Commit Graph

3503 Commits

Author SHA1 Message Date
Tim Möhlmann
869ebceac6
fix(oidc): upgrade zitadel/oidc to allow scope without openid (#8109)
# Which Problems Are Solved

Drop the requirement of the `openid` scope in all auth and token request
types.

# How the Problems Are Solved

This change upgrades the oidc package to include
https://github.com/zitadel/oidc/pull/613.

# Additional Changes

- Fix a typo in a go doc string
- upgrade otel modules to match the version from oidc.

# Additional Context

- https://github.com/zitadel/zitadel/pull/7822 started doing scope
validation for machine user authentication on the token endpoint.
- https://github.com/zitadel/zitadel/discussions/8068 reports breakage
of machine authentication without `openid` scope.
- Merge after https://github.com/zitadel/oidc/pull/613 is released.

(cherry picked from commit 81cc7c62cb)
2024-06-13 13:55:05 +02:00
Yxnt
2450736a34
fix(login): ldap login page js file not found (#8101)
# Which Problems Are Solved
* fix ldap login page js file not found

![image](https://github.com/zitadel/zitadel/assets/10323352/47640ae9-3aa2-4a62-aa95-e23750cb8eb7)

Signed-off-by: Yxnt <jyxnt1@gmail.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 1374f17c8d)
2024-06-13 13:55:05 +02:00
Livio Spring
a3fcf6431a
fix(oidc): remove MFA requirement on ZITADEL API based on user auth methods (#8069)
# Which Problems Are Solved

Request to the ZITADEL API currently require multi factor authentication
if the user has set up any second factor.
However, the login UI will only prompt the user to check factors that
are allowed by the login policy.
This can lead to situations, where the user has set up a factor (e.g.
some OTP) which was not allowed by the policy, therefore will not have
to verify the factor, the ZITADEL API however will require the check
since the user has set it up.

# How the Problems Are Solved

The requirement for multi factor authentication based on the user's
authentication methods is removed when accessing the ZITADEL APIs.
Those requests will only require MFA in case the login policy does so
because of `requireMFA` or `requireMFAForLocalUsers`.

# Additional Changes

None.

# Additional Context

- a customer reached out to support
- discussed internally
- relates #7822
- backport to 2.53.x

(cherry picked from commit fb2b1610f9)
2024-06-13 13:55:05 +02:00
Livio Spring
e927eeaaed
fix(oidc): only return state in access token response for implicit flow (#8108)
# Which Problems Are Solved

Introduced with #7822 the access token response incorrectly returned the
`state` parameter.

# How the Problems Are Solved

The `state` will only be returned for access token responses in an
implicit_flow.

# Additional Changes

None.

# Additional Context

- relates to #7822
- relates to
https://github.com/zitadel/oidc/issues/446#issuecomment-2144999644
- backport to 2.53.x

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
(cherry picked from commit fb95f4a8a2)
2024-06-13 13:55:04 +02:00
Joakim Lodén
2cbcdf4ba9
fix: remove duplicate otel span processors (#8104)
(cherry picked from commit 1d13d41139)
2024-06-13 13:55:04 +02:00
Livio Spring
9361a7f0dd
perf(authZ): improve oidc session check (#8091)
# Which Problems Are Solved

Access token checks make sure that there have not been any termination
events (user locked, deactivated, signed out, ...) in the meantime. This
events were filtered based on the creation date of the last session
event, which might cause latency issues in the database.

# How the Problems Are Solved

- Changed the query to use `position` instead of `created_at`.
- removed `AwaitOpenTransactions`

# Additional Changes

Added the `position` field to the `ReadModel`.

# Additional Context

- relates to #8088
- part of #7639
- backport to 2.53.x

(cherry picked from commit 931a6c7cce)
2024-06-13 13:55:04 +02:00
Tim Möhlmann
81cc7c62cb
fix(oidc): upgrade zitadel/oidc to allow scope without openid (#8109)
# Which Problems Are Solved

Drop the requirement of the `openid` scope in all auth and token request
types.

# How the Problems Are Solved

This change upgrades the oidc package to include
https://github.com/zitadel/oidc/pull/613.

# Additional Changes

- Fix a typo in a go doc string
- upgrade otel modules to match the version from oidc.

# Additional Context

- https://github.com/zitadel/zitadel/pull/7822 started doing scope
validation for machine user authentication on the token endpoint.
- https://github.com/zitadel/zitadel/discussions/8068 reports breakage
of machine authentication without `openid` scope.
- Merge after https://github.com/zitadel/oidc/pull/613 is released.
2024-06-13 09:32:27 +00:00
Florian Forster
f6a50db96c
chore(docs): fix prod build for vercel (#8121)
# Fix

Fixes a problem on main
2024-06-13 08:47:10 +00:00
Florian Forster
c9e352033e
chore(docs): use gh action to build docs (#8097)
# Which Problems Are Solved

This allows us to build multiple docs in parallel and only runs when
docs/proto are changed.

# Additional Changes

- [ ] Change "required" in GitHub from Vercel to the docs flow

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-06-13 08:07:39 +00:00
Yxnt
1374f17c8d
fix(login): ldap login page js file not found (#8101)
# Which Problems Are Solved
* fix ldap login page js file not found

![image](https://github.com/zitadel/zitadel/assets/10323352/47640ae9-3aa2-4a62-aa95-e23750cb8eb7)

Signed-off-by: Yxnt <jyxnt1@gmail.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-06-13 07:05:59 +00:00
Livio Spring
206d947183
docs(api): add missing x-zitadel-orgid header to IdP request (#8113)
# Which Problems Are Solved

Some management requests did not state that the `x-zitadel-orgid` can /
needs to be sent as part of the request.

# How the Problems Are Solved

Added it as paart of the swagger / openAPI documentation.

# Additional Changes

None.

# Additional Context

- noted by a customer
2024-06-12 13:13:20 +00:00
Livio Spring
fb2b1610f9
fix(oidc): remove MFA requirement on ZITADEL API based on user auth methods (#8069)
# Which Problems Are Solved

Request to the ZITADEL API currently require multi factor authentication
if the user has set up any second factor.
However, the login UI will only prompt the user to check factors that
are allowed by the login policy.
This can lead to situations, where the user has set up a factor (e.g.
some OTP) which was not allowed by the policy, therefore will not have
to verify the factor, the ZITADEL API however will require the check
since the user has set it up.

# How the Problems Are Solved

The requirement for multi factor authentication based on the user's
authentication methods is removed when accessing the ZITADEL APIs.
Those requests will only require MFA in case the login policy does so
because of `requireMFA` or `requireMFAForLocalUsers`.

# Additional Changes

None.

# Additional Context

- a customer reached out to support
- discussed internally
- relates #7822 
- backport to 2.53.x
2024-06-12 12:24:17 +00:00
Livio Spring
fb95f4a8a2
fix(oidc): only return state in access token response for implicit flow (#8108)
# Which Problems Are Solved

Introduced with #7822 the access token response incorrectly returned the
`state` parameter.

# How the Problems Are Solved

The `state` will only be returned for access token responses in an
implicit_flow.

# Additional Changes

None.

# Additional Context

- relates to #7822 
- relates to
https://github.com/zitadel/oidc/issues/446#issuecomment-2144999644
- backport to 2.53.x

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-06-12 11:53:56 +00:00
Andy Pilate
f4d32d98d3
docs: typo in oauth2-proxy.md (#8098)
# Which Problems Are Solved

This PR fixes a typo in the documentation

# How the Problems Are Solved

N/A

# Additional Changes

N/A

# Additional Context

N/A

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-06-12 11:14:14 +00:00
Joakim Lodén
1d13d41139
fix: remove duplicate otel span processors (#8104) 2024-06-12 10:18:48 +00:00
Livio Spring
931a6c7cce
perf(authZ): improve oidc session check (#8091)
# Which Problems Are Solved

Access token checks make sure that there have not been any termination
events (user locked, deactivated, signed out, ...) in the meantime. This
events were filtered based on the creation date of the last session
event, which might cause latency issues in the database.

# How the Problems Are Solved

- Changed the query to use `position` instead of `created_at`.
- removed `AwaitOpenTransactions`

# Additional Changes

Added the `position` field to the `ReadModel`.

# Additional Context

- relates to #8088
- part of #7639
- backport to 2.53.x
2024-06-12 09:11:36 +00:00
Livio Spring
fb5b4cff58
fix(oauth2): correctly return an error on client_credentials and jwt_profile (#8092)
# Which Problems Are Solved

When an error occurred during the oidc session creation from
client_credentials or jwt_profile, the error was ignored.

# How the Problems Are Solved

Return the error.

# Additional Changes

None.

# Additional Context

- relates to #7822
- noticed internally
- backport to 2.53.x

(cherry picked from commit 448f8f2c11)
2024-06-12 08:43:48 +02:00
Livio Spring
663484e1fb
fix: consider oidc session events for authN milestones (#8089)
# Which Problems Are Solved

After migrating the access token events in #7822, milestones based on
authentication, resp. theses events would not be reached.

# How the Problems Are Solved

Additionally use the `oidc_session.Added` event to check for
`milestone.AuthenticationSucceededOnInstance` and
`milestone.AuthenticationSucceededOnApplication`.

# Additional Changes

None.

# Additional Context

- relates to #7822
- noticed internally

(cherry picked from commit b6c10c4c83)
2024-06-12 08:43:48 +02:00
Silvan
eb8f61d1c1
fix: read correct defaults (#8090)
# Which Problems Are Solved

Corrects reading of default configuration, despite reading all default
configs only required defaults are read.

# How the Problems Are Solved

Reading the defualt config of the `mirror`-command was moved to a
pre-run step of the command instead of doing it during initialization of
the executable.

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/8059
- https://discord.com/channels/927474939156643850/1248594307267559535

(cherry picked from commit 7d852ad0df)
2024-06-12 08:43:48 +02:00
Livio Spring
4552fe7d99
fix: potential panics in login and return proper http 405 (#8065)
# Which Problems Are Solved

We identified some parts in the code, which could panic with a nil
pointer when accessed without auth request.
Additionally, if a GRPC method was called with an unmapped HTTP method,
e.g. POST instead of GET a 501 instead of a 405 was returned.

# How the Problems Are Solved

- Additional checks for existing authRequest
- custom http status code mapper for gateway

# Additional Changes

None.

# Additional Context

- noted internally in OPS

(cherry picked from commit 26c7d95c88)
2024-06-12 08:43:47 +02:00
Livio Spring
448f8f2c11
fix(oauth2): correctly return an error on client_credentials and jwt_profile (#8092)
# Which Problems Are Solved

When an error occurred during the oidc session creation from
client_credentials or jwt_profile, the error was ignored.

# How the Problems Are Solved

Return the error.

# Additional Changes

None.

# Additional Context

- relates to #7822 
- noticed internally
- backport to 2.53.x
2024-06-12 06:42:50 +00:00
Livio Spring
b6c10c4c83
fix: consider oidc session events for authN milestones (#8089)
# Which Problems Are Solved

After migrating the access token events in #7822, milestones based on
authentication, resp. theses events would not be reached.

# How the Problems Are Solved

Additionally use the `oidc_session.Added` event to check for
`milestone.AuthenticationSucceededOnInstance` and
`milestone.AuthenticationSucceededOnApplication`.

# Additional Changes

None.

# Additional Context

- relates to #7822 
- noticed internally
2024-06-12 06:49:14 +02:00
mffap
b42a3ad309
docs(manage): update terraform provider (#8102)
# Which Problems Are Solved

Terraform provider docs without introcution and "here" links were hard
to search for.

# How the Problems Are Solved

Updated docs page

# Additional Changes

changed the slug for more clarity and added a redirect
2024-06-11 13:01:10 +02:00
Elio Bischof
b055d1d9e6
feat(init): configurable existing postgres db (#8045)
# Which Problems Are Solved

The init job fails if no database called *postgres* or *defaultdb* for
cockroach respectively exists.

# How the Problems Are Solved

The value is now configurable, for example by env variable
*ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE*

# Additional Context

- Closes #5810
2024-06-10 10:49:30 +00:00
Silvan
7d852ad0df
fix: read correct defaults (#8090)
# Which Problems Are Solved

Corrects reading of default configuration, despite reading all default
configs only required defaults are read.

# How the Problems Are Solved

Reading the defualt config of the `mirror`-command was moved to a
pre-run step of the command instead of doing it during initialization of
the executable.

# Additional Context

- Closes https://github.com/zitadel/zitadel/issues/8059
- https://discord.com/channels/927474939156643850/1248594307267559535
2024-06-10 11:46:28 +02:00
Livio Spring
26c7d95c88
fix: potential panics in login and return proper http 405 (#8065)
# Which Problems Are Solved

We identified some parts in the code, which could panic with a nil
pointer when accessed without auth request.
Additionally, if a GRPC method was called with an unmapped HTTP method,
e.g. POST instead of GET a 501 instead of a 405 was returned.

# How the Problems Are Solved

- Additional checks for existing authRequest
- custom http status code mapper for gateway

# Additional Changes

None.

# Additional Context

- noted internally in OPS
2024-06-07 07:30:04 +00:00
Elio Bischof
9b16c61038
docs: link office hours (#8079) 2024-06-06 11:30:16 +00:00
Silvan
d10f3e0918
docs(office-hours): add new resource api (#8077)
Added new info for next office hours
2024-06-06 10:16:36 +00:00
Elio Bischof
cedd992ab9
docs: describe new API concepts (#7975)
# Which Problems Are Solved

We have not enough internal and external input about our ideas for the
new API design.

# How the Problems Are Solved

We make the concepts easily accessible by publishing them in our docs
and making them concise.

# Additional Context

- Contributes to #6305
- Replaces the PR #7821 which defines protos in more detail

Only resources and settings are in the scope of this concept.
A possible solution for defining the outscoped methods could for example
look like this:

## ZITADELInsights

query services for auditing, analytics and data synchronization.

- Events
- Milestones

## ZITADELOperations

- Health
- Failed Events
- Views
- Metrics (version, uptime etc.)
2024-06-05 13:46:48 +00:00
Elio Bischof
b543404af5
docs: fix typo in mirror.mdx (#8056) 2024-05-31 19:18:49 +02:00
Livio Spring
33235a5cbe fix(oidc): make sure id_token does not contain any info from access token actions (#8053)
# Which Problems Are Solved

During tests of 2.53.3 we noticed that in cases where the
`idTokenRoleAssertion` was disabled, claims set in the
preAccessTokenTrigger where also set in the id_token.

# How the Problems Are Solved

The userinfo of the id_token now uses a correct copy of their own.

# Additional Changes

None.

# Additional Context

- relates to #7822 
- relates to #8046
2024-05-31 15:08:00 +02:00
Livio Spring
4fa9de4314
fix(oidc): make sure id_token does not contain any info from access token actions (#8053)
# Which Problems Are Solved

During tests of 2.53.3 we noticed that in cases where the
`idTokenRoleAssertion` was disabled, claims set in the
preAccessTokenTrigger where also set in the id_token.

# How the Problems Are Solved

The userinfo of the id_token now uses a correct copy of their own.

# Additional Changes

None.

# Additional Context

- relates to #7822 
- relates to #8046
2024-05-31 13:06:59 +00:00
Livio Spring
50e0e7d564
Merge branch 'main' into next 2024-05-31 12:12:02 +02:00
Livio Spring
f065b42a97
fix(oidc): respect role assertion and idTokenInfo flags and trigger preAccessToken trigger (#8046)
# Which Problems Are Solved

After deployment of 2.53.x, customers noted that the roles claims where
always present in the tokens even if the corresponding option on the
client (accessTokenRoleAssertion, idTokenRoleAsseriton) was disabled.
Only the project flag (assertRolesOnAuthentication) would be considered.

Further it was noted, that the action on the preAccessTokenCreation
trigger would not be executed.

Additionally, while testing those issues we found out, that the user
information (name, givenname, family name, ...) where always present in
the id_token even if the option (idTokenUserInfo) was not enabled.

# How the Problems Are Solved

- The `getUserinfoOnce` which was used for access and id_tokens is
refactored to `getUserInfo` and no longer only queries the info once
from the database, but still provides a mechanism to be reused for
access and id_token where the corresponding `roleAssertion` and action
`triggerType` can be passed.
- `userInfo` on the other hand now directly makes sure the information
is only queried once from the database. Role claims are asserted every
time and action triggers are executed on every call.
- `userInfo` now also checks if the profile information need to be
returned.

# Additional Changes

None.

# Additional Context

- relates to #7822 
- reported by customers
2024-05-31 10:10:18 +00:00
Livio Spring
bc885632fb
fix(logging): reduce log level of errors in introspection and login UI (#8047)
# Which Problems Are Solved

Introspection errors such as invalid audience and errors in the login UI
such as invalid user agents where all logged as severity error.

# How the Problems Are Solved

Log level for both general loggers is changed to `info`.

# Additional Changes

None

# Additional Context

- internal discussion
2024-05-31 08:11:32 +00:00
Livio Spring
aabefb9382
feat(session api): respect lockout policy (#8027)
# Which Problems Are Solved

The session API was designed to be flexible enough for multiple use
cases / login scenarios, where the login could respect the login policy
or not. The session API itself does not have a corresponding policy and
would not check for a required MFA or alike. It therefore also did not
yet respect the lockout policy and would leave it to the login UI to
handle that.
Since the lockout policy is related to the user and not the login
itself, we decided to handle the lockout also on calls of the session
API.

# How the Problems Are Solved

If a lockout policy is set for either password or (T)OTP checks, the
corresponding check on the session API be run against the lockout check.
This means that any failed check, regardless if occurred in the session
API or the current hosted login will be counted against the maximum
allowed checks of that authentication mechanism. TOTP, OTP SMS and OTP
Email are each treated as a separate mechanism.

For implementation:
- The existing lockout check functions were refactored to be usable for
session API calls.
- `SessionCommand` type now returns not only an error, but also
`[]eventstore.Command`
  - these will be executed in case of an error

# Additional Changes

None.

# Additional Context

Closes #7967

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-05-30 22:08:48 +00:00
Max Peintner
7ede3ec189
fix(console): projects descriptions (#8037)
# Which Problems Are Solved

This PR fixes a visualization issue for the projects description
<img width="826" alt="Screenshot 2024-05-29 at 17 05 50"
src="https://github.com/zitadel/zitadel/assets/10165752/18407fad-1e11-47f2-a1df-ba9a5ebf4e69">

# How the Problems Are Solved

The [innerHTML] directive renders the `<br/>` line breaks in the
translation.

# Additional Context

-
https://discord.com/channels/927474939156643850/1245354943926374422/1245354943926374422

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-05-30 15:40:37 +00:00
adlerhurst
e3523ea0f2 Merge branch 'main' into next 2024-05-30 11:42:47 +02:00
Silvan
2243306ef6
feat(cmd): mirror (#7004)
# Which Problems Are Solved

Adds the possibility to mirror an existing database to a new one. 

For that a new command was added `zitadel mirror`. Including it's
subcommands for a more fine grained mirror of the data.

Sub commands:

* `zitadel mirror eventstore`: copies only events and their unique
constraints
* `zitadel mirror system`: mirrors the data of the `system`-schema
*  `zitadel mirror projections`: runs all projections
*  `zitadel mirror auth`: copies auth requests
* `zitadel mirror verify`: counts the amount of rows in the source and
destination database and prints the diff.

The command requires one of the following flags:
* `--system`: copies all instances of the system
* `--instance <instance-id>`, `--instance <comma separated list of
instance ids>`: copies only the defined instances

The command is save to execute multiple times by adding the
`--replace`-flag. This replaces currently existing data except of the
`events`-table

# Additional Changes

A `--for-mirror`-flag was added to `zitadel setup` to prepare the new
database. The flag skips the creation of the first instances and initial
run of projections.

It is now possible to skip the creation of the first instance during
setup by setting `FirstInstance.Skip` to true in the steps
configuration.

# Additional info

It is currently not possible to merge multiple databases. See
https://github.com/zitadel/zitadel/issues/7964 for more details.

It is currently not possible to use files. See
https://github.com/zitadel/zitadel/issues/7966 for more information.

closes https://github.com/zitadel/zitadel/issues/7586
closes https://github.com/zitadel/zitadel/issues/7486

### Definition of Ready

- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [x] Acceptance criteria are met
- [x] All open todos and follow ups are defined in a new ticket and
justified
- [x] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [ ] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [x] Functionality of the acceptance criteria is checked manually on
the dev system.

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-05-30 09:35:30 +00:00
Livio Spring
4f114e4bf3
fix: session idp intent check (#8040)
# Which Problems Are Solved

If an IdP intent succeeded with the user was not linked yet, the IdP
link was then added, the following IdP check on the session API would
then fail with `Intent meant for another user (COMMAND-O8xk3w)`.
This issue was introduced with when allowing IdP intents from other
organizations (https://github.com/zitadel/zitadel/pull/7871)

# How the Problems Are Solved

The IdP link is now correctly checked in the session API (using the
user's organization instead of the one from the intent).

# Additional Changes

- Improved the corresponding integration test to cover the exact
bahvior.
- Tests, which had to be updated with newer cases where additionally
changed to use expectEventstore instead of deprecated eventstoreExpect
and the two eventstore mocks of the session_tests.go where combined.

# Additional Context

- Relates to #7871
- This issue was reported by a customer.
- will be back ported to 2.52.x

(cherry picked from commit d254828d47)
2024-05-30 09:25:56 +02:00
Livio Spring
d254828d47
fix: session idp intent check (#8040)
# Which Problems Are Solved

If an IdP intent succeeded with the user was not linked yet, the IdP
link was then added, the following IdP check on the session API would
then fail with `Intent meant for another user (COMMAND-O8xk3w)`.
This issue was introduced with when allowing IdP intents from other
organizations (https://github.com/zitadel/zitadel/pull/7871)

# How the Problems Are Solved

The IdP link is now correctly checked in the session API (using the
user's organization instead of the one from the intent).

# Additional Changes

- Improved the corresponding integration test to cover the exact
bahvior.
- Tests, which had to be updated with newer cases where additionally
changed to use expectEventstore instead of deprecated eventstoreExpect
and the two eventstore mocks of the session_tests.go where combined.

# Additional Context

- Relates to #7871 
- This issue was reported by a customer.
- will be back ported to 2.52.x
2024-05-30 07:06:32 +00:00
Livio Spring
fa5e6d1914
docs(advisory): add technical advisory for token type change (#8029)
# Which Problems Are Solved

Among others #7822 changed the event type of the `user.token.added` to
`user.token.v2.added`. To make customers aware of this in case they use
it for calculating DAU / MAU, resp. for an audit trail, we want to raise
awareness.

# How the Problems Are Solved

Technical advisory to state the change.

# Additional Changes

None.

# Additional Context

Relates to #7822

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-05-29 16:14:46 +00:00
Livio Spring
0b82fc1ed0
fix(login): correctly set preferred login name in the login ui (#8038)
# Which Problems Are Solved

A customer noted that after upgrade to 2.53.0, users were no longer able
to reset their passwords through the login UI.
This was due to a accidental change in
https://github.com/zitadel/zitadel/pull/7969

# How the Problems Are Solved

The `preferred_login_name` is now correctly read from the database.

# Additional Changes

None.

# Additional Context

relates to #7969

(cherry picked from commit eca8ffda70)
2024-05-29 17:47:37 +02:00
Livio Spring
eca8ffda70
fix(login): correctly set preferred login name in the login ui (#8038)
# Which Problems Are Solved

A customer noted that after upgrade to 2.53.0, users were no longer able
to reset their passwords through the login UI.
This was due to a accidental change in
https://github.com/zitadel/zitadel/pull/7969

# How the Problems Are Solved

The `preferred_login_name` is now correctly read from the database.

# Additional Changes

None.

# Additional Context

relates to #7969
2024-05-29 15:45:46 +00:00
mffap
3f77b49a41
docs(service users): improve client id and client secret docs (#7990)
# Which Problems Are Solved

- Misaligned heading
- Curl with auth header is hard to understand without the link

# How the Problems Are Solved

Instead of explaining how to create a proper encoding, just use --user
flag for client_id and client_secret
2024-05-29 09:14:27 +00:00
Silvan
571015703e
docs: add office hours (#7999) 2024-05-29 07:34:37 +00:00
Livio Spring
8ce3af2f9d
Merge branch 'main' into next 2024-05-28 14:33:54 +02:00
Livio Spring
ec222a13d7
fix(oidc): IDP and passwordless user auth methods (#7998)
# Which Problems Are Solved

As already mentioned and (partially) fixed in #7992 we discovered,
issues with v2 tokens that where obtained through an IDP, with
passwordless authentication or with password authentication (wihtout any
2FA set up) using the v1 login for zitadel API calls
- (Previous) authentication through an IdP is now correctly treated as
auth method in case of a reauth even when the user is not redirected to
the IdP
- There were some cases where passwordless authentication was
successfully checked but not correctly set as auth method, which denied
access to ZITADEL API
- Users with password and passwordless, but no 2FA set up which
authenticate just wich password can access the ZITADEL API again

Additionally while testing we found out that because of #7969 the login
UI could completely break / block with the following error:
`sql: Scan error on column index 3, name "state": converting NULL to
int32 is unsupported (Internal)`
# How the Problems Are Solved

- IdP checks are treated the same way as other factors and it's ensured
that a succeeded check within the configured timeframe will always
provide the idp auth method
- `MFATypesAllowed` checks for possible passwordless authentication
- As with the v1 login, the token check now only requires MFA if the
policy is set or the user has 2FA set up
- UserAuthMethodsRequirements now always uses the correctly policy to
check for MFA enforcement
- `State` column is handled as nullable and additional events set the
state to active (as before #7969)

# Additional Changes

- Console now also checks for 403 (mfa required) errors (e.g. after
setting up the first 2FA in console) and redirects the user to the login
UI (with the current id_token as id_token_hint)
- Possible duplicates in auth methods / AMRs are removed now as well.

# Additional Context

- Bugs were introduced in #7822 and # and 7969 and only part of a
pre-release.
- partially already fixed with #7992
- Reported internally.
2024-05-28 08:59:49 +00:00
Livio Spring
1ac7a37e62 fix(login): ensure auth request (#8004)
# Which Problems Are Solved

Potential nil pointers leading to a panic in the login UI.

# How the Problems Are Solved

As of now the login UI did not always check if the authRequest was
actually retrieved form the database, which is ok for some endpoints
which can also be called outside of an auth request.
There are now methods added to ensure the request is loaded.

# Additional Changes

None

# Additional Context

Closes https://github.com/zitadel/DevOps/issues/55
2024-05-28 08:51:15 +02:00
Silvan
43404d960c fix(eventstore): order by sequence if filter by aggregate id (#8019)
# Which Problems Are Solved

Queriying events by an aggregate id can produce high loads on the
database if the aggregate id contains many events (count > 1000000).

# How the Problems Are Solved

Instead of using the postion and in_tx_order columns we use the sequence
column which guarantees correct ordering in a single aggregate and uses
more optimised indexes.

# Additional Context

Closes https://github.com/zitadel/DevOps/issues/50

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-05-28 08:50:42 +02:00