zitadel/internal/api/grpc/app/v2beta/convert/oidc_app.go

package convert

import (
	"github.com/muhlemmer/gu"
	"google.golang.org/protobuf/types/known/durationpb"

	"github.com/zitadel/zitadel/internal/domain"
	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
	"github.com/zitadel/zitadel/internal/query"
	app "github.com/zitadel/zitadel/pkg/grpc/app/v2beta"
)

func CreateOIDCAppRequestToDomain(name, projectID string, req *app.CreateOIDCApplicationRequest) (*domain.OIDCApp, error) {
	loginVersion, loginBaseURI, err := loginVersionToDomain(req.GetLoginVersion())
	if err != nil {
		return nil, err
	}
	return &domain.OIDCApp{
		ObjectRoot: models.ObjectRoot{
			AggregateID: projectID,
		},
		AppName:                  name,
		OIDCVersion:              gu.Ptr(domain.OIDCVersionV1),
		RedirectUris:             req.GetRedirectUris(),
		ResponseTypes:            oidcResponseTypesToDomain(req.GetResponseTypes()),
		GrantTypes:               oidcGrantTypesToDomain(req.GetGrantTypes()),
		ApplicationType:          gu.Ptr(oidcApplicationTypeToDomain(req.GetAppType())),
		AuthMethodType:           gu.Ptr(oidcAuthMethodTypeToDomain(req.GetAuthMethodType())),
		PostLogoutRedirectUris:   req.GetPostLogoutRedirectUris(),
		DevMode:                  &req.DevMode,
		AccessTokenType:          gu.Ptr(oidcTokenTypeToDomain(req.GetAccessTokenType())),
		AccessTokenRoleAssertion: gu.Ptr(req.GetAccessTokenRoleAssertion()),
		IDTokenRoleAssertion:     gu.Ptr(req.GetIdTokenRoleAssertion()),
		IDTokenUserinfoAssertion: gu.Ptr(req.GetIdTokenUserinfoAssertion()),
		ClockSkew:                gu.Ptr(req.GetClockSkew().AsDuration()),
		AdditionalOrigins:        req.GetAdditionalOrigins(),
		SkipNativeAppSuccessPage: gu.Ptr(req.GetSkipNativeAppSuccessPage()),
		BackChannelLogoutURI:     gu.Ptr(req.GetBackChannelLogoutUri()),
		LoginVersion:             loginVersion,
		LoginBaseURI:             loginBaseURI,
	}, nil
}

func UpdateOIDCAppConfigRequestToDomain(appID, projectID string, app *app.UpdateOIDCApplicationConfigurationRequest) (*domain.OIDCApp, error) {
	loginVersion, loginBaseURI, err := loginVersionToDomain(app.GetLoginVersion())
	if err != nil {
		return nil, err
	}
	return &domain.OIDCApp{
		ObjectRoot: models.ObjectRoot{
			AggregateID: projectID,
		},
		AppID:                    appID,
		RedirectUris:             app.RedirectUris,
		ResponseTypes:            oidcResponseTypesToDomain(app.ResponseTypes),
		GrantTypes:               oidcGrantTypesToDomain(app.GrantTypes),
		ApplicationType:          oidcApplicationTypeToDomainPtr(app.AppType),
		AuthMethodType:           oidcAuthMethodTypeToDomainPtr(app.AuthMethodType),
		PostLogoutRedirectUris:   app.PostLogoutRedirectUris,
		DevMode:                  app.DevMode,
		AccessTokenType:          oidcTokenTypeToDomainPtr(app.AccessTokenType),
		AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,
		IDTokenRoleAssertion:     app.IdTokenRoleAssertion,
		IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,
		ClockSkew:                gu.Ptr(app.GetClockSkew().AsDuration()),
		AdditionalOrigins:        app.AdditionalOrigins,
		SkipNativeAppSuccessPage: app.SkipNativeAppSuccessPage,
		BackChannelLogoutURI:     app.BackChannelLogoutUri,
		LoginVersion:             loginVersion,
		LoginBaseURI:             loginBaseURI,
	}, nil
}

func oidcResponseTypesToDomain(responseTypes []app.OIDCResponseType) []domain.OIDCResponseType {
	if len(responseTypes) == 0 {
		return []domain.OIDCResponseType{domain.OIDCResponseTypeCode}
	}
	oidcResponseTypes := make([]domain.OIDCResponseType, len(responseTypes))
	for i, responseType := range responseTypes {
		switch responseType {
		case app.OIDCResponseType_OIDC_RESPONSE_TYPE_UNSPECIFIED:
			oidcResponseTypes[i] = domain.OIDCResponseTypeUnspecified
		case app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE:
			oidcResponseTypes[i] = domain.OIDCResponseTypeCode
		case app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN:
			oidcResponseTypes[i] = domain.OIDCResponseTypeIDToken
		case app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN:
			oidcResponseTypes[i] = domain.OIDCResponseTypeIDTokenToken
		}
	}
	return oidcResponseTypes
}

func oidcGrantTypesToDomain(grantTypes []app.OIDCGrantType) []domain.OIDCGrantType {
	if len(grantTypes) == 0 {
		return []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode}
	}
	oidcGrantTypes := make([]domain.OIDCGrantType, len(grantTypes))
	for i, grantType := range grantTypes {
		switch grantType {
		case app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE:
			oidcGrantTypes[i] = domain.OIDCGrantTypeAuthorizationCode
		case app.OIDCGrantType_OIDC_GRANT_TYPE_IMPLICIT:
			oidcGrantTypes[i] = domain.OIDCGrantTypeImplicit
		case app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN:
			oidcGrantTypes[i] = domain.OIDCGrantTypeRefreshToken
		case app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE:
			oidcGrantTypes[i] = domain.OIDCGrantTypeDeviceCode
		case app.OIDCGrantType_OIDC_GRANT_TYPE_TOKEN_EXCHANGE:
			oidcGrantTypes[i] = domain.OIDCGrantTypeTokenExchange
		}
	}
	return oidcGrantTypes
}

func oidcApplicationTypeToDomainPtr(appType *app.OIDCAppType) *domain.OIDCApplicationType {
	if appType == nil {
		return nil
	}

	res := oidcApplicationTypeToDomain(*appType)
	return &res
}

func oidcApplicationTypeToDomain(appType app.OIDCAppType) domain.OIDCApplicationType {
	switch appType {
	case app.OIDCAppType_OIDC_APP_TYPE_WEB:
		return domain.OIDCApplicationTypeWeb
	case app.OIDCAppType_OIDC_APP_TYPE_USER_AGENT:
		return domain.OIDCApplicationTypeUserAgent
	case app.OIDCAppType_OIDC_APP_TYPE_NATIVE:
		return domain.OIDCApplicationTypeNative
	}
	return domain.OIDCApplicationTypeWeb
}

func oidcAuthMethodTypeToDomainPtr(authType *app.OIDCAuthMethodType) *domain.OIDCAuthMethodType {
	if authType == nil {
		return nil
	}

	res := oidcAuthMethodTypeToDomain(*authType)
	return &res
}

func oidcAuthMethodTypeToDomain(authType app.OIDCAuthMethodType) domain.OIDCAuthMethodType {
	switch authType {
	case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC:
		return domain.OIDCAuthMethodTypeBasic
	case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST:
		return domain.OIDCAuthMethodTypePost
	case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE:
		return domain.OIDCAuthMethodTypeNone
	case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT:
		return domain.OIDCAuthMethodTypePrivateKeyJWT
	default:
		return domain.OIDCAuthMethodTypeBasic
	}
}

func oidcTokenTypeToDomainPtr(tokenType *app.OIDCTokenType) *domain.OIDCTokenType {
	if tokenType == nil {
		return nil
	}

	res := oidcTokenTypeToDomain(*tokenType)
	return &res
}

func oidcTokenTypeToDomain(tokenType app.OIDCTokenType) domain.OIDCTokenType {
	switch tokenType {
	case app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER:
		return domain.OIDCTokenTypeBearer
	case app.OIDCTokenType_OIDC_TOKEN_TYPE_JWT:
		return domain.OIDCTokenTypeJWT
	default:
		return domain.OIDCTokenTypeBearer
	}
}

func ComplianceProblemsToLocalizedMessages(complianceProblems []string) []*app.OIDCLocalizedMessage {
	converted := make([]*app.OIDCLocalizedMessage, len(complianceProblems))
	for i, p := range complianceProblems {
		converted[i] = &app.OIDCLocalizedMessage{Key: p}
	}

	return converted
}

func appOIDCConfigToPb(oidcApp *query.OIDCApp) *app.Application_OidcConfig {
	return &app.Application_OidcConfig{
		OidcConfig: &app.OIDCConfig{
			RedirectUris:             oidcApp.RedirectURIs,
			ResponseTypes:            oidcResponseTypesFromModel(oidcApp.ResponseTypes),
			GrantTypes:               oidcGrantTypesFromModel(oidcApp.GrantTypes),
			AppType:                  oidcApplicationTypeToPb(oidcApp.AppType),
			ClientId:                 oidcApp.ClientID,
			AuthMethodType:           oidcAuthMethodTypeToPb(oidcApp.AuthMethodType),
			PostLogoutRedirectUris:   oidcApp.PostLogoutRedirectURIs,
			Version:                  app.OIDCVersion_OIDC_VERSION_1_0,
			NoneCompliant:            len(oidcApp.ComplianceProblems) != 0,
			ComplianceProblems:       ComplianceProblemsToLocalizedMessages(oidcApp.ComplianceProblems),
			DevMode:                  oidcApp.IsDevMode,
			AccessTokenType:          oidcTokenTypeToPb(oidcApp.AccessTokenType),
			AccessTokenRoleAssertion: oidcApp.AssertAccessTokenRole,
			IdTokenRoleAssertion:     oidcApp.AssertIDTokenRole,
			IdTokenUserinfoAssertion: oidcApp.AssertIDTokenUserinfo,
			ClockSkew:                durationpb.New(oidcApp.ClockSkew),
			AdditionalOrigins:        oidcApp.AdditionalOrigins,
			AllowedOrigins:           oidcApp.AllowedOrigins,
			SkipNativeAppSuccessPage: oidcApp.SkipNativeAppSuccessPage,
			BackChannelLogoutUri:     oidcApp.BackChannelLogoutURI,
			LoginVersion:             loginVersionToPb(oidcApp.LoginVersion, oidcApp.LoginBaseURI),
		},
	}
}

func oidcResponseTypesFromModel(responseTypes []domain.OIDCResponseType) []app.OIDCResponseType {
	oidcResponseTypes := make([]app.OIDCResponseType, len(responseTypes))
	for i, responseType := range responseTypes {
		switch responseType {
		case domain.OIDCResponseTypeUnspecified:
			oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_UNSPECIFIED
		case domain.OIDCResponseTypeCode:
			oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE
		case domain.OIDCResponseTypeIDToken:
			oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN
		case domain.OIDCResponseTypeIDTokenToken:
			oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN
		}
	}
	return oidcResponseTypes
}

func oidcGrantTypesFromModel(grantTypes []domain.OIDCGrantType) []app.OIDCGrantType {
	oidcGrantTypes := make([]app.OIDCGrantType, len(grantTypes))
	for i, grantType := range grantTypes {
		switch grantType {
		case domain.OIDCGrantTypeAuthorizationCode:
			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE
		case domain.OIDCGrantTypeImplicit:
			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_IMPLICIT
		case domain.OIDCGrantTypeRefreshToken:
			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN
		case domain.OIDCGrantTypeDeviceCode:
			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE
		case domain.OIDCGrantTypeTokenExchange:
			oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_TOKEN_EXCHANGE
		}
	}
	return oidcGrantTypes
}

func oidcApplicationTypeToPb(appType domain.OIDCApplicationType) app.OIDCAppType {
	switch appType {
	case domain.OIDCApplicationTypeWeb:
		return app.OIDCAppType_OIDC_APP_TYPE_WEB
	case domain.OIDCApplicationTypeUserAgent:
		return app.OIDCAppType_OIDC_APP_TYPE_USER_AGENT
	case domain.OIDCApplicationTypeNative:
		return app.OIDCAppType_OIDC_APP_TYPE_NATIVE
	default:
		return app.OIDCAppType_OIDC_APP_TYPE_WEB
	}
}

func oidcAuthMethodTypeToPb(authType domain.OIDCAuthMethodType) app.OIDCAuthMethodType {
	switch authType {
	case domain.OIDCAuthMethodTypeBasic:
		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC
	case domain.OIDCAuthMethodTypePost:
		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST
	case domain.OIDCAuthMethodTypeNone:
		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE
	case domain.OIDCAuthMethodTypePrivateKeyJWT:
		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT
	default:
		return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC
	}
}

func oidcTokenTypeToPb(tokenType domain.OIDCTokenType) app.OIDCTokenType {
	switch tokenType {
	case domain.OIDCTokenTypeBearer:
		return app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER
	case domain.OIDCTokenTypeJWT:
		return app.OIDCTokenType_OIDC_TOKEN_TYPE_JWT
	default:
		return app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER
	}
}
feat: App API v2 (#10077) # Which Problems Are Solved This PR partially addresses #9450 . Specifically, it implements the resource based API for the apps. APIs for app keys ARE not part of this PR. # How the Problems Are Solved - `CreateApplication`, `PatchApplication` (update) and `RegenerateClientSecret` endpoints are now unique for all app types: API, SAML and OIDC apps. - All new endpoints have integration tests - All new endpoints are using permission checks V2 # Additional Changes - The `ListApplications` endpoint allows to do sorting (see protobuf for details) and filtering by app type (see protobuf). - SAML and OIDC update endpoint can now receive requests for partial updates # Additional Context Partially addresses #9450 2025-06-27 17:25:44 +02:00			`package convert`

			`import (`
			`"github.com/muhlemmer/gu"`
			`"google.golang.org/protobuf/types/known/durationpb"`

			`"github.com/zitadel/zitadel/internal/domain"`
			`"github.com/zitadel/zitadel/internal/eventstore/v1/models"`
			`"github.com/zitadel/zitadel/internal/query"`
			`app "github.com/zitadel/zitadel/pkg/grpc/app/v2beta"`
			`)`

			`func CreateOIDCAppRequestToDomain(name, projectID string, req app.CreateOIDCApplicationRequest) (domain.OIDCApp, error) {`
			`loginVersion, loginBaseURI, err := loginVersionToDomain(req.GetLoginVersion())`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &domain.OIDCApp{`
			`ObjectRoot: models.ObjectRoot{`
			`AggregateID: projectID,`
			`},`
			`AppName: name,`
			`OIDCVersion: gu.Ptr(domain.OIDCVersionV1),`
			`RedirectUris: req.GetRedirectUris(),`
			`ResponseTypes: oidcResponseTypesToDomain(req.GetResponseTypes()),`
			`GrantTypes: oidcGrantTypesToDomain(req.GetGrantTypes()),`
			`ApplicationType: gu.Ptr(oidcApplicationTypeToDomain(req.GetAppType())),`
			`AuthMethodType: gu.Ptr(oidcAuthMethodTypeToDomain(req.GetAuthMethodType())),`
			`PostLogoutRedirectUris: req.GetPostLogoutRedirectUris(),`
			`DevMode: &req.DevMode,`
			`AccessTokenType: gu.Ptr(oidcTokenTypeToDomain(req.GetAccessTokenType())),`
			`AccessTokenRoleAssertion: gu.Ptr(req.GetAccessTokenRoleAssertion()),`
			`IDTokenRoleAssertion: gu.Ptr(req.GetIdTokenRoleAssertion()),`
			`IDTokenUserinfoAssertion: gu.Ptr(req.GetIdTokenUserinfoAssertion()),`
			`ClockSkew: gu.Ptr(req.GetClockSkew().AsDuration()),`
			`AdditionalOrigins: req.GetAdditionalOrigins(),`
			`SkipNativeAppSuccessPage: gu.Ptr(req.GetSkipNativeAppSuccessPage()),`
			`BackChannelLogoutURI: gu.Ptr(req.GetBackChannelLogoutUri()),`
			`LoginVersion: loginVersion,`
			`LoginBaseURI: loginBaseURI,`
			`}, nil`
			`}`

			`func UpdateOIDCAppConfigRequestToDomain(appID, projectID string, app app.UpdateOIDCApplicationConfigurationRequest) (domain.OIDCApp, error) {`
			`loginVersion, loginBaseURI, err := loginVersionToDomain(app.GetLoginVersion())`
			`if err != nil {`
			`return nil, err`
			`}`
			`return &domain.OIDCApp{`
			`ObjectRoot: models.ObjectRoot{`
			`AggregateID: projectID,`
			`},`
			`AppID: appID,`
			`RedirectUris: app.RedirectUris,`
			`ResponseTypes: oidcResponseTypesToDomain(app.ResponseTypes),`
			`GrantTypes: oidcGrantTypesToDomain(app.GrantTypes),`
			`ApplicationType: oidcApplicationTypeToDomainPtr(app.AppType),`
			`AuthMethodType: oidcAuthMethodTypeToDomainPtr(app.AuthMethodType),`
			`PostLogoutRedirectUris: app.PostLogoutRedirectUris,`
			`DevMode: app.DevMode,`
			`AccessTokenType: oidcTokenTypeToDomainPtr(app.AccessTokenType),`
			`AccessTokenRoleAssertion: app.AccessTokenRoleAssertion,`
			`IDTokenRoleAssertion: app.IdTokenRoleAssertion,`
			`IDTokenUserinfoAssertion: app.IdTokenUserinfoAssertion,`
			`ClockSkew: gu.Ptr(app.GetClockSkew().AsDuration()),`
			`AdditionalOrigins: app.AdditionalOrigins,`
			`SkipNativeAppSuccessPage: app.SkipNativeAppSuccessPage,`
			`BackChannelLogoutURI: app.BackChannelLogoutUri,`
			`LoginVersion: loginVersion,`
			`LoginBaseURI: loginBaseURI,`
			`}, nil`
			`}`

			`func oidcResponseTypesToDomain(responseTypes []app.OIDCResponseType) []domain.OIDCResponseType {`
			`if len(responseTypes) == 0 {`
			`return []domain.OIDCResponseType{domain.OIDCResponseTypeCode}`
			`}`
			`oidcResponseTypes := make([]domain.OIDCResponseType, len(responseTypes))`
			`for i, responseType := range responseTypes {`
			`switch responseType {`
			`case app.OIDCResponseType_OIDC_RESPONSE_TYPE_UNSPECIFIED:`
			`oidcResponseTypes[i] = domain.OIDCResponseTypeUnspecified`
			`case app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE:`
			`oidcResponseTypes[i] = domain.OIDCResponseTypeCode`
			`case app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN:`
			`oidcResponseTypes[i] = domain.OIDCResponseTypeIDToken`
			`case app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN:`
			`oidcResponseTypes[i] = domain.OIDCResponseTypeIDTokenToken`
			`}`
			`}`
			`return oidcResponseTypes`
			`}`

			`func oidcGrantTypesToDomain(grantTypes []app.OIDCGrantType) []domain.OIDCGrantType {`
			`if len(grantTypes) == 0 {`
			`return []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode}`
			`}`
			`oidcGrantTypes := make([]domain.OIDCGrantType, len(grantTypes))`
			`for i, grantType := range grantTypes {`
			`switch grantType {`
			`case app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE:`
			`oidcGrantTypes[i] = domain.OIDCGrantTypeAuthorizationCode`
			`case app.OIDCGrantType_OIDC_GRANT_TYPE_IMPLICIT:`
			`oidcGrantTypes[i] = domain.OIDCGrantTypeImplicit`
			`case app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN:`
			`oidcGrantTypes[i] = domain.OIDCGrantTypeRefreshToken`
			`case app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE:`
			`oidcGrantTypes[i] = domain.OIDCGrantTypeDeviceCode`
			`case app.OIDCGrantType_OIDC_GRANT_TYPE_TOKEN_EXCHANGE:`
			`oidcGrantTypes[i] = domain.OIDCGrantTypeTokenExchange`
			`}`
			`}`
			`return oidcGrantTypes`
			`}`

			`func oidcApplicationTypeToDomainPtr(appType app.OIDCAppType) domain.OIDCApplicationType {`
			`if appType == nil {`
			`return nil`
			`}`

			`res := oidcApplicationTypeToDomain(*appType)`
			`return &res`
			`}`

			`func oidcApplicationTypeToDomain(appType app.OIDCAppType) domain.OIDCApplicationType {`
			`switch appType {`
			`case app.OIDCAppType_OIDC_APP_TYPE_WEB:`
			`return domain.OIDCApplicationTypeWeb`
			`case app.OIDCAppType_OIDC_APP_TYPE_USER_AGENT:`
			`return domain.OIDCApplicationTypeUserAgent`
			`case app.OIDCAppType_OIDC_APP_TYPE_NATIVE:`
			`return domain.OIDCApplicationTypeNative`
			`}`
			`return domain.OIDCApplicationTypeWeb`
			`}`

			`func oidcAuthMethodTypeToDomainPtr(authType app.OIDCAuthMethodType) domain.OIDCAuthMethodType {`
			`if authType == nil {`
			`return nil`
			`}`

			`res := oidcAuthMethodTypeToDomain(*authType)`
			`return &res`
			`}`

			`func oidcAuthMethodTypeToDomain(authType app.OIDCAuthMethodType) domain.OIDCAuthMethodType {`
			`switch authType {`
			`case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC:`
			`return domain.OIDCAuthMethodTypeBasic`
			`case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST:`
			`return domain.OIDCAuthMethodTypePost`
			`case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE:`
			`return domain.OIDCAuthMethodTypeNone`
			`case app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT:`
			`return domain.OIDCAuthMethodTypePrivateKeyJWT`
			`default:`
			`return domain.OIDCAuthMethodTypeBasic`
			`}`
			`}`

			`func oidcTokenTypeToDomainPtr(tokenType app.OIDCTokenType) domain.OIDCTokenType {`
			`if tokenType == nil {`
			`return nil`
			`}`

			`res := oidcTokenTypeToDomain(*tokenType)`
			`return &res`
			`}`

			`func oidcTokenTypeToDomain(tokenType app.OIDCTokenType) domain.OIDCTokenType {`
			`switch tokenType {`
			`case app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER:`
			`return domain.OIDCTokenTypeBearer`
			`case app.OIDCTokenType_OIDC_TOKEN_TYPE_JWT:`
			`return domain.OIDCTokenTypeJWT`
			`default:`
			`return domain.OIDCTokenTypeBearer`
			`}`
			`}`

			`func ComplianceProblemsToLocalizedMessages(complianceProblems []string) []*app.OIDCLocalizedMessage {`
			`converted := make([]*app.OIDCLocalizedMessage, len(complianceProblems))`
			`for i, p := range complianceProblems {`
			`converted[i] = &app.OIDCLocalizedMessage{Key: p}`
			`}`

			`return converted`
			`}`

			`func appOIDCConfigToPb(oidcApp query.OIDCApp) app.Application_OidcConfig {`
			`return &app.Application_OidcConfig{`
			`OidcConfig: &app.OIDCConfig{`
			`RedirectUris: oidcApp.RedirectURIs,`
			`ResponseTypes: oidcResponseTypesFromModel(oidcApp.ResponseTypes),`
			`GrantTypes: oidcGrantTypesFromModel(oidcApp.GrantTypes),`
			`AppType: oidcApplicationTypeToPb(oidcApp.AppType),`
			`ClientId: oidcApp.ClientID,`
			`AuthMethodType: oidcAuthMethodTypeToPb(oidcApp.AuthMethodType),`
			`PostLogoutRedirectUris: oidcApp.PostLogoutRedirectURIs,`
			`Version: app.OIDCVersion_OIDC_VERSION_1_0,`
			`NoneCompliant: len(oidcApp.ComplianceProblems) != 0,`
			`ComplianceProblems: ComplianceProblemsToLocalizedMessages(oidcApp.ComplianceProblems),`
			`DevMode: oidcApp.IsDevMode,`
			`AccessTokenType: oidcTokenTypeToPb(oidcApp.AccessTokenType),`
			`AccessTokenRoleAssertion: oidcApp.AssertAccessTokenRole,`
			`IdTokenRoleAssertion: oidcApp.AssertIDTokenRole,`
			`IdTokenUserinfoAssertion: oidcApp.AssertIDTokenUserinfo,`
			`ClockSkew: durationpb.New(oidcApp.ClockSkew),`
			`AdditionalOrigins: oidcApp.AdditionalOrigins,`
			`AllowedOrigins: oidcApp.AllowedOrigins,`
			`SkipNativeAppSuccessPage: oidcApp.SkipNativeAppSuccessPage,`
			`BackChannelLogoutUri: oidcApp.BackChannelLogoutURI,`
			`LoginVersion: loginVersionToPb(oidcApp.LoginVersion, oidcApp.LoginBaseURI),`
			`},`
			`}`
			`}`

			`func oidcResponseTypesFromModel(responseTypes []domain.OIDCResponseType) []app.OIDCResponseType {`
			`oidcResponseTypes := make([]app.OIDCResponseType, len(responseTypes))`
			`for i, responseType := range responseTypes {`
			`switch responseType {`
			`case domain.OIDCResponseTypeUnspecified:`
			`oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_UNSPECIFIED`
			`case domain.OIDCResponseTypeCode:`
			`oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_CODE`
			`case domain.OIDCResponseTypeIDToken:`
			`oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN`
			`case domain.OIDCResponseTypeIDTokenToken:`
			`oidcResponseTypes[i] = app.OIDCResponseType_OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN`
			`}`
			`}`
			`return oidcResponseTypes`
			`}`

			`func oidcGrantTypesFromModel(grantTypes []domain.OIDCGrantType) []app.OIDCGrantType {`
			`oidcGrantTypes := make([]app.OIDCGrantType, len(grantTypes))`
			`for i, grantType := range grantTypes {`
			`switch grantType {`
			`case domain.OIDCGrantTypeAuthorizationCode:`
			`oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_AUTHORIZATION_CODE`
			`case domain.OIDCGrantTypeImplicit:`
			`oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_IMPLICIT`
			`case domain.OIDCGrantTypeRefreshToken:`
			`oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_REFRESH_TOKEN`
			`case domain.OIDCGrantTypeDeviceCode:`
			`oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_DEVICE_CODE`
			`case domain.OIDCGrantTypeTokenExchange:`
			`oidcGrantTypes[i] = app.OIDCGrantType_OIDC_GRANT_TYPE_TOKEN_EXCHANGE`
			`}`
			`}`
			`return oidcGrantTypes`
			`}`

			`func oidcApplicationTypeToPb(appType domain.OIDCApplicationType) app.OIDCAppType {`
			`switch appType {`
			`case domain.OIDCApplicationTypeWeb:`
			`return app.OIDCAppType_OIDC_APP_TYPE_WEB`
			`case domain.OIDCApplicationTypeUserAgent:`
			`return app.OIDCAppType_OIDC_APP_TYPE_USER_AGENT`
			`case domain.OIDCApplicationTypeNative:`
			`return app.OIDCAppType_OIDC_APP_TYPE_NATIVE`
			`default:`
			`return app.OIDCAppType_OIDC_APP_TYPE_WEB`
			`}`
			`}`

			`func oidcAuthMethodTypeToPb(authType domain.OIDCAuthMethodType) app.OIDCAuthMethodType {`
			`switch authType {`
			`case domain.OIDCAuthMethodTypeBasic:`
			`return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC`
			`case domain.OIDCAuthMethodTypePost:`
			`return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_POST`
			`case domain.OIDCAuthMethodTypeNone:`
			`return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE`
			`case domain.OIDCAuthMethodTypePrivateKeyJWT:`
			`return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT`
			`default:`
			`return app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_BASIC`
			`}`
			`}`

			`func oidcTokenTypeToPb(tokenType domain.OIDCTokenType) app.OIDCTokenType {`
			`switch tokenType {`
			`case domain.OIDCTokenTypeBearer:`
			`return app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER`
			`case domain.OIDCTokenTypeJWT:`
			`return app.OIDCTokenType_OIDC_TOKEN_TYPE_JWT`
			`default:`
			`return app.OIDCTokenType_OIDC_TOKEN_TYPE_BEARER`
			`}`
			`}`