Commit Graph

3044 Commits

Author SHA1 Message Date
Livio Spring
63c7364159
chore(workflow): run e2e on non standard runners (#7698)
Co-authored-by: Elio Bischof <elio@zitadel.com>
(cherry picked from commit f862e43ede)
2024-04-09 14:01:58 +02:00
Tim Möhlmann
ad9422a7d0
fix(crypto): check for nil client secret (#7729)
When creating an app without secret or other type of authentication method,
like JWT, and the authentication type is switched afterwards the app would remain without generated secret.
If then client authentication with secret is attempted, for example on the token endpoint, the handler would panic in the crypto.CompareHash function on the nile pointer to the CryptoValue.

This fix introduces a nil pointer check in crypt.CompareHash and returns a error.

The issue was reported over discord: https://discord.com/channels/927474939156643850/1222971118730875020
Possible fix was suggested here: https://github.com/zitadel/zitadel/pull/6999#discussion_r1553503088
This bug only applies to zitadel versions <=2.49.1.
2024-04-09 08:44:52 +02:00
Livio Spring
323425aa30
fix(oidc): correctly return new refresh token on refresh token grant (#7707)
* fix(oidc): correctly return new refresh token on refresh token grant

* fix import

(cherry picked from commit 29ad51b0e3)
2024-04-04 18:02:42 +02:00
Livio Spring
7704dd18c6
Merge branch 'main' into next
# Conflicts:
#	cmd/setup/25.go
#	cmd/setup/25.sql
#	cmd/setup/config.go
#	cmd/setup/setup.go
#	go.mod
#	internal/api/grpc/user/v2/query_integration_test.go
#	internal/api/oidc/client.go
#	internal/command/user.go
#	internal/query/user_grant_test.go
2024-04-02 07:26:00 +02:00
Tijl
2d25244c77
fix: docs: keycloak user migration api error (#7626)
fix user importing api error

Co-authored-by: Florian Forster <florian@zitadel.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-03-28 18:40:54 +00:00
Elio Bischof
6ca35009be
fix(console): show callback urls on update idp (#7668)
* fix(console): show callback urls on update idp

* styles

* lint

* center links
2024-03-28 16:22:08 +00:00
Tim Möhlmann
3ca80d637d
docs(oidc): token exchange beta feature info (#7670)
* docs(oidc): token exchange beta feature info

This change adds an info box to the token exchange documentation, informing the reader of the beta state of the feature and how to enable it.

* Update docs/docs/apis/openidoauth/endpoints.mdx

Co-authored-by: Fabi <fabienne@zitadel.com>

* Update docs/docs/guides/integrate/token-exchange.mdx

Co-authored-by: Fabi <fabienne@zitadel.com>

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-03-28 13:02:54 +00:00
Silvan
bed0f6293b
fix: check error before using token (#7664) 2024-03-28 12:19:03 +00:00
Vignesh Sankar Iyer
dcb1c7fa75
fix: Incorrect button positioning on email verification (#7579)
change mail verification page styling

Co-authored-by: Max Peintner <max@caos.ch>
2024-03-28 09:52:29 +00:00
Max Peintner
20fb032743
docs: typescript login (#7621)
* typescript docs

* docs

* self service part

* deploy part

* headers

* update description

* illustration description

* endpoints

* Update docs/docs/guides/integrate/login-ui/typescript-repo.mdx

Co-authored-by: Livio Spring <livio.a@gmail.com>

* Update docs/docs/guides/integrate/login-ui/typescript-repo.mdx

Co-authored-by: Livio Spring <livio.a@gmail.com>

* Update docs/docs/guides/integrate/login-ui/typescript-repo.mdx

Co-authored-by: Livio Spring <livio.a@gmail.com>

* Update docs/docs/guides/integrate/login-ui/typescript-repo.mdx

Co-authored-by: Livio Spring <livio.a@gmail.com>

* Update docs/docs/guides/integrate/login-ui/typescript-repo.mdx

Co-authored-by: Livio Spring <livio.a@gmail.com>

* Update docs/docs/guides/integrate/login-ui/typescript-repo.mdx

Co-authored-by: Livio Spring <livio.a@gmail.com>

* rm scope

* Update docs/docs/guides/integrate/login-ui/typescript-repo.mdx

Co-authored-by: Livio Spring <livio.a@gmail.com>

* screenshot deploy to vercel

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-03-28 08:19:36 +00:00
Livio Spring
4c945f8bdc
chore(workflow): stop previous GH action pipeline on new changes and move back to public runners (#7659)
* chore(workflow): stop previous GH action pipeline on new changes

* skip previous code ql actions

* try running e2e on gh runner again
2024-03-28 07:15:03 +00:00
Stefan Benz
217703395e
feat: add user v2 pw change required information on query (#7603)
* fix: add resource owner as query for user v2 ListUsers and clean up deprecated attribute

* fix: add resource owner as query for user v2 ListUsers and clean up deprecated attribute

* fix: add resource owner as query for user v2 ListUsers and clean up deprecated attribute

* fix: review changes

* fix: review changes

* fix: review changes

* fix: review changes

* fix: add password change required to user v2 get and list

* fix: update unit tests for query side with new column and projection

* fix: change projection in setup steps

* fix: change projection in setup steps

* fix: remove setup step 25

* fix: add password_change_required into ListUsers response

* fix: correct SetUserPassword parameters

* fix: rollback to change setup instead of projection directly

* fix: rollback to change setup instead of projection directly

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-03-28 06:21:21 +00:00
Elio Bischof
d26391a642
feat(console): guide users when configuring IDPs (#7572)
* feat(console): show external idp remote config

* reuse copy-row

* finish google and saml sp

* finish apps

* add next steps modal

* rollout

* activate

* fix saml urls

* fix saml provider

* complete providers

* translate

* update google docs

* update entra id oidc docs

* update entra id saml docs

* update github docs

* update gitlab docs

* update apple docs

* update okta oidc docs

* update okta saml docs

* update keycloak docs

* update mocksaml

* cleanup

* lint

* lint

* fix overriden classes

* encapsulate styles

* fix icon classes

---------

Co-authored-by: peintnermax <max@caos.ch>
2024-03-27 20:10:31 +00:00
Stefan Benz
84644214d7
fix: remove resourceowner read from context in user v2 api (#7641)
* fix: remove resourceowner read from context in user v2 api

* fix: lint

* fix: remove orgID in addIDPLink

* fix: remove comment as unnecessary

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-03-27 18:22:17 +00:00
Livio Spring
1e53aab4b4
fix: properly handle otp sms challenge notification in session api (#7653)
* fix: properly handle otp sms challenge notification in session api

* small fix
2024-03-27 19:48:14 +02:00
Silvan
56df515e5f
chore: use pgx v5 (#7577)
* chore: use pgx v5

* chore: update go version

* remove direct pq dependency

* remove unnecessary type

* scan test

* map scanner

* converter

* uint8 number array

* duration

* most unit tests work

* unit tests work

* chore: coverage

* go 1.21

* linting

* int64 gopfertammi

* retry go 1.22

* retry go 1.22

* revert to go v1.21.5

* update go toolchain to 1.21.8

* go 1.21.8

* remove test flag

* go 1.21.5

* linting

* update toolchain

* use correct array

* use correct array

* add byte array

* correct value

* correct error message

* go 1.21 compatible
2024-03-27 15:48:22 +02:00
Dakshitha Ratnayake
2ea0b520fd
docs: Added a new intro page for configuring external IdPs. (#7595)
* Added a new intro page for configuring external IdPs.

* Fixed broken links

* Resolved build errors.

* Update docs/docs/guides/integrate/identity-providers/introduction.md

Co-authored-by: Fabi <fabienne@zitadel.com>

* Update docs/docs/guides/integrate/identity-providers/introduction.md

Co-authored-by: Fabi <fabienne@zitadel.com>

* Addressed review comments.

* Update docs/docs/guides/integrate/identity-providers/introduction.md

Co-authored-by: Fabi <fabienne@zitadel.com>

* Update docs/docs/guides/integrate/identity-providers/introduction.md

Co-authored-by: Fabi <fabienne@zitadel.com>

* Addressed review comments.

* Update docs/docs/guides/integrate/identity-providers/introduction.md

Co-authored-by: Fabi <fabienne@zitadel.com>

* Update docs/docs/guides/integrate/identity-providers/introduction.md

Co-authored-by: Fabi <fabienne@zitadel.com>

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-03-27 15:49:08 +05:30
Livio Spring
4c2c9c22c4
fix: detect mime type of uploaded asset (#7648)
(cherry picked from commit 841e79357a)
2024-03-27 10:54:20 +01:00
Livio Spring
ad0589d21d
fix: prevent custom urn:zitadel:iam claims (#7647)
(cherry picked from commit 1121ebfdb8)
2024-03-27 10:52:16 +01:00
Livio Spring
5929575df8
chore(workflow): fix homebrew update (#7630)
(cherry picked from commit 2bcc42c4cd)
2024-03-27 10:51:12 +01:00
Livio Spring
841e79357a
fix: detect mime type of uploaded asset (#7648) 2024-03-27 10:41:10 +01:00
Livio Spring
1121ebfdb8
fix: prevent custom urn:zitadel:iam claims (#7647) 2024-03-27 08:26:14 +01:00
Livio Spring
a83829b5ff
fix(API): remove deprecated organisation_id from user factor in session service (#7631) 2024-03-26 11:25:40 +00:00
Tim Möhlmann
2021bad0ad
docs(oidc): token exchange guide (#7625)
* docs(oidc): token exchange guide

This change adds a token exchange guide which includes "simple" and impersonation examples.
The endpoint, claims and grant type documentation also has been amended with token exchange specifics.

* solve suggestions

* fix impersonated event type

* add link to event store concept

* fix links build error

* add to sidebar and update some info boxes
2024-03-26 06:28:17 +00:00
Fabi
62652f4f91
docs: add linkedin guide (#7600)
* docs: add linkedin guide

* docs: change pictures and settings
2024-03-25 18:34:49 +02:00
mffap
376c3a3fff
docs(integrate): improve service user authentication (#7492)
* service users

* wip

* wip

* wip

* lower case titles

* wip

* wip

* private key jwt

* wip

* wip

* token introspection

* zitadel apis

* expiration

* replace mermaid with svg

* Apply suggestions from code review

Co-authored-by: Fabi <fabienne@zitadel.com>

* Apply suggestions from code review

* boulevard of broken links

* my hrefs will go on

* docs: add token type to client credential

* Update docs/docs/apis/introduction.mdx

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/service-users/authenticate-service-users.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/service-users/authenticate-service-users.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/service-users/authenticate-service-users.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/service-users/private-key-jwt.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/service-users/private-key-jwt.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/service-users/authenticate-service-users.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/service-users/client-credentials.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/service-users/client-credentials.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/_accessing_zitadel_api.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* Update docs/docs/guides/integrate/zitadel-apis/access-zitadel-apis.md

Co-authored-by: Florian Forster <florian@zitadel.com>

* docs: add token type to client credential

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com>
Co-authored-by: Florian Forster <florian@zitadel.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-03-25 10:30:43 +01:00
dependabot[bot]
47e5533f0f
chore(deps): bump actions/add-to-project from 0.6.0 to 0.6.1 (#7628)
Bumps [actions/add-to-project](https://github.com/actions/add-to-project) from 0.6.0 to 0.6.1.
- [Release notes](https://github.com/actions/add-to-project/releases)
- [Commits](https://github.com/actions/add-to-project/compare/v0.6.0...v0.6.1)

---
updated-dependencies:
- dependency-name: actions/add-to-project
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-03-25 09:07:57 +00:00
Livio Spring
30ff0dd1ed
chore: update stable to 2.42.16 (#7629) 2024-03-25 08:53:04 +00:00
Livio Spring
2bcc42c4cd
chore(workflow): fix homebrew update (#7630) 2024-03-25 09:29:54 +01:00
Livio Spring
cef9e49ff9
fix(setup): enable init-projection by default (#7616)
* fix(setup): enable init-projection by default

* update A10008

(cherry picked from commit d313e6d498)
2024-03-25 07:24:34 +01:00
Silvan
20ef744c4d
chore: trigger update homebrew tap on latest release (#7618)
(cherry picked from commit 5b301c7f96)
2024-03-25 07:24:34 +01:00
Silvan
b55551643a
chore(build): update dependencies (#7606)
(cherry picked from commit c3cb010d2a)
2024-03-25 07:24:33 +01:00
Tim Möhlmann
7816644964
fix(oidc): define audience inside auth request instead of token creation (#7610)
fix(oidc): define audience inside auth request instead off token creation

When using the v1 OIDC Code flow, tokens would not carry the correct audience when returned as JWT. This applies to access tokens as JWT and ID tokens.
Introspection would still show the correct audience.
This happened because project audience was appended at token creation time. This stored the appended audience, used later in introspection or token refresh. However, the OIDC library still only had a view of the original auth request with the original audience.
When signing JWTs it would use this outdated information.

This change moves audience modifications to the auth request creation. This is was already the way it was done for v2 login and now v1 follows the same method.

Co-authored-by: Livio Spring <livio.a@gmail.com>

(cherry picked from commit 9d5cd12cd4)
2024-03-25 07:24:21 +01:00
Silvan
e9b8bb7d14
fix(api): correct mapping of metadata queries (#7609)
(cherry picked from commit 6eb982e368)
2024-03-25 07:18:14 +01:00
Livio Spring
d313e6d498
fix(setup): enable init-projection by default (#7616)
* fix(setup): enable init-projection by default

* update A10008
2024-03-23 12:52:52 +01:00
Livio Spring
7494a7b6d9
feat(api): add possibility to retrieve user schemas (#7614)
This PR extends the user schema service (V3 API) with the possibility to ListUserSchemas and GetUserSchemaByID.
The previously started guide is extended to demonstrate how to retrieve the schema(s) and notes the generated revision property.
2024-03-22 13:26:13 +00:00
Silvan
5b301c7f96
chore: trigger update homebrew tap on latest release (#7618) 2024-03-22 13:38:18 +01:00
Silvan
c3cb010d2a
chore(build): update dependencies (#7606) 2024-03-22 07:10:34 +00:00
Tim Möhlmann
9d5cd12cd4
fix(oidc): define audience inside auth request instead of token creation (#7610)
fix(oidc): define audience inside auth request instead off token creation

When using the v1 OIDC Code flow, tokens would not carry the correct audience when returned as JWT. This applies to access tokens as JWT and ID tokens.
Introspection would still show the correct audience.
This happened because project audience was appended at token creation time. This stored the appended audience, used later in introspection or token refresh. However, the OIDC library still only had a view of the original auth request with the original audience.
When signing JWTs it would use this outdated information.

This change moves audience modifications to the auth request creation. This is was already the way it was done for v2 login and now v1 follows the same method.

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-03-21 19:42:44 +02:00
Silvan
6eb982e368
fix(api): correct mapping of metadata queries (#7609) 2024-03-21 14:56:58 +00:00
Stefan Benz
8f3c91a393
fix: fill resourceowner of project into usergrant projection (#7605)
(cherry picked from commit 517398bba6)
2024-03-21 13:00:37 +01:00
Stefan Benz
0416153e8e
fix: add organizationID query for user v2 ListUsers and clean up depeprecated attribute (#7593)
Add organizationID as query for ListUsers and clean up the deprecated Organisation attributes in other queries.

This PR removes the following fields from API requests (user service v2):

organisation from AddHumanUser (deprecated some time ago, organization still exists)
organization from GetUserByID

(cherry picked from commit 319ebe7898)
2024-03-21 13:00:37 +01:00
Livio Spring
3c2789c7cc
fix: allow login by email case-insensitive (#7578)
A customer noted that the login by email was case-sensitive, which differs to the handling of the loginname.

This PR changes the email check to be case-insensitive (which it was already in same parts) and improve the search for this as well.

(cherry picked from commit 7e24a1adbc)
2024-03-21 13:00:36 +01:00
Livio Spring
09fcbb6841
fix(login): display username after registration with idp (#7598)
It was noticed multiple time (incl. customers) that the loginname is sometimes not rendered in the UI.

This PR fixes such an issue after registration of a new user from an IdP.

(cherry picked from commit b2d7352a5a)
2024-03-21 12:59:59 +01:00
Stefan Benz
517398bba6
fix: fill resourceowner of project into usergrant projection (#7605) 2024-03-21 10:31:06 +00:00
Stefan Benz
319ebe7898
fix: add organizationID query for user v2 ListUsers and clean up depeprecated attribute (#7593)
Add organizationID as query for ListUsers and clean up the deprecated Organisation attributes in other queries.

This PR removes the following fields from API requests (user service v2):

organisation from AddHumanUser (deprecated some time ago, organization still exists)
organization from GetUserByID
2024-03-21 08:07:00 +00:00
Livio Spring
7e24a1adbc
fix: allow login by email case-insensitive (#7578)
A customer noted that the login by email was case-sensitive, which differs to the handling of the loginname.

This PR changes the email check to be case-insensitive (which it was already in same parts) and improve the search for this as well.
2024-03-20 15:51:26 +00:00
Livio Spring
b2d7352a5a
fix(login): display username after registration with idp (#7598)
It was noticed multiple time (incl. customers) that the loginname is sometimes not rendered in the UI.

This PR fixes such an issue after registration of a new user from an IdP.
2024-03-20 15:02:57 +01:00
Tim Möhlmann
6398349c24
feat(oidc): token exchange impersonation (#7516)
* add token exchange feature flag

* allow setting reason and actor to access tokens

* impersonation

* set token types and scopes in response

* upgrade oidc to working draft state

* fix tests

* audience and scope validation

* id toke and jwt as input

* return id tokens

* add grant type  token exchange to app config

* add integration tests

* check and deny actors in api calls

* fix instance setting tests by triggering projection on write and cleanup

* insert sleep statements again

* solve linting issues

* add translations

* pin oidc v3.15.0

* resolve comments, add event translation

* fix refreshtoken test

* use ValidateAuthReqScopes from oidc

* apparently the linter can't make up its mind

* persist actor thru refresh tokens and check in tests

* remove unneeded triggers
2024-03-20 10:18:46 +00:00
Silvan
b338171585
docs: move jwt idp to guides (#7570) 2024-03-20 10:46:05 +01:00