Merge pull request #376 from zitadel/rm-env-id

fix: eliminate ZITADEL_SERVICE_USER_ID
zitadel · Feb 25, 2025 · 1553b76 · 1553b76
2 parents 19abbfc + 6468c60
commit 1553b76
Show file tree

Hide file tree

Showing 6 changed files with 4 additions and 32 deletions.
diff --git a/README.md b/README.md
@@ -203,13 +203,11 @@ Go to your instance and create a service user for the login application.
 The login application creates users on your primary organization and reads policy data.
 For the sake of simplicity, just make the service user an instance member with the role `IAM_OWNER`.
 Create a PAT and copy it to the file `apps/login/.env.local` using the key `ZITADEL_SERVICE_USER_TOKEN`.
-Also add the users ID to the file using the key `ZITADEL_SERVICE_USER_ID`.
 
 The file should look similar to this:
 
 ```
 ZITADEL_API_URL=https://zitadel-tlx3du.us1.zitadel.cloud
-ZITADEL_SERVICE_USER_ID=289106423158521850
 ZITADEL_SERVICE_USER_TOKEN=1S6w48thfWFI2klgfwkCnhXJLf9FQ457E-_3H74ePQxfO3Af0Tm4V5Xi-ji7urIl_xbn-Rk
 ```
 
@@ -253,9 +251,8 @@ pnpm test:acceptance
 ### Deploy to Vercel
 
 To deploy your own version on Vercel, navigate to your instance and create a service user.
-Copy its id from the overview and set it as ZITADEL_SERVICE_USER_ID.
 Then create a personal access token (PAT), copy and set it as ZITADEL_SERVICE_USER_TOKEN, then navigate to your instance
 settings and make sure it gets IAM_OWNER permissions.
 Finally set your instance url as ZITADEL_API_URL. Make sure to set it without trailing slash.
 
-[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Fzitadel%2Ftypescript&env=ZITADEL_API_URL,ZITADEL_SERVICE_USER_ID,ZITADEL_SERVICE_USER_TOKEN&root-directory=apps/login&envDescription=Setup%20a%20service%20account%20with%20IAM_OWNER%20membership%20on%20your%20instance%20and%20provide%20its%20id%20and%20personal%20access%20token.&project-name=zitadel-login&repository-name=zitadel-login)
+[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Fzitadel%2Ftypescript&env=ZITADEL_API_URL,ZITADEL_SERVICE_USER_TOKEN&root-directory=apps/login&envDescription=Setup%20a%20service%20account%20with%20IAM_LOGIN_CLIENT%20membership%20on%20your%20instance%20and%20provide%20its%20personal%20access%20token.&project-name=zitadel-login&repository-name=zitadel-login)
diff --git a/acceptance/setup.sh b/acceptance/setup.sh
@@ -17,16 +17,6 @@ if [ -z "${PAT}" ]; then
   PAT=$(cat ${PAT_FILE})
 fi
 
-if [ -z "${ZITADEL_SERVICE_USER_ID}" ]; then
-  echo "Reading ZITADEL_SERVICE_USER_ID from userinfo endpoint"
-  USERINFO_RESPONSE=$(curl -s --request POST \
-    --url "${ZITADEL_API_INTERNAL_URL}/oidc/v1/userinfo" \
-    --header "Authorization: Bearer ${PAT}" \
-    --header "Host: ${ZITADEL_API_DOMAIN}")
-  echo "Received userinfo response: ${USERINFO_RESPONSE}"
-  ZITADEL_SERVICE_USER_ID=$(echo "${USERINFO_RESPONSE}" | jq --raw-output '.sub')
-fi
-
 #################################################################
 # Environment files
 #################################################################
@@ -37,7 +27,6 @@ WRITE_TEST_ENVIRONMENT_FILE=${WRITE_TEST_ENVIRONMENT_FILE:-$(dirname "$0")/../ac
 echo "Writing environment file to ${WRITE_TEST_ENVIRONMENT_FILE} when done."
 
 echo "ZITADEL_API_URL=${ZITADEL_API_URL}
-ZITADEL_SERVICE_USER_ID=${ZITADEL_SERVICE_USER_ID}
 ZITADEL_SERVICE_USER_TOKEN=${PAT}
 SINK_NOTIFICATION_URL=${SINK_NOTIFICATION_URL}
 EMAIL_VERIFICATION=true

diff --git a/apps/login/.env.integration b/apps/login/.env.integration
@@ -1,5 +1,4 @@
 ZITADEL_API_URL=http://localhost:22222
-ZITADEL_SERVICE_USER_ID="yolo"
 ZITADEL_SERVICE_USER_TOKEN="yolo"
 EMAIL_VERIFICATION=true
 DEBUG=true

diff --git a/apps/login/next-env-vars.d.ts b/apps/login/next-env-vars.d.ts
@@ -10,16 +10,12 @@ declare namespace NodeJS {
     SYSTEM_USER_PRIVATE_KEY: string; // The fallback service user private key
 
     /**
-     * Self hosting: The Zitadel API url
+     * The Zitadel API url
      */
     ZITADEL_API_URL: string;
 
     /**
-     * Self hosting: The service user id
-     */
-    ZITADEL_SERVICE_USER_ID: string;
-    /**
-     * Self hosting: The service user token
+     * The service user token
      */
     ZITADEL_SERVICE_USER_TOKEN: string;
 

diff --git a/apps/login/src/middleware.ts b/apps/login/src/middleware.ts
@@ -13,11 +13,7 @@ export const config = {
 
 export async function middleware(request: NextRequest) {
   // escape proxy if the environment is setup for multitenancy
-  if (
-    !process.env.ZITADEL_API_URL ||
-    !process.env.ZITADEL_SERVICE_USER_ID ||
-    !process.env.ZITADEL_SERVICE_USER_TOKEN
-  ) {
+  if (!process.env.ZITADEL_API_URL || !process.env.ZITADEL_SERVICE_USER_TOKEN) {
     return NextResponse.next();
   }
 
@@ -28,10 +24,6 @@ export async function middleware(request: NextRequest) {
   const instanceHost = `${serviceUrl}`.replace("https://", "");
 
   const requestHeaders = new Headers(request.headers);
-  requestHeaders.set(
-    "x-zitadel-login-client",
-    process.env.ZITADEL_SERVICE_USER_ID,
-  );
 
   // this is a workaround for the next.js server not forwarding the host header
   // requestHeaders.set("x-zitadel-forwarded", `host="${request.nextUrl.host}"`);

diff --git a/turbo.json b/turbo.json
@@ -10,7 +10,6 @@
     "SYSTEM_USER_ID",
     "SYSTEM_USER_PRIVATE_KEY",
     "ZITADEL_API_URL",
-    "ZITADEL_SERVICE_USER_ID",
     "ZITADEL_SERVICE_USER_TOKEN",
     "NEXT_PUBLIC_BASE_PATH",
     "CUSTOM_REQUEST_HEADERS"