feat(api): add OIDC session service (#6157)

This PR starts the OIDC implementation for the API V2 including the Implicit and Code Flow. Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Tim Möhlmann <tim+github@zitadel.com> Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 23:57:31 +00:00 · 2023-07-10 15:27:00 +02:00
parent be1fe36776
commit 14b8cf4894
69 changed files with 5948 additions and 106 deletions
--- a/internal/api/grpc/oidc/v2/oidc.go
+++ b/internal/api/grpc/oidc/v2/oidc.go
@@ -0,0 +1,204 @@
+package oidc
+
+import (
+	"context"
+
+	"github.com/zitadel/logging"
+	"github.com/zitadel/oidc/v2/pkg/op"
+	"google.golang.org/protobuf/types/known/durationpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	"github.com/zitadel/zitadel/internal/api/http"
+	"github.com/zitadel/zitadel/internal/api/oidc"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/query"
+	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2alpha"
+)
+
+func (s *Server) GetAuthRequest(ctx context.Context, req *oidc_pb.GetAuthRequestRequest) (*oidc_pb.GetAuthRequestResponse, error) {
+	authRequest, err := s.query.AuthRequestByID(ctx, true, req.GetAuthRequestId(), true)
+	if err != nil {
+		logging.WithError(err).Error("query authRequest by ID")
+		return nil, err
+	}
+	return &oidc_pb.GetAuthRequestResponse{
+		AuthRequest: authRequestToPb(authRequest),
+	}, nil
+}
+
+func authRequestToPb(a *query.AuthRequest) *oidc_pb.AuthRequest {
+	pba := &oidc_pb.AuthRequest{
+		Id:           a.ID,
+		CreationDate: timestamppb.New(a.CreationDate),
+		ClientId:     a.ClientID,
+		Scope:        a.Scope,
+		RedirectUri:  a.RedirectURI,
+		Prompt:       promptsToPb(a.Prompt),
+		UiLocales:    a.UiLocales,
+		LoginHint:    a.LoginHint,
+		HintUserId:   a.HintUserID,
+	}
+	if a.MaxAge != nil {
+		pba.MaxAge = durationpb.New(*a.MaxAge)
+	}
+	return pba
+}
+
+func promptsToPb(promps []domain.Prompt) []oidc_pb.Prompt {
+	out := make([]oidc_pb.Prompt, len(promps))
+	for i, p := range promps {
+		out[i] = promptToPb(p)
+	}
+	return out
+}
+
+func promptToPb(p domain.Prompt) oidc_pb.Prompt {
+	switch p {
+	case domain.PromptUnspecified:
+		return oidc_pb.Prompt_PROMPT_UNSPECIFIED
+	case domain.PromptNone:
+		return oidc_pb.Prompt_PROMPT_NONE
+	case domain.PromptLogin:
+		return oidc_pb.Prompt_PROMPT_LOGIN
+	case domain.PromptConsent:
+		return oidc_pb.Prompt_PROMPT_CONSENT
+	case domain.PromptSelectAccount:
+		return oidc_pb.Prompt_PROMPT_SELECT_ACCOUNT
+	case domain.PromptCreate:
+		return oidc_pb.Prompt_PROMPT_CREATE
+	default:
+		return oidc_pb.Prompt_PROMPT_UNSPECIFIED
+	}
+}
+
+func (s *Server) CreateCallback(ctx context.Context, req *oidc_pb.CreateCallbackRequest) (*oidc_pb.CreateCallbackResponse, error) {
+	switch v := req.GetCallbackKind().(type) {
+	case *oidc_pb.CreateCallbackRequest_Error:
+		return s.failAuthRequest(ctx, req.GetAuthRequestId(), v.Error)
+	case *oidc_pb.CreateCallbackRequest_Session:
+		return s.linkSessionToAuthRequest(ctx, req.GetAuthRequestId(), v.Session)
+	default:
+		return nil, errors.ThrowUnimplementedf(nil, "OIDCv2-zee7A", "verification oneOf %T in method CreateCallback not implemented", v)
+	}
+}
+
+func (s *Server) failAuthRequest(ctx context.Context, authRequestID string, ae *oidc_pb.AuthorizationError) (*oidc_pb.CreateCallbackResponse, error) {
+	details, aar, err := s.command.FailAuthRequest(ctx, authRequestID, errorReasonToDomain(ae.GetError()))
+	if err != nil {
+		return nil, err
+	}
+	authReq := &oidc.AuthRequestV2{CurrentAuthRequest: aar}
+	callback, err := oidc.CreateErrorCallbackURL(authReq, errorReasonToOIDC(ae.GetError()), ae.GetErrorDescription(), ae.GetErrorUri(), s.op)
+	if err != nil {
+		return nil, err
+	}
+	return &oidc_pb.CreateCallbackResponse{
+		Details:     object.DomainToDetailsPb(details),
+		CallbackUrl: callback,
+	}, nil
+}
+
+func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID string, session *oidc_pb.Session) (*oidc_pb.CreateCallbackResponse, error) {
+	details, aar, err := s.command.LinkSessionToAuthRequest(ctx, authRequestID, session.GetSessionId(), session.GetSessionToken(), true)
+	if err != nil {
+		return nil, err
+	}
+	authReq := &oidc.AuthRequestV2{CurrentAuthRequest: aar}
+	ctx = op.ContextWithIssuer(ctx, http.BuildOrigin(authz.GetInstance(ctx).RequestedHost(), s.externalSecure))
+	var callback string
+	if aar.ResponseType == domain.OIDCResponseTypeCode {
+		callback, err = oidc.CreateCodeCallbackURL(ctx, authReq, s.op)
+	} else {
+		callback, err = oidc.CreateTokenCallbackURL(ctx, authReq, s.op)
+	}
+	if err != nil {
+		return nil, err
+	}
+	return &oidc_pb.CreateCallbackResponse{
+		Details:     object.DomainToDetailsPb(details),
+		CallbackUrl: callback,
+	}, nil
+}
+
+func errorReasonToDomain(errorReason oidc_pb.ErrorReason) domain.OIDCErrorReason {
+	switch errorReason {
+	case oidc_pb.ErrorReason_ERROR_REASON_UNSPECIFIED:
+		return domain.OIDCErrorReasonUnspecified
+	case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST:
+		return domain.OIDCErrorReasonInvalidRequest
+	case oidc_pb.ErrorReason_ERROR_REASON_UNAUTHORIZED_CLIENT:
+		return domain.OIDCErrorReasonUnauthorizedClient
+	case oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED:
+		return domain.OIDCErrorReasonAccessDenied
+	case oidc_pb.ErrorReason_ERROR_REASON_UNSUPPORTED_RESPONSE_TYPE:
+		return domain.OIDCErrorReasonUnsupportedResponseType
+	case oidc_pb.ErrorReason_ERROR_REASON_INVALID_SCOPE:
+		return domain.OIDCErrorReasonInvalidScope
+	case oidc_pb.ErrorReason_ERROR_REASON_SERVER_ERROR:
+		return domain.OIDCErrorReasonServerError
+	case oidc_pb.ErrorReason_ERROR_REASON_TEMPORARY_UNAVAILABLE:
+		return domain.OIDCErrorReasonTemporaryUnavailable
+	case oidc_pb.ErrorReason_ERROR_REASON_INTERACTION_REQUIRED:
+		return domain.OIDCErrorReasonInteractionRequired
+	case oidc_pb.ErrorReason_ERROR_REASON_LOGIN_REQUIRED:
+		return domain.OIDCErrorReasonLoginRequired
+	case oidc_pb.ErrorReason_ERROR_REASON_ACCOUNT_SELECTION_REQUIRED:
+		return domain.OIDCErrorReasonAccountSelectionRequired
+	case oidc_pb.ErrorReason_ERROR_REASON_CONSENT_REQUIRED:
+		return domain.OIDCErrorReasonConsentRequired
+	case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_URI:
+		return domain.OIDCErrorReasonInvalidRequestURI
+	case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_OBJECT:
+		return domain.OIDCErrorReasonInvalidRequestObject
+	case oidc_pb.ErrorReason_ERROR_REASON_REQUEST_NOT_SUPPORTED:
+		return domain.OIDCErrorReasonRequestNotSupported
+	case oidc_pb.ErrorReason_ERROR_REASON_REQUEST_URI_NOT_SUPPORTED:
+		return domain.OIDCErrorReasonRequestURINotSupported
+	case oidc_pb.ErrorReason_ERROR_REASON_REGISTRATION_NOT_SUPPORTED:
+		return domain.OIDCErrorReasonRegistrationNotSupported
+	default:
+		return domain.OIDCErrorReasonUnspecified
+	}
+}
+
+func errorReasonToOIDC(reason oidc_pb.ErrorReason) string {
+	switch reason {
+	case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST:
+		return "invalid_request"
+	case oidc_pb.ErrorReason_ERROR_REASON_UNAUTHORIZED_CLIENT:
+		return "unauthorized_client"
+	case oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED:
+		return "access_denied"
+	case oidc_pb.ErrorReason_ERROR_REASON_UNSUPPORTED_RESPONSE_TYPE:
+		return "unsupported_response_type"
+	case oidc_pb.ErrorReason_ERROR_REASON_INVALID_SCOPE:
+		return "invalid_scope"
+	case oidc_pb.ErrorReason_ERROR_REASON_TEMPORARY_UNAVAILABLE:
+		return "temporarily_unavailable"
+	case oidc_pb.ErrorReason_ERROR_REASON_INTERACTION_REQUIRED:
+		return "interaction_required"
+	case oidc_pb.ErrorReason_ERROR_REASON_LOGIN_REQUIRED:
+		return "login_required"
+	case oidc_pb.ErrorReason_ERROR_REASON_ACCOUNT_SELECTION_REQUIRED:
+		return "account_selection_required"
+	case oidc_pb.ErrorReason_ERROR_REASON_CONSENT_REQUIRED:
+		return "consent_required"
+	case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_URI:
+		return "invalid_request_uri"
+	case oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_OBJECT:
+		return "invalid_request_object"
+	case oidc_pb.ErrorReason_ERROR_REASON_REQUEST_NOT_SUPPORTED:
+		return "request_not_supported"
+	case oidc_pb.ErrorReason_ERROR_REASON_REQUEST_URI_NOT_SUPPORTED:
+		return "request_uri_not_supported"
+	case oidc_pb.ErrorReason_ERROR_REASON_REGISTRATION_NOT_SUPPORTED:
+		return "registration_not_supported"
+	case oidc_pb.ErrorReason_ERROR_REASON_UNSPECIFIED, oidc_pb.ErrorReason_ERROR_REASON_SERVER_ERROR:
+		fallthrough
+	default:
+		return "server_error"
+	}
+}
--- a/internal/api/grpc/oidc/v2/oidc_integration_test.go
+++ b/internal/api/grpc/oidc/v2/oidc_integration_test.go
@@ -0,0 +1,249 @@
+//go:build integration
+
+package oidc_test
+
+import (
+	"context"
+	"net/url"
+	"os"
+	"regexp"
+	"testing"
+	"time"
+
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v2alpha"
+	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2alpha"
+	session "github.com/zitadel/zitadel/pkg/grpc/session/v2alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/user/v2alpha"
+)
+
+var (
+	CTX    context.Context
+	Tester *integration.Tester
+	Client oidc_pb.OIDCServiceClient
+	User   *user.AddHumanUserResponse
+)
+
+const (
+	redirectURI         = "oidcIntegrationTest://callback"
+	redirectURIImplicit = "http://localhost:9999/callback"
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(func() int {
+		ctx, _, cancel := integration.Contexts(5 * time.Minute)
+		defer cancel()
+
+		Tester = integration.NewTester(ctx)
+		defer Tester.Done()
+		Client = Tester.Client.OIDCv2
+
+		CTX = Tester.WithAuthorization(ctx, integration.OrgOwner)
+		User = Tester.CreateHumanUser(CTX)
+		return m.Run()
+	}())
+}
+
+func TestServer_GetAuthRequest(t *testing.T) {
+	client, err := Tester.CreateOIDCNativeClient(CTX, redirectURI)
+	require.NoError(t, err)
+	authRequestID, err := Tester.CreateOIDCAuthRequest(client.GetClientId(), Tester.Users[integration.FirstInstanceUsersKey][integration.OrgOwner].ID, redirectURI)
+	require.NoError(t, err)
+	now := time.Now()
+
+	tests := []struct {
+		name          string
+		AuthRequestID string
+		want          *oidc_pb.GetAuthRequestResponse
+		wantErr       bool
+	}{
+		{
+			name:          "Not found",
+			AuthRequestID: "123",
+			wantErr:       true,
+		},
+		{
+			name:          "success",
+			AuthRequestID: authRequestID,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.GetAuthRequest(CTX, &oidc_pb.GetAuthRequestRequest{
+				AuthRequestId: tt.AuthRequestID,
+			})
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			authRequest := got.GetAuthRequest()
+			assert.NotNil(t, authRequest)
+			assert.Equal(t, authRequestID, authRequest.GetId())
+			assert.WithinRange(t, authRequest.GetCreationDate().AsTime(), now.Add(-time.Second), now.Add(time.Second))
+			assert.Contains(t, authRequest.GetScope(), "openid")
+		})
+	}
+}
+
+func TestServer_CreateCallback(t *testing.T) {
+	client, err := Tester.CreateOIDCNativeClient(CTX, redirectURI)
+	require.NoError(t, err)
+	sessionResp, err := Tester.Client.SessionV2.CreateSession(CTX, &session.CreateSessionRequest{
+		Checks: &session.Checks{
+			User: &session.CheckUser{
+				Search: &session.CheckUser_UserId{
+					UserId: Tester.Users[integration.FirstInstanceUsersKey][integration.OrgOwner].ID,
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+
+	tests := []struct {
+		name      string
+		req       *oidc_pb.CreateCallbackRequest
+		AuthError string
+		want      *oidc_pb.CreateCallbackResponse
+		wantURL   *url.URL
+		wantErr   bool
+	}{
+		{
+			name: "Not found",
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: "123",
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: sessionResp.GetSessionToken(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "session not found",
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: func() string {
+					authRequestID, err := Tester.CreateOIDCAuthRequest(client.GetClientId(), Tester.Users[integration.FirstInstanceUsersKey][integration.OrgOwner].ID, redirectURI)
+					require.NoError(t, err)
+					return authRequestID
+				}(),
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    "foo",
+						SessionToken: "bar",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "session token invalid",
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: func() string {
+					authRequestID, err := Tester.CreateOIDCAuthRequest(client.GetClientId(), Tester.Users[integration.FirstInstanceUsersKey][integration.OrgOwner].ID, redirectURI)
+					require.NoError(t, err)
+					return authRequestID
+				}(),
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: "bar",
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "fail callback",
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: func() string {
+					authRequestID, err := Tester.CreateOIDCAuthRequest(client.GetClientId(), Tester.Users[integration.FirstInstanceUsersKey][integration.OrgOwner].ID, redirectURI)
+					require.NoError(t, err)
+					return authRequestID
+				}(),
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Error{
+					Error: &oidc_pb.AuthorizationError{
+						Error:            oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED,
+						ErrorDescription: gu.Ptr("nope"),
+						ErrorUri:         gu.Ptr("https://example.com/docs"),
+					},
+				},
+			},
+			want: &oidc_pb.CreateCallbackResponse{
+				CallbackUrl: regexp.QuoteMeta(`oidcintegrationtest://callback?error=access_denied&error_description=nope&error_uri=https%3A%2F%2Fexample.com%2Fdocs&state=state`),
+				Details: &object.Details{
+					ResourceOwner: Tester.Instance.InstanceID(),
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "code callback",
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: func() string {
+					authRequestID, err := Tester.CreateOIDCAuthRequest(client.GetClientId(), Tester.Users[integration.FirstInstanceUsersKey][integration.OrgOwner].ID, redirectURI)
+					require.NoError(t, err)
+					return authRequestID
+				}(),
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: sessionResp.GetSessionToken(),
+					},
+				},
+			},
+			want: &oidc_pb.CreateCallbackResponse{
+				CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
+				Details: &object.Details{
+					ResourceOwner: Tester.Instance.InstanceID(),
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "implicit",
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: func() string {
+					client, err := Tester.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit)
+					require.NoError(t, err)
+					authRequestID, err := Tester.CreateOIDCAuthRequestImplicit(client.GetClientId(), Tester.Users[integration.FirstInstanceUsersKey][integration.OrgOwner].ID, redirectURIImplicit)
+					require.NoError(t, err)
+					return authRequestID
+				}(),
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: sessionResp.GetSessionToken(),
+					},
+				},
+			},
+			want: &oidc_pb.CreateCallbackResponse{
+				CallbackUrl: `http:\/\/localhost:9999\/callback#access_token=(.*)&expires_in=(.*)&id_token=(.*)&state=state&token_type=Bearer`,
+				Details: &object.Details{
+					ResourceOwner: Tester.Instance.InstanceID(),
+				},
+			},
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.CreateCallback(CTX, tt.req)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+			if tt.want != nil {
+				assert.Regexp(t, regexp.MustCompile(tt.want.CallbackUrl), got.GetCallbackUrl())
+			}
+		})
+	}
+}
--- a/internal/api/grpc/oidc/v2/oidc_test.go
+++ b/internal/api/grpc/oidc/v2/oidc_test.go
@@ -0,0 +1,150 @@
+package oidc
+
+import (
+	"testing"
+	"time"
+
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/durationpb"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/query"
+	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2alpha"
+)
+
+func Test_authRequestToPb(t *testing.T) {
+	now := time.Now()
+	arg := &query.AuthRequest{
+		ID:           "authID",
+		CreationDate: now,
+		ClientID:     "clientID",
+		Scope:        []string{"a", "b", "c"},
+		RedirectURI:  "callbackURI",
+		Prompt: []domain.Prompt{
+			domain.PromptUnspecified,
+			domain.PromptNone,
+			domain.PromptLogin,
+			domain.PromptConsent,
+			domain.PromptSelectAccount,
+			domain.PromptCreate,
+			999,
+		},
+		UiLocales:  []string{"en", "fi"},
+		LoginHint:  gu.Ptr("foo@bar.com"),
+		MaxAge:     gu.Ptr(time.Minute),
+		HintUserID: gu.Ptr("userID"),
+	}
+	want := &oidc_pb.AuthRequest{
+		Id:           "authID",
+		CreationDate: timestamppb.New(now),
+		ClientId:     "clientID",
+		RedirectUri:  "callbackURI",
+		Prompt: []oidc_pb.Prompt{
+			oidc_pb.Prompt_PROMPT_UNSPECIFIED,
+			oidc_pb.Prompt_PROMPT_NONE,
+			oidc_pb.Prompt_PROMPT_LOGIN,
+			oidc_pb.Prompt_PROMPT_CONSENT,
+			oidc_pb.Prompt_PROMPT_SELECT_ACCOUNT,
+			oidc_pb.Prompt_PROMPT_CREATE,
+			oidc_pb.Prompt_PROMPT_UNSPECIFIED,
+		},
+		UiLocales:  []string{"en", "fi"},
+		Scope:      []string{"a", "b", "c"},
+		LoginHint:  gu.Ptr("foo@bar.com"),
+		MaxAge:     durationpb.New(time.Minute),
+		HintUserId: gu.Ptr("userID"),
+	}
+	got := authRequestToPb(arg)
+	if !proto.Equal(want, got) {
+		t.Errorf("authRequestToPb() =\n%v\nwant\n%v\n", got, want)
+	}
+}
+
+func Test_errorReasonToOIDC(t *testing.T) {
+	tests := []struct {
+		reason oidc_pb.ErrorReason
+		want   string
+	}{
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_UNSPECIFIED,
+			want:   "server_error",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST,
+			want:   "invalid_request",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_UNAUTHORIZED_CLIENT,
+			want:   "unauthorized_client",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED,
+			want:   "access_denied",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_UNSUPPORTED_RESPONSE_TYPE,
+			want:   "unsupported_response_type",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_INVALID_SCOPE,
+			want:   "invalid_scope",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_SERVER_ERROR,
+			want:   "server_error",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_TEMPORARY_UNAVAILABLE,
+			want:   "temporarily_unavailable",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_INTERACTION_REQUIRED,
+			want:   "interaction_required",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_LOGIN_REQUIRED,
+			want:   "login_required",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_ACCOUNT_SELECTION_REQUIRED,
+			want:   "account_selection_required",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_CONSENT_REQUIRED,
+			want:   "consent_required",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_URI,
+			want:   "invalid_request_uri",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_INVALID_REQUEST_OBJECT,
+			want:   "invalid_request_object",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_REQUEST_NOT_SUPPORTED,
+			want:   "request_not_supported",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_REQUEST_URI_NOT_SUPPORTED,
+			want:   "request_uri_not_supported",
+		},
+		{
+			reason: oidc_pb.ErrorReason_ERROR_REASON_REGISTRATION_NOT_SUPPORTED,
+			want:   "registration_not_supported",
+		},
+		{
+			reason: 99999,
+			want:   "server_error",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.reason.String(), func(t *testing.T) {
+			got := errorReasonToOIDC(tt.reason)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/internal/api/grpc/oidc/v2/server.go
+++ b/internal/api/grpc/oidc/v2/server.go
@@ -0,0 +1,59 @@
+package oidc
+
+import (
+	"github.com/zitadel/oidc/v2/pkg/op"
+	"google.golang.org/grpc"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/server"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/query"
+	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2alpha"
+)
+
+var _ oidc_pb.OIDCServiceServer = (*Server)(nil)
+
+type Server struct {
+	oidc_pb.UnimplementedOIDCServiceServer
+	command *command.Commands
+	query   *query.Queries
+
+	op             op.OpenIDProvider
+	externalSecure bool
+}
+
+type Config struct{}
+
+func CreateServer(
+	command *command.Commands,
+	query *query.Queries,
+	op op.OpenIDProvider,
+	externalSecure bool,
+) *Server {
+	return &Server{
+		command:        command,
+		query:          query,
+		op:             op,
+		externalSecure: externalSecure,
+	}
+}
+
+func (s *Server) RegisterServer(grpcServer *grpc.Server) {
+	oidc_pb.RegisterOIDCServiceServer(grpcServer, s)
+}
+
+func (s *Server) AppName() string {
+	return oidc_pb.OIDCService_ServiceDesc.ServiceName
+}
+
+func (s *Server) MethodPrefix() string {
+	return oidc_pb.OIDCService_ServiceDesc.ServiceName
+}
+
+func (s *Server) AuthMethods() authz.MethodMapping {
+	return oidc_pb.OIDCService_AuthMethods
+}
+
+func (s *Server) RegisterGateway() server.RegisterGatewayFunc {
+	return oidc_pb.RegisterOIDCServiceHandler
+}