Commit Graph

3213 Commits

Author SHA1 Message Date
Miguel Cabrerizo
c8e168ac69
fix: remove non-existent colums in getMembershipFromQuery queries (#7869)
In issue #7841 @mahmoodfathy commented an issue when the API call for
Listing My ZITADEL Manager Roles is called with any kind of query
(orgQuery, projectQuery, projectGrantQuery...). A column XXXXXX does not
exist (SQLSTATE 42703) error is thrown.

The issue was focused in getMembershipFromQuery where filtering queries
functions are called: prepareOrgMember, prepareIAMMember,
prepareProjectMember and prepareProjectGrantMember

Those functions allow queries for columns that are not members of the
table to be queried so I've added a conditional clause to avoid using
the queries that cannot be called.

For example, for prepareOrgMember, member.id, member.project_id and
member.grant_id columns are not added to the filter queries

```
for _, q := range query.Queries {
		if q.Col().table.name == membershipAlias.name &&
			!slices.Contains([]string{membershipIAMID.name, membershipProjectID.name, membershipGrantID.name}, q.Col().name) {
			builder = q.toQuery(builder)
		}
	}
	return builder.MustSql()
```

Here I show one screenshot where the error "column XXXXXX does not exist
(SQLSTATE 42703)" is no longer thrown using an orgQuery.


![image](https://github.com/zitadel/zitadel/assets/30386061/77621e69-71df-42de-b3c5-fa9b4dbf1b89)

Should close #7841 

### Definition of Ready

- [X] I am happy with the code
- [X] Short description of the feature/issue is added in the pr
description
- [X] PR is linked to the corresponding user story
- [X] Acceptance criteria are met
- [ ] All open todos and follow ups are defined in a new ticket and
justified
- [ ] Deviations from the acceptance criteria and design are agreed with
the PO and documented.
- [X] No debug or dead code
- [X] My code has no repetitions
- [X] Critical parts are tested automatically
- [ ] Where possible E2E tests are implemented
- [ ] Documentation/examples are up-to-date
- [ ] All non-functional requirements are met
- [X] Functionality of the acceptance criteria is checked manually on
the dev system.

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-07-02 12:08:28 +00:00
Livio Spring
c7b8d6d97f
chore(stable): update to v2.50.6 (#8221) 2024-07-02 11:18:56 +02:00
Miguel Cabrerizo
cd6b452fc9
fix: add missing SAML type for GetActiveIdentityProviders (#8186)
# Which Problems Are Solved

- When the endpoint http://{CUSTOM-DOMAIN}/v2beta/settings/login/idps is
called the type for an activated SAML provider is not sent.
- The IDENTITY_PROVIDER_TYPE_SAML is missing

# How the Problems Are Solved

- Adds the missing IDENTITY_PROVIDER_TYPE_SAML to the
IdentityProviderType proto definition
- Adds the missing case for idpTypeToPb 
- Adds the missing test case for idpTypeToPb

Here's a screenshot showing the endpoint response:


![image](https://github.com/zitadel/zitadel/assets/30386061/6e3e9c41-543c-472e-96ab-3d40736a2699)

# Additional Context

- Closes #7885

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2024-06-28 15:00:56 +00:00
Stefan Benz
d92717a1c6
fix: encode ldap values to make valid UTF8 (#8210)
# Which Problems Are Solved

UUIDs stored in LDAP are Octet Strings and have to be parsed, so that
they can be stored as IDs as they are not valid UTF8.

# How the Problems Are Solved

Try to parse the RawValue from LDAP as UUID, otherwise try to base64
decode and then parse as UUID, else use the data as string as before.

# Additional Changes

None

# Additional Context

Closes #7601
2024-06-28 13:46:54 +00:00
Miguel Cabrerizo
728158298d
fix(console): filters on user's list ignored if you go back from user details (#8180)
# Which Problems Are Solved

- As @stebenz reported, if we apply some user filters and show user's
details clicking on the table's entry, if we go back again (maybe the
action has to be repeated many times to see the error in action) the
filter seems to be ignored and the table shows all users.

# How the Problems Are Solved

- There's an issue with getting data for the user's table. On ngOnInit
the data is retrieved but also the data is retrieved again when the
filter is applied after going back from the user details view. Due to
asynchronous calls there are some times when the getData, called from
ngOnInit, finishes after the call from applySearchQuery, which applies
the filter, and that's why the data in the tables shows unfiltered data.
In the screenshot we see that we get two results from ngOnInit call
after getting the filtered data (1 result) overwriting the filtered
results.

![Captura desde 2024-06-23
14-02-30](https://github.com/zitadel/zitadel/assets/30386061/fdfa8353-04c6-4892-bd39-aa75dd4d2049)

- I've added a check on ngOnInit that verifies if we have already a
filter (query params) which means that we don't need to getData there as
the filter and getData is going to be applied when applySearchQuery is
called. Here's a video checking that the issue no longer happens:


https://github.com/zitadel/zitadel/assets/30386061/9907d94f-1326-4975-8664-2a0ff51f4568

# Additional Changes

- I think it's better to change the button text to apply the filter from
Finish to Apply

# Additional Context

- Closes #8049
2024-06-28 13:04:05 +00:00
Miguel Cabrerizo
14aeb42cc2
fix: RFC1342 encode sender name that goes in from header (#8193)
# Which Problems Are Solved

- Some smtp server/client combination may have problems with non-ASCII
sender names for example using an umlaut

# How the Problems Are Solved

- The same RFC1342 mechanism that was added in
#https://github.com/zitadel/zitadel/pull/6637 and later improved by
@eliobischof with BEncoding has been added to the sender name that goes
in the From header

# Additional Context

- Closes #7976
2024-06-28 08:33:42 +00:00
Miguel Cabrerizo
da592ccf57
fix(console): minor UI issues (#8192)
# Which Problems Are Solved

- The console has some dialog UI issues reported in #7404 
- There's some horizontal scrolling in dialogs due to field errors width
overflow. In dialogs like Twilio or add flow the x-scroll show always.

![action_trigger_scroll](https://github.com/zitadel/zitadel/assets/30386061/6b574dd7-e309-4a21-a34a-6a1a98ef57ab)

![twilio_scroll](https://github.com/zitadel/zitadel/assets/30386061/48bf5af8-a8cd-4594-acf6-ef61b678443a)

- New Factor MFA title has no styles applied
![Captura desde 2024-06-25
08-37-40](https://github.com/zitadel/zitadel/assets/30386061/931419b4-7f37-4cd1-9b37-9b7fa9ff8453)

# How the Problems Are Solved

- A new style for field wrappers inside mat-dialog-component to
form-field scss that sets width to auto.
- This PR fix a missing MFA mat-dialog-title to apply styles to New
Factor title
- Issues with secret generators had been already fixed in #8141
- Issues with padding for Twilio and Actions were fixed by @peintnermax

# Additional Changes


# Additional Context

- Closes #7404

---------

Co-authored-by: Max Peintner <max@caos.ch>
2024-06-27 09:40:00 +00:00
Livio Spring
1b0e773ceb
fix(ldap): add more logs (#8197)
# Which Problems Are Solved

In case the user bind (user password check for LDAP IdP) fails, there's
no information about what went wrong.
This makes it hard to even impossible to find the cause.

# How the Problems Are Solved

Added logging of the error.

# Additional Changes

Additionally added a log in case no single user (none / multiple) are
found.

# Additional Context

- reported internally
2024-06-25 19:04:10 +00:00
Florian Forster
3af825a6f7
chore(devcontainer): improve devcontainer to work on windows and linux (#8194)
# Which Problems Are Solved

Working on windows with a devcontainer has line ending issues which are
solved with the .gitattributes file
2024-06-25 14:40:34 +00:00
Miguel Cabrerizo
88182f98ba
fix: replace Instance Settings with Default Settings in i18n and docs (#8143)
# Which Problems Are Solved

- The console shows the Instance Settings title and a description.
Instance settings should be replaced with Default settings

# How the Problems Are Solved

- The DESCRIPTIONS.SETTINGS.INSTANCE.TITLE and
DESCRIPTIONS.SETTINGS.INSTANCE.DESCRIPTION have been replaced with
Default Settings and in the corresponding translation files.

Here's a screenshot:


![image](https://github.com/zitadel/zitadel/assets/30386061/b404f209-2043-414c-b06d-3291771d54fb)

# Additional Changes

- The docs have been updated to replace remaining texts mentioning
Instance Settings with Default Settings
- Two unused texts have been deleted from the translation files
- VSCode with Prettier have applied some markdown changes

# Additional Context

- Closes #7632

---------

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-06-25 09:18:06 +00:00
Tim Möhlmann
dc170dc46e
feat(crypto): support md5 plain for imported password hashes (#8189)
# Which Problems Are Solved

Allow verification of imported passwords hashed with plain md5, without
salt. These are password digests typically created by one of:

- `printf "password" | md5sum` on most linux systems.
- PHP's `md5("password")`
- Python3's `hashlib.md5(b"password").hexdigest()`

# How the Problems Are Solved

- Upgrade passwap to
[v0.6.0](https://github.com/zitadel/passwap/releases/tag/v0.6.0)
- Add md5plain as a new verfier option in `defaults.yaml`

# Additional Changes

- Updated documentation to explain difference between `md5` (crypt) and
`md5plain` verifiers.

# Additional Context

- Requested by customer for import case
2024-06-25 11:10:49 +03:00
Livio Spring
bb609b642c
chore(stable): update to v2.49.5 (#8185)
Updates the stable tag to v2.49.5
2024-06-24 08:49:45 +00:00
Jasper van der Neut - Stulen
3e15b881d5
chore(doc): do not expose database to public networks in examples (#8175)
# Which Problems Are Solved

The docker-compose examples expose the database to the world.

# How the Problems Are Solved

Remove the `ports` config from the `db` service.
2024-06-21 15:02:04 +00:00
Fabi
11bdce5b53
docs: add phone scope to docs (#8174)
# Which Problems Are Solved

It is not clear that the phone number can be requested in a separat oidc
scope

# How the Problems Are Solved

Added the phone scope to the scope documentation
2024-06-21 16:19:21 +02:00
Miguel Cabrerizo
3635320ce8
feat: send test mail (#7968)
# Which Problems Are Solved

- Zitadel doesn't have a way to test SMTP settings either before
creating a new provider or once the SMTP provider has been created.
- Zitadel SMTP messages can be more informative for usual errors

# How the Problems Are Solved

- A new step is added to the new/update SMTP provider wizard that allows
us to test a configuration. The result is shown in a text area.
- From the table of SMTP providers you can test your settings too.
- The email address to send the email is by default the email address
for the logged in user as suggested.
- Some of the SMTP error messages have been changed to give more
information about the possible situation. For example: could not contact
with the SMTP server, check the port, firewall issues... instead of
could not dial

Here's a video showing this new option in action:


https://github.com/zitadel/zitadel/assets/30386061/50128ba1-c9fa-4481-8eec-e79a3ca69bda

# Additional Changes

Replace this example text with a concise list of additional changes that
this PR introduces, that are not directly solving the initial problem
but are related.
For example:
- The docs explicitly describe that the property XY is mandatory
- Adds missing translations for validations.

# Additional Context

- Closes #4504
2024-06-20 19:51:42 +00:00
Livio Spring
00b5e55565
fix: set certificate validity for SAML IdPs (#8170)
# Which Problems Are Solved

Certificates created for a SAML IdP (used for metadata and request
singing) did not have any validity set. While it's not required for
SAML, when trying to import the certificate into a (keychain) tool it
might fail.

# How the Problems Are Solved

The validity is set based on the `CertificateLifetime` set in the
runtime config.

## After the fix:
If an IdP was created with a certificate without validity, an admin can
regenerate the certificate:
- for instance wide IdPs:
https://zitadel.com/docs/apis/resources/admin/admin-service-regenerate-saml-provider-certificate#regenerate-saml-identity-provider-certificate
- for organization specific IdPs:
https://zitadel.com/docs/apis/resources/mgmt/management-service-regenerate-saml-provider-certificate#regenerate-saml-identity-provider-certificate

Due to the new certificate, the metadata will change and will need to be
updated at the external IdP.

# Additional Changes

Additionally the `CertificateSize` instead of the `Size` (used for keys)
is used for generating the certificate, resp. the underlying key pair.

# Additional Context

- noted by a customer
- needs backports

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
2024-06-20 14:09:20 +00:00
Tim Möhlmann
669ac6bda2
perf(import): do not check for existing grant ID (#8164)
# Which Problems Are Solved

Improve the performance of the `admin/v1/import` API endpoint.
Specifaclly the import of large amount of project grants.

# How the Problems Are Solved

`AddProjectGrantWithID` and `AddProjectGrantMember` methods of
`Commands` used to get the current state of the Writemodel to check if
the current GrantID or the combination of GrantID & UserID wasn't
already used. However, the Added events already have protection against
duplication by the `UniqueConstaint` methods.

The queries become very slow when there is a great amount of project
grants. Because all the events are pushed to the aggregate ID of the
project, we had to obtain all related project events, including events
of grantIDs we do not care about. This O(n) duration for bached import
jobs adding many organization granted to a single project.

This change removes the unnecesary state query to improve performance.

# Additional Changes

- Add integration tests for import

# Additional Context

- reported internally
2024-06-20 13:31:58 +00:00
Jan-Frederic Schubert
4101e1cd49
chore(docs): Migrate from Docusaurus v2 to v3 (#8036)
Migrate Docs to latest version of Docusaursu (3.3.2 as of time of
writing)

---------

Co-authored-by: Florian Forster <florian@zitadel.com>
2024-06-20 12:55:03 +00:00
Tim Möhlmann
f9742a58f4
fix(import): add tracing spans to all import related functions (#8160)
# Which Problems Are Solved

This fix adds tracing spans to all V1 API import related functions. This
is to troubleshoot import related performance issues reported to us.

# How the Problems Are Solved

Add a tracing span to `api/grpc/admin/import.go` and all related
functions that are called in the `command` package.

# Additional Changes

- none

# Additional Context

- Reported by internal communication
2024-06-19 12:56:33 +02:00
Livio Spring
fb8cd18f93
feat: password age policy (#8132)
# Which Problems Are Solved

Some organizations / customers have the requirement, that there users
regularly need to change their password.
ZITADEL already had the possibility to manage a `password age policy` (
thought the API) with the maximum amount of days a password should be
valid, resp. days after with the user should be warned of the upcoming
expiration.
The policy could not be managed though the Console UI and was not
checked in the Login UI.

# How the Problems Are Solved

- The policy can be managed in the Console UI's settings sections on an
instance and organization level.
- During an authentication in the Login UI, if a policy is set with an
expiry (>0) and the user's last password change exceeds the amount of
days set, the user will be prompted to change their password.
- The prompt message of the Login UI can be customized in the Custom
Login Texts though the Console and API on the instance and each
organization.
- The information when the user last changed their password is returned
in the Auth, Management and User V2 API.
- The policy can be retrieved in the settings service as `password
expiry settings`.

# Additional Changes

None.

# Additional Context

- closes #8081

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-06-18 11:27:44 +00:00
Silvan
65f787cc02
docs: add developing with dev containers (#8095)
# Which Problems Are Solved

Describes how to develop ZITADEL using dev containers.

# Additional Changes

Sets default env variables for using postgres as database in the dev
container.
2024-06-18 08:29:02 +00:00
Stefan Benz
04fc59f538
fix: empty custom text changes push no events (#8054)
# Which Problems Are Solved

If there is no custom text given, the call ends in an internal error as
no events have to be pushed.

# How the Problems Are Solved

If no events have to be pushed, no trying to push an empty list of
events.

# Additional Changes

No additional changes.

# Additional Context

Closes #6954
2024-06-17 12:47:38 +00:00
Miguel Cabrerizo
7576f09de6
fix: pat token overflow in dialog (#8131)
# Which Problems Are Solved

@mffap reported in issue #8084 that there was an oferflow error when the
PAT token was displayed which made copying it almost impossible

# How the Problems Are Solved

It seems there was an issue with the token text not wrapping well as the
token is a long word. Sometimes the token was displayed well but it was
only because the token contains hyphens that made the text go into a new
line but if no hyphen was there there was an overflow issue.

I've used a new class for the token to be displayed and used the css
properties explained in
[mdn](https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_text/Wrapping_breaking_text)

```
overflow-wrap: break-word;
word-break: break-all;

```

Here's a video showing the fix in action:


https://github.com/zitadel/zitadel/assets/30386061/096de18d-4424-46b8-a287-cce6539c2053

# Additional Context

- Closes #8084

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-06-17 12:19:19 +00:00
Daniel Moisa
efcb41398d
fix(8076): last name chip on text messages (#8147)
# Which Problems Are Solved

fix {{.Lastname}} chip on test message settings

# How the Problems Are Solved

{{.LastName}} should appear in the text field

# Additional Changes

No additional changes

# Additional Context

- Closes #8076

Co-authored-by: Daniel Moisa <dani93moisa@gmail.com>
Co-authored-by: Fabi <fabienne@zitadel.com>
2024-06-17 11:54:43 +00:00
Miguel Cabrerizo
a873d960d1
fix: show "Default settings" for small screens < 600px (#8144)
# Which Problems Are Solved

- For devices with screen width lower than 600 px the "Default Settings"
button is not shown unless you put the device in landscape mode

# How the Problems Are Solved

- I've modified the styles so this button is always displayed (I've
tested up to 350 px devices) but for devices width lower than 375px the
font size will be x-small. Thanks to the cog icon and the smaller text
if seems to work fine

Here are two screenshots for a 400 px device:

![Captura desde 2024-06-14
18-31-52](https://github.com/zitadel/zitadel/assets/30386061/1734dc77-312b-4c93-baa7-8d5e90ad68f3)

and a 360 px device:

![Captura desde 2024-06-14
18-32-45](https://github.com/zitadel/zitadel/assets/30386061/37876f26-e097-47af-bf06-b4cc67fcbfb8)

# Additional Context

- Closes #7574
2024-06-17 11:31:11 +00:00
Miguel Cabrerizo
8daaf3d199
fix: mdc dialog styles not being applied to secret generator module (#8141)
# Which Problems Are Solved

- Styles from the material design component dialog are not being applied
(no padding, wrong theme colors for titles...)

# How the Problems Are Solved

- The MatDialogModule has been added to secret-generator.module.ts so
the styles are applied

Here's a video showing the fix in action:


https://github.com/doncicuto/zitadel/assets/30386061/32567e58-b7d6-48da-8369-b48e23828a5c

# Additional Context

- Closes #8085

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-06-17 10:34:12 +00:00
Tim Möhlmann
1aa8c49e41
fix(oidc): store requested response_mode (#8145)
# Which Problems Are Solved

Zitadel never stored or returned the requested `response_mode` in oidc
Auth Requests. This caused the oidc library to fallback to the default
based on the response_type.

# How the Problems Are Solved

- Store the `response_mode` in the Auth request repo
- Store the `response_mode` in the Auth request v2 events
- Return the `resonse_mode` from the Auth Request v1 and v2
`ResponseMode()` methods. (Was hard-coded to an empty string)

# Additional Changes

- Populate the `response_modes_supported` to the oidc Discovery
Configuration. When it was empty, the standard specifies the default of
`query` and `fragment`. However, our oidc library also supports
`form_post` and by this fix, zitadel now also supports this.

# Additional Context

- Closes #6586
- Reported
https://discord.com/channels/927474939156643850/1151508313717084220

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-06-17 09:50:12 +00:00
Livio Spring
85d7536d44
fix(oauth): ensure client error is prioritized over token error (#8133)
# Which Problems Are Solved

Introduced with #6909, the authentication check (API client) and the
token verification on the introspection endpoint where parallelized to
improve performance. Only the first error would be considered and
returned (and the second completely ignored).
This could lead to situations where both the client authentication and
token verification failed and the response would result in a 200 OK with
`active: false`.

# How the Problems Are Solved

- The client authentication check error will always be prioritized.
- An error in the token check will no longer terminate the client
authentication check.

# Additional Changes

None.

# Additional Context

- reported in Discord:
https://discord.com/channels/927474939156643850/1242770807105781760
2024-06-17 09:09:00 +00:00
Nico Schett
ca69ba41ee
docs: add pylon framework to examples (#8115)
# Which Problems Are Solved

- Lack of documentation on integrating the Pylon framework with ZITADEL

# How the Problems Are Solved

- Adds examples to the ZITADEL documentation on how to integrate with
the Pylon framework.
- Provides clear, step-by-step instructions and code snippets for
seamless integration.

# Additional Changes

- Updates some formatting related issues. This includes changes to
trailing semicolons and array newlines in two or three instances without
significantly altering the previous formatting.
5b23416a8c

# Additional Context

Add the pylon framework to the ZITADEL documentation examples as
previously discussed with @fforootd.

- [Pylon](https://github.com/getcronit/pylon)
- [Pylon Documentation](https://pylon.cronit.io)

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-06-17 07:37:07 +00:00
Jesper We
18222008b6
feat: Contribute i18n swedish language (#8105)
# Which Problems Are Solved

- Swedish speakers cannot use their beautiful native language ;-)

# How the Problems Are Solved

- Contributes Swedish language for Login, Console, common texts and
Emails


# Additional Changes

- none

# Additional Context

- The PR currently provides all translation files according to
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#contribute-internationalization.

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-06-15 13:45:19 +00:00
Silvan
8b4531c28d
fix(v2): correct eventstore query (#8124)
# Which Problems Are Solved

Postgres versions < 16 require an alias for subqueries. The query
executed in the new eventstore didn't add this alias.

# How the Problems Are Solved

Added the alias to the subquery
2024-06-15 16:12:21 +03:00
Florian Forster
cf72bd6192
chore(docs): use vercel ci again because GH secret problem on forks (#8142)
# Fallback to Vercel CI

Since we cannot share the vercel_token on forks we cannot deploy by
vercel CLI.
This PR reverts to the last working state by using vercel CI.

I will look into a fix with an npm script or a turbo config to ignore
builds on folder changes.
2024-06-14 16:50:58 +02:00
Florian Forster
21ffe4f693
chore(docs): fix ci (#8135)
# Fixing Fork Previews

This PR tries to fix the upload of the docs preview to vercel which was
not working due to the not available secret.
2024-06-14 13:50:36 +00:00
Fabi
cc00ee89ff
docs: link user register to metadata for custom fields (#8117)
# Which Problems Are Solved

an admin wants to know how to register a new user with some custom
fields

# How the Problems Are Solved

We already had examples about user metadata and onboard new users, but
the link between those and how to use it was missing.

# Additional Context

Replace this example with links to related issues, discussions, discord
threads, or other sources with more context.
Use the Closing #issue syntax for issues that are resolved with this PR.
- Closes #7951

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-06-14 12:27:33 +00:00
Fabi
a000449986
docs: add list of files that need an extension for new language contribution (#8114)
Add a list of files to the contribution guidelines for a new language,
which also need an extension.

# Which Problems Are Solved

At the moment we state where a contributor needs to add new translation
files, but then some lists are missing and the language is not shown to
end users.

# How the Problems Are Solved

Add contribution guidelines

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-06-14 09:45:24 +00:00
Tim Möhlmann
120ed0af73
feat(oidc): organization roles scope (#8120)
# Which Problems Are Solved

An admin / application might want to be able to reduce the amount of
roles returned in the token, for example if a user is granted to many
organizations or for specific cases where the application want to narrow
down the access for that token to a specific organization or multiple.
This can now be achieved by providing a scope with the id of the
organization, resp. multiple scopes for every organization, which should
be included.

```
urn:zitadel:iam:org:roles🆔{orgID}
```

**Note:** the new scope does not work when Introspection / Userinfo are
set to legacy mode.

# How the Problems Are Solved

The user info query now has two variants:

1. Variant that returns all organization authorization grants if the new
scope wasn't provided for backward compatibility.
2. Variant that filters the organizations based on the IDs passed in one
or more of the above scopes and returns only those authorization grants.

The query is defined as a `text/template` and both variants are rendered
once in package `init()`.

# Additional Changes

- In the integration tests `assertProjectRoleClaims` now also checks the
org IDs in the roles.

# Additional Context

- Closes #7996
2024-06-14 10:00:43 +02:00
Elio Bischof
3fabe5a2f9
docs: link discussion (#8126)
# Which Problems Are Solved

If users create discussions about the new API on their own, it could
become hard to keep the overview.

# How the Problems Are Solved

We invite to participate in a single dedicated discussion.

# Additional Changes

Removes the link to the office hours event, as it took place already.
2024-06-13 14:58:30 +02:00
Tim Möhlmann
81cc7c62cb
fix(oidc): upgrade zitadel/oidc to allow scope without openid (#8109)
# Which Problems Are Solved

Drop the requirement of the `openid` scope in all auth and token request
types.

# How the Problems Are Solved

This change upgrades the oidc package to include
https://github.com/zitadel/oidc/pull/613.

# Additional Changes

- Fix a typo in a go doc string
- upgrade otel modules to match the version from oidc.

# Additional Context

- https://github.com/zitadel/zitadel/pull/7822 started doing scope
validation for machine user authentication on the token endpoint.
- https://github.com/zitadel/zitadel/discussions/8068 reports breakage
of machine authentication without `openid` scope.
- Merge after https://github.com/zitadel/oidc/pull/613 is released.
2024-06-13 09:32:27 +00:00
Florian Forster
f6a50db96c
chore(docs): fix prod build for vercel (#8121)
# Fix

Fixes a problem on main
2024-06-13 08:47:10 +00:00
Florian Forster
c9e352033e
chore(docs): use gh action to build docs (#8097)
# Which Problems Are Solved

This allows us to build multiple docs in parallel and only runs when
docs/proto are changed.

# Additional Changes

- [ ] Change "required" in GitHub from Vercel to the docs flow

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-06-13 08:07:39 +00:00
Yxnt
1374f17c8d
fix(login): ldap login page js file not found (#8101)
# Which Problems Are Solved
* fix ldap login page js file not found

![image](https://github.com/zitadel/zitadel/assets/10323352/47640ae9-3aa2-4a62-aa95-e23750cb8eb7)

Signed-off-by: Yxnt <jyxnt1@gmail.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>
2024-06-13 07:05:59 +00:00
Livio Spring
206d947183
docs(api): add missing x-zitadel-orgid header to IdP request (#8113)
# Which Problems Are Solved

Some management requests did not state that the `x-zitadel-orgid` can /
needs to be sent as part of the request.

# How the Problems Are Solved

Added it as paart of the swagger / openAPI documentation.

# Additional Changes

None.

# Additional Context

- noted by a customer
2024-06-12 13:13:20 +00:00
Livio Spring
fb2b1610f9
fix(oidc): remove MFA requirement on ZITADEL API based on user auth methods (#8069)
# Which Problems Are Solved

Request to the ZITADEL API currently require multi factor authentication
if the user has set up any second factor.
However, the login UI will only prompt the user to check factors that
are allowed by the login policy.
This can lead to situations, where the user has set up a factor (e.g.
some OTP) which was not allowed by the policy, therefore will not have
to verify the factor, the ZITADEL API however will require the check
since the user has set it up.

# How the Problems Are Solved

The requirement for multi factor authentication based on the user's
authentication methods is removed when accessing the ZITADEL APIs.
Those requests will only require MFA in case the login policy does so
because of `requireMFA` or `requireMFAForLocalUsers`.

# Additional Changes

None.

# Additional Context

- a customer reached out to support
- discussed internally
- relates #7822 
- backport to 2.53.x
2024-06-12 12:24:17 +00:00
Livio Spring
fb95f4a8a2
fix(oidc): only return state in access token response for implicit flow (#8108)
# Which Problems Are Solved

Introduced with #7822 the access token response incorrectly returned the
`state` parameter.

# How the Problems Are Solved

The `state` will only be returned for access token responses in an
implicit_flow.

# Additional Changes

None.

# Additional Context

- relates to #7822 
- relates to
https://github.com/zitadel/oidc/issues/446#issuecomment-2144999644
- backport to 2.53.x

---------

Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2024-06-12 11:53:56 +00:00
Andy Pilate
f4d32d98d3
docs: typo in oauth2-proxy.md (#8098)
# Which Problems Are Solved

This PR fixes a typo in the documentation

# How the Problems Are Solved

N/A

# Additional Changes

N/A

# Additional Context

N/A

Co-authored-by: Fabi <fabienne@zitadel.com>
2024-06-12 11:14:14 +00:00
Joakim Lodén
1d13d41139
fix: remove duplicate otel span processors (#8104) 2024-06-12 10:18:48 +00:00
Livio Spring
931a6c7cce
perf(authZ): improve oidc session check (#8091)
# Which Problems Are Solved

Access token checks make sure that there have not been any termination
events (user locked, deactivated, signed out, ...) in the meantime. This
events were filtered based on the creation date of the last session
event, which might cause latency issues in the database.

# How the Problems Are Solved

- Changed the query to use `position` instead of `created_at`.
- removed `AwaitOpenTransactions`

# Additional Changes

Added the `position` field to the `ReadModel`.

# Additional Context

- relates to #8088
- part of #7639
- backport to 2.53.x
2024-06-12 09:11:36 +00:00
Livio Spring
448f8f2c11
fix(oauth2): correctly return an error on client_credentials and jwt_profile (#8092)
# Which Problems Are Solved

When an error occurred during the oidc session creation from
client_credentials or jwt_profile, the error was ignored.

# How the Problems Are Solved

Return the error.

# Additional Changes

None.

# Additional Context

- relates to #7822 
- noticed internally
- backport to 2.53.x
2024-06-12 06:42:50 +00:00
Livio Spring
b6c10c4c83
fix: consider oidc session events for authN milestones (#8089)
# Which Problems Are Solved

After migrating the access token events in #7822, milestones based on
authentication, resp. theses events would not be reached.

# How the Problems Are Solved

Additionally use the `oidc_session.Added` event to check for
`milestone.AuthenticationSucceededOnInstance` and
`milestone.AuthenticationSucceededOnApplication`.

# Additional Changes

None.

# Additional Context

- relates to #7822 
- noticed internally
2024-06-12 06:49:14 +02:00
mffap
b42a3ad309
docs(manage): update terraform provider (#8102)
# Which Problems Are Solved

Terraform provider docs without introcution and "here" links were hard
to search for.

# How the Problems Are Solved

Updated docs page

# Additional Changes

changed the slug for more clarity and added a redirect
2024-06-11 13:01:10 +02:00