feat(api): feature flags (#7356)

* feat(api): feature API proto definitions

* update proto based on discussion with @livio-a

* cleanup old feature flag stuff

* authz instance queries

* align defaults

* projection definitions

* define commands and event reducers

* implement system and instance setter APIs

* api getter implementation

* unit test repository package

* command unit tests

* unit test Get queries

* grpc converter unit tests

* migrate the V1 features

* migrate oidc to dynamic features

* projection unit test

* fix instance by host

* fix instance by id data type in sql

* fix linting errors

* add system projection test

* fix behavior inversion

* resolve proto file comments

* rename SystemDefaultLoginInstanceEventType to SystemLoginDefaultOrgEventType so it's consistent with the instance level event

* use write models and conditional set events

* system features integration tests

* instance features integration tests

* error on empty request

* documentation entry

* typo in feature.proto

* fix start unit tests

* solve linting error on key case switch

* remove system defaults after discussion with @eliobischof

* fix system feature projection

* resolve comments in defaults.yaml

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/api/grpc/admin/feature.go

@@ -3,13 +3,17 @@ package admin
 import (
 	"context"
 
+	"github.com/muhlemmer/gu"
+
 	object_pb "github.com/zitadel/zitadel/internal/api/grpc/object"
-	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/command"
 	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
 )
 
 func (s *Server) ActivateFeatureLoginDefaultOrg(ctx context.Context, _ *admin_pb.ActivateFeatureLoginDefaultOrgRequest) (*admin_pb.ActivateFeatureLoginDefaultOrgResponse, error) {
-	details, err := s.command.SetBooleanInstanceFeature(ctx, domain.FeatureLoginDefaultOrg, true)
+	details, err := s.command.SetInstanceFeatures(ctx, &command.InstanceFeatures{
+		LoginDefaultOrg: gu.Ptr(true),
+	})
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/feature/v2/converter.go

@@ -0,0 +1,71 @@
+package feature
+
+import (
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/feature"
+	"github.com/zitadel/zitadel/internal/query"
+	feature_pb "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta"
+)
+
+func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) *command.SystemFeatures {
+	return &command.SystemFeatures{
+		LoginDefaultOrg:                 req.LoginDefaultOrg,
+		TriggerIntrospectionProjections: req.OidcTriggerIntrospectionProjections,
+		LegacyIntrospection:             req.OidcLegacyIntrospection,
+	}
+}
+
+func systemFeaturesToPb(f *query.SystemFeatures) *feature_pb.GetSystemFeaturesResponse {
+	return &feature_pb.GetSystemFeaturesResponse{
+		Details:                             object.DomainToDetailsPb(f.Details),
+		LoginDefaultOrg:                     featureSourceToFlagPb(&f.LoginDefaultOrg),
+		OidcTriggerIntrospectionProjections: featureSourceToFlagPb(&f.TriggerIntrospectionProjections),
+		OidcLegacyIntrospection:             featureSourceToFlagPb(&f.LegacyIntrospection),
+	}
+}
+
+func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) *command.InstanceFeatures {
+	return &command.InstanceFeatures{
+		LoginDefaultOrg:                 req.LoginDefaultOrg,
+		TriggerIntrospectionProjections: req.OidcTriggerIntrospectionProjections,
+		LegacyIntrospection:             req.OidcLegacyIntrospection,
+	}
+}
+
+func instanceFeaturesToPb(f *query.InstanceFeatures) *feature_pb.GetInstanceFeaturesResponse {
+	return &feature_pb.GetInstanceFeaturesResponse{
+		Details:                             object.DomainToDetailsPb(f.Details),
+		LoginDefaultOrg:                     featureSourceToFlagPb(&f.LoginDefaultOrg),
+		OidcTriggerIntrospectionProjections: featureSourceToFlagPb(&f.TriggerIntrospectionProjections),
+		OidcLegacyIntrospection:             featureSourceToFlagPb(&f.LegacyIntrospection),
+	}
+}
+
+func featureSourceToFlagPb(fs *query.FeatureSource[bool]) *feature_pb.FeatureFlag {
+	return &feature_pb.FeatureFlag{
+		Enabled: fs.Value,
+		Source:  featureLevelToSourcePb(fs.Level),
+	}
+}
+
+func featureLevelToSourcePb(level feature.Level) feature_pb.Source {
+	switch level {
+	case feature.LevelUnspecified:
+		return feature_pb.Source_SOURCE_UNSPECIFIED
+	case feature.LevelSystem:
+		return feature_pb.Source_SOURCE_SYSTEM
+	case feature.LevelInstance:
+		return feature_pb.Source_SOURCE_INSTANCE
+	case feature.LevelOrg:
+		return feature_pb.Source_SOURCE_ORGANIZATION
+	case feature.LevelProject:
+		return feature_pb.Source_SOURCE_PROJECT
+	case feature.LevelApp:
+		return feature_pb.Source_SOURCE_APP
+	case feature.LevelUser:
+		return feature_pb.Source_SOURCE_USER
+	default:
+		return feature_pb.Source(level)
+	}
+}

internal/api/grpc/feature/v2/converter_test.go

@@ -0,0 +1,188 @@
+package feature
+
+import (
+	"testing"
+	"time"
+
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/feature"
+	"github.com/zitadel/zitadel/internal/query"
+	feature_pb "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
+)
+
+func Test_systemFeaturesToCommand(t *testing.T) {
+	arg := &feature_pb.SetSystemFeaturesRequest{
+		LoginDefaultOrg:                     gu.Ptr(true),
+		OidcTriggerIntrospectionProjections: gu.Ptr(false),
+		OidcLegacyIntrospection:             nil,
+	}
+	want := &command.SystemFeatures{
+		LoginDefaultOrg:                 gu.Ptr(true),
+		TriggerIntrospectionProjections: gu.Ptr(false),
+		LegacyIntrospection:             nil,
+	}
+	got := systemFeaturesToCommand(arg)
+	assert.Equal(t, want, got)
+}
+
+func Test_systemFeaturesToPb(t *testing.T) {
+	arg := &query.SystemFeatures{
+		Details: &domain.ObjectDetails{
+			Sequence:      22,
+			EventDate:     time.Unix(123, 0),
+			ResourceOwner: "SYSTEM",
+		},
+		LoginDefaultOrg: query.FeatureSource[bool]{
+			Level: feature.LevelSystem,
+			Value: true,
+		},
+		TriggerIntrospectionProjections: query.FeatureSource[bool]{
+			Level: feature.LevelUnspecified,
+			Value: false,
+		},
+		LegacyIntrospection: query.FeatureSource[bool]{
+			Level: feature.LevelSystem,
+			Value: true,
+		},
+	}
+	want := &feature_pb.GetSystemFeaturesResponse{
+		Details: &object.Details{
+			Sequence:      22,
+			ChangeDate:    &timestamppb.Timestamp{Seconds: 123},
+			ResourceOwner: "SYSTEM",
+		},
+		LoginDefaultOrg: &feature_pb.FeatureFlag{
+			Enabled: true,
+			Source:  feature_pb.Source_SOURCE_SYSTEM,
+		},
+		OidcTriggerIntrospectionProjections: &feature_pb.FeatureFlag{
+			Enabled: false,
+			Source:  feature_pb.Source_SOURCE_UNSPECIFIED,
+		},
+		OidcLegacyIntrospection: &feature_pb.FeatureFlag{
+			Enabled: true,
+			Source:  feature_pb.Source_SOURCE_SYSTEM,
+		},
+	}
+	got := systemFeaturesToPb(arg)
+	assert.Equal(t, want, got)
+}
+
+func Test_instanceFeaturesToCommand(t *testing.T) {
+	arg := &feature_pb.SetInstanceFeaturesRequest{
+		LoginDefaultOrg:                     gu.Ptr(true),
+		OidcTriggerIntrospectionProjections: gu.Ptr(false),
+		OidcLegacyIntrospection:             nil,
+	}
+	want := &command.InstanceFeatures{
+		LoginDefaultOrg:                 gu.Ptr(true),
+		TriggerIntrospectionProjections: gu.Ptr(false),
+		LegacyIntrospection:             nil,
+	}
+	got := instanceFeaturesToCommand(arg)
+	assert.Equal(t, want, got)
+}
+
+func Test_instanceFeaturesToPb(t *testing.T) {
+	arg := &query.InstanceFeatures{
+		Details: &domain.ObjectDetails{
+			Sequence:      22,
+			EventDate:     time.Unix(123, 0),
+			ResourceOwner: "instance1",
+		},
+		LoginDefaultOrg: query.FeatureSource[bool]{
+			Level: feature.LevelSystem,
+			Value: true,
+		},
+		TriggerIntrospectionProjections: query.FeatureSource[bool]{
+			Level: feature.LevelUnspecified,
+			Value: false,
+		},
+		LegacyIntrospection: query.FeatureSource[bool]{
+			Level: feature.LevelInstance,
+			Value: true,
+		},
+	}
+	want := &feature_pb.GetInstanceFeaturesResponse{
+		Details: &object.Details{
+			Sequence:      22,
+			ChangeDate:    &timestamppb.Timestamp{Seconds: 123},
+			ResourceOwner: "instance1",
+		},
+		LoginDefaultOrg: &feature_pb.FeatureFlag{
+			Enabled: true,
+			Source:  feature_pb.Source_SOURCE_SYSTEM,
+		},
+		OidcTriggerIntrospectionProjections: &feature_pb.FeatureFlag{
+			Enabled: false,
+			Source:  feature_pb.Source_SOURCE_UNSPECIFIED,
+		},
+		OidcLegacyIntrospection: &feature_pb.FeatureFlag{
+			Enabled: true,
+			Source:  feature_pb.Source_SOURCE_INSTANCE,
+		},
+	}
+	got := instanceFeaturesToPb(arg)
+	assert.Equal(t, want, got)
+}
+
+func Test_featureLevelToSourcePb(t *testing.T) {
+	tests := []struct {
+		name  string
+		level feature.Level
+		want  feature_pb.Source
+	}{
+		{
+			name:  "unspecified",
+			level: feature.LevelUnspecified,
+			want:  feature_pb.Source_SOURCE_UNSPECIFIED,
+		},
+		{
+			name:  "system",
+			level: feature.LevelSystem,
+			want:  feature_pb.Source_SOURCE_SYSTEM,
+		},
+		{
+			name:  "instance",
+			level: feature.LevelInstance,
+			want:  feature_pb.Source_SOURCE_INSTANCE,
+		},
+		{
+			name:  "org",
+			level: feature.LevelOrg,
+			want:  feature_pb.Source_SOURCE_ORGANIZATION,
+		},
+		{
+			name:  "project",
+			level: feature.LevelProject,
+			want:  feature_pb.Source_SOURCE_PROJECT,
+		},
+		{
+			name:  "app",
+			level: feature.LevelApp,
+			want:  feature_pb.Source_SOURCE_APP,
+		},
+		{
+			name:  "user",
+			level: feature.LevelUser,
+			want:  feature_pb.Source_SOURCE_USER,
+		},
+		{
+			name:  "unknown",
+			level: 99,
+			want:  99,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := featureLevelToSourcePb(tt.level)
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}

internal/api/grpc/feature/v2/feature.go

@@ -0,0 +1,86 @@
+package feature
+
+import (
+	"context"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	feature "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta"
+)
+
+func (s *Server) SetSystemFeatures(ctx context.Context, req *feature.SetSystemFeaturesRequest) (_ *feature.SetSystemFeaturesResponse, err error) {
+	details, err := s.command.SetSystemFeatures(ctx, systemFeaturesToCommand(req))
+	if err != nil {
+		return nil, err
+	}
+	return &feature.SetSystemFeaturesResponse{
+		Details: object.DomainToDetailsPb(details),
+	}, nil
+}
+
+func (s *Server) ResetSystemFeatures(ctx context.Context, req *feature.ResetSystemFeaturesRequest) (_ *feature.ResetSystemFeaturesResponse, err error) {
+	details, err := s.command.ResetSystemFeatures(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &feature.ResetSystemFeaturesResponse{
+		Details: object.DomainToDetailsPb(details),
+	}, nil
+}
+
+func (s *Server) GetSystemFeatures(ctx context.Context, req *feature.GetSystemFeaturesRequest) (_ *feature.GetSystemFeaturesResponse, err error) {
+	f, err := s.query.GetSystemFeatures(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return systemFeaturesToPb(f), nil
+}
+
+func (s *Server) SetInstanceFeatures(ctx context.Context, req *feature.SetInstanceFeaturesRequest) (_ *feature.SetInstanceFeaturesResponse, err error) {
+	details, err := s.command.SetInstanceFeatures(ctx, instanceFeaturesToCommand(req))
+	if err != nil {
+		return nil, err
+	}
+	return &feature.SetInstanceFeaturesResponse{
+		Details: object.DomainToDetailsPb(details),
+	}, nil
+}
+
+func (s *Server) ResetInstanceFeatures(ctx context.Context, req *feature.ResetInstanceFeaturesRequest) (_ *feature.ResetInstanceFeaturesResponse, err error) {
+	details, err := s.command.ResetInstanceFeatures(ctx)
+	if err != nil {
+		return nil, err
+	}
+	return &feature.ResetInstanceFeaturesResponse{
+		Details: object.DomainToDetailsPb(details),
+	}, nil
+}
+
+func (s *Server) GetInstanceFeatures(ctx context.Context, req *feature.GetInstanceFeaturesRequest) (_ *feature.GetInstanceFeaturesResponse, err error) {
+	f, err := s.query.GetInstanceFeatures(ctx, req.GetInheritance())
+	if err != nil {
+		return nil, err
+	}
+	return instanceFeaturesToPb(f), nil
+}
+
+func (s *Server) SetOrganizationFeatures(ctx context.Context, req *feature.SetOrganizationFeaturesRequest) (_ *feature.SetOrganizationFeaturesResponse, err error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SetOrganizationFeatures not implemented")
+}
+func (s *Server) ResetOrganizationFeatures(ctx context.Context, req *feature.ResetOrganizationFeaturesRequest) (_ *feature.ResetOrganizationFeaturesResponse, err error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ResetOrganizationFeatures not implemented")
+}
+func (s *Server) GetOrganizationFeatures(ctx context.Context, req *feature.GetOrganizationFeaturesRequest) (_ *feature.GetOrganizationFeaturesResponse, err error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetOrganizationFeatures not implemented")
+}
+func (s *Server) SetUserFeatures(ctx context.Context, req *feature.SetUserFeatureRequest) (_ *feature.SetUserFeaturesResponse, err error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SetUserFeatures not implemented")
+}
+func (s *Server) ResetUserFeatures(ctx context.Context, req *feature.ResetUserFeaturesRequest) (_ *feature.ResetUserFeaturesResponse, err error) {
+	return nil, status.Errorf(codes.Unimplemented, "method ResetUserFeatures not implemented")
+}
+func (s *Server) GetUserFeatures(ctx context.Context, req *feature.GetUserFeaturesRequest) (_ *feature.GetUserFeaturesResponse, err error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetUserFeatures not implemented")
+}

internal/api/grpc/feature/v2/feature_integration_test.go

@@ -0,0 +1,470 @@
+//go:build integration
+
+package feature_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/muhlemmer/gu"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	feature "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta"
+	object "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
+)
+
+var (
+	SystemCTX context.Context
+	IamCTX    context.Context
+	OrgCTX    context.Context
+	Tester    *integration.Tester
+	Client    feature.FeatureServiceClient
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(func() int {
+		ctx, _, cancel := integration.Contexts(5 * time.Minute)
+		defer cancel()
+		Tester = integration.NewTester(ctx)
+		SystemCTX = Tester.WithAuthorization(ctx, integration.SystemUser)
+		IamCTX = Tester.WithAuthorization(ctx, integration.IAMOwner)
+		OrgCTX = Tester.WithAuthorization(ctx, integration.OrgOwner)
+
+		defer Tester.Done()
+		Client = Tester.Client.FeatureV2
+
+		return m.Run()
+	}())
+}
+
+func TestServer_SetSystemFeatures(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		req *feature.SetSystemFeaturesRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *feature.SetSystemFeaturesResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: IamCTX,
+				req: &feature.SetSystemFeaturesRequest{
+					OidcTriggerIntrospectionProjections: gu.Ptr(true),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "no changes error",
+			args: args{
+				ctx: SystemCTX,
+				req: &feature.SetSystemFeaturesRequest{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success",
+			args: args{
+				ctx: SystemCTX,
+				req: &feature.SetSystemFeaturesRequest{
+					OidcTriggerIntrospectionProjections: gu.Ptr(true),
+				},
+			},
+			want: &feature.SetSystemFeaturesResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: "SYSTEM",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Cleanup(func() {
+				// make sure we have a clean state after each test
+				_, err := Client.ResetSystemFeatures(SystemCTX, &feature.ResetSystemFeaturesRequest{})
+				require.NoError(t, err)
+			})
+			got, err := Client.SetSystemFeatures(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
+
+func TestServer_ResetSystemFeatures(t *testing.T) {
+	_, err := Client.SetSystemFeatures(SystemCTX, &feature.SetSystemFeaturesRequest{
+		LoginDefaultOrg: gu.Ptr(true),
+	})
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		want    *feature.ResetSystemFeaturesResponse
+		wantErr bool
+	}{
+		{
+			name:    "permission error",
+			ctx:     IamCTX,
+			wantErr: true,
+		},
+		{
+			name: "success",
+			ctx:  SystemCTX,
+			want: &feature.ResetSystemFeaturesResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: "SYSTEM",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.ResetSystemFeatures(tt.ctx, &feature.ResetSystemFeaturesRequest{})
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
+
+func TestServer_GetSystemFeatures(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		req *feature.GetSystemFeaturesRequest
+	}
+	tests := []struct {
+		name    string
+		prepare func(t *testing.T)
+		args    args
+		want    *feature.GetSystemFeaturesResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: IamCTX,
+				req: &feature.GetSystemFeaturesRequest{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "nothing set",
+			args: args{
+				ctx: SystemCTX,
+				req: &feature.GetSystemFeaturesRequest{},
+			},
+			want: &feature.GetSystemFeaturesResponse{},
+		},
+		{
+			name: "some features",
+			prepare: func(t *testing.T) {
+				_, err := Client.SetSystemFeatures(SystemCTX, &feature.SetSystemFeaturesRequest{
+					LoginDefaultOrg:                     gu.Ptr(true),
+					OidcTriggerIntrospectionProjections: gu.Ptr(false),
+				})
+				require.NoError(t, err)
+			},
+			args: args{
+				ctx: SystemCTX,
+				req: &feature.GetSystemFeaturesRequest{},
+			},
+			want: &feature.GetSystemFeaturesResponse{
+				LoginDefaultOrg: &feature.FeatureFlag{
+					Enabled: true,
+					Source:  feature.Source_SOURCE_SYSTEM,
+				},
+				OidcTriggerIntrospectionProjections: &feature.FeatureFlag{
+					Enabled: false,
+					Source:  feature.Source_SOURCE_SYSTEM,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Cleanup(func() {
+				// make sure we have a clean state after each test
+				_, err := Client.ResetSystemFeatures(SystemCTX, &feature.ResetSystemFeaturesRequest{})
+				require.NoError(t, err)
+			})
+			if tt.prepare != nil {
+				tt.prepare(t)
+			}
+			got, err := Client.GetSystemFeatures(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assertFeatureFlag(t, tt.want.LoginDefaultOrg, got.LoginDefaultOrg)
+			assertFeatureFlag(t, tt.want.OidcTriggerIntrospectionProjections, got.OidcTriggerIntrospectionProjections)
+			assertFeatureFlag(t, tt.want.OidcLegacyIntrospection, got.OidcLegacyIntrospection)
+		})
+	}
+}
+
+func TestServer_SetInstanceFeatures(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		req *feature.SetInstanceFeaturesRequest
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *feature.SetInstanceFeaturesResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: OrgCTX,
+				req: &feature.SetInstanceFeaturesRequest{
+					OidcTriggerIntrospectionProjections: gu.Ptr(true),
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "no changes error",
+			args: args{
+				ctx: IamCTX,
+				req: &feature.SetInstanceFeaturesRequest{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "success",
+			args: args{
+				ctx: IamCTX,
+				req: &feature.SetInstanceFeaturesRequest{
+					OidcTriggerIntrospectionProjections: gu.Ptr(true),
+				},
+			},
+			want: &feature.SetInstanceFeaturesResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Instance.InstanceID(),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Cleanup(func() {
+				// make sure we have a clean state after each test
+				_, err := Client.ResetInstanceFeatures(IamCTX, &feature.ResetInstanceFeaturesRequest{})
+				require.NoError(t, err)
+			})
+			got, err := Client.SetInstanceFeatures(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
+
+func TestServer_ResetInstanceFeatures(t *testing.T) {
+	_, err := Client.SetInstanceFeatures(IamCTX, &feature.SetInstanceFeaturesRequest{
+		LoginDefaultOrg: gu.Ptr(true),
+	})
+	require.NoError(t, err)
+
+	tests := []struct {
+		name    string
+		ctx     context.Context
+		want    *feature.ResetInstanceFeaturesResponse
+		wantErr bool
+	}{
+		{
+			name:    "permission error",
+			ctx:     OrgCTX,
+			wantErr: true,
+		},
+		{
+			name: "success",
+			ctx:  IamCTX,
+			want: &feature.ResetInstanceFeaturesResponse{
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Tester.Instance.InstanceID(),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := Client.ResetInstanceFeatures(tt.ctx, &feature.ResetInstanceFeaturesRequest{})
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			integration.AssertDetails(t, tt.want, got)
+		})
+	}
+}
+
+func TestServer_GetInstanceFeatures(t *testing.T) {
+	_, err := Client.SetSystemFeatures(SystemCTX, &feature.SetSystemFeaturesRequest{
+		OidcLegacyIntrospection: gu.Ptr(true),
+	})
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_, err := Client.ResetSystemFeatures(SystemCTX, &feature.ResetSystemFeaturesRequest{})
+		require.NoError(t, err)
+	})
+
+	type args struct {
+		ctx context.Context
+		req *feature.GetInstanceFeaturesRequest
+	}
+	tests := []struct {
+		name    string
+		prepare func(t *testing.T)
+		args    args
+		want    *feature.GetInstanceFeaturesResponse
+		wantErr bool
+	}{
+		{
+			name: "permission error",
+			args: args{
+				ctx: OrgCTX,
+				req: &feature.GetInstanceFeaturesRequest{},
+			},
+			wantErr: true,
+		},
+		{
+			name: "defaults, no inheritance",
+			args: args{
+				ctx: IamCTX,
+				req: &feature.GetInstanceFeaturesRequest{},
+			},
+			want: &feature.GetInstanceFeaturesResponse{},
+		},
+		{
+			name: "defaults, inheritance",
+			args: args{
+				ctx: IamCTX,
+				req: &feature.GetInstanceFeaturesRequest{
+					Inheritance: true,
+				},
+			},
+			want: &feature.GetInstanceFeaturesResponse{
+				LoginDefaultOrg: &feature.FeatureFlag{
+					Enabled: false,
+					Source:  feature.Source_SOURCE_UNSPECIFIED,
+				},
+				OidcTriggerIntrospectionProjections: &feature.FeatureFlag{
+					Enabled: false,
+					Source:  feature.Source_SOURCE_UNSPECIFIED,
+				},
+				OidcLegacyIntrospection: &feature.FeatureFlag{
+					Enabled: true,
+					Source:  feature.Source_SOURCE_SYSTEM,
+				},
+			},
+		},
+		{
+			name: "some features, no inheritance",
+			prepare: func(t *testing.T) {
+				_, err := Client.SetInstanceFeatures(IamCTX, &feature.SetInstanceFeaturesRequest{
+					LoginDefaultOrg:                     gu.Ptr(true),
+					OidcTriggerIntrospectionProjections: gu.Ptr(false),
+				})
+				require.NoError(t, err)
+			},
+			args: args{
+				ctx: IamCTX,
+				req: &feature.GetInstanceFeaturesRequest{},
+			},
+			want: &feature.GetInstanceFeaturesResponse{
+				LoginDefaultOrg: &feature.FeatureFlag{
+					Enabled: true,
+					Source:  feature.Source_SOURCE_INSTANCE,
+				},
+				OidcTriggerIntrospectionProjections: &feature.FeatureFlag{
+					Enabled: false,
+					Source:  feature.Source_SOURCE_INSTANCE,
+				},
+			},
+		},
+		{
+			name: "one feature, inheritance",
+			prepare: func(t *testing.T) {
+				_, err := Client.SetInstanceFeatures(IamCTX, &feature.SetInstanceFeaturesRequest{
+					LoginDefaultOrg: gu.Ptr(true),
+				})
+				require.NoError(t, err)
+			},
+			args: args{
+				ctx: IamCTX,
+				req: &feature.GetInstanceFeaturesRequest{
+					Inheritance: true,
+				},
+			},
+			want: &feature.GetInstanceFeaturesResponse{
+				LoginDefaultOrg: &feature.FeatureFlag{
+					Enabled: true,
+					Source:  feature.Source_SOURCE_INSTANCE,
+				},
+				OidcTriggerIntrospectionProjections: &feature.FeatureFlag{
+					Enabled: false,
+					Source:  feature.Source_SOURCE_UNSPECIFIED,
+				},
+				OidcLegacyIntrospection: &feature.FeatureFlag{
+					Enabled: true,
+					Source:  feature.Source_SOURCE_SYSTEM,
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Cleanup(func() {
+				// make sure we have a clean state after each test
+				_, err := Client.ResetInstanceFeatures(IamCTX, &feature.ResetInstanceFeaturesRequest{})
+				require.NoError(t, err)
+			})
+			if tt.prepare != nil {
+				tt.prepare(t)
+			}
+			got, err := Client.GetInstanceFeatures(tt.args.ctx, tt.args.req)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assertFeatureFlag(t, tt.want.LoginDefaultOrg, got.LoginDefaultOrg)
+			assertFeatureFlag(t, tt.want.OidcTriggerIntrospectionProjections, got.OidcTriggerIntrospectionProjections)
+			assertFeatureFlag(t, tt.want.OidcLegacyIntrospection, got.OidcLegacyIntrospection)
+		})
+	}
+}
+
+func assertFeatureFlag(t *testing.T, expected, actual *feature.FeatureFlag) {
+	t.Helper()
+	assert.Equal(t, expected.GetEnabled(), actual.GetEnabled(), "enabled")
+	assert.Equal(t, expected.GetSource(), actual.GetSource(), "source")
+}

internal/api/grpc/feature/v2/server.go

@@ -0,0 +1,47 @@
+package feature
+
+import (
+	"google.golang.org/grpc"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/server"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/query"
+	feature "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta"
+)
+
+type Server struct {
+	feature.UnimplementedFeatureServiceServer
+	command *command.Commands
+	query   *query.Queries
+}
+
+func CreateServer(
+	command *command.Commands,
+	query *query.Queries,
+) *Server {
+	return &Server{
+		command: command,
+		query:   query,
+	}
+}
+
+func (s *Server) RegisterServer(grpcServer *grpc.Server) {
+	feature.RegisterFeatureServiceServer(grpcServer, s)
+}
+
+func (s *Server) AppName() string {
+	return feature.FeatureService_ServiceDesc.ServiceName
+}
+
+func (s *Server) MethodPrefix() string {
+	return feature.FeatureService_ServiceDesc.ServiceName
+}
+
+func (s *Server) AuthMethods() authz.MethodMapping {
+	return feature.FeatureService_AuthMethods
+}
+
+func (s *Server) RegisterGateway() server.RegisterGatewayFunc {
+	return feature.RegisterFeatureServiceHandler
+}

internal/api/grpc/instance/converter.go

@@ -22,9 +22,9 @@ func InstanceToPb(instance *query.Instance) *instance_pb.Instance {
 			instance.Sequence,
 			instance.CreationDate,
 			instance.ChangeDate,
-			instance.InstanceID(),
+			instance.ID,
 		),
-		Id:      instance.InstanceID(),
+		Id:      instance.ID,
 		Name:    instance.Name,
 		Domains: DomainsToPb(instance.Domains),
 		Version: build.Version(),
@@ -38,9 +38,9 @@ func InstanceDetailToPb(instance *query.Instance) *instance_pb.InstanceDetail {
 			instance.Sequence,
 			instance.CreationDate,
 			instance.ChangeDate,
-			instance.InstanceID(),
+			instance.ID,
 		),
-		Id:      instance.InstanceID(),
+		Id:      instance.ID,
 		Name:    instance.Name,
 		Domains: DomainsToPb(instance.Domains),
 		Version: build.Version(),

internal/api/grpc/server/middleware/instance_interceptor_test.go

@@ -12,6 +12,7 @@ import (
 	"google.golang.org/grpc/metadata"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/feature"
 )
 
 func Test_hostNameFromContext(t *testing.T) {
@@ -208,3 +209,7 @@ func (m *mockInstance) RequestedHost() string {
 func (m *mockInstance) SecurityPolicyAllowedOrigins() []string {
 	return nil
 }
+
+func (m *mockInstance) Features() feature.Features {
+	return feature.Features{}
+}

internal/api/grpc/system/feature.go

@@ -4,6 +4,7 @@ import (
 	"context"
 
 	object_pb "github.com/zitadel/zitadel/internal/api/grpc/object"
+	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/zerrors"
 	system_pb "github.com/zitadel/zitadel/pkg/grpc/system"
@@ -22,12 +23,14 @@ func (s *Server) SetInstanceFeature(ctx context.Context, req *system_pb.SetInsta
 
 func (s *Server) setInstanceFeature(ctx context.Context, req *system_pb.SetInstanceFeatureRequest) (*domain.ObjectDetails, error) {
 	feat := domain.Feature(req.FeatureId)
-	if !feat.IsAFeature() {
+	if feat != domain.FeatureLoginDefaultOrg {
 		return nil, zerrors.ThrowInvalidArgument(nil, "SYST-SGV45", "Errors.Feature.NotExisting")
 	}
 	switch t := req.Value.(type) {
 	case *system_pb.SetInstanceFeatureRequest_Bool:
-		return s.command.SetBooleanInstanceFeature(ctx, feat, t.Bool)
+		return s.command.SetInstanceFeatures(ctx, &command.InstanceFeatures{
+			LoginDefaultOrg: &t.Bool,
+		})
 	default:
 		return nil, zerrors.ThrowInvalidArgument(nil, "SYST-dag5g", "Errors.Feature.TypeNotSupported")
 	}

internal/api/grpc/system/instance.go

@@ -151,7 +151,7 @@ func (s *Server) ListDomains(ctx context.Context, req *system_pb.ListDomainsRequ
 }
 
 func (s *Server) AddDomain(ctx context.Context, req *system_pb.AddDomainRequest) (*system_pb.AddDomainResponse, error) {
-	instance, err := s.query.Instance(ctx, true)
+	instance, err := s.query.InstanceByID(ctx)
 	if err != nil {
 		return nil, err
 	}