1004 Commits

Author SHA1 Message Date
Livio Spring
3022ca9e76
feat: JWT IdP intent (#9966)
# Which Problems Are Solved

The login v1 allowed to use JWTs as IdP using the JWT IDP. The login V2
uses idp intents for such cases, which were not yet able to handle JWT
IdPs.

# How the Problems Are Solved

- Added handling of JWT IdPs in `StartIdPIntent` and `RetrieveIdPIntent`
- The redirect returned by the start, uses the existing `authRequestID`
and `userAgentID` parameter names for compatibility reasons.
- Added `/idps/jwt` endpoint to handle the proxied (callback) endpoint ,
which extracts and validates the JWT against the configured endpoint.

# Additional Changes

None

# Additional Context

- closes #9758

(cherry picked from commit 4d66a786c88ba624bb8ca7bd67a128b920e0cb7f)
2025-06-12 07:08:02 +02:00
Iraq
dedb923f43
fix(settings): fix for setting restricted languages (#9947)
# Which Problems Are Solved

Zitadel encounters a migration error when setting `restricted languages`
and fails to start.

# How the Problems Are Solved

The problem is that there is a check that checks that at least one of
the restricted languages is the same as the `default language`, however,
in the `authz instance` (where the default language is pulled form) is
never set.

I've added code to set the `default language` in the `authz instance`

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9787

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit b46c41e4bf50af7f3873c6d0deb62206d77ec6e9)
2025-06-03 14:56:49 +02:00
Livio Spring
2efb2fec7a
fix: validate proto header and provide https enforcement (#9975)
# Which Problems Are Solved

ZITADEL uses the notification triggering requests Forwarded or
X-Forwarded-Proto header to build the button link sent in emails for
confirming a password reset with the emailed code. If this header is
overwritten and a user clicks the link to a malicious site in the email,
the secret code can be retrieved and used to reset the users password
and take over his account.

Accounts with MFA or Passwordless enabled can not be taken over by this
attack.

# How the Problems Are Solved

- The `X-Forwarded-Proto` and `proto` of the Forwarded headers are
validated (http / https).
- Additionally, when exposing ZITADEL through https. An overwrite to
http is no longer possible.

# Additional Changes

None

# Additional Context

None

(cherry picked from commit c097887bc5f680e12c998580fb56d98a15758f53)
2025-05-28 10:36:04 +02:00
Connor
8d40306ee2
fix(login): Copy to clipboard button in MFA login step now compatible in non-chrome browser (#9880)
related to issue [#9379](https://github.com/zitadel/zitadel/issues/9379)

# Which Problems Are Solved

Copy to clipboard button was not compatible with Webkit/ Firefox
browsers.

# How the Problems Are Solved

The previous function used addEventListener without a callback function
as a second argument. I simply added the callback function and left
existing code intact to fix the bug.

# Additional Changes

Added `type=button` to prevent submitting the form when clicking the
button.

# Additional Context

none

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 77b433367ef8ac643e5988d54d9a9ce30e127ddc)
2025-05-28 10:36:01 +02:00
Silvan
7c5480f94e
fix(eventstore): use decimal, correct mirror (#9916)
# Eventstore fixes

- `event.Position` used float64 before which can lead to [precision
loss](https://github.com/golang/go/issues/47300). The type got replaced
by [a type without precision
loss](https://github.com/jackc/pgx-shopspring-decimal)
- the handler reported the wrong error if the current state was updated
and therefore took longer to retry failed events.

# Mirror fixes

- max age of auth requests can be configured to speed up copying data
from `auth.auth_requests` table. Auth requests last updated before the
set age will be ignored. Default is 1 month
- notification projections are skipped because notifications should be
sent by the source system. The projections are set to the latest
position
- ensure that mirror can be executed multiple times
2025-05-27 17:13:17 +02:00
Livio Spring
b979923928
fix: allow invite codes for users with verified mails (#9962)
# Which Problems Are Solved

Users who started the invitation code verification, but haven't set up
any authentication method, need to be able to do so. This might require
a new invitation code, which was currently not possible since creation
was prevented for users with verified emails.

# How the Problems Are Solved

- Allow creation of invitation emails for users with verified emails.
- Merged the creation and resend into a single method, defaulting the
urlTemplate, applicatioName and authRequestID from the previous code (if
one exists). On the user service API, the `ResendInviteCode` endpoint
has been deprecated in favor of the `CreateInviteCode`

# Additional Changes

None

# Additional Context

- Noticed while investigating something internally.
- requires backport to 2.x and 3.x

(cherry picked from commit 833f6279e11c43652a579f2211311e2fc6c0e2a7)
2025-05-26 15:57:49 +02:00
Silvan
c9a0f0bc45
fix(api): correct mapping of user state queries (#9956)
# Which Problems Are Solved

the mapping of `ListUsers` was wrong for user states.

# How the Problems Are Solved

mapping of user state introduced to correctly map it

# Additional Changes

mapping of user type introduced to prevent same issue

# Additional Context

Requires backport to 2.x and 3.x

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit eb0eed21fa682774e476d0c720c501b37f0f7793)
2025-05-26 15:56:54 +02:00
Livio Spring
3c99cf82f8
feat: federated logout for SAML IdPs (#9931)
# Which Problems Are Solved

Currently if a user signs in using an IdP, once they sign out of
Zitadel, the corresponding IdP session is not terminated. This can be
the desired behavior. In some cases, e.g. when using a shared computer
it results in a potential security risk, since a follower user might be
able to sign in as the previous using the still open IdP session.

# How the Problems Are Solved

- Admins can enabled a federated logout option on SAML IdPs through the
Admin and Management APIs.
- During the termination of a login V1 session using OIDC end_session
endpoint, Zitadel will check if an IdP was used to authenticate that
session.
- In case there was a SAML IdP used with Federated Logout enabled, it
will intercept the logout process, store the information into the shared
cache and redirect to the federated logout endpoint in the V1 login.
- The V1 login federated logout endpoint checks every request on an
existing cache entry. On success it will create a SAML logout request
for the used IdP and either redirect or POST to the configured SLO
endpoint. The cache entry is updated with a `redirected` state.
- A SLO endpoint is added to the `/idp` handlers, which will handle the
SAML logout responses. At the moment it will check again for an existing
federated logout entry (with state `redirected`) in the cache. On
success, the user is redirected to the initially provided
`post_logout_redirect_uri` from the end_session request.

# Additional Changes

None

# Additional Context

- This PR merges the https://github.com/zitadel/zitadel/pull/9841 and
https://github.com/zitadel/zitadel/pull/9854 to main, additionally
updating the docs on Entra ID SAML.
- closes #9228
- backport to 3.x

---------

Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
Co-authored-by: Zach Hirschtritt <zachary.hirschtritt@klaviyo.com>
(cherry picked from commit 2cf3ef4de4ef993367daec6ff3974bdbdf70d2f3)
2025-05-23 14:59:34 +02:00
Livio Spring
fdb9bba6c7
chore: update dependencies (#9784)
# Which Problems Are Solved

Some dependencies are out of date and published new version including
(unaffected) vulnerability fixes.

# How the Problems Are Solved

- Updated at least all direct dependencies apart from i18n, webauthn
(existing issues),
  -  crewjam (https://github.com/zitadel/zitadel/issues/9783) and
- github.com/gorilla/csrf (https://github.com/gorilla/csrf/issues/190,
https://github.com/gorilla/csrf/issues/189,
https://github.com/gorilla/csrf/issues/188,
https://github.com/gorilla/csrf/issues/187,
https://github.com/gorilla/csrf/issues/186)
      -  noteworthy: https://github.com/golang/go/issues/73626
- Some dependencies require Go 1.24, which triggered an update for
zitadel to go 1.24 as well.

# Additional Changes

None

# Additional Context

None

(cherry picked from commit 968d91a3e0a745fda5b6dfbffdbf1dee8f1306a6)
2025-05-21 13:52:42 +02:00
Livio Spring
420b9854b2
fix(login): render error properly when auto creation fails (#9871)
# Which Problems Are Solved

If an IdP has the `automatic creation` option enabled without the
`account creation allowed (manually)` and does not provide all the
information required (given name, family name, ...) the wrong error
message was presented to the user.

# How the Problems Are Solved

Prevent overwrite of the error when rendering the error in the
`renderExternalNotFoundOption` function.

# Additional Changes

none

# Additional Context

- closes #9766
- requires backport to 2.x and 3.x

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit a73acbcfc304b49642b3cf35cda0acb020cbc4f4)
2025-05-21 13:20:41 +02:00
Stefan Benz
30a4d6de23
test: fix list orgs test with sort (#9909)
# Which Problems Are Solved

List organization integration test fails sometimes due to incorrect
sorting of results.

# How the Problems Are Solved

Add sorting column to request on list organizations endpoint and sort
expected results.

# Additional Changes

None

# Additional Context

None

(cherry picked from commit 6b07e57e5c8caab0b4d95ceef0db579c61b756ca)
2025-05-21 13:20:35 +02:00
Livio Spring
c25548ea05
fix: idp user information mapping (#9892)
# Which Problems Are Solved

When retrieving the information of an IdP intent, depending on the IdP
type (e.g. Apple), there was issue when mapping the stored (event)
information back to the specific IdP type, potentially leading to a
panic.

# How the Problems Are Solved

- Correctly initialize the user struct to map the information to.

# Additional Changes

none

# Additional Context

- reported by a support request
- needs backport to 3.x and 2.x

(cherry picked from commit 1b2fd23e0b6fe21e144df85e449cf45b59bb4ed9)
2025-05-21 13:20:10 +02:00
Livio Spring
4c5769355b
fix: prevent intent token reuse and add expiry
(cherry picked from commit b1e60e7398d677f08b06fd7715227f70b7ca1162)
2025-05-02 13:52:28 +02:00
Elio Bischof
24cbeb64c8
fix(actions): default sorting column to creation date (#9795)
# Which Problems Are Solved

The sorting column of action targets and executions defaults to the ID
column instead of the creation date column.
This is only relevant, if the sorting column is explicitly passed as
unspecified.
If the sorting column is not passed, it correctly defaults to the
creation date.

```bash
#  Sorts by ID
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"sortingColumn": "TARGET_FIELD_NAME_UNSPECIFIED"}' localhost:8080 zitadel.action.v2beta.ActionService.ListTargets
#  Sorts by ID
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" -d '{"sortingColumn": 0}' localhost:8080 zitadel.action.v2beta.ActionService.ListTargets
#  Sorts by creation date
grpcurl -plaintext -H "Authorization: Bearer ${ZITADEL_ACCESS_TOKEN}" localhost:8080 zitadel.action.v2beta.ActionService.ListTargets
```

# How the Problems Are Solved

`action.TargetFieldName_TARGET_FIELD_NAME_UNSPECIFIED` maps to the
sorting column `query.TargetColumnCreationDate`.

# Additional Context

As IDs are also generated in ascending, like creation dates, the the bug
probably only causes unexpected behavior for cases, where the ID is
specified during target or execution creation. This is currently not
supported, so this bug probably has no impact at all. It doesn't need to
be backported.

Found during implementation of #9763

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 74ace1aec31eb6085c1b871c7465524f5f9d13cf)
2025-05-02 13:51:53 +02:00
Stefan Benz
496d69487f
fix: correct unmarshalling of IdP user when using Google (#9799)
# Which Problems Are Solved

Users from Google IDP's are not unmarshalled correctly in intent
endpoints and not returned to callers.

# How the Problems Are Solved

Provided correct type for unmarshalling of the information.

# Additional Changes

None

# Additional Context

None

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 3953879fe9c2533289dab8a67a5e1a0514500150)
2025-04-30 15:23:29 +02:00
Tim Möhlmann
19aacdab26
fix(instance): add web key generation to instance defaults (#9815)
# Which Problems Are Solved

Webkeys were not generated with new instances when the webkey feature
flag was enabled for instance defaults. This would cause a redirect loop
with console for new instances on QA / coud.

# How the Problems Are Solved

- uncomment the webkeys section on defaults.yaml
- Fix field naming of webkey config

# Additional Changes

- Add all available features as comments.
- Make the improved performance type enum parsable from the config,
untill now they were just ints.
- Running of the enumer command created missing enum entries for feature
keys.

# Additional Context

- Needs to be back-ported to v3 / next-rc

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 91bc71db74fbfd6945822418a5fa8df4439f5757)
2025-04-30 15:23:17 +02:00
Stefan Benz
ff6d593922
fix: remove action feature flag and include execution (#9727)
# Which Problems Are Solved

Actions v2 is not a feature flag anymore, include functionality on
executions is not used and json tags of proto messages are handled
incorrectly.

# How the Problems Are Solved

- Remove actions from the feature flags on system and instance level
- Remove include type on executions, only in the API, later maybe in the
handling logic as well
- Use protojson in request and response handling of actions v2

# Additional Changes

- Correct integration tests for request and response handling
- Use json.RawMessage for events, so that the event payload is not
base64 encoded
- Added separate context for async webhook calls, that executions are
not cancelled when called async

# Additional Context

Related to #9759
Closes #9710

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit b8ba7bd5badd8b9ee43316465ae5748e6fab0f50)
2025-04-29 13:05:22 +02:00
Stygmates
fcc2cb170d
fix: text buttons overflow in login page (#9637)
# Which Problems Are Solved

The text of some of the buttons in the login page overflows in some
languages

![image](https://github.com/user-attachments/assets/ef3d3bfe-8966-4be5-8d3b-3b0b72ce5e49)

# How the Problems Are Solved

Updated the css to set the overflow to hidden and text-overflow to
ellipsis, this is the simplest fix I could come up with, if you have a
better alternative feel free to tell me what you would prefer 🙏

![image](https://github.com/user-attachments/assets/cdfa1f7b-535a-419d-ba9d-a57ec332d976)

# Additional Changes

None

# Additional Context

I couldn't test the following case locally since I had trouble setting
up a SMTP provider locally, but the class affected by my change should
also target this case, if someone could test it before merging it
🙏:

![315957139-6a630056-82b9-42cd-85a6-8819f2e1873b](https://github.com/user-attachments/assets/f6860db3-d6a0-4e4d-b9e6-0b1968145047)

- Closes #7619

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit 257bef974a6d227e50142b3895b2e46cd42051f5)
2025-04-29 13:05:10 +02:00
Livio Spring
79a5585f91
fix(login): handle requests without auth request correctly (#9713)
# Which Problems Are Solved

We found some paths in the login UI, where requests without any
`AuthRequest` were not handled correctly and could potentially panic.
This also includes providing the `AuthRequest` as part of `ctx` object
in actions V1.

# How the Problems Are Solved

- Check for the existance of an `AuthRequest` were needed and return an
error otherwise.
- Provide correct state of the `AuthRequest` for actions V1

# Additional Changes

None

# Additional Context

- Noticed as part of a support request
- requires backport to at least 2.70.x

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-04-07 17:40:42 +02:00
Fabienne Bühler
07ce3b6905
chore!: Introduce ZITADEL v3 (#9645)
This PR summarizes multiple changes specifically only available with
ZITADEL v3:

- feat: Web Keys management
(https://github.com/zitadel/zitadel/pull/9526)
- fix(cmd): ensure proper working of mirror
(https://github.com/zitadel/zitadel/pull/9509)
- feat(Authz): system user support for permission check v2
(https://github.com/zitadel/zitadel/pull/9640)
- chore(license): change from Apache to AGPL
(https://github.com/zitadel/zitadel/pull/9597)
- feat(console): list v2 sessions
(https://github.com/zitadel/zitadel/pull/9539)
- fix(console): add loginV2 feature flag
(https://github.com/zitadel/zitadel/pull/9682)
- fix(feature flags): allow reading "own" flags
(https://github.com/zitadel/zitadel/pull/9649)
- feat(console): add Actions V2 UI
(https://github.com/zitadel/zitadel/pull/9591)

BREAKING CHANGE
- feat(webkey): migrate to v2beta API
(https://github.com/zitadel/zitadel/pull/9445)
- chore!: remove CockroachDB Support
(https://github.com/zitadel/zitadel/pull/9444)
- feat(actions): migrate to v2beta API
(https://github.com/zitadel/zitadel/pull/9489)

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
Co-authored-by: Ramon <mail@conblem.me>
Co-authored-by: Elio Bischof <elio@zitadel.com>
Co-authored-by: Kenta Yamaguchi <56732734+KEY60228@users.noreply.github.com>
Co-authored-by: Harsha Reddy <harsha.reddy@klaviyo.com>
Co-authored-by: Livio Spring <livio@zitadel.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Iraq <66622793+kkrime@users.noreply.github.com>
Co-authored-by: Florian Forster <florian@zitadel.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-04-02 16:53:06 +02:00
Livio Spring
315503beab
Merge commit from fork 2025-03-31 12:45:11 +02:00
Silvan
817670f1f7
perf: improve scalability of session api (#9635)
This pull request improves the scalability of the session API by
enhancing middleware tracing and refining SQL query behavior for user
authentication methods.

# Which Problems Are Solved

- Eventstore subscriptions locked each other during they wrote the
events to the event channels of the subscribers in push.
- `ListUserAuthMethodTypesRequired` query used `Bitmap heap scan` to
join the tables needed.
- The auth and oidc package triggered projections often when data were
read.
- The session API triggered the user projection each time a user was
searched to write the user check command.

# How the Problems Are Solved

- the `sync.Mutex` was replaced with `sync.RWMutex` to allow parallel
read of the map
- The query was refactored to use index scans only
- if the data should already be up-to-date `shouldTriggerBulk` is set to
false
- as the user should already exist for some time the trigger was
removed.

# Additional Changes

- refactoring of `tracing#Span.End` calls

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/9239

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-03-28 12:36:05 +00:00
Stefan Benz
0e10ed0e0b
fix: SAML and OIDC issuer (in proxied use cases) (#9638)
# Which Problems Are Solved

When using implicit flow through the session API and a login UI on a
custom domain (proxy), the tokens were signed by the API domain of the
instance, rather than the public (proxy) domain.
The SAML response had the same issue. Additionally, the saml library had
an issue and lost the issuer context. This prevented also a successful
login through the hosted login UI.

# How the Problems Are Solved

- The issuer of the SAML and Auth request is persisted to provide the
information when signing the responses and tokens.
- The SAML library is updated to the latest version.

# Additional Changes

None

# Additional Context

None
2025-03-26 17:08:13 +00:00
Faey
833e654a07
feat(actions): Add refresh token to post authentication action context (#9493)
# Which Problems Are Solved

- Refresh Tokens issued by third party authentication providers are lost

# How the Problems Are Solved

- Allows the existing post authentication action to capture the refresh
token

# Additional Changes

- Docs updated to reflect the new property

# Additional Context

- Partially addresses #7851 by allowing the refresh token to be
captured.

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-03-20 09:00:36 +00:00
Stefan Benz
5486ef2627
test: correct sorting of scim list users integration tests (#9568)
# Which Problems Are Solved

SCIM integration test failed sometimes, as ListUsers with usernames-sort
was not reliable if the asserted list is not sorted as well.

# How the Problems Are Solved

Sort the list of results in the sorted integration tests.

# Additional Changes

None

# Additional Context

Relates to
https://github.com/zitadel/zitadel/actions/runs/13922326003/job/38960759621
2025-03-20 07:05:01 +00:00
Stefan Benz
5ca76af779
test: correct notifications integration test with eventual consistency (#9569)
# Which Problems Are Solved

Quota notification integration test failed sometimes due to eventual
consistency issues, which resulted in calls which should have been
counted to the quota not being added. This resulted in flaky integration
tests as the expected API calls to be limited were executed normally.

# How the Problems Are Solved

As there is no API call to query the currently applied Quota, there was
a sleep added as a last effort, to give some time that the event gets
processed into the projection.

# Additional Changes

None

# Additional Context

Related to
https://github.com/zitadel/zitadel/actions/runs/13922326003/job/38959595055

Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-03-20 07:47:19 +01:00
Stefan Benz
6cd5e717a4
chore: correct integration tests for query endpoints eventual consistent (#9554)
# Which Problems Are Solved

Integration tests for OIDC service failed irregularly.

# How the Problems Are Solved

Add eventual consistent checks for querying endpoints to the integration
tests for the OIDC service.

# Additional Changes

None

# Additional Context

None
2025-03-18 08:16:48 +01:00
Harsha Reddy
599850e7e8
fix: reduce cardinality in metrics and tracing for unknown paths (#9523)
# Which Problems Are Solved
Zitadel should not record 404 response counts of unknown paths (check
`/debug/metrics`).
This can lead to high cardinality on metrics endpoint and in traces.

```
GOOD http_server_return_code_counter_total{method="GET",otel_scope_name="",otel_scope_version="",return_code="200",uri="/.well-known/openid-configuration"} 2
GOOD http_server_return_code_counter_total{method="GET",otel_scope_name="",otel_scope_version="",return_code="200",uri="/oauth/v2/keys"} 2
BAD http_server_return_code_counter_total{method="GET",otel_scope_name="",otel_scope_version="",return_code="404",uri="/junk"} 2000
```

After
```
GOOD http_server_return_code_counter_total{method="GET",otel_scope_name="",otel_scope_version="",return_code="200",uri="/.well-known/openid-configuration"} 2
GOOD http_server_return_code_counter_total{method="GET",otel_scope_name="",otel_scope_version="",return_code="200",uri="/oauth/v2/keys"} 2
```

# How the Problems Are Solved

This PR makes sure, that any unknown path is recorded as `UNKNOWN_PATH`
instead of the actual path.

# Additional Changes

N/A

# Additional Context

On our production instance, when a penetration test was run, it caused
our metric count to blow up to many thousands due to Zitadel recording
404 response counts.

Next nice to have steps, remove 404 timer recordings which serve no
purpose

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
Co-authored-by: Livio Spring <livio@zitadel.com>
2025-03-17 17:37:59 +01:00
Kenta Yamaguchi
d57fa819cb
chore: Replace deprecated io/ioutil functions with recommended alternatives (#9542)
# Which Problems Are Solved

- The `io/ioutil` package was deprecated in Go 1.16.  
  - Reference: https://go.dev/doc/go1.16#ioutil  

# How the Problems Are Solved

- Replaced deprecated functions with their recommended alternatives:  
  - `ioutil.ReadFile` → `os.ReadFile`  
  - `ioutil.ReadAll` → `io.ReadAll`  
  - `ioutil.NopCloser` → `io.NopCloser`
2025-03-17 13:17:14 +00:00
Livio Spring
19f022e1cf
fix(login): cache scripts and other assets correctly (#9551)
# Which Problems Are Solved

Scripts and other assets for the hosted login UI are served with a
public cache with `max-age` and `s-maxage`. After changing scripts or
assets, old versions might be still used as they might be cached locally
or in a shared cache (CDN, proxy, ...). This can lead to unwanted
behaviour or even errors.

# How the Problems Are Solved

To ensure the correct file is served a query parameter with the build
time is added to the assets filename dynamically. (`?v=2025-03-17...`)

# Additional Changes

None

# Additional Context

- relates to #9485
- requires backport to at least 2.70.x
2025-03-17 11:13:24 +00:00
Silvan
e36f402e09
fix(perf): simplify eventstore queries by removing or in projection handlers (#9530)
# Which Problems Are Solved

[A recent performance
enhancement]((https://github.com/zitadel/zitadel/pull/9497)) aimed at
optimizing event store queries, specifically those involving multiple
aggregate type filters, has successfully improved index utilization.
While the query planner now correctly selects relevant indexes, it
employs [bitmap index
scans](https://www.postgresql.org/docs/current/indexes-bitmap-scans.html)
to retrieve data.

This approach, while beneficial in many scenarios, introduces a
potential I/O bottleneck. The bitmap index scan first identifies the
required database blocks and then utilizes a bitmap to access the
corresponding rows from the table's heap. This subsequent "bitmap heap
scan" can result in significant I/O overhead, particularly when queries
return a substantial number of rows across numerous data pages.

## Impact:

Under heavy load or with queries filtering for a wide range of events
across multiple aggregate types, this increased I/O activity may lead
to:

- Increased query latency.
- Elevated disk utilization.
- Potential performance degradation of the event store and dependent
systems.

# How the Problems Are Solved

To address this I/O bottleneck and further optimize query performance,
the projection handler has been modified. Instead of employing multiple
OR clauses for each aggregate type, the aggregate and event type filters
are now combined using IN ARRAY filters.

Technical Details:

This change allows the PostgreSQL query planner to leverage [index-only
scans](https://www.postgresql.org/docs/current/indexes-index-only-scans.html).
By utilizing IN ARRAY filters, the database can efficiently retrieve the
necessary data directly from the index, eliminating the need to access
the table's heap. This results in:

* Reduced I/O: Index-only scans significantly minimize disk I/O
operations, as the database avoids reading data pages from the main
table.
* Improved Query Performance: By reducing I/O, query execution times are
substantially improved, leading to lower latency.

# Additional Changes

- rollback of https://github.com/zitadel/zitadel/pull/9497

# Additional Information

## Query Plan of previous query

```sql
SELECT 
    created_at, event_type, "sequence", "position", payload, creator, "owner", instance_id, aggregate_type, aggregate_id, revision 
FROM 
    eventstore.events2 
WHERE 
    instance_id = '<INSTANCE_ID>'
    AND (
        (
            instance_id = '<INSTANCE_ID>'
            AND "position" > <POSITION>
            AND aggregate_type = 'project'
            AND event_type = ANY(ARRAY[
                                'project.application.added'
                                ,'project.application.changed'
                                ,'project.application.deactivated'
                                ,'project.application.reactivated'
                                ,'project.application.removed'
                                ,'project.removed'
                                ,'project.application.config.api.added'
                                ,'project.application.config.api.changed'
                                ,'project.application.config.api.secret.changed'
                ,'project.application.config.api.secret.updated'
                                ,'project.application.config.oidc.added'
                                ,'project.application.config.oidc.changed'
                                ,'project.application.config.oidc.secret.changed'
                ,'project.application.config.oidc.secret.updated'
                                ,'project.application.config.saml.added'
                                ,'project.application.config.saml.changed'
                        ])
        ) OR (
            instance_id = '<INSTANCE_ID>'
            AND "position" > <POSITION>
            AND aggregate_type = 'org'
            AND event_type = 'org.removed'
        ) OR (
            instance_id = '<INSTANCE_ID>'
            AND "position" > <POSITION>
            AND aggregate_type = 'instance'
            AND event_type = 'instance.removed'
        )
    ) 
    AND "position" > 1741600905.3495
    AND "position" < (
        SELECT 
            COALESCE(EXTRACT(EPOCH FROM min(xact_start)), EXTRACT(EPOCH FROM now())) 
        FROM 
            pg_stat_activity
        WHERE 
            datname = current_database() 
            AND application_name = ANY(ARRAY['zitadel_es_pusher_', 'zitadel_es_pusher', 'zitadel_es_pusher_<INSTANCE_ID>']) 
            AND state <> 'idle'
    ) 
ORDER BY "position", in_tx_order LIMIT 200 OFFSET 1;
```

```
Limit  (cost=120.08..120.09 rows=7 width=361) (actual time=2.167..2.172 rows=0 loops=1)
   Output: events2.created_at, events2.event_type, events2.sequence, events2."position", events2.payload, events2.creator, events2.owner, events2.instance_id, events2.aggregate_type, events2.aggregate_id, events2.revision, events2.in_tx_order
   InitPlan 1
     ->  Aggregate  (cost=2.74..2.76 rows=1 width=32) (actual time=1.813..1.815 rows=1 loops=1)
           Output: COALESCE(EXTRACT(epoch FROM min(s.xact_start)), EXTRACT(epoch FROM now()))
           ->  Nested Loop  (cost=0.00..2.74 rows=1 width=8) (actual time=1.803..1.805 rows=0 loops=1)
                 Output: s.xact_start
                 Join Filter: (d.oid = s.datid)
                 ->  Seq Scan on pg_catalog.pg_database d  (cost=0.00..1.07 rows=1 width=4) (actual time=0.016..0.021 rows=1 loops=1)
                       Output: d.oid, d.datname, d.datdba, d.encoding, d.datlocprovider, d.datistemplate, d.datallowconn, d.dathasloginevt, d.datconnlimit, d.datfrozenxid, d.datminmxid, d.dattablespace, d.datcollate, d.datctype, d.datlocale, d.daticurules, d.datcollversion, d.datacl
                       Filter: (d.datname = current_database())
                       Rows Removed by Filter: 4
                 ->  Function Scan on pg_catalog.pg_stat_get_activity s  (cost=0.00..1.63 rows=3 width=16) (actual time=1.781..1.781 rows=0 loops=1)
                       Output: s.datid, s.pid, s.usesysid, s.application_name, s.state, s.query, s.wait_event_type, s.wait_event, s.xact_start, s.query_start, s.backend_start, s.state_change, s.client_addr, s.client_hostname, s.client_port, s.backend_xid, s.backend_xmin, s.backend_type, s.ssl, s.sslversion, s.sslcipher, s.sslbits, s.ssl_client_dn, s.ssl_client_serial, s.ssl_issuer_dn, s.gss_auth, s.gss_princ, s.gss_enc, s.gss_delegation, s.leader_pid, s.query_id
                       Function Call: pg_stat_get_activity(NULL::integer)
                       Filter: ((s.state <> 'idle'::text) AND (s.application_name = ANY ('{zitadel_es_pusher_,zitadel_es_pusher,zitadel_es_pusher_<INSTANCE_ID>}'::text[])))
                       Rows Removed by Filter: 49
   ->  Sort  (cost=117.31..117.33 rows=8 width=361) (actual time=2.167..2.168 rows=0 loops=1)
         Output: events2.created_at, events2.event_type, events2.sequence, events2."position", events2.payload, events2.creator, events2.owner, events2.instance_id, events2.aggregate_type, events2.aggregate_id, events2.revision, events2.in_tx_order
         Sort Key: events2."position", events2.in_tx_order
         Sort Method: quicksort  Memory: 25kB
         ->  Bitmap Heap Scan on eventstore.events2  (cost=84.92..117.19 rows=8 width=361) (actual time=2.088..2.089 rows=0 loops=1)
               Output: events2.created_at, events2.event_type, events2.sequence, events2."position", events2.payload, events2.creator, events2.owner, events2.instance_id, events2.aggregate_type, events2.aggregate_id, events2.revision, events2.in_tx_order
               Recheck Cond: (((events2.instance_id = '<INSTANCE_ID>'::text) AND (events2.aggregate_type = 'project'::text) AND (events2.event_type = ANY ('{project.application.added,project.application.changed,project.application.deactivated,project.application.reactivated,project.application.removed,project.removed,project.application.config.api.added,project.application.config.api.changed,project.application.config.api.secret.changed,project.application.config.api.secret.updated,project.application.config.oidc.added,project.application.config.oidc.changed,project.application.config.oidc.secret.changed,project.application.config.oidc.secret.updated,project.application.config.saml.added,project.application.config.saml.changed}'::text[])) AND (events2."position" > <POSITION>) AND (events2."position" > 1741600905.3495) AND (events2."position" < (InitPlan 1).col1)) OR ((events2.instance_id = '<INSTANCE_ID>'::text) AND (events2.aggregate_type = 'org'::text) AND (events2.event_type = 'org.removed'::text) AND (events2."position" > <POSITION>) AND (events2."position" > 1741600905.3495) AND (events2."position" < (InitPlan 1).col1)) OR ((events2.instance_id = '<INSTANCE_ID>'::text) AND (events2.aggregate_type = 'instance'::text) AND (events2.event_type = 'instance.removed'::text) AND (events2."position" > <POSITION>) AND (events2."position" > 1741600905.3495) AND (events2."position" < (InitPlan 1).col1)))
               ->  BitmapOr  (cost=84.88..84.88 rows=8 width=0) (actual time=2.080..2.081 rows=0 loops=1)
                     ->  Bitmap Index Scan on es_projection  (cost=0.00..75.44 rows=8 width=0) (actual time=2.016..2.017 rows=0 loops=1)
                           Index Cond: ((events2.instance_id = '<INSTANCE_ID>'::text) AND (events2.aggregate_type = 'project'::text) AND (events2.event_type = ANY ('{project.application.added,project.application.changed,project.application.deactivated,project.application.reactivated,project.application.removed,project.removed,project.application.config.api.added,project.application.config.api.changed,project.application.config.api.secret.changed,project.application.config.api.secret.updated,project.application.config.oidc.added,project.application.config.oidc.changed,project.application.config.oidc.secret.changed,project.application.config.oidc.secret.updated,project.application.config.saml.added,project.application.config.saml.changed}'::text[])) AND (events2."position" > <POSITION>) AND (events2."position" > 1741600905.3495) AND (events2."position" < (InitPlan 1).col1))
                     ->  Bitmap Index Scan on es_projection  (cost=0.00..4.71 rows=1 width=0) (actual time=0.016..0.016 rows=0 loops=1)
                           Index Cond: ((events2.instance_id = '<INSTANCE_ID>'::text) AND (events2.aggregate_type = 'org'::text) AND (events2.event_type = 'org.removed'::text) AND (events2."position" > <POSITION>) AND (events2."position" > 1741600905.3495) AND (events2."position" < (InitPlan 1).col1))
                     ->  Bitmap Index Scan on es_projection  (cost=0.00..4.71 rows=1 width=0) (actual time=0.045..0.045 rows=0 loops=1)
                           Index Cond: ((events2.instance_id = '<INSTANCE_ID>'::text) AND (events2.aggregate_type = 'instance'::text) AND (events2.event_type = 'instance.removed'::text) AND (events2."position" > <POSITION>) AND (events2."position" > 1741600905.3495) AND (events2."position" < (InitPlan 1).col1))
 Query Identifier: 3194938266011254479
 Planning Time: 1.295 ms
 Execution Time: 2.832 ms
```

## Query Plan of new query

```sql
SELECT 
    created_at, event_type, "sequence", "position", payload, creator, "owner", instance_id, aggregate_type, aggregate_id, revision 
FROM 
    eventstore.events2 
WHERE 
    instance_id = '<INSTANCE_ID>'
    AND "position" > <POSITION>
    AND aggregate_type = ANY(ARRAY['project', 'instance', 'org'])
    AND event_type = ANY(ARRAY[
        'project.application.added'
        ,'project.application.changed'
        ,'project.application.deactivated'
        ,'project.application.reactivated'
        ,'project.application.removed'
        ,'project.removed'
        ,'project.application.config.api.added'
        ,'project.application.config.api.changed'
        ,'project.application.config.api.secret.changed'
        ,'project.application.config.api.secret.updated'
        ,'project.application.config.oidc.added'
        ,'project.application.config.oidc.changed'
        ,'project.application.config.oidc.secret.changed'
        ,'project.application.config.oidc.secret.updated'
        ,'project.application.config.saml.added'
        ,'project.application.config.saml.changed'
        ,'org.removed'
        ,'instance.removed'
    ])
    AND "position" < (
        SELECT 
            COALESCE(EXTRACT(EPOCH FROM min(xact_start)), EXTRACT(EPOCH FROM now())) 
        FROM 
            pg_stat_activity
        WHERE 
            datname = current_database() 
            AND application_name = ANY(ARRAY['zitadel_es_pusher_', 'zitadel_es_pusher', 'zitadel_es_pusher_<INSTANCE_ID>']) 
            AND state <> 'idle'
    ) 
ORDER BY "position", in_tx_order LIMIT 200 OFFSET 1;
```

```
Limit  (cost=293.34..293.36 rows=8 width=361) (actual time=4.686..4.689 rows=0 loops=1)
   Output: events2.created_at, events2.event_type, events2.sequence, events2."position", events2.payload, events2.creator, events2.owner, events2.instance_id, events2.aggregate_type, events2.aggregate_id, events2.revision, events2.in_tx_order
   InitPlan 1
     ->  Aggregate  (cost=2.74..2.76 rows=1 width=32) (actual time=1.717..1.719 rows=1 loops=1)
           Output: COALESCE(EXTRACT(epoch FROM min(s.xact_start)), EXTRACT(epoch FROM now()))
           ->  Nested Loop  (cost=0.00..2.74 rows=1 width=8) (actual time=1.658..1.659 rows=0 loops=1)
                 Output: s.xact_start
                 Join Filter: (d.oid = s.datid)
                 ->  Seq Scan on pg_catalog.pg_database d  (cost=0.00..1.07 rows=1 width=4) (actual time=0.026..0.028 rows=1 loops=1)
                       Output: d.oid, d.datname, d.datdba, d.encoding, d.datlocprovider, d.datistemplate, d.datallowconn, d.dathasloginevt, d.datconnlimit, d.datfrozenxid, d.datminmxid, d.dattablespace, d.datcollate, d.datctype, d.datlocale, d.daticurules, d.datcollversion, d.datacl
                       Filter: (d.datname = current_database())
                       Rows Removed by Filter: 4
                 ->  Function Scan on pg_catalog.pg_stat_get_activity s  (cost=0.00..1.63 rows=3 width=16) (actual time=1.628..1.628 rows=0 loops=1)
                       Output: s.datid, s.pid, s.usesysid, s.application_name, s.state, s.query, s.wait_event_type, s.wait_event, s.xact_start, s.query_start, s.backend_start, s.state_change, s.client_addr, s.client_hostname, s.client_port, s.backend_xid, s.backend_xmin, s.backend_type, s.ssl, s.sslversion, s.sslcipher, s.sslbits, s.ssl_client_dn, s.ssl_client_serial, s.ssl_issuer_dn, s.gss_auth, s.gss_princ, s.gss_enc, s.gss_delegation, s.leader_pid, s.query_id
                       Function Call: pg_stat_get_activity(NULL::integer)
                       Filter: ((s.state <> 'idle'::text) AND (s.application_name = ANY ('{zitadel_es_pusher_,zitadel_es_pusher,zitadel_es_pusher_<INSTANCE_ID>}'::text[])))
                       Rows Removed by Filter: 42
   ->  Sort  (cost=290.58..290.60 rows=9 width=361) (actual time=4.685..4.685 rows=0 loops=1)
         Output: events2.created_at, events2.event_type, events2.sequence, events2."position", events2.payload, events2.creator, events2.owner, events2.instance_id, events2.aggregate_type, events2.aggregate_id, events2.revision, events2.in_tx_order
         Sort Key: events2."position", events2.in_tx_order
         Sort Method: quicksort  Memory: 25kB
         ->  Index Scan using es_projection on eventstore.events2  (cost=0.70..290.43 rows=9 width=361) (actual time=4.616..4.617 rows=0 loops=1)
               Output: events2.created_at, events2.event_type, events2.sequence, events2."position", events2.payload, events2.creator, events2.owner, events2.instance_id, events2.aggregate_type, events2.aggregate_id, events2.revision, events2.in_tx_order
               Index Cond: ((events2.instance_id = '<INSTANCE_ID>'::text) AND (events2.aggregate_type = ANY ('{project,instance,org}'::text[])) AND (events2.event_type = ANY ('{project.application.added,project.application.changed,project.application.deactivated,project.application.reactivated,project.application.removed,project.removed,project.application.config.api.added,project.application.config.api.changed,project.application.config.api.secret.changed,project.application.config.api.secret.updated,project.application.config.oidc.added,project.application.config.oidc.changed,project.application.config.oidc.secret.changed,project.application.config.oidc.secret.updated,project.application.config.saml.added,project.application.config.saml.changed,org.removed,instance.removed}'::text[])) AND (events2."position" > <POSITION>) AND (events2."position" < (InitPlan 1).col1))
 Query Identifier: -8254550537132386499
 Planning Time: 2.864 ms
 Execution Time: 5.414 ms
 ```
2025-03-13 16:50:23 +01:00
Livio Spring
ed697bbd69
fix(OIDC): back channel logout work for custom UI (#9487)
# Which Problems Are Solved

When using a custom / new login UI and an OIDC application with
registered BackChannelLogoutUI, no logout requests were sent to the URI
when the user signed out.
Additionally, as described in #9427, an error was logged:
`level=error msg="event of type *session.TerminateEvent doesn't
implement OriginEvent"
caller="/home/runner/work/zitadel/zitadel/internal/notification/handlers/origin.go:24"`

# How the Problems Are Solved

- Properly pass `TriggerOrigin` information to session.TerminateEvent
creation and implement `OriginEvent` interface.
- Implemented `RegisterLogout` in `CreateOIDCSessionFromAuthRequest` and
`CreateOIDCSessionFromDeviceAuth`, both used when interacting with the
OIDC v2 API.
- Both functions now receive the `BackChannelLogoutURI` of the client
from the OIDC layer.

# Additional Changes

None

# Additional Context

- closes #9427
2025-03-11 14:19:09 +00:00
Livio Spring
e6ce1af003
fix(token exchange): properly return an error if membership is missing (#9468)
# Which Problems Are Solved

When requesting a JWT (`urn:ietf:params:oauth:token-type:jwt`) to be
returned in a Token Exchange request, ZITADEL would panic if the `actor`
was not granted the necessary permission.

# How the Problems Are Solved

Properly check the error and return it.

# Additional Changes

None

# Additional Context

- closes #9436
2025-03-11 11:14:18 +00:00
Max Peintner
27b319bd98
fix(login): passkey setup when pressing "Enter" key on login form (#9485)
# Which Problems Are Solved

When registering passkeys or u2f methods as second factor, some users
pressed the "Enter" key, rather than clicking the submit button. This
method has bypassed the execution of the device registration and
encoding scripts, resulting in the form being submitted without the
necessary encoded values.

# How the Problems Are Solved

This PR ensures that device registration is always executed and the
required information are submitted in the form regardless of pressing
"Enter" or clicking the button.

# Additional Changes

None

# Additional Context

- closes #6592
- closes #2910
2025-03-07 09:51:39 +00:00
Max Peintner
a82f5805b6
fix(login): improve webauthn error handling (#9474)
This PR improves error handling around webauthn functions in the login.
2025-03-05 14:47:48 +00:00
Iraq
b0fa974419
fix(actions): Linking external account doesn't trigger flow "External Authentication" on "Post Authentication" on first login (#9397)
# Which Problems Are Solved

When logging in using exeternal idp to Zitadel using SAML with action
setup to override existing Zitadel account attributes (first name/last
name/display name ect) with that of external linked idp account as
described here:
https://zitadel.com/docs/guides/integrate/identity-providers/azure-ad-saml#add-action-to-map-user-attributes,
does not happen until the next time the user logs in using the external
idp

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9133

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-03-05 11:21:23 +01:00
Mateusz Wolanowski
007c96d54a
feat: add Romanian language support (#9388)
# Which Problems Are Solved

- Lack of support for the Romanian language in the application.

# How the Problems Are Solved

- Added translations for the Romanian language

---------

Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
2025-03-04 17:09:21 +00:00
Stefan Benz
0c87a96e2c
feat: actions v2 for functions (#9420)
# Which Problems Are Solved

Actions v2 are not executed in different functions, as provided by the
actions v1.

# How the Problems Are Solved

Add functionality to call actions v2 through OIDC and SAML logic to
complement tokens and SAMLResponses.

# Additional Changes

- Corrected testing for retrieved intent information
- Added testing for IDP types
- Corrected handling of context for issuer in SAML logic

# Additional Context

- Closes #7247 
- Dependent on https://github.com/zitadel/saml/pull/97
- docs for migration are done in separate issue:
https://github.com/zitadel/zitadel/issues/9456

---------

Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
2025-03-04 11:09:30 +00:00
Tim Möhlmann
e670b9126c
fix(permissions): chunked synchronization of role permission events (#9403)
# Which Problems Are Solved

Setup fails to push all role permission events when running Zitadel with
CockroachDB. `TransactionRetryError`s were visible in logs which finally
times out the setup job with `timeout: context deadline exceeded`

# How the Problems Are Solved

As suggested in the [Cockroach documentation](timeout: context deadline
exceeded), _"break down larger transactions"_. The commands to be pushed
for the role permissions are chunked in 50 events per push. This
chunking is only done with CockroachDB.

# Additional Changes

- gci run fixed some unrelated imports
- access to `command.Commands` for the setup job, so we can reuse the
sync logic.

# Additional Context

Closes #9293

---------

Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
2025-02-26 16:06:50 +00:00
KevinRSI
70bddceda8
fix(user fields): missing creationDate in details (#9250)
# Which Problems Are Solved

The `creationDate` property on user search V2 endpoint was missing

# How the Problems Are Solved

Added property in v2 `object.proto` and in the function creating the
details on each call

# Additional Changes
- none
# Additional Context
closes #8552

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 13:00:04 +00:00
Livio Spring
8f88c4cf5b
feat: add PKCE option to generic OAuth2 / OIDC identity providers (#9373)
# Which Problems Are Solved

Some OAuth2 and OIDC providers require the use of PKCE for all their
clients. While ZITADEL already recommended the same for its clients, it
did not yet support the option on the IdP configuration.

# How the Problems Are Solved

- A new boolean `use_pkce` is added to the add/update generic OAuth/OIDC
endpoints.
- A new checkbox is added to the generic OAuth and OIDC provider
templates.
- The `rp.WithPKCE` option is added to the provider if the use of PKCE
has been set.
- The `rp.WithCodeChallenge` and `rp.WithCodeVerifier` options are added
to the OIDC/Auth BeginAuth and CodeExchange function.
- Store verifier or any other persistent argument in the intent or auth
request.
- Create corresponding session object before creating the intent, to be
able to store the information.
- (refactored session structs to use a constructor for unified creation
and better overview of actual usage)

Here's a screenshot showing the URI including the PKCE params:


![use_pkce_in_url](https://github.com/zitadel/zitadel/assets/30386061/eaeab123-a5da-4826-b001-2ae9efa35169)

# Additional Changes

None.

# Additional Context

- Closes #6449
- This PR replaces the existing PR (#8228) of @doncicuto. The base he
did was cherry picked. Thank you very much for that!

---------

Co-authored-by: Miguel Cabrerizo <doncicuto@gmail.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 12:20:47 +00:00
MAHANTH-wq
32ec7d0aa9
feat(\internal): sorting column on ListIAMMembersRequest (#9203)
# Which Problems Are Solved


SortingColumn functionality on system API ListIAMMembers

SortingColumn functionality on admin API ListIAMMembers

# How the Problems Are Solved

I have added enum MemberFieldColumnName in` member.proto `file ,
consists of names of the columns on which the request can be sorted.
    MEMBER_FIELD_NAME_UNSPECIFIED = 0;
    MEMBER_FIELD_NAME_USER_ID=1;
    MEMBER_FIELD_NAME_CREATION_DATE = 2;
    MEMBER_FIELD_NAME_CHANGE_DATE=3;
    MEMBER_FIELD_NAME_USER_RESOURCE_OWNER=4
I have added field Sorting Column for ListIAMMembersRequest in`
system.proto` file. I have added field Sorting Column for
ListIAMMembersRequest in` admin.proto` file.
I have modified ListIAMMembersRequestToQuery function in file
`internal/api/grpc/system/instance_converter.go `to include sorting
column in the query.SearchRequest{}.
I have modified ListIAMMembersRequestToQuery function in file
`internal/api/grpc/admin/iam_member_converter.go ` to include sorting
column in the query.SearchRequest{}.

# Additional Changes

Replace this example text with a concise list of additional changes that
this PR introduces, that are not directly solving the initial problem
but are related.
For example:
- The docs explicitly describe that the property XY is mandatory
- Adds missing translations for validations.

# Additional Context

Replace this example with links to related issues, discussions, discord
threads, or other sources with more context.
Use the Closing #issue syntax for issues that are resolved with this PR.
- Closes https://github.com/zitadel/zitadel/issues/5063
- Discussion #xxx
- Follow-up for PR #xxx
-
https://discordapp.com/channels/927474939156643850/1329872809488416789/1329872809488416789

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-02-26 11:48:51 +01:00
Livio Spring
911200aa9b
feat(api): allow Device Authorization Grant using custom login UI (#9387)
# Which Problems Are Solved

The OAuth2 Device Authorization Grant could not yet been handled through
the new login UI, resp. using the session API.
This PR adds the ability for the login UI to get the required
information to display the user and handle their decision (approve with
authorization or deny) using the OIDC Service API.

# How the Problems Are Solved

- Added a `GetDeviceAuthorizationRequest` endpoint, which allows getting
the `id`, `client_id`, `scope`, `app_name` and `project_name` of the
device authorization request
- Added a `AuthorizeOrDenyDeviceAuthorization` endpoint, which allows to
approve/authorize with the session information or deny the request. The
identification of the request is done by the `device_authorization_id` /
`id` returned in the previous request.
- To prevent leaking the `device_code` to the UI, but still having an
easy reference, it's encrypted and returned as `id`, resp. decrypted
when used.
- Fixed returned error types for device token responses on token
endpoint:
- Explicitly return `access_denied` (without internal error) when user
denied the request
  - Default to `invalid_grant` instead of `access_denied`
- Explicitly check on initial state when approving the reqeust
- Properly handle done case (also relates to initial check) 
- Documented the flow and handling in custom UIs (according to OIDC /
SAML)

# Additional Changes

- fixed some typos and punctuation in the corresponding OIDC / SAML
guides.
- added some missing translations for auth and saml request

# Additional Context

- closes #6239

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-02-25 07:33:13 +01:00
Iraq
f2e82d57ac
fix: adding code to test ListUsers with and without permission_check_v2 flag set (#9383)
# Which Problems Are Solved

Enhancing `v2/ListUsers()` tests by adding code to run all test with and
without `permission_check_v2` flag set

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9356

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-24 16:29:51 +00:00
Iraq
9aad207ee4
fix(permissions): return current user when calling ListUsers() when user does not have permissions (#9374)
# Which Problems Are Solved

When running `ListUsers()` with no permissions, the calling user shoud
be returned

# How the Problems Are Solved

Added additional clause to SQL search statement 

# Additional Changes

n/a

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/9355

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-20 15:39:48 +00:00
Stefan Benz
93466055ee
test: add sink functionality for idp intents (#9116)
# Which Problems Are Solved

New integration tests can't use command side to simulate successful
intents.

# How the Problems Are Solved

Add endpoints to only in integration tests available sink to create
already successful intents.

# Additional Changes

None

# Additional Context

Closes #8557

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-02-20 13:27:20 +01:00
Kenta Yamaguchi
9b35b98cae
fix(i18n): add some missing elements in Japanese (#9353)
# Which Problems Are Solved

Some i18n elements are not translated in Japanese yet.

# How the Problems Are Solved

Add some missing i18n elements to `console/src/assets/i18n/ja.json`,
`internal/api/ui/login/static/i18n/ja.yaml`, and
`internal/static/i18n/ja.yaml`.

More details are following:
- `console/src/assets/i18n/ja.json`
  - `POLICY.PRIVATELABELING.BACKGROUNDCOLOR`
  - `POLICY.PRIVATELABELING.PRIMARYCOLOR`
  - `POLICY.PRIVATELABELING.WARNCOLOR`
  - `POLICY.PRIVATELABELING.FONTCOLOR`
  - `POLICY.LOGIN_TEXTS.MESSAGE_TEXTS.TYPES.IU`
  - `IDP.CREATE.APPLE.TITLE`
  - `IDP.CREATE.APPLE.DESCRIPTION`
  - `IDP.CREATE.SAML.TITLE`
  - `IDP.CREATE.SAML.DESCRIPTION`
  - `IDP.APPLE.TEAMID`
  - `IDP.APPLE.KEYID`
  - `IDP.APPLE.PRIVATEKEY`
  - `IDP.APPLE.UPDATEPRIVATEKEY`
  - `IDP.APPLE.UPLOADPRIVATEKEY`
  - `IDP.KEYMAXSIZEEXCEEDED`
  - `IDP.SAML.METADATAXML`
  - `IDP.SAML.METADATAURL`
  - `IDP.SAML.BIDNING`
  - `IDP.SAML.SIGNEDREQUEST`
  - `IDP.SAML.NAMEIDFORMAT`
  - `IDP.SAML.TRANSIENTMAPPINGATTRIBUTENAME`
  - `IDP.SAML.TRANSIENTMAPPINGATTRIBUTENAME_DESC`
  - `SMTP.LIST.DIALOG.TEST_TITLE`
  - `SMTP.LIST.DIALOG.TEST_DESCRIPTION`
  - `SMTP.LIST.DIALOG.TEST_EMAIL`
  - `SMTP.LIST.DIALOG.TEST_RESULT`
- `internal/api/ui/login/static/i18n/ja.yaml`
  - `LDAP.Title`
  - `LDAP.Description`
  - `LDAP.LoginNameLabel`
  - `LDAP.PasswordLabel`
  - `LDAP.NextButtonText`
  - `PasswordChange.Footer`
  - `Footer.SupportEmail`
  - `Errors.User.AlreadyExists`
  - `Errors.User.Profile.NotFound`
  - `Errors.User.Profile.NotChanged`
  - `Errors.User.Profile.Empty`
  - `Errors.User.Profile.FirstNameEmpty`
  - `Errors.User.Profile.LastNameEmpty`
  - `Errors.User.Profile.IDMissing`
  - `Errors.User.Email.NotFound`
  - `Errors.User.Email.Invalid`
  - `Errors.User.Email.AlreadyVerified`
  - `Errors.User.Email.NotChanged`
  - `Errors.User.Email.Empty`
  - `Errors.User.Email.IDMissing`
  - `Errors.User.Phone.NotFound`
  - `Errors.User.Phone.Invalid`
  - `Errors.User.Phone.AlreadyVerified`
  - `Errors.User.Phone.Empty`
  - `Errors.User.Phone.NotChanged`
  - `Errors.User.Address.NotFound`
  - `Errors.User.Address.NotChanged`
  - `Errors.User.Username.AlreadyExists`
  - `Errors.User.Username.Reserved`
  - `Errors.User.Username.Empty`
  - `Errors.Org.LoginPolicy.RegistrationNotAllowed`
- `internal/static/i18n/ja.yaml`
  - `Errors.SMSConfig.NotExternalVerification`
  - `Errors.User.Profile.Empty`
  - `Errors.User.Profile.FirstNameEmpty`
  - `Errors.User.Profile.LastNameEmpty`
  - `Errors.User.Email.Empty`
  - `Errors.User.Email.IDMissing`
  - `Errors.User.Phone.Empty`
  - `Errors.User.Phone.NotChanged`
  - `Errors.User.Username.Empty`
  - `Errors.Org.LabelPolicy.NotFound`
  - `Errors.Org.LabelPolicy.NotChanged`
  - `EventTypes.project.application.oidc.key.added`
  - `EventTypes.project.application.oidc.key.removed`

# Additional Changes

- Change some order of the elements in `internal/static/i18n/ja.yaml`
  - `EventTypes.user.human.password.change.sent`
  - `EventTypes.user.human.password.hash.updated`
- Remove an element which is not used in the `us.yaml` from
`internal/static/i18n/ja.yaml`
  - `EventTypes.user.phone.removed`
- Correct a translation in `internal/static/i18n/ja.yaml`
  - `EventTypes.user.human.password.change.sent`
2025-02-19 12:51:53 +00:00
Iraq
5bbb953ffb
feat(ldap): adding root ca option to ldap config (#9292)
# Which Problems Are Solved

Adding ability to add a root CA to LDAP configs

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/7888

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
2025-02-18 10:06:50 +00:00
Ramon
3042bbb993
feat: Use V2 API's in Console (#9312)
# Which Problems Are Solved
Solves #8976

# Additional Changes
I have done some intensive refactorings and we are using the new
@zitadel/client package for GRPC access.

# Additional Context
- Closes #8976

---------

Co-authored-by: Max Peintner <peintnerm@gmail.com>
2025-02-17 19:25:46 +01:00
Iraq
0cb0380826
feat: updating eventstore.permitted_orgs sql function (#9309)
# Which Problems Are Solved

Performance issue for GRPC call `zitadel.user.v2.UserService.ListUsers`
due to lack of org filtering on `ListUsers`

# Additional Context

Replace this example with links to related issues, discussions, discord
threads, or other sources with more context.
Use the Closing #issue syntax for issues that are resolved with this PR.
- Closes https://github.com/zitadel/zitadel/issues/9191

---------

Co-authored-by: Iraq Jaber <IraqJaber@gmail.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-02-17 11:55:28 +02:00