ZITADEL - Identity infrastructure, simplified for you.
Go to file
Livio Spring 3c7d12834e
fix: prevent error reason leakage in case of IgnoreUnknownUsernames (#8372)
# Which Problems Are Solved

ZITADEL administrators can enable a setting called "Ignoring unknown
usernames" which helps mitigate attacks that try to guess/enumerate
usernames. If enabled, ZITADEL will show the password prompt even if the
user doesn't exist and report "Username or Password invalid".
Due to a implementation change to prevent deadlocks calling the
database, the flag would not be correctly respected in all cases and an
attacker would gain information if an account exist within ZITADEL,
since the error message shows "object not found" instead of the generic
error message.

# How the Problems Are Solved

- Proper check of the error using an error function / type and
`errors.Is`

# Additional Changes

None.

# Additional Context

- raised in a support request

Co-authored-by: Silvan <silvan.reusser@gmail.com>

(cherry picked from commit a1d24353db)
2024-07-31 15:56:20 +02:00
.codecov chore(codecov): make codecov configurable in repo (#40) 2020-04-08 07:37:24 +02:00
.devcontainer chore(deps): update all go deps (#7773) 2024-04-15 09:17:36 +00:00
.github chore: tag author in ready for review comment (#8009) 2024-05-24 18:45:06 +02:00
build merge main into next 2023-10-19 12:34:00 +02:00
cmd fix(init): add setting to enable durable locks on crdb (#7982) 2024-05-27 09:03:34 +00:00
console fix: sanitize output for email (#8373) 2024-07-31 15:33:22 +02:00
deploy/knative docs: fix knative docs (#7752) 2024-04-18 13:45:15 +00:00
docs fix(oidc): store requested response_mode (#8145) 2024-06-21 13:40:47 +02:00
e2e feat(console): add new step to activate SMTP provider (#7956) 2024-05-22 11:23:35 +02:00
internal fix: prevent error reason leakage in case of IgnoreUnknownUsernames (#8372) 2024-07-31 15:56:20 +02:00
load-test chore: init load tests (#7635) 2024-04-18 12:21:07 +03:00
openapi ci: improve performance (#5953) 2023-07-17 10:08:20 +02:00
pkg/grpc chore(build): update dependencies (#7606) 2024-03-22 07:10:34 +00:00
proto refactor(query): use new packages for org by id query (#7826) 2024-05-24 13:32:57 +02:00
statik fix(zitadel-image): refactor dockerfiles and gh action (#2027) 2021-07-27 14:34:56 +02:00
.dockerignore ci: improve performance (#5953) 2023-07-17 10:08:20 +02:00
.gitignore chore: init load tests (#7635) 2024-04-18 12:21:07 +03:00
.golangci.yaml chore(deps): update all go deps (#7773) 2024-04-15 09:17:36 +00:00
.releaserc.js create maintenance branch 2024-05-31 12:13:54 +02:00
buf.gen.yaml ci: improve performance (#5953) 2023-07-17 10:08:20 +02:00
buf.work.yaml chore(console): buf stub build (#5215) 2023-02-17 14:09:11 +00:00
changelog.config.js feat: Merge master (#1260) 2021-02-08 16:48:41 +01:00
CODE_OF_CONDUCT.md chore: rename docs links (#3668) 2022-05-20 14:32:06 +00:00
CONTRIBUTING.md fix: Unrecognized Authentication Type Error when SMTP LOGIN Auth method is required (#7761) 2024-04-30 07:31:07 +00:00
go.mod perf(import): do not check for existing grant ID (#8164) 2024-06-21 13:41:44 +02:00
go.sum fix(oidc): upgrade zitadel/oidc to allow scope without openid (#8109) 2024-06-13 13:56:00 +02:00
LICENSE chore: Update LICENSE (#1087) 2020-12-14 09:40:09 +01:00
main.go chore: test server for direct resource access 2023-04-24 20:40:31 +03:00
Makefile feat(crypto): use passwap for machine and app secrets (#7657) 2024-04-05 09:35:49 +00:00
README.md chore: Update readme with new features and links (#7798) 2024-04-18 19:48:29 +00:00
release-channels.yaml chore(stable): update to v2.48.5 (#8020) 2024-05-28 05:03:50 +00:00
SECURITY.md docs: rename instance settings to default settings (#7484) 2024-03-06 10:36:04 +00:00

Zitadel Logo Zitadel Logo

GitHub Workflow Status (with event) Dynamic YAML Badge GitHub contributors

Are you searching for a user management tool that is quickly set up like Auth0 and open source like Keycloak?

Do you have a project that requires multi-tenant user management with self-service for your customers?

Look no further — ZITADEL is the identity infrastructure, simplified for you.

We provide you with a wide range of out-of-the-box features to accelerate your project, including:

Multi-tenancy with team management
Secure login
Self-service
OpenID Connect
OAuth2.x
SAML2
LDAP
Passkeys / FIDO2
OTP
and an unlimited audit trail is there for you, ready to use.

With ZITADEL, you are assured of a robust and customizable turnkey solution for all your authentication and authorization needs.


🏡 Website 💬 Chat 📋 Docs 🧑‍💻 Blog 📞 Contact

Get started

👉 Quick Start Guide

Deploy ZITADEL (Self-Hosted)

Deploying ZITADEL locally takes less than 3 minutes. Go ahead and give it a try!

See all guides here

If you are interested to get professional support for your self-hosted ZITADEL please reach out to us!

Setup ZITADEL Cloud (SaaS)

If you want to experience a hands-free ZITADEL, you should use ZITADEL Cloud.

ZITADEL Cloud comes with a free tier, providing you with all the same features as the open-source version. Learn more about the pay-as-you-go pricing.

Example applications

Clone one of our example applications or deploy them directly to Vercel.

SDKs

Use our SDKs for your favorite language and framework.

Why choose ZITADEL

We built ZITADEL with a complex multi-tenancy architecture in mind and provide the best solution to handle B2B customers and partners. Yet it offers everything you need for a customer identity (CIAM) use case.

Features

Authentication

Multi-Tenancy

Integration

Self-Service

Deployment

Track upcoming features on our roadmap.

How To Contribute

Find details about how you can contribute in our Contribution Guide

Contributors

Made with contrib.rocks.

Showcase

Quick Start Guide

Secure a React Application using OpenID Connect Authorization Code with PKCE

Quick Start Guide

Login with Passkeys

Use our login widget to allow easy and secure access to your applications and enjoy all the benefits of Passkeys (FIDO 2 / WebAuthN):

Passkeys

Admin Console

Use Console or our APIs to setup organizations, projects and applications.

Console Showcase

Security

You can find our security policy here.

Technical Advisories are published regarding major issues with the ZITADEL platform that could potentially impact security or stability in production environments.

License

here are our exact licensing terms.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See our license for detailed information governing permissions and limitations on use.