# Which Problems Are Solved

We are preparing to roll out and stabilize webkeys in the next version of Zitadel. Before removing legacy signing-key code, we must ensure all existing instances have their webkeys generated.

# How the Problems Are Solved

Add a setup step which generates 2 webkeys for each existing instance that didn't have webkeys yet.

# Additional Changes

Return an error from the config type-switch when the type is unknown.

# Additional Context

- Part 1/2 of zitadel/zitadel#10029
- Should be back-ported to v3

This pull request updates several dependencies in the `docs/package.json` file to their latest minor versions, ensuring compatibility and access to the latest features and fixes.

Dependency updates:

* Updated `@docusaurus/core`, `@docusaurus/faster`, `@docusaurus/preset-classic`, `@docusaurus/theme-mermaid`, and `@docusaurus/theme-search-algolia` from version `^3.8.0` to `^3.8.1` in the `dependencies` section.
* Updated `@docusaurus/module-type-aliases` and `@docusaurus/types` from version `^3.8.0` to `^3.8.1` in the `devDependencies` section.

Co-authored-by: Florian Forster <florian@zitadel>

# Which Problems Are Solved

As documentation is published from the main branch and the releases get created from another branch, they are not always correctly equal.

# How the Problems Are Solved

Remove the unnecessary changes in the documentation for now, and create a second PR which can then be used to update the documentation.

# Additional Changes

Correct integration tests which also use the endpoints.

# Additional Context

Closes #10083

---------

Co-authored-by: Fabienne Bühler <fabienne@zitadel.com>

…gration (#10118) Added a step-by-step guide for the Auth0 to Zitadel migration in preparation for the upcoming workshop.
# Which Problems Are Solved

Stabilize the optimized introspection code and cleanup unused code.

# How the Problems Are Solved

- `oidc_legacy_introspection` feature flag is removed and reserved.
- `OPStorage` which are no longer needed have their bodies removed.
- The method definitions need to remain in place so the interface remains implemented.
- A panic is thrown in case any such method is still called

# Additional Changes

- A number of `OPStorage` methods related to token creation were already unused. These are also cleaned up.

# Additional Context

- Closes #10027
- #7822

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

# Which Problems Are Solved

Stabilize the usage of webkeys.

# How the Problems Are Solved

- Remove all legacy signing key code from the OIDC API
- Remove the webkey feature flag from proto
- Remove the webkey feature flag from console
- Cleanup documentation

# Additional Changes

- Resolved some canonical header linter errors in OIDC
- Use the constant for `projections.lock` in the saml package.

# Additional Context

- Closes #10029
- After #10105
- After #10061

# Which Problems Are Solved

This PR *partially* addresses #9450. Specifically, it implements the resource based API for the apps. APIs for app keys ARE not part of this PR.

# How the Problems Are Solved

- `CreateApplication`, `PatchApplication` (update) and `RegenerateClientSecret` endpoints are now unique for all app types: API, SAML and OIDC apps.
- All new endpoints have integration tests
- All new endpoints are using permission checks V2

# Additional Changes

- The `ListApplications` endpoint allows to do sorting (see protobuf for details) and filtering by app type (see protobuf).
- SAML and OIDC update endpoint can now receive requests for partial updates

# Additional Context

Partially addresses #9450

# Which Problems Are Solved

Remove the feature flag that allowed triggers in introspection. This option was a fallback in case introspection would not function properly without triggers. The API documentation asked for anyone using this flag to raise an issue. No such issue was received, hence we concluded it is safe to remove it.

# How the Problems Are Solved

- Remove flags from the system and instance level feature APIs.
- Remove trigger functions that are no longer used
- Adjust tests that used the flag.

# Additional Changes

- none

# Additional Context

- Closes #10026
- Flag was introduced in #7356

---------

Co-authored-by: Silvan <27845747+adlerhurst@users.noreply.github.com>

Review finished for the account lockout policy.

Main changes:

- Revised wording
- Removed free account from the policy scope
- Fixed broken link to the support form in the customer portal

---------

Co-authored-by: Maximilian <mpa@zitadel.com>

# Which Problems Are Solved

The current user V2 API returns a `[]byte` containing a whole HTML document including the form on `StartIdentifyProviderIntent` for intents based on form post (e.g. SAML POST bindings). This is not usable for most clients as they cannot handle that and render a whole page inside their app. For redirect based intents, the url to which the client needs to redirect is returned.

# How the Problems Are Solved

- Changed the returned type to a new `FormData` message containing the url and a `fields` map.
- internal changes:
  - Session.GetAuth now returns an `Auth` interface and error instead of (content string, redirect bool)
  - Auth interface has two implementations: `RedirectAuth` and `FormAuth`
  - All use of the GetAuth function now type switch on the returned auth object
- A template has been added to the login UI to execute the form post automatically (as is).

# Additional Changes

- Some intent integration tests did not check the redirect url and were wrongly configured.

# Additional Context

- relates to #410

# Which Problems Are Solved

This PR *partially* addresses #9450. Specifically, it implements the resource based API for app keys. This PR, together with zitadel/zitadel#10077 completes #9450.

# How the Problems Are Solved

- Implementation of the following endpoints: `CreateApplicationKey`, `DeleteApplicationKey`, `GetApplicationKey`, `ListApplicationKeys`
- `ListApplicationKeys` can filter by project, app or organization ID. Sorting is also possible according to some criteria.
- All endpoints use permissions V2

# TODO

- [x] Deprecate old endpoints

# Additional Context

Closes #9450

# Which Problems Are Solved

We move the login code to the zitadel repo.

# How the Problems Are Solved

The login repo is added to ./login as a git subtree pulled from the dockerize-ci branch. Apart from the login code, this PR contains the changes from #10116

# Additional Context

- Closes #474
- Also merges #10116
- Merging is blocked by failing check because of:
  - zitadel/zitadel#10134 (comment)

---------

Co-authored-by: Max Peintner <peintnerm@gmail.com>
Co-authored-by: Max Peintner <max@caos.ch>
Co-authored-by: Florian Forster <florian@zitadel.com>

# Which Problems Are Solved

We provide a seamless way to initialize Zitadel and the login together.

# How the Problems Are Solved

Additionally to the `IAM_OWNER` role, a set up admin user also gets the `IAM_LOGIN_CLIENT` role if it is a machine user with a PAT.

# Additional Changes

- Simplifies the load balancing example, as the intermediate configuration step is not needed anymore.

# Additional Context

- Depends on #10116
- Contributes to zitadel/zitadel-charts#332
- Contributes to zitadel/zitadel#10016

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>

This PR ensures that the correct locale context is set for the new login
… API (#10150)

# Which Problems Are Solved

To prevent presenting unusable WebAuthN credentials to the user / browser, we filtered out all credentials, which do not match the requested RP ID. Since credentials set up through Login V1 and Console do not have an RP ID stored, they never matched. This was previously intended, since the Login V2 could be served on a separate domain. The problem is, that if it is hosted on the same domain, the credentials would also be filtered out and user would not be able to login.

# How the Problems Are Solved

Change the filtering to return credentials, if no RP ID is stored and the requested RP ID matches the instance domain.

# Additional Changes

None

# Additional Context

Noted internally when testing the login v2

This PR is still WIP and needs changes to at least the tests.

# Which Problems Are Solved

To be able to report analytical / telemetry data from deployed Zitadel systems back to a central endpoint, we designed a "service ping" functionality. See also zitadel/zitadel#9706. This PR adds the first implementation to allow collection base data as well as report amount of resources such as organizations, users per organization and more.

# How the Problems Are Solved

- Added a worker to handle the different `ReportType` variations.
- Schedule a periodic job to start a `ServicePingReport`
- Configuration added to allow customization of what data will be reported
- Setup step to generate and store a `systemID`

# Additional Changes

None

# Additional Context

relates to #9869

…gin/apps/login-test-acceptance/idp/oidc in the go_modules group across 1 directory (#10152)

Bumps the go_modules group with 1 update in the /login/apps/login-test-acceptance/idp/oidc directory: [github.com/go-chi/chi](https://github.com/go-chi/chi).

Updates `github.com/go-chi/chi/v5` from 5.2.1 to 5.2.2

Release notes, sourced from [github.com/go-chi/chi/v5's releases](https://github.com/go-chi/chi/releases):

> ## v5.2.2
>
> ## What's Changed
>
> - Use strings.Cut in a few places by [`@JRaspass`](https://github.com/JRaspass) in [go-chi/chi#971](https://redirect.github.com/go-chi/chi/pull/971)
> - Fix non-constant format strings in t.Fatalf by [`@JRaspass`](https://github.com/JRaspass) in [go-chi/chi#972](https://redirect.github.com/go-chi/chi/pull/972)
> - Apply fieldalignment fixes to optimize struct memory layout by [`@pixel365`](https://github.com/pixel365) in [go-chi/chi#974](https://redirect.github.com/go-chi/chi/pull/974)
> - go 1.24 by [`@pkieltyka`](https://github.com/pkieltyka) in [go-chi/chi#977](https://redirect.github.com/go-chi/chi/pull/977)
> - chore: delint ioutil usage by [`@costela`](https://github.com/costela) in [go-chi/chi#962](https://redirect.github.com/go-chi/chi/pull/962)
> - Fixed typo in Router interface definition by [`@mithileshgupta12`](https://github.com/mithileshgupta12) in [go-chi/chi#958](https://redirect.github.com/go-chi/chi/pull/958)
> - Add support for TinyGo by [`@efraimbart`](https://github.com/efraimbart) in [go-chi/chi#978](https://redirect.github.com/go-chi/chi/pull/978)
> - Exclude middleware/profiler.go in TinyGo, as there's no net/http/pprof pkg by [`@cxjava`](https://github.com/cxjava) in [go-chi/chi#982](https://redirect.github.com/go-chi/chi/pull/982)
> - Make use of strings.Cut by [`@scop`](https://github.com/scop) in [go-chi/chi#1005](https://redirect.github.com/go-chi/chi/pull/1005)
> - Change install command format to code block by [`@sglkc`](https://github.com/sglkc) in [go-chi/chi#1001](https://redirect.github.com/go-chi/chi/pull/1001)
> - Correct documentation by [`@mrdomino`](https://github.com/mrdomino) in [go-chi/chi#992](https://redirect.github.com/go-chi/chi/pull/992)
>
> ## Security fix
>
> - Fixes [GHSA-vrw8-fxc6-2r93](https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93) - "Host Header Injection Leads to Open Redirect in RedirectSlashes" [commit](https://github.com/go-chi/chi/commit/1be7ad938cc9c5b39a9dea01a5c518848928ab65)
>   - a lower-severity Open Redirect that can't be exploited in browser or email client, as it requires manipulation of a Host header
>   - reported by Anuraag Baishya, [`@anuraagbaishya`](https://github.com/anuraagbaishya). Thank you!
>
> ## New Contributors
>
> - [`@pixel365`](https://github.com/pixel365) made their first contribution in [go-chi/chi#974](https://redirect.github.com/go-chi/chi/pull/974)
> - [`@mithileshgupta12`](https://github.com/mithileshgupta12) made their first contribution in [go-chi/chi#958](https://redirect.github.com/go-chi/chi/pull/958)
> - [`@efraimbart`](https://github.com/efraimbart) made their first contribution in [go-chi/chi#978](https://redirect.github.com/go-chi/chi/pull/978)
> - [`@cxjava`](https://github.com/cxjava) made their first contribution in [go-chi/chi#982](https://redirect.github.com/go-chi/chi/pull/982)
> - [`@sglkc`](https://github.com/sglkc) made their first contribution in [go-chi/chi#1001](https://redirect.github.com/go-chi/chi/pull/1001)
> - [`@mrdomino`](https://github.com/mrdomino) made their first contribution in [go-chi/chi#992](https://redirect.github.com/go-chi/chi/pull/992)
>
> **Full Changelog**: <https://github.com/go-chi/chi/compare/v5.2.1...v5.2.2>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…158) This PR fixes an issue where the orQuery for phone and email was not correctly set.
# Which Problems Are Solved

Fixes the releasing of multi-architecture login images.

# How the Problems Are Solved

- The login-container workflow extends the bake definition with a file docker-bake-release.hcl which adds the platforms linux/arm and linux/amd to all relevant build targets. The used technique is similar to how the docker metadata action allows to extend the bake definitions.
- The local login tag is moved to the metadata bake target, which is always inherited and overwritten in the pipeline
- Packages write permission is added

# Additional Changes

- The MIT license is noted in container labels and annotations
- The Image is built from root so that the local proto files are used

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

# Which Problems Are Solved

Solve dependabot alerts for Go packages.

# How the Problems Are Solved

- Upgrade to latest github.com/zitadel/oidc, which already pulls the fixed version of chi.
- Upgrade mapstructure

# Additional Changes

- none

# Additional Context

- https://github.com/zitadel/zitadel/security/dependabot/323
- https://github.com/zitadel/zitadel/security/dependabot/324

…nterval (#10166)

# Which Problems Are Solved

The production endpoint of the service ping was wrong. Additionally we discussed in the sprint review, that we could randomize the default interval to prevent all systems to report data at the very same time and also require a minimal interval.

# How the Problems Are Solved

- fixed the endpoint
- If the interval is set to @daily (default), we generate a random time (minute, hour) as a cron format.
- Check if the interval is more than 30min and return an error if not.
- Fixed yaml indent on `ResourceCount`

# Additional Changes

None

# Additional Context

as discussed internally

# Which Problems Are Solved

The current maintained gRPC server in combination with a REST (grpc) gateway is getting harder and harder to maintain. Additionally, there have been and still are issues with supporting / displaying `oneOf`s correctly. We therefore decided to exchange the server implementation to connectRPC, which apart from supporting connect as protocol, also allows "standard" gRPC clients as well as HTTP/1.1 / rest like clients, e.g. curl, to directly call the server without any additional gateway.

# How the Problems Are Solved

- All v2 services are moved to connectRPC implementation. (v1 services are still served as pure grpc servers)
- All gRPC server interceptors were migrated / copied to a corresponding connectRPC interceptor.
- API.ListGrpcServices and API.ListGrpcMethods were changed to include the connect services and endpoints.
- gRPC server reflection was changed to a `StaticReflector` using the `ListGrpcServices` list.
- The `grpc.Server` interface was split into different combinations to be able to handle the different cases (grpc server and prefixed gateway, connect server with grpc gateway, connect server only, ...)
- Docs of services serving connectRPC only with no additional gateway (instance, webkey, project, app, org v2 beta) are changed to expose that
- since the plugin is not yet available on buf, we download it using `postinstall` hook of the docs

# Additional Changes

- WebKey service is added as v2 service (in addition to the current v2beta)

# Additional Context

closes #9483

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>

# Which Problems Are Solved

The commands for the resource based v2beta AuthorizationService API are added. Authorizations, previously known as user grants, give a user in a specific organization and project context roles. The project can be owned or granted. The given roles can be used to restrict access within the projects applications.

The commands for the resource based v2beta InternalPermissionService API are added. Administrators, previously known as memberships, give a user in a specific organization and project context roles. The project can be owned or granted. The given roles give the user permissions to manage different resources in Zitadel.

API definitions from zitadel/zitadel#9165 are implemented.

Contains endpoints for user metadata.

# How the Problems Are Solved

### New Methods

- CreateAuthorization
- UpdateAuthorization
- DeleteAuthorization
- ActivateAuthorization
- DeactivateAuthorization
- ListAuthorizations
- CreateAdministrator
- UpdateAdministrator
- DeleteAdministrator
- ListAdministrators
- SetUserMetadata to set metadata on a user
- DeleteUserMetadata to delete metadata on a user
- ListUserMetadata to query for metadata of a user

## Deprecated Methods

### v1.ManagementService

- GetUserGrantByID
- ListUserGrants
- AddUserGrant
- UpdateUserGrant
- DeactivateUserGrant
- ReactivateUserGrant
- RemoveUserGrant
- BulkRemoveUserGrant

### v1.AuthService

- ListMyUserGrants
- ListMyProjectPermissions

# Additional Changes

- Permission checks for metadata functionality on query and command side
- correct existence checks for resources, for example you can only be an administrator on an existing project
- combined all member tables to singular query for the administrators
- add permission checks for command and query side functionality
- combined functions on command side where necessary for easier maintainability

# Additional Context

Closes #9165

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Livio Spring <livio.a@gmail.com>

# Which Problems Are Solved

The unreleased new resource apis have been removed from the docs: zitadel/zitadel#10015

# How the Problems Are Solved

Add them to the docs sidenav again, since they're now released.

# Additional Changes

none

# Additional Context

none

---------

Co-authored-by: Fabienne <fabienne.gerschwiler@gmail.com>
Co-authored-by: Marco Ardizzone <marco@zitadel.com>

# Which Problems Are Solved

To generate the docs, we rely on a protoc plugin to generate an openAPI definition from connectRPC / proto. Since the plugin is not available on buf.build, we currently download the released version. As the tar contains a licence and a readme, this overwrote existing internal files.

# How the Problems Are Solved

Download and extract the plugin in a separate folder and update buf.gen.yaml accordingly.

# Additional Changes

None

# Additional Context

relates to #9483

This PR implements a SAML cookie which is used to save information to complete the form post. It is primarily used to avoid sending the information as url search params and therefore reducing its length.
This pull request enhances the documentation site configuration by introducing a new plugin and making minor adjustments to existing settings. The primary focus is on integrating the `@signalwire/docusaurus-plugin-llms-txt` plugin to improve content handling and adding relevant dependencies.

### Plugin Integration:

* [`docs/docusaurus.config.js`](diffhunk://#diff-28742c737e523f302e6de471b7fc27284dc8cf720be639e6afe4c17a550cd654R245-R255): Added the `@signalwire/docusaurus-plugin-llms-txt` plugin with configuration options, including a depth of 3, log level of 1, exclusion of certain routes, and enabling markdown file support.
* [`docs/package.json`](diffhunk://#diff-adfa337ce44dc2902621da20152a048dac41878cf3716dfc4cc56d03aa212a56R33): Included the `@signalwire/docusaurus-plugin-llms-txt` dependency (version `^1.2.0`) to support the new plugin integration.

### Configuration Adjustments:

* [`docs/docusaurus.config.js`](diffhunk://#diff-28742c737e523f302e6de471b7fc27284dc8cf720be639e6afe4c17a550cd654L221): Removed the `docItemComponent` property under the `module.exports` configuration.

…int (#10172)

# Which Problems Are Solved

1. The sorting columns in the gRPC endpoint `ListInstanceTrustedDomains()` are incorrect, and return the following error when invalid sorting options are chosen:

   ```
   Unknown (2) ERROR: missing FROM-clause entry for table "instance_domains" (SQLSTATE 42P01)
   ```

   The sorting columns that are valid to list `instance_trusted_domains` are

   * `trusted_domain_field_name_unspecified`
   * `trusted_domain_field_name_domain`
   * `trusted_domain_field_name_creation_date`

   However, the currently configured sorting columns are

   * `domain_field_name_unspecified`
   * `domain_field_name_domain`
   * `domain_field_name_primary`
   * `domain_field_name_generated`
   * `domain_field_name_creation_date`

   Configuring the actual columns of `instance_trusted_domains` makes this endpoint **backward incompatible**. Therefore, the fix in this PR is to no longer return an error when an invalid sorting column (non-existing column) is chosen and to sort the results by `creation_date` for invalid sorting columns.

2. This PR also fixes the `sorting_column` included in the responses of both `ListInstanceTrustedDomains()` and `ListInstanceDomains()` endpoints, as they now point to the default option irrespective of the chosen option in the request i.e.,

   * `TRUSTED_DOMAIN_FIELD_NAME_UNSPECIFIED` in case of `ListInstanceTrustedDomains()`, and
   * `DOMAIN_FIELD_NAME_UNSPECIFIED` in case of `ListInstanceDomains()`

# How the Problems Are Solved

* Map the sorting columns to valid columns of `instance_trusted_domain`
  - If the sorting column is not one of the columns, the mapping defaults to `creation_date`
* Set the `sorting_column` explicitly (from the request) in the `ListInstanceDomainsResponse` and `ListInstanceTrustedDomainsResponse`

# Additional Changes

A small fix to return the chosen `sorting_column` in the responses of the `ListInstanceTrustedDomains()` and `ListInstanceDomains()` endpoints

# Additional Context

- Closes #9839

make review comment more clear what is expected
…token context (#10221)

# Which Problems Are Solved

Customers reported, that if the session / access token in Console expired and they re-authenticated, the user list would be empty. While reproducing the issue, we discovered that the necessary organization information, would be missing in the access token, since this would already be missing in the OIDC session creation when using an id_token_hint.

# How the Problems Are Solved

- Ensure the user's organization is set in the login v1 auth request. This is used to create the OIDC and token information.

# Additional Changes

None

# Additional Context

- reported by customers
- requires backport to v3.x

…r phone number (#10228)

# Which Problems Are Solved

When authenticating with email or phone number in the login V1, users were not able to request a password reset and would be given a "User not found" error. This was due to a check of the loginname of the auth request, which in those cases would not match the user's stored loginname.

# How the Problems Are Solved

Switch to a check of the resolved userID in the auth request. (We still check the user again, since the ID might be a placeholder for an unknown user and we do not want to disclose any information by omitting a check and reduce the response time.)

# Additional Changes

None

# Additional Context

- reported through support
- requires backport to v3.x

# Which Problems Are Solved

The close PR action currently fails because of unescaped backticks.

# How the Problems Are Solved

Backticks are escaped.

# Additional Changes

- Adding a login remote immediately fetches for better UX.
- Adding a subtree is not necessary, as it is already added in the repo.
- Fix and clarify PR migration steps.
- Add workflow dispatch event

# Which Problems Are Solved

The close PR action fails https://github.com/zitadel/typescript/actions/runs/16196332400/job/45723668837?pr=511

# How the Problems Are Solved

A backtick is escaped.

# Additional Context

- Completes #10229

# Which Problems Are Solved

When an organization domain is verified, e.g. also when creating a new organization (incl. generated domain), existing usernames are checked if the domain has been claimed. The query was not optimized for instances with many users and organizations.

# How the Problems Are Solved

- Replace the query, which was searching over the users projection with (computed loginnames) with a dedicated query checking the loginnames projection directly.
- All occurrences have been updated to use the new query.

# Additional Changes

None

# Additional Context

- reported through support
- requires backport to v3.x

…ed usernames (#10205)
# Which Problems Are Solved

The CORS handler for the new connectRPC handlers was missing, leading to unhandled preflight requests and an unusable api for browser based calls, e.g. cross domain gRPC-web requests.

# How the Problems Are Solved

- Added the http CORS middleware to the connectRPC handlers.
- Added `Grpc-Timeout`, `Connect-Protocol-Version`, `Connect-Timeout-Ms` to the default allowed headers (this improves also the old grpc-web handling)
- Added `Grpc-Status`, `Grpc-Message`, `Grpc-Status-Details-Bin` to the default exposed headers (this improves also the old grpc-web handling)

# Additional Changes

None

# Additional Context

noticed internally while testing other issues

…n (#10197)

# Which Problems Are Solved

Fixes issue when users would get an error message when attempting to resend invitation code when logging in

# How the Problems Are Solved

Changing the permission check for looking for `org.write` to `ommand.checkPermissionUpdateUser()`

# Additional Context

- Closes zitadel/zitadel#10100
- backport to 3.x

…n (#10242)

# Which Problems Are Solved

After changing some internal logic, which should have failed the integration test, but didn't, I noticed that some integration tests were never executed. The make command lists all `integration_test` packages, but some are named `integration`

# How the Problems Are Solved

Correct wrong integration test package names.

# Additional Changes

None

# Additional Context

- noticed internally
- backport to 3.x and 2.x

…adel into chore-fix-login-pull