Commit Graph

4388 Commits

Author SHA1 Message Date
Livio Spring
1a08cca281 fix(deps): update saml and all other dependencies (#11067)
Updates saml and all other direct dependencies (which are possible) to
the latest version to include fixes and solve requested features:
- https://github.com/zitadel/saml/issues/103
- https://github.com/zitadel/saml/issues/104

(requires backport to v4.x at least for saml)

(cherry picked from commit 6051ce591d)

# Conflicts:
#	go.mod
#	go.sum
2025-11-13 10:36:20 +01:00
Livio Spring
6b407ab8f2 feat(api): move organization api (#11045)
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, we're moving all existing v2beta endpoints to v2 and deprecating
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR moves the remaining organization v2beta service endpoints to a
corresponding v2 version. The v2beta service and all endpoints are
deprecated.
- The v2beta endpoints are removed from the docs.
- The comments have been improved and, where not already done, moved
from swagger annotations to proto.
- When listing organizations, they can now be sorted by creation date as well.
- The custom `org_id` parameter in the `AddOrganizationRequest` message
has been deprecated in favor of `organization_id`

# Additional Changes

None

# Additional Context

- relates to #10772 
- Directly targeting v4.x since main needs to be cleaned up first with
the relation table and permission checks.
2025-11-13 08:43:38 +01:00
Livio Spring
a20dbc4ac8 fix: validate IDP linking conditions
# Which Problems Are Solved

When auto-linking was enabled on an IdP, there was no check if linking to the found user is allowed, i.e. if the corresponding IdP is active in the user's organization or if external authentication in general was allowed.

# How the Problems Are Solved

- (Re)Check the login policy of the user's organization before linking the external identity.

# Additional Changes

None

# Additional Context

None

---------

Co-authored-by: Max Peintner <peintnerm@gmail.com>
(cherry picked from commit 33c51deb20)
v4.6.6
2025-11-12 13:52:22 +01:00
Livio Spring
8d4f6082ca fix(authz): ignore unready auth methods for mfa requirement check (#11056)
# Which Problems Are Solved

The recent
[fix](2a7db64881)
made sure the Zitadel API always requires MFA if a user has set up so
even though not required by the login policy. After the deployment,
multiple users reached out that also users without any MFA set up got
the corresponding `[permission_denied] mfa required (AUTHZ-KI3p0)` error.

# How the Problems Are Solved

- Only check the set up factors which are verified and ready to use.
Ignore all unready auth methods.

# Additional Changes

None

# Additional Context

- relates to
2a7db64881
- closes https://github.com/zitadel/zitadel/issues/11055
- requires backport to v2.71.x, v3.x and v4.x

(cherry picked from commit e4a959c321)
v4.6.5
2025-11-11 10:33:18 +01:00
David Skewis
02e6190ea7 fix(console): add config for missing frameworks in app creation (#11057)
# Which Problems Are Solved

- Solves the issue of app creation when selecting go, python, ruby, php,
java, spring and node

# How the Problems Are Solved

- Adds the appropriate configs for each app type

# Additional Context

- Closes #11052

(cherry picked from commit 449285fda3)
2025-11-11 10:33:11 +01:00
Stefan Benz
d93bc88aec fix: comment in feature flags so that they can be used in env variables (#11030)
# Which Problems Are Solved

Some configuration can not be set directly through environment
variables.

# How the Problems Are Solved

Comment in the attributes, so that Zitadel uses the environment
variables.

# Additional Changes

None

# Additional Context

Closes #10913

(cherry picked from commit ae216120bd)
2025-11-11 10:33:05 +01:00
Gayathri Vijayan
2162f866ff fix(user): Updating user info when authenticating with external IDP (#11046)
# Which Problems Are Solved

User profile updates were not propagated when using External OIDC IDP +
Login V2

# How the Problems Are Solved

* `UpdateHumanUserRequest` is added to
`RetrieveIdentityProviderIntentResponse`
* `UpdateHumanUserRequest` is returned in the
`RetrieveIdentityProviderIntentResponse` when the user already exists
during external IDP auth, which is then used in the frontend to update
the user info

# Additional Changes

* Moved integration tests related to user intent to a separate test file
* Fix redirection after external IDP user registration

# Additional Context
- Closes #10838
- Follow up: https://github.com/zitadel/zitadel/issues/11053

---------

Co-authored-by: Max Peintner <peintnerm@gmail.com>
(cherry picked from commit d7e9eddb76)
2025-11-11 09:24:31 +01:00
Stefan Benz
41543725db fix: add additional binding for url with type (#11032)
# Which Problems Are Solved

Typo in URL.

# How the Problems Are Solved

Additional binding to fix typo.

# Additional Changes

None

# Additional Context

Closes #8710

(cherry picked from commit a3390a0adb)
2025-11-11 09:24:18 +01:00
Livio Spring
9c50087550 fix(actions v1): return org metadata again (#11040)
# Which Problems Are Solved

The latest fix to the organization v2beta service unintentionally
prevented actions v1 from retrieving organization metadata because of an
additional permission check.

# How the Problems Are Solved

- Implicitly allow the actions v1 org metadata query.
- V1 endpoints doing the same query also no longer require the
additional permission check as they already do the corresponding check
in the API. (same for organization domains).

# Additional Changes

None

# Additional Context

Reported by customers after the deployment of v4.6.3
v4.6.4
2025-11-05 15:44:46 +00:00
Livio Spring
bd354ded61 fix test v4.6.3 2025-11-05 09:59:51 +01:00
Livio Spring
94a51ba3fb fix linting 2025-11-05 09:51:06 +01:00
Max Peintner
b4a1beae14 fix(login): Add default organization fallback for IDP user creation #11025 (#11026)
# Which Problems Are Solved

When users authenticate via IDP (Identity Provider) without explicit
organization context, the flow could fail or create users without proper
organization assignment. This occurred when:

- No organization parameter was provided in the IDP callback
- Domain discovery didn't find a matching organization
- OIDC requests didn't include organization scopes

# How the Problems Are Solved

Implemented a fallback mechanism that ensures organization context is
always available:

- Centralized organization resolution in `resolveOrganizationForUser()`
  - First: Use explicitly provided organization
  - Second: Attempt domain discovery from username
  - Third: Fallback to default organization (NEW)
- Explicit error handling: Users are never created without organization
context. If no organization can be determined (including no default
org), the flow fails gracefully with a clear error message.
- Applied to both creation flows:
  - CASE 4: Auto-creation of users
  - CASE 5: Manual user registration

Co-authored-by: Ramon <mail@conblem.me>
(cherry picked from commit 66e04b1dad)
2025-11-05 09:39:54 +01:00
Livio Spring
8dcfff97ed fix(api): correct permission check in organization v2beta service
# Which Problems Are Solved

The organization v2beta service wrongly checked the permissions on the user's organization instead of the organization the user tried to access.

# How the Problems Are Solved

- Check permissions in business logic based on accessed organization rather than the user's organization.
  - Queries now use permission v2 to ensure this.
  - Also changed the  /  to use the same pattern even if the old was no direct issue.

# Additional Changes

None

# Additional Context

None
2025-11-05 09:36:48 +01:00
Silvan
9c5ad4efcc fix(projection): locking behavior based on configuration (#11014)
Ensure projections await running status if configured, improving
synchronization during event processing.
v4.6.2
2025-10-31 16:22:35 +01:00
Max Peintner
dd64977f8d fix(login): idp success url (#10997)
# Which Problems Are Solved

An IDP Intent could not be completed due to a missing change of the
`successUrl` property in a recent PR.

# How the Problems Are Solved

The /success page has been replaced by /process to finish the IDP flow
in all occurrences.

(cherry picked from commit c913904df3)
v4.6.1
2025-10-29 11:04:07 +01:00
Livio Spring
f7309f8295 fix: check for 2fa even if not enforced
# Which Problems Are Solved

Zitadel enforces MFA if required by the organization's policy, but did not ensure it in all cases if a user voluntarily set it up.

# How the Problems Are Solved

Ensure 2FA/MFA is required in any call to Zitadel if set up by the user, even if the policy does not require it.

# Additional Changes

None

# Additional Context

- requires backports

(cherry picked from commit b284f8474e)
v4.6.0
2025-10-29 10:14:15 +01:00
Livio Spring
d3713dfaed fix: respect lockout policy on password change (with old password) and add tar pit for checks
# Which Problems Are Solved

While the lockout policy was correctly applied on the session API and other authentication and management endpoints, it had no effect on the user service v2 endpoints.

# How the Problems Are Solved

- Correctly apply lockout policy on the user service v2 endpoints.
- Added tar pitting to auth factor checks (authentication and management API) to prevent brute-force attacks or denial of service because of user lockouts.
- Tar pitting is not active if `IgnoreUnknownUsername` option is active to prevent leaking information whether a user exists or not.

# Additional Changes

None

# Additional Context

- requires backports

* cleanup

(cherry picked from commit b8db8cdf9c)
2025-10-29 10:10:36 +01:00
Livio Spring
7520450e11 fix: sanitize host headers before use
# Which Problems Are Solved

Host headers used to identify the instance and further used in public responses such as OIDC discovery endpoints, email links and more were not correctly handled. While they were matched against existing instances, they were not properly sanitized.

# How the Problems Are Solved

Sanitize host header including port validation (if provided).

# Additional Changes

None

# Additional Context

- requires backports

(cherry picked from commit 72a5c33e6a)
2025-10-29 10:07:05 +01:00
lennartzellmer
2535f43e69 feat(api): integrates drupal7 hash verifier from passwap (#10918)
# Which Problems Are Solved

- Integrates the Drupal 7 hash verifier from passwap

# Additional Changes

- The docs inform about the option to use the Drupal 7 hash verifier
- Updates passwap to version v0.10.0

# Additional Context

- Follow-up for PR
[#passwap/pull/70](https://github.com/zitadel/passwap/pull/70)

Co-authored-by: Marco A. <marco@zitadel.com>
(cherry picked from commit f4503e07cd)
2025-10-29 06:57:44 +01:00
Livio Spring
35ad7fd9b8 feat(api): move instance service to v2 (#10919)
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, we're moving all existing v2beta endpoints to v2 and deprecating
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR moves the instance v2beta service and its endpoints to a
corresponding v2 version. The v2beta service and endpoints are
deprecated.
- The docs are moved to the new GA service and its endpoints. The v2beta
is not displayed anymore.
- The comments have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with `(google.api.field_behavior)
= REQUIRED` and validation rules have been added where missing
- `Domain` has been renamed to `CustomDomain` to align with naming
conventions
- `..Query` has been renamed to `..Filter` to align with other services
- The `instance_id` parameter can now be passed on all endpoints and is
properly used, but requires `system` permissions. It can be omitted to
use the own instance (identified by context as any other service).
  - The following endpoints are affected:
    - GetInstance
    - UpdateInstance
    - ListCustomDomains
    - AddTrustedDomain
    - RemoveTrustedDomain
    - ListTrustedDomains
- InstanceService has been added to the InstanceInterceptor's
`explicitInstanceIdServices` to allow passing the id
- If the instance is not found by id, the error is not directly returned
to prevent enumeration.
- Permissions are checked in the API instead of the interceptor for
these calls.
- Setting the same instance name in the update no longer returns an
error, but the previous change date.

# Additional Changes

none

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/10772
- requires backport to v4.x

(cherry picked from commit c2a0b9d187)
2025-10-28 15:10:54 +01:00
Max Peintner
385226fa87 fix(login): Return promise from passkey authentication to fix automatic prompt (#10991)
# Which Problems Are Solved

The passkey login page was not rendering properly in production (Cloud
Run) deployments, with the submit button and component content not
appearing. Additionally, the automatic passkey prompt was not triggering
correctly.

# How the Problems Are Solved

Added the missing return statement before `navigator.credentials.get()` in
the `submitLoginAndContinue` function. This ensures the promise is
properly returned and chained in the `useEffect` hook, fixing the
automatic passkey prompt flow.

Removes the recently introduced guides to passkeys that could result in
a hydration error due to the `<a>` tag being rendered differently on
server / client environments

# Additional Changes

This issue was most probably introduced in PR #10971. The component uses
promise chaining (.then().catch().finally()) which requires the promise
to be returned, unlike the RegisterPasskey component which uses
async/await and works correctly without an explicit return.

(cherry picked from commit fa524e3b05)
2025-10-28 15:10:10 +01:00
Livio Spring
c3a3766445 feat(api): move project service v2beta to GA (and deprecate v2beta) (#10844)
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, we're moving all existing v2beta endpoints to v2 and deprecating
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR moves the project v2beta service and its endpoints to a
corresponding v2 version. The v2beta service and endpoints are
deprecated.
- The comments have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with `(google.api.field_behavior)
= REQUIRED` and validation rules have been added where missing.
- Name ID of the project always `project_id`
- `UpdateProjectRequest` has been updated to align with the creation and
retrieval of a project:
  - `project_role_check` has been renamed to `authorization_required`
  - `has_project_check` has been renamed to `project_access_required`
- `ListProjectRequest` has been changed:
  - `project_grant_resource_owner_filter`,
`project_grant_resource_owner_filter` and
`project_organization_id_filter` have been removed and merged into a
single `organization_id_filter` where a `type` can optionally be
specified to select `owned`, `granted` or both project types within a
specified organization.
- `ListProjectGrantRequest` has been changed:
  - `project_resource_owner_filter` has been renamed to
`project_organization_id_filter`
  - `grant_resource_owner_filter` has been renamed to
`granted_organization_id_filter`

# Additional Changes

Replaced deprecated `integration.WithAuthorization` with
`integration.WithAuthorizationToken` in integration tests.

# Additional Context

- part of #10772
- requires backport to v4.x

(cherry picked from commit 32500e3b0c)
2025-10-28 15:10:03 +01:00
Livio Spring
999e81b74b feat(api): move authorization service to v2 (#10914)
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, we're moving all existing v2beta endpoints to v2 and deprecating
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR moves the authorization v2beta service and its endpoints to a
corresponding v2 version. The v2beta service and endpoints are
deprecated.
- The docs are moved to the new GA service and its endpoints. The v2beta
is not displayed anymore.
- The comments have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with `(google.api.field_behavior)
= REQUIRED` and validation rules have been added where missing.
- The `organization_id` to create an authorization is now required to be
always passed. There's no implicit fallback to the project's
organization anymore.
- The `user_id` filter has been removed in favor of the recently added
`in_user_ids` filter.
- The returned `Authorization` object has been reworked to return
`project`, `organization` and `roles` as objects like the granted `user`
already was.
- Additionally the `roles` now not only contain the granted `role_keys`,
but also the `display_name` and `group`. To implement this the query has
been updated internally. Existing APIs are unchanged and still return
just the keys.

# Additional Changes

None

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/10772
- closes #10746
- requires backport to v4.x

(cherry picked from commit c9ac1ce344)
2025-10-28 15:09:54 +01:00
Gayathri Vijayan
ad9cc03d57 fix(user): auth option while listing user metadata (#10968)
# Which Problems Are Solved

A user from `org A` with `ORG_USER_MANAGER` role in `org B` is unable to
list user metadata for a user in `org B`.

# How the Problems Are Solved

The `auth.option` is set to a specific permission (`user.read`) in the
API definition of `ListUserMetadata`, which causes the interceptors to
check for this specific permission. In this case, there is no specific
check for org membership of a user (from org A) in a target organization
(org B), and hence the call fails even though the user has the necessary
permissions.

This has been fixed by setting the `auth.option` to `authenticated`, and
the necessary [permission checks are handled in the
query-layer](https://github.com/zitadel/zitadel/blob/main/internal/query/user_metadata.go#L173).

# Additional Changes
N/A

# Additional Context
- Closes #10925

---------

Co-authored-by: Marco A. <marco@zitadel.com>
(cherry picked from commit 196eaa84d2)
2025-10-28 15:08:44 +01:00
Gayathri Vijayan
c164ba80dd fix(metrics): incorrect mapping of grpc status codes in the grpc_server_grpc_status_code_total metric (#10989)
# Which Problems Are Solved

Requests without errors were being mapped to GRPC status code
`Unknown`, which was then being mapped to the HTTP `500` status code.

# How the Problems Are Solved

By deriving the grpc status codes from the error only when there's an
error.
When the error is `nil`, the grpc status code is set to 0 (`OK`).

# Additional Changes

N/A

# Additional Context
- Closes #10884

(cherry picked from commit da63abd1ad)
2025-10-28 15:08:41 +01:00
Max Peintner
6661e3d7c6 fix(login): Improve Passkey Authentication Error Handling & Testing (#10971)
# Which Problems Are Solved

This PR enhances the passkey authentication flow with comprehensive
error handling, full internationalization support, and extensive test
coverage.

# How the Problems Are Solved

I18n:
- Replaced all hard-coded error messages with i18n translation keys
- Consistent error messaging throughout the passkey flow
- Added specific error handling for passkey cancellation
(NotAllowedError)
- Implemented fallback errors for undefined/missing responses
- Better error messages for:
  - Session retrieval failures
  - Challenge request failures
  - User verification errors
  - Redirect determination issues

Tests:
- Added `login-passkey.test.tsx` with 100+ test cases covering:
  - Successful verification flows
  - Error scenarios and edge cases
  - Props handling
  - Component lifecycle
- Added passkeys.test.ts with server-side function tests:
  - Session cookie retrieval
  - User validation
  - Custom lifetime handling
  - Critical fallback error paths

Try-catch blocks around critical user retrieval operations
Defensive checks for undefined responses from completeFlowOrGetUrl
Support for custom lifetime parameters
Cleaner error propagation

(cherry picked from commit d5d68aed4b)
2025-10-28 15:08:36 +01:00
Max Peintner
c126001a4b fix(login): Prevent double execution of IDP callback token and improve architecture (#10948)
Closes #10828

# Which Problems Are Solved

The IDP callback flow was calling retrieveIDPIntent() twice, causing
single-use token failures with error: "Intent Token is invalid". This
occurred due to Next.js 15's dynamicIO feature triggering double renders.

# How the Problems Are Solved

Completely refactored the IDP callback architecture to ensure single-use
tokens are consumed exactly once:

- Centralized Business Logic: Moved all IDP callback logic into a single
server action (processIDPCallback) that:
   - Consumes the token once
   - Handles all 6 business scenarios (login, linking, auto-linking,
auto-creation, manual registration, account not found)
   - Integrates session creation in the same action
   - Returns `{ redirect?: string; error?: string }` for client-side
navigation
- Client Component Invocation: Created `IdpProcessHandler` client
component that:
   - Calls the server action from browser context (enables cookie
modification)
   - Prevents double execution with useRef
   - Handles loading states and error display
- Clean Architecture:
   - Removed 403-line success page with complex logic
   - Removed component files from `/components/idps/pages/` folder
   - Moved all UI directly into server pages
   - Created dedicated result pages with minimal params

# Additional Changes

- Added translations to all 8 supported languages

---------

Co-authored-by: Ramon <mail@conblem.me>
(cherry picked from commit 9dc127ddb5)
2025-10-28 15:08:25 +01:00
Max Peintner
22b55b4dda fix(login): generate code for passkey (#10966)
# Which Problems Are Solved

When the passkey registration page (/passkey/set) is accessed externally
with only a loginName parameter, users encounter a "Missing code in
response" error. This occurs because the registration code is only
generated for invalid sessions, but external calls typically have valid
sessions.

# How the Problems Are Solved

- Moved registration code generation outside the session validity check
in `registerPasskeyLink()`
- Code is now generated for both valid and invalid sessions when not
provided
- Simplified logic: use provided code if available, otherwise generate a
new one

(cherry picked from commit 5d75e41d00)
2025-10-28 15:08:17 +01:00
Mertcan GÖKGÖZ
2b2ed20188 feat(i18n): add Turkish translation file (#10922)
Add complete Turkish (tr.json) translation for authentication UI,
including login, registration, password management, MFA setup

# Which Problems Are Solved
- Turkish language support is missing in the authentication UI
- Turkish-speaking users cannot use the application in their native
language

# How the Problems Are Solved
- Added complete Turkish (tr.json) translation file for the
authentication UI
- Translated all authentication-related strings including login,
registration, password management, MFA setup, error messages, and user
verification flows
- Technical terms (Passkey, SSO, LDAP, IDP, etc.) are kept in English
for consistency

# Additional Changes
- None

# Additional Context
- Closes #10851
- This translation follows the same structure as the existing en.json
file
- All user-facing strings in the authentication flow are now available
in Turkish

Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Gayathri Vijayan <66356931+grvijayan@users.noreply.github.com>
(cherry picked from commit e7ec430dbc)
2025-10-28 15:08:02 +01:00
Ramon
9cedcbc771 fix(login): improve duration undefined check (#10949)
# Which Problems Are Solved
In the login we often check if a GRPC Duration is not defined; however, it
can also be set to 0. Using the API it's possible to set the password
check lifetime to zero, which broke the login v2.

# How the Problems Are Solved
Also check if the GRPC Duration seconds field is not 0

# Additional Context
- May help if the issue here is actually accidentally setting password
lifetime check to 0 using the API #10865

Co-authored-by: Max Peintner <max@caos.ch>
(cherry picked from commit 16b21569db)
2025-10-28 15:07:51 +01:00
Livio Spring
bfec4cb2b8 fix(api): add missing InIDsFilter v4.5.0 2025-10-27 09:09:53 +01:00
Livio Spring
372f5d48a4 fix(api): deprecate settings v2beta endpoints (#10909)
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, we're moving all existing v2beta endpoints to v2 and deprecating
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR deprecates all settings v2beta service and endpoints.
- The comments have been improved and, where not already done, moved
from swagger annotations to proto.
- `LoginSettings`:
  - `AllowUsernamePassword` has been deprecated and a corresponding
`AllowLocalAuthentication` has been introduced
  - `SECOND_FACTOR_TYPE_OTP` has been deprecated and a
`SECOND_FACTOR_TYPE_TOTP` has been introduced as enum alias

# Additional Changes

- cleanups of some unused structs

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/10772
- requires backport to v4.x

(cherry picked from commit dbf877e028)
2025-10-27 08:58:50 +01:00
Livio Spring
bd995b0b48 feat(api): move application service v2beta to GA (and deprecate v2beta) (#10846)
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, we're moving all existing v2beta endpoints to v2 and deprecating
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR moves the app v2beta service and its endpoints to a
corresponding application v2 version. The v2beta service and endpoints are
deprecated.
- The comments have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with `(google.api.field_behavior)
= REQUIRED` and validation rules have been added where missing.
- Name ID of the application always `application_id`, previously was
also `id` and `app_id`.
- Get rid of all `app` abbreviations and name it `application` including
the service name, `AppState` -> `ApplicationState` and `AppSorting` ->
`ApplicationSorting`
- Updated `CreateApplicationRequest`:
  - renamed `creation_request_type` to `application_type` and all its
options to `XY_configuration` instead of `XY_request`
- `RegenerateClientSecret`
  - renamed method to `GenerateClientSecret`
  - removed `app_type` from request
- `ListApplicationRequest`:
  - removed required `project_id` and provided it as a filter
- Type `ApplicationNameQuery` has been renamed to
`ApplicationNameFilter` as its usage in the request
- Renamed all fields and types from `config` to `configuration`
- Updated `DeleteApplicationKeyRequest`
  - removed `organization_id`
- Updated `GetApplicationKeyRequest`:
  - removed `project_id`, `application_id` and `organization_id`
- Updated `ListApplicationKeysRequest`:
  - removed oneOf `resource_id` and moved the options into filters
- Name ID of the application key always `key_id`.
- removed unnecessary package prefixes (`zitadel.application.v2`)
- formatted using `buf`

# Additional Changes

None

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/10772
- requires backport to v4.x

(cherry picked from commit 0281670030)
2025-10-27 08:56:27 +01:00
Maximilian
c318194b66 chore(ux): Change wording for project / application settings (#10775)

# Which Problems Are Solved

Close #10623: The terms, language, and spelling used on the project and
application settings for receiving roles is unnecessarily complicated or
wrong.

# How the Problems Are Solved

Update Settings in English. Translations are currently not considered.

# Additional Changes

Align proto documentation

# Additional Context

(cherry picked from commit 7e11f7a032)
2025-10-27 08:56:21 +01:00
Livio Spring
366fe3fd5b feat(api): move internal permission service to GA (and deprecate v2beta) (#10898)
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, we're moving all existing v2beta endpoints to v2 and deprecating
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR moves the internal permission v2beta service and its endpoints
to a corresponding v2 version. The v2beta service and endpoints are
deprecated.
- The docs are moved to the new GA service and its endpoints. The v2beta
is not displayed anymore.
- The comments have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with `(google.api.field_behavior)
= REQUIRED` and validation rules have been added where missing.
- Listing administrators of a project grant can now be done with the
`ProjectGrant` (`project_id` and `organization_id`) instead of a
`project_id`, which corresponds to creation of the administratorship of
such grant.
- formatted using `buf`

# Additional Changes

None

# Additional Context

- part of https://github.com/zitadel/zitadel/issues/10772
- requires backport to v4.x

---------

Co-authored-by: Gayathri Vijayan <66356931+grvijayan@users.noreply.github.com>
(cherry picked from commit 0f2a349ec1)
2025-10-27 08:55:55 +01:00
Livio Spring
53f51fc4ab fix(api): deprecate v2beta endpoints of existing v2 services (#10841)
# Which Problems Are Solved

As part of our efforts to simplify the structure and versions of our
APIs, we're moving all existing v2beta endpoints to v2 and deprecating
them. They will be removed in Zitadel V5.

# How the Problems Are Solved

- This PR deprecates all v2beta services and their endpoints, which
already have a corresponding v2 version and should not be used anymore.
- The comments have been improved and, where not already done, moved
from swagger annotations to proto.
- All required fields have been marked with `(google.api.field_behavior)
= REQUIRED` and validation rules have been added where missing.
- Removed the "required flag" comments on the Action and WebKey service
endpoints, since they were removed in Zitadel v4.
- The `SetSession` endpoint already documented that the token does not
have to be provided anymore and will be ignored if still sent, but it
was actually still checked if provided. The corresponding check has been
removed and the field is now properly deprecated in the proto as well.

# Additional Changes

None

# Additional Context

- part of #10772
- requires backport to v4.x

(cherry picked from commit e25b21a6a4)
2025-10-27 08:55:28 +01:00
Oskar
e19579de36 chore: change prepareUserAuthMethodTypesQuery log level (#10813)
# Which Problems Are Solved

During normal operations, when listing authentication method types,
activated IDPs are added to the `userAuthMethodTypes` slice but there's
an error in the logs, causing false alarms in our alerting system which
has been configured to trigger on error-level logs:
```
{
    "logDate": "2025-09-29T07:47:49.524794306Z",
    "protocol": 0,
    "requestUrl": "/zitadel.user.v2.UserService/ListAuthenticationMethodTypes",
    "responseStatus": 0,
    "requestHeaders": {
        "authorization": [
            "[REDACTED]"
        ],
        "content-type": [
            "application/grpc+proto"
        ],
        "grpc-accept-encoding": [
            "gzip,br"
        ],
        "host": [
            "zitadel.example.com"
        ],
        "te": [
            "trailers"
        ],
        "user-agent": [
            "connect-es/2.0.4"
        ]
    },
    "responseHeaders": {},
    "instanceId": "329151080840616127",
    "projectId": "329851980840157809",
    "requestedDomain": "zitadel.example.com",
    "requestedHost": "zitadel.example.com"
}

{
    "caller": "/home/runner/work/zitadel/zitadel/internal/query/user_auth_method.go:478",
    "level": "error",
    "msg": "IDP1",
    "time": "2025-09-29T07:47:49Z"
}
```

# How the Problems Are Solved

The log was changed to debug level and the log text was updated to
better describe what is happening.

Another possible solution would be to remove the log line completely.
Reviewers can decide if this is a better solution.

# Additional Changes

None.

# Additional Context

None.

Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 812641ee9c)
2025-10-27 08:46:34 +01:00
Surya
70800c5a44 fix(auth): allow LDAP sign-in with special characters (#10798) (#10857)
# Which Problems Are Solved
- Users were unable to sign in via LDAP when their password contained
special characters (%, #, &), because URI validation rejected valid
credentials #10798
- This occurs specifically when using a custom login implementation for
LDAP authentication during the LDAP user intent flow.

# How the Problems Are Solved
Removed the URI validation from LDAP password handling, allowing all
special characters.

# Additional Changes
- Applied changes in v2 and v2beta LDAP flows.
- Verified other authentication flows remain unaffected.

# Additional Context
- Closes #10798

(cherry picked from commit 785512ea8b)
2025-10-27 08:46:22 +01:00
Elio Bischof
06f9270605 chore: cleanup .releaserc.js (#10957)
# Which Problems Are Solved

For testing purposes, we modified the .releaserc.js. The test-relevant
changes are reverted.

# How the Problems Are Solved

- The test branch is removed from the branches array.
- The default releaseBodyTemplate value is used again.

# Additional Context

- Cleanup for #10956

(cherry picked from commit 8693de8170)
2025-10-27 08:45:55 +01:00
Elio Bischof
ec91be8725 chore: release tarballs (#10956)
# Which Problems Are Solved

This PR makes sure that the tarballs containing the API binary and the
standalone login are separately downloadable from the release pages
again.

# How the Problems Are Solved

Because the `Pack` workflow uploads a single GitHub artifact containing
all tarballs since #10571, we download this artifact so that it
correctly unpacks into the correct folder structure configured in
`.releaserc.js`.

The changes are tested [with this action
run](https://github.com/eliobischof/zitadel/actions/runs/18745783976),
which [created this
release](https://github.com/eliobischof/zitadel/releases/tag/v1.0.0-release-archives.5).

# Additional Changes

- The term `standalone` is removed from the login tarball, as it should
be clear that it is a standalone build.
- The Go builds and the login archiving are less verbose.
- The pipelines' Go versions are pinned to *v1.25*, a minor above the
minimally required Go version *v1.24.0* described in the go.mod file.
This makes sure that we build using newer patches for security and
performance.

# Additional Context

- The archives weren't published anymore since #10571
- Closes #10896

---------

Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
(cherry picked from commit b080ed8884)
2025-10-27 08:45:38 +01:00
Silvan
4c82d728f4 fix(assets-api): Add error handling for missing file paths (#10938)
(cherry picked from commit e7b841a874)
2025-10-27 08:45:13 +01:00
Max Peintner
d4fec7ebaf fix(login): send invite codes only for users with unverified email (#10943)
# Which Problems Are Solved

When a user with no authentication methods attempted to log in, the
system always set `invite=true` in the verification flow, regardless of
whether their email was already verified. This could cause errors when
trying to send invite codes to already initialized users.

# How the Problems Are Solved

Added conditional logic to determine whether to send an invite code
based on the user's email verification status:

This prevents errors when attempting to send invite codes to users who
have already verified their email and been initialized, while still
properly handling new users who need invitation flows.

(cherry picked from commit d10be4c09a)
2025-10-27 08:44:39 +01:00
Yann Soubeyrand
aa8c02b189 fix(oidc): accept localhost redirect URIs without path nor port (#10836)
# Which Problems Are Solved

Some native OIDC applications use localhost without a path as redirect
URI. Currently, setting `http://localhost` as a redirect URI leads to a
compliance warning (`Redirect URIs must begin with your own protocol,
http://127.0.0.1, http://[::1] or http://localhost.`), while
`http://localhost/some/path` and `http://localhost:some-port` are
accepted.

# How the Problems Are Solved

This PR adds additional checks to accept `http://localhost`,
`http://127.0.0.1`, `http://[::1]` and `http://[0:0:0:0:0:0:0:1]` (their
counterpart with port and with path were already accepted).

---------

Co-authored-by: Marco Ardizzone <marco@zitadel.com>
(cherry picked from commit 88213d785a)
2025-10-27 08:44:25 +01:00
Max Peintner
11a35f4ef4 fix(login): fallback for idp login (#10876)
Closes #10671

# Which Problems Are Solved

Users with password authentication disabled in their organization were
seeing "Username Password not allowed!" error instead of being
redirected to their organization's configured Identity Provider. This
affected domain discovery and multi-tenancy use cases in Login V2.

# How the Problems Are Solved

- Updated `redirectUserToIDP` to accept optional `userId` and
`organization` parameters
- Added fallback logic to check organization-level IDPs via
`getActiveIdentityProviders`
- Updated all call sites to pass appropriate organization context
- Added test coverage for the fallback behavior

# Additional Changes

- Consolidated duplicate logic by removing
`redirectUserToSingleIDPIfAvailable` function, which is now handled by
the unified `redirectUserToIDP` function
- improved error handling on verification page

---------

Co-authored-by: Ramon <mail@conblem.me>
(cherry picked from commit ff869482b1)
2025-10-27 08:44:11 +01:00
Max Peintner
b94c7845a1 fix(login): Add Organization Scoping to IDP Auto-Linking (#10931)
This PR fixes an issue in the IDP auto-linking feature where user
searches were performed globally instead of being scoped to the current
organization context. This could result in IDP links being created for
users in unintended organizations.

# Which Problems Are Solved

When IDP auto-linking was enabled (by email or username), the system
would search for existing users across all organizations instead of
restricting the search to the current organization context.

# How the Problems Are Solved

Added organization scoping to all three auto-linking code paths.

(cherry picked from commit 2ad5cf141f)
2025-10-27 08:44:00 +01:00
Livio Spring
8b1aa8cbec chore: update dependencies (#10923)
Updates all direct dependencies to the latest versions (apart from the ones
where there are already issues to solve their updates).

(cherry picked from commit 61964f92be)

# Conflicts:
#	go.mod
#	go.sum
2025-10-27 08:43:13 +01:00
Livio Spring
2272a60a58 fix(login v1): handle old sessions in logout (#10926)
# Which Problems Are Solved

Sessions created through login UI (v1) automatically get assigned an ID
after creation. This change was introduced with the OIDC back-channel
logout implementation. Sessions created before that don't have an ID and
are updated on the next (re-)authentication.
A customer now reached out that a logout from Console was resulting in
an error. This is due to at least one session not having an ID (<null>
in SQL) in the same user agent.

# How the Problems Are Solved

Since the sessionID is not used in the specific situation, we just
assign the userID as sessionID. This way all sessions are properly
terminated.

# Additional Changes

None

# Additional Context

- relates to support request
- requires backport to v4.x

(cherry picked from commit fda19dc85b)
2025-10-27 08:35:20 +01:00
kenta yamamoto
76a18d414f feat(login): add Japanese localization for login frontend app (#10811)
# Which Problems Are Solved

- Japanese users cannot use the Login UI in their native language, as
only other locales (English, German, Italian, Spanish, Polish, Chinese,
Russian, Turkish) are currently supported
- The Login UI language selection does not include Japanese as an option

# How the Problems Are Solved

- Updated the `LANGS` array in `apps/login/src/lib/i18n.ts` to include
Japanese (`{ name: "日本語", code: "ja" }`)
- Enables Japanese language selection in the Login UI through browser
language detection or manual locale setting

# Additional Changes

- No additional changes were necessary as other components (Console,
email notifications, common messages, Go templates) already have
Japanese locale support (`ja.json`/`ja.yaml` files exist)

# Additional Context

- This contribution enhances ZITADEL's internationalization support for
Japanese-speaking users
- The translation follows the same structure and key naming conventions
as existing locale files
- Testing can be performed by setting browser language to Japanese or
using `NEXT_LOCALE=ja` cookie

Co-authored-by: Max Peintner <max@caos.ch>
(cherry picked from commit 27c248fa11)
2025-10-27 08:34:47 +01:00
Stefan Benz
43b4fc1019 fix: add CommonName to SAML SP certificate (#10700)
# Which Problems Are Solved

There is no CN (CommonName) defined in the certificates to use an
external SAML IDP.

# How the Problems Are Solved

Add Issuer and CommonName to the certificate information.

# Additional Changes

None

# Additional Context

Closes #9048

Co-authored-by: Gayathri Vijayan <66356931+grvijayan@users.noreply.github.com>
(cherry picked from commit 4c078c1474)
2025-10-27 08:33:07 +01:00
Mahdi JafariRaviz
db643547b1 fix(console): create login policy before adding a factor (#10202)
# Which Problems Are Solved

The API call for adding an MFA/2FA factor was running before creating a
login policy.

# How the Problems Are Solved

A new event emitter `beforeTypeAdd` is responsible for taking in a
callback; the parent component (login-policy) then checks if a login
policy should be created and, once it has been successfully created, calls the
callback.
The callback then adds the MFA/2FA factor as before.

# Additional Context

- Closes #9047

Co-authored-by: David Skewis <david@zitadel.com>
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit 381727e919)
2025-10-27 08:29:26 +01:00