feat(6222): remove @ and project from OIDC client ID (#8178)

# Which Problems Are Solved The client ID for OIDC applications has an `@` in it, which is not allowed in some 3rd-party systems (such as AWS). # How the Problems Are Solved Per @fforootd and @hifabienne in #6222, remove the project suffix and the `@` from the client ID and just use the generated ID. # Additional Changes N/A # Additional Context - Closes #6222 --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com> Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-01-06 13:27:45 +00:00 · 2024-07-04 01:31:40 -07:00 · 2024-07-04 01:31:40 -07:00 · 32b707cf46
commit 32b707cf46
parent 02c98f570b
13 changed files with 220 additions and 51 deletions
--- a/e2e/cypress/e2e/applications/applications.cy.ts
+++ b/e2e/cypress/e2e/applications/applications.cy.ts
@ -37,7 +37,7 @@ describe('applications', () => {
      cy.get('[data-e2e="create-button"]').click();
      cy.get('[id*=overlay]').should('exist');
      cy.shouldConfirmSuccess();
-      const expectClientId = new RegExp(`^.*[0-9]+\\@${testProjectName}.*$`);
+      const expectClientId = new RegExp(`^.*[0-9]+.*$`);
      cy.get('[data-e2e="client-id-copy"]').click();
      cy.contains('[data-e2e="client-id"]', expectClientId);
      cy.clipboardMatches(expectClientId);
@ -64,7 +64,7 @@ describe('applications', () => {
      cy.get('[data-e2e="create-button"]').click();
      cy.get('[id*=overlay]').should('exist');
      cy.shouldConfirmSuccess();
-      const expectClientId = new RegExp(`^.*[0-9]+\\@${testProjectName}.*$`);
+      const expectClientId = new RegExp(`^.*[0-9]+.*$`);
      cy.get('[data-e2e="client-id-copy"]').click();
      cy.contains('[data-e2e="client-id"]', expectClientId);
      cy.clipboardMatches(expectClientId);
--- a/internal/command/instance_test.go
+++ b/internal/command/instance_test.go
@ -63,7 +63,7 @@ func projectAddedEvents(ctx context.Context, instanceID, orgID, id, owner string
 	events = append(events, apiAppEvents(ctx, orgID, id, "auth-id", "Auth-API")...)

 	consoleAppID := "console-id"
-	consoleClientID := "clientID@zitadel"
+	consoleClientID := "clientID"
 	events = append(events, oidcAppEvents(ctx, orgID, id, consoleAppID, "Console", consoleClientID, externalSecure)...)
 	events = append(events,
 		instance.NewIAMConsoleSetEvent(ctx,
@ -90,7 +90,7 @@ func apiAppEvents(ctx context.Context, orgID, projectID, id, name string) []even
 		project.NewAPIConfigAddedEvent(ctx,
 			&project.NewAggregate(projectID, orgID).Aggregate,
 			id,
-			"clientID@zitadel",
+			"clientID",
 			"",
 			domain.APIAuthMethodTypePrivateKeyJWT,
 		),
--- a/internal/command/project_application_api.go
+++ b/internal/command/project_application_api.go
@ -35,7 +35,7 @@ func (c *Commands) AddAPIAppCommand(app *addAPIApp) preparation.Validation {
 				return nil, zerrors.ThrowNotFound(err, "PROJE-Sf2gb", "Errors.Project.NotFound")
 			}

-			app.ClientID, err = domain.NewClientID(c.idGenerator, project.Name)
+			app.ClientID, err = c.idGenerator.Next()
 			if err != nil {
 				return nil, zerrors.ThrowInternal(err, "V2-f0pgP", "Errors.Internal")
 			}
@ -78,19 +78,19 @@ func (c *Commands) AddAPIApplicationWithID(ctx context.Context, apiApp *domain.A
 	if existingAPI.State != domain.AppStateUnspecified {
 		return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-mabu12", "Errors.Project.App.AlreadyExisting")
 	}
-	project, err := c.getProjectByID(ctx, apiApp.AggregateID, resourceOwner)
+	_, err = c.getProjectByID(ctx, apiApp.AggregateID, resourceOwner)
 	if err != nil {
 		return nil, zerrors.ThrowPreconditionFailed(err, "PROJECT-9fnsa", "Errors.Project.NotFound")
 	}

-	return c.addAPIApplicationWithID(ctx, apiApp, resourceOwner, project, appID)
+	return c.addAPIApplicationWithID(ctx, apiApp, resourceOwner, appID)
 }

 func (c *Commands) AddAPIApplication(ctx context.Context, apiApp *domain.APIApp, resourceOwner string) (_ *domain.APIApp, err error) {
 	if apiApp == nil || apiApp.AggregateID == "" {
 		return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-5m9E", "Errors.Project.App.Invalid")
 	}
-	project, err := c.getProjectByID(ctx, apiApp.AggregateID, resourceOwner)
+	_, err = c.getProjectByID(ctx, apiApp.AggregateID, resourceOwner)
 	if err != nil {
 		return nil, zerrors.ThrowPreconditionFailed(err, "PROJECT-9fnsf", "Errors.Project.NotFound")
 	}
@ -104,10 +104,10 @@ func (c *Commands) AddAPIApplication(ctx context.Context, apiApp *domain.APIApp,
 		return nil, err
 	}

-	return c.addAPIApplicationWithID(ctx, apiApp, resourceOwner, project, appID)
+	return c.addAPIApplicationWithID(ctx, apiApp, resourceOwner, appID)
 }

-func (c *Commands) addAPIApplicationWithID(ctx context.Context, apiApp *domain.APIApp, resourceOwner string, project *domain.Project, appID string) (_ *domain.APIApp, err error) {
+func (c *Commands) addAPIApplicationWithID(ctx context.Context, apiApp *domain.APIApp, resourceOwner string, appID string) (_ *domain.APIApp, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

@ -121,7 +121,7 @@ func (c *Commands) addAPIApplicationWithID(ctx context.Context, apiApp *domain.A
 	}

 	var plain string
-	err = domain.SetNewClientID(apiApp, c.idGenerator, project)
+	err = domain.SetNewClientID(apiApp, c.idGenerator)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/command/project_application_api_test.go
+++ b/internal/command/project_application_api_test.go
@ -117,7 +117,7 @@ func TestAddAPIConfig(t *testing.T) {
 					),
 					project.NewAPIConfigAddedEvent(ctx, &agg.Aggregate,
 						"appID",
-						"clientID@project",
+						"clientID",
 						"",
 						domain.APIAuthMethodTypePrivateKeyJWT,
 					),
@ -252,7 +252,7 @@ func TestCommandSide_AddAPIApplication(t *testing.T) {
 						project.NewAPIConfigAddedEvent(context.Background(),
 							&project.NewAggregate("project1", "org1").Aggregate,
 							"app1",
-							"client1@project",
+							"client1",
 							"secret",
 							domain.APIAuthMethodTypeBasic),
 					),
@ -278,7 +278,61 @@ func TestCommandSide_AddAPIApplication(t *testing.T) {
 					},
 					AppID:              "app1",
 					AppName:            "app",
-					ClientID:           "client1@project",
+					ClientID:           "client1",
+					ClientSecretString: "secret",
+					AuthMethodType:     domain.APIAuthMethodTypeBasic,
+					State:              domain.AppStateActive,
+				},
+			},
+		},
+		{
+			name: "create api app basic old ID format, ok",
+			fields: fields{
+				eventstore: expectEventstore(
+					expectFilter(
+						eventFromEventPusher(
+							project.NewProjectAddedEvent(context.Background(),
+								&project.NewAggregate("project1", "org1").Aggregate,
+								"project", true, true, true,
+								domain.PrivateLabelingSettingUnspecified),
+						),
+					),
+					expectPush(
+						project.NewApplicationAddedEvent(context.Background(),
+							&project.NewAggregate("project1", "org1").Aggregate,
+							"app1",
+							"app",
+						),
+						project.NewAPIConfigAddedEvent(context.Background(),
+							&project.NewAggregate("project1", "org1").Aggregate,
+							"app1",
+							"client1@project1",
+							"secret",
+							domain.APIAuthMethodTypeBasic),
+					),
+				),
+				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "app1", "client1@project1"),
+			},
+			args: args{
+				ctx: context.Background(),
+				apiApp: &domain.APIApp{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID: "project1",
+					},
+					AppName:        "app",
+					AuthMethodType: domain.APIAuthMethodTypeBasic,
+				},
+				resourceOwner: "org1",
+			},
+			res: res{
+				want: &domain.APIApp{
+					ObjectRoot: models.ObjectRoot{
+						AggregateID:   "project1",
+						ResourceOwner: "org1",
+					},
+					AppID:              "app1",
+					AppName:            "app",
+					ClientID:           "client1@project1",
 					ClientSecretString: "secret",
 					AuthMethodType:     domain.APIAuthMethodTypeBasic,
 					State:              domain.AppStateActive,
@ -306,7 +360,7 @@ func TestCommandSide_AddAPIApplication(t *testing.T) {
 						project.NewAPIConfigAddedEvent(context.Background(),
 							&project.NewAggregate("project1", "org1").Aggregate,
 							"app1",
-							"client1@project",
+							"client1",
 							"",
 							domain.APIAuthMethodTypePrivateKeyJWT),
 					),
@ -332,7 +386,7 @@ func TestCommandSide_AddAPIApplication(t *testing.T) {
 					},
 					AppID:          "app1",
 					AppName:        "app",
-					ClientID:       "client1@project",
+					ClientID:       "client1",
 					AuthMethodType: domain.APIAuthMethodTypePrivateKeyJWT,
 					State:          domain.AppStateActive,
 				},
--- a/internal/command/project_application_oidc.go
+++ b/internal/command/project_application_oidc.go
@ -68,7 +68,7 @@ func (c *Commands) AddOIDCAppCommand(app *addOIDCApp) preparation.Validation {
 				return nil, zerrors.ThrowNotFound(err, "PROJE-6swVG", "Errors.Project.NotFound")
 			}

-			app.ClientID, err = domain.NewClientID(c.idGenerator, project.Name)
+			app.ClientID, err = c.idGenerator.Next()
 			if err != nil {
 				return nil, zerrors.ThrowInternal(err, "V2-VMSQ1", "Errors.Internal")
 			}
@ -126,19 +126,19 @@ func (c *Commands) AddOIDCApplicationWithID(ctx context.Context, oidcApp *domain
 		return nil, zerrors.ThrowPreconditionFailed(nil, "PROJECT-lxowmp", "Errors.Project.App.AlreadyExisting")
 	}

-	project, err := c.getProjectByID(ctx, oidcApp.AggregateID, resourceOwner)
+	_, err = c.getProjectByID(ctx, oidcApp.AggregateID, resourceOwner)
 	if err != nil {
 		return nil, zerrors.ThrowPreconditionFailed(err, "PROJECT-3m9s2", "Errors.Project.NotFound")
 	}

-	return c.addOIDCApplicationWithID(ctx, oidcApp, resourceOwner, project, appID)
+	return c.addOIDCApplicationWithID(ctx, oidcApp, resourceOwner, appID)
 }

 func (c *Commands) AddOIDCApplication(ctx context.Context, oidcApp *domain.OIDCApp, resourceOwner string) (_ *domain.OIDCApp, err error) {
 	if oidcApp == nil || oidcApp.AggregateID == "" {
 		return nil, zerrors.ThrowInvalidArgument(nil, "PROJECT-34Fm0", "Errors.Project.App.Invalid")
 	}
-	project, err := c.getProjectByID(ctx, oidcApp.AggregateID, resourceOwner)
+	_, err = c.getProjectByID(ctx, oidcApp.AggregateID, resourceOwner)
 	if err != nil {
 		return nil, zerrors.ThrowPreconditionFailed(err, "PROJECT-3m9ss", "Errors.Project.NotFound")
 	}
@ -152,10 +152,10 @@ func (c *Commands) AddOIDCApplication(ctx context.Context, oidcApp *domain.OIDCA
 		return nil, err
 	}

-	return c.addOIDCApplicationWithID(ctx, oidcApp, resourceOwner, project, appID)
+	return c.addOIDCApplicationWithID(ctx, oidcApp, resourceOwner, appID)
 }

-func (c *Commands) addOIDCApplicationWithID(ctx context.Context, oidcApp *domain.OIDCApp, resourceOwner string, project *domain.Project, appID string) (_ *domain.OIDCApp, err error) {
+func (c *Commands) addOIDCApplicationWithID(ctx context.Context, oidcApp *domain.OIDCApp, resourceOwner string, appID string) (_ *domain.OIDCApp, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

@ -169,7 +169,7 @@ func (c *Commands) addOIDCApplicationWithID(ctx context.Context, oidcApp *domain
 	}

 	var plain string
-	err = domain.SetNewClientID(oidcApp, c.idGenerator, project)
+	err = domain.SetNewClientID(oidcApp, c.idGenerator)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/command/project_application_oidc_test.go
+++ b/internal/command/project_application_oidc_test.go
@ -158,7 +158,7 @@ func TestAddOIDCApp(t *testing.T) {
 					project.NewOIDCConfigAddedEvent(ctx, &agg.Aggregate,
 						domain.OIDCVersionV1,
 						"id",
-						"clientID@project",
+						"clientID",
 						"",
 						[]string{"https://test.ch"},
 						[]domain.OIDCResponseType{domain.OIDCResponseTypeCode},
@ -214,6 +214,71 @@ func TestAddOIDCApp(t *testing.T) {
 					}).
 					Filter(),
 			},
+			want: Want{
+				Commands: []eventstore.Command{
+					project.NewApplicationAddedEvent(ctx, &agg.Aggregate,
+						"id",
+						"name",
+					),
+					project.NewOIDCConfigAddedEvent(ctx, &agg.Aggregate,
+						domain.OIDCVersionV1,
+						"id",
+						"clientID",
+						"",
+						nil,
+						[]domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+						[]domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+						domain.OIDCApplicationTypeWeb,
+						domain.OIDCAuthMethodTypeNone,
+						nil,
+						false,
+						domain.OIDCTokenTypeBearer,
+						false,
+						false,
+						false,
+						0,
+						nil,
+						false,
+					),
+				},
+			},
+		},
+		{
+			name: "correct with old ID format",
+			fields: fields{
+				idGenerator: id_mock.NewIDGeneratorExpectIDs(t, "clientID@project"),
+			},
+			args: args{
+				app: &addOIDCApp{
+					AddApp: AddApp{
+						Aggregate: *agg,
+						ID:        "id",
+						Name:      "name",
+					},
+					GrantTypes:    []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+					ResponseTypes: []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+					Version:       domain.OIDCVersionV1,
+
+					ApplicationType: domain.OIDCApplicationTypeWeb,
+					AuthMethodType:  domain.OIDCAuthMethodTypeNone,
+					AccessTokenType: domain.OIDCTokenTypeBearer,
+				},
+				filter: NewMultiFilter().
+					Append(func(ctx context.Context, queryFactory *eventstore.SearchQueryBuilder) ([]eventstore.Event, error) {
+						return []eventstore.Event{
+							project.NewProjectAddedEvent(
+								ctx,
+								&agg.Aggregate,
+								"project",
+								false,
+								false,
+								false,
+								domain.PrivateLabelingSettingUnspecified,
+							),
+						}, nil
+					}).
+					Filter(),
+			},
 			want: Want{
 				Commands: []eventstore.Command{
 					project.NewApplicationAddedEvent(ctx, &agg.Aggregate,
@ -288,7 +353,7 @@ func TestAddOIDCApp(t *testing.T) {
 					project.NewOIDCConfigAddedEvent(ctx, &agg.Aggregate,
 						domain.OIDCVersionV1,
 						"id",
-						"clientID@project",
+						"clientID",
 						"secret",
 						nil,
 						[]domain.OIDCResponseType{domain.OIDCResponseTypeCode},
@ -434,7 +499,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 							&project.NewAggregate("project1", "org1").Aggregate,
 							domain.OIDCVersionV1,
 							"app1",
-							"client1@project",
+							"client1",
 							"secret",
 							[]string{"https://test.ch"},
 							[]domain.OIDCResponseType{domain.OIDCResponseTypeCode},
@ -488,7 +553,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 					},
 					AppID:                    "app1",
 					AppName:                  "app",
-					ClientID:                 "client1@project",
+					ClientID:                 "client1",
 					ClientSecretString:       "secret",
 					AuthMethodType:           domain.OIDCAuthMethodTypePost,
 					OIDCVersion:              domain.OIDCVersionV1,
@ -532,7 +597,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 							&project.NewAggregate("project1", "org1").Aggregate,
 							domain.OIDCVersionV1,
 							"app1",
-							"client1@project",
+							"client1",
 							"secret",
 							[]string{"https://test.ch"},
 							[]domain.OIDCResponseType{domain.OIDCResponseTypeCode},
@ -586,7 +651,7 @@ func TestCommandSide_AddOIDCApplication(t *testing.T) {
 					},
 					AppID:                    "app1",
 					AppName:                  "app",
-					ClientID:                 "client1@project",
+					ClientID:                 "client1",
 					ClientSecretString:       "secret",
 					AuthMethodType:           domain.OIDCAuthMethodTypePost,
 					OIDCVersion:              domain.OIDCVersionV1,
--- a/internal/domain/application_oauth.go
+++ b/internal/domain/application_oauth.go
@ -1,9 +1,6 @@
 package domain

 import (
-	"fmt"
-	"strings"
-
 	"github.com/zitadel/zitadel/internal/id"
 )

@ -13,9 +10,9 @@ type oAuthApplication interface {
 	requiresClientSecret() bool
 }

-// ClientID random_number@projectname (eg. 495894098234@zitadel)
-func SetNewClientID(a oAuthApplication, idGenerator id.Generator, project *Project) error {
-	clientID, err := NewClientID(idGenerator, project.Name)
+// ClientID random_number (eg. 495894098234)
+func SetNewClientID(a oAuthApplication, idGenerator id.Generator) error {
+	clientID, err := idGenerator.Next()
 	if err != nil {
 		return err
 	}
@ -24,15 +21,6 @@ func SetNewClientID(a oAuthApplication, idGenerator id.Generator, project *Proje
 	return nil
 }

-func NewClientID(idGenerator id.Generator, projectName string) (string, error) {
-	rndID, err := idGenerator.Next()
-	if err != nil {
-		return "", err
-	}
-
-	return fmt.Sprintf("%s@%s", rndID, strings.ReplaceAll(strings.ToLower(projectName), " ", "_")), nil
-}
-
 func SetNewClientSecretIfNeeded(a oAuthApplication, generate func() (encodedHash, plain string, err error)) (string, error) {
 	if !a.requiresClientSecret() {
 		return "", nil
--- a/internal/query/oidc_client_test.go
+++ b/internal/query/oidc_client_test.go
@ -21,6 +21,8 @@ var (
 	testdataOidcClientJWT string
 	//go:embed testdata/oidc_client_public.json
 	testdataOidcClientPublic string
+	//go:embed testdata/oidc_client_public_old_id.json
+	testdataOidcClientPublicOldId string
 	//go:embed testdata/oidc_client_secret.json
 	testdataOidcClientSecret string
 	//go:embed testdata/oidc_client_no_settings.json
@ -64,7 +66,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				InstanceID:               "230690539048009730",
 				AppID:                    "236647088211886082",
 				State:                    domain.AppStateActive,
-				ClientID:                 "236647088211951618@tests",
+				ClientID:                 "236647088211951618",
 				HashedSecret:             "",
 				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
 				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
@ -92,6 +94,38 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 		{
 			name: "public client",
 			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientPublic}, "instanceID", "clientID", true),
+			want: &OIDCClient{
+				InstanceID:               "230690539048009730",
+				AppID:                    "236646457053020162",
+				State:                    domain.AppStateActive,
+				ClientID:                 "236646457053085698",
+				HashedSecret:             "",
+				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
+				ResponseTypes:            []domain.OIDCResponseType{domain.OIDCResponseTypeCode},
+				GrantTypes:               []domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
+				ApplicationType:          domain.OIDCApplicationTypeWeb,
+				AuthMethodType:           domain.OIDCAuthMethodTypeNone,
+				PostLogoutRedirectURIs:   nil,
+				IsDevMode:                true,
+				AccessTokenType:          domain.OIDCTokenTypeBearer,
+				AccessTokenRoleAssertion: false,
+				IDTokenRoleAssertion:     false,
+				IDTokenUserinfoAssertion: false,
+				ClockSkew:                0,
+				AdditionalOrigins:        nil,
+				PublicKeys:               nil,
+				ProjectID:                "236645808328409090",
+				ProjectRoleAssertion:     true,
+				ProjectRoleKeys:          []string{"role1", "role2"},
+				Settings: &OIDCSettings{
+					AccessTokenLifetime: 43200000000000,
+					IdTokenLifetime:     43200000000000,
+				},
+			},
+		},
+		{
+			name: "public client",
+			mock: mockQuery(expQuery, cols, []driver.Value{testdataOidcClientPublicOldId}, "instanceID", "clientID", true),
 			want: &OIDCClient{
 				InstanceID:               "230690539048009730",
 				AppID:                    "236646457053020162",
@ -128,7 +162,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				InstanceID:               "230690539048009730",
 				AppID:                    "236646858984783874",
 				State:                    domain.AppStateActive,
-				ClientID:                 "236646858984849410@tests",
+				ClientID:                 "236646858984849410",
 				HashedSecret:             "$2a$14$OzZ0XEZZEtD13py/EPba2evsS6WcKZ5orVMj9pWHEGEHmLu2h3PFq",
 				RedirectURIs:             []string{"http://localhost:9999/auth/callback"},
 				ResponseTypes:            []domain.OIDCResponseType{0},
@ -160,7 +194,7 @@ low2kyJov38V4Uk2I8kuXpLcnrpw5Tio2ooiUE27b0vHZqBKOei9Uo88qCrn3EKx
 				InstanceID:   "239520764275982338",
 				AppID:        "239520764276441090",
 				State:        domain.AppStateActive,
-				ClientID:     "239520764779364354@zitadel",
+				ClientID:     "239520764779364354",
 				HashedSecret: "",
 				RedirectURIs: []string{
 					"http://test2-qucuh5.localhost:9000/ui/console/auth/callback",
--- a/internal/query/testdata/oidc_client_jwt.json
+++ b/internal/query/testdata/oidc_client_jwt.json
@ -2,7 +2,7 @@
  "instance_id": "230690539048009730",
  "app_id": "236647088211886082",
  "state": 1,
-  "client_id": "236647088211951618@tests",
+  "client_id": "236647088211951618",
  "client_secret": null,
  "redirect_uris": ["http://localhost:9999/auth/callback"],
  "response_types": [0],
--- a/internal/query/testdata/oidc_client_no_settings.json
+++ b/internal/query/testdata/oidc_client_no_settings.json
@ -2,7 +2,7 @@
  "instance_id": "239520764275982338",
  "app_id": "239520764276441090",
  "state": 1,
-  "client_id": "239520764779364354@zitadel",
+  "client_id": "239520764779364354",
  "client_secret": null,
  "redirect_uris": [
    "http://test2-qucuh5.localhost:9000/ui/console/auth/callback",
--- a/internal/query/testdata/oidc_client_public.json
+++ b/internal/query/testdata/oidc_client_public.json
@ -2,7 +2,7 @@
  "instance_id": "230690539048009730",
  "app_id": "236646457053020162",
  "state": 1,
-  "client_id": "236646457053085698@tests",
+  "client_id": "236646457053085698",
  "client_secret": null,
  "redirect_uris": ["http://localhost:9999/auth/callback"],
  "response_types": [0],
--- a/internal/query/testdata/oidc_client_public_old_id.json
+++ b/internal/query/testdata/oidc_client_public_old_id.json
@ -0,0 +1,28 @@
+{
+  "instance_id": "230690539048009730",
+  "app_id": "236646457053020162",
+  "state": 1,
+  "client_id": "236646457053085698@tests",
+  "client_secret": null,
+  "redirect_uris": ["http://localhost:9999/auth/callback"],
+  "response_types": [0],
+  "grant_types": [0],
+  "application_type": 0,
+  "auth_method_type": 2,
+  "post_logout_redirect_uris": null,
+  "is_dev_mode": true,
+  "access_token_type": 0,
+  "access_token_role_assertion": false,
+  "id_token_role_assertion": false,
+  "id_token_userinfo_assertion": false,
+  "clock_skew": 0,
+  "additional_origins": null,
+  "project_id": "236645808328409090",
+  "project_role_assertion": true,
+  "project_role_keys": ["role1", "role2"],
+  "public_keys": null,
+  "settings": {
+    "access_token_lifetime": 43200000000000,
+    "id_token_lifetime": 43200000000000
+  }
+}
--- a/internal/query/testdata/oidc_client_secret.json
+++ b/internal/query/testdata/oidc_client_secret.json
@ -2,7 +2,7 @@
  "instance_id": "230690539048009730",
  "app_id": "236646858984783874",
  "state": 1,
-  "client_id": "236646858984849410@tests",
+  "client_id": "236646858984849410",
  "client_secret": "$2a$14$OzZ0XEZZEtD13py/EPba2evsS6WcKZ5orVMj9pWHEGEHmLu2h3PFq",
  "redirect_uris": ["http://localhost:9999/auth/callback"],
  "response_types": [0],