Zitadel Implementation Status

John R. D'Orazio edited this page Apr 20, 2026 · 5 revisions

This page tracks what has been implemented and what remains to be done for the Zitadel RBAC integration.

Completed

Authentication & OIDC

  • OIDC token validation via JWKS with per-issuer keyset caching (OidcAuthMiddleware)
  • Support for both HttpOnly cookie and Authorization: Bearer header authentication
  • Role extraction from Zitadel token claims (urn:zitadel:iam:org:project:roles)
  • OIDC availability checking with 503 fallback (OidcAvailabilityMiddleware)
  • HTTPS enforcement for auth endpoints in staging/production
  • Legacy JWT authentication preserved as fallback (JwtAuthMiddleware)

Zitadel Management API

  • Full client for user management (list, search, fetch by ID) (ZitadelService)
  • Role management (grant, revoke, check, update grants)
  • Intelligent single-role revocation (preserves other roles on same grant)
  • OIDC discovery document caching (1-hour TTL)
  • Factory method for environment-based instantiation

Role Request Workflow

  • Users submit role requests via POST /auth/role-requests
  • Users view their requests via GET /auth/role-requests
  • Admins list pending requests via GET /admin/role-requests
  • Admins approve/reject via POST /admin/role-requests/{id}/approve|reject
  • Approval triggers role grant in Zitadel via Management API
  • Role revocation support (status: revoked)

Application & API Key Management

  • Developers register applications with name, description, website
  • Application approval workflow (pending → approved/rejected/revoked)
  • Resubmission of rejected applications
  • API key generation from approved applications (with requested scope)
  • API key rotation and revocation
  • Key prefix tracking for identification
  • Scope control (read/write)
  • Expiration support

Admin Features

  • List and manage users with roles
  • Revoke individual user roles
  • Approve/reject/revoke applications
  • Notification counts (pending role requests + pending applications)
  • Email verification resend

Database & Repositories

  • PostgreSQL schema with 5 migrations
  • UUID primary keys via pgcrypto
  • Repositories: RoleRequest, Application, ApiKey, PermissionRequest, CalendarPermission, AuditLog
  • Audit logging of all administrative actions with IP and user agent

Security

  • IP-based rate limiting on login endpoint
  • Argon2id password hashing
  • JWT placeholder detection in staging/production
  • CORS origin validation
  • HttpOnly cookie support with SameSite attributes

API Key Middleware & Rate Limiting

  • ApiKeyMiddleware wired into Router middleware pipeline (#515)
  • API key rate limiting enforcement (#516)

Infrastructure

  • Docker Compose setup (Zitadel, Login V2, PostgreSQL, Adminer)
  • Database initialization script with RBAC tables
  • Production security documentation

Outstanding Work

API Backend

These items have open GitHub issues:

  • #517 - Calendar-specific permission endpoints: CalendarPermissionRepository and PermissionRequestRepository are implemented, but no API endpoints exist for users to request calendar-specific permissions or for admins to manage them.

Frontend

These items have open GitHub issues on the Frontend repository: