feat: implement user schema management (#7416)

This PR adds the functionality to manage user schemas through the new user schema service. It includes the possibility to create a basic JSON schema and also provides a way on defining permissions (read, write) for owner and self context with an annotation. Further annotations for OIDC claims and SAML attribute mappings will follow. A guide on how to create a schema and assign permissions has been started. It will be extended though out the process of implementing the schema and users based on those. Note: This feature is in an early stage and therefore not enabled by default. To test it out, please enable the UserSchema feature flag on your instance / system though the feature service.
2025-08-11 21:27:42 +00:00 · 2024-03-12 14:50:13 +01:00
parent 2a39cc16f5
commit 0e181b218c
61 changed files with 3614 additions and 35 deletions
--- a/proto/zitadel/feature/v2beta/instance.proto
+++ b/proto/zitadel/feature/v2beta/instance.proto
@@ -23,13 +23,18 @@ message SetInstanceFeaturesRequest{
      description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
    }
  ];
-
  optional bool oidc_legacy_introspection = 3 [
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "true";
      description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
    }
  ];
+  optional bool user_schema = 4 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+    }
+  ];
 }

 message SetInstanceFeaturesResponse {
@@ -73,4 +78,11 @@ message GetInstanceFeaturesResponse {
      description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
    }
  ];
+
+  FeatureFlag user_schema = 5 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+    }
+  ];
 }
--- a/proto/zitadel/feature/v2beta/system.proto
+++ b/proto/zitadel/feature/v2beta/system.proto
@@ -31,6 +31,13 @@ message SetSystemFeaturesRequest{
      description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
    }
  ];
+
+  optional bool user_schema = 4 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+    }
+  ];
 }

 message SetSystemFeaturesResponse {
@@ -67,4 +74,11 @@ message GetSystemFeaturesResponse {
      description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
    }
  ];
+
+  FeatureFlag user_schema = 5 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "true";
+      description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+    }
+  ];
 }
--- a/proto/zitadel/user/schema/v3alpha/user_schema_service.proto
+++ b/proto/zitadel/user/schema/v3alpha/user_schema_service.proto
@@ -365,7 +365,7 @@ message CreateUserSchemaRequest {
  }
  // Defines the possible types of authenticators.
  repeated AuthenticatorType possible_authenticators = 3 [
-    (validate.rules).repeated = {unique: true, items: {enum: {defined_only: true}}},
+    (validate.rules).repeated = {unique: true, items: {enum: {defined_only: true, not_in: [0]}}},
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "[\"AUTHENTICATOR_TYPE_USERNAME\",\"AUTHENTICATOR_TYPE_PASSWORD\",\"AUTHENTICATOR_TYPE_WEBAUTHN\"]";
    }
@@ -407,7 +407,7 @@ message UpdateUserSchemaRequest {
  //
  // Removal of an authenticator does not remove the authenticator on a user.
  repeated AuthenticatorType possible_authenticators = 4 [
-    (validate.rules).repeated = {unique: true, items: {enum: {defined_only: true}}},
+    (validate.rules).repeated = {unique: true, items: {enum: {defined_only: true, not_in: [0]}}},
    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
      example: "[\"AUTHENTICATOR_TYPE_USERNAME\",\"AUTHENTICATOR_TYPE_PASSWORD\",\"AUTHENTICATOR_TYPE_WEBAUTHN\"]";
    }