* docs(oidc): token exchange beta feature info
This change adds an info box to the token exchange documentation, informing the reader of the beta state of the feature and how to enable it.
* Update docs/docs/apis/openidoauth/endpoints.mdx
Co-authored-by: Fabi <fabienne@zitadel.com>
* Update docs/docs/guides/integrate/token-exchange.mdx
Co-authored-by: Fabi <fabienne@zitadel.com>
---------
Co-authored-by: Fabi <fabienne@zitadel.com>
* fix: add resource owner as query for user v2 ListUsers and clean up deprecated attribute
* fix: add resource owner as query for user v2 ListUsers and clean up deprecated attribute
* fix: add resource owner as query for user v2 ListUsers and clean up deprecated attribute
* fix: review changes
* fix: review changes
* fix: review changes
* fix: review changes
* fix: add password change required to user v2 get and list
* fix: update unit tests for query side with new column and projection
* fix: change projection in setup steps
* fix: change projection in setup steps
* fix: remove setup step 25
* fix: add password_change_required into ListUsers response
* fix: correct SetUserPassword parameters
* fix: rollback to change setup instead of projection directly
* fix: rollback to change setup instead of projection directly
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
* fix: remove resourceowner read from context in user v2 api
* fix: lint
* fix: remove orgID in addIDPLink
* fix: remove comment as unnecessary
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
* chore: use pgx v5
* chore: update go version
* remove direct pq dependency
* remove unnecessary type
* scan test
* map scanner
* converter
* uint8 number array
* duration
* most unit tests work
* unit tests work
* chore: coverage
* go 1.21
* linting
* int64 gopfertammi
* retry go 1.22
* retry go 1.22
* revert to go v1.21.5
* update go toolchain to 1.21.8
* go 1.21.8
* remove test flag
* go 1.21.5
* linting
* update toolchain
* use correct array
* use correct array
* add byte array
* correct value
* correct error message
* go 1.21 compatible
* docs(oidc): token exchange guide
This change adds a token exchange guide which includes "simple" and impersonation examples.
The endpoint, claims and grant type documentation also has been amended with token exchange specifics.
* solve suggestions
* fix impersonated event type
* add link to event store concept
* fix links build error
* add to sidebar and update some info boxes
This PR extends the user schema service (V3 API) with the possibility to ListUserSchemas and GetUserSchemaByID.
The previously started guide is extended to demonstrate how to retrieve the schema(s) and notes the generated revision property.
fix(oidc): define audience inside auth request instead off token creation
When using the v1 OIDC Code flow, tokens would not carry the correct audience when returned as JWT. This applies to access tokens as JWT and ID tokens.
Introspection would still show the correct audience.
This happened because project audience was appended at token creation time. This stored the appended audience, used later in introspection or token refresh. However, the OIDC library still only had a view of the original auth request with the original audience.
When signing JWTs it would use this outdated information.
This change moves audience modifications to the auth request creation. This is was already the way it was done for v2 login and now v1 follows the same method.
Co-authored-by: Livio Spring <livio.a@gmail.com>
Add organizationID as query for ListUsers and clean up the deprecated Organisation attributes in other queries.
This PR removes the following fields from API requests (user service v2):
organisation from AddHumanUser (deprecated some time ago, organization still exists)
organization from GetUserByID
A customer noted that the login by email was case-sensitive, which differs to the handling of the loginname.
This PR changes the email check to be case-insensitive (which it was already in same parts) and improve the search for this as well.
It was noticed multiple time (incl. customers) that the loginname is sometimes not rendered in the UI.
This PR fixes such an issue after registration of a new user from an IdP.
* add token exchange feature flag
* allow setting reason and actor to access tokens
* impersonation
* set token types and scopes in response
* upgrade oidc to working draft state
* fix tests
* audience and scope validation
* id toke and jwt as input
* return id tokens
* add grant type token exchange to app config
* add integration tests
* check and deny actors in api calls
* fix instance setting tests by triggering projection on write and cleanup
* insert sleep statements again
* solve linting issues
* add translations
* pin oidc v3.15.0
* resolve comments, add event translation
* fix refreshtoken test
* use ValidateAuthReqScopes from oidc
* apparently the linter can't make up its mind
* persist actor thru refresh tokens and check in tests
* remove unneeded triggers
* docs: add org id header in missing requests
* docs: add org id header to proto definitions
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
feat: updated russian translations by native speaker with a user polite approach
Co-authored-by: Pavel Girilyuk <pavel.girilyuk@digitalchief.ru>
Co-authored-by: Fabi <fabienne@zitadel.com>
* feat: add projections and query side to executions and targets
* feat: add list and get endpoints for targets
* feat: add integration tests for query endpoints target and execution
* fix: linting
* fix: linting
* fix: review changes, renames and corrections
* fix: review changes, renames and corrections
* fix: review changes, renames and corrections
* fix: review changes, renames and corrections
* fix: review changes, renames and corrections
* fix: review changes, renames and corrections
* fix: remove position from list details
* feat: add ExpirationDate to MachineKey JSON detail
* fix: include time in expiration date column for machine keys table
* fix: show expiration date in ShowKeyDialog if available
* fix: add machine key expiration date note
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
