wlinna
ZZITADEL
Created by wlinna on 9/11/2024 in #questions-help-bugs
Errors in login interface are NOT customizable
I tried to find a way to customize "User could not be found". I scoured through Message Texts and Login Interface Texts in both Default Settings and org Settings, but there was no way to change them. To give an example of why I want to change it: we are unable to migrate passwords from our previous authentication system (Firebase Auth), so users will have to re-register. However, many users will not read our announcement or even the login text and will try to use their old accounts. We would like to give them a friendly reminder in the "User could not be found" message that they might have to register an account. Please make error messages customizable. We use Zitadel v2.61.0.
3 replies
Created by wlinna on 9/5/2024 in #questions-help-bugs
Please document login_hint in other contexts besides oidc endpoints
It took me a lot of effort to figure out how to redirect users to /ui/console/users/me from my software such that the correct user is automatically selected. This is because login_hint is not documented except in the context of oidc endpoints. It is also mentioned in passing in Configure ZITADEL with Caddy/Nginx guides but not explained at all. Please document parameters passable to /ui/console such as login_hint so that we may customize Zitadel's behavior.
1 reply
Created by wlinna on 9/4/2024 in #questions-help-bugs
Please make messages, especially the error messages, more attention-grabbing
Right now the error message UI, at least when configuring 2-factor authentication, is not user friendly. The box is placed at the top-right edge, and often the message is so short that it is barely noticeable. Case in point: I just had a screen-sharing session with my boss while he was testing. He was configuring 2-factor authentication with an authenticator app and entered the code. The dialog closed and we didn't notice any error message, but the MFA method didn't appear in the table. We were very confused, until I noticed by chance that there was a little error box in the corner with a short message that the code was invalid. He was using a laptop, so the screen wasn't even particularly large, and yet it confused both of us. I imagine our users will be even more confused when they try to set up their MFA for the first time. So please make the messages more salient. Pop them in the middle of the page, or perhaps at the top edge as a compromise between the current design and the middle. Please make them larger, and maybe increase the font size a bit.
5 replies
Created by wlinna on 8/28/2024 in #questions-help-bugs
Can't remove an organization as an IAM owner (internal error V3-C8l3V)
I'm trying to delete an organization with all its users, but all I'm getting is "An internal error occurred (V3-C8l3V)". My user is an IAM Owner, but not the creator of the organization. The organization has 219 users. Many of them are broken because I removed the IDP they used to log in. (It's okay — not in production yet.) Here's the relevant part of the log. It seems to suggest that it has to do with a lack of memory, but there's plenty of RAM available. However, for the query the budget is set to 0 for some reason.
07:27:37 03be66e673a8[783]: time="7:27:37Z" level=info msg="query failed" caller="/eventstore/repository/sql/query.go:129" error="timeout: context deadline exceeded"
07:27:37 03be66e673a8[783]: time="7:27:37Z" level=info msg="process events failed" caller="/eventstore/handler/v2/handler.go:413" error="ID=SQL-KyeAx Message=unable to filter events Parent=(timeout: context deadline exceeded)" projection=projections.idps3
07:27:37 03be66e673a8[783]: time="7:27:37Z" level=warning msg="delete unique constraint failed" caller="/eventstore/v3/unique_constraints.go:63" error="ERROR: sql: memory budget exceeded: 3348480 bytes requested, 997627327 currently allocated, 0 bytes in budget (SQLSTATE 53200)"
The next message contains the query from CockroachDB. It is over 3000 lines long and is mostly just repetition (but probably with different parameters). Makes me wonder if a query that long could cause problems. I'm using Zitadel 2.59.1 (but it also happened with 2.58.1) with CockroachDB v24.1.3.
9 replies
Created by wlinna on 8/27/2024 in #questions-help-bugs
No way to abort login if it has 2-factor authentication
No description
7 replies
Created by wlinna on 8/26/2024 in #questions-help-bugs
How to use email address as the username with IDPs
This is both a question and a report of a potential bug. I have added Google login as one login option for an organization. The problem with this is that the email is not included as a part of the username, and this can lead to name collisions. To solve this (and for some other reasons), I want to force the user's email domain as part of their username. So instead of creating alice, I would prefer alice@gmail.com (or whatever their email address is) to be used. Here is the part that I consider buggy: I also tried using actions, but setting email as a preferred user name does not work. Email IS there, but setPreferredUsername (or the registration field) somehow erases everything from @ forward. alice@gmail.com becomes alice. However, if I set it as first name, I see the full email as a first name. Notice that I have "Add organization domain as suffix to loginnames" enabled (and I need it). This action demonstrates the problem with actions:
function emailAsUsername(ctx, api) {
  logger.log('SETTING USER EMAIL AS USERNAME');
  api.setFirstName(ctx.v1.externalUser.human.email); // first name will be alice@gmail.com
  api.setPreferredUsername(ctx.v1.externalUser.human.email); // preferred username will be 'alice' + the organization suffix
}
I use Zitadel v2.58.2 with Postgres.
2 replies
Created by wlinna on 8/13/2024 in #questions-help-bugs
Zitadel forgets `urn:zitadel:iam:org:id:{orgId}` scope if you insert domain suffix of another org
Problem: Zitadel forgets the added organization scope of the authorize request and reverts to the default organization, and it's very easy to reproduce accidentally:
0. Enable "Add organization domain as suffix to loginnames" in instance settings.
1. Have two orgs A and B. Set A to default. Create a user in A. Let's call it alice@myemail.com@A.localhost.
2. Create projects and applications for both organizations (I use PKCE).
3. Set your applications to add urn:zitadel:iam:org:id:{orgIdOfB} to the scopes in the authorization URL.
4. Sign in. You will be greeted with "Enter your login data. The user must be member of the B organization."
5. Click "Other User".
6. Input alice@myemail.com@A.localhost. Click Next.
7. Zitadel will take you to the "Registration options" screen (instead of the login-by-password screen, as one might expect). At this point, if there are branding differences, you might notice the change already.
8. Click the back arrow of Zitadel. You will be greeted with "Enter your login data. The user must be member of the A organization."
9. Now input alice@myemail.com@A.localhost again and click Next.
10. Enter the password. If the password is correct, you will sign in successfully.
How can I avoid this behaviour? I'm using Zitadel v2.58.2.
5 replies
Created by wlinna on 8/13/2024 in #questions-help-bugs
id_token missing in callback when `urn:zitadel:iam:org:id:{orgId}` added to the scope
UPDATE: This was my mistake. I added the additional scope with + because I saw that profile+email+openid also has a plus. Also, my plus turned into %2B while the other + characters didn't change for some reason. However, after I replaced my own + (%2B) with whitespace, I get the id_token.
I want to enforce that the user belongs to the specified organization, so I add it to the scope when creating the URL. However, when Zitadel calls the callback, id_token is missing (I only get an access token that looks opaque). If I omit urn:zitadel:iam:org:id:{orgId}, I get the id_token as expected. Is this expected behavior? If it is, where can I read more about it? Here is what the authorization URL looks like:
http://localhost:4444/oauth/v2/authorize?response_type=code&client_id=280114109276553218&audience=&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fsession%2Fcallback&scope=profile+email+openid%2Burn%3Azitadel%3Aiam%3Aorg%3Aid%3A280113846494953474&state=_rhU4K3SX4C2JoO33tUUCA&code_challenge=OMUSKo6i5w0NocjXV_g-t50l1vxB7PD0eEcXlzC727Q&code_challenge_method=S256
I'm running Zitadel v2.58.2 in a Docker container.
2 replies
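The pitfall in the post above is that the `+` characters in a query string are form-encoded spaces, while a literal `+` is sent as `%2B` and glues two scope values together. The following is an added example, not code from the thread or from ZITADEL: it builds an authorize URL with space-delimited scopes and flags mis-joined scope values in an existing URL. The endpoint, client ID, org ID and PKCE values are placeholders.

```javascript
// Added example: assumed local ZITADEL instance; IDs below are placeholders.
const AUTHORIZE_ENDPOINT = "http://localhost:4444/oauth/v2/authorize";

// Scope requesting that the user belong to a given organization (ZITADEL reserved scope).
const orgScope = (orgId) => `urn:zitadel:iam:org:id:${orgId}`;

// Build the authorize URL. URLSearchParams serializes with form encoding, so the
// space-delimited scope list "profile email openid urn:..." is emitted as
// "profile+email+openid+urn%3A...": every "+" here is an encoded space, and a
// literal "+" would instead appear as "%2B".
function buildAuthorizeUrl(params, scopes) {
  const query = new URLSearchParams({
    response_type: "code",
    client_id: params.clientId,
    redirect_uri: params.redirectUri,
    scope: scopes.join(" "), // RFC 6749 scope values are separated by spaces
    state: params.state,
    code_challenge: params.codeChallenge,
    code_challenge_method: "S256",
  });
  return `${AUTHORIZE_ENDPOINT}?${query.toString()}`;
}

// Decode the scope parameter of an authorize URL back into individual values.
// "+" decodes to a space (a separator); "%2B" decodes to a literal "+" that stays
// inside a value, so "openid%2Burn:..." becomes one unknown scope, not "openid".
function parseScopes(url) {
  const raw = new URL(url).searchParams.get("scope") ?? "";
  return raw.split(" ").filter(Boolean);
}

// Return the scope values that were joined with a literal "+" (the bug in the post).
function findMisjoinedScopes(url) {
  return parseScopes(url).filter((value) => value.includes("+"));
}
```

Running findMisjoinedScopes on the post's original URL returns the single glued value "openid+urn:zitadel:iam:org:id:...", which is why no id_token was issued: the openid scope was never actually requested.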
Created by wlinna on 8/13/2024 in #questions-help-bugs
Inviting individual users from another org when "Check for Project on Authentication" is enabled?
Let's say I have two organizations, A and B, and they both have their own project (projectA, projectB) and an application (appA, appB). In projectB I use the "Check for Project on Authentication" setting. Now only users of org B can access projectB (as intended). How can I then allow some select individuals of organization A to log in to appB? I've tried creating a role in projectB and then authorizing users of A, but I keep getting the "Login not possible. The organization of the user must be granted to the project" message.
14 replies
Created by wlinna on 5/17/2024 in #questions-help-bugs
How to disable "Initialize User" email?
Hello, I am migrating users from another system (Firebase Auth), and since Zitadel does not support their modified scrypt algorithm, I have to set passwordChangeRequired = true for email+password users when I call Create/Import User. What I didn't know was that this API would send an email to those users. This is awkward because:
- The Zitadel-based system is still in the testing phase
- Our email provider flags email addresses as spam if too many emails are sent within a short period of time
How can I disable the default behavior of sending the "Initialize User" email? Is my only option (for now) to disable all email providers in Zitadel before migration?
29 replies