fix: add publickey endpoints

internal/api/grpc/resources/user/v3alpha/integration_test/publickey_test.go

@@ -0,0 +1,458 @@
+//go:build integration
+
+package user_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/brianvoe/gofakeit/v6"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
+	resource_object "github.com/zitadel/zitadel/pkg/grpc/resources/object/v3alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
+)
+
+func TestServer_AddPublicKey(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want *resource_object.Details
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.AddPublicKeyRequest) error
+		req     *user.AddPublicKeyRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "publickey add, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.AddPublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PublicKey: &user.SetPublicKey{
+					Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey add, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.AddPublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PublicKey: &user.SetPublicKey{
+					Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey add, publickey empty",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.AddPublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PublicKey: &user.SetPublicKey{
+					Type: &user.SetPublicKey_PublicKey{PublicKey: &user.ProvidedPublicKey{PublicKey: []byte("")}},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey add, user not existing in org",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: "notexisting",
+					},
+				},
+				PublicKey: &user.SetPublicKey{
+					Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey add, user not existing",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.AddPublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notexisting",
+				PublicKey: &user.SetPublicKey{
+					Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey add, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PublicKey: &user.SetPublicKey{
+					Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "publickey add, no org, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPublicKeyRequest{
+				PublicKey: &user.SetPublicKey{
+					Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "publickey add, expirationdate, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PublicKey: &user.SetPublicKey{
+					Type: &user.SetPublicKey_PublicKey{PublicKey: &user.ProvidedPublicKey{PublicKey: []byte(gofakeit.BitcoinPrivateKey())}},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "publickey add, generated, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.AddPublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.AddPublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PublicKey: &user.SetPublicKey{
+					Type: &user.SetPublicKey_GeneratedKey{GeneratedKey: &user.GeneratedKey{}},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				assert.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.AddPublicKey(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+		})
+	}
+}
+
+func TestServer_DeletePublicKey(t *testing.T) {
+	t.Parallel()
+	instance := integration.NewInstance(CTX)
+	ensureFeatureEnabled(t, instance)
+	isolatedIAMOwnerCTX := instance.WithAuthorization(CTX, integration.UserTypeIAMOwner)
+
+	schema := []byte(`{
+		"$schema": "urn:zitadel:schema:v1",
+			"type": "object",
+			"properties": {
+			"name": {
+				"type": "string"
+			}
+		}
+	}`)
+	schemaResp := instance.CreateUserSchema(isolatedIAMOwnerCTX, schema)
+	orgResp := instance.CreateOrganization(isolatedIAMOwnerCTX, gofakeit.Name(), gofakeit.Email())
+
+	type res struct {
+		want *resource_object.Details
+	}
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		dep     func(req *user.RemovePublicKeyRequest) error
+		req     *user.RemovePublicKeyRequest
+		res     res
+		wantErr bool
+	}{
+		{
+			name: "publickey delete, no context",
+			ctx:  context.Background(),
+			dep: func(req *user.RemovePublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				publickeyResp := instance.AddAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), userResp.GetDetails().GetId(), []byte(gofakeit.BitcoinPrivateKey()))
+				req.PublicKeyId = publickeyResp.GetPublicKeyId()
+				return nil
+			},
+			req: &user.RemovePublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey delete, no permission",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			dep: func(req *user.RemovePublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				publickeyResp := instance.AddAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), userResp.GetDetails().GetId(), []byte(gofakeit.BitcoinPrivateKey()))
+				req.PublicKeyId = publickeyResp.GetPublicKeyId()
+				return nil
+			},
+			req: &user.RemovePublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey remove, id empty",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			req: &user.RemovePublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PublicKeyId: "notempty",
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey delete, userid empty",
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			req: &user.RemovePublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				Id: "notempty",
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey remove, not existing",
+			ctx:  isolatedIAMOwnerCTX,
+			req: &user.RemovePublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+				PublicKeyId: "notempty",
+				Id:          "notexisting",
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey remove, no publickey",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.RemovePublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				return nil
+			},
+			req: &user.RemovePublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "publickey remove, ok",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.RemovePublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				publickeyResp := instance.AddAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), userResp.GetDetails().GetId(), []byte(gofakeit.BitcoinPrivateKey()))
+				req.PublicKeyId = publickeyResp.GetPublicKeyId()
+				return nil
+			},
+			req: &user.RemovePublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			res: res{
+				want: &resource_object.Details{
+					Changed: timestamppb.Now(),
+					Owner: &object.Owner{
+						Type: object.OwnerType_OWNER_TYPE_ORG,
+						Id:   orgResp.GetOrganizationId(),
+					},
+				},
+			},
+		},
+		{
+			name: "publickey remove, already removed",
+			ctx:  isolatedIAMOwnerCTX,
+			dep: func(req *user.RemovePublicKeyRequest) error {
+				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
+				req.Id = userResp.GetDetails().GetId()
+				resp := instance.AddAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, []byte(gofakeit.BitcoinPrivateKey()))
+				req.PublicKeyId = resp.GetPublicKeyId()
+				instance.RemoveAuthenticatorPublicKey(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), req.Id, req.PublicKeyId)
+				return nil
+			},
+			req: &user.RemovePublicKeyRequest{
+				Organization: &object.Organization{
+					Property: &object.Organization_OrgId{
+						OrgId: orgResp.GetOrganizationId(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if tt.dep != nil {
+				err := tt.dep(tt.req)
+				assert.NoError(t, err)
+			}
+			got, err := instance.Client.UserV3Alpha.RemovePublicKey(tt.ctx, tt.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+
+			}
+			assert.NoError(t, err)
+			integration.AssertResourceDetails(t, tt.res.want, got.Details)
+
+		})
+	}
+}

internal/api/grpc/resources/user/v3alpha/publickey.go

@@ -0,0 +1,47 @@
+package user
+
+import (
+	"context"
+
+	resource_object "github.com/zitadel/zitadel/internal/api/grpc/resources/object/v3alpha"
+	"github.com/zitadel/zitadel/internal/command"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v3alpha"
+	user "github.com/zitadel/zitadel/pkg/grpc/resources/user/v3alpha"
+)
+
+func (s *Server) AddPublicKey(ctx context.Context, req *user.AddPublicKeyRequest) (_ *user.AddPublicKeyResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	pk := addPublicKeyRequestToAddPublicKey(req)
+	details, err := s.command.AddPublicKey(ctx, pk)
+	if err != nil {
+		return nil, err
+	}
+	return &user.AddPublicKeyResponse{
+		Details:     resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+		PublicKeyId: details.ID,
+		PrivateKey:  pk.PrivateKey,
+	}, nil
+}
+
+func addPublicKeyRequestToAddPublicKey(req *user.AddPublicKeyRequest) *command.AddPublicKey {
+	return &command.AddPublicKey{
+		ResourceOwner: organizationToUpdateResourceOwner(req.Organization),
+		UserID:        req.GetId(),
+		PublicKey:     req.GetPublicKey().GetPublicKey().GetPublicKey(),
+	}
+}
+
+func (s *Server) RemovePublicKey(ctx context.Context, req *user.RemovePublicKeyRequest) (_ *user.RemovePublicKeyResponse, err error) {
+	if err := checkUserSchemaEnabled(ctx); err != nil {
+		return nil, err
+	}
+	details, err := s.command.DeletePublicKey(ctx, organizationToUpdateResourceOwner(req.Organization), req.GetId(), req.GetPublicKeyId())
+	if err != nil {
+		return nil, err
+	}
+	return &user.RemovePublicKeyResponse{
+		Details: resource_object.DomainToDetailsPb(details, object.OwnerType_OWNER_TYPE_ORG, details.ResourceOwner),
+	}, nil
+}

internal/api/grpc/resources/userschema/v3alpha/query.go

@@ -146,8 +146,8 @@ func authenticatorTypeToPb(authenticator domain.AuthenticatorType) schema.Authen
 		return schema.AuthenticatorType_AUTHENTICATOR_TYPE_OTP_EMAIL
 	case domain.AuthenticatorTypeOTPSMS:
 		return schema.AuthenticatorType_AUTHENTICATOR_TYPE_OTP_SMS
-	case domain.AuthenticatorTypeAuthenticationKey:
+	case domain.AuthenticatorTypePublicKey:
-		return schema.AuthenticatorType_AUTHENTICATOR_TYPE_AUTHENTICATION_KEY
+		return schema.AuthenticatorType_AUTHENTICATOR_TYPE_PUBLIC_KEY
 	case domain.AuthenticatorTypeIdentityProvider:
 		return schema.AuthenticatorType_AUTHENTICATOR_TYPE_IDENTITY_PROVIDER
 	case domain.AuthenticatorTypeUnspecified:

internal/api/grpc/resources/userschema/v3alpha/userschema.go

@@ -149,8 +149,8 @@ func authenticatorTypeToDomain(authenticator schema.AuthenticatorType) domain.Au
 		return domain.AuthenticatorTypeOTPEmail
 	case schema.AuthenticatorType_AUTHENTICATOR_TYPE_OTP_SMS:
 		return domain.AuthenticatorTypeOTPSMS
-	case schema.AuthenticatorType_AUTHENTICATOR_TYPE_AUTHENTICATION_KEY:
+	case schema.AuthenticatorType_AUTHENTICATOR_TYPE_PUBLIC_KEY:
-		return domain.AuthenticatorTypeAuthenticationKey
+		return domain.AuthenticatorTypePublicKey
 	case schema.AuthenticatorType_AUTHENTICATOR_TYPE_IDENTITY_PROVIDER:
 		return domain.AuthenticatorTypeIdentityProvider
 	default:

internal/command/user_v3.go

@@ -207,3 +207,14 @@ func existingSchema(ctx context.Context, c *Commands, resourceOwner, id string)
 	}
 	return writeModel, nil
 }
+
+func existingSchemaWithAuthenticator(ctx context.Context, c *Commands, resourceOwner, id string, authenticator domain.AuthenticatorType) (*UserSchemaWriteModel, error) {
+	writeModel, err := c.getSchemaWriteModelByID(ctx, resourceOwner, id)
+	if err != nil {
+		return nil, err
+	}
+	if !writeModel.Exists() {
+		return nil, zerrors.ThrowNotFound(nil, "COMMAND-VLDTtxT3If", "Errors.UserSchema.NotExists")
+	}
+	return writeModel, nil
+}

internal/command/user_v3_publickey.go

@@ -0,0 +1,99 @@
+package command
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+type AddPublicKey struct {
+	ResourceOwner string
+	UserID        string
+
+	ExpirationDate time.Time
+	PublicKey      []byte
+	PrivateKey     []byte
+}
+
+func (wm *AddPublicKey) GetExpirationDate() time.Time {
+	return wm.ExpirationDate
+}
+
+func (wm *AddPublicKey) SetExpirationDate(date time.Time) {
+	wm.ExpirationDate = date
+}
+
+func (wm *AddPublicKey) SetPublicKey(data []byte) {
+	wm.PublicKey = data
+}
+
+func (wm *AddPublicKey) SetPrivateKey(data []byte) {
+	wm.PrivateKey = data
+}
+
+func (c *Commands) AddPublicKey(ctx context.Context, pk *AddPublicKey) (*domain.ObjectDetails, error) {
+	if pk.UserID == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-14sGR7lTaj", "Errors.IDMissing")
+	}
+	schemauser, err := existingSchemaUser(ctx, c, pk.ResourceOwner, pk.UserID)
+	if err != nil {
+		return nil, err
+	}
+
+	_, err = existingSchema(ctx, c, "", schemauser.SchemaID)
+	if err != nil {
+		return nil, err
+	}
+	// TODO check for possible authenticators
+
+	id, err := c.idGenerator.Next()
+	if err != nil {
+		return nil, err
+	}
+	writeModel, err := c.getSchemaPublicKeyWM(ctx, schemauser.ResourceOwner, schemauser.AggregateID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(pk.PublicKey) == 0 {
+		if err := domain.SetNewAuthNKeyPair(pk, c.machineKeySize); err != nil {
+			return nil, err
+		}
+	}
+
+	events, err := writeModel.NewCreate(ctx, pk.ExpirationDate, pk.PublicKey)
+	if err != nil {
+		return nil, err
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
+
+func (c *Commands) DeletePublicKey(ctx context.Context, resourceOwner, userID, id string) (*domain.ObjectDetails, error) {
+	if userID == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-hzqeAXW1qP", "Errors.IDMissing")
+	}
+	if id == "" {
+		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-BNNYJz6Yxt", "Errors.IDMissing")
+	}
+
+	writeModel, err := c.getSchemaPublicKeyWM(ctx, resourceOwner, userID, id)
+	if err != nil {
+		return nil, err
+	}
+
+	events, err := writeModel.NewDelete(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
+}
+
+func (c *Commands) getSchemaPublicKeyWM(ctx context.Context, resourceOwner, userID, id string) (*PublicKeyV3WriteModel, error) {
+	writeModel := NewPublicKeyV3WriteModel(resourceOwner, userID, id, c.checkPermission)
+	if err := c.eventstore.FilterToQueryReducer(ctx, writeModel); err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}

internal/command/user_v3_publickey_model.go

@@ -0,0 +1,127 @@
+package command
+
+import (
+	"context"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/repository/user/authenticator"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+type PublicKeyV3WriteModel struct {
+	eventstore.WriteModel
+	UserID         string
+	ExpirationDate time.Time
+	PrivateKey     []byte
+	PublicKey      []byte
+
+	checkPermission domain.PermissionCheck
+}
+
+func (wm *PublicKeyV3WriteModel) GetWriteModel() *eventstore.WriteModel {
+	return &wm.WriteModel
+}
+
+func NewPublicKeyV3WriteModel(resourceOwner, userID, id string, checkPermission domain.PermissionCheck) *PublicKeyV3WriteModel {
+	return &PublicKeyV3WriteModel{
+		WriteModel: eventstore.WriteModel{
+			AggregateID:   id,
+			ResourceOwner: resourceOwner,
+		},
+		UserID:          userID,
+		checkPermission: checkPermission,
+	}
+}
+
+func (wm *PublicKeyV3WriteModel) Reduce() error {
+	for _, event := range wm.Events {
+		switch e := event.(type) {
+		case *authenticator.PublicKeyCreatedEvent:
+			if e.UserID != wm.UserID {
+				continue
+			}
+			wm.UserID = e.UserID
+			wm.PublicKey = e.PublicKey
+			wm.ExpirationDate = e.ExpirationDate
+		case *authenticator.PublicKeyDeletedEvent:
+			wm.UserID = ""
+			wm.PublicKey = nil
+			wm.ExpirationDate = time.Time{}
+		}
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *PublicKeyV3WriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent).
+		ResourceOwner(wm.ResourceOwner).
+		AddQuery().
+		AggregateTypes(authenticator.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		EventTypes(
+			authenticator.PublicKeyCreatedType,
+			authenticator.PublicKeyDeletedType,
+		).Builder()
+}
+
+func (wm *PublicKeyV3WriteModel) checkPermissionWrite(ctx context.Context) error {
+	if wm.UserID == authz.GetCtxData(ctx).UserID {
+		return nil
+	}
+	if err := wm.checkPermission(ctx, domain.PermissionUserWrite, wm.ResourceOwner, wm.UserID); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (wm *PublicKeyV3WriteModel) NewCreate(
+	ctx context.Context,
+	expirationDate time.Time,
+	publicKey []byte,
+) ([]eventstore.Command, error) {
+	if err := wm.NotExists(); err != nil {
+		return nil, err
+	}
+	if err := wm.checkPermissionWrite(ctx); err != nil {
+		return nil, err
+	}
+	return []eventstore.Command{
+		authenticator.NewPublicKeyCreatedEvent(ctx,
+			AuthenticatorAggregateFromWriteModel(wm.GetWriteModel()),
+			wm.UserID,
+			expirationDate,
+			publicKey,
+		),
+	}, nil
+}
+
+func (wm *PublicKeyV3WriteModel) NewDelete(ctx context.Context) ([]eventstore.Command, error) {
+	if err := wm.Exists(); err != nil {
+		return nil, err
+	}
+	if err := wm.checkPermissionWrite(ctx); err != nil {
+		return nil, err
+	}
+	return []eventstore.Command{
+		authenticator.NewPublicKeyDeletedEvent(ctx,
+			AuthenticatorAggregateFromWriteModel(wm.GetWriteModel()),
+		),
+	}, nil
+}
+
+func (wm *PublicKeyV3WriteModel) Exists() error {
+	if len(wm.PublicKey) == 0 {
+		return zerrors.ThrowNotFound(nil, "TODO", "TODO")
+	}
+	return nil
+}
+
+func (wm *PublicKeyV3WriteModel) NotExists() error {
+	if err := wm.Exists(); err != nil {
+		return nil
+	}
+	return zerrors.ThrowAlreadyExists(nil, "TODO", "TODO")
+}

internal/command/user_v3_publickey_test.go

@@ -0,0 +1,395 @@
+package command
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/id/mock"
+	"github.com/zitadel/zitadel/internal/repository/user/authenticator"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+func filterPublicKeyExisting() expect {
+	return expectFilter(
+		eventFromEventPusher(
+			authenticator.NewPublicKeyCreatedEvent(
+				context.Background(),
+				&authenticator.NewAggregate("pk1", "org1").Aggregate,
+				"user1",
+				time.Time{},
+				[]byte("something"),
+			),
+		),
+	)
+}
+
+func TestCommands_AddPublicKey(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		idGenerator     id.Generator
+		checkPermission domain.PermissionCheck
+	}
+	type args struct {
+		ctx  context.Context
+		user *AddPublicKey
+	}
+	type res struct {
+		details *domain.ObjectDetails
+		err     func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:  authz.NewMockContext("instanceID", "", ""),
+				user: &AddPublicKey{},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-14sGR7lTaj", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"user not existing, error",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPublicKey{
+					UserID: "notexisting",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-syHyCsGmvM", "Errors.User.NotFound"))
+				},
+			},
+		},
+		{
+			"no permission, error",
+			fields{
+				eventstore: expectEventstore(
+					filterSchemaUserExisting(),
+					filterSchemaExisting(),
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+				idGenerator:     mock.ExpectID(t, "pk1"),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPublicKey{
+					UserID:    "user1",
+					PublicKey: []byte("something"),
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"userschema not existing, error",
+			fields{
+				eventstore: expectEventstore(
+					filterSchemaUserExisting(),
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPublicKey{
+					UserID: "user1",
+				},
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "COMMAND-VLDTtxT3If", "Errors.UserSchema.NotExists"))
+				},
+			},
+		},
+		{
+			"publickey added, ok",
+			fields{
+				eventstore: expectEventstore(
+					filterSchemaUserExisting(),
+					filterSchemaExisting(),
+					expectFilter(),
+					expectPush(
+						authenticator.NewPublicKeyCreatedEvent(
+							context.Background(),
+							&authenticator.NewAggregate("pk1", "org1").Aggregate,
+							"user1",
+							time.Time{},
+							[]byte("something"),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				idGenerator:     mock.ExpectID(t, "pk1"),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPublicKey{
+					UserID:    "user1",
+					PublicKey: []byte("something"),
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+		{
+			"publickey added, expirationdate, ok",
+			fields{
+				eventstore: expectEventstore(
+					filterSchemaUserExisting(),
+					filterSchemaExisting(),
+					expectFilter(),
+					expectPush(
+						authenticator.NewPublicKeyCreatedEvent(
+							context.Background(),
+							&authenticator.NewAggregate("pk1", "org1").Aggregate,
+							"user1",
+							time.Date(2024, time.January, 1, 1, 1, 1, 1, time.UTC),
+							[]byte("something"),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+				idGenerator:     mock.ExpectID(t, "pk1"),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				user: &AddPublicKey{
+					UserID:         "user1",
+					PublicKey:      []byte("something"),
+					ExpirationDate: time.Date(2024, time.January, 1, 1, 1, 1, 1, time.UTC),
+				},
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				idGenerator:     tt.fields.idGenerator,
+				checkPermission: tt.fields.checkPermission,
+			}
+			details, err := c.AddPublicKey(tt.args.ctx, tt.args.user)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+			}
+		})
+	}
+}
+
+func TestCommands_DeletePublicKey(t *testing.T) {
+	type fields struct {
+		eventstore      func(t *testing.T) *eventstore.Eventstore
+		checkPermission domain.PermissionCheck
+	}
+	type args struct {
+		ctx           context.Context
+		resourceOwner string
+		userID        string
+		id            string
+	}
+	type res struct {
+		details *domain.ObjectDetails
+		err     func(error) bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"no userID, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx: authz.NewMockContext("instanceID", "", ""),
+				id:  "",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-hzqeAXW1qP", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"no ID, error",
+			fields{
+				eventstore:      expectEventstore(),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowInvalidArgument(nil, "COMMAND-BNNYJz6Yxt", "Errors.IDMissing"))
+				},
+			},
+		},
+		{
+			"pk not existing, error",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "notexisting",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "TODO", "TODO"))
+				},
+			},
+		},
+		{
+			"pk already removed, error",
+			fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							authenticator.NewPublicKeyCreatedEvent(
+								context.Background(),
+								&authenticator.NewAggregate("pk1", "org1").Aggregate,
+								"user1",
+								time.Time{},
+								[]byte("something"),
+							),
+						),
+						eventFromEventPusher(
+							authenticator.NewPublicKeyDeletedEvent(
+								context.Background(),
+								&authenticator.NewAggregate("pk1", "org1").Aggregate,
+							),
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "notexisting",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowNotFound(nil, "TODO", "TODO"))
+				},
+			},
+		},
+		{
+			"no permission, error",
+			fields{
+				eventstore: expectEventstore(
+					filterPublicKeyExisting(),
+				),
+				checkPermission: newMockPermissionCheckNotAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "pk1",
+			},
+			res{
+				err: func(err error) bool {
+					return errors.Is(err, zerrors.ThrowPermissionDenied(nil, "AUTHZ-HKJD33", "Errors.PermissionDenied"))
+				},
+			},
+		},
+		{
+			"pk removed, ok",
+			fields{
+				eventstore: expectEventstore(
+					filterPublicKeyExisting(),
+					expectPush(
+						authenticator.NewPublicKeyDeletedEvent(
+							context.Background(),
+							&authenticator.NewAggregate("pk1", "org1").Aggregate,
+						),
+					),
+				),
+				checkPermission: newMockPermissionCheckAllowed(),
+			},
+			args{
+				ctx:    authz.NewMockContext("instanceID", "", ""),
+				userID: "user1",
+				id:     "pk1",
+			},
+			res{
+				details: &domain.ObjectDetails{
+					ResourceOwner: "org1",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Commands{
+				eventstore:      tt.fields.eventstore(t),
+				checkPermission: tt.fields.checkPermission,
+			}
+			details, err := c.DeletePublicKey(tt.args.ctx, tt.args.resourceOwner, tt.args.userID, tt.args.id)
+			if tt.res.err == nil {
+				assert.NoError(t, err)
+			}
+			if tt.res.err != nil && !tt.res.err(err) {
+				t.Errorf("got wrong err: %v ", err)
+			}
+			if tt.res.err == nil {
+				assertObjectDetails(t, tt.res.details, details)
+			}
+		})
+	}
+}

internal/command/user_v3_username.go

@@ -38,7 +38,6 @@ func (c *Commands) AddUsername(ctx context.Context, username *AddUsername) (*dom
 	if err != nil {
 		return nil, err
 	}
-
 	events, err := writeModel.NewCreate(ctx, username.IsOrgSpecific, username.Username)
 	if err != nil {
 		return nil, err
@@ -46,7 +45,7 @@ func (c *Commands) AddUsername(ctx context.Context, username *AddUsername) (*dom
 	return c.pushAppendAndReduceDetails(ctx, writeModel, events...)
 }
 
-func (c *Commands) DeleteUsername(ctx context.Context, resourceOwner, userID, id string) (_ *domain.ObjectDetails, err error) {
+func (c *Commands) DeleteUsername(ctx context.Context, resourceOwner, userID, id string) (*domain.ObjectDetails, error) {
 	if userID == "" {
 		return nil, zerrors.ThrowInvalidArgument(nil, "COMMAND-J6ybG5WZiy", "Errors.IDMissing")
 	}
@@ -58,7 +57,6 @@ func (c *Commands) DeleteUsername(ctx context.Context, resourceOwner, userID, id
 	if err != nil {
 		return nil, err
 	}
-
 	events, err := writeModel.NewDelete(ctx)
 	if err != nil {
 		return nil, err

internal/domain/user_schema.go

@@ -20,7 +20,7 @@ const (
 	AuthenticatorTypeTOTP
 	AuthenticatorTypeOTPEmail
 	AuthenticatorTypeOTPSMS
-	AuthenticatorTypeAuthenticationKey
+	AuthenticatorTypePublicKey
 	AuthenticatorTypeIdentityProvider
 	authenticatorTypeCount
 )

internal/integration/client.go

@@ -830,6 +830,30 @@ func (i *Instance) RemoveAuthenticatorPassword(ctx context.Context, orgID string
 	return user
 }
 
+func (i *Instance) AddAuthenticatorPublicKey(ctx context.Context, orgID string, userID string, pk []byte) *user_v3alpha.AddPublicKeyResponse {
+	user, err := i.Client.UserV3Alpha.AddPublicKey(ctx, &user_v3alpha.AddPublicKeyRequest{
+		Organization: &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}},
+		Id:           userID,
+		PublicKey: &user_v3alpha.SetPublicKey{
+			Type: &user_v3alpha.SetPublicKey_PublicKey{PublicKey: &user_v3alpha.ProvidedPublicKey{
+				PublicKey: pk,
+			}},
+		},
+	})
+	logging.OnError(err).Fatal("create pk")
+	return user
+}
+
+func (i *Instance) RemoveAuthenticatorPublicKey(ctx context.Context, orgID string, userid, id string) *user_v3alpha.RemovePublicKeyResponse {
+	user, err := i.Client.UserV3Alpha.RemovePublicKey(ctx, &user_v3alpha.RemovePublicKeyRequest{
+		Organization: &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}},
+		Id:           userid,
+		PublicKeyId:  id,
+	})
+	logging.OnError(err).Fatal("remove pk")
+	return user
+}
+
 func (i *Instance) UpdateSchemaUserEmail(ctx context.Context, orgID string, userID string, email string) *user_v3alpha.SetContactEmailResponse {
 	user, err := i.Client.UserV3Alpha.SetContactEmail(ctx, &user_v3alpha.SetContactEmailRequest{
 		Organization: &object_v3alpha.Organization{Property: &object_v3alpha.Organization_OrgId{OrgId: orgID}},

proto/zitadel/resources/user/v3alpha/authenticator.proto

@@ -26,7 +26,7 @@ message Authenticators {
   // A list of the user's one-time-password (OTP) Email authenticators.
   repeated OTPEmail otp_email = 6;
   // A list of the user's authentication keys. They can be used to authenticate e.g. by JWT Profile.
-  repeated AuthenticationKey authentication_keys = 7;
+  repeated PublicKey public_keys = 7;
   // A list of the user's linked identity providers (IDPs).
   repeated IdentityProvider identity_providers = 8;
 }
@@ -52,29 +52,6 @@ message Username {
   bool is_organization_specific = 3;
 }
 
-message SetUsername {
-  // Set the user's username. This will be used for identification during authentication.
-  string username = 1 [
-    (validate.rules).string = {min_len: 1, max_len: 200},
-    (google.api.field_behavior) = REQUIRED,
-    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
-      min_length: 1,
-      max_length: 200,
-      example: "\"gigi-giraffe\"";
-    }
-  ];
-  // By default username must be unique across all organizations in an instance.
-  // This option allow to restrict the uniqueness to the user's own organization.
-  // As a result, this username can only be used if the authentication is limited
-  // to the corresponding organization.
-  //
-  // This can be useful if you provide multiple usernames for a single user, where one
-  // if specific to your organization, e.g.:
-  // - gigi-giraffe@zitadel.com (unique across organizations)
-  // - gigi-giraffe (unique only inside the ZITADEL organization)
-  bool is_organization_specific = 2;
-}
-
 message Password {
   // States the time the password was last changed.
   google.protobuf.Timestamp last_changed = 1 [
@@ -204,16 +181,16 @@ message TOTP {
   bool is_verified = 3;
 }
 
-message AuthenticationKey {
+message PublicKey {
-  // ID is the read-only unique identifier of the authentication key.
+  // ID is the read-only unique identifier of the public key.
-  string authentication_key_id = 1 [
+  string public_key_id = 1 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
       example: "\"69629023906488334\"";
     }
   ];
   zitadel.resources.object.v3alpha.Details details = 2;
   // the file type of the key
-  AuthNKeyType type = 3 [
+  PublicKeyType type = 3 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
       example: "\"KEY_TYPE_JSON\"";
     }
@@ -226,9 +203,9 @@ message AuthenticationKey {
   ];
 }
 
-enum AuthNKeyType {
+enum PublicKeyType {
-  AUTHN_KEY_TYPE_UNSPECIFIED = 0;
+  PUBLIC_KEY_TYPE_UNSPECIFIED = 0;
-  AUTHN_KEY_TYPE_JSON = 1;
+  PUBLIC_KEY_TYPE_JSON = 1;
 }
 
 message IdentityProvider {
@@ -262,6 +239,30 @@ message IdentityProvider {
 message SetAuthenticators {
   repeated SetUsername usernames = 1;
   SetPassword password = 2;
+  SetPublicKey public_key = 3;
+}
+
+message SetUsername {
+  // Set the user's username. This will be used for identification during authentication.
+  string username = 1 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"gigi-giraffe\"";
+    }
+  ];
+  // By default username must be unique across all organizations in an instance.
+  // This option allow to restrict the uniqueness to the user's own organization.
+  // As a result, this username can only be used if the authentication is limited
+  // to the corresponding organization.
+  //
+  // This can be useful if you provide multiple usernames for a single user, where one
+  // if specific to your organization, e.g.:
+  // - gigi-giraffe@zitadel.com (unique across organizations)
+  // - gigi-giraffe (unique only inside the ZITADEL organization)
+  bool is_organization_specific = 2;
 }
 
 message SetPassword {
@@ -316,6 +317,37 @@ message SetPassword {
   }
 }
 
+message SetPublicKey {
+  // After the expiration date, the key will no longer be usable for authentication.
+  optional google.protobuf.Timestamp expiration_date = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"3019-04-01T08:45:00.000000Z\"";
+    }
+  ];
+
+  oneof type {
+    // Let ZITADEL generate the key and return the private key.
+    GeneratedKey generated_key = 2;
+    // Let ZITADEL send the link to the user via SMS.
+    ProvidedPublicKey public_key = 3;
+  }
+}
+
+message GeneratedKey {}
+message ProvidedPublicKey {
+  // Public key provided to persist.
+  bytes public_key = 2 [
+    (validate.rules).bytes = {min_len: 1, max_len: 4048},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1;
+      max_length: 4048;
+      example: "\"AAAAC3NzaC1lZDI1NTE5AAAAIGmP5kqmZFDw/FbYr+//2bC7OVSTqPqUKet8539icStf\"";
+    }
+  ];
+}
+
+
 message SendPasswordResetEmail {
   // Optionally set a url_template, which will be used in the password reset mail
   // sent by ZITADEL to guide the user to your password change page.

proto/zitadel/resources/user/v3alpha/user_service.proto

@@ -642,6 +642,57 @@ service ZITADELUsers {
     };
   }
 
+
+
+  // Add a public key
+  //
+  // Add a new public key to a user. The public key will be used to identify the user on authentication.
+  rpc AddPublicKey (AddPublicKeyRequest) returns (AddPublicKeyResponse) {
+    option (google.api.http) = {
+      post: "/resources/v3alpha/users/{id}/publickey"
+      body: "publickey"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "authenticated"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      responses: {
+        key: "200"
+        value: {
+          description: "Username successfully added";
+        }
+      };
+    };
+  }
+
+  // Remove a public key
+  //
+  // Remove an existing public key of a user, so it cannot be used for authentication anymore.
+  rpc RemovePublicKey (RemovePublicKeyRequest) returns (RemovePublicKeyResponse) {
+    option (google.api.http) = {
+      delete: "/resources/v3alpha/users/{id}/publickey/{publickey_id}"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "authenticated"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      responses: {
+        key: "200"
+        value: {
+          description: "Username successfully removed";
+        }
+      };
+    };
+  }
+
   // Start a WebAuthN registration
   //
   // Start the registration of a new WebAuthN device (e.g. Passkeys) for a user.
@@ -1645,6 +1696,74 @@ message RemovePasswordResponse {
   zitadel.resources.object.v3alpha.Details details = 1;
 }
 
+
+message AddPublicKeyRequest {
+  optional zitadel.object.v3alpha.Instance instance = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      default: "\"domain from HOST or :authority header\""
+    }
+  ];
+  // Optionally expect the user to be in this organization.
+  optional zitadel.object.v3alpha.Organization organization = 2;
+  // unique identifier of the user.
+  string id = 3 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"69629026806489455\"";
+    }
+  ];
+  // Set the user's new public key.
+  SetPublicKey public_key = 4;
+}
+
+message AddPublicKeyResponse {
+  zitadel.resources.object.v3alpha.Details details = 1;
+  // unique identifier of the public key.
+  string public_key_id = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"69629023906488334\"";
+    }
+  ];
+  bytes private_key = 3;
+}
+
+message RemovePublicKeyRequest {
+  optional zitadel.object.v3alpha.Instance instance = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      default: "\"domain from HOST or :authority header\""
+    }
+  ];
+  // Optionally expect the user to be in this organization.
+  optional zitadel.object.v3alpha.Organization organization = 2;
+  // unique identifier of the user.
+  string id = 3 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"69629026806489455\"";
+    }
+  ];
+  // unique identifier of the public key.
+  string public_key_id = 4 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1,
+      max_length: 200,
+      example: "\"69629023906488334\"";
+    }
+  ];
+}
+
+message RemovePublicKeyResponse {
+  zitadel.resources.object.v3alpha.Details details = 1;
+}
+
 message StartWebAuthNRegistrationRequest {
   optional zitadel.object.v3alpha.Instance instance = 1 [
     (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {

proto/zitadel/resources/userschema/v3alpha/user_schema.proto

@@ -206,6 +206,6 @@ enum AuthenticatorType {
   AUTHENTICATOR_TYPE_TOTP = 4;
   AUTHENTICATOR_TYPE_OTP_EMAIL = 5;
   AUTHENTICATOR_TYPE_OTP_SMS = 6;
-  AUTHENTICATOR_TYPE_AUTHENTICATION_KEY = 7;
+  AUTHENTICATOR_TYPE_PUBLIC_KEY = 7;
   AUTHENTICATOR_TYPE_IDENTITY_PROVIDER = 8;
 }