fix: correct oidcsettings management (#4413)

* fix(oidcsettings): corrected projection, unittests and added the add endpoint * fix(oidcsettings): corrected default handling and instance setup * fix: set oidc settings correctly in console * cleanup * e2e test * improve e2e test * lint e2e Co-authored-by: Livio Spring <livio.a@gmail.com> Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>
2025-08-14 02:17:34 +00:00 · 2022-09-27 11:53:49 +01:00
parent b32c02a39b
commit 2957407b5b
21 changed files with 654 additions and 93 deletions
--- a/internal/api/grpc/admin/oidc_settings.go
+++ b/internal/api/grpc/admin/oidc_settings.go
@@ -18,6 +18,16 @@ func (s *Server) GetOIDCSettings(ctx context.Context, _ *admin_pb.GetOIDCSetting
 	}, nil
 }

+func (s *Server) AddOIDCSettings(ctx context.Context, req *admin_pb.AddOIDCSettingsRequest) (*admin_pb.AddOIDCSettingsResponse, error) {
+	result, err := s.command.AddOIDCSettings(ctx, AddOIDCConfigToConfig(req))
+	if err != nil {
+		return nil, err
+	}
+	return &admin_pb.AddOIDCSettingsResponse{
+		Details: object.DomainToChangeDetailsPb(result),
+	}, nil
+}
+
 func (s *Server) UpdateOIDCSettings(ctx context.Context, req *admin_pb.UpdateOIDCSettingsRequest) (*admin_pb.UpdateOIDCSettingsResponse, error) {
 	result, err := s.command.ChangeOIDCSettings(ctx, UpdateOIDCConfigToConfig(req))
 	if err != nil {
--- a/internal/api/grpc/admin/oidc_settings_converter.go
+++ b/internal/api/grpc/admin/oidc_settings_converter.go
@@ -1,12 +1,13 @@
 package admin

 import (
+	"google.golang.org/protobuf/types/known/durationpb"
+
 	obj_grpc "github.com/zitadel/zitadel/internal/api/grpc/object"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
 	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
 	settings_pb "github.com/zitadel/zitadel/pkg/grpc/settings"
-	"google.golang.org/protobuf/types/known/durationpb"
 )

 func OIDCSettingsToPb(config *query.OIDCSettings) *settings_pb.OIDCSettings {
@@ -19,6 +20,15 @@ func OIDCSettingsToPb(config *query.OIDCSettings) *settings_pb.OIDCSettings {
 	}
 }

+func AddOIDCConfigToConfig(req *admin_pb.AddOIDCSettingsRequest) *domain.OIDCSettings {
+	return &domain.OIDCSettings{
+		AccessTokenLifetime:        req.AccessTokenLifetime.AsDuration(),
+		IdTokenLifetime:            req.IdTokenLifetime.AsDuration(),
+		RefreshTokenIdleExpiration: req.RefreshTokenIdleExpiration.AsDuration(),
+		RefreshTokenExpiration:     req.RefreshTokenExpiration.AsDuration(),
+	}
+}
+
 func UpdateOIDCConfigToConfig(req *admin_pb.UpdateOIDCSettingsRequest) *domain.OIDCSettings {
 	return &domain.OIDCSettings{
 		AccessTokenLifetime:        req.AccessTokenLifetime.AsDuration(),
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -88,7 +88,13 @@ func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest)
 		applicationID = authReq.ApplicationID
 		userOrgID = authReq.UserOrgID
 	}
-	resp, err := o.command.AddUserToken(setContextUserSystem(ctx), userOrgID, userAgentID, applicationID, req.GetSubject(), req.GetAudience(), req.GetScopes(), o.defaultAccessTokenLifetime) //PLANNED: lifetime from client
+
+	accessTokenLifetime, _, _, _, err := o.getOIDCSettings(ctx)
+	if err != nil {
+		return "", time.Time{}, err
+	}
+
+	resp, err := o.command.AddUserToken(setContextUserSystem(ctx), userOrgID, userAgentID, applicationID, req.GetSubject(), req.GetAudience(), req.GetScopes(), accessTokenLifetime) //PLANNED: lifetime from client
 	if err != nil {
 		return "", time.Time{}, err
 	}
@@ -106,9 +112,15 @@ func (o *OPStorage) CreateAccessAndRefreshTokens(ctx context.Context, req op.Tok
 	if request, ok := req.(op.RefreshTokenRequest); ok {
 		request.SetCurrentScopes(scopes)
 	}
+
+	accessTokenLifetime, _, refreshTokenIdleExpiration, refreshTokenExpiration, err := o.getOIDCSettings(ctx)
+	if err != nil {
+		return "", "", time.Time{}, err
+	}
+
 	resp, token, err := o.command.AddAccessAndRefreshToken(setContextUserSystem(ctx), userOrgID, userAgentID, applicationID, req.GetSubject(),
-		refreshToken, req.GetAudience(), scopes, authMethodsReferences, o.defaultAccessTokenLifetime,
-		o.defaultRefreshTokenIdleExpiration, o.defaultRefreshTokenExpiration, authTime) //PLANNED: lifetime from client
+		refreshToken, req.GetAudience(), scopes, authMethodsReferences, accessTokenLifetime,
+		refreshTokenIdleExpiration, refreshTokenExpiration, authTime) //PLANNED: lifetime from client
 	if err != nil {
 		if errors.IsErrorInvalidArgument(err) {
 			err = oidc.ErrInvalidGrant().WithParent(err)
@@ -248,3 +260,15 @@ func setContextUserSystem(ctx context.Context) context.Context {
 	}
 	return authz.SetCtxData(ctx, data)
 }
+
+func (o *OPStorage) getOIDCSettings(ctx context.Context) (accessTokenLifetime, idTokenLifetime, refreshTokenIdleExpiration, refreshTokenExpiration time.Duration, _ error) {
+	oidcSettings, err := o.query.OIDCSettingsByAggID(ctx, authz.GetInstance(ctx).InstanceID())
+	if err != nil && !errors.IsNotFound(err) {
+		return time.Duration(0), time.Duration(0), time.Duration(0), time.Duration(0), err
+	}
+
+	if oidcSettings != nil {
+		return oidcSettings.AccessTokenLifetime, oidcSettings.IdTokenLifetime, oidcSettings.RefreshTokenIdleExpiration, oidcSettings.RefreshTokenExpiration, nil
+	}
+	return o.defaultAccessTokenLifetime, o.defaultIdTokenLifetime, o.defaultRefreshTokenIdleExpiration, o.defaultRefreshTokenExpiration, nil
+}
--- a/internal/api/oidc/client.go
+++ b/internal/api/oidc/client.go
@@ -51,7 +51,13 @@ func (o *OPStorage) GetClientByClientID(ctx context.Context, id string) (_ op.Cl
 	for i, role := range projectRoles.ProjectRoles {
 		allowedScopes[i] = ScopeProjectRolePrefix + role.Key
 	}
-	return ClientFromBusiness(client, o.defaultLoginURL, o.defaultAccessTokenLifetime, o.defaultIdTokenLifetime, allowedScopes)
+
+	accessTokenLifetime, idTokenLifetime, _, _, err := o.getOIDCSettings(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return ClientFromBusiness(client, o.defaultLoginURL, accessTokenLifetime, idTokenLifetime, allowedScopes)
 }

 func (o *OPStorage) GetKeyByIDAndUserID(ctx context.Context, keyID, userID string) (_ *jose.JSONWebKey, err error) {
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@@ -104,6 +104,12 @@ type InstanceSetup struct {
 	EmailTemplate     []byte
 	MessageTexts      []*domain.CustomMessageText
 	SMTPConfiguration *smtp.EmailConfig
+	OIDCSettings      *struct {
+		AccessTokenLifetime        time.Duration
+		IdTokenLifetime            time.Duration
+		RefreshTokenIdleExpiration time.Duration
+		RefreshTokenExpiration     time.Duration
+	}
 }

 type ZitadelConfig struct {
@@ -346,6 +352,18 @@ func (c *Commands) SetUpInstance(ctx context.Context, setup *InstanceSetup) (str
 		)
 	}

+	if setup.OIDCSettings != nil {
+		validations = append(validations,
+			c.prepareAddOIDCSettings(
+				instanceAgg,
+				setup.OIDCSettings.AccessTokenLifetime,
+				setup.OIDCSettings.IdTokenLifetime,
+				setup.OIDCSettings.RefreshTokenIdleExpiration,
+				setup.OIDCSettings.RefreshTokenExpiration,
+			),
+		)
+	}
+
 	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validations...)
 	if err != nil {
 		return "", nil, err
--- a/internal/command/instance_oidc_settings.go
+++ b/internal/command/instance_oidc_settings.go
@@ -2,78 +2,131 @@ package command

 import (
 	"context"
+	"time"

+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command/preparation"
 	"github.com/zitadel/zitadel/internal/domain"
-	caos_errs "github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/errors"
+	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/repository/instance"
 )

+func (c *Commands) prepareAddOIDCSettings(a *instance.Aggregate, accessTokenLifetime, idTokenLifetime, refreshTokenIdleExpiration, refreshTokenExpiration time.Duration) preparation.Validation {
+	return func() (preparation.CreateCommands, error) {
+		if accessTokenLifetime == time.Duration(0) ||
+			idTokenLifetime == time.Duration(0) ||
+			refreshTokenIdleExpiration == time.Duration(0) ||
+			refreshTokenExpiration == time.Duration(0) {
+			return nil, errors.ThrowInvalidArgument(nil, "INST-10s82j", "Errors.Invalid.Argument")
+		}
+
+		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
+			writeModel, err := c.getOIDCSettingsWriteModel(ctx, filter)
+			if err != nil {
+				return nil, err
+			}
+			if writeModel.State == domain.OIDCSettingsStateActive {
+				return nil, errors.ThrowAlreadyExists(nil, "INST-0aaj1o", "Errors.OIDCSettings.AlreadyExists")
+			}
+			return []eventstore.Command{
+				instance.NewOIDCSettingsAddedEvent(
+					ctx,
+					&a.Aggregate,
+					accessTokenLifetime,
+					idTokenLifetime,
+					refreshTokenIdleExpiration,
+					refreshTokenExpiration,
+				),
+			}, nil
+		}, nil
+	}
+}
+
+func (c *Commands) prepareUpdateOIDCSettings(a *instance.Aggregate, accessTokenLifetime, idTokenLifetime, refreshTokenIdleExpiration, refreshTokenExpiration time.Duration) preparation.Validation {
+	return func() (preparation.CreateCommands, error) {
+		if accessTokenLifetime == time.Duration(0) ||
+			idTokenLifetime == time.Duration(0) ||
+			refreshTokenIdleExpiration == time.Duration(0) ||
+			refreshTokenExpiration == time.Duration(0) {
+			return nil, errors.ThrowInvalidArgument(nil, "INST-10sxks", "Errors.Invalid.Argument")
+		}
+
+		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
+			writeModel, err := c.getOIDCSettingsWriteModel(ctx, filter)
+			if err != nil {
+				return nil, err
+			}
+			if writeModel.State != domain.OIDCSettingsStateActive {
+				return nil, errors.ThrowNotFound(nil, "INST-90s32oj", "Errors.OIDCSettings.NotFound")
+			}
+			changedEvent, hasChanged, err := writeModel.NewChangedEvent(
+				ctx,
+				&a.Aggregate,
+				accessTokenLifetime,
+				idTokenLifetime,
+				refreshTokenIdleExpiration,
+				refreshTokenExpiration,
+			)
+			if err != nil {
+				return nil, err
+			}
+			if !hasChanged {
+				return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-0pk2nu", "Errors.NoChangesFound")
+			}
+			return []eventstore.Command{
+				changedEvent,
+			}, nil
+		}, nil
+	}
+}
+
 func (c *Commands) AddOIDCSettings(ctx context.Context, settings *domain.OIDCSettings) (*domain.ObjectDetails, error) {
-	oidcSettingWriteModel, err := c.getOIDCSettings(ctx)
+	instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
+	validation := c.prepareAddOIDCSettings(instanceAgg, settings.AccessTokenLifetime, settings.IdTokenLifetime, settings.RefreshTokenIdleExpiration, settings.RefreshTokenExpiration)
+	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validation)
 	if err != nil {
 		return nil, err
 	}
-	if oidcSettingWriteModel.State.Exists() {
-		return nil, caos_errs.ThrowAlreadyExists(nil, "COMMAND-d9nlw", "Errors.OIDCSettings.AlreadyExists")
-	}
-	instanceAgg := InstanceAggregateFromWriteModel(&oidcSettingWriteModel.WriteModel)
-	pushedEvents, err := c.eventstore.Push(ctx, instance.NewOIDCSettingsAddedEvent(
-		ctx,
-		instanceAgg,
-		settings.AccessTokenLifetime,
-		settings.IdTokenLifetime,
-		settings.RefreshTokenIdleExpiration,
-		settings.RefreshTokenExpiration))
+	events, err := c.eventstore.Push(ctx, cmds...)
 	if err != nil {
 		return nil, err
 	}
-	err = AppendAndReduce(oidcSettingWriteModel, pushedEvents...)
-	if err != nil {
-		return nil, err
-	}
-	return writeModelToObjectDetails(&oidcSettingWriteModel.WriteModel), nil
+	return &domain.ObjectDetails{
+		Sequence:      events[len(events)-1].Sequence(),
+		EventDate:     events[len(events)-1].CreationDate(),
+		ResourceOwner: events[len(events)-1].Aggregate().InstanceID,
+	}, nil
 }

 func (c *Commands) ChangeOIDCSettings(ctx context.Context, settings *domain.OIDCSettings) (*domain.ObjectDetails, error) {
-	oidcSettingWriteModel, err := c.getOIDCSettings(ctx)
+	instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
+	validation := c.prepareUpdateOIDCSettings(instanceAgg, settings.AccessTokenLifetime, settings.IdTokenLifetime, settings.RefreshTokenIdleExpiration, settings.RefreshTokenExpiration)
+	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validation)
 	if err != nil {
 		return nil, err
 	}
-	if !oidcSettingWriteModel.State.Exists() {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-8snEr", "Errors.OIDCSettings.NotFound")
-	}
-	instanceAgg := InstanceAggregateFromWriteModel(&oidcSettingWriteModel.WriteModel)
-
-	changedEvent, hasChanged, err := oidcSettingWriteModel.NewChangedEvent(
-		ctx,
-		instanceAgg,
-		settings.AccessTokenLifetime,
-		settings.IdTokenLifetime,
-		settings.RefreshTokenIdleExpiration,
-		settings.RefreshTokenExpiration)
+	events, err := c.eventstore.Push(ctx, cmds...)
 	if err != nil {
 		return nil, err
 	}
-	if !hasChanged {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-398uF", "Errors.NoChangesFound")
-	}
-	pushedEvents, err := c.eventstore.Push(ctx, changedEvent)
-	if err != nil {
-		return nil, err
-	}
-	err = AppendAndReduce(oidcSettingWriteModel, pushedEvents...)
-	if err != nil {
-		return nil, err
-	}
-	return writeModelToObjectDetails(&oidcSettingWriteModel.WriteModel), nil
+	return &domain.ObjectDetails{
+		Sequence:      events[len(events)-1].Sequence(),
+		EventDate:     events[len(events)-1].CreationDate(),
+		ResourceOwner: events[len(events)-1].Aggregate().InstanceID,
+	}, nil
 }

-func (c *Commands) getOIDCSettings(ctx context.Context) (_ *InstanceOIDCSettingsWriteModel, err error) {
+func (c *Commands) getOIDCSettingsWriteModel(ctx context.Context, filter preparation.FilterToQueryReducer) (_ *InstanceOIDCSettingsWriteModel, err error) {
 	writeModel := NewInstanceOIDCSettingsWriteModel(ctx)
-	err = c.eventstore.FilterToQueryReducer(ctx, writeModel)
+	events, err := filter(ctx, writeModel.Query())
 	if err != nil {
 		return nil, err
 	}
-
-	return writeModel, nil
+	if len(events) == 0 {
+		return writeModel, nil
+	}
+	writeModel.AppendEvents(events...)
+	err = writeModel.Reduce()
+	return writeModel, err
 }
--- a/internal/command/instance_oidc_settings_test.go
+++ b/internal/command/instance_oidc_settings_test.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	"github.com/stretchr/testify/assert"
+
 	"github.com/zitadel/zitadel/internal/api/authz"

 	"github.com/zitadel/zitadel/internal/domain"
@@ -34,7 +35,7 @@ func TestCommandSide_AddOIDCConfig(t *testing.T) {
 		res    res
 	}{
 		{
-			name: "oidc config, error already exists",
+			name: "oidc settings, error already exists",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
@@ -52,7 +53,7 @@ func TestCommandSide_AddOIDCConfig(t *testing.T) {
 				),
 			},
 			args: args{
-				ctx: context.Background(),
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
 				oidcConfig: &domain.OIDCSettings{
 					AccessTokenLifetime:        1 * time.Hour,
 					IdTokenLifetime:            1 * time.Hour,
@@ -65,7 +66,7 @@ func TestCommandSide_AddOIDCConfig(t *testing.T) {
 			},
 		},
 		{
-			name: "add secret generator, ok",
+			name: "add oidc settings, ok",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
@@ -102,6 +103,86 @@ func TestCommandSide_AddOIDCConfig(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "add oidc settings, invalid argument 1",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				oidcConfig: &domain.OIDCSettings{
+					AccessTokenLifetime:        0 * time.Hour,
+					IdTokenLifetime:            1 * time.Hour,
+					RefreshTokenIdleExpiration: 1 * time.Hour,
+					RefreshTokenExpiration:     1 * time.Hour,
+				},
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "add oidc settings, invalid argument 2",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				oidcConfig: &domain.OIDCSettings{
+					AccessTokenLifetime:        1 * time.Hour,
+					IdTokenLifetime:            0 * time.Hour,
+					RefreshTokenIdleExpiration: 1 * time.Hour,
+					RefreshTokenExpiration:     1 * time.Hour,
+				},
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "add oidc settings, invalid argument 3",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				oidcConfig: &domain.OIDCSettings{
+					AccessTokenLifetime:        1 * time.Hour,
+					IdTokenLifetime:            1 * time.Hour,
+					RefreshTokenIdleExpiration: 0 * time.Hour,
+					RefreshTokenExpiration:     1 * time.Hour,
+				},
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "add oidc settings, invalid argument 4",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				oidcConfig: &domain.OIDCSettings{
+					AccessTokenLifetime:        1 * time.Hour,
+					IdTokenLifetime:            1 * time.Hour,
+					RefreshTokenIdleExpiration: 1 * time.Hour,
+					RefreshTokenExpiration:     0 * time.Hour,
+				},
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -141,7 +222,7 @@ func TestCommandSide_ChangeOIDCConfig(t *testing.T) {
 		res    res
 	}{
 		{
-			name: "oidc config not existing, not found error",
+			name: "oidc settings not existing, not found error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
@@ -150,11 +231,97 @@ func TestCommandSide_ChangeOIDCConfig(t *testing.T) {
 			},
 			args: args{
 				ctx: context.Background(),
+				oidcConfig: &domain.OIDCSettings{
+					AccessTokenLifetime:        1 * time.Hour,
+					IdTokenLifetime:            1 * time.Hour,
+					RefreshTokenIdleExpiration: 1 * time.Hour,
+					RefreshTokenExpiration:     1 * time.Hour,
+				},
 			},
 			res: res{
 				err: caos_errs.IsNotFound,
 			},
 		},
+		{
+			name: "no changes, invalid argument error 1",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				oidcConfig: &domain.OIDCSettings{
+					AccessTokenLifetime:        0 * time.Hour,
+					IdTokenLifetime:            1 * time.Hour,
+					RefreshTokenIdleExpiration: 1 * time.Hour,
+					RefreshTokenExpiration:     1 * time.Hour,
+				},
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "no changes, invalid argument error 2",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				oidcConfig: &domain.OIDCSettings{
+					AccessTokenLifetime:        1 * time.Hour,
+					IdTokenLifetime:            0 * time.Hour,
+					RefreshTokenIdleExpiration: 1 * time.Hour,
+					RefreshTokenExpiration:     1 * time.Hour,
+				},
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "no changes, invalid argument error 3",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				oidcConfig: &domain.OIDCSettings{
+					AccessTokenLifetime:        1 * time.Hour,
+					IdTokenLifetime:            1 * time.Hour,
+					RefreshTokenIdleExpiration: 0 * time.Hour,
+					RefreshTokenExpiration:     1 * time.Hour,
+				},
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
+		{
+			name: "no changes, invalid argument error 4",
+			fields: fields{
+				eventstore: eventstoreExpect(
+					t,
+				),
+			},
+			args: args{
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
+				oidcConfig: &domain.OIDCSettings{
+					AccessTokenLifetime:        1 * time.Hour,
+					IdTokenLifetime:            1 * time.Hour,
+					RefreshTokenIdleExpiration: 1 * time.Hour,
+					RefreshTokenExpiration:     0 * time.Hour,
+				},
+			},
+			res: res{
+				err: caos_errs.IsErrorInvalidArgument,
+			},
+		},
 		{
 			name: "no changes, precondition error",
 			fields: fields{
@@ -175,7 +342,7 @@ func TestCommandSide_ChangeOIDCConfig(t *testing.T) {
 				),
 			},
 			args: args{
-				ctx: context.Background(),
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
 				oidcConfig: &domain.OIDCSettings{
 					AccessTokenLifetime:        1 * time.Hour,
 					IdTokenLifetime:            1 * time.Hour,
@@ -188,7 +355,7 @@ func TestCommandSide_ChangeOIDCConfig(t *testing.T) {
 			},
 		},
 		{
-			name: "secret generator change, ok",
+			name: "oidc settings change, ok",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
@@ -206,8 +373,9 @@ func TestCommandSide_ChangeOIDCConfig(t *testing.T) {
 					),
 					expectPush(
 						[]*repository.Event{
-							eventFromEventPusher(
-								newOIDCConfigChangedEvent(context.Background(),
+							eventFromEventPusherWithInstanceID("INSTANCE",
+								newOIDCConfigChangedEvent(
+									context.Background(),
 									time.Hour*2,
 									time.Hour*2,
 									time.Hour*2,
@@ -218,7 +386,7 @@ func TestCommandSide_ChangeOIDCConfig(t *testing.T) {
 				),
 			},
 			args: args{
-				ctx: context.Background(),
+				ctx: authz.WithInstanceID(context.Background(), "INSTANCE"),
 				oidcConfig: &domain.OIDCSettings{
 					AccessTokenLifetime:        2 * time.Hour,
 					IdTokenLifetime:            2 * time.Hour,
--- a/internal/command/smtp.go
+++ b/internal/command/smtp.go
@@ -9,7 +9,6 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/errors"
-	caos_errs "github.com/zitadel/zitadel/internal/errors"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/notification/channels/smtp"
 	"github.com/zitadel/zitadel/internal/repository/instance"
@@ -58,7 +57,7 @@ func (c *Commands) ChangeSMTPConfigPassword(ctx context.Context, password string
 		return nil, err
 	}
 	if smtpConfigWriteModel.State != domain.SMTPConfigStateActive {
-		return nil, caos_errs.ThrowNotFound(nil, "COMMAND-3n9ls", "Errors.SMTPConfig.NotFound")
+		return nil, errors.ThrowNotFound(nil, "COMMAND-3n9ls", "Errors.SMTPConfig.NotFound")
 	}
 	var smtpPassword *crypto.CryptoValue
 	if password != "" {
@@ -180,7 +179,7 @@ func (c *Commands) prepareChangeSMTPConfig(a *instance.Aggregate, from, name, ho
 				return nil, err
 			}
 			if !hasChanged {
-				return nil, caos_errs.ThrowPreconditionFailed(nil, "COMMAND-m0o3f", "Errors.NoChangesFound")
+				return nil, errors.ThrowPreconditionFailed(nil, "COMMAND-m0o3f", "Errors.NoChangesFound")
 			}
 			return []eventstore.Command{
 				changedEvent,
--- a/internal/query/projection/oidc_settings.go
+++ b/internal/query/projection/oidc_settings.go
@@ -8,7 +8,6 @@ import (
 	"github.com/zitadel/zitadel/internal/eventstore/handler"
 	"github.com/zitadel/zitadel/internal/eventstore/handler/crdb"
 	"github.com/zitadel/zitadel/internal/repository/instance"
-	"github.com/zitadel/zitadel/internal/repository/project"
 )

 const (
@@ -43,7 +42,6 @@ func newOIDCSettingsProjection(ctx context.Context, config crdb.StatementHandler
 			crdb.NewColumn(OIDCSettingsColumnInstanceID, crdb.ColumnTypeText),
 			crdb.NewColumn(OIDCSettingsColumnSequence, crdb.ColumnTypeInt64),
 			crdb.NewColumn(OIDCSettingsColumnAccessTokenLifetime, crdb.ColumnTypeInt64),
-			crdb.NewColumn(ExternalLoginCheckLifetimeCol, crdb.ColumnTypeInt64),
 			crdb.NewColumn(OIDCSettingsColumnIdTokenLifetime, crdb.ColumnTypeInt64),
 			crdb.NewColumn(OIDCSettingsColumnRefreshTokenIdleExpiration, crdb.ColumnTypeInt64),
 			crdb.NewColumn(OIDCSettingsColumnRefreshTokenExpiration, crdb.ColumnTypeInt64),
@@ -58,7 +56,7 @@ func newOIDCSettingsProjection(ctx context.Context, config crdb.StatementHandler
 func (p *oidcSettingsProjection) reducers() []handler.AggregateReducer {
 	return []handler.AggregateReducer{
 		{
-			Aggregate: project.AggregateType,
+			Aggregate: instance.AggregateType,
 			EventRedusers: []handler.EventReducer{
 				{
 					Event:  instance.OIDCSettingsAddedEventType,
--- a/internal/repository/instance/oidc_settings.go
+++ b/internal/repository/instance/oidc_settings.go
@@ -14,7 +14,6 @@ const (
 	oidcSettingsPrefix           = "oidc.settings."
 	OIDCSettingsAddedEventType   = instanceEventTypePrefix + oidcSettingsPrefix + "added"
 	OIDCSettingsChangedEventType = instanceEventTypePrefix + oidcSettingsPrefix + "changed"
-	OIDCSettingsRemovedEventType = instanceEventTypePrefix + oidcSettingsPrefix + "removed"
 )

 type OIDCSettingsAddedEvent struct {