4.12.0 (2025-02-12), minor release, contains breaking changes

Breaking Changes 1

  • Revert renaming of Management Console feature flag (#11706) breaking
    Reverted the rename of the feature flag 'Console' to 'Management Console'. This is a breaking change for users who had already transitioned to the new key 'KeyManagementConsoleUseV2UserApi'.
    Console API

Features 9

  • Current password field in password reset flow (#11534, #11533)
    Users are now required to confirm their current password before setting a new one in the password change form.
    Login V2
  • Configure trusted domains in first instance setup (#11169, #11153)
    It is now possible to configure multiple trusted domains during the initial instance bootstrapping (e.g., via steps.yaml).
    Setup
  • Access token type for machine users in V2 API (#11599, #10850)
    Added the ability to specify the access token type when creating or updating machine users in the V2 User Service.
    User Service V2 API
  • AutoFocus for login input components (#11566, #11565)
    The first input field on login form components now automatically receives focus for better accessibility and user experience.
    Login V2
  • JWT authentication via LOGIN_SERVICE_KEY_FILE (#11572, #10693)
    Added support for JWT authentication using a PEM private key file via the LOGIN_SERVICE_KEY_FILE environment variable.
    Login V2
  • TLS termination support in login container (#11663, #11473)
    The login container now supports optional HTTPS termination directly via ZITADEL_TLS_ENABLED, ZITADEL_TLS_CERTPATH, and ZITADEL_TLS_KEYPATH.
    Login V2
  • Dynamic language configuration in Login V2 (#11372, #11199)
    The login application now dynamically loads allowed and default languages from settings. Cookie and header locales are strictly validated against these settings.
    Login V2
  • Redirect configuration for multi-domain setups (#11527)
    Enhanced security for Server Actions and fallback logic for redirects in complex multi-domain environments via SERVER_ACTION_ALLOWED_ORIGINS.
    Login V2
  • OpenSSL CA store for TLS validation (#11562, #11563)
    Node.js is now configured to use the OpenSSL CA store, allowing for custom CA certificates via SSL_CERT_FILE.
    Login V2

Bug Fixes 14

  • Revert renaming of Management Console feature flag (#11706) breaking
    Reverted the rename of the feature flag 'Console' to 'Management Console'. This is a breaking change for users who had already transitioned to the new key 'KeyManagementConsoleUseV2UserApi'.
    Console API
  • Add login_hint to IDP intent flow (#11552, #11392)
    The `login_hint` is now passed to external Identity Providers during the intent flow, preventing users from having to re-enter their username.
    Login V2 External IDP
  • Allow creating new invite code before expiration (#11649, #10718)
    Fixed a check that prevented creating a new invite code if an existing one was still valid when the code was requested as a return value.
    User Service
  • Correct audience for token introspection in benchmarks (#11586, #11585)
    Ensures the introspection token has the correct audience by passing generated project IDs as scopes.
    Benchmark
  • Correct help link for Generic OIDC IdP (#11605, #11505)
    Fixed the help button URL for Generic OIDC providers which previously pointed to Google configuration.
    Console
  • Fix Login V2 links in email notifications (#10711, #10643)
    Ensures email links for passkey registration and domain claims correctly point to Login V2 routes when enabled.
    Notification Login V2
  • Fix instance error translations in API (#11708)
    Merged IAM and Instance translation sections to resolve duplicate key errors in the API.
    I18n API
  • List all supported frameworks in Management Console (#11716)
    Console
  • Check primary auth methods during user discovery (#11689)
    Users with only secondary authentication methods (like TOTP) no longer receive a 'user not found' error and are instead prompted for verification or setup.
    Login V2
  • Runtime resolution of CSP img-src (#11603, #11088, #11602)
    CSP `img-src` is now resolved at runtime, allowing branding logos to load correctly on different domains in self-hosted environments.
    Login V2 Security
  • Fix email and phone login gated logic (#11618, #11518)
    Fixed a logic error where disabling phone/email login prevented valid users from being found.
    Login V2
  • Session termination on user deactivation/deletion (#11644, #10307)
    Sessions are now automatically terminated/deleted via projection reducers when a user is deactivated, locked, or removed.
    Session Management
  • Support refresh tokens in IDP intent flows (#11613, #11047)
    Added support for refresh tokens in the RetrieveIdentityIntentResponse to persist tokens from external providers.
    External IDP API
  • Resolve nil-pointer panics and flakiness in tests (#11695)
    Testing