Removes manual schema and application name setup via raw SQL and
switches to using River’s built-in schema configuration.
# Which Problems Are Solved
River provides a configuration flag to set the schema of the queue.
Zitadel sets the schema through database statements which is not needed
anymore.
# How the Problems Are Solved
Set the schema in the river configuration and removed old code
(cherry picked from commit b5f97d64b0)
<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->
# Which Problems Are Solved
Don't show the external IdP section, if none are configured.
# How the Problems Are Solved
- Checks if the length of `identityProviders` is non-empty.
# Additional Changes
- Added 2 additional null-checks for `identityProviders`
# Additional Context
- Closes#10401
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit a718267191)
# Which Problems Are Solved
When a user with an `ORG_PROJECT_CREATOR` role tries to create a
project, the request fails with `No matching permissions found
(AUTH-AWfge)` error. This is because `project.write` was set as the
required permission instead of `project.create` during project creation.
# How the Problems Are Solved
By setting the right required permission (`project.create`) while
creating new projects.
# Additional Changes
N/A
# Additional Context
- Closes#10399
(cherry picked from commit 0929c4d235)
# Which Problems Are Solved
The new login UI user case sensitive matching for usernames and email
addresses. This is different from the v1 login and not expected by
customers, leading to not found user errors.
# How the Problems Are Solved
The user search is changed to case insensitive matching.
# Additional Changes
None
# Additional Context
- reported by a customer
- requires backport to 4.x
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit 0318edcd3b)
This PR fixes an issue where a user was not redirected to an IDP
correctly if the user has entered the loginname and has an IDP as single
auth method
(cherry picked from commit a48cacfb02)
# Which Problems Are Solved
Currently, the prometheus endpoint metrics contain otel specific labels
that increase the overall metric size to the point that the exemplar
implementation in the underlying prom exporter library throws an error,
see https://github.com/zitadel/zitadel/issues/10047. The MaxRuneSize for
metric refs in exemplars is 128 and many of metrics cross this because
of `otel_scope_name`.
# How the Problems Are Solved
This change drops those otel specific labels on the prometheus exporter:
`otel_scope_name` and `otel_scope_version`
Current metrics example:
```
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_version="0.53.0",le="0"} 0
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_version="0.53.0",le="5"} 100
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",otel_scope_name="go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp",otel_scope_version="0.53.0",le="10"} 100
...
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/ListIAMMemberRoles",otel_scope_name="",otel_scope_version="",return_code="200"} 3
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/ListIAMMembers",otel_scope_name="",otel_scope_version="",return_code="200"} 3
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/ListMilestones",otel_scope_name="",otel_scope_version="",return_code="200"} 1
```
New example:
```
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",le="10"} 8
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",le="25"} 8
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",le="50"} 9
http_server_duration_milliseconds_bucket{http_method="GET",http_status_code="200",le="75"} 9
...
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/GetSupportedLanguages",return_code="200"} 1
grpc_server_grpc_status_code_total{grpc_method="/zitadel.admin.v1.AdminService/ListMilestones",return_code="200"} 1
grpc_server_grpc_status_code_total{grpc_method="/zitadel.auth.v1.AuthService/GetMyLabelPolicy",return_code="200"} 3
```
# Additional Changes
None
# Additional Context
From my understanding, this change is fully spec compliant with
Prometheus and Otel:
*
https://opentelemetry.io/docs/specs/otel/compatibility/prometheus_and_openmetrics/#instrumentation-scope
However, these tags were originally added as optional labels to
disambiguate metrics. But I'm not sure we need to care about that right
now? My gut feeling is that exemplar support (the ability for traces to
reference metrics) would be a preferable tradeoff to this label
standard.
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
(cherry picked from commit 532932ef94)
# Which Problems Are Solved
The PR ensures that the `console_dependencies` Make recipe installs all
dependencies needed to build the console. This makes for example `make
compile` work again.
# How the Problems Are Solved
- For the current pnpm version 10, dependency overrides must be moved
from the package.json to the pnpm-workspace.yaml.
- The syntax for selecting a pnpm package and its workspace dependencies
is fixed.
# Additional Context
- Closes https://github.com/zitadel/zitadel/issues/10435
---------
Co-authored-by: Marco A. <marco@zitadel.com>
(cherry picked from commit 0dffb27fcf)
# Which Problems Are Solved
It should not be possible to start 2 projections with the same name.
If this happens, it can cause issues with the event store such as events
being skipped/unprocessed and can be very hard/time-consuming to
diagnose.
# How the Problems Are Solved
A check was added to make sure no 2 projections have the same table
Closes https://github.com/zitadel/zitadel/issues/10453
---------
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
(cherry picked from commit 10bd747105)
# Which Problems Are Solved
The login integration action page load in the idp test times out
sometimes.
Also, the debug steps fail, which cause confusion about why the pipeline
check failed.
# How the Problems Are Solved
- We retry failed tests twice, which should alleviate flakiness because
of eventual consistency. This is fine for now, because typically, a user
doesn't send input as fast as the tests do.
- The compose file path is fixed.
- ~~As suggested in the cypress error logs, we increase the
pageLoadTimeout.~~ The increased pageLoadTimeout didn't help.
# Additional Context
- Example of a failing check:
https://github.com/zitadel/zitadel/actions/runs/16829948857/attempts/1
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Max Peintner <max@caos.ch>
(cherry picked from commit c5080463aa)
# Which Problems Are Solved
Updates the pnpm lockfile for the login repo.
# How the Problems Are Solved
Used the login dev container and ran `pnpm i`
# Additional Context
From this branch, `make login_push
LOGIN_REMOTE_BRANCH=mirror-zitadel-repo` was executed to sync the login
code with https://github.com/zitadel/typescript/pull/573
Co-authored-by: Max Peintner <max@caos.ch>
(cherry picked from commit b02a68f7cf)
# Which Problems Are Solved
When searching for an existing external userID from an IdP response, the
comparison is case sensitive. This can lead to issues esp. when using
SAML, since the `NameID`'s value case could change. The existing user
would not be found and the login would try to create a new one, but fail
since the uniqueness check of IdP ID and external userID is not case
insensitive.
# How the Problems Are Solved
Search case insensitive for external useriDs.
# Additional Changes
None
# Additional Context
- closes#10457, #10387
- backport to v3.x
(cherry picked from commit 4630b53313)
# Which Problems Are Solved
When `Permission Check V2` is enabled, calls to the `ListPasskeys` and
`ListAuthenticationFactors` APIs fail with the following error:
```
ERROR: missing FROM-clause entry for table "users14"
```
# How the Problems Are Solved
By using the right UserID column
(`projections.user_auth_methods5.user_id`) in the permission clause in
the `userAuthMethod` query
# Additional Changes
N/A
# Additional Context
- Closes#10386
(cherry picked from commit 45cc6e9bb1)
# Which Problems Are Solved
User information in the context is necessary through the addition of the
resource based API endpoints for user metadata, for the permission
check.
# How the Problems Are Solved
Add user information to the action execution to add metadata to users.
# Additional Changes
None
# Additional Context
Needs to be added to v4 releases, to provide the functionality to add
metadata through actions v1 and actions v2 functions.
Co-authored-by: Marco A. <marco@zitadel.com>
(cherry picked from commit 1579bbc8db)
Adjust status checks across various functions to accept any 2xx HTTP
response instead of only 200, improving the robustness of the API
response validation.
fixes#10436
(cherry picked from commit f13529b31f)
# Which Problems Are Solved
The current handling of event subscriptions for actions is bad, esp. on
instances with a lot of events
(https://github.com/zitadel/zitadel/issues/9832#issuecomment-2866236414).
This led to severe problems on zitadel.cloud for such instances.
# How the Problems Are Solved
As a workaround until the handling can be improved, we introduce an
option for projections to be disabled completely for specific instances:
`SkipInstanceIDs`
# Additional Changes
None
# Additional Context
- relates to https://github.com/zitadel/zitadel/issues/9832
(cherry picked from commit 67efddcbc6)
Querying an organization by id allowed to trigger the org projection.
This could lead to performance impacts if the projection gets triggered
too often.
Instead of executing the trigger the organization by id query is now
always executed on the eventstore and reduces all event types required
of the organization requested.
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
# Which Problems Are Solved
Fields table entry is not removed when removing instance domain.
# How the Problems Are Solved
Remove the fields entry, instead of setting it.
# Additional Changes
None
# Additional Context
Needs to be backported to v3.x
# Which Problems Are Solved
Flakiness in integration tests regarding gofakeit functions, which
provided the same names on 2 different occasions.
# How the Problems Are Solved
Attach a random string to the provided names, so that they are not
dependent on the gofakeit code.
# Additional Changes
None
# Additional Context
None
---------
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
The deletion of expired sessions does not go through even though a
success response is returned to the user. These expired and supposedly
deleted (to the user) sessions are then returned when the `ListSessions`
API is called.
This PR fixes this issue by:
1. Allowing deletion of expired sessions
2. Providing an `expiration_date` filter in `ListSession` API to filter
sessions by expiration date
# How the Problems Are Solved
1. Remove expired session check during deletion
2. Add an `expiration_date` filter to the `ListSession` API
# Additional Changes
N/A
# Additional Context
- Closes#10045
---------
Co-authored-by: Marco A. <marco@zitadel.com>
## Problem
The mat-icon-button in the actions flow-type section had a shrinking
hover background. The hover effect was not displaying properly and
appeared constrained.
## Root Cause
The margin rules were being applied to all `span` elements, including
the Material button's internal elements (like `.mat-mdc-button-label`),
which interfered with the button's hover background positioning.
## Solution
- Changed the span selector from `span` to `> span` to target only
direct children
- Added specific margin reset for the button (`margin-right: 0`)
- Added margin reset for the icon inside the button
- This allows the Material button to use its default hover behavior
## Testing
- [x] No visual regressions in text spacing or layout
- [x] Button hover background now displays as a proper circle
- [x] Other buttons on the page remain unaffected
- [x] Matches the behavior of working buttons in trigger sections
## Type of Change
- [x] Bug fix (non-breaking change which fixes an UI issue)
Before :
<img width="427" height="411" alt="Screenshot 2025-07-15 at 6 08 35 PM"
src="https://github.com/user-attachments/assets/f728e1fa-6711-4e8b-ba24-2a84329f50d7"
/>
After fix :
<img width="406" height="404" alt="Screenshot 2025-07-15 at 6 09 36 PM"
src="https://github.com/user-attachments/assets/27d7b08d-684d-4094-8334-844a4e459025"
/>
Fixes hover background issue in actions flow-type section.
---------
Co-authored-by: Saurabh Thapliyal <saurabh@southguild.tech>
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
Login integration tests are not executed in the pipeline
# How the Problems Are Solved
The login integration tests are fixed and added as a pipeline workflow.
It tests against the built login docker image.
On pipeline failures, developers are guided on how to fix them using a
dev container configured for this purpose.
# Additional Changes
- email domains are replaced by example.com. In case the tests were
accidentally run against a cloud instance, it wouldn't cause bounces.
- pnpm is upgraded, because the --filter argument doesn't work for the
install command on the old version.
- The login Dockerfile is optimized for docker image builds
# Additional Changes From Review for
https://github.com/zitadel/zitadel/pull/10305
These changes were requested from @peintnermax
- The base dev container starts without any services besides the
database and the dev container itself
- CONTRIBUTING.md is restructured
- To reproduce pipeline checks, only the devcontainer CLI and Docker are
needed. This is described in the CONTRIBUTING.md
- The convenience npm script "generate" is added
# Additional Context
- Follow-up for PR https://github.com/zitadel/zitadel/pull/10305
- Base for https://github.com/zitadel/zitadel/issues/10277
# Which Problems Are Solved
There is an outstanding bug wherein a session projection can fail to
complete and an session OTP challenge is blocked because the projection
doesn't exist. Not sure why the session projection can fail to persist -
I can't find any error logs or failed events to crosscheck. However, I
can clearly see the session events persisted with user/password checks
and the OTP challenged added on the session - but no session projection
on sessions8 table.
This only seems to come up under somewhat higher loads - about 5
logins/s and only for about 1% of cases. (where a "login" is:
authRequest, createSession, getAuthCodeWithSession, tokenExchange, and
finally, otpSmsChallenge...💥).
# How the Problems Are Solved
This is only half a fix, but an important one as it can block login for
affected users. Instead of triggering and checking the session
projection on notification enqueuing, build a write model directly from
the ES.
# Additional Changes
# Additional Context
This doesn't touch the "legacy" notification handler as to limit the
blast radius of this change. But might be worth adding there too.
The test is difficult to update correctly so is somewhat incomplete. Any
suggestions for refactoring or test helpers I'm missing would be
welcome.
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
# Which Problems Are Solved
This pr disables the client id in oidc configuration in console, as
mentioned in #10149.
# How the Problems Are Solved
I re-disabled the field from inside the form.
# Additional Context
- Closes#10149.
- Closes#8530
# Which Problems Are Solved
In the SAML responses from some IDPs (e.g. ADFS and Shibboleth), the
`<NameID>` part could be missing in `<Subject>`, and in some cases, the
`<Subject>` part might be missing as well. This causes Zitadel to fail
the SAML login with the following error message:
```
ID=SAML-EFG32 Message=Errors.Intent.ResponseInvalid
```
# How the Problems Are Solved
This is solved by adding a workaround to accept a transient mapping
attribute when the `NameID` or the `Subject` is missing in the SAML
response. This requires setting the custom transient mapping attribute
in the SAML IDP config in Zitadel, and it should be present in the SAML
response as well.
<img width="639" height="173" alt="image"
src="https://github.com/user-attachments/assets/cbb792f1-aa6c-4b16-ad31-bd126d164eae"
/>
# Additional Changes
N/A
# Additional Context
- Closes#10251
# Which Problems Are Solved
Not all NPM packages are excluded from go linting.
# How the Problems Are Solved
Missing exclusions are added.
# Additional Context
Follows-up on #10331
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
# Which Problems Are Solved
With the introduction of the service ping, we'll send data from all
systems back to a central endpoint for analytics and getting insights
about usage. To make it visible what data is sent and provide the users
an easy way to opt-out, we need a small documentation to tell them what
and how.
# How the Problems Are Solved
Document the service ping including what data is sent and how to opt-out
or configure most important settings.
# Additional Changes
None
# Additional Context
relates to #9869
# Which Problems Are Solved
The load balancing compose example uses a dedicated service
`use-new-login` that gives the set up machine user the login role and
requires the v2 login using an instance feature. This is cumbersome and
unnecessary.
# How the Problems Are Solved
- A login client machine user is set up and the token is passed to the
login by using the environment variable ZITADEL_SERVICE_USER_TOKEN_FILE.
- The unnecessary service is removed
# Additional Changes
- Uses the static `MasterkeyNeedsToHave32Characters` master key.
- The load balancing example replaces the previous Docker Compose
example.
- The login uses `network_mode: service:zitadel` so it can access the
zitadel service in the docker network via localhost.
- Uses the docker provider for Traefik.
# Additional Context
- Complements https://github.com/zitadel/zitadel/pull/9496
- Partially closes https://github.com/zitadel/zitadel/issues/10016
- When we release, we should update the image tags to latest, for
example with [this PR](https://github.com/zitadel/zitadel/pull/10249).
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
# Which Problems Are Solved
The Actions v2beta API is not yet promoted to GA.
# How the Problems Are Solved
Promote Actions v2Beta API to Actions v2 API.
# Additional Changes
None
# Additional Context
None
# Which Problems Are Solved
The broken login image is fixed.
# How the Problems Are Solved
The most important learnings from
https://github.com/zitadel/zitadel/pull/10318 are applied:
- Path in entrypoint is fixed: `exec node /runtime/apps/login/server.js`
- .dockerignore is updated so CSS styles are built into the image
- `source: .` is passed to the docker-bake action. Without this,
docker-bake builds from a remote context, which seems to be slow and not
updated on new PR commits. Looks like the bake action uploads an
artifact that [conflicts with the compile
workflow](https://github.com/zitadel/zitadel/actions/runs/16620417216/job/47023478437).
Therefore, a pattern is added to the compile workflow so only relevant
artifacts are selected.
# Which Problems Are Solved
The documentation API regarding organization v2 beta is not up to date.
The documentation regarding SCIM v2 is not up to date.
# How the Problems Are Solved
- Deprecate the existing v2beta endpoints `CreateOrganization` and
`ListOrganizations` in favour of the v2 counterparst
- Remove the preview warning from SCIM v2 pages
# Additional Context
- Closes#10311 and #10310
---------
Co-authored-by: Marco Ardizzone <marco@zitadel.com>
# Which Problems Are Solved
#7573
# How the Problems Are Solved
Enabled mermaid support in the current version:
https://docusaurus.io/docs/next/markdown-features/diagrams
# Additional Changes
# Additional Context
test by adding to a page:
```mermaid
graph TD;
A-->B;
A-->C;
B-->D;
C-->D;
```
# Which Problems Are Solved
Building the login container in the pipeline without build layer caches
takes about 20 minutes.
# How the Problems Are Solved
We use cache-from and cache-to arguments to use the GitHub cache API.
Compare 1st and 2nd run [of this PRs
pipeline](https://github.com/zitadel/zitadel/actions/runs/16590808510/job/46927893304)
# Additional Context
- Follows up on #10343
# Which Problems Are Solved
[Permissions v2](https://github.com/zitadel/zitadel/issues/9972) is not
possible in the current implementation.
# How the Problems Are Solved
We remove Permissions v2 from project grants related API calls, to
alleviate this problems.
Resulting in some removals of testing, implementations and performance
impact
# Additional Changes
None
# Additional Context
None
# Which Problems Are Solved
There is no information contained in the context info sent to Actions
v2.
# How the Problems Are Solved
Add application information to the context information sent to Actions
v2, to give more information about the execution.
# Additional Changes
None
# Additional Context
Closes#9377
# Which Problems Are Solved
The OIDC session endpoint allows to pass a `id_token_hint` to identify
the session to terminate. In case the application is not able to pass
that, e.g. Console currently allows multiple sessions to be open, but
will only store the id_token of the current session, allowing to pass
the `logout_hint` to identify the user adds some new possibilities.
# How the Problems Are Solved
In case the end_session_endpoint is called with no `id_token_hint`, but
a `logout_hint` and the v2 login UI is configured, the information is
passed to the login UI also as `login_hint` parameter to allow the login
UI to determine the session to be terminated, resp. let the user decide.
# Additional Changes
Also added the `ui_locales` as parameter to handle and pass to the V2
login UI.
# Dependencies ⚠️
~These changes depend on https://github.com/zitadel/oidc/pull/774~
# Additional Context
closes#9847
---------
Co-authored-by: Marco Ardizzone <marco@zitadel.com>
Changed externalUser() to externalUser in external-authentication.md
file.
<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->
# Which Problems Are Solved
Replace this example text with a concise list of problems that this PR
solves.
For example:
- External Authentication documentation states that to retrieve the
external user in the post authentication flow, use externalUser().
However, it needs to be externalUser (the method).
# How the Problems Are Solved
Replace this example text with a concise list of changes that this PR
introduces.
For example:
- Changing externalUser() to externalUser in the
external-authentication.md file solves this issue.
# Additional Changes
Replace this example text with a concise list of additional changes that
this PR introduces, that are not directly solving the initial problem
but are related.
For example:
- No additional changes were made.
# Additional Context
Replace this example with links to related issues, discussions, discord
threads, or other sources with more context.
Use the Closing #issue syntax for issues that are resolved with this PR.
- Closes#9893
# Which Problems Are Solved
Actions v2beta API does not adhere to the [API
design](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md)
fully.
# How the Problems Are Solved
- Correct body usage for ListExecutions
- Correct REST path for ListTargets and ListExecutions
- Correct attribute names for ListTargetsResponse and
ListExecutionsResponse
# Additional Changes
- Remove unused object import.
# Additional Context
Closes#10138
---------
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
Since #10305 we have the following two files in `/apps/login`
- /apps/login/README.md
- /apps/login/readme.md
This confused case insensitive file systems, causing strange Git
behavior.
# How the Problems Are Solved
We remove the obsolete /apps/login/README.md file.
