ZITADEL - Identity Experience Platform


What Is ZITADEL

ZITADEL is a "Cloud Native Identity and Access Management" solution built for the cloud era. ZITADEL uses a modern software stack consisting of Golang, Angular and CockroachDB as its sole storage, and follows an event-sourced pattern.

We built ZITADEL not only with the vision of becoming a great open source project but also as a superb platform to support developers building their applications, without needing to handle secure user login and account management themselves.

How Does It Work

We built ZITADEL around the idea that an IAM should be easy to deploy and scale. That's why we tried to reduce external systems as much as possible. For example, ZITADEL is event sourced but does not rely on a pub/sub system to function. Instead, we built all the functionality right into one binary. ZITADEL only needs Kubernetes for orchestration and CockroachDB as storage.

Features of the ZITADEL platform

  • Authentication
    • OpenID Connect 1.0 Protocol (OP)
    • Username / Password
    • Machine-to-machine (JWT profile)
    • Passwordless with FIDO2
  • Multifactor authentication with OTP, U2F
  • Federation with OpenID Connect 1.0 Protocol (RP), OAuth 2.0 Protocol (RP)
  • Authorization via Role Based Access Control (RBAC)
  • Identity Brokering
  • Delegation of roles to other organizations for self-management
  • Strong audit trail for all IAM resources
  • User interface for administration
  • APIs for Management, Administration, and Authentication
  • Policy configuration and enforcement
  • Private Labeling

Run ZITADEL anywhere

Self-Managed

You can run an automatically operated ZITADEL instance on a CNCF-compliant Kubernetes cluster of your choice:

CAOS-Managed

  • ZITADEL Cloud: ZITADEL.ch is our shared cloud service hosted in Switzerland. Get started and try the free tier, which already includes unlimited users and all necessary security features.
  • ZITADEL Enterprise: We operate and support a private instance of ZITADEL for you. Get in touch!

Start using ZITADEL

Quickstarts

See our Documentation to get started with ZITADEL quickly. Let us know in the Q&A if you are missing a language or framework.

Client libraries

  • Go client library
  • .NET client library
  • Dart client library

Help and Documentation

Showcase

Passwordless Login

Use our login widget to allow easy and secure access to your applications and enjoy all the benefits of passwordless (FIDO 2 / WebAuthN):

  • works on all modern platforms, devices, and browsers
  • phishing-resistant alternative
  • requires only one gesture by the user
  • easy enrollment of the device during registration


Admin Console

Use Console or our APIs to set up organizations, projects and applications.

Register new applications

Delegate the right to assign roles to another organization

Customize login and console with your design

How To Contribute

Details about how to contribute can be found in the Contribution Guide.

Security

See the policy here

Other CAOS Projects

  • ORBOS - GitOps everything
  • OIDC for GO - OpenID Connect SDK (client and server) for Go
  • ZITADEL Tools - Go tool to convert key file to privately signed JWT

Usage Data

ZITADEL components send errors and usage data to CAOS Ltd., so that we are able to identify code improvement potential. If you don't want to send this data or don't have an internet connection, pass the global flag --disable-analytics when using zitadelctl. For disabling ingestion for already-running components, execute the takeoff command again with the --disable-analytics flag.

We try to distinguish the environments that events come from. As the environment identifier, we enrich the events with the domain you have configured in zitadel.yml, as soon as it's available. When it's not available and you passed the --gitops flag, we derive the environment identifier from your git repository URL.

Besides errors that don't clearly come from misconfiguration or CLI misuse, we send an initial event when any binary is started. This is a " invoked" event along with the flags that are passed to it, except secret values of course.

We only ingest operational data. Your ZITADEL workload data from the IAM application itself is never sent anywhere unless you choose to integrate other systems yourself.

License

See the exact licensing terms here

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Owner
CAOS
Comments
  • Quickstart not working on Linux

    Describe the bug

    Cannot get started using the quickstart

    To Reproduce

    Steps to reproduce the behavior:

    I am following: https://github.com/caos/zitadel/blob/main/guides/quickstart.md

    My assumption with the quickstart is that, after running the command:

    COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 \
    && docker-compose -f ./build/local/docker-compose-local.yml --profile database -p zitadel up --exit-code-from db-migrations \
    && sleep 5 \
    && docker-compose -f ./build/local/docker-compose-local.yml --profile database --profile init-backend --profile init-frontend --profile backend --profile frontend --profile setup -p zitadel up -d
    

    Expected behavior

    I would see two things:

    1. the following text appears:
    ++=========++
    || ZITADEL ||
    || STARTED ||
    ++=========++
    
    2. At that point, I will be able to go to http://localhost:4200/

    Is this correct?

    Desktop (please complete the following information):

    • OS: Ubuntu 20.04
    • Browser: Chrome, cURL
  • OAuthErrorEvent: unable to retrieve client by id since version 2.5.0

    Describe the bug

    The server reports an error that the web browser shows in its console when accessing the web UI at /ui/console, whether the user is logged in or not. The errors are reported from version 2.5.0 onwards (to anybody reading this from the future, the current version is 2.10.0).

    In the not logged in state, the following OAuth message is reported by the server:

    (The JSON payload has been formatted for readability)

    Uncaught (in promise): OAuthErrorEvent: 
    {
        "type": "code_error",
        "reason": {},
        "params": {
            "error": "server_error",
            "error_description": "unable+to+retrieve+client+by+id",
            "state": "<redacted>"
        }
    }
    

    In the logged in state, seemingly related errors are returned by the server in the GRPC calls. A message in the browser console is:

    could not read projectid by clientid (AUTH-GHpw2)

    The payloads sent by the server don't have more information that I can copy-paste here for examination.

    To Reproduce

    The same client application behavior can be observed when logged in and not logged in, except for the messages reported in the browser console.

    1. Visit /ui/console
    2. The page visible to the user has no content (see screenshot).
    3. Open the browser dev tools console
    4. Notice the error(s)

    Expected behavior

    I expect to be redirected to the login page or have the console with the required data, whichever is relevant according to the login state of the user.

    Screenshots

    A "blank" page with no error presented to the user

    Desktop: Server side error, not applicable.

    Smartphone: Server side error, not applicable.

    Server: OS: Debian 11.5, Database: PostgreSQL 14

  • Unable to start zitadel using example

    Describe the bug

    When the container is started, the following issue appears and the container is constantly restarting:

    time="2022-10-25T15:10:45Z" level=info msg="initialization started" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/init.go:72"
    time="2022-10-25T15:10:45Z" level=info msg="verify user" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/verify_user.go:38" username=zitadel_user
    time="2022-10-25T15:10:45Z" level=info msg="verify database" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/verify_database.go:38" database=zitadel
    time="2022-10-25T15:10:45Z" level=info msg="verify grant" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/verify_grant.go:33" database=zitadel user=zitadel_user
    time="2022-10-25T15:10:45Z" level=info msg="verify zitadel" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/verify_zitadel.go:69" database=zitadel
    time="2022-10-25T15:10:47Z" level=info msg="setup started" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:57"
    time="2022-10-25T15:10:47Z" level=info msg="verify migration 01_tables" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:33"
    time="2022-10-25T15:10:47Z" level=info msg="verify migration 02_assets" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:33"
    time="2022-10-25T15:10:47Z" level=info msg="verify migration 03_default_instance" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:33"
    time="2022-10-25T15:10:47Z" level=info msg="starting migration 03_default_instance" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:43"
    time="2022-10-25T15:10:47Z" level=error msg="migration failed" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:45" error="ID=COMMA-VoaRj Message=Errors.User.PasswordComplexityPolicy.HasUpper"
    time="2022-10-25T15:10:47Z" level=fatal msg="unable to migrate step 3" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:98" error="ID=COMMA-VoaRj Message=Errors.User.PasswordComplexityPolicy.HasUpper"
    time="2022-10-25T15:10:54Z" level=info msg="initialization started" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/init.go:72"
    time="2022-10-25T15:10:54Z" level=info msg="verify user" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/verify_user.go:38" username=zitadel_user
    time="2022-10-25T15:10:54Z" level=info msg="verify database" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/verify_database.go:38" database=zitadel
    time="2022-10-25T15:10:54Z" level=info msg="verify grant" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/verify_grant.go:33" database=zitadel user=zitadel_user
    time="2022-10-25T15:10:54Z" level=info msg="verify zitadel" caller="/home/runner/work/zitadel/zitadel/cmd/initialise/verify_zitadel.go:69" database=zitadel
    time="2022-10-25T15:10:56Z" level=info msg="setup started" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:57"
    time="2022-10-25T15:10:57Z" level=info msg="verify migration 01_tables" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:33"
    time="2022-10-25T15:10:57Z" level=info msg="verify migration 02_assets" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:33"
    time="2022-10-25T15:10:57Z" level=info msg="verify migration 03_default_instance" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:33"
    time="2022-10-25T15:10:57Z" level=info msg="starting migration 03_default_instance" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:43"
    time="2022-10-25T15:10:57Z" level=error msg="migration failed" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:45" error="ID=COMMA-VoaRj Message=Errors.User.PasswordComplexityPolicy.HasUpper"
    time="2022-10-25T15:10:57Z" level=fatal msg="unable to migrate step 3" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:98" error="ID=COMMA-VoaRj Message=Errors.User.PasswordComplexityPolicy.HasUpper"
    

    To Reproduce

    Steps to reproduce the behavior: Used the example here: https://docs.zitadel.com/docs/guides/deploy/loadbalancing-example
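
The restart loop in the log above fails at migration 03_default_instance with Errors.User.PasswordComplexityPolicy.HasUpper, which indicates that the password configured for the first admin user created by that step lacks an uppercase letter. The Go program below is an added example, not ZITADEL's own code: it pulls the error ID and message out of container log lines like those quoted, and checks a candidate bootstrap password against a policy modelled on ZITADEL's password complexity policy. The default policy values and the error keys other than HasUpper are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// PasswordComplexityPolicy mirrors the fields of ZITADEL's password complexity
// policy: a minimum length plus four optional character-class requirements.
type PasswordComplexityPolicy struct {
	MinLength    int
	HasLowercase bool
	HasUppercase bool
	HasNumber    bool
	HasSymbol    bool
}

// DefaultPolicy is the policy assumed for a fresh instance in this example
// (8 characters, all four classes required); check your instance's actual policy.
var DefaultPolicy = PasswordComplexityPolicy{
	MinLength: 8, HasLowercase: true, HasUppercase: true, HasNumber: true, HasSymbol: true,
}

// policyErrorPrefix is the key prefix seen in the issue's log line; the suffixes
// other than HasUpper are assumed to follow the same pattern.
const policyErrorPrefix = "Errors.User.PasswordComplexityPolicy."

// CheckPassword returns the policy rules that pw violates, as error keys in the
// style of the log line. An empty result means step 03_default_instance would
// accept the password for the first admin user.
func CheckPassword(pw string, p PasswordComplexityPolicy) []string {
	var lower, upper, number, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			number = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	var failed []string
	if len([]rune(pw)) < p.MinLength {
		failed = append(failed, policyErrorPrefix+"MinLength")
	}
	if p.HasLowercase && !lower {
		failed = append(failed, policyErrorPrefix+"HasLower")
	}
	if p.HasUppercase && !upper {
		failed = append(failed, policyErrorPrefix+"HasUpper")
	}
	if p.HasNumber && !number {
		failed = append(failed, policyErrorPrefix+"HasNumber")
	}
	if p.HasSymbol && !symbol {
		failed = append(failed, policyErrorPrefix+"HasSymbol")
	}
	return failed
}

// SetupFailure holds the fields a restart-loop diagnosis needs from one log line.
type SetupFailure struct {
	Level, Msg, ErrorID, Message string
}

// failureLine matches the logfmt fields of ZITADEL's error/fatal setup lines.
var failureLine = regexp.MustCompile(
	`level=(error|fatal) msg="([^"]*)".*error="ID=(\S+) Message=([^"]*)"`)

// FindSetupFailure scans container log output for the first error/fatal line
// that carries a ZITADEL error ID and returns its parts; ok is false if none.
func FindSetupFailure(log string) (f SetupFailure, ok bool) {
	for _, line := range strings.Split(log, "\n") {
		if m := failureLine.FindStringSubmatch(line); m != nil {
			return SetupFailure{Level: m[1], Msg: m[2], ErrorID: m[3], Message: m[4]}, true
		}
	}
	return SetupFailure{}, false
}

// sampleLog is constructed from the lines quoted in the issue (callers shortened).
const sampleLog = `time="2022-10-25T15:10:47Z" level=info msg="starting migration 03_default_instance" caller="internal/migration/migration.go:43"
time="2022-10-25T15:10:47Z" level=error msg="migration failed" caller="internal/migration/migration.go:45" error="ID=COMMA-VoaRj Message=Errors.User.PasswordComplexityPolicy.HasUpper"
time="2022-10-25T15:10:47Z" level=fatal msg="unable to migrate step 3" caller="cmd/setup/setup.go:98" error="ID=COMMA-VoaRj Message=Errors.User.PasswordComplexityPolicy.HasUpper"`

func main() {
	if f, ok := FindSetupFailure(sampleLog); ok {
		fmt.Printf("setup failed at %q: %s (error ID %s)\n", f.Msg, f.Message, f.ErrorID)
	}
	// Check candidate bootstrap passwords before running setup again.
	for _, pw := range []string{"password1!", "Password1!"} {
		fmt.Printf("%q violates: %v\n", pw, CheckPassword(pw, DefaultPolicy))
	}
}
```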

  • chore(deps): bump golang from 1.16 to 1.18.2 in /build/operator

    Bumps golang from 1.16 to 1.18.2.

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • Redirect URI not working

    Describe the bug

    After entering the password, the user is redirected back to the login page (as if nothing happened), instead of the proper redirect URI. This is solved by removing the default login URI on the organization. The odd thing is that re-adding the default redirect URI on the organization doesn't reintroduce the bug.

    It seems like deleting and re-adding the default redirect URI on the organization changes some other state. The same happens if I initialize the organization without a default redirect (if I add one and then remove it, it works).

    I can't provide the Terraform spec to reproduce since it also involves instance configurations (not available yet), but happy to provide more details if needed.

    This used to work with previous versions; it might be tied to a recent release.

    The redirect URI is also set on the instance.

    Additional context

    ZITADEL Cloud 2.8.0

  • Yubikey not working for passwordless on Firefox+Ubuntu

    Describe the bug

    On Firefox on Linux (Ubuntu):

    • my Yubikeys are not recognized when trying to register in the console in passwordless section
    • cannot use a Yubikey to log in via passwordless (after successfully registered it via Chrome)

    During authentication, I got the following error: [image]

    Yubikey works:

    • perfectly for MFA on Firefox and Chrome
    • perfectly as passwordless method on Chrome
    • perfectly as passwordless method on Firefox+Windows11

    Note: I tried two different Yubikeys: Yubikey Bio, and YubiKey 5C

    Expected behavior

    Registering and using a Yubikey as passwordless method should work on Firefox.

    Screenshots

    If applicable, add screenshots to help explain your problem.

    Desktop (please complete the following information):

    • OS: Ubuntu 22.04
    • Browser: Firefox 103
    • Version: v2.0.0
  • chore(deps): bump github.com/minio/minio-go/v7 from 7.0.23 to 7.0.26

    Bumps github.com/minio/minio-go/v7 from 7.0.23 to 7.0.26.

    Release notes

    Sourced from github.com/minio/minio-go/v7's releases.

    Bugfix Release

    What's Changed

    • versioning: Add support for ExcludedPrefixes and ExcludeFolders by @krisis in #1646

    Full Changelog: https://github.com/minio/minio-go/compare/v7.0.25...v7.0.26

    Bugfix Release: https://github.com/minio/minio-go/compare/v7.0.24...v7.0.25

    Bugfix Release: https://github.com/minio/minio-go/compare/v7.0.23...v7.0.24

  • chore(deps): bump github.com/lib/pq from 1.10.4 to 1.10.5

    Bumps github.com/lib/pq from 1.10.4 to 1.10.5.

  • chore(deps): bump github.com/cockroachdb/cockroach-go/v2 from 2.2.4 to 2.2.8

    Bumps github.com/cockroachdb/cockroach-go/v2 from 2.2.4 to 2.2.8.

    Commits
    • e1659d1 Merge pull request #126 from cockroachdb/retries
    • 0fd01e0 Make it possible to configure maximum retry count when
    • 3059636 Merge pull request #125 from aeneasr/use-error-as
    • c787987 fix: user errors.As for error type assertion
    • 7a4e302 Merge pull request #123 from rafiss/max-retry-error
    • f431ea8 Make max retry error show correct message
    • 561007c Merge pull request #119 from ashie1287/fix/rollback-on-panic
    • 142038c Fix comment, undo unnecessary var assignment
    • fb654e5 rollback on panic (need help with tests)
    • See full diff in compare view

  • Domain discovery (identity brokering) doesn't work

    Describe the bug

    I'm trying to set up domain discovery so that organizations can have different branding/IDPs but keeping a single login page.

    I followed the guide on identity brokering, but I can't get ZITADEL to show the correct login page after entering the username.

    To Reproduce

    I created the following resources (n.b.: private_labeling_setting and user_login)

    terraform {
      required_providers {
        zitadel = {
          source  = "zitadel/zitadel"
          version = "1.0.0-alpha.8"
        }
      }
    }
    
    resource "zitadel_org" "main_org" {
      name = "Main Org"
    }
    
    resource "zitadel_project" "main_project" {
      depends_on = [zitadel_org.main_org]
    
      org_id = zitadel_org.main_org.id
    
      name                     = "main-project"
      project_role_assertion   = true
      project_role_check       = true
      has_project_check        = true
      private_labeling_setting = "PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY"
    }
    
    resource "zitadel_application_oidc" "application_oidc" {
      depends_on = [zitadel_org.main_org, zitadel_project.main_project]
    
      org_id     = zitadel_org.main_org.id
      project_id = zitadel_project.main_project.id
    
      name                        = "webapp"
      redirect_uris               = ["http://localhost:8080"]
      response_types              = ["OIDC_RESPONSE_TYPE_CODE"]
      grant_types                 = ["OIDC_GRANT_TYPE_AUTHORIZATION_CODE", "OIDC_GRANT_TYPE_REFRESH_TOKEN"]
      post_logout_redirect_uris   = ["http://localhost:8080"]
      app_type                    = "OIDC_APP_TYPE_WEB"
      auth_method_type            = "OIDC_AUTH_METHOD_TYPE_NONE"
      version                     = "OIDC_VERSION_1_0"
      clock_skew                  = "0s"
      dev_mode                    = true
      access_token_type           = "OIDC_TOKEN_TYPE_BEARER"
      id_token_role_assertion     = true
      id_token_userinfo_assertion = true
    }
    
    variable "google_oidc_client_id" {
      type      = string
      sensitive = true
    }
    
    variable "google_oidc_client_secret" {
      type      = string
      sensitive = true
    }
    
    resource "zitadel_org_oidc_idp" "google_oidc" {
      depends_on = [zitadel_org.main_org]
    
      org_id               = zitadel_org.main_org.id
      name                 = "Google"
      styling_type         = "STYLING_TYPE_GOOGLE"
      client_id            = var.google_oidc_client_id
      client_secret        = var.google_oidc_client_secret
      issuer               = "https://accounts.google.com"
      scopes               = ["openid", "profile", "email"]
      display_name_mapping = "OIDC_MAPPING_FIELD_EMAIL"
      username_mapping     = "OIDC_MAPPING_FIELD_EMAIL"
      auto_register        = true
    }
    
    resource "zitadel_login_policy" "login_policy" {
      depends_on = [zitadel_org.main_org, zitadel_org_oidc_idp.google_oidc]
    
      org_id                        = zitadel_org.main_org.id
      allow_external_idp            = true
      allow_register                = true
      default_redirect_uri          = "localhost:8080"
      external_login_check_lifetime = "240h0m0s"
      force_mfa                     = false
      hide_password_reset           = true
      idps                          = [zitadel_org_oidc_idp.google_oidc.id]
      ignore_unknown_usernames      = true
      mfa_init_skip_lifetime        = "720h0m0s"
      multi_factor_check_lifetime   = "12h0m0s"
      multi_factors                 = ["MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION"]
      password_check_lifetime       = "240h0m0s"
      passwordless_type             = "PASSWORDLESS_TYPE_NOT_ALLOWED"
      second_factor_check_lifetime  = "18h0m0s"
      second_factors                = ["SECOND_FACTOR_TYPE_OTP", "SECOND_FACTOR_TYPE_U2F"]
      user_login                    = false
    }
    
    resource "zitadel_domain" "domain" {
      depends_on = [zitadel_org.main_org]
    
      org_id = zitadel_org.main_org.id
    
      name = "localhost.com"
    }
    
    resource "zitadel_human_user" "human_user" {
      depends_on = [zitadel_org.main_org]
    
      org_id = zitadel_org.main_org.id
    
      user_name         = "human"
      first_name        = "firstname"
      last_name         = "lastname"
      display_name      = "displayname"
      email             = "[email protected]"
      is_email_verified = true
      initial_password  = "Password1!"
    }
    

    Expected behaviour

    ZITADEL should match the domain localhost.com and present Google as IdP (as if passing the primary domain as a scope, which works)

    Screenshots

    [Screenshot 2022-09-13 at 20:20:08] [Screenshot 2022-09-13 at 20:20:14]

    Additional context

    ZITADEL 2.4.0

  • chore(deps): bump go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.27.0 to 0.32.0

    Bumps go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc from 0.27.0 to 0.32.0.

    Changelog

    Sourced from go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc's changelog.

    [1.7.0/0.32.0] - 2022-04-28

    Added

    • Consistent probability sampler implementation. (#1379)

    Changed

    • Upgraded all semconv package use to v1.10.0. This includes a backwards incompatible change for the otelgocql package to conform with the specification change. The db.cassandra.keyspace attribute is now transmitted as the db.name attribute. (#2222)

    Fixed

    • Fix the otelmux middleware by using SpanKindServer when deciding the SpanStatus. This makes 4xx response codes to not be an error anymore. (#1973)
    • Fixed jaegerremote sampler not behaving properly with per operation strategy set. (#2137)
    • Stopped injecting propagation context into response headers in otelhttp. (#2180)

    [1.6.0/0.31.0] - 2022-03-28

    Added

    • The project is now tested against Go 1.18 (in addition to the existing 1.16 and 1.17) (#1976)

    Changed

    • Upgraded all dependencies on stable modules from go.opentelemetry.io/otel from v1.5.0 to v1.6.1. (#2134)
    • Upgraded all dependencies on metric modules from go.opentelemetry.io/otel from v0.27.0 to v0.28.0. (#1977)

    Fixed

    • otelhttp: Avoid panic by adding nil check to wrappedBody.Close (#2164)

    [1.5.0/0.30.0/0.1.0] - 2022-03-16

    Added

    • Added the go.opentelemetry.io/contrib/samplers/jaegerremote package. This package implements the Jaeger remote sampler for OpenTelemetry Go. (#936)
    • DynamoDB spans created with the go.opentelemetry.io/contrib/instrumentation/github.com/aws/aws-sdk-go-v2/otelaws package now have the appropriate database attributes added for the operation being performed. These attributes are detected automatically, but it is also now possible to provide a custom function to set attributes using WithAttributeSetter. (#1582)
    • Add resource detector for GCP cloud function. (#1584)
    • Add OpenTracing baggage extraction to the OpenTracing propagator in go.opentelemetry.io/contrib/propagators/ot. (#1880)

    Fixed

    • Fix the echo middleware by using SpanKind.SERVER when deciding the SpanStatus. This makes 4xx response codes to not be an error anymore. (#1848)

    ... (truncated)

    Commits
    • 9ed99eb Release v1.7.0/v0.32.0 (#2255)
    • aa8e611 Upgrade semconv to v1.10.0 (#2222)
    • 93b5a37 Return metric SDK testing using metrictest (#2224)
    • 8b86920 Add missing dependabot entry (#2225)
    • 5883a27 OTel-Go Consistent Probability Sampler and conformance tests (#1379)
    • 672ba73 build(deps): bump cloud.google.com/go/compute in /detectors/gcp (#2211)
    • 79fe774 build(deps): bump go.opentelemetry.io/proto/otlp (#2221)
    • 84c7a27 build(deps): bump google.golang.org/grpc (#2220)
    • 32f5ae3 build(deps): bump github.com/aws/aws-sdk-go in /detectors/aws/ec2 (#2219)
    • 813f956 build(deps): bump google.golang.org/grpc from 1.45.0 to 1.46.0 in /instrument...
    • Additional commits viewable in compare view

  • Docs: Configuration options vs environment variables

    As Dev I want to understand how to configure zitadel for testing/dev and production.

    Background: I was not able to fully understand how our system can be configured via code/variables for a dev and prod scenario, based on our documentation.

    Observations:

    • Docker compose uses env variables
    • LB example uses config files
    • Both options are explained in the Configuration Options page
    • The actual config parameters are in here and here
    • Some relevant configuration parameters are missing a comment (eg, machine user vs. human user)
    • Environment variables are not searchable in the docs, since we only point at the config files and explain how the variable names can be deduced from yaml files
    • Production Checklist makes no recommendation for envs vs config files

    Proposal (to be discussed)

    • Consistently use config with envs in the basic deploy examples
    • Provide most important variables (see below) in the Configuration Options as list (and link to the files for full reference)
    • Environment variables and their behavior should be described in more detail (variable name | mandatory (yes/no) | comments | defaults to)
    • Reference the basic env variables from the deploy examples, such that people understand more easily how to change default values, as immediate next step (eg, password for admin)
    • Make clear why our recommendation is config files in most cases (input from @fforootd about leaking values etc.)

    Variables (incomplete, to be discussed)

    https://github.com/zitadel/zitadel/blob/dc2a4ea92c6fefdea1648adb0983df11be90c5d8/cmd/defaults.yaml#L21

    https://github.com/zitadel/zitadel/blob/dc2a4ea92c6fefdea1648adb0983df11be90c5d8/cmd/defaults.yaml#L24

    https://github.com/zitadel/zitadel/blob/dc2a4ea92c6fefdea1648adb0983df11be90c5d8/cmd/defaults.yaml#L29

    https://github.com/zitadel/zitadel/blob/dc2a4ea92c6fefdea1648adb0983df11be90c5d8/cmd/defaults.yaml#L56

    https://github.com/zitadel/zitadel/blob/dc2a4ea92c6fefdea1648adb0983df11be90c5d8/cmd/defaults.yaml#L57

    https://github.com/zitadel/zitadel/blob/dc2a4ea92c6fefdea1648adb0983df11be90c5d8/cmd/defaults.yaml#L58

    https://github.com/zitadel/zitadel/blob/dc2a4ea92c6fefdea1648adb0983df11be90c5d8/cmd/defaults.yaml#L65

    https://github.com/zitadel/zitadel/blob/dc2a4ea92c6fefdea1648adb0983df11be90c5d8/cmd/setup/steps.yaml#L24

    https://github.com/zitadel/zitadel/blob/dc2a4ea92c6fefdea1648adb0983df11be90c5d8/cmd/setup/steps.yaml#L11

    Acceptance criteria

    • [ ] ...
    • [ ] ...
  • Update the documentation to avoid using the postgres user.

    Update the documentation to avoid using the postgres user.

    In some environments it is not possible to get access to the postgres user.

    This is in response to #4961.

    • [ ] I am happy with the code
    • [ ] Short description of the feature/issue is added in the pr description
    • [ ] PR is linked to the corresponding user story
    • [ ] Acceptance criteria are met
    • [ ] All open todos and follow ups are defined in a new ticket and justified
    • [ ] Deviations from the acceptance criteria and design are agreed with the PO and documented.
    • [ ] No debug or dead code
    • [ ] Critical parts are tested automatically
    • [ ] Where possible E2E tests are implemented
    • [ ] Documentation/examples are up-to-date
    • [ ] All non-functional requirements are met
    • [ ] Functionality of the acceptance criteria is checked manually on the dev system.
  • No requests are possible on a removed organisation

    No requests are possible on a removed organisation

    As an end user or an admin, I should not be able to create, update, or change the state of any object of a removed organization.

    Acceptance criteria

    • [ ] I am not able to create an object in a removed organization (user, project, etc.)
    • [ ] I am not able to update an object in a removed organization (user, project, etc.)
    • [ ] I am not able to delete an object in a removed organization (user, project, etc.)
    • [ ] I am not able to activate a user with a link in the initial mail if the organisation is deleted
  • Finish Quotas Feature

    Finish Quotas Feature

    As a system api user, I want to be able to configure quotas so that usage can be blocked and actions on certain thresholds are sent.

    Acceptance criteria

    • [ ] Quota notifications are end-to-end tested
    • [ ] Action seconds limitation is end-to-end-tested
    • [ ] Quotas have their own aggregate type (moved away from instance aggregate)
    • [ ] Reporting usage just depends on write models, not read models
    • [ ] #4779 is merged
    • [ ] #4509 is closed
    • [ ] #4508 is closed

    Follow-up:

    • [ ] Test performance
    • [ ] Improve performance
  • Delete redirect URLs in console

    Delete redirect URLs in console

    As an administrator I want to be able to remove redirect URLs and post logout redirect URLs per API from my applications.

    Acceptance criteria

    • [ ] I am able to delete the last redirect URL from an application
    • [ ] I am able to delete the last post logout redirect URL from an application
    • [ ] If I have deleted the last URL, I get an empty list of URLs on my application
Identity - An OAuth2 identity provider that operates over gRPC

Otter Social > Identity Provider An OAuth2 identity provider that operates over

May 2, 2022
It is a JWT-based implementation of an identity server.

JWTAuth installation guide. Basic requirements: install the docker service, install OpenSSL. Installation commands: create the OS jwtauth account: sudo useradd -m jwtauth; grant the JWTAuth account permission to use docker: sudo usermod -aG docker jwtau

Aug 10, 2022
Demonstration of sharing secret data between an OAuth/OIDC client and an Identity Provider's web client.

OAuth / OIDC Cubbyhole Share secret data between client applications. This is mostly a demonstration of some of the work I've been evaluating at Storj

Mar 21, 2022
Authenticating using Workload Identity Federation to Cloud Run, Cloud Functions

Authenticating using Workload Identity Federation to Cloud Run, Cloud Functions This tutorial and code samples cover how customers that use Workload i

Dec 3, 2022
Platform-Agnostic Security Tokens implementation in GO (Golang)

Golang implementation of PASETO: Platform-Agnostic Security Tokens This is a 100% compatible pure Go (Golang) implementation of PASETO tokens. PASETO

Jan 2, 2023
Casdoor is a UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC.

A UI-first centralized authentication / Single-Sign-On (SSO) platform based on OAuth 2.0 / OIDC

Dec 29, 2022
Generate and verify JWT tokens with Trusted Platform Module (TPM)

golang-jwt for Trusted Platform Module (TPM) This is just an extension for go-jwt I wrote over Thanksgiving that allows creating and verifying JWT tok

Oct 7, 2022
Go client library for the Auth0 platform.

Auth0 Go SDK Go client library for the Auth0 platform. Note: This SDK was previously maintained under go-auth0/auth0. Table of Contents Installation D

Dec 30, 2022
Terraform Provider for the Auth0 platform.

Auth0 Terraform Provider Terraform Provider for the Auth0 platform. Note: This Provider was previously maintained under alexkappa/terraform-provider-a

Dec 21, 2022
stratus is a cross-cloud identity broker that allows workloads with an identity issued by one cloud provider to exchange this identity for a workload identity issued by another cloud provider.

stratus stratus is a cross-cloud identity broker that allows workloads with an identity issued by one cloud provider to exchange this identity for a w

Dec 26, 2021
Identity-service - An OAuth2 identity provider that operates over gRPC

May 2, 2022
Attractify is a customer experience platform.

We are developers and we hate to integrate marketing tools into websites and apps. We want clean APIs and no tools that generate garbage HTML that we

Nov 16, 2022
An Enhanced Go Experience For The Atom Editor

go-plus An Improved Go Experience For The Atom Editor Github: https://github.com/joefitzgerald/go-plus Atom: https://atom.io/packages/go-plus Overview

Dec 26, 2022
red-tldr is a lightweight text search tool, which is used to help red team staff quickly find the commands and key points they want to execute, so it is more suitable for use by red team personnel with certain experience.

Red Team TL;DR English | Simplified Chinese What is Red Team TL;DR ? red-tldr is a lightweight text search tool, which is used to help red team staff quickly find t

Jan 5, 2023
Flagr is an open source Go service that delivers the right experience to the right entity and monitors the impact.

Flagr is an open source Go service that delivers the right experience to the right entity and monitors the impact. It provides feature flags, experimentation (A/B testing), and dynamic configuration. It has clear swagger REST APIs for flags management and flag evaluation.

Dec 25, 2022
A "passwordless" login experience for your AWS RDS

RDS Auth Proxy A two-layer proxy for connecting into RDS postgres databases based on IAM authentication. This tool allows you to keep your databases f

Dec 28, 2022
Devstack is Razorpay's Developer Experience Solution for cloud on laptop

devstack Devstack is Razorpay's Developer Experience Solution for cloud on laptop What is Devstack At razorpay, we run all our workloads on kubernetes

Dec 21, 2022
A unified graphical user experience toolkit for Go desktop applications

Unison A unified graphical user experience toolkit for Go desktop applications. macOS, Windows, and Linux are supported. Required setup Unison is buil

Dec 20, 2022
Used gRPC for the first time, and it was an amazing developer experience

gRPC Used gRPC for the first time, and it was an amazing developer experience. Edge points of using gRPC which I felt: Structured Code Uniform request

Oct 11, 2021