fix: add publickey endpoints

proto/zitadel/resources/user/v3alpha/authenticator.proto

@@ -26,7 +26,7 @@ message Authenticators {
   // A list of the user's one-time-password (OTP) Email authenticators.
   repeated OTPEmail otp_email = 6;
   // A list of the user's authentication keys. They can be used to authenticate e.g. by JWT Profile.
-  repeated AuthenticationKey authentication_keys = 7;
+  repeated PublicKey public_keys = 7;
   // A list of the user's linked identity providers (IDPs).
   repeated IdentityProvider identity_providers = 8;
 }
@@ -52,29 +52,6 @@ message Username {
   bool is_organization_specific = 3;
 }
 
-message SetUsername {
-  // Set the user's username. This will be used for identification during authentication.
-  string username = 1 [
-    (validate.rules).string = {min_len: 1, max_len: 200},
-    (google.api.field_behavior) = REQUIRED,
-    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
-      min_length: 1,
-      max_length: 200,
-      example: "\"gigi-giraffe\"";
-    }
-  ];
-  // By default username must be unique across all organizations in an instance.
-  // This option allow to restrict the uniqueness to the user's own organization.
-  // As a result, this username can only be used if the authentication is limited
-  // to the corresponding organization.
-  //
-  // This can be useful if you provide multiple usernames for a single user, where one
-  // if specific to your organization, e.g.:
-  // - gigi-giraffe@zitadel.com (unique across organizations)
-  // - gigi-giraffe (unique only inside the ZITADEL organization)
-  bool is_organization_specific = 2;
-}
-
 message Password {
   // States the time the password was last changed.
   google.protobuf.Timestamp last_changed = 1 [
@@ -204,16 +181,16 @@ message TOTP {
   bool is_verified = 3;
 }
 
-message AuthenticationKey {
-  // ID is the read-only unique identifier of the authentication key.
-  string authentication_key_id = 1 [
+message PublicKey {
+  // ID is the read-only unique identifier of the public key.
+  string public_key_id = 1 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
       example: "\"69629023906488334\"";
     }
   ];
   zitadel.resources.object.v3alpha.Details details = 2;
   // the file type of the key
-  AuthNKeyType type = 3 [
+  PublicKeyType type = 3 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
       example: "\"KEY_TYPE_JSON\"";
     }
@@ -226,9 +203,9 @@ message AuthenticationKey {
   ];
 }
 
-enum AuthNKeyType {
-  AUTHN_KEY_TYPE_UNSPECIFIED = 0;
-  AUTHN_KEY_TYPE_JSON = 1;
+enum PublicKeyType {
+  PUBLIC_KEY_TYPE_UNSPECIFIED = 0;
+  PUBLIC_KEY_TYPE_JSON = 1;
 }
 
 message IdentityProvider {
@@ -262,6 +239,30 @@ message IdentityProvider {
 message SetAuthenticators {
   repeated SetUsername usernames = 1;
   SetPassword password = 2;
+  SetPublicKey public_key = 3;
+}
+
+message SetUsername {
+  // Set the user's username. This will be used for identification during authentication.
+  string username = 1 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"gigi-giraffe\"";
+    }
+  ];
+  // By default username must be unique across all organizations in an instance.
+  // This option allow to restrict the uniqueness to the user's own organization.
+  // As a result, this username can only be used if the authentication is limited
+  // to the corresponding organization.
+  //
+  // This can be useful if you provide multiple usernames for a single user, where one
+  // if specific to your organization, e.g.:
+  // - gigi-giraffe@zitadel.com (unique across organizations)
+  // - gigi-giraffe (unique only inside the ZITADEL organization)
+  bool is_organization_specific = 2;
 }
 
 message SetPassword {
@@ -316,6 +317,37 @@ message SetPassword {
   }
 }
 
+message SetPublicKey {
+  // After the expiration date, the key will no longer be usable for authentication.
+  optional google.protobuf.Timestamp expiration_date = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"3019-04-01T08:45:00.000000Z\"";
+    }
+  ];
+
+  oneof type {
+    // Let ZITADEL generate the key and return the private key.
+    GeneratedKey generated_key = 2;
+    // Let ZITADEL send the link to the user via SMS.
+    ProvidedPublicKey public_key = 3;
+  }
+}
+
+message GeneratedKey {}
+message ProvidedPublicKey {
+  // Public key provided to persist.
+  bytes public_key = 2 [
+    (validate.rules).bytes = {min_len: 1, max_len: 4048},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1;
+      max_length: 4048;
+      example: "\"AAAAC3NzaC1lZDI1NTE5AAAAIGmP5kqmZFDw/FbYr+//2bC7OVSTqPqUKet8539icStf\"";
+    }
+  ];
+}
+
+
 message SendPasswordResetEmail {
   // Optionally set a url_template, which will be used in the password reset mail
   // sent by ZITADEL to guide the user to your password change page.

proto/zitadel/resources/user/v3alpha/user_service.proto

@@ -642,6 +642,57 @@ service ZITADELUsers {
     };
   }
 
+
+
+  // Add a public key
+  //
+  // Add a new public key to a user. The public key will be used to identify the user on authentication.
+  rpc AddPublicKey (AddPublicKeyRequest) returns (AddPublicKeyResponse) {
+    option (google.api.http) = {
+      post: "/resources/v3alpha/users/{id}/publickey"
+      body: "publickey"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "authenticated"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      responses: {
+        key: "200"
+        value: {
+          description: "Username successfully added";
+        }
+      };
+    };
+  }
+
+  // Remove a public key
+  //
+  // Remove an existing public key of a user, so it cannot be used for authentication anymore.
+  rpc RemovePublicKey (RemovePublicKeyRequest) returns (RemovePublicKeyResponse) {
+    option (google.api.http) = {
+      delete: "/resources/v3alpha/users/{id}/publickey/{publickey_id}"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "authenticated"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      responses: {
+        key: "200"
+        value: {
+          description: "Username successfully removed";
+        }
+      };
+    };
+  }
+
   // Start a WebAuthN registration
   //
   // Start the registration of a new WebAuthN device (e.g. Passkeys) for a user.
@@ -1645,6 +1696,74 @@ message RemovePasswordResponse {
   zitadel.resources.object.v3alpha.Details details = 1;
 }
 
+
+message AddPublicKeyRequest {
+  optional zitadel.object.v3alpha.Instance instance = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      default: "\"domain from HOST or :authority header\""
+    }
+  ];
+  // Optionally expect the user to be in this organization.
+  optional zitadel.object.v3alpha.Organization organization = 2;
+  // unique identifier of the user.
+  string id = 3 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"69629026806489455\"";
+    }
+  ];
+  // Set the user's new public key.
+  SetPublicKey public_key = 4;
+}
+
+message AddPublicKeyResponse {
+  zitadel.resources.object.v3alpha.Details details = 1;
+  // unique identifier of the public key.
+  string public_key_id = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"69629023906488334\"";
+    }
+  ];
+  bytes private_key = 3;
+}
+
+message RemovePublicKeyRequest {
+  optional zitadel.object.v3alpha.Instance instance = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      default: "\"domain from HOST or :authority header\""
+    }
+  ];
+  // Optionally expect the user to be in this organization.
+  optional zitadel.object.v3alpha.Organization organization = 2;
+  // unique identifier of the user.
+  string id = 3 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"69629026806489455\"";
+    }
+  ];
+  // unique identifier of the public key.
+  string public_key_id = 4 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"69629023906488334\"";
+    }
+  ];
+}
+
+message RemovePublicKeyResponse {
+  zitadel.resources.object.v3alpha.Details details = 1;
+}
+
 message StartWebAuthNRegistrationRequest {
   optional zitadel.object.v3alpha.Instance instance = 1 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {

proto/zitadel/resources/userschema/v3alpha/user_schema.proto

@@ -206,6 +206,6 @@ enum AuthenticatorType {
   AUTHENTICATOR_TYPE_TOTP = 4;
   AUTHENTICATOR_TYPE_OTP_EMAIL = 5;
   AUTHENTICATOR_TYPE_OTP_SMS = 6;
-  AUTHENTICATOR_TYPE_AUTHENTICATION_KEY = 7;
+  AUTHENTICATOR_TYPE_PUBLIC_KEY = 7;
   AUTHENTICATOR_TYPE_IDENTITY_PROVIDER = 8;
 }