# Which Problems Are Solved
With the introduction of the service ping, we'll send data from all
systems back to a central endpoint for analytics and getting insights
about usage. To make it visible what data is sent and provide the users
an easy way to opt-out, we need a small documentation to tell them what
and how.
# How the Problems Are Solved
Document the service ping including what data is sent and how to opt-out
or configure most important settings.
# Additional Changes
None
# Additional Context
relates to #9869
# Which Problems Are Solved
The load balancing compose example uses a dedicated service
`use-new-login` that gives the set up machine user the login role and
requires the v2 login using an instance feature. This is cumbersome and
unnecessary.
# How the Problems Are Solved
- A login client machine user is set up and the token is passed to the
login by using the environment variable ZITADEL_SERVICE_USER_TOKEN_FILE.
- The unnecessary service is removed
# Additional Changes
- Uses the static `MasterkeyNeedsToHave32Characters` master key.
- The load balancing example replaces the previous Docker Compose
example.
- The login uses `network_mode: service:zitadel` so it can access the
zitadel service in the docker network via localhost.
- Uses the docker provider for Traefik.
# Additional Context
- Complements https://github.com/zitadel/zitadel/pull/9496
- Partially closes https://github.com/zitadel/zitadel/issues/10016
- When we release, we should update the image tags to latest, for
example with [this PR](https://github.com/zitadel/zitadel/pull/10249).
---------
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
# Which Problems Are Solved
The Actions v2beta API is not yet promoted to GA.
# How the Problems Are Solved
Promote Actions v2Beta API to Actions v2 API.
# Additional Changes
None
# Additional Context
None
# Which Problems Are Solved
The broken login image is fixed.
# How the Problems Are Solved
The most important learnings from
https://github.com/zitadel/zitadel/pull/10318 are applied:
- Path in entrypoint is fixed: `exec node /runtime/apps/login/server.js`
- .dockerignore is updated so CSS styles are built into the image
- `source: .` is passed to the docker-bake action. Without this,
docker-bake builds from a remote context, which seems to be slow and not
updated on new PR commits. Looks like the bake action uploads an
artifact that [conflicts with the compile
workflow](https://github.com/zitadel/zitadel/actions/runs/16620417216/job/47023478437).
Therefore, a pattern is added to the compile workflow so only relevant
artifacts are selected.
# Which Problems Are Solved
The documentation API regarding organization v2 beta is not up to date.
The documentation regarding SCIM v2 is not up to date.
# How the Problems Are Solved
- Deprecate the existing v2beta endpoints `CreateOrganization` and
`ListOrganizations` in favour of the v2 counterparst
- Remove the preview warning from SCIM v2 pages
# Additional Context
- Closes#10311 and #10310
---------
Co-authored-by: Marco Ardizzone <marco@zitadel.com>
# Which Problems Are Solved
#7573
# How the Problems Are Solved
Enabled mermaid support in the current version:
https://docusaurus.io/docs/next/markdown-features/diagrams
# Additional Changes
# Additional Context
test by adding to a page:
```mermaid
graph TD;
A-->B;
A-->C;
B-->D;
C-->D;
```
# Which Problems Are Solved
Building the login container in the pipeline without build layer caches
takes about 20 minutes.
# How the Problems Are Solved
We use cache-from and cache-to arguments to use the GitHub cache API.
Compare 1st and 2nd run [of this PRs
pipeline](https://github.com/zitadel/zitadel/actions/runs/16590808510/job/46927893304)
# Additional Context
- Follows up on #10343
# Which Problems Are Solved
[Permissions v2](https://github.com/zitadel/zitadel/issues/9972) is not
possible in the current implementation.
# How the Problems Are Solved
We remove Permissions v2 from project grants related API calls, to
alleviate this problems.
Resulting in some removals of testing, implementations and performance
impact
# Additional Changes
None
# Additional Context
None
# Which Problems Are Solved
There is no information contained in the context info sent to Actions
v2.
# How the Problems Are Solved
Add application information to the context information sent to Actions
v2, to give more information about the execution.
# Additional Changes
None
# Additional Context
Closes#9377
# Which Problems Are Solved
The OIDC session endpoint allows to pass a `id_token_hint` to identify
the session to terminate. In case the application is not able to pass
that, e.g. Console currently allows multiple sessions to be open, but
will only store the id_token of the current session, allowing to pass
the `logout_hint` to identify the user adds some new possibilities.
# How the Problems Are Solved
In case the end_session_endpoint is called with no `id_token_hint`, but
a `logout_hint` and the v2 login UI is configured, the information is
passed to the login UI also as `login_hint` parameter to allow the login
UI to determine the session to be terminated, resp. let the user decide.
# Additional Changes
Also added the `ui_locales` as parameter to handle and pass to the V2
login UI.
# Dependencies ⚠️
~These changes depend on https://github.com/zitadel/oidc/pull/774~
# Additional Context
closes#9847
---------
Co-authored-by: Marco Ardizzone <marco@zitadel.com>
Changed externalUser() to externalUser in external-authentication.md
file.
<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->
# Which Problems Are Solved
Replace this example text with a concise list of problems that this PR
solves.
For example:
- External Authentication documentation states that to retrieve the
external user in the post authentication flow, use externalUser().
However, it needs to be externalUser (the method).
# How the Problems Are Solved
Replace this example text with a concise list of changes that this PR
introduces.
For example:
- Changing externalUser() to externalUser in the
external-authentication.md file solves this issue.
# Additional Changes
Replace this example text with a concise list of additional changes that
this PR introduces, that are not directly solving the initial problem
but are related.
For example:
- No additional changes were made.
# Additional Context
Replace this example with links to related issues, discussions, discord
threads, or other sources with more context.
Use the Closing #issue syntax for issues that are resolved with this PR.
- Closes#9893
# Which Problems Are Solved
Actions v2beta API does not adhere to the [API
design](https://github.com/zitadel/zitadel/blob/main/API_DESIGN.md)
fully.
# How the Problems Are Solved
- Correct body usage for ListExecutions
- Correct REST path for ListTargets and ListExecutions
- Correct attribute names for ListTargetsResponse and
ListExecutionsResponse
# Additional Changes
- Remove unused object import.
# Additional Context
Closes#10138
---------
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
Since #10305 we have the following two files in `/apps/login`
- /apps/login/README.md
- /apps/login/readme.md
This confused case insensitive file systems, causing strange Git
behavior.
# How the Problems Are Solved
We remove the obsolete /apps/login/README.md file.
# Which Problems Are Solved
- The previous monorepo in monorepo structure for the login app and its
related packages was fragmented, complicated and buggy.
- The process for building and testing the login container was
inconsistent between local development and CI.
- Lack of clear documentation as well as easy and reliable ways for
non-frontend developers to reproduce and fix failing PR checks locally.
# How the Problems Are Solved
- Consolidated the login app and its related npm packages by moving the
main package to `apps/login/apps/login` and merging
`apps/login/packages/integration` and `apps/login/packages/acceptance`
into the main `apps/login` package.
- Migrated from Docker Compose-based test setups to dev container-based
setups, adding support for multiple dev container configurations:
- `.devcontainer/base`
- `.devcontainer/turbo-lint-unit`
- `.devcontainer/turbo-lint-unit-debug`
- `.devcontainer/login-integration`
- `.devcontainer/login-integration-debug`
- Added npm scripts to run the new dev container setups, enabling exact
reproduction of GitHub PR checks locally, and updated the pipeline to
use these containers.
- Cleaned up Dockerfiles and docker-bake.hcl files to only build the
production image for the login app.
- Cleaned up compose files to focus on dev environments in dev
containers.
- Updated `CONTRIBUTING.md` with guidance on running and debugging PR
checks locally using the new dev container approach.
- Introduced separate Dockerfiles for the login app to distinguish
between using published client packages and building clients from local
protos.
- Ensured the login container is always built in the pipeline for use in
integration and acceptance tests.
- Updated Makefile and GitHub Actions workflows to use
`--frozen-lockfile` for installing pnpm packages, ensuring reproducible
installs.
- Disabled GitHub release creation by the changeset action.
- Refactored the `/build` directory structure for clarity and
maintainability.
- Added a `clean` command to `docks/package.json`.
- Experimentally added `knip` to the `zitadel-client` package for
improved linting of dependencies and exports.
# Additional Changes
- Fixed Makefile commands for consistency and reliability.
- Improved the structure and clarity of the `/build` directory to
support seamless integration of the login build.
- Enhanced documentation and developer experience for running and
debugging CI checks locally.
# Additional Context
- See updated `CONTRIBUTING.md` for new local development and debugging
instructions.
- These changes are a prerequisite for further improvements to the CI
pipeline and local development workflow.
- Closes#10276
<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->
# Which Problems Are Solved
Okta sends a random password in the request to create a user during SCIM
provisioning, irrespective of whether the `Sync Password` option is
enabled or disabled on Okta, and this password does not comply with the
default password complexity set in Zitadel. This PR adds a workaround to
create users without issues in such cases.
# How the Problems Are Solved
- A new metadata configuration called
`urn:zitadel:scim:ignorePasswordOnCreate` is added to the Machine User
that is used for provisioning
- During SCIM user creation requests, if the
`urn:zitadel:scim:ignorePasswordOnCreate` is set to `true` in the
Machine User's metadata, the password set in the create request is
ignored
# Additional Changes
# Additional Context
The random password is ignored (if set in the metadata) only during
customer creation. This change does not affect SCIM password updates.
- Closes#10009
---------
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
- Broken or incorrect links on the "SDK Examples" introduction page. The
links to the new client libraries section all reference the "java"
section. This fixes it.
# How the Problems Are Solved
- Fixed the links to ensure they correctly point to the relevant
sections in the documentation.
# Additional Changes
None.
# Additional Context
None.
This PR changes the cookie settings for the SAML post bindings. It sets
"secure": true and "SameSite" to "Strict" for production environments.
It removes the fallback serialization as we have proven this is not
required anymore.
# Which Problems Are Solved
The recently released client libraries were missing documentation, which
made it difficult for developers to understand and use the new features.
# How the Problems Are Solved
This pull request introduces the necessary documentation for the new
client libraries, covering their installation and basic usage.
# Additional Changes
None.
# Additional Context
This documentation supports the recent client library release.
- Turkish language support is added.
- Updated other language files to add Turkish selection.
# Which Problems Are Solved
- Zitadel was not supporting Turkish language. Now supporting.
# How the Problems Are Solved
- Turkish language files are added and updated other language files in
below paths to add Turkish support;
- /console/src/assets/i18n/
- /internal/api/ui/login/static/i18n
- /internal/notification/static/i18n
- /internal/static/i18n
# Additional Changes
- Made changes below files for codes/docs changes;
- /console/src/app/utils/language.ts
- /console/src/app/app.module.ts
- /docs/docs/guides/manage/customize/texts.md
- /internal/api/ui/login/static/templates/external_not_found_option.html
- /internal/query/v2-default.json
- /login/apps/login/src/lib/i18n.ts
---------
Co-authored-by: Marco A. <marco@zitadel.com>
# Which Problems Are Solved
- Role deletion or update API returns `404 Not Found` when the role key
contains a slash (`/`), even if URL encoded.
- This breaks management of hierarchical role keys like
`admin/org/reader`.
# How the Problems Are Solved
- Updated the HTTP binding in the protobuf definition for the affected
endpoints to use `{role_key=**}` instead of `{role_key}`.
- This change enables proper decoding and handling of slashes in role
keys as a single path variable.
# Additional Changes
None
# Additional Context
- Closes https://github.com/zitadel/zitadel/issues/9948
Co-authored-by: Masum Patel <patelmasum98@gmail.com>
Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
# Which Problems Are Solved
When adding 2 orgs with the same ID, you get a positive response from
the API, later when the org is projected, it errors due to the id
already in use
# How the Problems Are Solved
Check org with orgID specified does not already exist before adding
events
# Additional Changes
Added additional test case for adding same org with same name twice
# Additional Context
- Closes https://github.com/zitadel/zitadel/issues/10127
---------
Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>
# Which Problems Are Solved
The SAML session (v2 login) currently does not push a
`AuthenticationSucceededOnApplication` milestone upon successful SAML
login for the first time. The changes in this PR address this issue.
# How the Problems Are Solved
Add a new function to set the appropriate milestone, and call this
function after a successful SAML request.
# Additional Changes
N/A
# Additional Context
- Closes#9592
---------
Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
# Which Problems Are Solved
- Dependabot creates noisy PRs to the mirror repo zitadel/typescript.
# How the Problems Are Solved
- We mark the dependabot file as an example, effectively disabling
dependabot.
- For cases this isn't intuitive enough, we add a guiding sentence to
the README.md
- Dependabot for the login [is already enabled in the zitadel
repo](https://github.com/zitadel/zitadel/blob/main/.github/dependabot.yml#L25-L37).
# Additional Changes
- Updates the CONTRIBUTING.md with instructions about how to submit
changes related to the mirror repo.
- @stebenz please dismiss the relevant Vanta checks if necessary.
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
# Which Problems Are Solved
Action runs on PRs from forks can't authenticate at depot.
# How the Problems Are Solved
- The GitHub secret DEPOT_TOKEN is statically passed as env variable to
the steps that use the depot CLI, as described
[here](https://github.com/depot/setup-action#authentication).
- Removed the oidc argument from the depot/setup-action, as we pass the
env statically to the relevant steps.
- The `id-token: write` permission is removed from all workflows, as
it's not needed anymore.
# Additional Changes
Removed the obsolete comment
```yaml
# latest if branch is main, otherwise image version which is the pull request number
```
# Additional Context
Required by these approved PRs so their checks can be executed:
- https://github.com/zitadel/zitadel/pull/9982
- https://github.com/zitadel/zitadel/pull/9958
# Which Problems Are Solved
The session API allowed any authenticated user to update sessions by their ID without any further check.
This was unintentionally introduced with version 2.53.0 when the requirement of providing the latest session token on every session update was removed and no other permission check (e.g. session.write) was ensured.
# How the Problems Are Solved
- Granted `session.write` to `IAM_OWNER` and `IAM_LOGIN_CLIENT` in the defaults.yaml
- Granted `session.read` to `IAM_ORG_MANAGER`, `IAM_USER_MANAGER` and `ORG_OWNER` in the defaults.yaml
- Pass the session token to the UpdateSession command.
- Check for `session.write` permission on session creation and update.
- Alternatively, the (latest) sessionToken can be used to update the session.
- Setting an auth request to failed on the OIDC Service `CreateCallback` endpoint now ensures it's either the same user as used to create the auth request (for backwards compatibilty) or requires `session.link` permission.
- Setting an device auth request to failed on the OIDC Service `AuthorizeOrDenyDeviceAuthorization` endpoint now requires `session.link` permission.
- Setting an auth request to failed on the SAML Service `CreateResponse` endpoint now requires `session.link` permission.
# Additional Changes
none
# Additional Context
none
(cherry picked from commit 4c942f3477)
# Which Problems Are Solved
The latest merge on main corrupted some unit tests.
# How the Problems Are Solved
Fix them as intended on the PR.
# Additional Changes
None
# Additional Context
relates to
4c942f3477
# Which Problems Are Solved
When changes are pulled or pushed from or to a login repository, they
can't be merged to zitadel, because the commit histories differ.
# How the Problems Are Solved
Changed the commands to allow diverging commit histories.
Pulling takes a lot of commits into the zitadel repo branch like this.
This is fine, as we anyway squash-merge PRs to a single commit.
So we don't care about a branches commit history.
# Additional Changes
Added an exception to the close-pr.yml workflow so sync PRs are not
auto-closed.
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Florian Forster <florian@zitadel.com>
Co-authored-by: Max Peintner <peintnerm@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
# Which Problems Are Solved
Enhancing integration test for creating org; currently the test does not
check if the created org has the assigned custom id, this will resolve
this issue.
# Which Problems Are Solved
After changing some internal logic, which should have failed the
integration test, but didn't, I noticed that some integration tests were
never executed. The make command lists all `integration_test` packages,
but some are named `integration`
# How the Problems Are Solved
Correct wrong integration test package names.
# Additional Changes
None
# Additional Context
- noticed internally
- backport to 3.x and 2.x
# Which Problems Are Solved
Fixes issue when users would get an error message when attempting to
resend invitation code when logging in
# How the Problems Are Solved
Changing the permission check for looking for `org.write` to
`ommand.checkPermissionUpdateUser()`
# Additional Context
- Closes https://github.com/zitadel/zitadel/issues/10100
- backport to 3.x
# Which Problems Are Solved
The CORS handler for the new connectRPC handlers was missing, leading to
unhandled preflight requests and a unusable api for browser based calls,
e.g. cross domain gRPC-web requests.
# How the Problems Are Solved
- Added the http CORS middleware to the connectRPC handlers.
- Added `Grpc-Timeout`, `Connect-Protocol-Version`,`Connect-Timeout-Ms`
to the default allowed headers (this improves also the old grpc-web
handling)
- Added `Grpc-Status`, `Grpc-Message`, `Grpc-Status-Details-Bin` to the
default exposed headers (this improves also the old grpc-web handling)
# Additional Changes
None
# Additional Context
noticed internally while testing other issues
# Which Problems Are Solved
When an organization domain is verified, e.g. also when creating a new
organization (incl. generated domain), existing usernames are checked if
the domain has been claimed.
The query was not optimized for instances with many users and
organizations.
# How the Problems Are Solved
- Replace the query, which was searching over the users projection with
(computed loginnames) with a dedicated query checking the loginnames
projection directly.
- All occurrences have been updated to use the new query.
# Additional Changes
None
# Additional Context
- reported through support
- requires backport to v3.x
# Which Problems Are Solved
The close PR action currently fails because of unescaped backticks.
# How the Problems Are Solved
Backticks are escaped.
# Additional Changes
- Adding a login remote immediately fetches for better UX.
- Adding a subtree is not necessary, as it is already added in the repo.
- Fix and clarify PR migration steps.
- Add workflow dispatch event
# Which Problems Are Solved
When authenticating with email or phone number in the login V1, users
were not able to request a password reset and would be given a "User not
found" error.
This was due to a check of the loginname of the auth request, which in
those cases would not match the user's stored loginname.
# How the Problems Are Solved
Switch to a check of the resolved userID in the auth request. (We still
check the user again, since the ID might be a placeholder for an unknown
user and we do not want to disclose any information by omitting a check
and reduce the response time.)
# Additional Changes
None
# Additional Context
- reported through support
- requires backport to v3.x
