Adjust status checks across various functions to accept any 2xx HTTP
response instead of only 200, improving the robustness of the API
response validation.
fixes#10436
# Which Problems Are Solved
The current handling of event subscriptions for actions is bad, esp. on
instances with a lot of events
(https://github.com/zitadel/zitadel/issues/9832#issuecomment-2866236414).
This led to severe problems on zitadel.cloud for such instances.
# How the Problems Are Solved
As a workaround until the handling can be improved, we introduce an
option for projections to be disabled completely for specific instances:
`SkipInstanceIDs`
# Additional Changes
None
# Additional Context
- relates to https://github.com/zitadel/zitadel/issues/9832
# Which Problems Are Solved
- The proxy examples are updated so a self-hosted login container is
deployed.
- The proxies are configured to direct traffic at /ui/v2/login to it.
# How the Problems Are Solved
The base compose file is extended by correctly configured login
containers for all three scenarios
- TLS disabled
- External TLS
- TLS Enabled
The proxy always connects to the login via HTTP.
# Additional Changes
- All proxies have the TLS disabled mode outcommented, because the login
container has state problems, maybe because it needs secure cookies. The
need for this is unclear, so we avoid creating a follow-up issue.
- The httpd external mode is incommented, as gRPC connections work with
this configuration.
- *ZITADEL* is replaced by *Zitadel*
# Additional Context
- Partially Closes#10016
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
# Which Problems Are Solved
The Knative docs are removed, as they are not relevant enough.
# How the Problems Are Solved
- The docs page is removed
- The sidebar item is removed
# Additional Context
- Partially Closes#10016
# Which Problems Are Solved
Fields table entry is not removed when removing instance domain.
# How the Problems Are Solved
Remove the fields entry, instead of setting it.
# Additional Changes
None
# Additional Context
Needs to be backported to v3.x
# Which Problems Are Solved
Flakiness in integration tests regarding gofakeit functions, which
provided the same names on 2 different occasions.
# How the Problems Are Solved
Attach a random string to the provided names, so that they are not
dependent on the gofakeit code.
# Additional Changes
None
# Additional Context
None
---------
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
The deletion of expired sessions does not go through even though a
success response is returned to the user. These expired and supposedly
deleted (to the user) sessions are then returned when the `ListSessions`
API is called.
This PR fixes this issue by:
1. Allowing deletion of expired sessions
2. Providing an `expiration_date` filter in `ListSession` API to filter
sessions by expiration date
# How the Problems Are Solved
1. Remove expired session check during deletion
2. Add an `expiration_date` filter to the `ListSession` API
# Additional Changes
N/A
# Additional Context
- Closes#10045
---------
Co-authored-by: Marco A. <marco@zitadel.com>
## Problem
The mat-icon-button in the actions flow-type section had a shrinking
hover background. The hover effect was not displaying properly and
appeared constrained.
## Root Cause
The margin rules were being applied to all `span` elements, including
the Material button's internal elements (like `.mat-mdc-button-label`),
which interfered with the button's hover background positioning.
## Solution
- Changed the span selector from `span` to `> span` to target only
direct children
- Added specific margin reset for the button (`margin-right: 0`)
- Added margin reset for the icon inside the button
- This allows the Material button to use its default hover behavior
## Testing
- [x] No visual regressions in text spacing or layout
- [x] Button hover background now displays as a proper circle
- [x] Other buttons on the page remain unaffected
- [x] Matches the behavior of working buttons in trigger sections
## Type of Change
- [x] Bug fix (non-breaking change which fixes an UI issue)
Before :
<img width="427" height="411" alt="Screenshot 2025-07-15 at 6 08 35 PM"
src="https://github.com/user-attachments/assets/f728e1fa-6711-4e8b-ba24-2a84329f50d7"
/>
After fix :
<img width="406" height="404" alt="Screenshot 2025-07-15 at 6 09 36 PM"
src="https://github.com/user-attachments/assets/27d7b08d-684d-4094-8334-844a4e459025"
/>
Fixes hover background issue in actions flow-type section.
---------
Co-authored-by: Saurabh Thapliyal <saurabh@southguild.tech>
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
Login integration tests are not executed in the pipeline
# How the Problems Are Solved
The login integration tests are fixed and added as a pipeline workflow.
It tests against the built login docker image.
On pipeline failures, developers are guided on how to fix them using a
dev container configured for this purpose.
# Additional Changes
- email domains are replaced by example.com. In case the tests were
accidentally run against a cloud instance, it wouldn't cause bounces.
- pnpm is upgraded, because the --filter argument doesn't work for the
install command on the old version.
- The login Dockerfile is optimized for docker image builds
# Additional Changes From Review for
https://github.com/zitadel/zitadel/pull/10305
These changes were requested from @peintnermax
- The base dev container starts without any services besides the
database and the dev container itself
- CONTRIBUTING.md is restructured
- To reproduce pipeline checks, only the devcontainer CLI and Docker are
needed. This is described in the CONTRIBUTING.md
- The convenience npm script "generate" is added
# Additional Context
- Follow-up for PR https://github.com/zitadel/zitadel/pull/10305
- Base for https://github.com/zitadel/zitadel/issues/10277
# Which Problems Are Solved
Typo in environment variable reference for
OIDC:DeviceAuth:UserCode:CharAmount config
`ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARARMOUNT` - _CHARA_**~~R~~**_MOUNT_
# How the Problems Are Solved
Fixed the typo `ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARAMOUNT`
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
# Which Problems Are Solved
There is an outstanding bug wherein a session projection can fail to
complete and an session OTP challenge is blocked because the projection
doesn't exist. Not sure why the session projection can fail to persist -
I can't find any error logs or failed events to crosscheck. However, I
can clearly see the session events persisted with user/password checks
and the OTP challenged added on the session - but no session projection
on sessions8 table.
This only seems to come up under somewhat higher loads - about 5
logins/s and only for about 1% of cases. (where a "login" is:
authRequest, createSession, getAuthCodeWithSession, tokenExchange, and
finally, otpSmsChallenge...💥).
# How the Problems Are Solved
This is only half a fix, but an important one as it can block login for
affected users. Instead of triggering and checking the session
projection on notification enqueuing, build a write model directly from
the ES.
# Additional Changes
# Additional Context
This doesn't touch the "legacy" notification handler as to limit the
blast radius of this change. But might be worth adding there too.
The test is difficult to update correctly so is somewhat incomplete. Any
suggestions for refactoring or test helpers I'm missing would be
welcome.
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
# Which Problems Are Solved
This pr disables the client id in oidc configuration in console, as
mentioned in #10149.
# How the Problems Are Solved
I re-disabled the field from inside the form.
# Additional Context
- Closes#10149.
- Closes#8530
# Which Problems Are Solved
This PR resolves#4845 by enhancing the OIDC Playground:
* set default instance domain to `http://localhost:8080`
* openid checkbox is now disabled
* add explanation texts for custom zitadel scopes
# How the Problems Are Solved
* The checkbox for the `openid` scope is set to `disabled`
* The default value for the instance domain is update by using
`setInstance`
* A new map with explanation texts for the custom scopes is introduced.
During the rendering process of the scope checkboxes the value from this
map is displayed, if the scope exists as key.
# Additional Changes
During the local setup of the documentation webapp I got some react
errors on the authrequest page. This issue has ben solved by refactoring
the usage of an `useEffect` block.
# Additional Context
- Closes#4845
PS.
I did not found any scripts for linting/formatting (e.g. eslint,
prettier) for the docs project. This is a bit annoying because when I
use my local configurations of eslint/prettier the whole file get's
refactored with unnecessary changes (change of import order, indention
etc.). It would be great to add some custom configurations to to make
the development process easier and enforce a consistent coding style :)
Co-authored-by: Markus Heinemann <markus@trustify.ch>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
# Which Problems Are Solved
partially #9342
# How the Problems Are Solved
Suggested changes.
"Resource Owner" will remain in a couple of places, since these are
terms that are used in console / APIs.
# Additional Changes
# Additional Context
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
# Which Problems Are Solved
The roadmap page is not up to date with the latest changes that have
been released with Zitadel v4.
# How the Problems Are Solved
Update the doc according to #10309
# Dependencies
- https://github.com/zitadel/zitadel/pull/10249 -> Update the API docs
with deprecated endpoints
- https://github.com/zitadel/zitadel/pull/10364 -> Actions v2 beta to v2
# Additional Context
- Closes#10309
# Which Problems Are Solved
In the SAML responses from some IDPs (e.g. ADFS and Shibboleth), the
`<NameID>` part could be missing in `<Subject>`, and in some cases, the
`<Subject>` part might be missing as well. This causes Zitadel to fail
the SAML login with the following error message:
```
ID=SAML-EFG32 Message=Errors.Intent.ResponseInvalid
```
# How the Problems Are Solved
This is solved by adding a workaround to accept a transient mapping
attribute when the `NameID` or the `Subject` is missing in the SAML
response. This requires setting the custom transient mapping attribute
in the SAML IDP config in Zitadel, and it should be present in the SAML
response as well.
<img width="639" height="173" alt="image"
src="https://github.com/user-attachments/assets/cbb792f1-aa6c-4b16-ad31-bd126d164eae"
/>
# Additional Changes
N/A
# Additional Context
- Closes#10251
# Which Problems Are Solved
The Actions v2beta API is not yet promoted to GA.
# How the Problems Are Solved
Promote Actions v2Beta API to Actions v2 API.
# Additional Changes
None
# Additional Context
None
# Which Problems Are Solved
With the introduction of the service ping, we'll send data from all
systems back to a central endpoint for analytics and getting insights
about usage. To make it visible what data is sent and provide the users
an easy way to opt-out, we need a small documentation to tell them what
and how.
# How the Problems Are Solved
Document the service ping including what data is sent and how to opt-out
or configure most important settings.
# Additional Changes
None
# Additional Context
relates to #9869
# Which Problems Are Solved
The load balancing compose example uses a dedicated service
`use-new-login` that gives the set up machine user the login role and
requires the v2 login using an instance feature. This is cumbersome and
unnecessary.
# How the Problems Are Solved
- A login client machine user is set up and the token is passed to the
login by using the environment variable ZITADEL_SERVICE_USER_TOKEN_FILE.
- The unnecessary service is removed
# Additional Changes
- Uses the static `MasterkeyNeedsToHave32Characters` master key.
- The load balancing example replaces the previous Docker Compose
example.
- The login uses `network_mode: service:zitadel` so it can access the
zitadel service in the docker network via localhost.
- Uses the docker provider for Traefik.
# Additional Context
- Complements https://github.com/zitadel/zitadel/pull/9496
- Partially closes https://github.com/zitadel/zitadel/issues/10016
- When we release, we should update the image tags to latest, for
example with [this PR](https://github.com/zitadel/zitadel/pull/10249).
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
# Which Problems Are Solved
The broken login image is fixed.
# How the Problems Are Solved
The most important learnings from
https://github.com/zitadel/zitadel/pull/10318 are applied:
- Path in entrypoint is fixed: `exec node /runtime/apps/login/server.js`
- .dockerignore is updated so CSS styles are built into the image
- `source: .` is passed to the docker-bake action. Without this,
docker-bake builds from a remote context, which seems to be slow and not
updated on new PR commits. Looks like the bake action uploads an
artifact that [conflicts with the compile
workflow](https://github.com/zitadel/zitadel/actions/runs/16620417216/job/47023478437).
Therefore, a pattern is added to the compile workflow so only relevant
artifacts are selected.
# Which Problems Are Solved
Not all NPM packages are excluded from go linting.
# How the Problems Are Solved
Missing exclusions are added.
# Additional Context
Follows-up on #10331
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
# Which Problems Are Solved
The documentation API regarding organization v2 beta is not up to date.
The documentation regarding SCIM v2 is not up to date.
# How the Problems Are Solved
- Deprecate the existing v2beta endpoints `CreateOrganization` and
`ListOrganizations` in favour of the v2 counterparst
- Remove the preview warning from SCIM v2 pages
# Additional Context
- Closes#10311 and #10310
---------
Co-authored-by: Marco Ardizzone <marco@zitadel.com>
# Which Problems Are Solved
#7573
# How the Problems Are Solved
Enabled mermaid support in the current version:
https://docusaurus.io/docs/next/markdown-features/diagrams
# Additional Changes
# Additional Context
test by adding to a page:
```mermaid
graph TD;
A-->B;
A-->C;
B-->D;
C-->D;
```
# Which Problems Are Solved
Currently the username uniqueness is on instance level, we want to
achieve a way to set it at organization level.
# How the Problems Are Solved
Addition of endpoints and a resource on organization level, where this
setting can be managed. If nothing it set, the uniqueness is expected to
be at instance level, where only users with instance permissions should
be able to change this setting.
# Additional Changes
None
# Additional Context
Includes #10086Closes#9964
---------
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
Building the login container in the pipeline without build layer caches
takes about 20 minutes.
# How the Problems Are Solved
We use cache-from and cache-to arguments to use the GitHub cache API.
Compare 1st and 2nd run [of this PRs
pipeline](https://github.com/zitadel/zitadel/actions/runs/16590808510/job/46927893304)
# Additional Context
- Follows up on #10343
# Which Problems Are Solved
[Permissions v2](https://github.com/zitadel/zitadel/issues/9972) is not
possible in the current implementation.
# How the Problems Are Solved
We remove Permissions v2 from project grants related API calls, to
alleviate this problems.
Resulting in some removals of testing, implementations and performance
impact
# Additional Changes
None
# Additional Context
None
## Which problems are solved
The execution of statements of projections did not have the context
present.
## How the problems were solved
Pass the context to the execute function
## Additional info
This change is required to use the repositories of the relational tables
in projections.
Removes manual schema and application name setup via raw SQL and
switches to using River’s built-in schema configuration.
# Which Problems Are Solved
River provides a configuration flag to set the schema of the queue.
Zitadel sets the schema through database statements which is not needed
anymore.
# How the Problems Are Solved
Set the schema in the river configuration and removed old code
# Which Problems Are Solved
There is no information contained in the context info sent to Actions
v2.
# How the Problems Are Solved
Add application information to the context information sent to Actions
v2, to give more information about the execution.
# Additional Changes
None
# Additional Context
Closes#9377
# Which Problems Are Solved
The OIDC session endpoint allows to pass a `id_token_hint` to identify
the session to terminate. In case the application is not able to pass
that, e.g. Console currently allows multiple sessions to be open, but
will only store the id_token of the current session, allowing to pass
the `logout_hint` to identify the user adds some new possibilities.
# How the Problems Are Solved
In case the end_session_endpoint is called with no `id_token_hint`, but
a `logout_hint` and the v2 login UI is configured, the information is
passed to the login UI also as `login_hint` parameter to allow the login
UI to determine the session to be terminated, resp. let the user decide.
# Additional Changes
Also added the `ui_locales` as parameter to handle and pass to the V2
login UI.
# Dependencies ⚠️
~These changes depend on https://github.com/zitadel/oidc/pull/774~
# Additional Context
closes#9847
---------
Co-authored-by: Marco Ardizzone <marco@zitadel.com>
Changed externalUser() to externalUser in external-authentication.md
file.
<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->
# Which Problems Are Solved
Replace this example text with a concise list of problems that this PR
solves.
For example:
- External Authentication documentation states that to retrieve the
external user in the post authentication flow, use externalUser().
However, it needs to be externalUser (the method).
# How the Problems Are Solved
Replace this example text with a concise list of changes that this PR
introduces.
For example:
- Changing externalUser() to externalUser in the
external-authentication.md file solves this issue.
# Additional Changes
Replace this example text with a concise list of additional changes that
this PR introduces, that are not directly solving the initial problem
but are related.
For example:
- No additional changes were made.
# Additional Context
Replace this example with links to related issues, discussions, discord
threads, or other sources with more context.
Use the Closing #issue syntax for issues that are resolved with this PR.
- Closes#9893
# Which Problems Are Solved
Actions v2beta API does not adhere to the [API
design](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md)
fully.
# How the Problems Are Solved
- Correct body usage for ListExecutions
- Correct REST path for ListTargets and ListExecutions
- Correct attribute names for ListTargetsResponse and
ListExecutionsResponse
# Additional Changes
- Remove unused object import.
# Additional Context
Closes#10138
---------
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
Since #10305 we have the following two files in `/apps/login`
- /apps/login/README.md
- /apps/login/readme.md
This confused case insensitive file systems, causing strange Git
behavior.
# How the Problems Are Solved
We remove the obsolete /apps/login/README.md file.
# Which Problems Are Solved
- The previous monorepo in monorepo structure for the login app and its
related packages was fragmented, complicated and buggy.
- The process for building and testing the login container was
inconsistent between local development and CI.
- Lack of clear documentation as well as easy and reliable ways for
non-frontend developers to reproduce and fix failing PR checks locally.
# How the Problems Are Solved
- Consolidated the login app and its related npm packages by moving the
main package to `apps/login/apps/login` and merging
`apps/login/packages/integration` and `apps/login/packages/acceptance`
into the main `apps/login` package.
- Migrated from Docker Compose-based test setups to dev container-based
setups, adding support for multiple dev container configurations:
- `.devcontainer/base`
- `.devcontainer/turbo-lint-unit`
- `.devcontainer/turbo-lint-unit-debug`
- `.devcontainer/login-integration`
- `.devcontainer/login-integration-debug`
- Added npm scripts to run the new dev container setups, enabling exact
reproduction of GitHub PR checks locally, and updated the pipeline to
use these containers.
- Cleaned up Dockerfiles and docker-bake.hcl files to only build the
production image for the login app.
- Cleaned up compose files to focus on dev environments in dev
containers.
- Updated `CONTRIBUTING.md` with guidance on running and debugging PR
checks locally using the new dev container approach.
- Introduced separate Dockerfiles for the login app to distinguish
between using published client packages and building clients from local
protos.
- Ensured the login container is always built in the pipeline for use in
integration and acceptance tests.
- Updated Makefile and GitHub Actions workflows to use
`--frozen-lockfile` for installing pnpm packages, ensuring reproducible
installs.
- Disabled GitHub release creation by the changeset action.
- Refactored the `/build` directory structure for clarity and
maintainability.
- Added a `clean` command to `docks/package.json`.
- Experimentally added `knip` to the `zitadel-client` package for
improved linting of dependencies and exports.
# Additional Changes
- Fixed Makefile commands for consistency and reliability.
- Improved the structure and clarity of the `/build` directory to
support seamless integration of the login build.
- Enhanced documentation and developer experience for running and
debugging CI checks locally.
# Additional Context
- See updated `CONTRIBUTING.md` for new local development and debugging
instructions.
- These changes are a prerequisite for further improvements to the CI
pipeline and local development workflow.
- Closes#10276
<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->
# Which Problems Are Solved
Okta sends a random password in the request to create a user during SCIM
provisioning, irrespective of whether the `Sync Password` option is
enabled or disabled on Okta, and this password does not comply with the
default password complexity set in Zitadel. This PR adds a workaround to
create users without issues in such cases.
# How the Problems Are Solved
- A new metadata configuration called
`urn:zitadel:scim:ignorePasswordOnCreate` is added to the Machine User
that is used for provisioning
- During SCIM user creation requests, if the
`urn:zitadel:scim:ignorePasswordOnCreate` is set to `true` in the
Machine User's metadata, the password set in the create request is
ignored
# Additional Changes
# Additional Context
The random password is ignored (if set in the metadata) only during
customer creation. This change does not affect SCIM password updates.
- Closes#10009
---------
Co-authored-by: Marco A. <marco@zitadel.com>
