADEL_DESTINATION_POSTGRES_USER_SSL_ROOTCERT
+ Cert: # ZITADEL_DESTINATION_POSTGRES_USER_SSL_CERT
+ Key: # ZITADEL_DESTINATION_POSTGRES_USER_SSL_KEY
+
+# As cockroachdb first copies the data into memory this parameter is used to iterate through the events table and fetch only the given amount of events per iteration
+EventBulkSize: 10000 # ZITADEL_EVENTBULKSIZE
+
+Projections:
+ # Defines how many projections are allowed to run in parallel
+ ConcurrentInstances: 7 # ZITADEL_PROJECTIONS_CONCURRENTINSTANCES
+ # Limits the amount of events projected by each iteration
+ EventBulkLimit: 1000 # ZITADEL_PROJECTIONS_EVENTBULKLIMIT
+
+Auth:
+ Spooler:
+ # Limits the amount of events projected by each iteration
+ BulkLimit: 1000 #ZITADEL_AUTH_SPOOLER_BULKLIMIT
+
+Admin:
+ Spooler:
+ # Limits the amount of events projected by each iteration
+ BulkLimit: 10 #ZITADEL_ADMIN_SPOOLER_BULKLIMIT
+
+Log:
+ Level: info
+```
+
+## Sub commands
+
+The provided sub commands allow more fine grained execution of copying the data.
+
+The following commands are safe to execute multiple times by adding the `--replace`-flag which replaces the data not provided by the events in the destination database.
+
+### `zitadel mirror auth`
+
+Copies the auth requests to the destination database.
+
+### `zitadel mirror eventstore`
+
+Copies the events since the last migration and unique constraints to the destination database.
+
+### `zitadel mirror projections`
+
+Executes all projections in the destination database.
+
+It is NOOP if the projections are already up-to-date.
+
+### `zitadel mirror system`
+
+Copies encryption keys and assets to the destination database.
+
+### `zitadel mirror verify`
+
+Prints the amount of rows of the source and destination database and the diff. Positive numbers indicate more rows in the destination table that in the source, negative numbers the opposite.
+
+The following tables will likely have an unequal count:
+
+* **projections.current_states**: If your deployment was upgraded several times, the number of entries in the destination will be lower
+* **projections.locks**: If your deployment was upgraded several times, the number of entries in the destination will be lower
+* **projections.keys4\***: Only not expired keys are inserted, the number of entries in the destination will be lower
+* **projections.failed_events**: Should be lower or equal.
+* **auth.users2**: Was replaced with auth.users3, the number of entries in the destination will be 0
+* **auth.users3**: Is the replacement of auth.users2, the number of entries in the destination will be equal or higher
+
+## Limitations
+
+It is not possible to use files as source or destination. See github issue [here](https://github.com/zitadel/zitadel/issues/7966)
+
+Currently the encryption keys of the source database must be copied to the destination database. See github issue [here](https://github.com/zitadel/zitadel/issues/7964)
+
+It is not possible to change the domain of the ZITADEL deployment.
+
+Once you mirrored an instance using the `--instance` flag, you have to make sure you don't mirror other preexisting instances. This means for example, you cannot mirror a few instances and then pass the `--system` flag. You have to pass all remaining instances explicitly, once you used the `--instance` flag
diff --git a/docs/docs/self-hosting/manage/cli/overview.mdx b/docs/docs/self-hosting/manage/cli/overview.mdx
new file mode 100644
index 0000000000..31fd71f4d0
--- /dev/null
+++ b/docs/docs/self-hosting/manage/cli/overview.mdx
@@ -0,0 +1,34 @@
+---
+title: ZITADEL Command Line Interface
+sidebar_label: Overview
+---
+
+This documentation serves as your guide to interacting with Zitadel through the command line interface (CLI). The Zitadel CLI empowers you to manage various aspects of your Zitadel system efficiently from your terminal.
+
+This introductory section provides a brief overview of what the Zitadel CLI offers and who can benefit from using it.
+
+Let's dive in!
+
+## Download the CLI
+
+Download the CLI for [Linux](/docs/self-hosting/deploy/linux#install-zitadel) or [MacOS](/docs/self-hosting/deploy/macos#install-zitadel).
+
+## Quick start
+
+The easiest way to start ZITADEL is by following the [docker compose example](/docs/self-hosting/deploy/compose) which executes the commands for you.
+
+## Initialize the database
+
+The `zitadel init`-command sets up the zitadel database. The statements executed need a user with `ADMIN`-privilege. See [init phase](/docs/self-hosting/manage/updating_scaling#the-init-phase) for more information.
+
+## Setup ZITADEL
+
+The `zitadel setup`-command further sets up the database created using `zitadel init`. This command only requires the user created in the previous step. See [setup phase](/docs/self-hosting/manage/updating_scaling#the-setup-phase) for more information.
+
+## Start ZITADEL
+
+The `zitadel start`-command runs the ZITADEL server. See [runtime phase](/docs/self-hosting/manage/updating_scaling#the-runtime-phase) for more information.
+
+The `zitadel start-from-setup`-command first executes [the setup phase](#setup-zitadel) and afterwards runs the ZITADEL server.
+
+The `zitadel start-from-init`-command first executes [the init phase](#Initialize-the-database), afterwards [the setup phase](#setup-zitadel) and lastly runs the ZITADEL server.
diff --git a/docs/docs/self-hosting/manage/database/_cockroachdb.mdx b/docs/docs/self-hosting/manage/database/_cockroachdb.mdx
index 2836640669..edc3f139fd 100644
--- a/docs/docs/self-hosting/manage/database/_cockroachdb.mdx
+++ b/docs/docs/self-hosting/manage/database/_cockroachdb.mdx
@@ -2,6 +2,8 @@
The default database of ZITADEL is [CockroachDB](https://www.cockroachlabs.com). The SQL database provides a bunch of features like horizontal scalability, data regionality and many more.
+Currently versions >= 23.2 are supported.
+
The default configuration of the database looks like this:
```yaml
diff --git a/docs/docs/self-hosting/manage/productionchecklist.md b/docs/docs/self-hosting/manage/productionchecklist.md
index aaf52d0de8..fb85557a23 100644
--- a/docs/docs/self-hosting/manage/productionchecklist.md
+++ b/docs/docs/self-hosting/manage/productionchecklist.md
@@ -25,7 +25,7 @@ To apply best practices to your production setup we created a step by step check
- [ ] Secure database connections from outside your network and/or use an internal subnet for database connectivity
- [ ] High Availability for critical infrastructure components (depending on your setup)
- [ ] Loadbalancer
- - [ ] [Reverse Proxies](https://zitadel.com/docs/self-hosting/manage/reverseproxy/reverse_proxy)
+ - [ ] [Reverse Proxies](/docs/self-hosting/manage/reverseproxy/reverse_proxy)
- [ ] Web Application Firewall
#### Networking
@@ -41,7 +41,7 @@ To apply best practices to your production setup we created a step by step check
- [ ] Add [Custom Branding](/docs/guides/manage/customize/branding) if required
- [ ] Configure a valid [SMS Service](/docs/guides/manage/console/default-settings#sms) such as Twilio if needed
- [ ] Configure your privacy policy, terms of service and a help Link if needed
-- [ ] Keep your [masterkey](https://zitadel.com/docs/self-hosting/manage/configure) in a secure storage
+- [ ] Keep your [masterkey](/docs/self-hosting/manage/configure) in a secure storage
- [ ] Declare and apply zitadel configuration using the zitadel terraform [provider](https://github.com/zitadel/terraform-provider-zitadel)
### Security
diff --git a/docs/docs/support/advisory/a10003.md b/docs/docs/support/advisory/a10003.md
index 9be32fbd78..b132e5738d 100644
--- a/docs/docs/support/advisory/a10003.md
+++ b/docs/docs/support/advisory/a10003.md
@@ -21,7 +21,7 @@ If users are redirected to the Login-UI without any organizational context, they
:::note
If the registration (and also authentication) needs to occur on a specified organization, apps can already
-specify this by providing [an organization scope](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes).
+specify this by providing [an organization scope](/docs/apis/openidoauth/scopes#reserved-scopes).
:::
## Statement
@@ -37,7 +37,7 @@ There's no action needed on your side currently as existing instances are not af
Once this update has been released and deployed, newly created instances will always use the default organization and its settings as default context for the login.
-Already existing instances will still use the instance settings by default and can switch to the new default by ["Activating the 'LoginDefaultOrg' feature"](https://zitadel.com/docs/apis/resources/admin/admin-service-activate-feature-login-default-org) through the Admin API.
+Already existing instances will still use the instance settings by default and can switch to the new default by ["Activating the 'LoginDefaultOrg' feature"](/docs/apis/resources/admin/admin-service-activate-feature-login-default-org) through the Admin API.
**This change is irreversible!**
:::note
diff --git a/docs/docs/support/advisory/a10009.md b/docs/docs/support/advisory/a10009.md
new file mode 100644
index 0000000000..014700760a
--- /dev/null
+++ b/docs/docs/support/advisory/a10009.md
@@ -0,0 +1,27 @@
+---
+title: Technical Advisory 10009
+---
+
+## Date and Version
+
+Version: 2.53.0
+
+Date: 2024-05-28
+
+## Description
+
+There were rare cases where Cockroachdb got blocked during runtime of ZITADEL and returned `WRITE_TOO_OLD`-errors to ZITADEL. The root cause of the problem is described in [this github issue of the database](https://github.com/cockroachdb/cockroach/issues/77119). The workaround provided by the database is enabling the `enable_durable_locking_for_serializable`-flag as described [here](https://github.com/cockroachdb/cockroach/issues/75456#issuecomment-1936277716).
+
+Because enabling flags requires admin privileges the statement must be executed manually or by executing `zitadel init` command.
+
+## Statement
+
+Ensure lock distribution for `FOR UPDATE`-statements on Cockroachdb.
+
+## Mitigation
+
+Cockroachdb version >= 23.2.
+
+## Impact
+
+Adding additional raft queries to `FOR UPDATE`-statements can impact performance slightly but ensures availability of the system.
diff --git a/docs/docs/support/advisory/a10010.md b/docs/docs/support/advisory/a10010.md
new file mode 100644
index 0000000000..c2fd95902e
--- /dev/null
+++ b/docs/docs/support/advisory/a10010.md
@@ -0,0 +1,30 @@
+---
+title: Technical Advisory 10010
+---
+
+## Date and Version
+
+Version: 2.53.0
+
+Date: 2024-05-28
+
+## Description
+
+Version 2.53.0 optimizes the way tokens are created and migrates them to the v2 implementation already used by OAuth / OIDC tokens created through the session API.
+
+Because of this tokens events are no longer created on the user itself. To be as backwards compatible as possible a separate event is created on the user for the audit log.
+
+## Statement
+
+This change was tracked in the following PR:
+[perf(oidc): optimize token creation](https://github.com/zitadel/zitadel/pull/7822), which was released in Version [2.53.0](https://github.com/zitadel/zitadel/releases/tag/v2.53.0)
+
+## Mitigation
+
+If you use the ListEvents API to check the audit trail of a user or being able to compute Daily or Monthly Active Users, be sure to also include the `user.token.v2.added` event type in your search
+if you already query for the `user.token.added` event type.
+
+## Impact
+
+Once this update has been released and deployed, the `user.token.added` event will no longer be created when a user access token is created, but instead a `user.token.v2.added`.
+Existing `user.token.added` events will be untouched.
diff --git a/docs/docs/support/software-release-cycles-support.md b/docs/docs/support/software-release-cycles-support.md
index 6524c489fd..162b428269 100644
--- a/docs/docs/support/software-release-cycles-support.md
+++ b/docs/docs/support/software-release-cycles-support.md
@@ -74,7 +74,7 @@ During this phase, support is limited as we focus on testing and bug fixing.
### General available
Generally available features are available to everyone and have the appropriate test coverage to be used for critical tasks.
-The software will be backwards-compatible with previous versions, for exceptions we will publish a [technical advisory](https://zitadel.com/docs/support/technical_advisory).
+The software will be backwards-compatible with previous versions, for exceptions we will publish a [technical advisory](/docs/support/technical_advisory).
Features in General Availability are not marked explicitly.
## Release types
diff --git a/docs/docs/support/technical_advisory.mdx b/docs/docs/support/technical_advisory.mdx
index d1a865f88d..e205b87683 100644
--- a/docs/docs/support/technical_advisory.mdx
+++ b/docs/docs/support/technical_advisory.mdx
@@ -149,11 +149,35 @@ We understand that these advisories may include breaking changes, and we aim to
| New flag to prefill projections during setup instead of after start |
Feature description |
- new flag `--init-projections` introduced to `zitadel setup` commands (`setup`, `start-from-setup`, `start-from-init`)
+ New flag `--init-projections` introduced to `zitadel setup` commands (`setup`, `start-from-setup`, `start-from-init`)
|
2.44.0, 2.43.6, 2.42.12 |
2024-01-25 |
+
+ |
+ A-10009
+ |
+ Ensure lock distribution for `FOR UPDATE`-statements on Cockroachdb |
+ Feature description |
+
+ Fixes rare cases where updating projections was blocked by a `WRITE_TOO_OLD`-error when using cockroachdb.
+ |
+ 2.53.0 |
+ 2024-05-28 |
+
+
+ |
+ A-10010
+ |
+ Event type of token added event changed |
+ Breaking Behavior Change |
+
+ Version 2.53.0 improves the token issuance. Due to this there are changes to the event types created on token creation.
+ |
+ 2.53.0 |
+ 2024-05-28 |
+
## Subscribe to our Mailing List
diff --git a/docs/sidebars.js b/docs/sidebars.js
index d0a0ab9cf0..d142431638 100644
--- a/docs/sidebars.js
+++ b/docs/sidebars.js
@@ -881,6 +881,18 @@ module.exports = {
"self-hosting/manage/database/database",
"self-hosting/manage/updating_scaling",
"self-hosting/manage/usage_control",
+ {
+ type: "category",
+ label: "Command Line Interface",
+ collapsed: false,
+ link: {
+ type: "doc",
+ id: "self-hosting/manage/cli/overview"
+ },
+ items: [
+ "self-hosting/manage/cli/mirror"
+ ],
+ },
],
},
],
diff --git a/go.mod b/go.mod
index 9d0da91cba..1f5bcc264e 100644
--- a/go.mod
+++ b/go.mod
@@ -22,7 +22,7 @@ require (
github.com/envoyproxy/protoc-gen-validate v1.0.4
github.com/fatih/color v1.16.0
github.com/gabriel-vasile/mimetype v1.4.3
- github.com/go-jose/go-jose/v4 v4.0.1
+ github.com/go-jose/go-jose/v4 v4.0.2
github.com/go-ldap/ldap/v3 v3.4.7
github.com/go-webauthn/webauthn v0.10.2
github.com/gorilla/csrf v1.7.2
@@ -31,7 +31,7 @@ require (
github.com/gorilla/securecookie v1.1.2
github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
github.com/grpc-ecosystem/grpc-gateway v1.16.0
- github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1
+ github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0
github.com/h2non/gock v1.2.0
github.com/hashicorp/golang-lru/v2 v2.0.7
github.com/improbable-eng/grpc-web v0.15.0
@@ -58,31 +58,31 @@ require (
github.com/superseriousbusiness/exifremove v0.0.0-20210330092427-6acd27eac203
github.com/ttacon/libphonenumber v1.2.1
github.com/zitadel/logging v0.6.0
- github.com/zitadel/oidc/v3 v3.23.2
+ github.com/zitadel/oidc/v3 v3.25.0
github.com/zitadel/passwap v0.5.0
github.com/zitadel/saml v0.1.3
github.com/zitadel/schema v1.3.0
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0
- go.opentelemetry.io/otel v1.26.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0
- go.opentelemetry.io/otel/exporters/prometheus v0.48.0
- go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0
- go.opentelemetry.io/otel/metric v1.26.0
- go.opentelemetry.io/otel/sdk v1.26.0
- go.opentelemetry.io/otel/sdk/metric v1.26.0
- go.opentelemetry.io/otel/trace v1.26.0
+ go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0
+ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0
+ go.opentelemetry.io/otel v1.27.0
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0
+ go.opentelemetry.io/otel/exporters/prometheus v0.49.0
+ go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.27.0
+ go.opentelemetry.io/otel/metric v1.27.0
+ go.opentelemetry.io/otel/sdk v1.27.0
+ go.opentelemetry.io/otel/sdk/metric v1.27.0
+ go.opentelemetry.io/otel/trace v1.27.0
go.uber.org/mock v0.4.0
- golang.org/x/crypto v0.22.0
+ golang.org/x/crypto v0.24.0
golang.org/x/exp v0.0.0-20240409090435-93d18d7e34b8
- golang.org/x/net v0.24.0
- golang.org/x/oauth2 v0.19.0
+ golang.org/x/net v0.26.0
+ golang.org/x/oauth2 v0.21.0
golang.org/x/sync v0.7.0
- golang.org/x/text v0.14.0
+ golang.org/x/text v0.16.0
google.golang.org/api v0.172.0
- google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6
- google.golang.org/grpc v1.63.2
- google.golang.org/protobuf v1.34.0
+ google.golang.org/genproto/googleapis/api v0.0.0-20240610135401-a8a62080eff3
+ google.golang.org/grpc v1.64.0
+ google.golang.org/protobuf v1.34.2
sigs.k8s.io/yaml v1.4.0
)
@@ -91,7 +91,7 @@ require (
github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
github.com/crewjam/httperr v0.2.0 // indirect
github.com/go-chi/chi/v5 v5.0.12 // indirect
- github.com/go-logr/logr v1.4.1 // indirect
+ github.com/go-logr/logr v1.4.2 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-sql-driver/mysql v1.7.1 // indirect
github.com/go-webauthn/x v0.1.9 // indirect
@@ -116,13 +116,12 @@ require (
go.uber.org/multierr v1.11.0 // indirect
golang.org/x/time v0.5.0 // indirect
google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
+ google.golang.org/genproto/googleapis/rpc v0.0.0-20240610135401-a8a62080eff3 // indirect
)
require (
cloud.google.com/go v0.112.2 // indirect
- cloud.google.com/go/compute v1.25.1 // indirect
- cloud.google.com/go/compute/metadata v0.2.3 // indirect
+ cloud.google.com/go/compute/metadata v0.3.0 // indirect
cloud.google.com/go/iam v1.1.7 // indirect
cloud.google.com/go/trace v1.10.6 // indirect
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
@@ -181,10 +180,10 @@ require (
github.com/muesli/clusters v0.0.0-20200529215643-2700303c1762 // indirect
github.com/muesli/kmeans v0.3.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
- github.com/prometheus/client_golang v1.19.0
+ github.com/prometheus/client_golang v1.19.1
github.com/prometheus/client_model v0.6.1 // indirect
- github.com/prometheus/common v0.53.0 // indirect
- github.com/prometheus/procfs v0.14.0 // indirect
+ github.com/prometheus/common v0.54.0 // indirect
+ github.com/prometheus/procfs v0.15.1 // indirect
github.com/rs/xid v1.5.0 // indirect
github.com/russellhaering/goxmldsig v1.4.0 // indirect
github.com/sirupsen/logrus v1.9.3
@@ -196,9 +195,9 @@ require (
github.com/x448/float16 v0.8.4 // indirect
github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
go.opencensus.io v0.24.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 // indirect
- go.opentelemetry.io/proto/otlp v1.2.0 // indirect
- golang.org/x/sys v0.19.0
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
+ go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+ golang.org/x/sys v0.21.0
gopkg.in/ini.v1 v1.67.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/go.sum b/go.sum
index dd1521bb3f..1ec896708a 100644
--- a/go.sum
+++ b/go.sum
@@ -2,10 +2,8 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
cloud.google.com/go v0.112.2 h1:ZaGT6LiG7dBzi6zNOvVZwacaXlmf3lRqnC4DQzqyRQw=
cloud.google.com/go v0.112.2/go.mod h1:iEqjp//KquGIJV/m+Pk3xecgKNhV+ry+vVTsy4TbDms=
-cloud.google.com/go/compute v1.25.1 h1:ZRpHJedLtTpKgr3RV1Fx23NuaAEN1Zfx9hw1u4aJdjU=
-cloud.google.com/go/compute v1.25.1/go.mod h1:oopOIR53ly6viBYxaDhBfJwzUAxf1zE//uf3IB011ls=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
cloud.google.com/go/iam v1.1.7 h1:z4VHOhwKLF/+UYXAJDFwGtNF0b6gjsW1Pk9Ml0U/IoM=
cloud.google.com/go/iam v1.1.7/go.mod h1:J4PMPg8TtyurAUvSmPj8FF3EDgY1SPRZxcUGrn7WXGA=
cloud.google.com/go/logging v1.9.0 h1:iEIOXFO9EmSiTjDmfpbRjOxECO7R8C7b8IXUGOj7xZw=
@@ -214,8 +212,8 @@ github.com/go-errors/errors v1.1.1/go.mod h1:psDX2osz5VnTOnFWbDeWwS7yejl+uV3FEWE
github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
-github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
@@ -226,8 +224,8 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
@@ -357,8 +355,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
github.com/h2non/filetype v1.1.3 h1:FKkx9QbD7HR/zjK1Ia5XiBsq9zdLi5Kf3zGyFTAFkGg=
github.com/h2non/filetype v1.1.3/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
@@ -603,8 +601,8 @@ github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod
github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
-github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -618,16 +616,16 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
-github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE=
-github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
+github.com/prometheus/common v0.54.0 h1:ZlZy0BgJhTwVZUn7dLOkwCZHUkrAqd3WYtcFCWnM1D8=
+github.com/prometheus/common v0.54.0/go.mod h1:/TQgMJP5CuVYveyT7n/0Ix8yLNNXy9yRSkhnLTHPDIQ=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
github.com/prometheus/procfs v0.3.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.14.0 h1:Lw4VdGGoKEZilJsayHf0B+9YgLGREba2C6xr+Fdfq6s=
-github.com/prometheus/procfs v0.14.0/go.mod h1:XL+Iwz8k8ZabyZfMFHPiilCniixqQarAy5Mu67pHlNQ=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
github.com/rakyll/statik v0.1.7 h1:OF3QCZUuyPxuGEP7B4ypUa7sB/iHtqOTDYZXGM8KOdQ=
github.com/rakyll/statik v0.1.7/go.mod h1:AlZONWzMtEnMs7W4e/1LURLiI49pIMmp6V9Unghqrcc=
github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
@@ -636,8 +634,8 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po=
github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
@@ -731,8 +729,8 @@ github.com/zenazn/goji v1.0.1 h1:4lbD8Mx2h7IvloP7r2C0D6ltZP6Ufip8Hn0wmSK5LR8=
github.com/zenazn/goji v1.0.1/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
github.com/zitadel/logging v0.6.0 h1:t5Nnt//r+m2ZhhoTmoPX+c96pbMarqJvW1Vq6xFTank=
github.com/zitadel/logging v0.6.0/go.mod h1:Y4CyAXHpl3Mig6JOszcV5Rqqsojj+3n7y2F591Mp/ow=
-github.com/zitadel/oidc/v3 v3.23.2 h1:vRUM6SKudr6WR/lqxue4cvCbgR+IdEJGVBklucKKXgk=
-github.com/zitadel/oidc/v3 v3.23.2/go.mod h1:9snlhm3W/GNURqxtchjL1AAuClWRZ2NTkn9sLs1WYfM=
+github.com/zitadel/oidc/v3 v3.25.0 h1:DosOUc31IPM9ZtKaT58+0iNicwDFTFk5Ctt7mgYtsA8=
+github.com/zitadel/oidc/v3 v3.25.0/go.mod h1:UDwD+PRFbUBzabyPd9JORrakty3/wec7VpKZYi9Ahh0=
github.com/zitadel/passwap v0.5.0 h1:kFMoRyo0GnxtOz7j9+r/CsRwSCjHGRaAKoUe69NwPvs=
github.com/zitadel/passwap v0.5.0/go.mod h1:uqY7D3jqdTFcKsW0Q3Pcv5qDMmSHpVTzUZewUKC1KZA=
github.com/zitadel/saml v0.1.3 h1:LI4DOCVyyU1qKPkzs3vrGcA5J3H4pH3+CL9zr9ShkpM=
@@ -746,30 +744,30 @@ go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0 h1:A3SayB3rNyt+1S6qpI9mHPkeHTZbD7XILEqWnYZb2l0=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0/go.mod h1:27iA5uvhuRNmalO+iEUdVn5ZMj2qy10Mm+XRIpRmyuU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc=
-go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs=
-go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 h1:1u/AyyOqAWzy+SkPxDpahCNZParHV8Vid1RnI2clyDE=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0/go.mod h1:z46paqbJ9l7c9fIPCXTqTGwhQZ5XoTIsfeFYWboizjs=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0 h1:Waw9Wfpo/IXzOI8bCB7DIk+0JZcqqsyn1JFnAc+iam8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0/go.mod h1:wnJIG4fOqyynOnnQF/eQb4/16VlX2EJAHhHgqIqWfAo=
-go.opentelemetry.io/otel/exporters/prometheus v0.48.0 h1:sBQe3VNGUjY9IKWQC6z2lNqa5iGbDSxhs60ABwK4y0s=
-go.opentelemetry.io/otel/exporters/prometheus v0.48.0/go.mod h1:DtrbMzoZWwQHyrQmCfLam5DZbnmorsGbOtTbYHycU5o=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0 h1:0W5o9SzoR15ocYHEQfvfipzcNog1lBxOLfnex91Hk6s=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0/go.mod h1:zVZ8nz+VSggWmnh6tTsJqXQ7rU4xLwRtna1M4x5jq58=
-go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30=
-go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4=
-go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8=
-go.opentelemetry.io/otel/sdk v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs=
-go.opentelemetry.io/otel/sdk/metric v1.26.0 h1:cWSks5tfriHPdWFnl+qpX3P681aAYqlZHcAyHw5aU9Y=
-go.opentelemetry.io/otel/sdk/metric v1.26.0/go.mod h1:ClMFFknnThJCksebJwz7KIyEDHO+nTB6gK8obLy8RyE=
-go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA=
-go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0=
-go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94=
-go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 h1:9l89oX4ba9kHbBol3Xin3leYJ+252h0zszDtBwyKe2A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0/go.mod h1:XLZfZboOJWHNKUv7eH0inh0E9VV6eWDFB/9yJyTLPp0=
+go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg=
+go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 h1:R9DE4kQ4k+YtfLI2ULwX82VtNQ2J8yZmA7ZIF/D+7Mc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0/go.mod h1:OQFyQVrDlbe+R7xrEyDr/2Wr67Ol0hRUgsfA+V5A95s=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
+go.opentelemetry.io/otel/exporters/prometheus v0.49.0 h1:Er5I1g/YhfYv9Affk9nJLfH/+qCCVVg1f2R9AbJfqDQ=
+go.opentelemetry.io/otel/exporters/prometheus v0.49.0/go.mod h1:KfQ1wpjf3zsHjzP149P4LyAwWRupc6c7t1ZJ9eXpKQM=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.27.0 h1:/0YaXu3755A/cFbtXp+21lkXgI0QE5avTWA2HjU9/WE=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.27.0/go.mod h1:m7SFxp0/7IxmJPLIY3JhOcU9CoFzDaCPL6xxQIxhA+o=
+go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik=
+go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak=
+go.opentelemetry.io/otel/sdk v1.27.0 h1:mlk+/Y1gLPLn84U4tI8d3GNJmGT/eXe3ZuOXN9kTWmI=
+go.opentelemetry.io/otel/sdk v1.27.0/go.mod h1:Ha9vbLwJE6W86YstIywK2xFfPjbWlCuwPtMkKdz/Y4A=
+go.opentelemetry.io/otel/sdk/metric v1.27.0 h1:5uGNOlpXi+Hbo/DRoI31BSb1v+OGcpv2NemcCrOL8gI=
+go.opentelemetry.io/otel/sdk/metric v1.27.0/go.mod h1:we7jJVrYN2kh3mVBlswtPU22K0SA+769l93J6bsyvqw=
+go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw=
+go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@@ -801,8 +799,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw=
@@ -863,13 +861,13 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg=
-golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -924,8 +922,8 @@ golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -941,8 +939,9 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
@@ -991,10 +990,10 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEY
google.golang.org/genproto v0.0.0-20210126160654-44e461bb6506/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56 h1:LlcUFJ4BLmJVS4Kly+WCK7LQqcevmycHj88EPgyhNx8=
google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56/go.mod h1:n1CaIKYMIlxFt1zJE/1kU40YpSL0drGMbl0Idum1VSs=
-google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 h1:DTJM0R8LECCgFeUwApvcEJHz85HLagW8uRENYxHh1ww=
-google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6/go.mod h1:10yRODfgim2/T8csjQsMPgZOMvtytXKTDRzH6HRGzRw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 h1:DujSIu+2tC9Ht0aPNA7jgj23Iq8Ewi5sgkQ++wdvonE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/genproto/googleapis/api v0.0.0-20240610135401-a8a62080eff3 h1:QW9+G6Fir4VcRXVH8x3LilNAb6cxBGLa6+GM4hRwexE=
+google.golang.org/genproto/googleapis/api v0.0.0-20240610135401-a8a62080eff3/go.mod h1:kdrSS/OiLkPrNUpzD4aHgCq2rVuC/YRxok32HXZ4vRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240610135401-a8a62080eff3 h1:9Xyg6I9IWQZhRVfCWjKK+l6kI0jHcPesVlMnT//aHNo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240610135401-a8a62080eff3/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM=
@@ -1010,8 +1009,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
-google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
+google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
+google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1022,8 +1021,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.34.0 h1:Qo/qEd2RZPCf2nKuorzksSknv0d3ERwp1vFG38gSmH4=
-google.golang.org/protobuf v1.34.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/internal/admin/repository/eventsourcing/handler/handler.go b/internal/admin/repository/eventsourcing/handler/handler.go
index e4791b70d9..06720144e1 100644
--- a/internal/admin/repository/eventsourcing/handler/handler.go
+++ b/internal/admin/repository/eventsourcing/handler/handler.go
@@ -41,14 +41,24 @@ func Register(ctx context.Context, config Config, view *view.View, static static
))
}
+func Projections() []*handler2.Handler {
+ return projections
+}
+
func Start(ctx context.Context) {
for _, projection := range projections {
projection.Start(ctx)
}
}
-func Projections() []*handler2.Handler {
- return projections
+func ProjectInstance(ctx context.Context) error {
+ for _, projection := range projections {
+ _, err := projection.Trigger(ctx)
+ if err != nil {
+ return err
+ }
+ }
+ return nil
}
func (config Config) overwrite(viewModel string) handler2.Config {
diff --git a/internal/api/grpc/admin/restrictions_integration_allow_public_org_registrations_test.go b/internal/api/grpc/admin/restrictions_integration_allow_public_org_registrations_test.go
index 30250e772a..5b29de19bb 100644
--- a/internal/api/grpc/admin/restrictions_integration_allow_public_org_registrations_test.go
+++ b/internal/api/grpc/admin/restrictions_integration_allow_public_org_registrations_test.go
@@ -22,7 +22,7 @@ import (
func TestServer_Restrictions_DisallowPublicOrgRegistration(t *testing.T) {
ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
defer cancel()
- domain, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, ctx, SystemCTX)
+ domain, _, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, ctx, SystemCTX)
regOrgUrl, err := url.Parse("http://" + domain + ":8080/ui/login/register/org")
require.NoError(t, err)
// The CSRF cookie must be sent with every request.
diff --git a/internal/api/grpc/admin/restrictions_integration_allowed_languages_test.go b/internal/api/grpc/admin/restrictions_integration_allowed_languages_test.go
index 277375f525..3e00978676 100644
--- a/internal/api/grpc/admin/restrictions_integration_allowed_languages_test.go
+++ b/internal/api/grpc/admin/restrictions_integration_allowed_languages_test.go
@@ -33,7 +33,7 @@ func TestServer_Restrictions_AllowedLanguages(t *testing.T) {
unsupportedLanguage = language.Afrikaans
)
- domain, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, ctx, SystemCTX)
+ domain, _, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, ctx, SystemCTX)
t.Run("assumed defaults are correct", func(tt *testing.T) {
tt.Run("languages are not restricted by default", func(ttt *testing.T) {
restrictions, err := Tester.Client.Admin.GetRestrictions(iamOwnerCtx, &admin.GetRestrictionsRequest{})
diff --git a/internal/api/grpc/feature/v2/converter.go b/internal/api/grpc/feature/v2/converter.go
index aa8b1287f4..259a6f8a42 100644
--- a/internal/api/grpc/feature/v2/converter.go
+++ b/internal/api/grpc/feature/v2/converter.go
@@ -16,6 +16,7 @@ func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) *command.
UserSchema: req.UserSchema,
Actions: req.Actions,
TokenExchange: req.OidcTokenExchange,
+ ImprovedPerformance: improvedPerformanceListToDomain(req.ImprovedPerformance),
}
}
@@ -28,6 +29,7 @@ func systemFeaturesToPb(f *query.SystemFeatures) *feature_pb.GetSystemFeaturesRe
UserSchema: featureSourceToFlagPb(&f.UserSchema),
OidcTokenExchange: featureSourceToFlagPb(&f.TokenExchange),
Actions: featureSourceToFlagPb(&f.Actions),
+ ImprovedPerformance: featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance),
}
}
@@ -39,6 +41,7 @@ func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) *comm
UserSchema: req.UserSchema,
TokenExchange: req.OidcTokenExchange,
Actions: req.Actions,
+ ImprovedPerformance: improvedPerformanceListToDomain(req.ImprovedPerformance),
}
}
@@ -51,6 +54,14 @@ func instanceFeaturesToPb(f *query.InstanceFeatures) *feature_pb.GetInstanceFeat
UserSchema: featureSourceToFlagPb(&f.UserSchema),
OidcTokenExchange: featureSourceToFlagPb(&f.TokenExchange),
Actions: featureSourceToFlagPb(&f.Actions),
+ ImprovedPerformance: featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance),
+ }
+}
+
+func featureSourceToImprovedPerformanceFlagPb(fs *query.FeatureSource[[]feature.ImprovedPerformanceType]) *feature_pb.ImprovedPerformanceFeatureFlag {
+ return &feature_pb.ImprovedPerformanceFeatureFlag{
+ ExecutionPaths: improvedPerformanceTypesToPb(fs.Value),
+ Source: featureLevelToSourcePb(fs.Level),
}
}
@@ -81,3 +92,48 @@ func featureLevelToSourcePb(level feature.Level) feature_pb.Source {
return feature_pb.Source(level)
}
}
+
+func improvedPerformanceTypesToPb(types []feature.ImprovedPerformanceType) []feature_pb.ImprovedPerformance {
+ res := make([]feature_pb.ImprovedPerformance, len(types))
+
+ for i, typ := range types {
+ res[i] = improvedPerformanceTypeToPb(typ)
+ }
+
+ return res
+}
+
+func improvedPerformanceTypeToPb(typ feature.ImprovedPerformanceType) feature_pb.ImprovedPerformance {
+ switch typ {
+ case feature.ImprovedPerformanceTypeUnknown:
+ return feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_UNSPECIFIED
+ case feature.ImprovedPerformanceTypeOrgByID:
+ return feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID
+ default:
+ return feature_pb.ImprovedPerformance(typ)
+ }
+}
+
+func improvedPerformanceListToDomain(list []feature_pb.ImprovedPerformance) []feature.ImprovedPerformanceType {
+ if list == nil {
+ return nil
+ }
+ res := make([]feature.ImprovedPerformanceType, len(list))
+
+ for i, typ := range list {
+ res[i] = improvedPerformanceToDomain(typ)
+ }
+
+ return res
+}
+
+func improvedPerformanceToDomain(typ feature_pb.ImprovedPerformance) feature.ImprovedPerformanceType {
+ switch typ {
+ case feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_UNSPECIFIED:
+ return feature.ImprovedPerformanceTypeUnknown
+ case feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID:
+ return feature.ImprovedPerformanceTypeOrgByID
+ default:
+ return feature.ImprovedPerformanceTypeUnknown
+ }
+}
diff --git a/internal/api/grpc/feature/v2/converter_test.go b/internal/api/grpc/feature/v2/converter_test.go
index 78aea5eb15..35dbf98014 100644
--- a/internal/api/grpc/feature/v2/converter_test.go
+++ b/internal/api/grpc/feature/v2/converter_test.go
@@ -24,6 +24,7 @@ func Test_systemFeaturesToCommand(t *testing.T) {
UserSchema: gu.Ptr(true),
Actions: gu.Ptr(true),
OidcTokenExchange: gu.Ptr(true),
+ ImprovedPerformance: nil,
}
want := &command.SystemFeatures{
LoginDefaultOrg: gu.Ptr(true),
@@ -32,6 +33,7 @@ func Test_systemFeaturesToCommand(t *testing.T) {
UserSchema: gu.Ptr(true),
Actions: gu.Ptr(true),
TokenExchange: gu.Ptr(true),
+ ImprovedPerformance: nil,
}
got := systemFeaturesToCommand(arg)
assert.Equal(t, want, got)
@@ -68,6 +70,10 @@ func Test_systemFeaturesToPb(t *testing.T) {
Level: feature.LevelSystem,
Value: false,
},
+ ImprovedPerformance: query.FeatureSource[[]feature.ImprovedPerformanceType]{
+ Level: feature.LevelSystem,
+ Value: []feature.ImprovedPerformanceType{feature.ImprovedPerformanceTypeOrgByID},
+ },
}
want := &feature_pb.GetSystemFeaturesResponse{
Details: &object.Details{
@@ -99,6 +105,10 @@ func Test_systemFeaturesToPb(t *testing.T) {
Enabled: true,
Source: feature_pb.Source_SOURCE_SYSTEM,
},
+ ImprovedPerformance: &feature_pb.ImprovedPerformanceFeatureFlag{
+ ExecutionPaths: []feature_pb.ImprovedPerformance{feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID},
+ Source: feature_pb.Source_SOURCE_SYSTEM,
+ },
}
got := systemFeaturesToPb(arg)
assert.Equal(t, want, got)
@@ -112,6 +122,7 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
UserSchema: gu.Ptr(true),
OidcTokenExchange: gu.Ptr(true),
Actions: gu.Ptr(true),
+ ImprovedPerformance: nil,
}
want := &command.InstanceFeatures{
LoginDefaultOrg: gu.Ptr(true),
@@ -120,6 +131,7 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
UserSchema: gu.Ptr(true),
TokenExchange: gu.Ptr(true),
Actions: gu.Ptr(true),
+ ImprovedPerformance: nil,
}
got := instanceFeaturesToCommand(arg)
assert.Equal(t, want, got)
@@ -156,6 +168,10 @@ func Test_instanceFeaturesToPb(t *testing.T) {
Level: feature.LevelSystem,
Value: false,
},
+ ImprovedPerformance: query.FeatureSource[[]feature.ImprovedPerformanceType]{
+ Level: feature.LevelSystem,
+ Value: []feature.ImprovedPerformanceType{feature.ImprovedPerformanceTypeOrgByID},
+ },
}
want := &feature_pb.GetInstanceFeaturesResponse{
Details: &object.Details{
@@ -187,6 +203,10 @@ func Test_instanceFeaturesToPb(t *testing.T) {
Enabled: false,
Source: feature_pb.Source_SOURCE_SYSTEM,
},
+ ImprovedPerformance: &feature_pb.ImprovedPerformanceFeatureFlag{
+ ExecutionPaths: []feature_pb.ImprovedPerformance{feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID},
+ Source: feature_pb.Source_SOURCE_SYSTEM,
+ },
}
got := instanceFeaturesToPb(arg)
assert.Equal(t, want, got)
diff --git a/internal/api/grpc/server/gateway.go b/internal/api/grpc/server/gateway.go
index 6a3ac94bad..327865bd6c 100644
--- a/internal/api/grpc/server/gateway.go
+++ b/internal/api/grpc/server/gateway.go
@@ -10,9 +10,11 @@ import (
"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
"github.com/zitadel/logging"
"google.golang.org/grpc"
+ "google.golang.org/grpc/codes"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
healthpb "google.golang.org/grpc/health/grpc_health_v1"
+ "google.golang.org/grpc/status"
"google.golang.org/protobuf/encoding/protojson"
"google.golang.org/protobuf/proto"
@@ -36,6 +38,23 @@ var (
},
}
+ httpErrorHandler = runtime.RoutingErrorHandlerFunc(
+ func(ctx context.Context, mux *runtime.ServeMux, marshaler runtime.Marshaler, w http.ResponseWriter, r *http.Request, httpStatus int) {
+ if httpStatus != http.StatusMethodNotAllowed {
+ runtime.DefaultRoutingErrorHandler(ctx, mux, marshaler, w, r, httpStatus)
+ return
+ }
+
+ // Use HTTPStatusError to customize the DefaultHTTPErrorHandler status code
+ err := &runtime.HTTPStatusError{
+ HTTPStatus: httpStatus,
+ Err: status.Error(codes.Unimplemented, http.StatusText(httpStatus)),
+ }
+
+ runtime.DefaultHTTPErrorHandler(ctx, mux, marshaler, w, r, err)
+ },
+ )
+
serveMuxOptions = []runtime.ServeMuxOption{
runtime.WithMarshalerOption(jsonMarshaler.ContentType(nil), jsonMarshaler),
runtime.WithMarshalerOption(mimeWildcard, jsonMarshaler),
@@ -43,6 +62,7 @@ var (
runtime.WithIncomingHeaderMatcher(headerMatcher),
runtime.WithOutgoingHeaderMatcher(runtime.DefaultHeaderMatcher),
runtime.WithForwardResponseOption(responseForwarder),
+ runtime.WithRoutingErrorHandler(httpErrorHandler),
}
headerMatcher = runtime.HeaderMatcherFunc(
diff --git a/internal/api/grpc/session/v2/session_integration_test.go b/internal/api/grpc/session/v2/session_integration_test.go
index 9423eea9ae..92d3b0baf7 100644
--- a/internal/api/grpc/session/v2/session_integration_test.go
+++ b/internal/api/grpc/session/v2/session_integration_test.go
@@ -14,12 +14,15 @@ import (
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/zitadel/logging"
+ "google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
+ "google.golang.org/grpc/status"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/known/durationpb"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/zitadel/zitadel/internal/integration"
+ mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
object "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
session "github.com/zitadel/zitadel/pkg/grpc/session/v2beta"
user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
@@ -27,6 +30,7 @@ import (
var (
CTX context.Context
+ IAMOwnerCTX context.Context
Tester *integration.Tester
Client session.SessionServiceClient
User *user.AddHumanUserResponse
@@ -44,6 +48,7 @@ func TestMain(m *testing.M) {
Client = Tester.Client.SessionV2
CTX, _ = Tester.WithAuthorization(ctx, integration.OrgOwner), errCtx
+ IAMOwnerCTX = Tester.WithAuthorization(ctx, integration.IAMOwner)
User = createFullUser(CTX)
DeactivatedUser = createDeactivatedUser(CTX)
LockedUser = createLockedUser(CTX)
@@ -341,6 +346,48 @@ func TestServer_CreateSession(t *testing.T) {
}
}
+func TestServer_CreateSession_lock_user(t *testing.T) {
+ // create a separate org so we don't interfere with any other test
+ org := Tester.CreateOrganization(IAMOwnerCTX,
+ fmt.Sprintf("TestServer_CreateSession_lock_user_%d", time.Now().UnixNano()),
+ fmt.Sprintf("%d@mouse.com", time.Now().UnixNano()),
+ )
+ userID := org.CreatedAdmins[0].GetUserId()
+ Tester.SetUserPassword(IAMOwnerCTX, userID, integration.UserPassword, false)
+
+ // enable password lockout
+ maxAttempts := 2
+ ctxOrg := metadata.AppendToOutgoingContext(IAMOwnerCTX, "x-zitadel-orgid", org.GetOrganizationId())
+ _, err := Tester.Client.Mgmt.AddCustomLockoutPolicy(ctxOrg, &mgmt.AddCustomLockoutPolicyRequest{
+ MaxPasswordAttempts: uint32(maxAttempts),
+ })
+ require.NoError(t, err)
+
+ for i := 0; i <= maxAttempts; i++ {
+ _, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+ Checks: &session.Checks{
+ User: &session.CheckUser{
+ Search: &session.CheckUser_UserId{
+ UserId: userID,
+ },
+ },
+ Password: &session.CheckPassword{
+ Password: "invalid",
+ },
+ },
+ })
+ assert.Error(t, err)
+ statusCode := status.Code(err)
+ expectedCode := codes.InvalidArgument
+ // as soon as we hit the limit the user is locked and following request will
+ // already deny any check with a precondition failed since the user is locked
+ if i >= maxAttempts {
+ expectedCode = codes.FailedPrecondition
+ }
+ assert.Equal(t, expectedCode, statusCode)
+ }
+}
+
func TestServer_CreateSession_webauthn(t *testing.T) {
// create new session with user and request the webauthn challenge
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
@@ -429,6 +476,14 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) {
func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
idpID := Tester.AddGenericOAuthProvider(t, CTX)
+ // successful intent without known / linked user
+ idpUserID := "id"
+ intentID, token, _, _ := Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, "", idpUserID)
+
+ // link the user (with info from intent)
+ Tester.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
+
+ // session with intent check must now succeed
createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
Checks: &session.Checks{
User: &session.CheckUser{
@@ -436,28 +491,6 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
UserId: User.GetUserId(),
},
},
- },
- })
- require.NoError(t, err)
- verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
-
- idpUserID := "id"
- intentID, token, _, _ := Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, "", idpUserID)
- updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
- SessionId: createResp.GetSessionId(),
- Checks: &session.Checks{
- IdpIntent: &session.CheckIDPIntent{
- IdpIntentId: intentID,
- IdpIntentToken: token,
- },
- },
- })
- require.Error(t, err)
- Tester.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
- intentID, token, _, _ = Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, User.GetUserId(), idpUserID)
- updateResp, err = Client.SetSession(CTX, &session.SetSessionRequest{
- SessionId: createResp.GetSessionId(),
- Checks: &session.Checks{
IdpIntent: &session.CheckIDPIntent{
IdpIntentId: intentID,
IdpIntentToken: token,
@@ -465,7 +498,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
},
})
require.NoError(t, err)
- verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantIntentFactor)
+ verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantIntentFactor)
}
func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
@@ -916,15 +949,6 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
require.Nil(t, sessionResp)
}
-func Test_ZITADEL_API_missing_mfa(t *testing.T) {
- id, token, _, _ := Tester.CreatePasswordSession(t, CTX, User.GetUserId(), integration.UserPassword)
-
- ctx := Tester.WithAuthorizationToken(context.Background(), token)
- sessionResp, err := Tester.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
- require.Error(t, err)
- require.Nil(t, sessionResp)
-}
-
func Test_ZITADEL_API_success(t *testing.T) {
id, token, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
diff --git a/internal/api/grpc/system/instance_integration_test.go b/internal/api/grpc/system/instance_integration_test.go
index b4a6cea227..50d1dda50b 100644
--- a/internal/api/grpc/system/instance_integration_test.go
+++ b/internal/api/grpc/system/instance_integration_test.go
@@ -14,7 +14,7 @@ import (
)
func TestServer_ListInstances(t *testing.T) {
- domain, instanceID, _ := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+ domain, instanceID, _, _ := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
tests := []struct {
name string
diff --git a/internal/api/grpc/system/limits_integration_auditlogretention_test.go b/internal/api/grpc/system/limits_integration_auditlogretention_test.go
index 55ac76e998..b31ee818bf 100644
--- a/internal/api/grpc/system/limits_integration_auditlogretention_test.go
+++ b/internal/api/grpc/system/limits_integration_auditlogretention_test.go
@@ -21,7 +21,7 @@ import (
)
func TestServer_Limits_AuditLogRetention(t *testing.T) {
- _, instanceID, iamOwnerCtx := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+ _, instanceID, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
userID, projectID, appID, projectGrantID := seedObjects(iamOwnerCtx, t)
beforeTime := time.Now()
farPast := timestamppb.New(beforeTime.Add(-10 * time.Hour).UTC())
diff --git a/internal/api/grpc/system/limits_integration_block_test.go b/internal/api/grpc/system/limits_integration_block_test.go
index f007dd46c4..68426dd05e 100644
--- a/internal/api/grpc/system/limits_integration_block_test.go
+++ b/internal/api/grpc/system/limits_integration_block_test.go
@@ -27,7 +27,7 @@ import (
)
func TestServer_Limits_Block(t *testing.T) {
- domain, instanceID, iamOwnerCtx := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+ domain, instanceID, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
tests := []*test{
publicAPIBlockingTest(domain),
{
diff --git a/internal/api/grpc/system/quotas_enabled/quota_integration_test.go b/internal/api/grpc/system/quotas_enabled/quota_integration_test.go
index a6bd30707f..225b4a2daa 100644
--- a/internal/api/grpc/system/quotas_enabled/quota_integration_test.go
+++ b/internal/api/grpc/system/quotas_enabled/quota_integration_test.go
@@ -66,7 +66,7 @@ func TestServer_QuotaNotification_Limit(t *testing.T) {
}
func TestServer_QuotaNotification_NoLimit(t *testing.T) {
- _, instanceID, IAMOwnerCTX := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+ _, instanceID, _, IAMOwnerCTX := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
amount := 10
percent := 50
percentAmount := amount * percent / 100
@@ -148,7 +148,7 @@ func awaitNotification(t *testing.T, bodies chan []byte, unit quota.Unit, percen
}
func TestServer_AddAndRemoveQuota(t *testing.T) {
- _, instanceID, _ := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+ _, instanceID, _, _ := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
got, err := Tester.Client.System.SetQuota(SystemCTX, &system.SetQuotaRequest{
InstanceId: instanceID,
diff --git a/internal/api/oidc/auth_request.go b/internal/api/oidc/auth_request.go
index 1abe59dc88..5d23a8bd98 100644
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -471,7 +471,7 @@ func (s *Server) CreateTokenCallbackURL(ctx context.Context, req op.AuthRequest)
if err != nil {
return "", err
}
- resp, err := s.accessTokenResponseFromSession(ctx, client, session, state, client.client.ProjectID, client.client.ProjectRoleAssertion)
+ resp, err := s.accessTokenResponseFromSession(ctx, client, session, state, client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion)
if err != nil {
return "", err
}
@@ -563,7 +563,7 @@ func (s *Server) authResponseToken(authReq *AuthRequest, authorizer op.Authorize
op.AuthRequestError(w, r, authReq, err, authorizer)
return err
}
- resp, err := s.accessTokenResponseFromSession(ctx, client, session, authReq.GetState(), client.client.ProjectID, client.client.ProjectRoleAssertion)
+ resp, err := s.accessTokenResponseFromSession(ctx, client, session, authReq.GetState(), client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion)
if err != nil {
op.AuthRequestError(w, r, authReq, err, authorizer)
return err
diff --git a/internal/api/oidc/auth_request_integration_test.go b/internal/api/oidc/auth_request_integration_test.go
index c36e06c6aa..630b20bc09 100644
--- a/internal/api/oidc/auth_request_integration_test.go
+++ b/internal/api/oidc/auth_request_integration_test.go
@@ -54,7 +54,7 @@ func TestOPStorage_CreateAccessToken_code(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, false)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// callback on a succeeded request must fail
linkResp, err = Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
@@ -108,7 +108,7 @@ func TestOPStorage_CreateAccessToken_implicit(t *testing.T) {
require.NoError(t, err)
claims, err := rp.VerifyTokens[*oidc.IDTokenClaims](context.Background(), accessToken, idToken, provider.IDTokenVerifier())
require.NoError(t, err)
- assertIDTokenClaims(t, claims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, claims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// callback on a succeeded request must fail
linkResp, err = Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
@@ -143,7 +143,7 @@ func TestOPStorage_CreateAccessAndRefreshTokens_code(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
}
func TestOPStorage_CreateAccessAndRefreshTokens_refresh(t *testing.T) {
@@ -168,14 +168,14 @@ func TestOPStorage_CreateAccessAndRefreshTokens_refresh(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// test actual refresh grant
newTokens, err := refreshTokens(t, clientID, tokens.RefreshToken)
require.NoError(t, err)
assertTokens(t, newTokens, true)
// auth time must still be the initial
- assertIDTokenClaims(t, newTokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, newTokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// refresh with an old refresh_token must fail
_, err = rp.RefreshTokens[*oidc.IDTokenClaims](CTX, provider, tokens.RefreshToken, "", "")
@@ -204,7 +204,7 @@ func TestOPStorage_RevokeToken_access_token(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// revoke access token
err = rp.RevokeToken(CTX, provider, tokens.AccessToken, "access_token")
@@ -247,7 +247,7 @@ func TestOPStorage_RevokeToken_access_token_invalid_token_hint_type(t *testing.T
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// revoke access token
err = rp.RevokeToken(CTX, provider, tokens.AccessToken, "refresh_token")
@@ -284,7 +284,7 @@ func TestOPStorage_RevokeToken_refresh_token(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// revoke refresh token -> invalidates also access token
err = rp.RevokeToken(CTX, provider, tokens.RefreshToken, "refresh_token")
@@ -327,7 +327,7 @@ func TestOPStorage_RevokeToken_refresh_token_invalid_token_type_hint(t *testing.
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// revoke refresh token even with a wrong hint
err = rp.RevokeToken(CTX, provider, tokens.RefreshToken, "access_token")
@@ -362,7 +362,7 @@ func TestOPStorage_RevokeToken_invalid_client(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// simulate second client (not part of the audience) trying to revoke the token
otherClientID, _ := createClient(t)
@@ -394,7 +394,7 @@ func TestOPStorage_TerminateSession(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, false)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// userinfo must not fail
_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
@@ -431,7 +431,7 @@ func TestOPStorage_TerminateSession_refresh_grant(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// userinfo must not fail
_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
@@ -475,7 +475,7 @@ func TestOPStorage_TerminateSession_empty_id_token_hint(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, false)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
postLogoutRedirect, err := rp.EndSession(CTX, provider, "", logoutRedirectURI, "state")
require.NoError(t, err)
@@ -528,10 +528,18 @@ func assertTokens(t *testing.T, tokens *oidc.Tokens[*oidc.IDTokenClaims], requir
} else {
assert.Empty(t, tokens.RefreshToken)
}
+ // since we test implicit flow directly, we can check that any token response must not
+ // return a `state` in the response
+ assert.Empty(t, tokens.Extra("state"))
}
-func assertIDTokenClaims(t *testing.T, claims *oidc.IDTokenClaims, userID string, arm []string, sessionStart, sessionChange time.Time) {
+func assertIDTokenClaims(t *testing.T, claims *oidc.IDTokenClaims, userID string, arm []string, sessionStart, sessionChange time.Time, sessionID string) {
assert.Equal(t, userID, claims.Subject)
assert.Equal(t, arm, claims.AuthenticationMethodsReferences)
assertOIDCTimeRange(t, claims.AuthTime, sessionStart, sessionChange)
+ assert.Equal(t, sessionID, claims.SessionID)
+ assert.Empty(t, claims.Name)
+ assert.Empty(t, claims.GivenName)
+ assert.Empty(t, claims.FamilyName)
+ assert.Empty(t, claims.PreferredUsername)
}
diff --git a/internal/api/oidc/client_integration_test.go b/internal/api/oidc/client_integration_test.go
index 58fdebef07..21d54a59dc 100644
--- a/internal/api/oidc/client_integration_test.go
+++ b/internal/api/oidc/client_integration_test.go
@@ -122,7 +122,7 @@ func TestServer_Introspect(t *testing.T) {
tokens, err := exchangeTokens(t, app.GetClientId(), code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// test actual introspection
introspection, err := rs.Introspect[*oidc.IntrospectionResponse](context.Background(), resourceServer, tokens.AccessToken)
@@ -317,7 +317,7 @@ func TestServer_VerifyClient(t *testing.T) {
}
require.NoError(t, err)
assertTokens(t, tokens, false)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
})
}
}
diff --git a/internal/api/oidc/introspect.go b/internal/api/oidc/introspect.go
index a2e59c9a45..b0881b6d65 100644
--- a/internal/api/oidc/introspect.go
+++ b/internal/api/oidc/introspect.go
@@ -11,6 +11,7 @@ import (
"github.com/zitadel/oidc/v3/pkg/op"
"github.com/zitadel/zitadel/internal/api/authz"
+ "github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/telemetry/tracing"
"github.com/zitadel/zitadel/internal/zerrors"
@@ -80,7 +81,11 @@ func (s *Server) Introspect(ctx context.Context, r *op.Request[op.IntrospectionR
// with active: false
defer func() {
if err != nil {
- s.getLogger(ctx).ErrorContext(ctx, "oidc introspection", "err", err)
+ if zerrors.IsInternal(err) {
+ s.getLogger(ctx).ErrorContext(ctx, "oidc introspection", "err", err)
+ } else {
+ s.getLogger(ctx).InfoContext(ctx, "oidc introspection", "err", err)
+ }
resp, err = op.NewResponse(new(oidc.IntrospectionResponse)), nil
}
}()
@@ -99,7 +104,14 @@ func (s *Server) Introspect(ctx context.Context, r *op.Request[op.IntrospectionR
if err = validateIntrospectionAudience(token.audience, client.clientID, client.projectID); err != nil {
return nil, err
}
- userInfo, err := s.userInfo(ctx, token.userID, token.scope, client.projectID, client.projectRoleAssertion, true)
+ userInfo, err := s.userInfo(
+ token.userID,
+ token.scope,
+ client.projectID,
+ client.projectRoleAssertion,
+ true,
+ true,
+ )(ctx, true, domain.TriggerTypePreUserinfoCreation)
if err != nil {
return nil, err
}
diff --git a/internal/api/oidc/oidc_integration_test.go b/internal/api/oidc/oidc_integration_test.go
index 09e76391bd..0baeb53363 100644
--- a/internal/api/oidc/oidc_integration_test.go
+++ b/internal/api/oidc/oidc_integration_test.go
@@ -18,6 +18,7 @@ import (
"github.com/zitadel/zitadel/internal/domain"
"github.com/zitadel/zitadel/internal/integration"
"github.com/zitadel/zitadel/pkg/grpc/auth"
+ mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta"
session "github.com/zitadel/zitadel/pkg/grpc/session/v2beta"
user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
@@ -26,6 +27,7 @@ import (
var (
CTX context.Context
CTXLOGIN context.Context
+ CTXIAM context.Context
Tester *integration.Tester
User *user.AddHumanUserResponse
)
@@ -50,6 +52,7 @@ func TestMain(m *testing.M) {
Tester.SetUserPassword(CTX, User.GetUserId(), integration.UserPassword, false)
Tester.RegisterUserPasskey(CTX, User.GetUserId())
CTXLOGIN = Tester.WithAuthorization(ctx, integration.Login)
+ CTXIAM = Tester.WithAuthorization(ctx, integration.IAMOwner)
return m.Run()
}())
}
@@ -74,7 +77,7 @@ func Test_ZITADEL_API_missing_audience_scope(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, false)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
@@ -117,10 +120,13 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
require.Nil(t, myUserResp)
}
-func Test_ZITADEL_API_missing_mfa(t *testing.T) {
+func Test_ZITADEL_API_missing_mfa_policy(t *testing.T) {
clientID, _ := createClient(t)
+ org := Tester.CreateOrganization(CTXIAM, fmt.Sprintf("ZITADEL_API_MISSING_MFA_%d", time.Now().UnixNano()), fmt.Sprintf("%d@mouse.com", time.Now().UnixNano()))
+ userID := org.CreatedAdmins[0].GetUserId()
+ Tester.SetUserPassword(CTXIAM, userID, integration.UserPassword, false)
authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
- sessionID, sessionToken, startTime, changeTime := Tester.CreatePasswordSession(t, CTX, User.GetUserId(), integration.UserPassword)
+ sessionID, sessionToken, startTime, changeTime := Tester.CreatePasswordSession(t, CTXLOGIN, userID, integration.UserPassword)
linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
AuthRequestId: authRequestID,
CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
@@ -136,11 +142,36 @@ func Test_ZITADEL_API_missing_mfa(t *testing.T) {
code := assertCodeResponse(t, linkResp.GetCallbackUrl())
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPassword, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, userID, armPassword, startTime, changeTime, sessionID)
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
+ // pre check if request would succeed
myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
+ require.NoError(t, err)
+ require.Equal(t, userID, myUserResp.GetUser().GetId())
+
+ // require MFA
+ ctxOrg := metadata.AppendToOutgoingContext(CTXIAM, "x-zitadel-orgid", org.GetOrganizationId())
+ _, err = Tester.Client.Mgmt.AddCustomLoginPolicy(ctxOrg, &mgmt.AddCustomLoginPolicyRequest{
+ ForceMfa: true,
+ })
+ require.NoError(t, err)
+
+ // make sure policy is projected
+ retryDuration := 5 * time.Second
+ if ctxDeadline, ok := CTX.Deadline(); ok {
+ retryDuration = time.Until(ctxDeadline)
+ }
+ require.EventuallyWithT(t, func(ttt *assert.CollectT) {
+ got, getErr := Tester.Client.Mgmt.GetLoginPolicy(ctxOrg, &mgmt.GetLoginPolicyRequest{})
+ assert.NoError(ttt, getErr)
+ assert.False(ttt, got.GetPolicy().IsDefault)
+
+ }, retryDuration, time.Millisecond*100, "timeout waiting for login policy")
+
+ // now it must fail
+ myUserResp, err = Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
require.Error(t, err)
require.Nil(t, myUserResp)
}
@@ -165,7 +196,7 @@ func Test_ZITADEL_API_success(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, false)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
@@ -199,7 +230,7 @@ func Test_ZITADEL_API_glob_redirects(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, false)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
@@ -228,7 +259,7 @@ func Test_ZITADEL_API_inactive_access_token(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// make sure token works
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
@@ -270,7 +301,7 @@ func Test_ZITADEL_API_terminated_session(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
// make sure token works
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
@@ -340,7 +371,7 @@ func Test_ZITADEL_API_terminated_session_user_disabled(t *testing.T) {
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, disabledUser.GetUserId(), armPassword, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, disabledUser.GetUserId(), armPassword, startTime, changeTime, sessionID)
// make sure token works
ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
diff --git a/internal/api/oidc/token.go b/internal/api/oidc/token.go
index c45eb98acb..be3a30ed73 100644
--- a/internal/api/oidc/token.go
+++ b/internal/api/oidc/token.go
@@ -29,8 +29,8 @@ In some cases step 1 till 3 are completely implemented in the command package,
for example the v2 code exchange and refresh token.
*/
-func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.Client, session *command.OIDCSession, state, projectID string, projectRoleAssertion bool) (_ *oidc.AccessTokenResponse, err error) {
- getUserInfo := s.getUserInfoOnce(session.UserID, projectID, projectRoleAssertion, session.Scope)
+func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.Client, session *command.OIDCSession, state, projectID string, projectRoleAssertion, accessTokenRoleAssertion, idTokenRoleAssertion, userInfoAssertion bool) (_ *oidc.AccessTokenResponse, err error) {
+ getUserInfo := s.getUserInfo(session.UserID, projectID, projectRoleAssertion, userInfoAssertion, session.Scope)
getSigner := s.getSignerOnce()
resp := &oidc.AccessTokenResponse{
@@ -43,7 +43,7 @@ func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.C
// If the session does not have a token ID, it is an implicit ID-Token only response.
if session.TokenID != "" {
if client.AccessTokenType() == op.AccessTokenTypeJWT {
- resp.AccessToken, err = s.createJWT(ctx, client, session, getUserInfo, getSigner)
+ resp.AccessToken, err = s.createJWT(ctx, client, session, getUserInfo, accessTokenRoleAssertion, getSigner)
} else {
resp.AccessToken, err = op.CreateBearerToken(session.TokenID, session.UserID, s.opCrypto)
}
@@ -53,7 +53,7 @@ func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.C
}
if slices.Contains(session.Scope, oidc.ScopeOpenID) {
- resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, getSigner, session.SessionID, resp.AccessToken, session.Audience, session.AuthMethods, session.AuthTime, session.Nonce, session.Actor)
+ resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, idTokenRoleAssertion, getSigner, session.SessionID, resp.AccessToken, session.Audience, session.AuthMethods, session.AuthTime, session.Nonce, session.Actor)
}
return resp, err
}
@@ -92,31 +92,22 @@ func (s *Server) getSignerOnce() signerFunc {
}
// userInfoFunc is a getter function that allows add-hoc retrieval of a user.
-type userInfoFunc func(ctx context.Context) (*oidc.UserInfo, error)
+type userInfoFunc func(ctx context.Context, roleAssertion bool, triggerType domain.TriggerType) (*oidc.UserInfo, error)
-// getUserInfoOnce returns a function which retrieves userinfo from the database once.
-// Repeated calls of the returned function return the same results.
-func (s *Server) getUserInfoOnce(userID, projectID string, projectRoleAssertion bool, scope []string) userInfoFunc {
- var (
- once sync.Once
- userInfo *oidc.UserInfo
- err error
- )
- return func(ctx context.Context) (*oidc.UserInfo, error) {
- once.Do(func() {
- ctx, span := tracing.NewSpan(ctx)
- defer func() { span.EndWithError(err) }()
- userInfo, err = s.userInfo(ctx, userID, scope, projectID, projectRoleAssertion, false)
- })
- return userInfo, err
+// getUserInfo returns a function which retrieves userinfo from the database once.
+// However, each time, role claims are asserted and also action flows will trigger.
+func (s *Server) getUserInfo(userID, projectID string, projectRoleAssertion, userInfoAssertion bool, scope []string) userInfoFunc {
+ userInfo := s.userInfo(userID, scope, projectID, projectRoleAssertion, userInfoAssertion, false)
+ return func(ctx context.Context, roleAssertion bool, triggerType domain.TriggerType) (*oidc.UserInfo, error) {
+ return userInfo(ctx, roleAssertion, triggerType)
}
}
-func (*Server) createIDToken(ctx context.Context, client op.Client, getUserInfo userInfoFunc, getSigningKey signerFunc, sessionID, accessToken string, audience []string, authMethods []domain.UserAuthMethodType, authTime time.Time, nonce string, actor *domain.TokenActor) (idToken string, exp uint64, err error) {
+func (*Server) createIDToken(ctx context.Context, client op.Client, getUserInfo userInfoFunc, roleAssertion bool, getSigningKey signerFunc, sessionID, accessToken string, audience []string, authMethods []domain.UserAuthMethodType, authTime time.Time, nonce string, actor *domain.TokenActor) (idToken string, exp uint64, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
- userInfo, err := getUserInfo(ctx)
+ userInfo, err := getUserInfo(ctx, roleAssertion, domain.TriggerTypePreUserinfoCreation)
if err != nil {
return "", 0, err
}
@@ -156,11 +147,11 @@ func timeToOIDCExpiresIn(exp time.Time) uint64 {
return uint64(time.Until(exp) / time.Second)
}
-func (*Server) createJWT(ctx context.Context, client op.Client, session *command.OIDCSession, getUserInfo userInfoFunc, getSigner signerFunc) (_ string, err error) {
+func (s *Server) createJWT(ctx context.Context, client op.Client, session *command.OIDCSession, getUserInfo userInfoFunc, assertRoles bool, getSigner signerFunc) (_ string, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
- userInfo, err := getUserInfo(ctx)
+ userInfo, err := getUserInfo(ctx, assertRoles, domain.TriggerTypePreAccessTokenCreation)
if err != nil {
return "", err
}
diff --git a/internal/api/oidc/token_client_credentials.go b/internal/api/oidc/token_client_credentials.go
index e0cb29770b..5d19e398a6 100644
--- a/internal/api/oidc/token_client_credentials.go
+++ b/internal/api/oidc/token_client_credentials.go
@@ -46,6 +46,9 @@ func (s *Server) ClientCredentialsExchange(ctx context.Context, r *op.ClientRequ
nil,
false,
)
+ if err != nil {
+ return nil, err
+ }
- return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false))
+ return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, false, false))
}
diff --git a/internal/api/oidc/token_client_credentials_integration_test.go b/internal/api/oidc/token_client_credentials_integration_test.go
index 3517438596..21a1c4de75 100644
--- a/internal/api/oidc/token_client_credentials_integration_test.go
+++ b/internal/api/oidc/token_client_credentials_integration_test.go
@@ -4,6 +4,7 @@ package oidc_test
import (
"testing"
+ "time"
"github.com/brianvoe/gofakeit/v6"
"github.com/stretchr/testify/assert"
@@ -18,10 +19,13 @@ import (
)
func TestServer_ClientCredentialsExchange(t *testing.T) {
- userID, clientID, clientSecret, err := Tester.CreateOIDCCredentialsClient(CTX)
+ machine, name, clientID, clientSecret, err := Tester.CreateOIDCCredentialsClient(CTX)
require.NoError(t, err)
type claims struct {
+ name string
+ username string
+ updated time.Time
resourceOwnerID any
resourceOwnerName any
resourceOwnerPrimaryDomain any
@@ -78,6 +82,17 @@ func TestServer_ClientCredentialsExchange(t *testing.T) {
clientSecret: clientSecret,
scope: []string{oidc.ScopeOpenID},
},
+ {
+ name: "openid, profile, email",
+ clientID: clientID,
+ clientSecret: clientSecret,
+ scope: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
+ wantClaims: claims{
+ name: name,
+ username: name,
+ updated: machine.GetDetails().GetChangeDate().AsTime(),
+ },
+ },
{
name: "org id and domain scope",
clientID: clientID,
@@ -132,12 +147,20 @@ func TestServer_ClientCredentialsExchange(t *testing.T) {
}
require.NoError(t, err)
require.NotNil(t, tokens)
- userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, oidc.BearerToken, userID, provider)
+ userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, oidc.BearerToken, machine.GetUserId(), provider)
require.NoError(t, err)
assert.Equal(t, tt.wantClaims.resourceOwnerID, userinfo.Claims[oidc_api.ClaimResourceOwnerID])
assert.Equal(t, tt.wantClaims.resourceOwnerName, userinfo.Claims[oidc_api.ClaimResourceOwnerName])
assert.Equal(t, tt.wantClaims.resourceOwnerPrimaryDomain, userinfo.Claims[oidc_api.ClaimResourceOwnerPrimaryDomain])
assert.Equal(t, tt.wantClaims.orgDomain, userinfo.Claims[domain.OrgDomainPrimaryClaim])
+ assert.Equal(t, tt.wantClaims.name, userinfo.Name)
+ assert.Equal(t, tt.wantClaims.username, userinfo.PreferredUsername)
+ assertOIDCTime(t, userinfo.UpdatedAt, tt.wantClaims.updated)
+ assert.Empty(t, userinfo.UserInfoProfile.FamilyName)
+ assert.Empty(t, userinfo.UserInfoProfile.GivenName)
+ assert.Empty(t, userinfo.UserInfoEmail)
+ assert.Empty(t, userinfo.UserInfoPhone)
+ assert.Empty(t, userinfo.Address)
})
}
}
diff --git a/internal/api/oidc/token_code.go b/internal/api/oidc/token_code.go
index 85aa847579..2e47c55641 100644
--- a/internal/api/oidc/token_code.go
+++ b/internal/api/oidc/token_code.go
@@ -34,41 +34,40 @@ func (s *Server) CodeExchange(ctx context.Context, r *op.ClientRequest[oidc.Acce
var (
session *command.OIDCSession
- state string
)
if strings.HasPrefix(plainCode, command.IDPrefixV2) {
- session, state, err = s.command.CreateOIDCSessionFromAuthRequest(
+ session, _, err = s.command.CreateOIDCSessionFromAuthRequest(
setContextUserSystem(ctx),
plainCode,
codeExchangeComplianceChecker(client, r.Data),
slices.Contains(client.GrantTypes(), oidc.GrantTypeRefreshToken),
)
} else {
- session, state, err = s.codeExchangeV1(ctx, client, r.Data, r.Data.Code)
+ session, err = s.codeExchangeV1(ctx, client, r.Data, r.Data.Code)
}
if err != nil {
return nil, err
}
- return response(s.accessTokenResponseFromSession(ctx, client, session, state, client.client.ProjectID, client.client.ProjectRoleAssertion))
+ return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
}
// codeExchangeV1 creates a v2 token from a v1 auth request.
-func (s *Server) codeExchangeV1(ctx context.Context, client *Client, req *oidc.AccessTokenRequest, code string) (session *command.OIDCSession, state string, err error) {
+func (s *Server) codeExchangeV1(ctx context.Context, client *Client, req *oidc.AccessTokenRequest, code string) (session *command.OIDCSession, err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
authReq, err := s.getAuthRequestV1ByCode(ctx, code)
if err != nil {
- return nil, "", err
+ return nil, err
}
if challenge := authReq.GetCodeChallenge(); challenge != nil || client.AuthMethod() == oidc.AuthMethodNone {
if err = op.AuthorizeCodeChallenge(req.CodeVerifier, challenge); err != nil {
- return nil, "", err
+ return nil, err
}
}
if req.RedirectURI != authReq.GetRedirectURI() {
- return nil, "", oidc.ErrInvalidGrant().WithDescription("redirect_uri does not correspond")
+ return nil, oidc.ErrInvalidGrant().WithDescription("redirect_uri does not correspond")
}
scope := authReq.GetScopes()
@@ -88,9 +87,9 @@ func (s *Server) codeExchangeV1(ctx context.Context, client *Client, req *oidc.A
slices.Contains(scope, oidc.ScopeOfflineAccess),
)
if err != nil {
- return nil, "", err
+ return nil, err
}
- return session, authReq.TransferState, s.repo.DeleteAuthRequest(ctx, authReq.ID)
+ return session, s.repo.DeleteAuthRequest(ctx, authReq.ID)
}
// getAuthRequestV1ByCode finds the v1 auth request by code.
diff --git a/internal/api/oidc/token_device.go b/internal/api/oidc/token_device.go
index c70fa9c1e9..b574af1260 100644
--- a/internal/api/oidc/token_device.go
+++ b/internal/api/oidc/token_device.go
@@ -26,7 +26,7 @@ func (s *Server) DeviceToken(ctx context.Context, r *op.ClientRequest[oidc.Devic
}
session, err := s.command.CreateOIDCSessionFromDeviceAuth(ctx, r.Data.DeviceCode)
if err == nil {
- return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion))
+ return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
}
if errors.Is(err, context.DeadlineExceeded) {
return nil, oidc.ErrSlowDown().WithParent(err)
diff --git a/internal/api/oidc/token_exchange.go b/internal/api/oidc/token_exchange.go
index 31b1a37db3..c29b7eb80b 100644
--- a/internal/api/oidc/token_exchange.go
+++ b/internal/api/oidc/token_exchange.go
@@ -176,7 +176,7 @@ func (s *Server) jwtProfileUserCheck(ctx context.Context, resourceOwner *string,
}
func validateTokenExchangeScopes(client *Client, requestedScopes, subjectScopes, actorScopes []string) ([]string, error) {
- // Scope always has 1 empty string is the space delimited array was an empty string.
+ // Scope always has 1 empty string if the space delimited array was an empty string.
scopes := slices.DeleteFunc(requestedScopes, func(s string) bool {
return s == ""
})
@@ -218,7 +218,7 @@ func validateTokenExchangeAudience(requestedAudience, subjectAudience, actorAudi
// Both tokens may point to the same object (subjectToken) in case of a regular Token Exchange.
// When the subject and actor Tokens point to different objects, the new tokens will be for impersonation / delegation.
func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenType, client *Client, subjectToken, actorToken *exchangeToken, audience, scopes []string) (_ *oidc.TokenExchangeResponse, err error) {
- getUserInfo := s.getUserInfoOnce(subjectToken.userID, client.client.ProjectID, client.client.ProjectRoleAssertion, scopes)
+ getUserInfo := s.getUserInfo(subjectToken.userID, client.client.ProjectID, client.client.ProjectRoleAssertion, client.IDTokenUserinfoClaimsAssertion(), scopes)
getSigner := s.getSignerOnce()
resp := &oidc.TokenExchangeResponse{
@@ -240,12 +240,12 @@ func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenT
resp.IssuedTokenType = oidc.AccessTokenType
case oidc.JWTTokenType:
- resp.AccessToken, resp.RefreshToken, resp.ExpiresIn, err = s.createExchangeJWT(ctx, client, getUserInfo, getSigner, subjectToken.userID, subjectToken.resourceOwner, audience, scopes, actorToken.authMethods, actorToken.authTime, subjectToken.preferredLanguage, reason, actor)
+ resp.AccessToken, resp.RefreshToken, resp.ExpiresIn, err = s.createExchangeJWT(ctx, client, getUserInfo, client.client.AccessTokenRoleAssertion, getSigner, subjectToken.userID, subjectToken.resourceOwner, audience, scopes, actorToken.authMethods, actorToken.authTime, subjectToken.preferredLanguage, reason, actor)
resp.TokenType = oidc.BearerToken
resp.IssuedTokenType = oidc.JWTTokenType
case oidc.IDTokenType:
- resp.AccessToken, resp.ExpiresIn, err = s.createIDToken(ctx, client, getUserInfo, getSigner, "", resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor)
+ resp.AccessToken, resp.ExpiresIn, err = s.createIDToken(ctx, client, getUserInfo, client.client.IDTokenRoleAssertion, getSigner, "", resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor)
resp.TokenType = TokenTypeNA
resp.IssuedTokenType = oidc.IDTokenType
@@ -259,7 +259,7 @@ func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenT
}
if slices.Contains(scopes, oidc.ScopeOpenID) && tokenType != oidc.IDTokenType {
- resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, getSigner, sessionID, resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor)
+ resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, client.client.IDTokenRoleAssertion, getSigner, sessionID, resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor)
if err != nil {
return nil, err
}
@@ -313,6 +313,7 @@ func (s *Server) createExchangeJWT(
ctx context.Context,
client *Client,
getUserInfo userInfoFunc,
+ roleAssertion bool,
getSigner signerFunc,
userID,
resourceOwner string,
@@ -342,7 +343,7 @@ func (s *Server) createExchangeJWT(
actor,
slices.Contains(scope, oidc.ScopeOfflineAccess),
)
- accessToken, err = s.createJWT(ctx, client, session, getUserInfo, getSigner)
+ accessToken, err = s.createJWT(ctx, client, session, getUserInfo, roleAssertion, getSigner)
if err != nil {
return "", "", 0, err
}
diff --git a/internal/api/oidc/token_jwt_profile.go b/internal/api/oidc/token_jwt_profile.go
index b23a24f77f..399fa5302e 100644
--- a/internal/api/oidc/token_jwt_profile.go
+++ b/internal/api/oidc/token_jwt_profile.go
@@ -54,7 +54,10 @@ func (s *Server) JWTProfile(ctx context.Context, r *op.Request[oidc.JWTProfileGr
nil,
false,
)
- return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false))
+ if err != nil {
+ return nil, err
+ }
+ return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, false, false))
}
func (s *Server) verifyJWTProfile(ctx context.Context, req *oidc.JWTProfileGrantRequest) (user *query.User, tokenRequest *oidc.JWTTokenRequest, err error) {
diff --git a/internal/api/oidc/token_jwt_profile_integration_test.go b/internal/api/oidc/token_jwt_profile_integration_test.go
index b80ea09bcd..0ad8d76da2 100644
--- a/internal/api/oidc/token_jwt_profile_integration_test.go
+++ b/internal/api/oidc/token_jwt_profile_integration_test.go
@@ -4,6 +4,7 @@ package oidc_test
import (
"testing"
+ "time"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
@@ -16,10 +17,13 @@ import (
)
func TestServer_JWTProfile(t *testing.T) {
- userID, keyData, err := Tester.CreateOIDCJWTProfileClient(CTX)
+ user, name, keyData, err := Tester.CreateOIDCJWTProfileClient(CTX)
require.NoError(t, err)
type claims struct {
+ name string
+ username string
+ updated time.Time
resourceOwnerID any
resourceOwnerName any
resourceOwnerPrimaryDomain any
@@ -37,6 +41,16 @@ func TestServer_JWTProfile(t *testing.T) {
keyData: keyData,
scope: []string{oidc.ScopeOpenID},
},
+ {
+ name: "openid, profile, email",
+ keyData: keyData,
+ scope: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
+ wantClaims: claims{
+ name: name,
+ username: name,
+ updated: user.GetDetails().GetChangeDate().AsTime(),
+ },
+ },
{
name: "org id and domain scope",
keyData: keyData,
@@ -92,12 +106,20 @@ func TestServer_JWTProfile(t *testing.T) {
provider, err := rp.NewRelyingPartyOIDC(CTX, Tester.OIDCIssuer(), "", "", redirectURI, tt.scope)
require.NoError(t, err)
- userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, oidc.BearerToken, userID, provider)
+ userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, oidc.BearerToken, user.GetUserId(), provider)
require.NoError(t, err)
assert.Equal(t, tt.wantClaims.resourceOwnerID, userinfo.Claims[oidc_api.ClaimResourceOwnerID])
assert.Equal(t, tt.wantClaims.resourceOwnerName, userinfo.Claims[oidc_api.ClaimResourceOwnerName])
assert.Equal(t, tt.wantClaims.resourceOwnerPrimaryDomain, userinfo.Claims[oidc_api.ClaimResourceOwnerPrimaryDomain])
assert.Equal(t, tt.wantClaims.orgDomain, userinfo.Claims[domain.OrgDomainPrimaryClaim])
+ assert.Equal(t, tt.wantClaims.name, userinfo.Name)
+ assert.Equal(t, tt.wantClaims.username, userinfo.PreferredUsername)
+ assertOIDCTime(t, userinfo.UpdatedAt, tt.wantClaims.updated)
+ assert.Empty(t, userinfo.UserInfoProfile.FamilyName)
+ assert.Empty(t, userinfo.UserInfoProfile.GivenName)
+ assert.Empty(t, userinfo.UserInfoEmail)
+ assert.Empty(t, userinfo.UserInfoPhone)
+ assert.Empty(t, userinfo.Address)
})
}
}
diff --git a/internal/api/oidc/token_refresh.go b/internal/api/oidc/token_refresh.go
index 66a8b8a263..1dcce2879a 100644
--- a/internal/api/oidc/token_refresh.go
+++ b/internal/api/oidc/token_refresh.go
@@ -28,7 +28,7 @@ func (s *Server) RefreshToken(ctx context.Context, r *op.ClientRequest[oidc.Refr
session, err := s.command.ExchangeOIDCSessionRefreshAndAccessToken(ctx, r.Data.RefreshToken, r.Data.Scopes, refreshTokenComplianceChecker())
if err == nil {
- return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion))
+ return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
} else if errors.Is(err, zerrors.ThrowPreconditionFailed(nil, "OIDCS-JOI23", "Errors.OIDCSession.RefreshTokenInvalid")) {
// We try again for v1 tokens when we encountered specific parsing error
return s.refreshTokenV1(ctx, client, r)
@@ -78,7 +78,7 @@ func (s *Server) refreshTokenV1(ctx context.Context, client *Client, r *op.Clien
return nil, err
}
- return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion))
+ return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
}
// refreshTokenComplianceChecker validates that the requested scope is a subset of the original auth request scope.
diff --git a/internal/api/oidc/userinfo.go b/internal/api/oidc/userinfo.go
index c21b746c49..415c337c76 100644
--- a/internal/api/oidc/userinfo.go
+++ b/internal/api/oidc/userinfo.go
@@ -5,9 +5,11 @@ import (
"encoding/base64"
"encoding/json"
"fmt"
+ "maps"
"net/http"
"slices"
"strings"
+ "sync"
"github.com/dop251/goja"
"github.com/zitadel/logging"
@@ -55,7 +57,14 @@ func (s *Server) UserInfo(ctx context.Context, r *op.Request[oidc.UserInfoReques
}
}
- userInfo, err := s.userInfo(ctx, token.userID, token.scope, projectID, assertion, false)
+ userInfo, err := s.userInfo(
+ token.userID,
+ token.scope,
+ projectID,
+ assertion,
+ true,
+ false,
+ )(ctx, true, domain.TriggerTypePreUserinfoCreation)
if err != nil {
return nil, err
}
@@ -66,24 +75,53 @@ func (s *Server) UserInfo(ctx context.Context, r *op.Request[oidc.UserInfoReques
// The returned UserInfo contains standard and reserved claims, documented
// here: https://zitadel.com/docs/apis/openidoauth/claims.
//
+// User information is only retrieved once from the database.
+// However, each time, role claims are asserted and also action flows will trigger.
+//
// projectID is an optional parameter which defines the default audience when there are any (or all) role claims requested.
// projectRoleAssertion sets the default of returning all project roles, only if no specific roles were requested in the scope.
+// roleAssertion decides whether the roles will be returned (in the token or response)
+// userInfoAssertion decides whether the user information (profile data like name, email, ...) are returned
//
// currentProjectOnly can be set to use the current project ID only and ignore the audience from the scope.
// It should be set in cases where the client doesn't need to know roles outside its own project,
// for example an introspection client.
-func (s *Server) userInfo(ctx context.Context, userID string, scope []string, projectID string, projectRoleAssertion, currentProjectOnly bool) (_ *oidc.UserInfo, err error) {
- ctx, span := tracing.NewSpan(ctx)
- defer func() { span.EndWithError(err) }()
+func (s *Server) userInfo(
+ userID string,
+ scope []string,
+ projectID string,
+ projectRoleAssertion, userInfoAssertion, currentProjectOnly bool,
+) func(ctx context.Context, roleAssertion bool, triggerType domain.TriggerType) (_ *oidc.UserInfo, err error) {
+ var (
+ once sync.Once
+ rawUserInfo *oidc.UserInfo
+ qu *query.OIDCUserInfo
+ roleAudience, requestedRoles []string
+ )
+ return func(ctx context.Context, roleAssertion bool, triggerType domain.TriggerType) (_ *oidc.UserInfo, err error) {
+ once.Do(func() {
+ ctx, span := tracing.NewSpan(ctx)
+ defer func() { span.EndWithError(err) }()
- roleAudience, requestedRoles := prepareRoles(ctx, scope, projectID, projectRoleAssertion, currentProjectOnly)
- qu, err := s.query.GetOIDCUserInfo(ctx, userID, roleAudience)
- if err != nil {
- return nil, err
+ roleAudience, requestedRoles = prepareRoles(ctx, scope, projectID, projectRoleAssertion, currentProjectOnly)
+ qu, err = s.query.GetOIDCUserInfo(ctx, userID, roleAudience)
+ if err != nil {
+ return
+ }
+ rawUserInfo = userInfoToOIDC(qu, userInfoAssertion, scope, s.assetAPIPrefix(ctx))
+ })
+ // copy the userinfo to make sure the assert roles and actions use their own copy (e.g. map)
+ userInfo := &oidc.UserInfo{
+ Subject: rawUserInfo.Subject,
+ UserInfoProfile: rawUserInfo.UserInfoProfile,
+ UserInfoEmail: rawUserInfo.UserInfoEmail,
+ UserInfoPhone: rawUserInfo.UserInfoPhone,
+ Address: rawUserInfo.Address,
+ Claims: maps.Clone(rawUserInfo.Claims),
+ }
+ assertRoles(projectID, qu, roleAudience, requestedRoles, roleAssertion, userInfo)
+ return userInfo, s.userinfoFlows(ctx, qu, userInfo, triggerType)
}
-
- userInfo := userInfoToOIDC(projectID, qu, scope, roleAudience, requestedRoles, s.assetAPIPrefix(ctx))
- return userInfo, s.userinfoFlows(ctx, qu, userInfo)
}
// prepareRoles scans the requested scopes and builds the requested roles
@@ -120,20 +158,32 @@ func prepareRoles(ctx context.Context, scope []string, projectID string, project
return roleAudience, requestedRoles
}
-func userInfoToOIDC(projectID string, user *query.OIDCUserInfo, scope, roleAudience, requestedRoles []string, assetPrefix string) *oidc.UserInfo {
+func userInfoToOIDC(user *query.OIDCUserInfo, userInfoAssertion bool, scope []string, assetPrefix string) *oidc.UserInfo {
out := new(oidc.UserInfo)
for _, s := range scope {
switch s {
case oidc.ScopeOpenID:
out.Subject = user.User.ID
case oidc.ScopeEmail:
+ if !userInfoAssertion {
+ continue
+ }
out.UserInfoEmail = userInfoEmailToOIDC(user.User)
case oidc.ScopeProfile:
+ if !userInfoAssertion {
+ continue
+ }
out.UserInfoProfile = userInfoProfileToOidc(user.User, assetPrefix)
case oidc.ScopePhone:
+ if !userInfoAssertion {
+ continue
+ }
out.UserInfoPhone = userInfoPhoneToOIDC(user.User)
case oidc.ScopeAddress:
- //TODO: handle address for human users as soon as implemented
+ if !userInfoAssertion {
+ continue
+ }
+ // TODO: handle address for human users as soon as implemented
case ScopeUserMetaData:
setUserInfoMetadata(user.Metadata, out)
case ScopeResourceOwner:
@@ -148,12 +198,17 @@ func userInfoToOIDC(projectID string, user *query.OIDCUserInfo, scope, roleAudie
}
}
}
+ return out
+}
+func assertRoles(projectID string, user *query.OIDCUserInfo, roleAudience, requestedRoles []string, assertion bool, info *oidc.UserInfo) {
+ if !assertion {
+ return
+ }
// prevent returning obtained grants if none where requested
if (projectID != "" && len(requestedRoles) > 0) || len(roleAudience) > 0 {
- setUserInfoRoleClaims(out, newProjectRoles(projectID, user.UserGrants, requestedRoles))
+ setUserInfoRoleClaims(info, newProjectRoles(projectID, user.UserGrants, requestedRoles))
}
- return out
}
func userInfoEmailToOIDC(user *query.User) oidc.UserInfoEmail {
@@ -230,11 +285,11 @@ func setUserInfoRoleClaims(userInfo *oidc.UserInfo, roles *projectsRoles) {
}
}
-func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, userInfo *oidc.UserInfo) (err error) {
+func (s *Server) userinfoFlows(ctx context.Context, qu *query.OIDCUserInfo, userInfo *oidc.UserInfo, triggerType domain.TriggerType) (err error) {
ctx, span := tracing.NewSpan(ctx)
defer func() { span.EndWithError(err) }()
- queriedActions, err := s.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, domain.TriggerTypePreUserinfoCreation, qu.User.ResourceOwner)
+ queriedActions, err := s.query.GetActiveActionsByFlowAndTriggerType(ctx, domain.FlowTypeCustomiseToken, triggerType, qu.User.ResourceOwner)
if err != nil {
return err
}
diff --git a/internal/api/oidc/userinfo_integration_test.go b/internal/api/oidc/userinfo_integration_test.go
index 22e688ff4b..7f39ed38ba 100644
--- a/internal/api/oidc/userinfo_integration_test.go
+++ b/internal/api/oidc/userinfo_integration_test.go
@@ -231,9 +231,9 @@ func TestServer_UserInfo_Issue6662(t *testing.T) {
project, err := Tester.CreateProject(CTX)
projectID := project.GetId()
require.NoError(t, err)
- userID, clientID, clientSecret, err := Tester.CreateOIDCCredentialsClient(CTX)
+ user, _, clientID, clientSecret, err := Tester.CreateOIDCCredentialsClient(CTX)
require.NoError(t, err)
- addProjectRolesGrants(t, userID, projectID, roleFoo, roleBar)
+ addProjectRolesGrants(t, user.GetUserId(), projectID, roleFoo, roleBar)
scope := []string{oidc.ScopeProfile, oidc.ScopeOpenID, oidc.ScopeEmail, oidc.ScopeOfflineAccess,
oidc_api.ScopeProjectRolePrefix + roleFoo,
@@ -245,7 +245,7 @@ func TestServer_UserInfo_Issue6662(t *testing.T) {
tokens, err := rp.ClientCredentials(CTX, provider, nil)
require.NoError(t, err)
- userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, userID, provider)
+ userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, user.GetUserId(), provider)
require.NoError(t, err)
assertProjectRoleClaims(t, projectID, userinfo.Claims, false, roleFoo)
}
@@ -291,7 +291,7 @@ func getTokens(t *testing.T, clientID string, scope []string) *oidc.Tokens[*oidc
tokens, err := exchangeTokens(t, clientID, code, redirectURI)
require.NoError(t, err)
assertTokens(t, tokens, true)
- assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+ assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
return tokens
}
diff --git a/internal/api/oidc/userinfo_test.go b/internal/api/oidc/userinfo_test.go
index 65354a4040..741f7eed36 100644
--- a/internal/api/oidc/userinfo_test.go
+++ b/internal/api/oidc/userinfo_test.go
@@ -3,7 +3,6 @@ package oidc
import (
"context"
"encoding/base64"
- "fmt"
"testing"
"time"
@@ -267,11 +266,9 @@ func Test_userInfoToOIDC(t *testing.T) {
}
type args struct {
- projectID string
- user *query.OIDCUserInfo
- scope []string
- roleAudience []string
- requestedRoles []string
+ user *query.OIDCUserInfo
+ userInfoAssertion bool
+ scope []string
}
tests := []struct {
name string
@@ -281,25 +278,22 @@ func Test_userInfoToOIDC(t *testing.T) {
{
name: "human, empty",
args: args{
- projectID: "project1",
- user: humanUserInfo,
+ user: humanUserInfo,
},
want: &oidc.UserInfo{},
},
{
name: "machine, empty",
args: args{
- projectID: "project1",
- user: machineUserInfo,
+ user: machineUserInfo,
},
want: &oidc.UserInfo{},
},
{
name: "human, scope openid",
args: args{
- projectID: "project1",
- user: humanUserInfo,
- scope: []string{oidc.ScopeOpenID},
+ user: humanUserInfo,
+ scope: []string{oidc.ScopeOpenID},
},
want: &oidc.UserInfo{
Subject: "human1",
@@ -308,20 +302,19 @@ func Test_userInfoToOIDC(t *testing.T) {
{
name: "machine, scope openid",
args: args{
- projectID: "project1",
- user: machineUserInfo,
- scope: []string{oidc.ScopeOpenID},
+ user: machineUserInfo,
+ scope: []string{oidc.ScopeOpenID},
},
want: &oidc.UserInfo{
Subject: "machine1",
},
},
{
- name: "human, scope email",
+ name: "human, scope email, profileInfoAssertion",
args: args{
- projectID: "project1",
- user: humanUserInfo,
- scope: []string{oidc.ScopeEmail},
+ user: humanUserInfo,
+ userInfoAssertion: true,
+ scope: []string{oidc.ScopeEmail},
},
want: &oidc.UserInfo{
UserInfoEmail: oidc.UserInfoEmail{
@@ -331,22 +324,29 @@ func Test_userInfoToOIDC(t *testing.T) {
},
},
{
- name: "machine, scope email",
+ name: "human, scope email",
args: args{
- projectID: "project1",
- user: machineUserInfo,
- scope: []string{oidc.ScopeEmail},
+ user: humanUserInfo,
+ scope: []string{oidc.ScopeEmail},
+ },
+ want: &oidc.UserInfo{},
+ },
+ {
+ name: "machine, scope email, profileInfoAssertion",
+ args: args{
+ user: machineUserInfo,
+ scope: []string{oidc.ScopeEmail},
},
want: &oidc.UserInfo{
UserInfoEmail: oidc.UserInfoEmail{},
},
},
{
- name: "human, scope profile",
+ name: "human, scope profile, profileInfoAssertion",
args: args{
- projectID: "project1",
- user: humanUserInfo,
- scope: []string{oidc.ScopeProfile},
+ user: humanUserInfo,
+ userInfoAssertion: true,
+ scope: []string{oidc.ScopeProfile},
},
want: &oidc.UserInfo{
UserInfoProfile: oidc.UserInfoProfile{
@@ -363,11 +363,11 @@ func Test_userInfoToOIDC(t *testing.T) {
},
},
{
- name: "machine, scope profile",
+ name: "machine, scope profile, profileInfoAssertion",
args: args{
- projectID: "project1",
- user: machineUserInfo,
- scope: []string{oidc.ScopeProfile},
+ user: machineUserInfo,
+ userInfoAssertion: true,
+ scope: []string{oidc.ScopeProfile},
},
want: &oidc.UserInfo{
UserInfoProfile: oidc.UserInfoProfile{
@@ -378,11 +378,19 @@ func Test_userInfoToOIDC(t *testing.T) {
},
},
{
- name: "human, scope phone",
+ name: "machine, scope profile",
args: args{
- projectID: "project1",
- user: humanUserInfo,
- scope: []string{oidc.ScopePhone},
+ user: machineUserInfo,
+ scope: []string{oidc.ScopeProfile},
+ },
+ want: &oidc.UserInfo{},
+ },
+ {
+ name: "human, scope phone, profileInfoAssertion",
+ args: args{
+ user: humanUserInfo,
+ userInfoAssertion: true,
+ scope: []string{oidc.ScopePhone},
},
want: &oidc.UserInfo{
UserInfoPhone: oidc.UserInfoPhone{
@@ -391,12 +399,19 @@ func Test_userInfoToOIDC(t *testing.T) {
},
},
},
+ {
+ name: "human, scope phone",
+ args: args{
+ user: humanUserInfo,
+ scope: []string{oidc.ScopePhone},
+ },
+ want: &oidc.UserInfo{},
+ },
{
name: "machine, scope phone",
args: args{
- projectID: "project1",
- user: machineUserInfo,
- scope: []string{oidc.ScopePhone},
+ user: machineUserInfo,
+ scope: []string{oidc.ScopePhone},
},
want: &oidc.UserInfo{
UserInfoPhone: oidc.UserInfoPhone{},
@@ -405,9 +420,8 @@ func Test_userInfoToOIDC(t *testing.T) {
{
name: "human, scope metadata",
args: args{
- projectID: "project1",
- user: humanUserInfo,
- scope: []string{ScopeUserMetaData},
+ user: humanUserInfo,
+ scope: []string{ScopeUserMetaData},
},
want: &oidc.UserInfo{
Claims: map[string]any{
@@ -421,18 +435,16 @@ func Test_userInfoToOIDC(t *testing.T) {
{
name: "machine, scope metadata, none found",
args: args{
- projectID: "project1",
- user: machineUserInfo,
- scope: []string{ScopeUserMetaData},
+ user: machineUserInfo,
+ scope: []string{ScopeUserMetaData},
},
want: &oidc.UserInfo{},
},
{
name: "machine, scope resource owner",
args: args{
- projectID: "project1",
- user: machineUserInfo,
- scope: []string{ScopeResourceOwner},
+ user: machineUserInfo,
+ scope: []string{ScopeResourceOwner},
},
want: &oidc.UserInfo{
Claims: map[string]any{
@@ -445,9 +457,8 @@ func Test_userInfoToOIDC(t *testing.T) {
{
name: "human, scope org primary domain prefix",
args: args{
- projectID: "project1",
- user: humanUserInfo,
- scope: []string{domain.OrgDomainPrimaryScope + "foo.com"},
+ user: humanUserInfo,
+ scope: []string{domain.OrgDomainPrimaryScope + "foo.com"},
},
want: &oidc.UserInfo{
Claims: map[string]any{
@@ -458,9 +469,8 @@ func Test_userInfoToOIDC(t *testing.T) {
{
name: "machine, scope org id",
args: args{
- projectID: "project1",
- user: machineUserInfo,
- scope: []string{domain.OrgIDScope + "orgID"},
+ user: machineUserInfo,
+ scope: []string{domain.OrgIDScope + "orgID"},
},
want: &oidc.UserInfo{
Claims: map[string]any{
@@ -471,50 +481,11 @@ func Test_userInfoToOIDC(t *testing.T) {
},
},
},
- {
- name: "human, roleAudience",
- args: args{
- projectID: "project1",
- user: humanUserInfo,
- roleAudience: []string{"project1"},
- },
- want: &oidc.UserInfo{
- Claims: map[string]any{
- ClaimProjectRoles: projectRoles{
- "role1": {"orgID": "orgDomain"},
- "role2": {"orgID": "orgDomain"},
- },
- fmt.Sprintf(ClaimProjectRolesFormat, "project1"): projectRoles{
- "role1": {"orgID": "orgDomain"},
- "role2": {"orgID": "orgDomain"},
- },
- },
- },
- },
- {
- name: "human, requested roles",
- args: args{
- projectID: "project1",
- user: humanUserInfo,
- roleAudience: []string{"project1"},
- requestedRoles: []string{"role2"},
- },
- want: &oidc.UserInfo{
- Claims: map[string]any{
- ClaimProjectRoles: projectRoles{
- "role2": {"orgID": "orgDomain"},
- },
- fmt.Sprintf(ClaimProjectRolesFormat, "project1"): projectRoles{
- "role2": {"orgID": "orgDomain"},
- },
- },
- },
- },
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
assetPrefix := "https://foo.com/assets"
- got := userInfoToOIDC(tt.args.projectID, tt.args.user, tt.args.scope, tt.args.roleAudience, tt.args.requestedRoles, assetPrefix)
+ got := userInfoToOIDC(tt.args.user, tt.args.userInfoAssertion, tt.args.scope, assetPrefix)
assert.Equal(t, tt.want, got)
})
}
diff --git a/internal/api/ui/login/auth_request.go b/internal/api/ui/login/auth_request.go
index f2dcce57da..4da045efac 100644
--- a/internal/api/ui/login/auth_request.go
+++ b/internal/api/ui/login/auth_request.go
@@ -7,6 +7,7 @@ import (
http_mw "github.com/zitadel/zitadel/internal/api/http/middleware"
"github.com/zitadel/zitadel/internal/domain"
+ "github.com/zitadel/zitadel/internal/zerrors"
)
const (
@@ -23,6 +24,14 @@ func (l *Login) getAuthRequest(r *http.Request) (*domain.AuthRequest, error) {
return l.authRepo.AuthRequestByID(r.Context(), authRequestID, userAgentID)
}
+func (l *Login) ensureAuthRequest(r *http.Request) (*domain.AuthRequest, error) {
+ authRequest, err := l.getAuthRequest(r)
+ if authRequest != nil || err != nil {
+ return authRequest, err
+ }
+ return nil, zerrors.ThrowInvalidArgument(nil, "LOGIN-OLah9", "invalid or missing auth request")
+}
+
func (l *Login) getAuthRequestAndParseData(r *http.Request, data interface{}) (*domain.AuthRequest, error) {
authReq, err := l.getAuthRequest(r)
if err != nil {
@@ -32,6 +41,15 @@ func (l *Login) getAuthRequestAndParseData(r *http.Request, data interface{}) (*
return authReq, err
}
+func (l *Login) ensureAuthRequestAndParseData(r *http.Request, data interface{}) (*domain.AuthRequest, error) {
+ authReq, err := l.ensureAuthRequest(r)
+ if err != nil {
+ return authReq, err
+ }
+ err = l.parser.Parse(r, data)
+ return authReq, err
+}
+
func (l *Login) getParseData(r *http.Request, data interface{}) error {
return l.parser.Parse(r, data)
}
diff --git a/internal/api/ui/login/change_password_handler.go b/internal/api/ui/login/change_password_handler.go
index 1eacdcebd5..5c36d0f74f 100644
--- a/internal/api/ui/login/change_password_handler.go
+++ b/internal/api/ui/login/change_password_handler.go
@@ -20,7 +20,7 @@ type changePasswordData struct {
func (l *Login) handleChangePassword(w http.ResponseWriter, r *http.Request) {
data := new(changePasswordData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/device_auth.go b/internal/api/ui/login/device_auth.go
index 659f2ac144..0d5349903e 100644
--- a/internal/api/ui/login/device_auth.go
+++ b/internal/api/ui/login/device_auth.go
@@ -14,7 +14,6 @@ import (
"github.com/zitadel/zitadel/internal/api/authz"
"github.com/zitadel/zitadel/internal/api/http/middleware"
"github.com/zitadel/zitadel/internal/domain"
- "github.com/zitadel/zitadel/internal/zerrors"
)
const (
@@ -145,9 +144,8 @@ func (l *Login) redirectDeviceAuthStart(w http.ResponseWriter, r *http.Request,
// When the action of "allowed" or "denied", the device authorization is updated accordingly.
// Else the user is presented with a page where they can choose / submit either action.
func (l *Login) handleDeviceAuthAction(w http.ResponseWriter, r *http.Request) {
- authReq, err := l.getAuthRequest(r)
- if authReq == nil {
- err = zerrors.ThrowInvalidArgument(err, "LOGIN-OLah8", "invalid or missing auth request")
+ authReq, err := l.ensureAuthRequest(r)
+ if err != nil {
l.redirectDeviceAuthStart(w, r, err.Error())
return
}
diff --git a/internal/api/ui/login/external_provider_handler.go b/internal/api/ui/login/external_provider_handler.go
index e03b32086f..ab0d98b997 100644
--- a/internal/api/ui/login/external_provider_handler.go
+++ b/internal/api/ui/login/external_provider_handler.go
@@ -127,7 +127,7 @@ func (l *Login) handleExternalLogin(w http.ResponseWriter, r *http.Request) {
// handleExternalRegister is called when a user selects the idp on the register options page
func (l *Login) handleExternalRegister(w http.ResponseWriter, r *http.Request) {
data := new(externalIDPData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderError(w, r, authReq, err)
return
@@ -657,7 +657,7 @@ func (l *Login) renderExternalNotFoundOption(w http.ResponseWriter, r *http.Requ
// and either links or creates an externalUser
func (l *Login) handleExternalNotFoundOptionCheck(w http.ResponseWriter, r *http.Request) {
data := new(externalNotFoundOptionFormData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, err)
return
diff --git a/internal/api/ui/login/init_password_handler.go b/internal/api/ui/login/init_password_handler.go
index d57d1f83ff..91a197ef64 100644
--- a/internal/api/ui/login/init_password_handler.go
+++ b/internal/api/ui/login/init_password_handler.go
@@ -91,16 +91,18 @@ func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *dom
func (l *Login) resendPasswordSet(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, data *initPasswordFormData) {
userOrg := data.OrgID
userID := data.UserID
+ var authReqID string
if authReq != nil {
userOrg = authReq.UserOrgID
userID = authReq.UserID
+ authReqID = authReq.ID
}
passwordCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypePasswordResetCode, l.userCodeAlg)
if err != nil {
l.renderInitPassword(w, r, authReq, userID, "", err)
return
}
- _, err = l.command.RequestSetPassword(setContext(r.Context(), userOrg), userID, userOrg, domain.NotificationTypeEmail, passwordCodeGenerator, authReq.ID)
+ _, err = l.command.RequestSetPassword(setContext(r.Context(), userOrg), userID, userOrg, domain.NotificationTypeEmail, passwordCodeGenerator, authReqID)
l.renderInitPassword(w, r, authReq, userID, "", err)
}
diff --git a/internal/api/ui/login/ldap_handler.go b/internal/api/ui/login/ldap_handler.go
index 93590458f6..0fd47c5a6a 100644
--- a/internal/api/ui/login/ldap_handler.go
+++ b/internal/api/ui/login/ldap_handler.go
@@ -42,7 +42,7 @@ func (l *Login) renderLDAPLogin(w http.ResponseWriter, r *http.Request, authReq
func (l *Login) handleLDAPCallback(w http.ResponseWriter, r *http.Request) {
data := new(ldapFormData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/link_prompt_handler.go b/internal/api/ui/login/link_prompt_handler.go
index 04293bd864..30ac186298 100644
--- a/internal/api/ui/login/link_prompt_handler.go
+++ b/internal/api/ui/login/link_prompt_handler.go
@@ -44,7 +44,7 @@ func (l *Login) renderLinkingUserPrompt(w http.ResponseWriter, r *http.Request,
func (l *Login) handleLinkingUserPrompt(w http.ResponseWriter, r *http.Request) {
data := new(linkingUserPromptFormData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderLogin(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/login_handler.go b/internal/api/ui/login/login_handler.go
index ae21d84d87..059048eecb 100644
--- a/internal/api/ui/login/login_handler.go
+++ b/internal/api/ui/login/login_handler.go
@@ -69,7 +69,7 @@ func (l *Login) handleLoginNameCheck(w http.ResponseWriter, r *http.Request) {
return
}
if data.Register {
- if authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowExternalIDP && authReq.AllowedExternalIDPs != nil && len(authReq.AllowedExternalIDPs) > 0 {
+ if authReq != nil && authReq.LoginPolicy != nil && authReq.LoginPolicy.AllowExternalIDP && authReq.AllowedExternalIDPs != nil && len(authReq.AllowedExternalIDPs) > 0 {
l.handleRegisterOption(w, r)
return
}
diff --git a/internal/api/ui/login/mail_verify_handler.go b/internal/api/ui/login/mail_verify_handler.go
index 327b8a1182..aa14969008 100644
--- a/internal/api/ui/login/mail_verify_handler.go
+++ b/internal/api/ui/login/mail_verify_handler.go
@@ -58,16 +58,17 @@ func (l *Login) handleMailVerificationCheck(w http.ResponseWriter, r *http.Reque
l.checkMailCode(w, r, authReq, data.UserID, data.Code)
return
}
- userOrg := ""
+ var userOrg, authReqID string
if authReq != nil {
userOrg = authReq.UserOrgID
+ authReqID = authReq.ID
}
emailCodeGenerator, err := l.query.InitEncryptionGenerator(r.Context(), domain.SecretGeneratorTypeVerifyEmailCode, l.userCodeAlg)
if err != nil {
l.checkMailCode(w, r, authReq, data.UserID, data.Code)
return
}
- _, err = l.command.CreateHumanEmailVerificationCode(setContext(r.Context(), userOrg), data.UserID, userOrg, emailCodeGenerator, authReq.ID)
+ _, err = l.command.CreateHumanEmailVerificationCode(setContext(r.Context(), userOrg), data.UserID, userOrg, emailCodeGenerator, authReqID)
l.renderMailVerification(w, r, authReq, data.UserID, err)
}
diff --git a/internal/api/ui/login/mfa_init_sms.go b/internal/api/ui/login/mfa_init_sms.go
index 9aaa744a39..03f2c32014 100644
--- a/internal/api/ui/login/mfa_init_sms.go
+++ b/internal/api/ui/login/mfa_init_sms.go
@@ -71,7 +71,7 @@ func (l *Login) renderRegisterSMS(w http.ResponseWriter, r *http.Request, authRe
// and a successful OTP SMS check will be added to the auth request.
func (l *Login) handleRegisterSMSCheck(w http.ResponseWriter, r *http.Request) {
formData := new(smsInitFormData)
- authReq, err := l.getAuthRequestAndParseData(r, formData)
+ authReq, err := l.ensureAuthRequestAndParseData(r, formData)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/mfa_init_u2f.go b/internal/api/ui/login/mfa_init_u2f.go
index 0b7718bb80..c84948796c 100644
--- a/internal/api/ui/login/mfa_init_u2f.go
+++ b/internal/api/ui/login/mfa_init_u2f.go
@@ -42,7 +42,7 @@ func (l *Login) renderRegisterU2F(w http.ResponseWriter, r *http.Request, authRe
func (l *Login) handleRegisterU2F(w http.ResponseWriter, r *http.Request) {
data := new(webAuthNFormData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/mfa_init_verify_handler.go b/internal/api/ui/login/mfa_init_verify_handler.go
index 0b66451434..cd6a9091e2 100644
--- a/internal/api/ui/login/mfa_init_verify_handler.go
+++ b/internal/api/ui/login/mfa_init_verify_handler.go
@@ -26,7 +26,7 @@ type mfaInitVerifyData struct {
func (l *Login) handleMFAInitVerify(w http.ResponseWriter, r *http.Request) {
data := new(mfaInitVerifyData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/mfa_prompt_handler.go b/internal/api/ui/login/mfa_prompt_handler.go
index ade1b53229..ce1b7240ec 100644
--- a/internal/api/ui/login/mfa_prompt_handler.go
+++ b/internal/api/ui/login/mfa_prompt_handler.go
@@ -18,7 +18,7 @@ type mfaPromptData struct {
func (l *Login) handleMFAPrompt(w http.ResponseWriter, r *http.Request) {
data := new(mfaPromptData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/mfa_verify_handler.go b/internal/api/ui/login/mfa_verify_handler.go
index 80f1c94e25..cfffc6fced 100644
--- a/internal/api/ui/login/mfa_verify_handler.go
+++ b/internal/api/ui/login/mfa_verify_handler.go
@@ -19,7 +19,7 @@ type mfaVerifyFormData struct {
func (l *Login) handleMFAVerify(w http.ResponseWriter, r *http.Request) {
data := new(mfaVerifyFormData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/mfa_verify_otp_handler.go b/internal/api/ui/login/mfa_verify_otp_handler.go
index 2c0d5d8568..b39605e667 100644
--- a/internal/api/ui/login/mfa_verify_otp_handler.go
+++ b/internal/api/ui/login/mfa_verify_otp_handler.go
@@ -75,8 +75,8 @@ func (l *Login) renderOTPVerification(w http.ResponseWriter, r *http.Request, au
// A user is also able to request a code resend or choose another provider.
func (l *Login) handleOTPVerificationCheck(w http.ResponseWriter, r *http.Request) {
formData := new(mfaOTPFormData)
- authReq, err := l.getAuthRequestAndParseData(r, formData)
- if authReq == nil || err != nil {
+ authReq, err := l.ensureAuthRequestAndParseData(r, formData)
+ if err != nil {
l.renderError(w, r, authReq, err)
return
}
diff --git a/internal/api/ui/login/mfa_verify_u2f_handler.go b/internal/api/ui/login/mfa_verify_u2f_handler.go
index 3afa416823..7873468616 100644
--- a/internal/api/ui/login/mfa_verify_u2f_handler.go
+++ b/internal/api/ui/login/mfa_verify_u2f_handler.go
@@ -50,7 +50,7 @@ func (l *Login) renderU2FVerification(w http.ResponseWriter, r *http.Request, au
func (l *Login) handleU2FVerification(w http.ResponseWriter, r *http.Request) {
formData := new(mfaU2FFormData)
- authReq, err := l.getAuthRequestAndParseData(r, formData)
+ authReq, err := l.ensureAuthRequestAndParseData(r, formData)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/password_handler.go b/internal/api/ui/login/password_handler.go
index 28baf4a1e1..026963bbde 100644
--- a/internal/api/ui/login/password_handler.go
+++ b/internal/api/ui/login/password_handler.go
@@ -34,7 +34,7 @@ func (l *Login) renderPassword(w http.ResponseWriter, r *http.Request, authReq *
func (l *Login) handlePasswordCheck(w http.ResponseWriter, r *http.Request) {
data := new(passwordFormData)
- authReq, err := l.getAuthRequestAndParseData(r, data)
+ authReq, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/password_reset_handler.go b/internal/api/ui/login/password_reset_handler.go
index ff57321e92..bc9a5069d1 100644
--- a/internal/api/ui/login/password_reset_handler.go
+++ b/internal/api/ui/login/password_reset_handler.go
@@ -12,7 +12,7 @@ const (
)
func (l *Login) handlePasswordReset(w http.ResponseWriter, r *http.Request) {
- authReq, err := l.getAuthRequest(r)
+ authReq, err := l.ensureAuthRequest(r)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/passwordless_login_handler.go b/internal/api/ui/login/passwordless_login_handler.go
index 8373a8fbdb..52b9d06fed 100644
--- a/internal/api/ui/login/passwordless_login_handler.go
+++ b/internal/api/ui/login/passwordless_login_handler.go
@@ -49,7 +49,7 @@ func (l *Login) renderPasswordlessVerification(w http.ResponseWriter, r *http.Re
func (l *Login) handlePasswordlessVerification(w http.ResponseWriter, r *http.Request) {
formData := new(passwordlessFormData)
- authReq, err := l.getAuthRequestAndParseData(r, formData)
+ authReq, err := l.ensureAuthRequestAndParseData(r, formData)
if err != nil {
l.renderError(w, r, authReq, err)
return
diff --git a/internal/api/ui/login/passwordless_registration_handler.go b/internal/api/ui/login/passwordless_registration_handler.go
index 0346374cee..976a9277b2 100644
--- a/internal/api/ui/login/passwordless_registration_handler.go
+++ b/internal/api/ui/login/passwordless_registration_handler.go
@@ -114,11 +114,11 @@ func (l *Login) renderPasswordlessRegistration(w http.ResponseWriter, r *http.Re
}
if authReq == nil {
policy, err := l.query.ActiveLabelPolicyByOrg(r.Context(), orgID, false)
- logging.Log("HANDL-XjWKE").OnError(err).Error("unable to get active label policy")
+ logging.OnError(err).Error("unable to get active label policy")
data.LabelPolicy = labelPolicyToDomain(policy)
if err == nil {
texts, err := l.authRepo.GetLoginText(r.Context(), orgID)
- logging.Log("LOGIN-HJK4t").OnError(err).Warn("could not get custom texts")
+ logging.OnError(err).Warn("could not get custom texts")
l.addLoginTranslations(translator, texts)
}
}
diff --git a/internal/api/ui/login/renderer.go b/internal/api/ui/login/renderer.go
index 2154248bae..e6234d9894 100644
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@@ -342,7 +342,11 @@ func (l *Login) renderInternalError(w http.ResponseWriter, r *http.Request, auth
if authReq != nil {
log = log.WithField("auth_req_id", authReq.ID)
}
- log.Error()
+ if zerrors.IsInternal(err) {
+ log.Error()
+ } else {
+ log.Info()
+ }
_, msg = l.getErrorMessage(r, err)
}
diff --git a/internal/api/ui/login/select_user_handler.go b/internal/api/ui/login/select_user_handler.go
index 3febbaed7a..98c3993376 100644
--- a/internal/api/ui/login/select_user_handler.go
+++ b/internal/api/ui/login/select_user_handler.go
@@ -36,7 +36,7 @@ func (l *Login) renderUserSelection(w http.ResponseWriter, r *http.Request, auth
func (l *Login) handleSelectUser(w http.ResponseWriter, r *http.Request) {
data := new(userSelectionFormData)
- authSession, err := l.getAuthRequestAndParseData(r, data)
+ authSession, err := l.ensureAuthRequestAndParseData(r, data)
if err != nil {
l.renderError(w, r, authSession, err)
return
diff --git a/internal/api/ui/login/static/i18n/bg.yaml b/internal/api/ui/login/static/i18n/bg.yaml
index 12f5e57bd6..61ef709f69 100644
--- a/internal/api/ui/login/static/i18n/bg.yaml
+++ b/internal/api/ui/login/static/i18n/bg.yaml
@@ -27,19 +27,22 @@ SelectAccount:
SessionState0: активен
SessionState1: Не сте в профила си
MustBeMemberOfOrg: 'Потребителят трябва да е член на {{.OrgName}} организация.'
+
Password:
Title: Парола
- Description: Въведете вашите данни за вход.
+ Description: Въведете данните си за вход.
PasswordLabel: Парола
- MinLength: Минимална дължина
- HasUppercase: Главна буква
- HasLowercase: Малка буква
- HasNumber: Номер
- HasSymbol: Символ
- Confirmation: Съвпадение за потвърждение
- ResetLinkText: нулиране на парола
- BackButtonText: обратно
- NextButtonText: следващия
+ MinLength: Трябва да е поне
+ MinLengthp2: символа дълга.
+ MaxLength: Трябва да е по-малко от 70 символа.
+ HasUppercase: Трябва да включва главна буква.
+ HasLowercase: Трябва да включва малка буква.
+ HasNumber: Трябва да включва число.
+ HasSymbol: Трябва да включва символ.
+ Confirmation: Потвърждението на паролата съвпада.
+ ResetLinkText: Нулиране на паролата
+ BackButtonText: Назад
+ NextButtonText: Напред
UsernameChange:
Title: Промяна на потребителското име
Description: Задайте новото си потребителско име
diff --git a/internal/api/ui/login/static/i18n/cs.yaml b/internal/api/ui/login/static/i18n/cs.yaml
index 3b97b14bf2..52e88e526b 100644
--- a/internal/api/ui/login/static/i18n/cs.yaml
+++ b/internal/api/ui/login/static/i18n/cs.yaml
@@ -32,12 +32,14 @@ Password:
Title: Heslo
Description: Zadejte své přihlašovací údaje.
PasswordLabel: Heslo
- MinLength: Minimální délka
- HasUppercase: Velké písmeno
- HasLowercase: Malé písmeno
- HasNumber: Číslo
- HasSymbol: Symbol
- Confirmation: Potvrzení shody
+ MinLength: Musí být alespoň
+ MinLengthp2: znaků dlouhé.
+ MaxLength: Musí být kratší než 70 znaků.
+ HasUppercase: Musí obsahovat velké písmeno.
+ HasLowercase: Musí obsahovat malé písmeno.
+ HasNumber: Musí obsahovat číslo.
+ HasSymbol: Musí obsahovat symbol.
+ Confirmation: Potvrzení hesla odpovídá.
ResetLinkText: Obnovit heslo
BackButtonText: Zpět
NextButtonText: Další
diff --git a/internal/api/ui/login/static/i18n/de.yaml b/internal/api/ui/login/static/i18n/de.yaml
index d258f09aa6..4022abfa74 100644
--- a/internal/api/ui/login/static/i18n/de.yaml
+++ b/internal/api/ui/login/static/i18n/de.yaml
@@ -29,15 +29,17 @@ SelectAccount:
MustBeMemberOfOrg: Der Benutzer muss der Organisation {{.OrgName}} angehören.
Password:
- Title: Willkommen zurück!
- Description: Gib deine Benutzerdaten ein.
+ Title: Passwort
+ Description: Geben Sie Ihre Anmeldedaten ein.
PasswordLabel: Passwort
- MinLength: Mindestlänge
- HasUppercase: Großbuchstaben
- HasLowercase: Kleinbuchstaben
- HasNumber: Nummer
- HasSymbol: Symbol
- Confirmation: Wiederholung stimmt überein
+ MinLength: Muss mindestens
+ MinLengthp2: Zeichen lang sein.
+ MaxLength: Muss weniger als 70 Zeichen lang sein.
+ HasUppercase: Muss einen Großbuchstaben enthalten.
+ HasLowercase: Muss einen Kleinbuchstaben enthalten.
+ HasNumber: Muss eine Zahl enthalten.
+ HasSymbol: Muss ein Symbol enthalten.
+ Confirmation: Passwortbestätigung stimmt überein.
ResetLinkText: Passwort zurücksetzen
BackButtonText: Zurück
NextButtonText: Weiter
diff --git a/internal/api/ui/login/static/i18n/en.yaml b/internal/api/ui/login/static/i18n/en.yaml
index 338107060d..b3f6cd4793 100644
--- a/internal/api/ui/login/static/i18n/en.yaml
+++ b/internal/api/ui/login/static/i18n/en.yaml
@@ -32,12 +32,14 @@ Password:
Title: Password
Description: Enter your login data.
PasswordLabel: Password
- MinLength: Minimum length
- HasUppercase: Uppercase letter
- HasLowercase: Lowercase letter
- HasNumber: Number
- HasSymbol: Symbol
- Confirmation: Confirmation match
+ MinLength: Must be at least
+ MinLengthp2: characters long.
+ MaxLength: Must be less than 70 characters long.
+ HasUppercase: Must include an uppercase letter.
+ HasLowercase: Must include a lowercase letter.
+ HasNumber: Must include a number.
+ HasSymbol: Must include a symbol.
+ Confirmation: Password confirmation matched.
ResetLinkText: Reset Password
BackButtonText: Back
NextButtonText: Next
diff --git a/internal/api/ui/login/static/i18n/es.yaml b/internal/api/ui/login/static/i18n/es.yaml
index ef091f2910..29336ab5a2 100644
--- a/internal/api/ui/login/static/i18n/es.yaml
+++ b/internal/api/ui/login/static/i18n/es.yaml
@@ -30,17 +30,19 @@ SelectAccount:
Password:
Title: Contraseña
- Description: Introduce tus datos de inicio de sesión.
+ Description: Introduce tus datos de acceso.
PasswordLabel: Contraseña
- MinLength: Longitud mínima
- HasUppercase: Una letra mayúscula
- HasLowercase: Una letra minúscula
- HasNumber: Número
- HasSymbol: Símbolo
- Confirmation: Las contraseñas coinciden
- ResetLinkText: restablecer contraseña
- BackButtonText: atrás
- NextButtonText: siguiente
+ MinLength: Debe tener al menos
+ MinLengthp2: caracteres de longitud.
+ MaxLength: Debe tener menos de 70 caracteres de longitud.
+ HasUppercase: Debe incluir una letra mayúscula.
+ HasLowercase: Debe incluir una letra minúscula.
+ HasNumber: Debe incluir un número.
+ HasSymbol: Debe incluir un símbolo.
+ Confirmation: La confirmación de la contraseña coincide.
+ ResetLinkText: Restablecer contraseña
+ BackButtonText: Atrás
+ NextButtonText: Siguiente
UsernameChange:
Title: Cambiar nombre de usuario
diff --git a/internal/api/ui/login/static/i18n/fr.yaml b/internal/api/ui/login/static/i18n/fr.yaml
index 44532ca8de..69cd70518a 100644
--- a/internal/api/ui/login/static/i18n/fr.yaml
+++ b/internal/api/ui/login/static/i18n/fr.yaml
@@ -32,12 +32,14 @@ Password:
Title: Mot de passe
Description: Entrez vos identifiants.
PasswordLabel: Mot de passe
- MinLength: Longueur minimale
- HasUppercase: Lettre majuscule
- HasLowercase: Lettre minuscule
- HasNumber: Numéro
- HasSymbol: Symbole
- Confirmation: Les mots de passe sont identiques
+ MinLength: Doit contenir au moins
+ MinLengthp2: caractères.
+ MaxLength: Doit contenir moins de 70 caractères.
+ HasUppercase: Doit inclure une lettre majuscule.
+ HasLowercase: Doit inclure une lettre minuscule.
+ HasNumber: Doit inclure un chiffre.
+ HasSymbol: Doit inclure un symbole.
+ Confirmation: La confirmation du mot de passe correspond.
ResetLinkText: Réinitialiser le mot de passe
BackButtonText: Retour
NextButtonText: Suivant
diff --git a/internal/api/ui/login/static/i18n/it.yaml b/internal/api/ui/login/static/i18n/it.yaml
index 24e9733943..8b969e6c6f 100644
--- a/internal/api/ui/login/static/i18n/it.yaml
+++ b/internal/api/ui/login/static/i18n/it.yaml
@@ -32,14 +32,16 @@ Password:
Title: Password
Description: Inserisci i tuoi dati di accesso.
PasswordLabel: Password
- MinLength: Lunghezza minima
- HasUppercase: Lettera maiuscola
- HasLowercase: Lettera minuscola
- HasNumber: Numero
- HasSymbol: Simbolo
- Confirmation: Conferma password
- ResetLinkText: Password dimenticata?
- BackButtonText: indietro
+ MinLength: Deve contenere almeno
+ MinLengthp2: caratteri.
+ MaxLength: Deve contenere meno di 70 caratteri.
+ HasUppercase: Deve includere una lettera maiuscola.
+ HasLowercase: Deve includere una lettera minuscola.
+ HasNumber: Deve includere un numero.
+ HasSymbol: Deve includere un simbolo.
+ Confirmation: La conferma della password corrisponde.
+ ResetLinkText: Reimposta password
+ BackButtonText: Indietro
NextButtonText: Avanti
UsernameChange:
diff --git a/internal/api/ui/login/static/i18n/ja.yaml b/internal/api/ui/login/static/i18n/ja.yaml
index e4ca75bad7..da55ccb523 100644
--- a/internal/api/ui/login/static/i18n/ja.yaml
+++ b/internal/api/ui/login/static/i18n/ja.yaml
@@ -22,16 +22,18 @@ SelectAccount:
MustBeMemberOfOrg: ユーザーは組織 {{.OrgName}} のメンバーである必要があります。
Password:
- Title: パスワードの入力
- Description: ログインデータを入力します。
+ Title: パスワード
+ Description: ログインデータを入力してください。
PasswordLabel: パスワード
- MinLength: 文字列の長さ
- HasUppercase: 大文字
- HasLowercase: 小文字
- HasNumber: 数字
- HasSymbol: シンボル
- Confirmation: パスワードの確認
- ResetLinkText: パスワードを再設定する
+ MinLength: 少なくとも
+ MinLengthp2: 文字でなければなりません。
+ MaxLength: 70文字以下でなければなりません。
+ HasUppercase: 大文字を含む必要があります。
+ HasLowercase: 小文字を含む必要があります。
+ HasNumber: 数字を含む必要があります。
+ HasSymbol: 記号を含む必要があります。
+ Confirmation: パスワードの確認が一致しました。
+ ResetLinkText: パスワードをリセット
BackButtonText: 戻る
NextButtonText: 次へ
diff --git a/internal/api/ui/login/static/i18n/mk.yaml b/internal/api/ui/login/static/i18n/mk.yaml
index dafc520d56..c05af2b691 100644
--- a/internal/api/ui/login/static/i18n/mk.yaml
+++ b/internal/api/ui/login/static/i18n/mk.yaml
@@ -32,15 +32,17 @@ Password:
Title: Лозинка
Description: Внесете ги вашите податоци за најава.
PasswordLabel: Лозинка
- MinLength: Минимална должина
- HasUppercase: Голема буква
- HasLowercase: Мала буква
- HasNumber: Број
- HasSymbol: Симбол
- Confirmation: Потврда на лозинка
- ResetLinkText: ресетирај лозинка
- BackButtonText: назад
- NextButtonText: следно
+ MinLength: Мора да биде најмалку
+ MinLengthp2: карактери долго.
+ MaxLength: Мора да биде помалку од 70 карактери.
+ HasUppercase: Мора да вклучи голема буква.
+ HasLowercase: Мора да вклучи мала буква.
+ HasNumber: Мора да вклучи број.
+ HasSymbol: Мора да вклучи симбол.
+ Confirmation: Потврдата за лозинката се совпаѓа.
+ ResetLinkText: Ресетирај лозинка
+ BackButtonText: Назад
+ NextButtonText: Напред
UsernameChange:
Title: Промена на корисничко име
diff --git a/internal/api/ui/login/static/i18n/nl.yaml b/internal/api/ui/login/static/i18n/nl.yaml
index 68d8ffa4a1..5b76ee4179 100644
--- a/internal/api/ui/login/static/i18n/nl.yaml
+++ b/internal/api/ui/login/static/i18n/nl.yaml
@@ -32,13 +32,15 @@ Password:
Title: Wachtwoord
Description: Voer uw inloggegevens in.
PasswordLabel: Wachtwoord
- MinLength: Minimum lengte
- HasUppercase: Hoofdletter
- HasLowercase: Kleine letter
- HasNumber: Nummer
- HasSymbol: Symbool
- Confirmation: Bevestiging komt overeen
- ResetLinkText: Reset Wachtwoord
+ MinLength: Moet minstens
+ MinLengthp2: tekens lang zijn.
+ MaxLength: Moet minder dan 70 tekens lang zijn.
+ HasUppercase: Moet een hoofdletter bevatten.
+ HasLowercase: Moet een kleine letter bevatten.
+ HasNumber: Moet een nummer bevatten.
+ HasSymbol: Moet een symbool bevatten.
+ Confirmation: Wachtwoordbevestiging komt overeen.
+ ResetLinkText: Wachtwoord resetten
BackButtonText: Terug
NextButtonText: Volgende
diff --git a/internal/api/ui/login/static/i18n/pl.yaml b/internal/api/ui/login/static/i18n/pl.yaml
index e23ce3fa71..3f9def93a2 100644
--- a/internal/api/ui/login/static/i18n/pl.yaml
+++ b/internal/api/ui/login/static/i18n/pl.yaml
@@ -32,15 +32,17 @@ Password:
Title: Hasło
Description: Wprowadź swoje dane logowania.
PasswordLabel: Hasło
- MinLength: Minimalna długość
- HasUppercase: Duża litera
- HasLowercase: Mała litera
- HasNumber: Liczba
- HasSymbol: Symbol
- Confirmation: Potwierdzenie zgodności
- ResetLinkText: zresetuj hasło
- BackButtonText: wróć
- NextButtonText: dalej
+ MinLength: Musi zawierać co najmniej
+ MinLengthp2: znaków.
+ MaxLength: Musi zawierać mniej niż 70 znaków.
+ HasUppercase: Musi zawierać dużą literę.
+ HasLowercase: Musi zawierać małą literę.
+ HasNumber: Musi zawierać numer.
+ HasSymbol: Musi zawierać symbol.
+ Confirmation: Potwierdzenie hasła pasuje.
+ ResetLinkText: Zresetuj hasło
+ BackButtonText: Wstecz
+ NextButtonText: Dalej
UsernameChange:
Title: Zmiana nazwy użytkownika
diff --git a/internal/api/ui/login/static/i18n/pt.yaml b/internal/api/ui/login/static/i18n/pt.yaml
index 19d00c72f4..99aff3a8c3 100644
--- a/internal/api/ui/login/static/i18n/pt.yaml
+++ b/internal/api/ui/login/static/i18n/pt.yaml
@@ -32,15 +32,17 @@ Password:
Title: Senha
Description: Insira seus dados de login.
PasswordLabel: Senha
- MinLength: Comprimento mínimo
- HasUppercase: Letra maiúscula
- HasLowercase: Letra minúscula
- HasNumber: Número
- HasSymbol: Símbolo
- Confirmation: Confirmação corresponde
- ResetLinkText: redefinir senha
- BackButtonText: voltar
- NextButtonText: próximo
+ MinLength: Deve ter pelo menos
+ MinLengthp2: caracteres.
+ MaxLength: Deve ter menos de 70 caracteres.
+ HasUppercase: Deve incluir uma letra maiúscula.
+ HasLowercase: Deve incluir uma letra minúscula.
+ HasNumber: Deve incluir um número.
+ HasSymbol: Deve incluir um símbolo.
+ Confirmation: A confirmação da senha corresponde.
+ ResetLinkText: Redefinir senha
+ BackButtonText: Voltar
+ NextButtonText: Próximo
UsernameChange:
Title: Alterar nome de usuário
diff --git a/internal/api/ui/login/static/i18n/ru.yaml b/internal/api/ui/login/static/i18n/ru.yaml
index fb88312486..cd756cbdd8 100644
--- a/internal/api/ui/login/static/i18n/ru.yaml
+++ b/internal/api/ui/login/static/i18n/ru.yaml
@@ -29,17 +29,19 @@ SelectAccount:
Password:
Title: Пароль
- Description: Введите ваши данные.
+ Description: Введите свои данные для входа.
PasswordLabel: Пароль
- MinLength: Минимальная длина
- HasUppercase: Заглавная буква
- HasLowercase: Строчная буква
- HasNumber: Цифра
- HasSymbol: Символ
- Confirmation: Подтверждение пароля
- ResetLinkText: сброс пароля
- BackButtonText: назад
- NextButtonText: далее
+ MinLength: Должно быть не менее
+ MinLengthp2: символов.
+ MaxLength: Должно быть меньше 70 символов.
+ HasUppercase: Должно содержать заглавную букву.
+ HasLowercase: Должно содержать строчную букву.
+ HasNumber: Должно содержать число.
+ HasSymbol: Должно содержать символ.
+ Confirmation: Подтверждение пароля совпадает.
+ ResetLinkText: Сбросить пароль
+ BackButtonText: Назад
+ NextButtonText: Вперед
UsernameChange:
Title: Изменение логина
diff --git a/internal/api/ui/login/static/i18n/zh.yaml b/internal/api/ui/login/static/i18n/zh.yaml
index bf31d270bb..85230efe0f 100644
--- a/internal/api/ui/login/static/i18n/zh.yaml
+++ b/internal/api/ui/login/static/i18n/zh.yaml
@@ -32,15 +32,17 @@ Password:
Title: 密码
Description: 输入您的登录数据。
PasswordLabel: 密码
- MinLength: 密码
- HasUppercase: 大写字母
- HasLowercase: 小写字母
- HasNumber: 数字
- HasSymbol: 符号
- Confirmation: 确认匹配
- ResetLinkText: 重设密码
- BackButtonText: 后退
- NextButtonText: 继续
+ MinLength: 必须至少有
+ MinLengthp2: 个字符。
+ MaxLength: 必须少于70个字符。
+ HasUppercase: 必须包含一个大写字母。
+ HasLowercase: 必须包含一个小写字母。
+ HasNumber: 必须包含一个数字。
+ HasSymbol: 必须包含一个符号。
+ Confirmation: 密码确认匹配。
+ ResetLinkText: 重置密码
+ BackButtonText: 返回
+ NextButtonText: 下一步
UsernameChange:
Title: 更改用户名
diff --git a/internal/api/ui/login/static/resources/scripts/password_policy_check.js b/internal/api/ui/login/static/resources/scripts/password_policy_check.js
index ce5936b32b..4a9712f815 100644
--- a/internal/api/ui/login/static/resources/scripts/password_policy_check.js
+++ b/internal/api/ui/login/static/resources/scripts/password_policy_check.js
@@ -15,6 +15,14 @@ function ComplexityPolicyCheck(passwordElement, passwordConfirmationElement) {
invalid++;
}
+ const maxLengthElem = document.getElementById("maxlength");
+ if (passwordElement.value.length <= 70) {
+ ValidPolicyFlipped(maxLengthElem);
+ } else {
+ InvalidPolicyFlipped(maxLengthElem);
+ invalid++;
+ }
+
const upper = document.getElementById("uppercase");
if (upperRegex !== "") {
if (RegExp(upperRegex).test(passwordElement.value)) {
@@ -84,6 +92,14 @@ function ValidPolicy(element) {
element.getElementsByTagName("i")[0].classList.add("lgn-valid");
}
+function ValidPolicyFlipped(element) {
+ element.classList.add("valid");
+ element.getElementsByTagName("i")[0].classList.remove("lgn-warn");
+ element.getElementsByTagName("i")[0].classList.remove("lgn-icon-times-solid");
+ element.getElementsByTagName("i")[0].classList.add("lgn-valid");
+ element.getElementsByTagName("i")[0].classList.add("lgn-icon-check-solid");
+}
+
function InvalidPolicy(element) {
element.classList.add("invalid");
element.getElementsByTagName("i")[0].classList.remove("lgn-valid");
@@ -91,3 +107,11 @@ function InvalidPolicy(element) {
element.getElementsByTagName("i")[0].classList.add("lgn-warn");
element.getElementsByTagName("i")[0].classList.add("lgn-icon-times-solid");
}
+
+function InvalidPolicyFlipped(element) {
+ element.classList.remove("valid");
+ element.getElementsByTagName("i")[0].classList.remove("lgn-icon-check-solid");
+ element.getElementsByTagName("i")[0].classList.remove("lgn-valid");
+ element.getElementsByTagName("i")[0].classList.add("lgn-icon-times-solid");
+ element.getElementsByTagName("i")[0].classList.add("lgn-warn");
+}
diff --git a/internal/api/ui/login/static/templates/ldap_login.html b/internal/api/ui/login/static/templates/ldap_login.html
index 850bf27e57..1f91f14051 100644
--- a/internal/api/ui/login/static/templates/ldap_login.html
+++ b/internal/api/ui/login/static/templates/ldap_login.html
@@ -34,7 +34,7 @@
+|Community Meeting|
+|------------------|
+|ZITADEL holds bi-weekly community calls. To join the community calls or to watch previous meeting notes and recordings, please visit the [meeting schedule](https://github.com/zitadel/zitadel/blob/main/MEETING_SCHEDULE.md).|
Are you searching for a user management tool that is quickly set up like Auth0 and open source like Keycloak?
diff --git a/cmd/initialise/init.go b/cmd/initialise/init.go
index 7451f73ad3..917e6a2d93 100644
--- a/cmd/initialise/init.go
+++ b/cmd/initialise/init.go
@@ -19,6 +19,7 @@ var (
createUserStmt string
grantStmt string
+ settingsStmt string
databaseStmt string
createEventstoreStmt string
createProjectionsStmt string
@@ -39,7 +40,7 @@ func New() *cobra.Command {
Long: `Sets up the minimum requirements to start ZITADEL.
Prerequisites:
-- cockroachDB
+- database (PostgreSql or cockroachdb)
The user provided by flags needs privileges to
- create the database if it does not exist
@@ -53,7 +54,7 @@ The user provided by flags needs privileges to
},
}
- cmd.AddCommand(newZitadel(), newDatabase(), newUser(), newGrant())
+ cmd.AddCommand(newZitadel(), newDatabase(), newUser(), newGrant(), newSettings())
return cmd
}
@@ -62,6 +63,7 @@ func InitAll(ctx context.Context, config *Config) {
VerifyUser(config.Database.Username(), config.Database.Password()),
VerifyDatabase(config.Database.DatabaseName()),
VerifyGrant(config.Database.DatabaseName(), config.Database.Username()),
+ VerifySettings(config.Database.DatabaseName(), config.Database.Username()),
)
logging.OnError(err).Fatal("unable to initialize the database")
@@ -147,6 +149,11 @@ func ReadStmts(typ string) (err error) {
return err
}
+ settingsStmt, err = readStmt(typ, "11_settings")
+ if err != nil {
+ return err
+ }
+
return nil
}
diff --git a/cmd/initialise/sql/cockroach/11_settings.sql b/cmd/initialise/sql/cockroach/11_settings.sql
new file mode 100644
index 0000000000..5fa9dd72f6
--- /dev/null
+++ b/cmd/initialise/sql/cockroach/11_settings.sql
@@ -0,0 +1,4 @@
+-- replace the first %[1]q with the database in double quotes
+-- replace the second \%[2]q with the user in double quotes$
+-- For more information see technical advisory 10009 (https://zitadel.com/docs/support/advisory/a10009)
+ALTER ROLE %[2]q IN DATABASE %[1]q SET enable_durable_locking_for_serializable = on;
\ No newline at end of file
diff --git a/cmd/initialise/sql/postgres/11_settings.sql b/cmd/initialise/sql/postgres/11_settings.sql
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/cmd/initialise/verify_settings.go b/cmd/initialise/verify_settings.go
new file mode 100644
index 0000000000..75e811663f
--- /dev/null
+++ b/cmd/initialise/verify_settings.go
@@ -0,0 +1,44 @@
+package initialise
+
+import (
+ _ "embed"
+ "fmt"
+
+ "github.com/spf13/cobra"
+ "github.com/spf13/viper"
+ "github.com/zitadel/logging"
+
+ "github.com/zitadel/zitadel/internal/database"
+)
+
+func newSettings() *cobra.Command {
+ return &cobra.Command{
+ Use: "settings",
+ Short: "Ensures proper settings on the database",
+ Long: `Ensures proper settings on the database.
+
+Prerequisites:
+- cockroachDB or postgreSQL
+
+Cockroach
+- Sets enable_durable_locking_for_serializable to on for the zitadel user and database
+`,
+ Run: func(cmd *cobra.Command, args []string) {
+ config := MustNewConfig(viper.GetViper())
+
+ err := initialise(config.Database, VerifySettings(config.Database.DatabaseName(), config.Database.Username()))
+ logging.OnError(err).Fatal("unable to set settings")
+ },
+ }
+}
+
+func VerifySettings(databaseName, username string) func(*database.DB) error {
+ return func(db *database.DB) error {
+ if db.Type() == "postgres" {
+ return nil
+ }
+ logging.WithFields("user", username, "database", databaseName).Info("verify settings")
+
+ return exec(db, fmt.Sprintf(settingsStmt, databaseName, username), nil)
+ }
+}
diff --git a/cmd/mirror/auth.go b/cmd/mirror/auth.go
new file mode 100644
index 0000000000..df94708e71
--- /dev/null
+++ b/cmd/mirror/auth.go
@@ -0,0 +1,91 @@
+package mirror
+
+import (
+ "context"
+ _ "embed"
+ "io"
+ "time"
+
+ "github.com/jackc/pgx/v5/stdlib"
+ "github.com/spf13/cobra"
+ "github.com/spf13/viper"
+ "github.com/zitadel/logging"
+
+ "github.com/zitadel/zitadel/internal/database"
+ "github.com/zitadel/zitadel/internal/database/dialect"
+)
+
+func authCmd() *cobra.Command {
+ cmd := &cobra.Command{
+ Use: "auth",
+ Short: "mirrors the auth requests table from one database to another",
+ Long: `mirrors the auth requests table from one database to another
+ZITADEL needs to be initialized and set up with the --for-mirror flag
+Only auth requests are mirrored`,
+ Run: func(cmd *cobra.Command, args []string) {
+ config := mustNewMigrationConfig(viper.GetViper())
+ copyAuth(cmd.Context(), config)
+ },
+ }
+
+ cmd.Flags().BoolVar(&shouldReplace, "replace", false, "allow delete auth requests of defined instances before copy")
+
+ return cmd
+}
+
+func copyAuth(ctx context.Context, config *Migration) {
+ sourceClient, err := database.Connect(config.Source, false, dialect.DBPurposeQuery)
+ logging.OnError(err).Fatal("unable to connect to source database")
+ defer sourceClient.Close()
+
+ destClient, err := database.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+ logging.OnError(err).Fatal("unable to connect to destination database")
+ defer destClient.Close()
+
+ copyAuthRequests(ctx, sourceClient, destClient)
+}
+
+func copyAuthRequests(ctx context.Context, source, dest *database.DB) {
+ start := time.Now()
+
+ sourceConn, err := source.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire connection")
+ defer sourceConn.Close()
+
+ r, w := io.Pipe()
+ errs := make(chan error, 1)
+
+ go func() {
+ err = sourceConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+ _, err := conn.PgConn().CopyTo(ctx, w, "COPY (SELECT id, regexp_replace(request::TEXT, '\\\\u0000', '', 'g')::JSON request, code, request_type, creation_date, change_date, instance_id FROM auth.auth_requests "+instanceClause()+") TO STDOUT")
+ w.Close()
+ return err
+ })
+ errs <- err
+ }()
+
+ destConn, err := dest.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire connection")
+ defer destConn.Close()
+
+ var affected int64
+ err = destConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+
+ if shouldReplace {
+ _, err := conn.Exec(ctx, "DELETE FROM auth.auth_requests "+instanceClause())
+ if err != nil {
+ return err
+ }
+ }
+
+ tag, err := conn.PgConn().CopyFrom(ctx, r, "COPY auth.auth_requests FROM STDIN")
+ affected = tag.RowsAffected()
+
+ return err
+ })
+ logging.OnError(err).Fatal("unable to copy auth requests to destination")
+ logging.OnError(<-errs).Fatal("unable to copy auth requests from source")
+ logging.WithFields("took", time.Since(start), "count", affected).Info("auth requests migrated")
+}
diff --git a/cmd/mirror/config.go b/cmd/mirror/config.go
new file mode 100644
index 0000000000..5d2ec8fac7
--- /dev/null
+++ b/cmd/mirror/config.go
@@ -0,0 +1,80 @@
+package mirror
+
+import (
+ _ "embed"
+ "time"
+
+ "github.com/mitchellh/mapstructure"
+ "github.com/spf13/viper"
+ "github.com/zitadel/logging"
+
+ "github.com/zitadel/zitadel/cmd/hooks"
+ "github.com/zitadel/zitadel/internal/actions"
+ internal_authz "github.com/zitadel/zitadel/internal/api/authz"
+ "github.com/zitadel/zitadel/internal/command"
+ "github.com/zitadel/zitadel/internal/config/hook"
+ "github.com/zitadel/zitadel/internal/database"
+ "github.com/zitadel/zitadel/internal/domain"
+ "github.com/zitadel/zitadel/internal/id"
+)
+
+type Migration struct {
+ Source database.Config
+ Destination database.Config
+
+ EventBulkSize uint32
+
+ Log *logging.Config
+ Machine *id.Config
+}
+
+var (
+ //go:embed defaults.yaml
+ defaultConfig []byte
+)
+
+func mustNewMigrationConfig(v *viper.Viper) *Migration {
+ config := new(Migration)
+ mustNewConfig(v, config)
+
+ err := config.Log.SetLogger()
+ logging.OnError(err).Fatal("unable to set logger")
+
+ id.Configure(config.Machine)
+
+ return config
+}
+
+func mustNewProjectionsConfig(v *viper.Viper) *ProjectionsConfig {
+ config := new(ProjectionsConfig)
+ mustNewConfig(v, config)
+
+ err := config.Log.SetLogger()
+ logging.OnError(err).Fatal("unable to set logger")
+
+ id.Configure(config.Machine)
+
+ return config
+}
+
+func mustNewConfig(v *viper.Viper, config any) {
+ err := v.Unmarshal(config,
+ viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
+ hooks.SliceTypeStringDecode[*domain.CustomMessageText],
+ hooks.SliceTypeStringDecode[*command.SetQuota],
+ hooks.SliceTypeStringDecode[internal_authz.RoleMapping],
+ hooks.MapTypeStringDecode[string, *internal_authz.SystemAPIUser],
+ hooks.MapTypeStringDecode[domain.Feature, any],
+ hooks.MapHTTPHeaderStringDecode,
+ hook.Base64ToBytesHookFunc(),
+ hook.TagToLanguageHookFunc(),
+ mapstructure.StringToTimeDurationHookFunc(),
+ mapstructure.StringToTimeHookFunc(time.RFC3339),
+ mapstructure.StringToSliceHookFunc(","),
+ database.DecodeHook,
+ actions.HTTPConfigDecodeHook,
+ hook.EnumHookFunc(internal_authz.MemberTypeString),
+ )),
+ )
+ logging.OnError(err).Fatal("unable to read default config")
+}
diff --git a/cmd/mirror/defaults.yaml b/cmd/mirror/defaults.yaml
new file mode 100644
index 0000000000..7db91ecc0b
--- /dev/null
+++ b/cmd/mirror/defaults.yaml
@@ -0,0 +1,114 @@
+Source:
+ cockroach:
+ Host: localhost # ZITADEL_DATABASE_COCKROACH_HOST
+ Port: 26257 # ZITADEL_DATABASE_COCKROACH_PORT
+ Database: zitadel # ZITADEL_DATABASE_COCKROACH_DATABASE
+ MaxOpenConns: 6 # ZITADEL_DATABASE_COCKROACH_MAXOPENCONNS
+ MaxIdleConns: 6 # ZITADEL_DATABASE_COCKROACH_MAXIDLECONNS
+ EventPushConnRatio: 0.33 # ZITADEL_DATABASE_COCKROACH_EVENTPUSHCONNRATIO
+ ProjectionSpoolerConnRatio: 0.33 # ZITADEL_DATABASE_COCKROACH_PROJECTIONSPOOLERCONNRATIO
+ MaxConnLifetime: 30m # ZITADEL_DATABASE_COCKROACH_MAXCONNLIFETIME
+ MaxConnIdleTime: 5m # ZITADEL_DATABASE_COCKROACH_MAXCONNIDLETIME
+ Options: "" # ZITADEL_DATABASE_COCKROACH_OPTIONS
+ User:
+ Username: zitadel # ZITADEL_DATABASE_COCKROACH_USER_USERNAME
+ Password: "" # ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
+ SSL:
+ Mode: disable # ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE
+ RootCert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT
+ Cert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT
+ Key: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY
+ # Postgres is used as soon as a value is set
+ # The values describe the possible fields to set values
+ postgres:
+ Host: # ZITADEL_DATABASE_POSTGRES_HOST
+ Port: # ZITADEL_DATABASE_POSTGRES_PORT
+ Database: # ZITADEL_DATABASE_POSTGRES_DATABASE
+ MaxOpenConns: # ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS
+ MaxIdleConns: # ZITADEL_DATABASE_POSTGRES_MAXIDLECONNS
+ MaxConnLifetime: # ZITADEL_DATABASE_POSTGRES_MAXCONNLIFETIME
+ MaxConnIdleTime: # ZITADEL_DATABASE_POSTGRES_MAXCONNIDLETIME
+ Options: # ZITADEL_DATABASE_POSTGRES_OPTIONS
+ User:
+ Username: # ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+ Password: # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
+ SSL:
+ Mode: # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+ RootCert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
+ Cert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
+ Key: # ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
+
+Destination:
+ cockroach:
+ Host: localhost # ZITADEL_DATABASE_COCKROACH_HOST
+ Port: 26257 # ZITADEL_DATABASE_COCKROACH_PORT
+ Database: zitadel # ZITADEL_DATABASE_COCKROACH_DATABASE
+ MaxOpenConns: 0 # ZITADEL_DATABASE_COCKROACH_MAXOPENCONNS
+ MaxIdleConns: 0 # ZITADEL_DATABASE_COCKROACH_MAXIDLECONNS
+ MaxConnLifetime: 30m # ZITADEL_DATABASE_COCKROACH_MAXCONNLIFETIME
+ MaxConnIdleTime: 5m # ZITADEL_DATABASE_COCKROACH_MAXCONNIDLETIME
+ EventPushConnRatio: 0.01 # ZITADEL_DATABASE_COCKROACH_EVENTPUSHCONNRATIO
+ ProjectionSpoolerConnRatio: 0.5 # ZITADEL_DATABASE_COCKROACH_PROJECTIONSPOOLERCONNRATIO
+ Options: "" # ZITADEL_DATABASE_COCKROACH_OPTIONS
+ User:
+ Username: zitadel # ZITADEL_DATABASE_COCKROACH_USER_USERNAME
+ Password: "" # ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
+ SSL:
+ Mode: disable # ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE
+ RootCert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT
+ Cert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT
+ Key: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY
+ # Postgres is used as soon as a value is set
+ # The values describe the possible fields to set values
+ postgres:
+ Host: # ZITADEL_DATABASE_POSTGRES_HOST
+ Port: # ZITADEL_DATABASE_POSTGRES_PORT
+ Database: # ZITADEL_DATABASE_POSTGRES_DATABASE
+ MaxOpenConns: # ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS
+ MaxIdleConns: # ZITADEL_DATABASE_POSTGRES_MAXIDLECONNS
+ MaxConnLifetime: # ZITADEL_DATABASE_POSTGRES_MAXCONNLIFETIME
+ MaxConnIdleTime: # ZITADEL_DATABASE_POSTGRES_MAXCONNIDLETIME
+ Options: # ZITADEL_DATABASE_POSTGRES_OPTIONS
+ User:
+ Username: # ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+ Password: # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
+ SSL:
+ Mode: # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+ RootCert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
+ Cert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
+ Key: # ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
+
+EventBulkSize: 10000
+
+Projections:
+ # The maximum duration a transaction remains open
+ # before it spots left folding additional events
+ # and updates the table.
+ TransactionDuration: 0s # ZITADEL_PROJECTIONS_TRANSACTIONDURATION
+ # turn off scheduler during operation
+ RequeueEvery: 0s
+ ConcurrentInstances: 7
+ EventBulkLimit: 1000
+ Customizations:
+ notifications:
+ MaxFailureCount: 1
+
+Eventstore:
+ MaxRetries: 3
+
+Auth:
+ Spooler:
+ TransactionDuration: 0s #ZITADEL_AUTH_SPOOLER_TRANSACTIONDURATION
+ BulkLimit: 1000 #ZITADEL_AUTH_SPOOLER_BULKLIMIT
+
+Admin:
+ Spooler:
+ TransactionDuration: 0s #ZITADEL_AUTH_SPOOLER_TRANSACTIONDURATION
+ BulkLimit: 10 #ZITADEL_AUTH_SPOOLER_BULKLIMIT
+
+FirstInstance:
+ # We only need to create an empty zitadel database so this step must be skipped
+ Skip: true
+
+Log:
+ Level: info
diff --git a/cmd/mirror/event.go b/cmd/mirror/event.go
new file mode 100644
index 0000000000..2bb0d52f45
--- /dev/null
+++ b/cmd/mirror/event.go
@@ -0,0 +1,96 @@
+package mirror
+
+import (
+ "context"
+
+ "github.com/zitadel/zitadel/internal/v2/eventstore"
+ "github.com/zitadel/zitadel/internal/v2/projection"
+ "github.com/zitadel/zitadel/internal/v2/readmodel"
+ "github.com/zitadel/zitadel/internal/v2/system"
+ mirror_event "github.com/zitadel/zitadel/internal/v2/system/mirror"
+)
+
+func queryLastSuccessfulMigration(ctx context.Context, destinationES *eventstore.EventStore, source string) (*readmodel.LastSuccessfulMirror, error) {
+ lastSuccess := readmodel.NewLastSuccessfulMirror(source)
+ if shouldIgnorePrevious {
+ return lastSuccess, nil
+ }
+ _, err := destinationES.Query(
+ ctx,
+ eventstore.NewQuery(
+ system.AggregateInstance,
+ lastSuccess,
+ eventstore.SetFilters(lastSuccess.Filter()),
+ ),
+ )
+ if err != nil {
+ return nil, err
+ }
+
+ return lastSuccess, nil
+}
+
+func writeMigrationStart(ctx context.Context, sourceES *eventstore.EventStore, id string, destination string) (_ float64, err error) {
+ var cmd *eventstore.Command
+ if len(instanceIDs) > 0 {
+ cmd, err = mirror_event.NewStartedInstancesCommand(destination, instanceIDs)
+ if err != nil {
+ return 0, err
+ }
+ } else {
+ cmd = mirror_event.NewStartedSystemCommand(destination)
+ }
+
+ var position projection.HighestPosition
+
+ err = sourceES.Push(
+ ctx,
+ eventstore.NewPushIntent(
+ system.AggregateInstance,
+ eventstore.AppendAggregate(
+ system.AggregateOwner,
+ system.AggregateType,
+ id,
+ eventstore.CurrentSequenceMatches(0),
+ eventstore.AppendCommands(cmd),
+ ),
+ eventstore.PushReducer(&position),
+ ),
+ )
+ if err != nil {
+ return 0, err
+ }
+ return position.Position, nil
+}
+
+func writeMigrationSucceeded(ctx context.Context, destinationES *eventstore.EventStore, id, source string, position float64) error {
+ return destinationES.Push(
+ ctx,
+ eventstore.NewPushIntent(
+ system.AggregateInstance,
+ eventstore.AppendAggregate(
+ system.AggregateOwner,
+ system.AggregateType,
+ id,
+ eventstore.CurrentSequenceMatches(0),
+ eventstore.AppendCommands(mirror_event.NewSucceededCommand(source, position)),
+ ),
+ ),
+ )
+}
+
+func writeMigrationFailed(ctx context.Context, destinationES *eventstore.EventStore, id, source string, err error) error {
+ return destinationES.Push(
+ ctx,
+ eventstore.NewPushIntent(
+ system.AggregateInstance,
+ eventstore.AppendAggregate(
+ system.AggregateOwner,
+ system.AggregateType,
+ id,
+ eventstore.CurrentSequenceMatches(0),
+ eventstore.AppendCommands(mirror_event.NewFailedCommand(source, err)),
+ ),
+ ),
+ )
+}
diff --git a/cmd/mirror/event_store.go b/cmd/mirror/event_store.go
new file mode 100644
index 0000000000..358f878d77
--- /dev/null
+++ b/cmd/mirror/event_store.go
@@ -0,0 +1,250 @@
+package mirror
+
+import (
+ "context"
+ "database/sql"
+ _ "embed"
+ "errors"
+ "io"
+ "time"
+
+ "github.com/jackc/pgx/v5/stdlib"
+ "github.com/spf13/cobra"
+ "github.com/spf13/viper"
+ "github.com/zitadel/logging"
+
+ db "github.com/zitadel/zitadel/internal/database"
+ "github.com/zitadel/zitadel/internal/database/dialect"
+ "github.com/zitadel/zitadel/internal/id"
+ "github.com/zitadel/zitadel/internal/v2/database"
+ "github.com/zitadel/zitadel/internal/v2/eventstore"
+ "github.com/zitadel/zitadel/internal/v2/eventstore/postgres"
+ "github.com/zitadel/zitadel/internal/zerrors"
+)
+
+var shouldIgnorePrevious bool
+
+func eventstoreCmd() *cobra.Command {
+ cmd := &cobra.Command{
+ Use: "eventstore",
+ Short: "mirrors the eventstore of an instance from one database to another",
+ Long: `mirrors the eventstore of an instance from one database to another
+ZITADEL needs to be initialized and set up with the --for-mirror flag
+Migrate only copies events2 and unique constraints`,
+ Run: func(cmd *cobra.Command, args []string) {
+ config := mustNewMigrationConfig(viper.GetViper())
+ copyEventstore(cmd.Context(), config)
+ },
+ }
+
+ cmd.Flags().BoolVar(&shouldReplace, "replace", false, "allow delete unique constraints of defined instances before copy")
+ cmd.Flags().BoolVar(&shouldIgnorePrevious, "ignore-previous", false, "ignores previous migrations of the events table")
+
+ return cmd
+}
+
+func copyEventstore(ctx context.Context, config *Migration) {
+ sourceClient, err := db.Connect(config.Source, false, dialect.DBPurposeQuery)
+ logging.OnError(err).Fatal("unable to connect to source database")
+ defer sourceClient.Close()
+
+ destClient, err := db.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+ logging.OnError(err).Fatal("unable to connect to destination database")
+ defer destClient.Close()
+
+ copyEvents(ctx, sourceClient, destClient, config.EventBulkSize)
+ copyUniqueConstraints(ctx, sourceClient, destClient)
+}
+
+func positionQuery(db *db.DB) string {
+ switch db.Type() {
+ case "postgres":
+ return "SELECT EXTRACT(EPOCH FROM clock_timestamp())"
+ case "cockroach":
+ return "SELECT cluster_logical_timestamp()"
+ default:
+ logging.WithFields("db_type", db.Type()).Fatal("database type not recognized")
+ return ""
+ }
+}
+
+func copyEvents(ctx context.Context, source, dest *db.DB, bulkSize uint32) {
+ start := time.Now()
+ reader, writer := io.Pipe()
+
+ migrationID, err := id.SonyFlakeGenerator().Next()
+ logging.OnError(err).Fatal("unable to generate migration id")
+
+ sourceConn, err := source.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire source connection")
+
+ destConn, err := dest.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire dest connection")
+
+ sourceES := eventstore.NewEventstoreFromOne(postgres.New(source, &postgres.Config{
+ MaxRetries: 3,
+ }))
+ destinationES := eventstore.NewEventstoreFromOne(postgres.New(dest, &postgres.Config{
+ MaxRetries: 3,
+ }))
+
+ previousMigration, err := queryLastSuccessfulMigration(ctx, destinationES, source.DatabaseName())
+ logging.OnError(err).Fatal("unable to query latest successful migration")
+
+ maxPosition, err := writeMigrationStart(ctx, sourceES, migrationID, dest.DatabaseName())
+ logging.OnError(err).Fatal("unable to write migration started event")
+
+ logging.WithFields("from", previousMigration.Position, "to", maxPosition).Info("start event migration")
+
+ nextPos := make(chan bool, 1)
+ pos := make(chan float64, 1)
+ errs := make(chan error, 3)
+
+ go func() {
+ err := sourceConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+ nextPos <- true
+ var i uint32
+ for position := range pos {
+ var stmt database.Statement
+ stmt.WriteString("COPY (SELECT instance_id, aggregate_type, aggregate_id, event_type, sequence, revision, created_at, regexp_replace(payload::TEXT, '\\\\u0000', '', 'g')::JSON payload, creator, owner, ")
+ stmt.WriteArg(position)
+ stmt.WriteString(" position, row_number() OVER (PARTITION BY instance_id ORDER BY position, in_tx_order) AS in_tx_order FROM eventstore.events2 ")
+ stmt.WriteString(instanceClause())
+ stmt.WriteString(" AND ")
+ database.NewNumberAtMost(maxPosition).Write(&stmt, "position")
+ stmt.WriteString(" AND ")
+ database.NewNumberGreater(previousMigration.Position).Write(&stmt, "position")
+ stmt.WriteString(" ORDER BY instance_id, position, in_tx_order")
+ stmt.WriteString(" LIMIT ")
+ stmt.WriteArg(bulkSize)
+ stmt.WriteString(" OFFSET ")
+ stmt.WriteArg(bulkSize * i)
+ stmt.WriteString(") TO STDOUT")
+
+ // Copy does not allow args so we use we replace the args in the statement
+ tag, err := conn.PgConn().CopyTo(ctx, writer, stmt.Debug())
+ if err != nil {
+ return zerrors.ThrowUnknownf(err, "MIGRA-KTuSq", "unable to copy events from source during iteration %d", i)
+ }
+ if tag.RowsAffected() < int64(bulkSize) {
+ return nil
+ }
+
+ nextPos <- true
+ i++
+ }
+ return nil
+ })
+ writer.Close()
+ close(nextPos)
+ errs <- err
+ }()
+
+ // generate next position for
+ go func() {
+ defer close(pos)
+ for range nextPos {
+ var position float64
+ err := dest.QueryRowContext(
+ ctx,
+ func(row *sql.Row) error {
+ return row.Scan(&position)
+ },
+ positionQuery(dest),
+ )
+ if err != nil {
+ errs <- zerrors.ThrowUnknown(err, "MIGRA-kMyPH", "unable to query next position")
+ return
+ }
+ pos <- position
+ }
+ }()
+
+ var eventCount int64
+ errs <- destConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+
+ tag, err := conn.PgConn().CopyFrom(ctx, reader, "COPY eventstore.events2 FROM STDIN")
+ eventCount = tag.RowsAffected()
+ if err != nil {
+ return zerrors.ThrowUnknown(err, "MIGRA-DTHi7", "unable to copy events into destination")
+ }
+
+ return nil
+ })
+
+ close(errs)
+ writeCopyEventsDone(ctx, destinationES, migrationID, source.DatabaseName(), maxPosition, errs)
+
+ logging.WithFields("took", time.Since(start), "count", eventCount).Info("events migrated")
+}
+
+func writeCopyEventsDone(ctx context.Context, es *eventstore.EventStore, id, source string, position float64, errs <-chan error) {
+ joinedErrs := make([]error, 0, len(errs))
+ for err := range errs {
+ joinedErrs = append(joinedErrs, err)
+ }
+ err := errors.Join(joinedErrs...)
+
+ if err != nil {
+ logging.WithError(err).Error("unable to mirror events")
+ err := writeMigrationFailed(ctx, es, id, source, err)
+ logging.OnError(err).Fatal("unable to write failed event")
+ return
+ }
+
+ err = writeMigrationSucceeded(ctx, es, id, source, position)
+ logging.OnError(err).Fatal("unable to write failed event")
+}
+
+func copyUniqueConstraints(ctx context.Context, source, dest *db.DB) {
+ start := time.Now()
+ reader, writer := io.Pipe()
+ errs := make(chan error, 1)
+
+ sourceConn, err := source.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire source connection")
+
+ go func() {
+ err := sourceConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+ var stmt database.Statement
+ stmt.WriteString("COPY (SELECT instance_id, unique_type, unique_field FROM eventstore.unique_constraints ")
+ stmt.WriteString(instanceClause())
+ stmt.WriteString(") TO stdout")
+
+ _, err := conn.PgConn().CopyTo(ctx, writer, stmt.String())
+ writer.Close()
+ return err
+ })
+ errs <- err
+ }()
+
+ destConn, err := dest.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire dest connection")
+
+ var eventCount int64
+ err = destConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+
+ if shouldReplace {
+ var stmt database.Statement
+ stmt.WriteString("DELETE FROM eventstore.unique_constraints ")
+ stmt.WriteString(instanceClause())
+
+ _, err := conn.Exec(ctx, stmt.String())
+ if err != nil {
+ return err
+ }
+ }
+
+ tag, err := conn.PgConn().CopyFrom(ctx, reader, "COPY eventstore.unique_constraints FROM stdin")
+ eventCount = tag.RowsAffected()
+
+ return err
+ })
+ logging.OnError(err).Fatal("unable to copy unique constraints to destination")
+ logging.OnError(<-errs).Fatal("unable to copy unique constraints from source")
+ logging.WithFields("took", time.Since(start), "count", eventCount).Info("unique constraints migrated")
+}
diff --git a/cmd/mirror/mirror.go b/cmd/mirror/mirror.go
new file mode 100644
index 0000000000..69e830658a
--- /dev/null
+++ b/cmd/mirror/mirror.go
@@ -0,0 +1,94 @@
+package mirror
+
+import (
+ "bytes"
+ _ "embed"
+ "strings"
+
+ "github.com/spf13/cobra"
+ "github.com/spf13/viper"
+ "github.com/zitadel/logging"
+
+ "github.com/zitadel/zitadel/cmd/key"
+)
+
+var (
+ instanceIDs []string
+ isSystem bool
+ shouldReplace bool
+)
+
+func New() *cobra.Command {
+ cmd := &cobra.Command{
+ Use: "mirror",
+ Short: "mirrors all data of ZITADEL from one database to another",
+ Long: `mirrors all data of ZITADEL from one database to another
+ZITADEL needs to be initialized and set up with --for-mirror
+
+The command does mirror all data needed and recomputes the projections.
+For more details call the help functions of the sub commands.
+
+Order of execution:
+1. mirror system tables
+2. mirror auth tables
+3. mirror event store tables
+4. recompute projections
+5. verify`,
+ PersistentPreRun: func(cmd *cobra.Command, args []string) {
+ err := viper.MergeConfig(bytes.NewBuffer(defaultConfig))
+ logging.OnError(err).Fatal("unable to read default config")
+ },
+ Run: func(cmd *cobra.Command, args []string) {
+ config := mustNewMigrationConfig(viper.GetViper())
+ projectionConfig := mustNewProjectionsConfig(viper.GetViper())
+
+ masterKey, err := key.MasterKey(cmd)
+ logging.OnError(err).Fatal("unable to read master key")
+
+ copySystem(cmd.Context(), config)
+ copyAuth(cmd.Context(), config)
+ copyEventstore(cmd.Context(), config)
+
+ projections(cmd.Context(), projectionConfig, masterKey)
+ verifyMigration(cmd.Context(), config)
+ },
+ }
+
+ mirrorFlags(cmd)
+ cmd.Flags().BoolVar(&shouldIgnorePrevious, "ignore-previous", false, "ignores previous migrations of the events table")
+ cmd.Flags().BoolVar(&shouldReplace, "replace", false, `replaces all data of the following tables for the provided instances or all if the "--system"-flag is set:
+* system.assets
+* auth.auth_requests
+* eventstore.unique_constraints
+The flag should be provided if you want to execute the mirror command multiple times so that the static data are also mirrored to prevent inconsistent states.`)
+ migrateProjectionsFlags(cmd)
+
+ cmd.AddCommand(
+ eventstoreCmd(),
+ systemCmd(),
+ projectionsCmd(),
+ authCmd(),
+ verifyCmd(),
+ )
+
+ return cmd
+}
+
+func mirrorFlags(cmd *cobra.Command) {
+ cmd.PersistentFlags().StringSliceVar(&instanceIDs, "instance", nil, "id or comma separated ids of the instance(s) to migrate. Either this or the `--system`-flag must be set. Make sure to always use the same flag if you execute the command multiple times.")
+ cmd.PersistentFlags().BoolVar(&isSystem, "system", false, "migrates the whole system. Either this or the `--instance`-flag must be set. Make sure to always use the same flag if you execute the command multiple times.")
+ cmd.MarkFlagsOneRequired("system", "instance")
+ cmd.MarkFlagsMutuallyExclusive("system", "instance")
+}
+
+func instanceClause() string {
+ if isSystem {
+ return "WHERE instance_id <> ''"
+ }
+ for i := range instanceIDs {
+ instanceIDs[i] = "'" + instanceIDs[i] + "'"
+ }
+
+ // COPY does not allow parameters so we need to set them directly
+ return "WHERE instance_id IN (" + strings.Join(instanceIDs, ", ") + ")"
+}
diff --git a/cmd/mirror/projections.go b/cmd/mirror/projections.go
new file mode 100644
index 0000000000..af7ba98c5c
--- /dev/null
+++ b/cmd/mirror/projections.go
@@ -0,0 +1,316 @@
+package mirror
+
+import (
+ "context"
+ "database/sql"
+ "net/http"
+ "sync"
+ "time"
+
+ "github.com/spf13/cobra"
+ "github.com/spf13/viper"
+ "github.com/zitadel/logging"
+
+ "github.com/zitadel/zitadel/cmd/encryption"
+ "github.com/zitadel/zitadel/cmd/key"
+ "github.com/zitadel/zitadel/cmd/tls"
+ admin_es "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing"
+ admin_handler "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing/handler"
+ admin_view "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing/view"
+ internal_authz "github.com/zitadel/zitadel/internal/api/authz"
+ "github.com/zitadel/zitadel/internal/api/oidc"
+ "github.com/zitadel/zitadel/internal/api/ui/login"
+ auth_es "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
+ auth_handler "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/handler"
+ auth_view "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view"
+ "github.com/zitadel/zitadel/internal/authz"
+ authz_es "github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore"
+ "github.com/zitadel/zitadel/internal/command"
+ "github.com/zitadel/zitadel/internal/config/systemdefaults"
+ crypto_db "github.com/zitadel/zitadel/internal/crypto/database"
+ "github.com/zitadel/zitadel/internal/database"
+ "github.com/zitadel/zitadel/internal/database/dialect"
+ "github.com/zitadel/zitadel/internal/domain"
+ "github.com/zitadel/zitadel/internal/eventstore"
+ old_es "github.com/zitadel/zitadel/internal/eventstore/repository/sql"
+ new_es "github.com/zitadel/zitadel/internal/eventstore/v3"
+ "github.com/zitadel/zitadel/internal/i18n"
+ "github.com/zitadel/zitadel/internal/id"
+ "github.com/zitadel/zitadel/internal/notification"
+ "github.com/zitadel/zitadel/internal/notification/handlers"
+ "github.com/zitadel/zitadel/internal/query"
+ "github.com/zitadel/zitadel/internal/query/projection"
+ static_config "github.com/zitadel/zitadel/internal/static/config"
+ es_v4 "github.com/zitadel/zitadel/internal/v2/eventstore"
+ es_v4_pg "github.com/zitadel/zitadel/internal/v2/eventstore/postgres"
+ "github.com/zitadel/zitadel/internal/webauthn"
+)
+
+func projectionsCmd() *cobra.Command {
+ cmd := &cobra.Command{
+ Use: "projections",
+ Short: "calls the projections synchronously",
+ Run: func(cmd *cobra.Command, args []string) {
+ config := mustNewProjectionsConfig(viper.GetViper())
+
+ masterKey, err := key.MasterKey(cmd)
+ logging.OnError(err).Fatal("unable to read master key")
+
+ projections(cmd.Context(), config, masterKey)
+ },
+ }
+
+ migrateProjectionsFlags(cmd)
+
+ return cmd
+}
+
+type ProjectionsConfig struct {
+ Destination database.Config
+ Projections projection.Config
+ EncryptionKeys *encryption.EncryptionKeyConfig
+ SystemAPIUsers map[string]*internal_authz.SystemAPIUser
+ Eventstore *eventstore.Config
+
+ Admin admin_es.Config
+ Auth auth_es.Config
+
+ Log *logging.Config
+ Machine *id.Config
+
+ ExternalPort uint16
+ ExternalDomain string
+ ExternalSecure bool
+ InternalAuthZ internal_authz.Config
+ SystemDefaults systemdefaults.SystemDefaults
+ Telemetry *handlers.TelemetryPusherConfig
+ Login login.Config
+ OIDC oidc.Config
+ WebAuthNName string
+ DefaultInstance command.InstanceSetup
+ AssetStorage static_config.AssetStorageConfig
+}
+
+func migrateProjectionsFlags(cmd *cobra.Command) {
+ key.AddMasterKeyFlag(cmd)
+ tls.AddTLSModeFlag(cmd)
+}
+
+func projections(
+ ctx context.Context,
+ config *ProjectionsConfig,
+ masterKey string,
+) {
+ start := time.Now()
+
+ client, err := database.Connect(config.Destination, false, dialect.DBPurposeQuery)
+ logging.OnError(err).Fatal("unable to connect to database")
+
+ keyStorage, err := crypto_db.NewKeyStorage(client, masterKey)
+ logging.OnError(err).Fatal("cannot start key storage")
+
+ keys, err := encryption.EnsureEncryptionKeys(ctx, config.EncryptionKeys, keyStorage)
+ logging.OnError(err).Fatal("unable to read encryption keys")
+
+ staticStorage, err := config.AssetStorage.NewStorage(client.DB)
+ logging.OnError(err).Fatal("unable create static storage")
+
+ config.Eventstore.Querier = old_es.NewCRDB(client)
+ esPusherDBClient, err := database.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+ logging.OnError(err).Fatal("unable to connect eventstore push client")
+ config.Eventstore.Pusher = new_es.NewEventstore(esPusherDBClient)
+ es := eventstore.NewEventstore(config.Eventstore)
+ esV4 := es_v4.NewEventstoreFromOne(es_v4_pg.New(client, &es_v4_pg.Config{
+ MaxRetries: config.Eventstore.MaxRetries,
+ }))
+
+ sessionTokenVerifier := internal_authz.SessionTokenVerifier(keys.OIDC)
+
+ queries, err := query.StartQueries(
+ ctx,
+ es,
+ esV4.Querier,
+ client,
+ client,
+ config.Projections,
+ config.SystemDefaults,
+ keys.IDPConfig,
+ keys.OTP,
+ keys.OIDC,
+ keys.SAML,
+ config.InternalAuthZ.RolePermissionMappings,
+ sessionTokenVerifier,
+ func(q *query.Queries) domain.PermissionCheck {
+ return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+ return internal_authz.CheckPermission(ctx, &authz_es.UserMembershipRepo{Queries: q}, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
+ }
+ },
+ 0,
+ config.SystemAPIUsers,
+ false,
+ )
+ logging.OnError(err).Fatal("unable to start queries")
+
+ authZRepo, err := authz.Start(queries, es, client, keys.OIDC, config.ExternalSecure)
+ logging.OnError(err).Fatal("unable to start authz repo")
+
+ webAuthNConfig := &webauthn.Config{
+ DisplayName: config.WebAuthNName,
+ ExternalSecure: config.ExternalSecure,
+ }
+ commands, err := command.StartCommands(
+ es,
+ config.SystemDefaults,
+ config.InternalAuthZ.RolePermissionMappings,
+ staticStorage,
+ webAuthNConfig,
+ config.ExternalDomain,
+ config.ExternalSecure,
+ config.ExternalPort,
+ keys.IDPConfig,
+ keys.OTP,
+ keys.SMTP,
+ keys.SMS,
+ keys.User,
+ keys.DomainVerification,
+ keys.OIDC,
+ keys.SAML,
+ &http.Client{},
+ func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+ return internal_authz.CheckPermission(ctx, authZRepo, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
+ },
+ sessionTokenVerifier,
+ config.OIDC.DefaultAccessTokenLifetime,
+ config.OIDC.DefaultRefreshTokenExpiration,
+ config.OIDC.DefaultRefreshTokenIdleExpiration,
+ config.DefaultInstance.SecretGenerators,
+ )
+ logging.OnError(err).Fatal("unable to start commands")
+
+ err = projection.Create(ctx, client, es, config.Projections, keys.OIDC, keys.SAML, config.SystemAPIUsers)
+ logging.OnError(err).Fatal("unable to start projections")
+
+ i18n.MustLoadSupportedLanguagesFromDir()
+
+ notification.Register(
+ ctx,
+ config.Projections.Customizations["notifications"],
+ config.Projections.Customizations["notificationsquotas"],
+ config.Projections.Customizations["telemetry"],
+ *config.Telemetry,
+ config.ExternalDomain,
+ config.ExternalPort,
+ config.ExternalSecure,
+ commands,
+ queries,
+ es,
+ config.Login.DefaultOTPEmailURLV2,
+ config.SystemDefaults.Notifications.FileSystemPath,
+ keys.User,
+ keys.SMTP,
+ keys.SMS,
+ )
+
+ config.Auth.Spooler.Client = client
+ config.Auth.Spooler.Eventstore = es
+ authView, err := auth_view.StartView(config.Auth.Spooler.Client, keys.OIDC, queries, config.Auth.Spooler.Eventstore)
+ logging.OnError(err).Fatal("unable to start auth view")
+ auth_handler.Register(ctx, config.Auth.Spooler, authView, queries)
+
+ config.Admin.Spooler.Client = client
+ config.Admin.Spooler.Eventstore = es
+ adminView, err := admin_view.StartView(config.Admin.Spooler.Client)
+ logging.OnError(err).Fatal("unable to start admin view")
+
+ admin_handler.Register(ctx, config.Admin.Spooler, adminView, staticStorage)
+
+ instances := make(chan string, config.Projections.ConcurrentInstances)
+ failedInstances := make(chan string)
+ wg := sync.WaitGroup{}
+ wg.Add(int(config.Projections.ConcurrentInstances))
+
+ go func() {
+ for instance := range failedInstances {
+ logging.WithFields("instance", instance).Error("projection failed")
+ }
+ }()
+
+ for i := 0; i < int(config.Projections.ConcurrentInstances); i++ {
+ go execProjections(ctx, instances, failedInstances, &wg)
+ }
+
+ for _, instance := range queryInstanceIDs(ctx, client) {
+ instances <- instance
+ }
+ close(instances)
+ wg.Wait()
+
+ close(failedInstances)
+
+ logging.WithFields("took", time.Since(start)).Info("projections executed")
+}
+
+func execProjections(ctx context.Context, instances <-chan string, failedInstances chan<- string, wg *sync.WaitGroup) {
+ for instance := range instances {
+ logging.WithFields("instance", instance).Info("start projections")
+ ctx = internal_authz.WithInstanceID(ctx, instance)
+
+ err := projection.ProjectInstance(ctx)
+ if err != nil {
+ logging.WithFields("instance", instance).OnError(err).Info("trigger failed")
+ failedInstances <- instance
+ continue
+ }
+
+ err = admin_handler.ProjectInstance(ctx)
+ if err != nil {
+ logging.WithFields("instance", instance).OnError(err).Info("trigger admin handler failed")
+ failedInstances <- instance
+ continue
+ }
+
+ err = auth_handler.ProjectInstance(ctx)
+ if err != nil {
+ logging.WithFields("instance", instance).OnError(err).Info("trigger auth handler failed")
+ failedInstances <- instance
+ continue
+ }
+
+ err = notification.ProjectInstance(ctx)
+ if err != nil {
+ logging.WithFields("instance", instance).OnError(err).Info("trigger notification failed")
+ failedInstances <- instance
+ continue
+ }
+ logging.WithFields("instance", instance).Info("projections done")
+ }
+ wg.Done()
+}
+
+// returns the instance configured by flag
+// or all instances which are not removed
+func queryInstanceIDs(ctx context.Context, source *database.DB) []string {
+ if len(instanceIDs) > 0 {
+ return instanceIDs
+ }
+
+ instances := []string{}
+ err := source.QueryContext(
+ ctx,
+ func(r *sql.Rows) error {
+ for r.Next() {
+ var instance string
+
+ if err := r.Scan(&instance); err != nil {
+ return err
+ }
+ instances = append(instances, instance)
+ }
+ return r.Err()
+ },
+ "SELECT DISTINCT instance_id FROM eventstore.events2 WHERE instance_id <> '' AND aggregate_type = 'instance' AND event_type = 'instance.added' AND instance_id NOT IN (SELECT instance_id FROM eventstore.events2 WHERE instance_id <> '' AND aggregate_type = 'instance' AND event_type = 'instance.removed')",
+ )
+ logging.OnError(err).Fatal("unable to query instances")
+
+ return instances
+}
diff --git a/cmd/mirror/system.go b/cmd/mirror/system.go
new file mode 100644
index 0000000000..e16836aa8c
--- /dev/null
+++ b/cmd/mirror/system.go
@@ -0,0 +1,139 @@
+package mirror
+
+import (
+ "context"
+ _ "embed"
+ "io"
+ "time"
+
+ "github.com/jackc/pgx/v5/stdlib"
+ "github.com/spf13/cobra"
+ "github.com/spf13/viper"
+ "github.com/zitadel/logging"
+
+ "github.com/zitadel/zitadel/internal/database"
+ "github.com/zitadel/zitadel/internal/database/dialect"
+)
+
+func systemCmd() *cobra.Command {
+ cmd := &cobra.Command{
+ Use: "system",
+ Short: "mirrors the system tables of ZITADEL from one database to another",
+ Long: `mirrors the system tables of ZITADEL from one database to another
+ZITADEL needs to be initialized
+Only keys and assets are mirrored`,
+ Run: func(cmd *cobra.Command, args []string) {
+ config := mustNewMigrationConfig(viper.GetViper())
+ copySystem(cmd.Context(), config)
+ },
+ }
+
+ cmd.Flags().BoolVar(&shouldReplace, "replace", false, "allow delete ALL keys and assets of defined instances before copy")
+
+ return cmd
+}
+
+func copySystem(ctx context.Context, config *Migration) {
+ sourceClient, err := database.Connect(config.Source, false, dialect.DBPurposeQuery)
+ logging.OnError(err).Fatal("unable to connect to source database")
+ defer sourceClient.Close()
+
+ destClient, err := database.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+ logging.OnError(err).Fatal("unable to connect to destination database")
+ defer destClient.Close()
+
+ copyAssets(ctx, sourceClient, destClient)
+ copyEncryptionKeys(ctx, sourceClient, destClient)
+}
+
+func copyAssets(ctx context.Context, source, dest *database.DB) {
+ start := time.Now()
+
+ sourceConn, err := source.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire source connection")
+ defer sourceConn.Close()
+
+ r, w := io.Pipe()
+ errs := make(chan error, 1)
+
+ go func() {
+ err = sourceConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+ // ignore hash column because it's computed
+ _, err := conn.PgConn().CopyTo(ctx, w, "COPY (SELECT instance_id, asset_type, resource_owner, name, content_type, data, updated_at FROM system.assets "+instanceClause()+") TO stdout")
+ w.Close()
+ return err
+ })
+ errs <- err
+ }()
+
+ destConn, err := dest.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire dest connection")
+ defer destConn.Close()
+
+ var eventCount int64
+ err = destConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+
+ if shouldReplace {
+ _, err := conn.Exec(ctx, "DELETE FROM system.assets "+instanceClause())
+ if err != nil {
+ return err
+ }
+ }
+
+ tag, err := conn.PgConn().CopyFrom(ctx, r, "COPY system.assets (instance_id, asset_type, resource_owner, name, content_type, data, updated_at) FROM stdin")
+ eventCount = tag.RowsAffected()
+
+ return err
+ })
+ logging.OnError(err).Fatal("unable to copy assets to destination")
+ logging.OnError(<-errs).Fatal("unable to copy assets from source")
+ logging.WithFields("took", time.Since(start), "count", eventCount).Info("assets migrated")
+}
+
+func copyEncryptionKeys(ctx context.Context, source, dest *database.DB) {
+ start := time.Now()
+
+ sourceConn, err := source.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire source connection")
+ defer sourceConn.Close()
+
+ r, w := io.Pipe()
+ errs := make(chan error, 1)
+
+ go func() {
+ err = sourceConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+ // ignore hash column because it's computed
+ _, err := conn.PgConn().CopyTo(ctx, w, "COPY system.encryption_keys TO stdout")
+ w.Close()
+ return err
+ })
+ errs <- err
+ }()
+
+ destConn, err := dest.Conn(ctx)
+ logging.OnError(err).Fatal("unable to acquire dest connection")
+ defer destConn.Close()
+
+ var eventCount int64
+ err = destConn.Raw(func(driverConn interface{}) error {
+ conn := driverConn.(*stdlib.Conn).Conn()
+
+ if shouldReplace {
+ _, err := conn.Exec(ctx, "TRUNCATE system.encryption_keys")
+ if err != nil {
+ return err
+ }
+ }
+
+ tag, err := conn.PgConn().CopyFrom(ctx, r, "COPY system.encryption_keys FROM stdin")
+ eventCount = tag.RowsAffected()
+
+ return err
+ })
+ logging.OnError(err).Fatal("unable to copy encryption keys to destination")
+ logging.OnError(<-errs).Fatal("unable to copy encryption keys from source")
+ logging.WithFields("took", time.Since(start), "count", eventCount).Info("encryption keys migrated")
+}
diff --git a/cmd/mirror/verify.go b/cmd/mirror/verify.go
new file mode 100644
index 0000000000..7b90ad89aa
--- /dev/null
+++ b/cmd/mirror/verify.go
@@ -0,0 +1,111 @@
+package mirror
+
+import (
+ "context"
+ "database/sql"
+ _ "embed"
+ "fmt"
+
+ "github.com/spf13/cobra"
+ "github.com/spf13/viper"
+ "github.com/zitadel/logging"
+
+ "github.com/zitadel/zitadel/internal/database"
+ "github.com/zitadel/zitadel/internal/database/dialect"
+)
+
+func verifyCmd() *cobra.Command {
+ return &cobra.Command{
+ Use: "verify",
+ Short: "counts if source and dest have the same amount of entries",
+ Run: func(cmd *cobra.Command, args []string) {
+ config := mustNewMigrationConfig(viper.GetViper())
+ verifyMigration(cmd.Context(), config)
+ },
+ }
+}
+
+var schemas = []string{
+ "adminapi",
+ "auth",
+ "eventstore",
+ "projections",
+ "system",
+}
+
+func verifyMigration(ctx context.Context, config *Migration) {
+ sourceClient, err := database.Connect(config.Source, false, dialect.DBPurposeQuery)
+ logging.OnError(err).Fatal("unable to connect to source database")
+ defer sourceClient.Close()
+
+ destClient, err := database.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+ logging.OnError(err).Fatal("unable to connect to destination database")
+ defer destClient.Close()
+
+ for _, schema := range schemas {
+ for _, table := range append(getTables(ctx, destClient, schema), getViews(ctx, destClient, schema)...) {
+ sourceCount := countEntries(ctx, sourceClient, table)
+ destCount := countEntries(ctx, destClient, table)
+
+ entry := logging.WithFields("table", table, "dest", destCount, "source", sourceCount)
+ if sourceCount == destCount {
+ entry.Debug("equal count")
+ continue
+ }
+ entry.WithField("diff", destCount-sourceCount).Info("unequal count")
+ }
+ }
+}
+
+func getTables(ctx context.Context, dest *database.DB, schema string) (tables []string) {
+ err := dest.QueryContext(
+ ctx,
+ func(r *sql.Rows) error {
+ for r.Next() {
+ var table string
+ if err := r.Scan(&table); err != nil {
+ return err
+ }
+ tables = append(tables, table)
+ }
+ return r.Err()
+ },
+ "SELECT CONCAT(schemaname, '.', tablename) FROM pg_tables WHERE schemaname = $1",
+ schema,
+ )
+ logging.WithFields("schema", schema).OnError(err).Fatal("unable to query tables")
+ return tables
+}
+
+func getViews(ctx context.Context, dest *database.DB, schema string) (tables []string) {
+ err := dest.QueryContext(
+ ctx,
+ func(r *sql.Rows) error {
+ for r.Next() {
+ var table string
+ if err := r.Scan(&table); err != nil {
+ return err
+ }
+ tables = append(tables, table)
+ }
+ return r.Err()
+ },
+ "SELECT CONCAT(schemaname, '.', viewname) FROM pg_views WHERE schemaname = $1",
+ schema,
+ )
+ logging.WithFields("schema", schema).OnError(err).Fatal("unable to query views")
+ return tables
+}
+
+func countEntries(ctx context.Context, client *database.DB, table string) (count int) {
+ err := client.QueryRowContext(
+ ctx,
+ func(r *sql.Row) error {
+ return r.Scan(&count)
+ },
+ fmt.Sprintf("SELECT COUNT(*) FROM %s %s", table, instanceClause()),
+ )
+ logging.WithFields("table", table, "db", client.DatabaseName()).OnError(err).Error("unable to count")
+
+ return count
+}
diff --git a/cmd/setup/03.go b/cmd/setup/03.go
index 0d8c988688..4860ae3eec 100644
--- a/cmd/setup/03.go
+++ b/cmd/setup/03.go
@@ -26,6 +26,8 @@ type FirstInstance struct {
PatPath string
Features *command.InstanceFeatures
+ Skip bool
+
instanceSetup command.InstanceSetup
userEncryptionKey *crypto.KeyConfig
smtpEncryptionKey *crypto.KeyConfig
@@ -42,6 +44,9 @@ type FirstInstance struct {
}
func (mig *FirstInstance) Execute(ctx context.Context, _ eventstore.Event) error {
+ if mig.Skip {
+ return nil
+ }
keyStorage, err := mig.verifyEncryptionKeys(ctx)
if err != nil {
return err
diff --git a/cmd/setup/config.go b/cmd/setup/config.go
index 1ba85804ab..81ec6f2332 100644
--- a/cmd/setup/config.go
+++ b/cmd/setup/config.go
@@ -28,6 +28,7 @@ import (
)
type Config struct {
+ ForMirror bool
Database database.Config
SystemDefaults systemdefaults.SystemDefaults
InternalAuthZ internal_authz.Config
diff --git a/cmd/setup/setup.go b/cmd/setup/setup.go
index bb0111d5be..6ed0cc4dc7 100644
--- a/cmd/setup/setup.go
+++ b/cmd/setup/setup.go
@@ -34,6 +34,8 @@ import (
notify_handler "github.com/zitadel/zitadel/internal/notification"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/query/projection"
+ es_v4 "github.com/zitadel/zitadel/internal/v2/eventstore"
+ es_v4_pg "github.com/zitadel/zitadel/internal/v2/eventstore/postgres"
"github.com/zitadel/zitadel/internal/webauthn"
)
@@ -57,13 +59,16 @@ Requirements:
err = BindInitProjections(cmd)
logging.OnError(err).Fatal("unable to bind \"init-projections\" flag")
+ err = bindForMirror(cmd)
+ logging.OnError(err).Fatal("unable to bind \"for-mirror\" flag")
+
config := MustNewConfig(viper.GetViper())
steps := MustNewSteps(viper.New())
masterKey, err := key.MasterKey(cmd)
logging.OnError(err).Panic("No master key provided")
- Setup(config, steps, masterKey)
+ Setup(cmd.Context(), config, steps, masterKey)
},
}
@@ -77,6 +82,7 @@ Requirements:
func Flags(cmd *cobra.Command) {
cmd.PersistentFlags().StringArrayVar(&stepFiles, "steps", nil, "paths to step files to overwrite default steps")
cmd.Flags().Bool("init-projections", viper.GetBool("InitProjections"), "beta feature: initializes projections after they are created, allows smooth start as projections are up to date")
+ cmd.Flags().Bool("for-mirror", viper.GetBool("ForMirror"), "use this flag if you want to mirror your existing data")
key.AddMasterKeyFlag(cmd)
tls.AddTLSModeFlag(cmd)
}
@@ -85,8 +91,11 @@ func BindInitProjections(cmd *cobra.Command) error {
return viper.BindPFlag("InitProjections.Enabled", cmd.Flags().Lookup("init-projections"))
}
-func Setup(config *Config, steps *Steps, masterKey string) {
- ctx := context.Background()
+func bindForMirror(cmd *cobra.Command) error {
+ return viper.BindPFlag("ForMirror", cmd.Flags().Lookup("for-mirror"))
+}
+
+func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string) {
logging.Info("setup started")
i18n.MustLoadSupportedLanguagesFromDir()
@@ -102,10 +111,14 @@ func Setup(config *Config, steps *Steps, masterKey string) {
config.Eventstore.Pusher = new_es.NewEventstore(esPusherDBClient)
eventstoreClient := eventstore.NewEventstore(config.Eventstore)
logging.OnError(err).Fatal("unable to start eventstore")
+ eventstoreV4 := es_v4.NewEventstoreFromOne(es_v4_pg.New(queryDBClient, &es_v4_pg.Config{
+ MaxRetries: config.Eventstore.MaxRetries,
+ }))
steps.s1ProjectionTable = &ProjectionTable{dbClient: queryDBClient.DB}
steps.s2AssetsTable = &AssetTable{dbClient: queryDBClient.DB}
+ steps.FirstInstance.Skip = config.ForMirror || steps.FirstInstance.Skip
steps.FirstInstance.instanceSetup = config.DefaultInstance
steps.FirstInstance.userEncryptionKey = config.EncryptionKeys.User
steps.FirstInstance.smtpEncryptionKey = config.EncryptionKeys.SMTP
@@ -197,10 +210,11 @@ func Setup(config *Config, steps *Steps, masterKey string) {
}
// projection initialization must be done last, since the steps above might add required columns to the projections
- if config.InitProjections.Enabled {
+ if !config.ForMirror && config.InitProjections.Enabled {
initProjections(
ctx,
eventstoreClient,
+ eventstoreV4,
queryDBClient,
projectionDBClient,
masterKey,
@@ -222,6 +236,7 @@ func readStmt(fs embed.FS, folder, typ, filename string) (string, error) {
func initProjections(
ctx context.Context,
eventstoreClient *eventstore.Eventstore,
+ eventstoreV4 *es_v4.EventStore,
queryDBClient,
projectionDBClient *database.DB,
masterKey string,
@@ -278,6 +293,7 @@ func initProjections(
queries, err := query.StartQueries(
ctx,
eventstoreClient,
+ eventstoreV4.Querier,
queryDBClient,
projectionDBClient,
config.Projections,
diff --git a/cmd/setup/steps.yaml b/cmd/setup/steps.yaml
index 5e7805f24d..03476c6648 100644
--- a/cmd/setup/steps.yaml
+++ b/cmd/setup/steps.yaml
@@ -1,5 +1,7 @@
# By using the FirstInstance section, you can overwrite the DefaultInstance configuration for the first instance created by zitadel setup.
FirstInstance:
+ # If set to true zitadel is setup without initial data
+ Skip: false
# The machine key from the section FirstInstance.Org.Machine.MachineKey is written to the MachineKeyPath.
MachineKeyPath: # ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH
# The personal access token from the section FirstInstance.Org.Machine.Pat is written to the PatPath.
diff --git a/cmd/start/start.go b/cmd/start/start.go
index 49de4d2073..a7688a83cb 100644
--- a/cmd/start/start.go
+++ b/cmd/start/start.go
@@ -78,6 +78,8 @@ import (
"github.com/zitadel/zitadel/internal/notification"
"github.com/zitadel/zitadel/internal/query"
"github.com/zitadel/zitadel/internal/static"
+ es_v4 "github.com/zitadel/zitadel/internal/v2/eventstore"
+ es_v4_pg "github.com/zitadel/zitadel/internal/v2/eventstore/postgres"
"github.com/zitadel/zitadel/internal/webauthn"
"github.com/zitadel/zitadel/openapi"
)
@@ -153,12 +155,16 @@ func startZitadel(ctx context.Context, config *Config, masterKey string, server
config.Eventstore.Pusher = new_es.NewEventstore(esPusherDBClient)
config.Eventstore.Querier = old_es.NewCRDB(queryDBClient)
eventstoreClient := eventstore.NewEventstore(config.Eventstore)
+ eventstoreV4 := es_v4.NewEventstoreFromOne(es_v4_pg.New(queryDBClient, &es_v4_pg.Config{
+ MaxRetries: config.Eventstore.MaxRetries,
+ }))
sessionTokenVerifier := internal_authz.SessionTokenVerifier(keys.OIDC)
queries, err := query.StartQueries(
ctx,
eventstoreClient,
+ eventstoreV4.Querier,
queryDBClient,
projectionDBClient,
config.Projections,
diff --git a/cmd/start/start_from_init.go b/cmd/start/start_from_init.go
index 78c0be719d..38a6a6c4d1 100644
--- a/cmd/start/start_from_init.go
+++ b/cmd/start/start_from_init.go
@@ -36,7 +36,7 @@ Requirements:
setupConfig := setup.MustNewConfig(viper.GetViper())
setupSteps := setup.MustNewSteps(viper.New())
- setup.Setup(setupConfig, setupSteps, masterKey)
+ setup.Setup(cmd.Context(), setupConfig, setupSteps, masterKey)
startConfig := MustNewConfig(viper.GetViper())
diff --git a/cmd/start/start_from_setup.go b/cmd/start/start_from_setup.go
index ec26f47414..a8b7295f2a 100644
--- a/cmd/start/start_from_setup.go
+++ b/cmd/start/start_from_setup.go
@@ -34,7 +34,7 @@ Requirements:
setupConfig := setup.MustNewConfig(viper.GetViper())
setupSteps := setup.MustNewSteps(viper.New())
- setup.Setup(setupConfig, setupSteps, masterKey)
+ setup.Setup(cmd.Context(), setupConfig, setupSteps, masterKey)
startConfig := MustNewConfig(viper.GetViper())
diff --git a/cmd/zitadel.go b/cmd/zitadel.go
index fdddfed007..c855dd4495 100644
--- a/cmd/zitadel.go
+++ b/cmd/zitadel.go
@@ -15,6 +15,7 @@ import (
"github.com/zitadel/zitadel/cmd/build"
"github.com/zitadel/zitadel/cmd/initialise"
"github.com/zitadel/zitadel/cmd/key"
+ "github.com/zitadel/zitadel/cmd/mirror"
"github.com/zitadel/zitadel/cmd/ready"
"github.com/zitadel/zitadel/cmd/setup"
"github.com/zitadel/zitadel/cmd/start"
@@ -55,6 +56,7 @@ func New(out io.Writer, in io.Reader, args []string, server chan<- *start.Server
start.New(server),
start.NewStartFromInit(server),
start.NewStartFromSetup(server),
+ mirror.New(),
key.New(),
ready.New(),
)
diff --git a/console/src/app/modules/password-complexity-view/password-complexity-view.component.html b/console/src/app/modules/password-complexity-view/password-complexity-view.component.html
index 7183bff70e..0a5649dabb 100644
--- a/console/src/app/modules/password-complexity-view/password-complexity-view.component.html
+++ b/console/src/app/modules/password-complexity-view/password-complexity-view.component.html
@@ -50,4 +50,12 @@
{{ 'ERRORS.LOWERCASEMISSING' | translate }}
+