…urable
# Which Problems Are Solved
BaseURI defined in environment variables or configuration files was
ignored for Login v2 feature flag.
# How the Problems Are Solved
Define BaseURI as string so that the environment variables and
configuration files can be parsed into it.
# Additional Changes
None
# Additional Context
Closes#10405
(cherry picked from commit 2a78fdfe1f)
# Which Problems Are Solved
Emails are still send only with URLs to login v1.
# How the Problems Are Solved
Add configuration for URLs as URL templates, so that links can point at
Login v2.
# Additional Changes
None
# Additional Context
Closes#10236
---------
Co-authored-by: Marco A. <marco@zitadel.com>
(cherry picked from commit 0a14c01412)
# Which Problems Are Solved
This change makes it easier to delete the integration database
# How the Problems Are Solved
Gives the integration database a volume you can address via name
`docker volume rm config_zitadel_integration_db`
(cherry picked from commit 2718d345b8)
# Which Problems Are Solved
We noticed that the startup for v4 was way slower than v3. A query
without an instanceID filter could be traced back to the systemID query
of the service ping.
# How the Problems Are Solved
A an empty instanceID to the query to ensure it used an appropriate
index.
# Additional Changes
None
# Additional Context
- Closes https://github.com/zitadel/zitadel/issues/10390
- backport to v4.x
(cherry picked from commit 9621d357c0)
# Which Problems Are Solved
The recently released NodeJS client libraries were missing
documentation, which made it difficult for developers to understand and
use the new features.
# How the Problems Are Solved
This pull request introduces the necessary documentation for the new
NodeJS client library, covering their installation and basic usage.
# Additional Changes
None.
# Additional Context
This documentation supports the recent client library release.
---------
Co-authored-by: Max Peintner <max@caos.ch>
(cherry picked from commit 20a213a3f2)
<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->
# Which Problems Are Solved
Next.js's Image Optimization feature requires that hostnames for remote
images be explicitly defined in the `next.config.js` file via
`remotePatterns`. This configuration is static and evaluated at **build
time**.
However, the `ZITADEL_API_URL`, which is supposed to be used for
additional whitelisted hostnames, is a dynamic environment variable only
known at **run time**. This creates a fundamental conflict, making it
impossible to add the user-provided URL to the configuration when
building the public Docker image. Consequently, images like instance
logos fail to load.
The existing workaround uses a permissive wildcard pattern
(`*.zitadel.*`). This is a significant security risk, as it could allow
malicious actors to abuse the server as an open image-resizing proxy,
leading to potential denial-of-service (DDoS) attacks or excessive
costs.
# How the Problems Are Solved
This change disables the Next.js Image Optimization feature entirely by
setting `unoptimized: true` in the `images` configuration.
By doing this, Next.js will no longer attempt to optimize, cache, or
validate remote image sources. Instead, it will pass the original image
URL directly to the client. This approach resolves the issue by:
1. **Eliminating the need for `remotePatterns`**, which bypasses the
build-time vs. run-time configuration conflict.
2. **Improving security** by removing the overly permissive wildcard
pattern.
3. **Ensuring functionality**, as remote images now load correctly.
The trade-off is the loss of performance benefits from Next.js image
optimization, but I see this as an acceptable compromise to restore
essential functionality and secure the application.
Fixes#10456
Co-authored-by: Max Peintner <max@caos.ch>
(cherry picked from commit 7a9cc5c456)
old status page URL: status.zitadel.com
new status page URL: zitadelstatus.com
Co-authored-by: Florian Forster <florian@zitadel.com>
(cherry picked from commit 756f81534a)
<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->
# Which Problems Are Solved
Links to technical advisories were broken.
# How the Problems Are Solved
* Update links in docs
* Add TA to our newsletter subscription form
* Update website to link to the subscription form
(cherry picked from commit 75fe4eb651)
# Which Problems Are Solved
Zitadel tools expects a PKCS1 key, but OpenSSL provides a PKCS8 key.
# How the Problems Are Solved
Add `-traditional` to the documentation OpenSSL command, to generate a
PKCS1 key.
# Additional Changes
None
# Additional Context
Closes#7268
(cherry picked from commit ef799b9a7e)
Adds a step-by-step guide for configuring SCIM provisioning from Okta
into ZITADEL using a service user with the Org User Manager role,
including authentication options and SCIM endpoint details.
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit 2abcec00e8)
Since the support form is deployed in the customer portal I updated the
instructions and screenshots.
---------
Co-authored-by: Maximilian <mpa@zitadel.com>
(cherry picked from commit 763825cd2c)
Introduce benchmark documentation and results for various endpoints in
the Zitadel v4 release, including performance metrics and test
configurations.
(cherry picked from commit 9a799a7c7b)
# Which Problems Are Solved
- The proxy examples are updated so a self-hosted login container is
deployed.
- The proxies are configured to direct traffic at /ui/v2/login to it.
# How the Problems Are Solved
The base compose file is extended by correctly configured login
containers for all three scenarios
- TLS disabled
- External TLS
- TLS Enabled
The proxy always connects to the login via HTTP.
# Additional Changes
- All proxies have the TLS disabled mode outcommented, because the login
container has state problems, maybe because it needs secure cookies. The
need for this is unclear, so we avoid creating a follow-up issue.
- The httpd external mode is incommented, as gRPC connections work with
this configuration.
- *ZITADEL* is replaced by *Zitadel*
# Additional Context
- Partially Closes#10016
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit 4930870504)
# Which Problems Are Solved
The Knative docs are removed, as they are not relevant enough.
# How the Problems Are Solved
- The docs page is removed
- The sidebar item is removed
# Additional Context
- Partially Closes#10016
(cherry picked from commit 5f7851768b)
# Which Problems Are Solved
This PR resolves#4845 by enhancing the OIDC Playground:
* set default instance domain to `http://localhost:8080`
* openid checkbox is now disabled
* add explanation texts for custom zitadel scopes
# How the Problems Are Solved
* The checkbox for the `openid` scope is set to `disabled`
* The default value for the instance domain is update by using
`setInstance`
* A new map with explanation texts for the custom scopes is introduced.
During the rendering process of the scope checkboxes the value from this
map is displayed, if the scope exists as key.
# Additional Changes
During the local setup of the documentation webapp I got some react
errors on the authrequest page. This issue has ben solved by refactoring
the usage of an `useEffect` block.
# Additional Context
- Closes#4845
PS.
I did not found any scripts for linting/formatting (e.g. eslint,
prettier) for the docs project. This is a bit annoying because when I
use my local configurations of eslint/prettier the whole file get's
refactored with unnecessary changes (change of import order, indention
etc.). It would be great to add some custom configurations to to make
the development process easier and enforce a consistent coding style :)
Co-authored-by: Markus Heinemann <markus@trustify.ch>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
(cherry picked from commit 1728297d3c)
# Which Problems Are Solved
partially #9342
# How the Problems Are Solved
Suggested changes.
"Resource Owner" will remain in a couple of places, since these are
terms that are used in console / APIs.
# Additional Changes
# Additional Context
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit f73b2fefd6)
# Which Problems Are Solved
The roadmap page is not up to date with the latest changes that have
been released with Zitadel v4.
# How the Problems Are Solved
Update the doc according to #10309
# Dependencies
- https://github.com/zitadel/zitadel/pull/10249 -> Update the API docs
with deprecated endpoints
- https://github.com/zitadel/zitadel/pull/10364 -> Actions v2 beta to v2
# Additional Context
- Closes#10309
(cherry picked from commit c6392e175f)
This PR sets the page title to the same title as the respective pages
and introduces a default title ("Login with Zitadel").
Closes#10282
# Which Problems Are Solved
Missing page title on pages.
# How the Problems Are Solved
Using the hosted translation service, we load and merge properties to
set the page title
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 772e9c5e3d)
# Which Problems Are Solved
This PR fixes an issue where all features where patched, instead of a
single one. This led to instance overrides which were not intended.
With this change, an update is executed whenever a toggle is hit, only
containing the respective feature, not all.
# How the Problems Are Solved
The console application was overriding the feature settings as an entire
request. A toggle change is now only changing the desired and targeted
feature using partial patches.
# Additional Context
Closes#10459
---------
Co-authored-by: Elio Bischof <elio@zitadel.com>
(cherry picked from commit d8518d48f2)
# Which Problems Are Solved
Typo in environment variable reference for
OIDC:DeviceAuth:UserCode:CharAmount config
`ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARARMOUNT` - _CHARA_**~~R~~**_MOUNT_
# How the Problems Are Solved
Fixed the typo `ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARAMOUNT`
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit 30175041c1)
# Which Problems Are Solved
Project Admins would get permission errors when trying to add project
roles
# How the Problems Are Solved
Fixed wrong parameters were being passed into the permission check
- Closes https://github.com/zitadel/zitadel/issues/10505
(cherry picked from commit 24a7d3ceb1)
# Which Problems Are Solved
EntraID userinfo gets incorrectly unmarshalled again in the
`RetrieveIdentityProviderIntent` endpoint.
# How the Problems Are Solved
Correctly use the already available information and not try to marshall
it into a `RawInformation` struct again.
# Additional Changes
None
# Additional Context
Closes https://github.com/zitadel/typescript/issues/578
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 93ea30ba2e)
Fix: Pin buf protoc plugin versions to resolve runtime protobuf
compatibility issues
# Which Problems Are Solved
The console application was experiencing a runtime error "requireUtf8 is
not a function" when the authentication service attempted to deserialize
protobuf messages. This error started occurring recently due to
automatic updates of buf protoc plugins.
# How the Problems Are Solved
pinning of the versions in buf.gen.yml and package.json
(cherry picked from commit cf02c4231a)
# Which Problems Are Solved
User enumeration was possible on the select account page by passing any userID as part of the form POST. Existing users could be selected even if they never authenticated on the same user agent (browser).
# How the Problems Are Solved
A check for an existing session on the same user agent was added to the select user function, resp. only required for the account selection page, since in other cases there doesn't have to be an existing session and the user agent integrity is already checked.
# Additional Changes
None
# Additional Context
None
(cherry picked from commit 7abe759c95)
# Which Problems Are Solved
While investigating a support ticket, it was discovered that some
queries using equals or not equals without case matching were not
correctly escaping the value to compare. If a value contained a
backslash (`\`) the row would not match.
# How the Problems Are Solved
- Fixed the escaping for backslash for `like` operations.
- Changed equals and not equals comparison without case matching to `=`
instead of `like`.
# Additional Changes
None
# Additional Context
- related to a support request
- requires backport to v.3 and v4.x
(cherry picked from commit 6c8d027e72)
The `/introspect` endpoint showed poor performance during v4 load
testing due to an inefficient database query in
`internal/query/introspection_client_by_id.sql`. This PR optimizes the
query structure to significantly improve performance.
## Query Optimizations
**UNION → UNION ALL**: Changed expensive `UNION` to `UNION ALL` since
`client_id` is unique across both API and OIDC config tables,
eliminating unnecessary deduplication overhead (30-50% improvement
expected).
**Simplified Keys CTE**: Optimized the keys lookup logic by using
`$2::text as client_id` instead of `identifier as client_id` with `group
by`, and added explicit `$3 = true` condition to the LEFT JOIN for
better query planning.
**Enhanced Readability**: Added consistent table aliases (c, a, p, o, k)
for better maintainability.
## Benefits
- **Zero-downtime deployment**: Uses existing database indexes, no
schema changes required
- **Secondary performance gains**: Other similar queries
(`oidc_client_by_id.sql`, `userinfo_client_by_id.sql`) will also benefit
from the optimizations
- **Minimal code changes**: Only 13 lines added, 9 lines removed in the
SQL query
- **Backward compatible**: Same result set and API behavior
The optimized query maintains the same functionality while providing
significant performance improvements for the introspection endpoint
under high concurrent load.
Fixes#10389.
<!-- START COPILOT CODING AGENT TIPS -->
---
💬 Share your feedback on Copilot coding agent for the chance to win a
$200 gift card! Click
[here](https://survey.alchemer.com/s3/8343779/Copilot-Coding-agent) to
start the survey.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: muhlemmer <5411563+muhlemmer@users.noreply.github.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
(cherry picked from commit a28950661c)
# Which Problems Are Solved
Some events that are now unused are clogging the event queue from time
to time.
# How the Problems Are Solved
Remove the events described in #10458
# Additional Changes
- Updated `stringer` and `enumer` in Makefile target `core_generate_all`
to resolve generated files compilation issues
# Notes
It looks like there are a lot of changes, but most of it is fixing
translation files. I suggest doing a review per-commit
# Additional Context
- Closes#10458
- Depends on https://github.com/zitadel/zitadel/pull/10513
(cherry picked from commit e8a9cd6964)
Closes#10413
This PR changes the logout success page of the V2 login to
`/logout/done` and accepts both `post_logout_redirect` as well as
`post_logout_redirect_uri` as a param for the post logout url.
# Which Problems Are Solved
The new Login V2 aligns with the login V1 now.
Accepts `post_logout_redirect` as well as `post_logout_redirect_uri` as
a param for the post logout url.
# How the Problems Are Solved
Both search params are now accepted.
(cherry picked from commit 98fb8b4209)
# Which Problems Are Solved
`ListAppKeys()` does not work properly, in that it does not return any
app keys.
# How the Problems Are Solved
The issue stems from a mistake SQL query not joining the
`projections.authn_keys2` table to `projections.projects4` instead of
joining to `projections.apps7`
# Additional Changes
`ListAppKeys()` returns the app key IDs in order of their creation
- Closes https://github.com/zitadel/zitadel/issues/10420
- backport to v4.x
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit a637ae5aa5)
## Which problems are solved
The execution of statements of projections did not have the context
present.
## How the problems were solved
Pass the context to the execute function
## Additional info
This change is required to use the repositories of the relational tables
in projections.
(cherry picked from commit 20e7807ee5)
Removes manual schema and application name setup via raw SQL and
switches to using River’s built-in schema configuration.
# Which Problems Are Solved
River provides a configuration flag to set the schema of the queue.
Zitadel sets the schema through database statements which is not needed
anymore.
# How the Problems Are Solved
Set the schema in the river configuration and removed old code
(cherry picked from commit b5f97d64b0)
<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->
# Which Problems Are Solved
Don't show the external IdP section, if none are configured.
# How the Problems Are Solved
- Checks if the length of `identityProviders` is non-empty.
# Additional Changes
- Added 2 additional null-checks for `identityProviders`
# Additional Context
- Closes#10401
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit a718267191)
# Which Problems Are Solved
When a user with an `ORG_PROJECT_CREATOR` role tries to create a
project, the request fails with `No matching permissions found
(AUTH-AWfge)` error. This is because `project.write` was set as the
required permission instead of `project.create` during project creation.
# How the Problems Are Solved
By setting the right required permission (`project.create`) while
creating new projects.
# Additional Changes
N/A
# Additional Context
- Closes#10399
(cherry picked from commit 0929c4d235)
# Which Problems Are Solved
The new login UI user case sensitive matching for usernames and email
addresses. This is different from the v1 login and not expected by
customers, leading to not found user errors.
# How the Problems Are Solved
The user search is changed to case insensitive matching.
# Additional Changes
None
# Additional Context
- reported by a customer
- requires backport to 4.x
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 0318edcd3b)
This PR fixes an issue where a user was not redirected to an IDP
correctly if the user has entered the loginname and has an IDP as single
auth method
(cherry picked from commit a48cacfb02)
# Which Problems Are Solved
Currently, the prometheus endpoint metrics contain otel specific labels
that increase the overall metric size to the point that the exemplar
implementation in the underlying prom exporter library throws an error,
see https://github.com/zitadel/zitadel/issues/10047. The MaxRuneSize for
metric refs in exemplars is 128 and many of metrics cross this because
of `otel_scope_name`.
# How the Problems Are Solved
This change drops those otel specific labels on the prometheus exporter:
`otel_scope_name` and `otel_scope_version`
Current metrics example:
```
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_version="0.53.0",le="0"} 0
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_version="0.53.0",le="5"} 100
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_version="0.53.0",le="10"} 100
...
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/ListIAMMemberRoles",otel_scope_name="",otel_scope_version="",return_code="200"} 3
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/ListIAMMembers",otel_scope_name="",otel_scope_version="",return_code="200"} 3
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/ListMilestones",otel_scope_name="",otel_scope_version="",return_code="200"} 1
```
New example:
```
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",le="10"} 8
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",le="25"} 8
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",le="50"} 9
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",le="75"} 9
...
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/GetSupportedLanguages",return_code="200"} 1
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/ListMilestones",return_code="200"} 1
grpc_server_grpc_status_code_total{grpc_method="/zitadel.auth.v1.AuthService/GetMyLabelPolicy",return_code="200"} 3
```
# Additional Changes
None
# Additional Context
From my understanding, this change is fully spec compliant with
Prometheus and Otel:
*
https://opentelemetry.io/docs/specs/otel/compatibility/prometheus_and_openmetrics/#instrumentation-scope
However, these tags were originally added as optional labels to
disambiguate metrics. But I'm not sure we need to care about that right
now? My gut feeling is that exemplar support (the ability for traces to
reference metrics) would be a preferable tradeoff to this label
standard.
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
(cherry picked from commit 532932ef94)
