# Which Problems Are Solved
Actions v2 is no longer gated behind a feature flag, the `include` functionality on executions is unused, and the JSON tags of proto messages are handled incorrectly.
# How the Problems Are Solved
- Remove actions from the feature flags on system and instance level
- Remove include type on executions, only in the API, later maybe in the
handling logic as well
- Use protojson in request and response handling of actions v2
# Additional Changes
- Correct integration tests for request and response handling
- Use json.RawMessage for events, so that the event payload is not
base64 encoded
- Added a separate context for async webhook calls, so that executions are not cancelled when they are invoked asynchronously
# Additional Context
Related to #9759
Closes #9710
---------
Co-authored-by: Livio Spring <livio.a@gmail.com>
(cherry picked from commit b8ba7bd5ba)
syntax = "proto3";
package zitadel.feature.v2;
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/object/v2/object.proto";
import "zitadel/feature/v2/feature.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
// Request to set feature flags on the instance level.
//
// Every flag is declared `optional`, so the message carries explicit presence:
// a client can distinguish "not sent" from an explicit `false`. Presumably an
// unset field leaves the instance's current value untouched — verify against
// the command handler, which is not part of this file.
//
// Security note: several flags below widen the attack surface or change an
// authorization/authentication code path (token exchange, parent-error
// exposure, legacy introspection, permission check v2). Each one carries a
// per-field note; treat enabling them as a reviewed change, not a toggle.
message SetInstanceFeaturesRequest{
  // Field 6 / "actions" was removed: Actions v2 is no longer feature-gated.
  // Both the number and the name are reserved so that a future field can
  // neither inherit wire data sent by old clients nor reuse the JSON key.
  reserved 6;
  reserved "actions";

  // Use the default organization's login settings when no org context is set.
  optional bool login_default_org = 1 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "The login UI will use the settings of the default org (and not from the instance) if no organization context is set";
    }
  ];

  // Consistency workaround for introspection: triggers projections on each
  // request at a performance cost. Slated for removal per the description.
  optional bool oidc_trigger_introspection_projections = 2 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
    }
  ];

  // Rollback switch to the pre-refactor introspection implementation.
  // NOTE(review): a legacy path kept only for rollback is unlikely to get the
  // same scrutiny as the current one; keep this disabled unless a regression
  // is confirmed, and raise an issue as the description asks.
  optional bool oidc_legacy_introspection = 3 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
    }
  ];

  // Enables the early-stage User Schema API.
  optional bool user_schema = 4 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
    }
  ];

  // Enables the OAuth 2.0 Token Exchange grant (RFC 8693) on the token
  // endpoint. Security note: exchange can impersonate other users. Per the
  // description this flag only makes the grant type available; impersonation
  // is additionally gated by the instance security policy. Review both
  // controls together before enabling.
  optional bool oidc_token_exchange = 5 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Enable the experimental `urn:ietf:params:oauth:grant-type:token-exchange` grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.";
    }
  ];

  // Selects execution paths with performance improvements. Input is validated:
  // entries must be unique and each must be a defined enum value other than
  // the zero value.
  repeated ImprovedPerformance improved_performance = 7 [
    (validate.rules).repeated.unique = true,
    (validate.rules).repeated.items.enum = {defined_only: true, not_in: [0]},
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "[1]";
      description: "Improves performance of specified execution paths.";
    }
  ];

  // Enables the webkey/v3alpha API. The first enable generates and activates
  // web keys (per the description). NOTE(review): presumably the generated key
  // material persists after the flag is disabled again — confirm before
  // toggling this in production.
  optional bool web_key = 8 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Enable the webkey/v3alpha API. The first time this feature is enabled, web keys are generated and activated.";
    }
  ];

  // Returns internal parent errors to OIDC clients. Security note: this is an
  // information-disclosure risk (the description states parent errors may
  // contain sensitive data or system details). Enable only for a bounded
  // debugging window and disable afterwards.
  optional bool debug_oidc_parent_error = 9 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Return parent errors to OIDC clients for debugging purposes. Parent errors may contain sensitive data or unwanted details about the system status of zitadel. Only enable if really needed.";
    }
  ];

  // Allows terminating a single v1 login session via an id_token_hint whose
  // id_token carries a `sid` claim on the end_session endpoint.
  optional bool oidc_single_v1_session_termination = 10 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
    }
  ];

  // Suppresses the user.token.v2.added meta-event for performance.
  // NOTE(review): if that event feeds any audit log or detection pipeline,
  // enabling this removes that signal — confirm downstream consumers first.
  optional bool disable_user_token_event = 11 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
    }
  ];

  // Enables OIDC Back-Channel Logout notifications to applications.
  optional bool enable_back_channel_logout = 12 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
    }
  ];

  // Forces a login UI for all users and applications. Message-typed, hence
  // no OpenAPI `example` unlike the bool flags above.
  optional LoginV2 login_v2 = 13 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      description: "Specify the login UI for all users and applications regardless of their preference.";
    }
  ];

  // Switches v2/v3 resource-based APIs to a newer permission check.
  // NOTE(review): this changes the authorization code path; validate that
  // deny decisions are unchanged (not only that allow decisions still work)
  // before enabling broadly.
  optional bool permission_check_v2 = 14 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Enable a newer, more performant, permission check used for v2 and v3 resource based APIs.";
    }
  ];

  // Makes the console use the User v2 API for certain calls.
  optional bool console_use_v2_user_api = 15 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "If this is enabled the console web client will use the new User v2 API for certain calls";
    }
  ];
}
// Response of SetInstanceFeatures. Carries only the object details of the
// written change; the effective flags must be read back with GetInstanceFeatures.
message SetInstanceFeaturesResponse {
  // Change details (sequence, timestamps, resource owner) of the written
  // feature set, as defined in zitadel/object/v2/object.proto.
  zitadel.object.v2.Details details = 1;
}
// Request to reset all instance-level feature flags. Deliberately empty so
// fields can be added later without breaking the RPC signature.
// NOTE(review): there is no confirmation or selector field — a single call
// resets every flag; presumably the RPC is guarded by permissions at the
// service layer, which is not visible in this file.
message ResetInstanceFeaturesRequest {}
// Response of ResetInstanceFeatures.
message ResetInstanceFeaturesResponse {
  // Change details of the reset, as defined in zitadel/object/v2/object.proto.
  zitadel.object.v2.Details details = 1;
}
// Request to read the instance-level feature flags.
message GetInstanceFeaturesRequest {
  // Whether unset flags are resolved recursively from the ancestors up to the
  // system defaults. Plain proto3 bool (implicit presence): omitting the field
  // is the same as `false`, i.e. no inheritance. With `false`, an unset flag
  // is omitted from the response, and Not Found is returned when the instance
  // has no flags at all (per the description).
  bool inheritance = 1 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Inherit unset features from the resource owners. This option is recursive: if the flag is set, the resource's ancestors are consulted up to system defaults. If this option is disabled and the feature is not set on the instance, it will be omitted from the response or Not Found is returned when the instance has no features flags at all.";
    }
  ];
}
// Response of GetInstanceFeatures. Each flag is wrapped in a FeatureFlag
// (from zitadel/feature/v2/feature.proto) rather than a bare bool, so the
// response can report the value together with its source when inheritance
// is requested. Field numbers are shifted by one relative to
// SetInstanceFeaturesRequest because `details` occupies 1 here.
message GetInstanceFeaturesResponse {
  // Field 7 / "actions" was removed (Actions v2 is no longer feature-gated);
  // number and name are reserved so neither can be reused.
  reserved 7;
  reserved "actions";

  // Change details of the current feature set.
  zitadel.object.v2.Details details = 1;

  // Use the default organization's login settings when no org context is set.
  FeatureFlag login_default_org = 2 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "The login UI will use the settings of the default org (and not from the instance) if no organization context is set";
    }
  ];

  // Consistency workaround for introspection; costs performance.
  FeatureFlag oidc_trigger_introspection_projections = 3 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
    }
  ];

  // Rollback switch to the legacy introspection implementation.
  FeatureFlag oidc_legacy_introspection = 4 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
    }
  ];

  // Early-stage User Schema API.
  FeatureFlag user_schema = 5 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
    }
  ];

  // Token Exchange grant (RFC 8693). Security note: can impersonate other
  // users; impersonation is additionally gated by the instance security
  // policy per the description.
  FeatureFlag oidc_token_exchange = 6 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Enable the experimental `urn:ietf:params:oauth:grant-type:token-exchange` grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.";
    }
  ];

  // Selected execution paths with performance improvements (message-typed
  // wrapper around the repeated enum used in the request).
  ImprovedPerformanceFeatureFlag improved_performance = 8 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "[1]";
      description: "Improves performance of specified execution paths.";
    }
  ];

  // webkey/v3alpha API; first enable generates and activates web keys.
  FeatureFlag web_key = 9 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Enable the webkey/v3alpha API. The first time this feature is enabled, web keys are generated and activated.";
    }
  ];

  // Security note: when reported as enabled, internal error details are being
  // returned to OIDC clients (information disclosure). Operators should treat
  // a `true` here as a finding unless a debugging session is in progress.
  FeatureFlag debug_oidc_parent_error = 10 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Return parent errors to OIDC clients for debugging purposes. Parent errors may contain sensitive data or unwanted details about the system status of zitadel. Only enable if really needed.";
    }
  ];

  // Single v1 session termination via `sid` in id_token_hint.
  FeatureFlag oidc_single_v1_session_termination = 11 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "If the flag is enabled, you'll be able to terminate a single session from the login UI by providing an id_token with a `sid` claim as id_token_hint on the end_session endpoint. Note that currently all sessions from the same user agent (browser) are terminated in the login UI. Sessions managed through the Session API already allow the termination of single sessions.";
    }
  ];

  // user.token.v2.added meta-event suppressed when enabled — audit/detection
  // consumers of that event lose the signal.
  FeatureFlag disable_user_token_event = 12 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "Do not push user token meta-event user.token.v2.added to improve performance on many concurrent single (machine-)user logins";
    }
  ];

  // OIDC Back-Channel Logout notifications.
  FeatureFlag enable_back_channel_logout = 13 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "If the flag is enabled, you'll be able to use the OIDC Back-Channel Logout to be notified in your application about terminated user sessions.";
    }
  ];

  // Forced Login V2 for all users. NOTE(review): the OpenAPI `example: "true"`
  // is inherited from the bool flags, but this field is message-typed
  // (LoginV2FeatureFlag, defined in feature.proto); the request-side `login_v2`
  // carries no example for that reason. Consider dropping or replacing it.
  LoginV2FeatureFlag login_v2 = 14 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "If the flag is set, all users will be redirected to the login V2 regardless of the application's preference.";
    }
  ];

  // Newer permission check for v2/v3 APIs (authorization code path).
  // NOTE(review): the only FeatureFlag field here without an OpenAPI
  // `example: "true"`; its request-side counterpart has one.
  FeatureFlag permission_check_v2 = 15 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      description: "Enable a newer, more performant, permission check used for v2 and v3 resource based APIs.";
    }
  ];

  // Console uses the User v2 API for certain calls.
  FeatureFlag console_use_v2_user_api = 16 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "If this is enabled the console web client will use the new User v2 API for certain calls";
    }
  ];
}