# Which Problems Are Solved
As of now, **automatic creation** and **automatic linking options** were
only considered if the corresponding **allowed option** (account
creation / linking allowed) was enabled.
With this PR, this is no longer needed and allows administrators to
address cases, where only an **automatic creation** is allowed, but
users themselves should not be allowed to **manually** create new
accounts using an identity provider or edit the information during the
process.
Also, allowing users to only link to the proposed existing account is
now possible with an enabled **automatic linking option**, while
disabling **account linking allowed**.
# How the Problems Are Solved
- Check for **automatic** options without the corresponding **allowed**
option.
- added technical advisory to notify about the possible behavior change
# Additional Changes
- display the error message on the IdP linking step in the login UI (in
case there is one)
- display an error in case no option is possible
- exchanged deprecated `eventstoreExpect` with `expectEventstore` in
touched test files
# Additional Context
closes https://github.com/zitadel/zitadel/issues/7393
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
# Which Problems Are Solved
^Since publishing the new V2 GA APi, we have a lot of broken links in
our docs
# How the Problems Are Solved
replace api links with v2 links
This reverts commit e126ccc9aab49fc37df1215e5b0c1137a6fd5d10.
# Which Problems Are Solved
#8295 introduced the possibility to handle idps on a single callback,
but broke current setups.
# How the Problems Are Solved
- Revert the change until a proper solution is found. Revert is needed
as docs were also changed.
# Additional Changes
None.
# Additional Context
- relates to #8295
# Which Problems Are Solved
Both the login UI and the IdP intent flow have their own IdP callback
endpoints.
This makes configuration hard to impossible (e.g. Github only allows one
endpoint) for customers.
# How the Problems Are Solved
- The login UI prefixes the `state` parameter when creating an auth /
SAML request.
- All requests now use the `/idp/callback` or the corresponding
variation (e.g. SAML)
- On callback, the state, resp. its prefix is checked. In case of the
login UI prefix, the request will be forwarded to the existing login UI
handler without the prefix state.
Existing setups will therefore not be affected and also requests started
before this release can be handled without any impact.
- Console only lists the "new" endpoint(s). Any
`/login/externalidp/callback` is removed.
# Additional Changes
- Cleaned up some images from the IdP documentation.
- fix the error handling in `handleExternalNotFoundOptionCheck`
# Additional Context
- closes#8236
# Which Problems Are Solved
- It is not possible to introspect service user token if
`urn:zitadel:iam:org:project🆔{projectid}:aud` scope is not added in
token request.
- Adding this note to the document could reduce confusion and debugging
time
-
https://discord.com/channels/927474939156643850/1168857403945660436/1168930850029707386
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
# Which Problems Are Solved
In the configuration of external idps we show SAML SP as provider which
is confusing, as it is a SAML IdP which is configured
# How the Problems Are Solved
Rename SAML SP to SAML IdP
# Which Problems Are Solved
- The console shows the Instance Settings title and a description.
Instance settings should be replaced with Default settings
# How the Problems Are Solved
- The DESCRIPTIONS.SETTINGS.INSTANCE.TITLE and
DESCRIPTIONS.SETTINGS.INSTANCE.DESCRIPTION have been replaced with
Default Settings and in the corresponding translation files.
Here's a screenshot:
# Additional Changes
- The docs have been updated to replace remaining texts mentioning
Instance Settings with Default Settings
- Two unused texts have been deleted from the translation files
- VSCode with Prettier have applied some markdown changes
# Additional Context
- Closes#7632
---------
Co-authored-by: Fabi <fabienne@zitadel.com>
# Which Problems Are Solved
an admin wants to know how to register a new user with some custom
fields
# How the Problems Are Solved
We already had examples about user metadata and onboard new users, but
the link between those and how to use it was missing.
# Additional Context
Replace this example with links to related issues, discussions, discord
threads, or other sources with more context.
Use the Closing #issue syntax for issues that are resolved with this PR.
- Closes#7951
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
# Which Problems Are Solved
Adds the possibility to mirror an existing database to a new one.
For that a new command was added `zitadel mirror`. Including it's
subcommands for a more fine grained mirror of the data.
Sub commands:
* `zitadel mirror eventstore`: copies only events and their unique
constraints
* `zitadel mirror system`: mirrors the data of the `system`-schema
* `zitadel mirror projections`: runs all projections
* `zitadel mirror auth`: copies auth requests
* `zitadel mirror verify`: counts the amount of rows in the source and
destination database and prints the diff.
The command requires one of the following flags:
* `--system`: copies all instances of the system
* `--instance <instance-id>`, `--instance <comma separated list of
instance ids>`: copies only the defined instances
The command is save to execute multiple times by adding the
`--replace`-flag. This replaces currently existing data except of the
`events`-table
# Additional Changes
A `--for-mirror`-flag was added to `zitadel setup` to prepare the new
database. The flag skips the creation of the first instances and initial
run of projections.
It is now possible to skip the creation of the first instance during
setup by setting `FirstInstance.Skip` to true in the steps
configuration.
# Additional info
It is currently not possible to merge multiple databases. See
https://github.com/zitadel/zitadel/issues/7964 for more details.
It is currently not possible to use files. See
https://github.com/zitadel/zitadel/issues/7966 for more information.
closes https://github.com/zitadel/zitadel/issues/7586
closes https://github.com/zitadel/zitadel/issues/7486
### Definition of Ready
- [x] I am happy with the code
- [x] Short description of the feature/issue is added in the pr
description
- [x] PR is linked to the corresponding user story
- [x] Acceptance criteria are met
- [x] All open todos and follow ups are defined in a new ticket and
justified
- [x] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [x] No debug or dead code
- [x] My code has no repetitions
- [x] Critical parts are tested automatically
- [ ] Where possible E2E tests are implemented
- [x] Documentation/examples are up-to-date
- [x] All non-functional requirements are met
- [x] Functionality of the acceptance criteria is checked manually on
the dev system.
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
# Which Problems Are Solved
- Misaligned heading
- Curl with auth header is hard to understand without the link
# How the Problems Are Solved
Instead of explaining how to create a proper encoding, just use --user
flag for client_id and client_secret
# Which Problems Are Solved
The session update requires the current session token as argument.
Since this adds extra complexity but no real additional security and
prevents case like magic links, we want to remove this requirement.
We still require the session token on other resouces / endpoints, e.g.
for finalizing the auth request or on idp intents.
# How the Problems Are Solved
- Removed the session token verifier in the Update Session GRPc call.
- Removed the session token from login UI examples session update calls
# Additional Changes
- none
# Additional Context
- Closes#7883
* docs(guides/integrate/service-users/private-key-jwt): adjust incomplete, outdated and incorrect parts of the python example.
* wrong variable name for kid in the header
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
* docs(oidc): token exchange beta feature info
This change adds an info box to the token exchange documentation, informing the reader of the beta state of the feature and how to enable it.
* Update docs/docs/apis/openidoauth/endpoints.mdx
Co-authored-by: Fabi <fabienne@zitadel.com>
* Update docs/docs/guides/integrate/token-exchange.mdx
Co-authored-by: Fabi <fabienne@zitadel.com>
---------
Co-authored-by: Fabi <fabienne@zitadel.com>
* docs(oidc): token exchange guide
This change adds a token exchange guide which includes "simple" and impersonation examples.
The endpoint, claims and grant type documentation also has been amended with token exchange specifics.
* solve suggestions
* fix impersonated event type
* add link to event store concept
* fix links build error
* add to sidebar and update some info boxes
* feat: add ExpirationDate to MachineKey JSON detail
* fix: include time in expiration date column for machine keys table
* fix: show expiration date in ShowKeyDialog if available
* fix: add machine key expiration date note
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
* docs: rename instance settings to default settings
* docs: correct local reference to docs
* docs: correct local reference to docs
---------
Co-authored-by: Max Peintner <max@caos.ch>
