- Add federated logout endpoint that clears Auth.js session AND ends
Zitadel SSO session via OIDC end_session endpoint
- Move sign-in page from /auth/signin to /login to avoid Auth.js
route conflict causing ERR_TOO_MANY_REDIRECTS
- Add callbackUrl to all signIn calls so users land on /dashboard
- Store id_token in session for federated logout id_token_hint
- Fix Zitadel healthcheck using binary ready command (no curl needed)
- Update post_logout_redirect_uri in setup script
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add setup-zitadel.sh: idempotent script that creates PVM project
and OIDC app via Zitadel Management API using machine user PAT
- Add machine user + PAT auto-generation to docker-compose via
FIRSTINSTANCE env vars with bind-mounted machinekey directory
- Add SMTP configuration for email sending (verification, password reset)
- Fix JWT algorithm confusion attack: restrict to RS256/384/512 only
- Add docs/TODO_SECURITY.md tracking review findings
- Update .env.example files with correct local dev URLs
- Add docker/machinekey/ to .gitignore
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Switch image to ghcr.io/zitadel/zitadel:latest (v4.x)
- Disable login v2 (LOGINV2_REQUIRED: false) to use built-in login v1
- Add curl-based healthcheck for reliable container readiness
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The previous placeholder was 33 chars. Use a proper 32-char
placeholder and note the constraint in the example.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
