feat: port reduction (#323)

* move mgmt pkg

* begin package restructure

* rename auth package to authz

* begin start api

* move auth

* move admin

* fix merge

* configs and interceptors

* interceptor

* revert generate-grpc.sh

* some cleanups

* console

* move console

* fix tests and merging

* js linting

* merge

* merging and configs

* change k8s base to current ports

* fixes

* cleanup

* regenerate proto

* remove unnecessary whitespace

* missing param

* go mod tidy

* fix merging

* move login pkg

* cleanup

* move api pkgs again

* fix pkg naming

* fix generate-static.sh for login

* update workflow

* fixes

* logging

* remove duplicate

* comment for optional gateway interfaces

* regenerate protos

* fix proto imports for grpc web

* protos

* grpc web generate

* grpc web generate

* fix changes

* add translation interceptor

* fix merging

* regenerate mgmt proto

.github/workflows/release.yml

@@ -92,12 +92,12 @@ jobs:
     - uses: actions/download-artifact@v2
       with:
         name: angular
-        path: console/dist/app
+        path: console/dist/console
     - run: go get github.com/rakyll/statik
     - run: ./build/console/generate-static.sh
-    - run: cat pkg/console/statik/statik.go
+    - run: cat internal/ui/console/statik/statik.go
     - run: ./build/login/generate-static.sh
-    - run: cat internal/login/statik/statik.go
+    - run: cat internal/ui/login/statik/statik.go
     - run: ./build/notification/generate-static.sh
     - run: cat internal/notification/statik/statik.go
     - run: ./build/zitadel/generate-static.sh

build/console/generate-grpc.sh

@@ -23,19 +23,19 @@ echo "Generate grpc"
 
 protoc \
   -I=/usr/local/include \
-  -I=../pkg/message \
+  -I=../pkg/grpc/message \
-  -I=../pkg/management/api/proto \
+  -I=../pkg/grpc/management/proto \
-  -I=../pkg/auth/api/proto \
+  -I=../pkg/grpc/auth/proto \
-  -I=../pkg/admin/api/proto \
+  -I=../pkg/grpc/admin/proto \
   -I=../internal/protoc/protoc-gen-authoption \
   -I=node_modules/google-proto-files \
   -I=tmp \
   --js_out=import_style=commonjs,binary:$GEN_PATH \
   --grpc-web_out=import_style=commonjs+dts,mode=grpcweb:$GEN_PATH \
-  ../pkg/message/*.proto \
+  ../pkg/grpc/message/proto/*.proto \
-  ../pkg/management/api/proto/*.proto \
+  ../pkg/grpc/management/proto/*.proto \
-  ../pkg/admin/api/proto/*.proto \
+  ../pkg/grpc/admin/proto/*.proto \
-  ../pkg/auth/api/proto/*.proto
+  ../pkg/grpc/auth/proto/*.proto
 
 echo "Generate annotations js file (compatibility)"
 

build/console/generate-static.sh

@@ -2,4 +2,4 @@
 
 set -eux
 
-go generate pkg/console/statik/generate.go
+go generate internal/ui/console/statik/generate.go

build/login/generate-static.sh

@@ -2,4 +2,4 @@
 
 set -eux
 
-go generate internal/login/statik/generate.go
+go generate internal/ui/login/statik/generate.go

cmd/zitadel/caos_local.sh

@@ -40,10 +40,10 @@ export SMTP_TLS=TRUE
 export CHAT_URL=$(gopass zitadel-secrets/zitadel/dev/google-chat-url)
 
 #OIDC
-export ZITADEL_ISSUER=http://localhost:50022
+export ZITADEL_ISSUER=http://localhost:50002/oauth/v2/
-export ZITADEL_ACCOUNTS=http://localhost:50031
+export ZITADEL_ACCOUNTS=http://localhost:50003/login
-export ZITADEL_AUTHORIZE=http://localhost:50022
+export ZITADEL_AUTHORIZE=http://localhost:50002/oauth/v2/
-export ZITADEL_OAUTH=http://localhost:50022
+export ZITADEL_OAUTH=http://localhost:50002/oauth/v2/
 export ZITADEL_CONSOLE=http://localhost:4200
 export CAOS_OIDC_DEV=true
 export ZITADEL_COOKIE_DOMAIN=localhost
@@ -55,7 +55,7 @@ export ZITADEL_CSRF_DEV=true
 export ZITADEL_CACHE_MAXAGE=12h
 export ZITADEL_CACHE_SHARED_MAXAGE=168h
 export ZITADEL_SHORT_CACHE_MAXAGE=5m
-export ZITADEL_SHORT_CACHE_SHARED_MAXAGE=15min
+export ZITADEL_SHORT_CACHE_SHARED_MAXAGE=15m
 
 #Console
 export ZITADEL_CONSOLE_ENV_DIR=../../console/src/assets/

cmd/zitadel/main.go

@@ -3,47 +3,59 @@ package main
 import (
 	"context"
 	"flag"
-	"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
-	"github.com/caos/zitadel/internal/authz"
-	sd "github.com/caos/zitadel/internal/config/systemdefaults"
-	"github.com/caos/zitadel/internal/login"
 
 	"github.com/caos/logging"
 
-	internal_authz "github.com/caos/zitadel/internal/api/auth"
+	admin_es "github.com/caos/zitadel/internal/admin/repository/eventsourcing"
+	"github.com/caos/zitadel/internal/api"
+	internal_authz "github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/api/grpc/admin"
+	"github.com/caos/zitadel/internal/api/grpc/auth"
+	"github.com/caos/zitadel/internal/api/grpc/management"
+	"github.com/caos/zitadel/internal/api/oidc"
+	auth_es "github.com/caos/zitadel/internal/auth/repository/eventsourcing"
+	"github.com/caos/zitadel/internal/authz"
+	authz_repo "github.com/caos/zitadel/internal/authz/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/config"
+	sd "github.com/caos/zitadel/internal/config/systemdefaults"
+	mgmt_es "github.com/caos/zitadel/internal/management/repository/eventsourcing"
 	"github.com/caos/zitadel/internal/notification"
 	tracing "github.com/caos/zitadel/internal/tracing/config"
-	"github.com/caos/zitadel/pkg/admin"
+	"github.com/caos/zitadel/internal/ui"
-	"github.com/caos/zitadel/pkg/auth"
+	"github.com/caos/zitadel/internal/ui/console"
-	"github.com/caos/zitadel/pkg/console"
+	"github.com/caos/zitadel/internal/ui/login"
-	"github.com/caos/zitadel/pkg/management"
 )
 
 type Config struct {
-	Mgmt         management.Config
-	Auth         auth.Config
-	Login        login.Config
-	AuthZ        authz.Config
-	Admin        admin.Config
-	Console      console.Config
-	Notification notification.Config
-
 	Log            logging.Config
 	Tracing        tracing.TracingConfig
 	InternalAuthZ  internal_authz.Config
 	SystemDefaults sd.SystemDefaults
+
+	AuthZ authz.Config
+	Auth  auth_es.Config
+	Admin admin_es.Config
+	Mgmt  mgmt_es.Config
+
+	API api.Config
+	UI  ui.Config
+
+	Notification notification.Config
 }
 
+var (
+	configPaths         = config.NewArrayFlags("authz.yaml", "startup.yaml", "system-defaults.yaml")
+	adminEnabled        = flag.Bool("admin", true, "enable admin api")
+	managementEnabled   = flag.Bool("management", true, "enable management api")
+	authEnabled         = flag.Bool("auth", true, "enable auth api")
+	oidcEnabled         = flag.Bool("oidc", true, "enable oidc api")
+	loginEnabled        = flag.Bool("login", true, "enable login ui")
+	consoleEnabled      = flag.Bool("console", true, "enable console ui")
+	notificationEnabled = flag.Bool("notification", true, "enable notification handler")
+)
+
 func main() {
-	configPaths := config.NewArrayFlags("authz.yaml", "startup.yaml", "system-defaults.yaml")
 	flag.Var(configPaths, "config-files", "paths to the config files")
-	managementEnabled := flag.Bool("management", true, "enable management api")
-	authEnabled := flag.Bool("auth", true, "enable auth api")
-	loginEnabled := flag.Bool("login", true, "enable login ui")
-	adminEnabled := flag.Bool("admin", true, "enable admin api")
-	consoleEnabled := flag.Bool("console", true, "enable console ui")
-	notificationEnabled := flag.Bool("notification", true, "enable notification handler")
 	flag.Parse()
 
 	conf := new(Config)
@@ -53,31 +65,58 @@ func main() {
 	ctx := context.Background()
 	authZRepo, err := authz.Start(ctx, conf.AuthZ, conf.InternalAuthZ, conf.SystemDefaults)
 	logging.Log("MAIN-s9KOw").OnError(err).Fatal("error starting authz repo")
-
+	var authRepo *auth_es.EsRepository
-	if *adminEnabled {
+	if *authEnabled || *oidcEnabled || *loginEnabled {
-		admin.Start(ctx, conf.Admin, authZRepo, conf.InternalAuthZ, conf.SystemDefaults)
+		authRepo, err = auth_es.Start(conf.Auth, conf.InternalAuthZ, conf.SystemDefaults, authZRepo)
-	}
-	if *managementEnabled {
-		management.Start(ctx, conf.Mgmt, authZRepo, conf.InternalAuthZ, conf.SystemDefaults)
-	}
-	var authRepo *eventsourcing.EsRepository
-	if *authEnabled || *loginEnabled {
-		authRepo, err = eventsourcing.Start(conf.Auth.Repository, conf.InternalAuthZ, conf.SystemDefaults, authZRepo)
 		logging.Log("MAIN-9oRw6").OnError(err).Fatal("error starting auth repo")
 	}
-	if *authEnabled {
+
-		auth.Start(ctx, conf.Auth, authZRepo, conf.InternalAuthZ, conf.SystemDefaults, authRepo)
+	startAPI(ctx, conf, authZRepo, authRepo)
-	}
+	startUI(ctx, conf, authRepo)
-	if *loginEnabled {
+
-		login.Start(ctx, conf.Login, conf.SystemDefaults, authRepo)
-	}
 	if *notificationEnabled {
 		notification.Start(ctx, conf.Notification, conf.SystemDefaults)
 	}
-	if *consoleEnabled {
+
-		err = console.Start(ctx, conf.Console)
-		logging.Log("MAIN-3Dfuc").OnError(err).Fatal("error starting console ui")
-	}
 	<-ctx.Done()
 	logging.Log("MAIN-s8d2h").Info("stopping zitadel")
 }
+
+func startUI(ctx context.Context, conf *Config, authRepo *auth_es.EsRepository) {
+	uis := ui.Create(conf.UI)
+	if *loginEnabled {
+		uis.RegisterHandler(ui.LoginHandler, login.Start(conf.UI.Login, authRepo, ui.LoginHandler).Handler())
+	}
+	if *consoleEnabled {
+		consoleHandler, err := console.Start(conf.UI.Console)
+		logging.Log("API-AGD1f").OnError(err).Fatal("error starting console")
+		uis.RegisterHandler(ui.ConsoleHandler, consoleHandler)
+	}
+	uis.Start(ctx)
+}
+
+func startAPI(ctx context.Context, conf *Config, authZRepo *authz_repo.EsRepository, authRepo *auth_es.EsRepository) {
+	apis := api.Create(conf.API, conf.InternalAuthZ, authZRepo, conf.SystemDefaults)
+	roles := make([]string, len(conf.InternalAuthZ.RolePermissionMappings))
+	for i, role := range conf.InternalAuthZ.RolePermissionMappings {
+		roles[i] = role.Role
+	}
+	if *adminEnabled {
+		adminRepo, err := admin_es.Start(ctx, conf.Admin, conf.SystemDefaults, roles)
+		logging.Log("API-D42tq").OnError(err).Fatal("error starting auth repo")
+		apis.RegisterServer(ctx, admin.CreateServer(adminRepo))
+	}
+	if *managementEnabled {
+		managementRepo, err := mgmt_es.Start(conf.Mgmt, conf.SystemDefaults, roles)
+		logging.Log("API-Gd2qq").OnError(err).Fatal("error starting management repo")
+		apis.RegisterServer(ctx, management.CreateServer(managementRepo, conf.SystemDefaults))
+	}
+	if *authEnabled {
+		apis.RegisterServer(ctx, auth.CreateServer(authRepo))
+	}
+	if *oidcEnabled {
+		op := oidc.NewProvider(ctx, conf.API.OIDC, authRepo)
+		apis.RegisterHandler("/oauth/v2", op.HttpHandler().Handler)
+	}
+	apis.Start(ctx)
+}

cmd/zitadel/startup.yaml

@@ -1,3 +1,8 @@
+Log:
+  Level: $ZITADEL_LOG_LEVEL
+  Formatter:
+    Format: text
+
 Tracing:
   Type: google
   Config:
@@ -5,19 +10,134 @@ Tracing:
     MetricPrefix: ZITADEL-V1
     Fraction: $ZITADEL_TRACING_FRACTION
 
-Log:
+AuthZ:
-  Level: $ZITADEL_LOG_LEVEL
+  Repository:
-  Formatter:
+    Eventstore:
-    Format: text
+      ServiceName: 'AuthZ'
+      Repository:
+        SQL:
+          Host: $ZITADEL_EVENTSTORE_HOST
+          Port: $ZITADEL_EVENTSTORE_PORT
+          User: 'authz'
+          Database: 'eventstore'
+          Password: $CR_AUTHZ_PASSWORD
+          SSL:
+            Mode: $CR_SSL_MODE
+            RootCert: $CR_ROOT_CERT
+            Cert: $CR_AUTHZ_CERT
+            Key: $CR_AUTHZ_KEY
+      Cache:
+        Type: 'fastcache'
+        Config:
+          MaxCacheSizeInByte: 10485760 #10mb
+    View:
+      Host: $ZITADEL_EVENTSTORE_HOST
+      Port: $ZITADEL_EVENTSTORE_PORT
+      User: 'authz'
+      Database: 'authz'
+      SSL:
+        Mode: $CR_SSL_MODE
+        RootCert: $CR_ROOT_CERT
+        Cert: $CR_AUTHZ_CERT
+        Key: $CR_AUTHZ_KEY
+    Spooler:
+      ConcurrentTasks: 1
+      BulkLimit: 100
+      FailureCountUntilSkip: 5
+
+Auth:
+  SearchLimit: 100
+  Eventstore:
+    ServiceName: 'authAPI'
+    Repository:
+      SQL:
+        Host: $ZITADEL_EVENTSTORE_HOST
+        Port: $ZITADEL_EVENTSTORE_PORT
+        User: 'auth'
+        Database: 'eventstore'
+        Password: $CR_AUTH_PASSWORD
+        SSL:
+          Mode: $CR_SSL_MODE
+          RootCert: $CR_ROOT_CERT
+          Cert: $CR_AUTH_CERT
+          Key: $CR_AUTH_KEY
+    Cache:
+      Type: 'fastcache'
+      Config:
+        MaxCacheSizeInByte: 10485760 #10mb
+  AuthRequest:
+    Connection:
+      Host: $ZITADEL_EVENTSTORE_HOST
+      Port: $ZITADEL_EVENTSTORE_PORT
+      User: 'auth'
+      Database: 'auth'
+      Password: $CR_AUTH_PASSWORD
+      SSL:
+        Mode: $CR_SSL_MODE
+        RootCert: $CR_ROOT_CERT
+        Cert: $CR_AUTH_CERT
+        Key: $CR_AUTH_KEY
+  View:
+    Host: $ZITADEL_EVENTSTORE_HOST
+    Port: $ZITADEL_EVENTSTORE_PORT
+    User: 'auth'
+    Database: 'auth'
+    Password: $CR_AUTH_PASSWORD
+    SSL:
+      Mode: $CR_SSL_MODE
+      RootCert: $CR_ROOT_CERT
+      Cert: $CR_AUTH_CERT
+      Key: $CR_AUTH_KEY
+  Spooler:
+    ConcurrentTasks: 4
+    BulkLimit: 100
+    FailureCountUntilSkip: 5
+  KeyConfig:
+    Size: 2048
+    PrivateKeyLifetime: 6h
+    PublicKeyLifetime: 30h
+    EncryptionConfig:
+      EncryptionKeyID: $ZITADEL_OIDC_KEYS_ID
+    SigningKeyRotation: 10s
+
+Admin:
+  SearchLimit: 100
+  Domain: $ZITADEL_DEFAULT_DOMAIN
+  Eventstore:
+    ServiceName: 'Admin'
+    Repository:
+      SQL:
+        Host: $ZITADEL_EVENTSTORE_HOST
+        Port: $ZITADEL_EVENTSTORE_PORT
+        User: 'admin_api'
+        Database: 'eventstore'
+        Password: $CR_ADMINAPI_PASSWORD
+        SSL:
+          Mode: $CR_SSL_MODE
+          RootCert: $CR_ROOT_CERT
+          Cert: $CR_ADMINAPI_CERT
+          Key: $CR_ADMINAPI_KEY
+    Cache:
+      Type: 'fastcache'
+      Config:
+        MaxCacheSizeInByte: 10485760 #10mb
+  View:
+    Host: $ZITADEL_EVENTSTORE_HOST
+    Port: $ZITADEL_EVENTSTORE_PORT
+    User: 'admin_api'
+    Database: 'admin_api'
+    Password: $CR_ADMINAPI_PASSWORD
+    SSL:
+      Mode: $CR_SSL_MODE
+      RootCert: $CR_ROOT_CERT
+      Cert: $CR_ADMINAPI_CERT
+      Key: $CR_ADMINAPI_KEY
+  Spooler:
+    ConcurrentTasks: 1
+    BulkLimit: 100
+    FailureCountUntilSkip: 5
 
 Mgmt:
-  API:
-    GRPC:
-      ServerPort: 50010
-      GatewayPort: 50011
-      CustomHeaders:
-        - x-zitadel-
-  Repository:
   SearchLimit: 100
   Domain: $ZITADEL_DEFAULT_DOMAIN
   Eventstore:
@@ -27,8 +147,8 @@ Mgmt:
         Host: $ZITADEL_EVENTSTORE_HOST
         Port: $ZITADEL_EVENTSTORE_PORT
         User: 'management'
-          Password: $CR_MANAGEMENT_PASSWORD
         Database: 'eventstore'
+        Password: $CR_MANAGEMENT_PASSWORD
         SSL:
           Mode: $CR_SSL_MODE
           RootCert: $CR_ROOT_CERT
@@ -42,8 +162,8 @@ Mgmt:
     Host: $ZITADEL_EVENTSTORE_HOST
     Port: $ZITADEL_EVENTSTORE_PORT
     User: 'management'
-      Password: $CR_MANAGEMENT_PASSWORD
     Database: 'management'
+    Password: $CR_MANAGEMENT_PASSWORD
     SSL:
       Mode: $CR_SSL_MODE
       RootCert: $CR_ROOT_CERT
@@ -54,18 +174,16 @@ Mgmt:
     BulkLimit: 100
     FailureCountUntilSkip: 5
 
-Auth:
 API:
   GRPC:
-      ServerPort: 50020
+    ServerPort: 50001
-      GatewayPort: 50021
+    GatewayPort: 50002
     CustomHeaders:
       - x-zitadel-
   OIDC:
     OPConfig:
       Issuer: $ZITADEL_ISSUER
       DefaultLogoutRedirectURI: $ZITADEL_ACCOUNTS/logout/done
-        Port: 50022
     StorageConfig:
       DefaultLoginURL: $ZITADEL_ACCOUNTS/login?authRequestID=
       DefaultAccessTokenLifetime: 12h
@@ -95,64 +213,11 @@ Auth:
       Keys:
         Path: 'keys'
         URL: '$ZITADEL_OAUTH/keys'
-  Repository:
-    SearchLimit: 100
-    Eventstore:
-      ServiceName: 'authAPI'
-      Repository:
-        SQL:
-          Host: $ZITADEL_EVENTSTORE_HOST
-          Port: $ZITADEL_EVENTSTORE_PORT
-          User: 'auth'
-          Password: $CR_AUTH_PASSWORD
-          Database: 'eventstore'
-          SSL:
-            Mode: $CR_SSL_MODE
-            RootCert: $CR_ROOT_CERT
-            Cert: $CR_AUTH_CERT
-            Key: $CR_AUTH_KEY
-      Cache:
-        Type: 'fastcache'
-        Config:
-          MaxCacheSizeInByte: 10485760 #10mb
-    AuthRequest:
-      Connection:
-        Host: $ZITADEL_EVENTSTORE_HOST
-        Port: $ZITADEL_EVENTSTORE_PORT
-        User: 'auth'
-        Password: $CR_AUTH_PASSWORD
-        Database: 'auth'
-        SSL:
-          Mode: $CR_SSL_MODE
-          RootCert: $CR_ROOT_CERT
-          Cert: $CR_AUTH_CERT
-          Key: $CR_AUTH_KEY
-    View:
-      Host: $ZITADEL_EVENTSTORE_HOST
-      Port: $ZITADEL_EVENTSTORE_PORT
-      User: 'auth'
-      Password: $CR_AUTH_PASSWORD
-      Database: 'auth'
-      SSL:
-        Mode: $CR_SSL_MODE
-        RootCert: $CR_ROOT_CERT
-        Cert: $CR_AUTH_CERT
-        Key: $CR_AUTH_KEY
-    Spooler:
-      ConcurrentTasks: 4
-      BulkLimit: 100
-      FailureCountUntilSkip: 5
-    KeyConfig:
-      Size: 2048
-      PrivateKeyLifetime: 6h
-      PublicKeyLifetime: 30h
-      EncryptionConfig:
-        EncryptionKeyID: $ZITADEL_OIDC_KEYS_ID
-      SigningKeyRotation: 10s
 
+UI:
+  Port: 50003
   Login:
     Handler:
-    Port: 50031
       OidcAuthCallbackURL: '$ZITADEL_AUTHORIZE/authorize/'
       ZitadelURL: '$ZITADEL_CONSOLE'
       LanguageCookieName: 'caos.zitadel.login.lang'
@@ -165,90 +230,7 @@ Login:
       Cache:
         MaxAge: $ZITADEL_CACHE_MAXAGE
         SharedMaxAge: $ZITADEL_CACHE_SHARED_MAXAGE
-
-
-AuthZ:
-  Repository:
-    Eventstore:
-      ServiceName: 'AuthZ'
-      Repository:
-        SQL:
-          Host: $ZITADEL_EVENTSTORE_HOST
-          Port: $ZITADEL_EVENTSTORE_PORT
-          User: 'authz'
-          Password: $CR_AUTHZ_PASSWORD
-          Database: 'eventstore'
-          SSL:
-            Mode: $CR_SSL_MODE
-            RootCert: $CR_ROOT_CERT
-            Cert: $CR_AUTHZ_CERT
-            Key: $CR_AUTHZ_KEY
-      Cache:
-        Type: 'fastcache'
-        Config:
-          MaxCacheSizeInByte: 10485760 #10mb
-    View:
-      Host: $ZITADEL_EVENTSTORE_HOST
-      Port: $ZITADEL_EVENTSTORE_PORT
-      User: 'authz'
-      Password: $CR_AUTHZ_PASSWORD
-      Database: 'authz'
-      SSL:
-        Mode: $CR_SSL_MODE
-        RootCert: $CR_ROOT_CERT
-        Cert: $CR_AUTHZ_CERT
-        Key: $CR_AUTHZ_KEY
-    Spooler:
-      ConcurrentTasks: 1
-      BulkLimit: 100
-      FailureCountUntilSkip: 5
-
-Admin:
-  API:
-    GRPC:
-      ServerPort: 50040
-      GatewayPort: 50041
-      CustomHeaders:
-        - x-zitadel-
-  Repository:
-    SearchLimit: 100
-    Domain: $ZITADEL_DEFAULT_DOMAIN
-    Eventstore:
-      ServiceName: 'Admin'
-      Repository:
-        SQL:
-          Host: $ZITADEL_EVENTSTORE_HOST
-          Port: $ZITADEL_EVENTSTORE_PORT
-          User: 'adminapi'
-          Password: $CR_ADMINAPI_PASSWORD
-          Database: 'eventstore'
-          SSL:
-            Mode: $CR_SSL_MODE
-            RootCert: $CR_ROOT_CERT
-            Cert: $CR_ADMINAPI_CERT
-            Key: $CR_ADMINAPI_KEY
-      Cache:
-        Type: 'fastcache'
-        Config:
-          MaxCacheSizeInByte: 10485760 #10mb
-    View:
-      Host: $ZITADEL_EVENTSTORE_HOST
-      Port: $ZITADEL_EVENTSTORE_PORT
-      User: 'adminapi'
-      Password: $CR_ADMINAPI_PASSWORD
-      Database: 'adminapi'
-      SSL:
-        Mode: $CR_SSL_MODE
-        RootCert: $CR_ROOT_CERT
-        Cert: $CR_ADMINAPI_CERT
-        Key: $CR_ADMINAPI_KEY
-    Spooler:
-      ConcurrentTasks: 1
-      BulkLimit: 100
-      FailureCountUntilSkip: 5
-
   Console:
-  Port: 50050
     EnvOverwriteDir: $ZITADEL_CONSOLE_ENV_DIR
     ShortCache:
       MaxAge: $ZITADEL_SHORT_CACHE_MAXAGE
@@ -258,7 +240,6 @@ Console:
       SharedMaxAge: $ZITADEL_CACHE_SHARED_MAXAGE
     CSPDomain: $ZITADEL_DEFAULT_DOMAIN
 
-
 Notification:
   Repository:
     DefaultLanguage: 'de'
@@ -270,8 +251,8 @@ Notification:
           Host: $ZITADEL_EVENTSTORE_HOST
           Port: $ZITADEL_EVENTSTORE_PORT
           User: 'notification'
-          Password: $CR_NOTIFICATION_PASSWORD
           Database: 'eventstore'
+          Password: $CR_NOTIFICATION_PASSWORD
           SSL:
             Mode: $CR_SSL_MODE
             RootCert: $CR_ROOT_CERT
@@ -285,8 +266,8 @@ Notification:
       Host: $ZITADEL_EVENTSTORE_HOST
       Port: $ZITADEL_EVENTSTORE_PORT
       User: 'notification'
-      Password: $CR_NOTIFICATION_PASSWORD
       Database: 'notification'
+      Password: $CR_NOTIFICATION_PASSWORD
       SSL:
         Mode: $CR_SSL_MODE
         RootCert: $CR_ROOT_CERT

console/package.json

@@ -5,7 +5,7 @@
     "ng": "ng",
     "start": "ng serve",
     "build": "ng build",
-    "prodbuild": "ng build --prod",
+    "prodbuild": "ng build --prod --base-href /console/",
     "lint": "ng lint && stylelint './projects/**/*.scss' --syntax scss",
     "postinstall": "../build/console/generate-grpc.sh"
   },

console/src/app/app.component.html

@@ -5,9 +5,9 @@
         </button>
         <a *ngIf="(isHandset$ | async) == false" class="title" [routerLink]="['/']">
             <img class="logo" *ngIf="componentCssClass == 'dark-theme'; else lighttheme"
-                src="../assets/images/zitadel-logo-oneline-darkdesign.svg" />
+                src="./assets/images/zitadel-logo-oneline-darkdesign.svg" />
             <ng-template #lighttheme>
-                <img class="logo" src="../assets/images/zitadel-logo-oneline-lightdesign.svg" />
+                <img class="logo" src="./assets/images/zitadel-logo-oneline-lightdesign.svg" />
             </ng-template>
         </a>
 

console/src/app/app.module.ts

@@ -1,5 +1,5 @@
 import { OverlayModule } from '@angular/cdk/overlay';
-import { CommonModule, registerLocaleData } from '@angular/common';
+import { APP_BASE_HREF, CommonModule, registerLocaleData, PlatformLocation } from '@angular/common';
 import { HttpClient, HttpClientModule } from '@angular/common/http';
 import localeDe from '@angular/common/locales/de';
 import { APP_INITIALIZER, NgModule } from '@angular/core';
@@ -42,7 +42,7 @@ registerLocaleData(localeDe);
 
 // AoT requires an exported function for factories
 export function HttpLoaderFactory(http: HttpClient): TranslateHttpLoader {
-    return new TranslateHttpLoader(http);
+  return new TranslateHttpLoader(http, './assets/i18n/');
 }
 
 const appInitializerFn = (grpcServ: GrpcService) => {
@@ -57,12 +57,10 @@ const stateHandlerFn = (stateHandler: StatehandlerService) => {
     };
 };
 
-export let authConfig = {
+const authConfig: AuthConfig = {
-    redirectUri: window.location.origin + '/auth/callback',
     scope: 'openid profile email', // offline_access
     responseType: 'code',
     oidc: true,
-    postLogoutRedirectUri: window.location.origin + '/signedout',
 };
 
 @NgModule({

console/src/app/pages/home/home.component.html

@@ -1,8 +1,8 @@
 <div class="wrapper">
     <div class="header">
-        <img *ngIf="dark; else lighttheme" src="../assets/images/zitadel-logo-oneline-darkdesign.svg" />
+        <img *ngIf="dark; else lighttheme" src="./assets/images/zitadel-logo-oneline-darkdesign.svg" />
         <ng-template #lighttheme>
-            <img src="../assets/images/zitadel-logo-oneline-lightdesign.svg" />
+            <img src="./assets/images/zitadel-logo-oneline-lightdesign.svg" />
         </ng-template>
     </div>
 

console/src/app/pages/signedout/signedout.component.html

@@ -1,9 +1,9 @@
 <div class="wrap">
     <div class="block">
         <div class="header">
-            <img *ngIf="dark; else lighttheme" src="../../../assets/images/zitadel-logo-oneline-darkdesign.svg" />
+            <img *ngIf="dark; else lighttheme" src="./assets/images/zitadel-logo-oneline-darkdesign.svg" />
             <ng-template #lighttheme>
-                <img src="../../../assets/images/zitadel-logo-oneline-lightdesign.svg" />
+                <img src="./assets/images/zitadel-logo-oneline-lightdesign.svg" />
             </ng-template>
             <p>{{'USER.SIGNEDOUT' | translate}}</p>
 

console/src/app/services/auth.service.ts

@@ -64,6 +64,8 @@ export class AuthService {
     public async authenticate(config?: Partial<AuthConfig>, setState: boolean = true): Promise<boolean> {
         this.config.issuer = config?.issuer || this.grpcService.issuer;
         this.config.clientId = config?.clientId || this.grpcService.clientid;
+        this.config.redirectUri = config?.redirectUri || this.grpcService.redirectUri;
+        this.config.postLogoutRedirectUri = config?.postLogoutRedirectUri || this.grpcService.postLogoutRedirectUri;
         this.config.customQueryParams = config?.customQueryParams;
         this.oauthService.configure(this.config);
         // this.oauthService.setupAutomaticSilentRefresh();

console/src/app/services/grpc.service.ts

@@ -1,5 +1,6 @@
 import { HttpClient } from '@angular/common/http';
 import { Injectable } from '@angular/core';
+import { PlatformLocation } from '@angular/common';
 
 import { AdminServicePromiseClient } from '../proto/generated/admin_grpc_web_pb';
 import { AuthServicePromiseClient } from '../proto/generated/auth_grpc_web_pb';
@@ -12,6 +13,8 @@ import { GrpcRequestFn } from './grpc-handler';
 export class GrpcService {
     public issuer: string = '';
     public clientid: string = '';
+    public redirectUri: string = '';
+    public postLogoutRedirectUri: string = '';
 
     public auth!: AuthServicePromiseClient;
     public mgmt!: ManagementServicePromiseClient;
@@ -19,10 +22,11 @@ export class GrpcService {
 
     constructor(
         private http: HttpClient,
+        private platformLocation: PlatformLocation,
     ) { }
 
     public async loadAppEnvironment(): Promise<any> {
-        return this.http.get('/assets/environment.json')
+        return this.http.get('./assets/environment.json')
             .toPromise().then((data: any) => {
                 if (data && data.authServiceUrl && data.mgmtServiceUrl && data.issuer) {
                     this.auth = new AuthServicePromiseClient(data.authServiceUrl);
@@ -32,6 +36,8 @@ export class GrpcService {
                     this.issuer = data.issuer;
                     if (data.clientid) {
                         this.clientid = data.clientid;
+                        this.redirectUri = window.location.origin + this.platformLocation.getBaseHrefFromDOM() + 'auth/callback';
+                        this.postLogoutRedirectUri = window.location.origin + this.platformLocation.getBaseHrefFromDOM() + 'signedout';
                     }
                 }
                 return Promise.resolve(data);

internal/admin/auth/token_verifier.go

@@ -1,36 +0,0 @@
-package auth
-
-import (
-	"context"
-	"github.com/caos/zitadel/internal/api/auth"
-	authz_repo "github.com/caos/zitadel/internal/authz/repository/eventsourcing"
-)
-
-const (
-	adminName = "Admin-API"
-)
-
-type TokenVerifier struct {
-	adminID   string
-	authZRepo *authz_repo.EsRepository
-}
-
-func Start(authZRepo *authz_repo.EsRepository) (v *TokenVerifier) {
-	return &TokenVerifier{authZRepo: authZRepo}
-}
-
-func (v *TokenVerifier) VerifyAccessToken(ctx context.Context, token string) (string, string, string, error) {
-	userID, clientID, agentID, err := v.authZRepo.VerifyAccessToken(ctx, token, adminName, v.adminID)
-	if clientID != "" {
-		v.adminID = clientID
-	}
-	return userID, clientID, agentID, err
-}
-
-func (v *TokenVerifier) ResolveGrant(ctx context.Context) (*auth.Grant, error) {
-	return v.authZRepo.ResolveGrants(ctx)
-}
-
-func (v *TokenVerifier) GetProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
-	return v.authZRepo.ProjectIDByClientID(ctx, clientID)
-}

internal/admin/config.go

@@ -1,4 +0,0 @@
-package admin
-
-type Config struct {
-}

internal/admin/repository/eventsourcing/eventstore/user.go

@@ -2,7 +2,8 @@ package eventstore
 
 import (
 	"context"
-	"github.com/caos/zitadel/internal/api/auth"
+
+	"github.com/caos/zitadel/internal/api/authz"
 	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
 	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	usr_model "github.com/caos/zitadel/internal/user/model"
@@ -20,11 +21,11 @@ func (repo *UserRepo) UserByID(ctx context.Context, id string) (project *usr_mod
 }
 
 func (repo *UserRepo) CreateUser(ctx context.Context, user *usr_model.User) (*usr_model.User, error) {
-	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, auth.GetCtxData(ctx).OrgID)
+	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
-	orgPolicy, err := repo.OrgEvents.GetOrgIamPolicy(ctx, auth.GetCtxData(ctx).OrgID)
+	orgPolicy, err := repo.OrgEvents.GetOrgIamPolicy(ctx, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -32,7 +33,7 @@ func (repo *UserRepo) CreateUser(ctx context.Context, user *usr_model.User) (*us
 }
 
 func (repo *UserRepo) RegisterUser(ctx context.Context, user *usr_model.User, resourceOwner string) (*usr_model.User, error) {
-	policyResourceOwner := auth.GetCtxData(ctx).OrgID
+	policyResourceOwner := authz.GetCtxData(ctx).OrgID
 	if resourceOwner != "" {
 		policyResourceOwner = resourceOwner
 	}

internal/admin/repository/eventsourcing/setup/setup.go

@@ -2,12 +2,11 @@ package setup
 
 import (
 	"context"
-	policy_model "github.com/caos/zitadel/internal/policy/model"
-	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	"time"
 
 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/api/auth"
+
+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/config/systemdefaults"
 	"github.com/caos/zitadel/internal/config/types"
 	caos_errs "github.com/caos/zitadel/internal/errors"
@@ -16,6 +15,8 @@ import (
 	iam_event "github.com/caos/zitadel/internal/iam/repository/eventsourcing"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	policy_model "github.com/caos/zitadel/internal/policy/model"
+	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	proj_model "github.com/caos/zitadel/internal/project/model"
 	proj_event "github.com/caos/zitadel/internal/project/repository/eventsourcing"
 	usr_model "github.com/caos/zitadel/internal/user/model"
@@ -208,7 +209,7 @@ func (setUp *initializer) org(ctx context.Context, org types.Org) (*org_model.Or
 	ctx = setSetUpContextData(ctx, "")
 	createOrg := &org_model.Org{
 		Name:    org.Name,
-		Domains: []*org_model.OrgDomain{&org_model.OrgDomain{Domain: org.Domain}},
+		Domains: []*org_model.OrgDomain{{Domain: org.Domain}},
 	}
 	return setUp.repos.OrgEvents.CreateOrg(ctx, createOrg)
 }
@@ -434,5 +435,5 @@ func getOIDCAuthMethod(authMethod string) proj_model.OIDCAuthMethodType {
 }
 
 func setSetUpContextData(ctx context.Context, orgID string) context.Context {
-	return auth.SetCtxData(ctx, auth.CtxData{UserID: SetupUser, OrgID: orgID})
+	return authz.SetCtxData(ctx, authz.CtxData{UserID: SetupUser, OrgID: orgID})
 }

internal/api/api.go

@@ -0,0 +1,53 @@
+package api
+
+import (
+	"context"
+	"net/http"
+
+	"google.golang.org/grpc"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/internal/api/oidc"
+	authz_es "github.com/caos/zitadel/internal/authz/repository/eventsourcing"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+)
+
+type Config struct {
+	GRPC grpc_util.Config
+	OIDC oidc.OPHandlerConfig
+}
+
+type API struct {
+	grpcServer     *grpc.Server
+	gatewayHandler *server.GatewayHandler
+	verifier       *authz.TokenVerifier
+	serverPort     string
+}
+
+func Create(config Config, authZ authz.Config, authZRepo *authz_es.EsRepository, sd systemdefaults.SystemDefaults) *API {
+	api := &API{
+		serverPort: config.GRPC.ServerPort,
+	}
+	api.verifier = authz.Start(authZRepo)
+	api.grpcServer = server.CreateServer(api.verifier, authZ, sd.DefaultLanguage)
+	api.gatewayHandler = server.CreateGatewayHandler(config.GRPC)
+
+	return api
+}
+
+func (a *API) RegisterServer(ctx context.Context, server server.Server) {
+	server.RegisterServer(a.grpcServer)
+	a.gatewayHandler.RegisterGateway(ctx, server)
+	a.verifier.RegisterServer(server.AppName(), server.MethodPrefix(), server.AuthMethods())
+}
+
+func (a *API) RegisterHandler(prefix string, handler http.Handler) {
+	a.gatewayHandler.RegisterHandler(prefix, handler)
+}
+
+func (a *API) Start(ctx context.Context) {
+	server.Serve(ctx, a.grpcServer, a.serverPort)
+	a.gatewayHandler.Serve(ctx)
+}

internal/api/auth/context.go

@@ -1,91 +0,0 @@
-package auth
-
-import (
-	"context"
-	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/api"
-	grpc_util "github.com/caos/zitadel/internal/api/grpc"
-	"google.golang.org/grpc/metadata"
-	"strconv"
-)
-
-type key int
-
-const (
-	permissionsKey key = 1
-	dataKey        key = 2
-)
-
-type CtxData struct {
-	UserID            string
-	OrgID             string
-	ProjectID         string
-	AgentID           string
-	PreferredLanguage string
-}
-
-func (ctxData CtxData) IsZero() bool {
-	return ctxData.UserID == "" || ctxData.OrgID == ""
-}
-
-type Grants []*Grant
-
-type Grant struct {
-	OrgID string
-	Roles []string
-}
-
-type TokenVerifier interface {
-	VerifyAccessToken(ctx context.Context, token string) (string, string, string, error)
-	ResolveGrant(ctx context.Context) (*Grant, error)
-	GetProjectIDByClientID(ctx context.Context, clientID string) (string, error)
-}
-
-func VerifyTokenAndWriteCtxData(ctx context.Context, token, orgID string, t TokenVerifier) (_ context.Context, err error) {
-	var userID, projectID, clientID, agentID string
-	//TODO: Remove as soon an authentification is implemented
-	if CheckInternal(ctx) {
-		userID = grpc_util.GetHeader(ctx, api.ZitadelUserID)
-		clientID = grpc_util.GetHeader(ctx, api.ZitadelClientID)
-		projectID, err = t.GetProjectIDByClientID(ctx, clientID)
-		agentID = grpc_util.GetHeader(ctx, api.ZitadelAgentID)
-
-	} else {
-		userID, clientID, agentID, err = verifyAccessToken(ctx, token, t)
-		if err != nil {
-			return nil, err
-		}
-
-		projectID, err = t.GetProjectIDByClientID(ctx, clientID)
-		logging.LogWithFields("AUTH-GfAoV", "clientID", clientID).OnError(err).Warn("could not read projectid by clientid")
-	}
-	return context.WithValue(ctx, dataKey, CtxData{UserID: userID, OrgID: orgID, ProjectID: projectID, AgentID: agentID}), nil
-}
-
-func SetCtxData(ctx context.Context, ctxData CtxData) context.Context {
-	return context.WithValue(ctx, dataKey, ctxData)
-}
-
-func GetCtxData(ctx context.Context) CtxData {
-	ctxData, _ := ctx.Value(dataKey).(CtxData)
-	return ctxData
-}
-
-func GetPermissionsFromCtx(ctx context.Context) []string {
-	ctxPermission, _ := ctx.Value(permissionsKey).([]string)
-	return ctxPermission
-}
-
-//TODO: Remove as soon an authentification is implemented
-func CheckInternal(ctx context.Context) bool {
-	md, ok := metadata.FromIncomingContext(ctx)
-	if !ok {
-		return false
-	}
-	v, ok := md[api.LoginKey]
-	if !ok {
-		return false
-	}
-	ok, _ = strconv.ParseBool(v[0])
-	return ok
-}

internal/api/auth/token.go

@@ -1,20 +0,0 @@
-package auth
-
-import (
-	"context"
-	"strings"
-
-	"github.com/caos/zitadel/internal/errors"
-)
-
-const (
-	BearerPrefix = "Bearer "
-)
-
-func verifyAccessToken(ctx context.Context, token string, t TokenVerifier) (string, string, string, error) {
-	parts := strings.Split(token, BearerPrefix)
-	if len(parts) != 2 {
-		return "", "", "", errors.ThrowUnauthenticated(nil, "AUTH-7fs1e", "invalid auth header")
-	}
-	return t.VerifyAccessToken(ctx, parts[1])
-}

internal/api/authz/authorization.go

@@ -1,4 +1,4 @@
-package auth
+package authz
 
 import (
 	"context"
@@ -13,8 +13,8 @@ const (
 	authenticated = "authenticated"
 )
 
-func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID string, verifier TokenVerifier, authConfig *Config, requiredAuthOption Option) (context.Context, error) {
+func CheckUserAuthorization(ctx context.Context, req interface{}, token, orgID string, verifier *TokenVerifier, authConfig Config, requiredAuthOption Option, method string) (context.Context, error) {
-	ctx, err := VerifyTokenAndWriteCtxData(ctx, token, orgID, verifier)
+	ctx, err := VerifyTokenAndWriteCtxData(ctx, token, orgID, verifier, method)
 	if err != nil {
 		return nil, err
 	}

internal/api/authz/authorization_test.go

@@ -1,4 +1,4 @@
-package auth
+package authz
 
 import (
 	"testing"

internal/api/authz/config.go

@@ -1,4 +1,4 @@
-package auth
+package authz
 
 type Config struct {
 	RolePermissionMappings []RoleMapping

internal/api/authz/context.go

@@ -0,0 +1,57 @@
+package authz
+
+import (
+	"context"
+
+	"github.com/caos/logging"
+)
+
+type key int
+
+const (
+	permissionsKey key = 1
+	dataKey        key = 2
+)
+
+type CtxData struct {
+	UserID            string
+	OrgID             string
+	ProjectID         string
+	AgentID           string
+	PreferredLanguage string
+}
+
+func (ctxData CtxData) IsZero() bool {
+	return ctxData.UserID == "" || ctxData.OrgID == ""
+}
+
+type Grants []*Grant
+
+type Grant struct {
+	OrgID string
+	Roles []string
+}
+
+func VerifyTokenAndWriteCtxData(ctx context.Context, token, orgID string, t *TokenVerifier, method string) (_ context.Context, err error) {
+	userID, clientID, agentID, err := verifyAccessToken(ctx, token, t, method)
+	if err != nil {
+		return nil, err
+	}
+	projectID, err := t.GetProjectIDByClientID(ctx, clientID)
+	logging.LogWithFields("AUTH-GfAoV", "clientID", clientID).OnError(err).Warn("could not read projectid by clientid")
+	return context.WithValue(ctx, dataKey, CtxData{UserID: userID, OrgID: orgID, ProjectID: projectID, AgentID: agentID}), nil
+}
+
+func SetCtxData(ctx context.Context, ctxData CtxData) context.Context {
+	return context.WithValue(ctx, dataKey, ctxData)
+}
+
+func GetCtxData(ctx context.Context) CtxData {
+	ctxData, _ := ctx.Value(dataKey).(CtxData)
+	return ctxData
+}
+
+func GetPermissionsFromCtx(ctx context.Context) []string {
+	ctxPermission, _ := ctx.Value(permissionsKey).([]string)
+	return ctxPermission
+}

internal/api/authz/context_mock.go

@@ -1,4 +1,4 @@
-package auth
+package authz
 
 import "context"
 

internal/api/authz/permissions.go

@@ -1,4 +1,4 @@
-package auth
+package authz
 
 import (
 	"context"
@@ -6,7 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/errors"
 )
 
-func getUserMethodPermissions(ctx context.Context, t TokenVerifier, requiredPerm string, authConfig *Config) (context.Context, []string, error) {
+func getUserMethodPermissions(ctx context.Context, t *TokenVerifier, requiredPerm string, authConfig Config) (context.Context, []string, error) {
 	ctxData := GetCtxData(ctx)
 	if ctxData.IsZero() {
 		return nil, nil, errors.ThrowUnauthenticated(nil, "AUTH-rKLWEH", "context missing")
@@ -22,7 +22,7 @@ func getUserMethodPermissions(ctx context.Context, t TokenVerifier, requiredPerm
 	return context.WithValue(ctx, permissionsKey, permissions), permissions, nil
 }
 
-func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig *Config) []string {
+func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig Config) []string {
 	resolvedPermissions := make([]string, 0)
 	for _, role := range grant.Roles {
 		resolvedPermissions = mapRoleToPerm(requiredPerm, role, authConfig, resolvedPermissions)
@@ -31,7 +31,7 @@ func mapGrantToPermissions(requiredPerm string, grant *Grant, authConfig *Config
 	return resolvedPermissions
 }
 
-func mapRoleToPerm(requiredPerm, actualRole string, authConfig *Config, resolvedPermissions []string) []string {
+func mapRoleToPerm(requiredPerm, actualRole string, authConfig Config, resolvedPermissions []string) []string {
 	roleName, roleContextID := SplitPermission(actualRole)
 	perms := authConfig.getPermissionsFromRole(roleName)
 

internal/api/authz/permissions_test.go

@@ -1,4 +1,4 @@
-package auth
+package authz
 
 import (
 	"context"
@@ -15,18 +15,22 @@ type testVerifier struct {
 	grant *Grant
 }
 
-func (v *testVerifier) VerifyAccessToken(ctx context.Context, token string) (string, string, string, error) {
+func (v *testVerifier) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, error) {
-	return "userID", "clientID", "agentID", nil
+	return "userID", "agentID", nil
 }
 
-func (v *testVerifier) ResolveGrant(ctx context.Context) (*Grant, error) {
+func (v *testVerifier) ResolveGrants(ctx context.Context) (*Grant, error) {
 	return v.grant, nil
 }
 
-func (v *testVerifier) GetProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
+func (v *testVerifier) ProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
 	return "", nil
 }
 
+func (v *testVerifier) VerifierClientID(ctx context.Context, appName string) (string, error) {
+	return "clientID", nil
+}
+
 func equalStringArray(a, b []string) bool {
 	if len(a) != len(b) {
 		return false
@@ -42,9 +46,9 @@ func equalStringArray(a, b []string) bool {
 func Test_GetUserMethodPermissions(t *testing.T) {
 	type args struct {
 		ctx          context.Context
-		verifier     TokenVerifier
+		verifier     *TokenVerifier
 		requiredPerm string
-		authConfig   *Config
+		authConfig   Config
 	}
 	tests := []struct {
 		name    string
@@ -57,16 +61,17 @@ func Test_GetUserMethodPermissions(t *testing.T) {
 			name: "Empty Context",
 			args: args{
 				ctx: getTestCtx("", ""),
-				verifier: &testVerifier{grant: &Grant{
+				verifier: Start(&testVerifier{grant: &Grant{
-					Roles: []string{"ORG_OWNER"}}},
+					Roles: []string{"ORG_OWNER"},
+				}}),
 				requiredPerm: "project.read",
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "IAM_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -81,15 +86,15 @@ func Test_GetUserMethodPermissions(t *testing.T) {
 			name: "No Grants",
 			args: args{
 				ctx:          getTestCtx("", ""),
-				verifier:     &testVerifier{grant: &Grant{}},
+				verifier:     Start(&testVerifier{grant: &Grant{}}),
 				requiredPerm: "project.read",
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "IAM_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -102,16 +107,17 @@ func Test_GetUserMethodPermissions(t *testing.T) {
 			name: "Get Permissions",
 			args: args{
 				ctx: getTestCtx("userID", "orgID"),
-				verifier: &testVerifier{grant: &Grant{
+				verifier: Start(&testVerifier{grant: &Grant{
-					Roles: []string{"ORG_OWNER"}}},
+					Roles: []string{"ORG_OWNER"},
+				}}),
 				requiredPerm: "project.read",
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "IAM_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -144,7 +150,7 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 	type args struct {
 		requiredPerm string
 		grant        *Grant
-		authConfig   *Config
+		authConfig   Config
 	}
 	tests := []struct {
 		name   string
@@ -156,13 +162,13 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 			args: args{
 				requiredPerm: "project.read",
 				grant:        &Grant{Roles: []string{"ORG_OWNER"}},
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "IAM_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -176,13 +182,13 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 			args: args{
 				requiredPerm: "project.write",
 				grant:        &Grant{Roles: []string{"ORG_OWNER"}},
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "IAM_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -196,13 +202,13 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 			args: args{
 				requiredPerm: "project.read",
 				grant:        &Grant{Roles: []string{"ORG_OWNER", "IAM_OWNER"}},
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "IAM_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -216,13 +222,13 @@ func Test_MapGrantsToPermissions(t *testing.T) {
 			args: args{
 				requiredPerm: "project.read",
 				grant:        &Grant{Roles: []string{"ORG_OWNER", "PROJECT_OWNER:1"}},
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "PROJECT_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -246,7 +252,7 @@ func Test_MapRoleToPerm(t *testing.T) {
 	type args struct {
 		requiredPerm        string
 		actualRole          string
-		authConfig          *Config
+		authConfig          Config
 		resolvedPermissions []string
 	}
 	tests := []struct {
@@ -259,13 +265,13 @@ func Test_MapRoleToPerm(t *testing.T) {
 			args: args{
 				requiredPerm: "project.read",
 				actualRole:   "ORG_OWNER",
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "IAM_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -280,13 +286,13 @@ func Test_MapRoleToPerm(t *testing.T) {
 			args: args{
 				requiredPerm: "project.read",
 				actualRole:   "ORG_OWNER",
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "IAM_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -301,13 +307,13 @@ func Test_MapRoleToPerm(t *testing.T) {
 			args: args{
 				requiredPerm: "project.read",
 				actualRole:   "PROJECT_OWNER:1",
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "PROJECT_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},
@@ -322,13 +328,13 @@ func Test_MapRoleToPerm(t *testing.T) {
 			args: args{
 				requiredPerm: "project.read",
 				actualRole:   "PROJECT_OWNER:1",
-				authConfig: &Config{
+				authConfig: Config{
 					RolePermissionMappings: []RoleMapping{
-						RoleMapping{
+						{
 							Role:        "PROJECT_OWNER",
 							Permissions: []string{"project.read"},
 						},
-						RoleMapping{
+						{
 							Role:        "ORG_OWNER",
 							Permissions: []string{"org.read", "project.read"},
 						},

internal/api/authz/token.go

@@ -0,0 +1,105 @@
+package authz
+
+import (
+	"context"
+	"strings"
+	"sync"
+
+	caos_errs "github.com/caos/zitadel/internal/errors"
+)
+
+const (
+	BearerPrefix = "Bearer "
+)
+
+type TokenVerifier struct {
+	authZRepo   authZRepo
+	clients     sync.Map
+	authMethods MethodMapping
+}
+
+type authZRepo interface {
+	VerifyAccessToken(ctx context.Context, token, clientID string) (userID, agentID string, err error)
+	VerifierClientID(ctx context.Context, name string) (clientID string, err error)
+	ResolveGrants(ctx context.Context) (grant *Grant, err error)
+	ProjectIDByClientID(ctx context.Context, clientID string) (projectID string, err error)
+}
+
+func Start(authZRepo authZRepo) (v *TokenVerifier) {
+	return &TokenVerifier{authZRepo: authZRepo}
+}
+
+func (v *TokenVerifier) VerifyAccessToken(ctx context.Context, token string, method string) (userID, clientID, agentID string, err error) {
+	clientID, err = v.clientIDFromMethod(ctx, method)
+	if err != nil {
+		return "", "", "", err
+	}
+	userID, agentID, err = v.authZRepo.VerifyAccessToken(ctx, token, clientID)
+	return userID, clientID, agentID, err
+}
+
+type client struct {
+	id   string
+	name string
+}
+
+func (v *TokenVerifier) RegisterServer(appName, methodPrefix string, mappings MethodMapping) {
+	v.clients.Store(methodPrefix, &client{name: appName})
+	if v.authMethods == nil {
+		v.authMethods = make(map[string]Option)
+	}
+	for method, option := range mappings {
+		v.authMethods[method] = option
+	}
+}
+
+func prefixFromMethod(method string) (string, bool) {
+	parts := strings.Split(method, "/")
+	if len(parts) < 2 {
+		return "", false
+	}
+	return parts[1], true
+}
+
+func (v *TokenVerifier) clientIDFromMethod(ctx context.Context, method string) (string, error) {
+	prefix, ok := prefixFromMethod(method)
+	if !ok {
+		return "", caos_errs.ThrowPermissionDenied(nil, "AUTHZ-GRD2Q", "Errors.Internal")
+	}
+	app, ok := v.clients.Load(prefix)
+	if !ok {
+		return "", caos_errs.ThrowPermissionDenied(nil, "AUTHZ-G2qrh", "Errors.Internal")
+	}
+	var err error
+	c := app.(*client)
+	if c.id != "" {
+		return c.id, nil
+	}
+	c.id, err = v.authZRepo.VerifierClientID(ctx, c.name)
+	if err != nil {
+		return "", caos_errs.ThrowPermissionDenied(err, "AUTHZ-ptTIF2", "Errors.Internal")
+	}
+	v.clients.Store(prefix, c)
+	return c.id, nil
+}
+
+func (v *TokenVerifier) ResolveGrant(ctx context.Context) (*Grant, error) {
+	return v.authZRepo.ResolveGrants(ctx)
+}
+
+func (v *TokenVerifier) GetProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
+	return v.authZRepo.ProjectIDByClientID(ctx, clientID)
+}
+
+func (v *TokenVerifier) CheckAuthMethod(method string) (Option, bool) {
+	authOpt, ok := v.authMethods[method]
+	return authOpt, ok
+}
+
+func verifyAccessToken(ctx context.Context, token string, t *TokenVerifier, method string) (userID, clientID, agentID string, err error) {
+	parts := strings.Split(token, BearerPrefix)
+	if len(parts) != 2 {
+		return "", "", "", caos_errs.ThrowUnauthenticated(nil, "AUTH-7fs1e", "invalid auth header")
+	}
+	return t.VerifyAccessToken(ctx, parts[1], method)
+}

internal/api/authz/token_test.go

@@ -1,7 +1,8 @@
-package auth
+package authz
 
 import (
 	"context"
+	"sync"
 	"testing"
 
 	"github.com/caos/zitadel/internal/errors"
@@ -12,7 +13,8 @@ func Test_VerifyAccessToken(t *testing.T) {
 	type args struct {
 		ctx      context.Context
 		token    string
-		verifier *testVerifier
+		verifier *TokenVerifier
+		method   string
 	}
 	tests := []struct {
 		name    string
@@ -40,13 +42,23 @@ func Test_VerifyAccessToken(t *testing.T) {
 			args: args{
 				ctx:   context.Background(),
 				token: "Bearer AUTH",
+				verifier: &TokenVerifier{
+					authZRepo: &testVerifier{grant: &Grant{}},
+					clients: func() sync.Map {
+						m := sync.Map{}
+						m.Store("service", &client{name: "name"})
+						return m
+					}(),
+					authMethods: MethodMapping{"/service/method": Option{Permission: "authenticated"}},
+				},
+				method: "/service/method",
 			},
 			wantErr: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, _, _, err := verifyAccessToken(tt.args.ctx, tt.args.token, tt.args.verifier)
+			_, _, _, err := verifyAccessToken(tt.args.ctx, tt.args.token, tt.args.verifier, tt.args.method)
 			if tt.wantErr && err == nil {
 				t.Errorf("got wrong result, should get err: actual: %v ", err)
 			}

internal/api/grpc/admin/administrator.go

@@ -1,33 +1,36 @@
-package grpc
+package admin
 
 import (
 	"context"
-	view_model "github.com/caos/zitadel/internal/view/model"
+
 	"github.com/golang/protobuf/ptypes/empty"
+
+	view_model "github.com/caos/zitadel/internal/view/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
 )
 
-func (s *Server) GetViews(ctx context.Context, _ *empty.Empty) (_ *Views, err error) {
+func (s *Server) GetViews(ctx context.Context, _ *empty.Empty) (_ *admin.Views, err error) {
 	views, err := s.administrator.GetViews(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return &Views{Views: viewsFromModel(views)}, nil
+	return &admin.Views{Views: viewsFromModel(views)}, nil
 }
 
-func (s *Server) ClearView(ctx context.Context, viewID *ViewID) (_ *empty.Empty, err error) {
+func (s *Server) ClearView(ctx context.Context, viewID *admin.ViewID) (_ *empty.Empty, err error) {
 	err = s.administrator.ClearView(ctx, viewID.Database, viewID.ViewName)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) GetFailedEvents(ctx context.Context, _ *empty.Empty) (_ *FailedEvents, err error) {
+func (s *Server) GetFailedEvents(ctx context.Context, _ *empty.Empty) (_ *admin.FailedEvents, err error) {
 	failedEvents, err := s.administrator.GetFailedEvents(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return &FailedEvents{FailedEvents: failedEventsFromModel(failedEvents)}, nil
+	return &admin.FailedEvents{FailedEvents: failedEventsFromModel(failedEvents)}, nil
 }
 
-func (s *Server) RemoveFailedEvent(ctx context.Context, failedEventID *FailedEventID) (_ *empty.Empty, err error) {
+func (s *Server) RemoveFailedEvent(ctx context.Context, failedEventID *admin.FailedEventID) (_ *empty.Empty, err error) {
 	err = s.administrator.RemoveFailedEvent(ctx, &view_model.FailedEvent{Database: failedEventID.Database, ViewName: failedEventID.ViewName, FailedSequence: failedEventID.FailedSequence})
 	return &empty.Empty{}, err
 }

internal/api/grpc/admin/administrator_converter.go

@@ -1,11 +1,12 @@
-package grpc
+package admin
 
 import (
 	view_model "github.com/caos/zitadel/internal/view/model"
+	"github.com/caos/zitadel/pkg/grpc/admin"
 )
 
-func viewsFromModel(views []*view_model.View) []*View {
+func viewsFromModel(views []*view_model.View) []*admin.View {
-	result := make([]*View, len(views))
+	result := make([]*admin.View, len(views))
 	for i, view := range views {
 		result[i] = viewFromModel(view)
 	}
@@ -13,8 +14,8 @@ func viewsFromModel(views []*view_model.View) []*View {
 	return result
 }
 
-func failedEventsFromModel(failedEvents []*view_model.FailedEvent) []*FailedEvent {
+func failedEventsFromModel(failedEvents []*view_model.FailedEvent) []*admin.FailedEvent {
-	result := make([]*FailedEvent, len(failedEvents))
+	result := make([]*admin.FailedEvent, len(failedEvents))
 	for i, view := range failedEvents {
 		result[i] = failedEventFromModel(view)
 	}
@@ -22,16 +23,16 @@ func failedEventsFromModel(failedEvents []*view_model.FailedEvent) []*FailedEven
 	return result
 }
 
-func viewFromModel(view *view_model.View) *View {
+func viewFromModel(view *view_model.View) *admin.View {
-	return &View{
+	return &admin.View{
 		Database: view.Database,
 		ViewName: view.ViewName,
 		Sequence: view.CurrentSequence,
 	}
 }
 
-func failedEventFromModel(failedEvent *view_model.FailedEvent) *FailedEvent {
+func failedEventFromModel(failedEvent *view_model.FailedEvent) *admin.FailedEvent {
-	return &FailedEvent{
+	return &admin.FailedEvent{
 		Database:       failedEvent.Database,
 		ViewName:       failedEvent.ViewName,
 		FailedSequence: failedEvent.FailedSequence,

internal/api/grpc/admin/iam_member.go

@@ -1,16 +1,18 @@
-package grpc
+package admin
 
 import (
 	"context"
 
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/admin"
 )
 
-func (s *Server) GetIamMemberRoles(ctx context.Context, _ *empty.Empty) (*IamMemberRoles, error) {
+func (s *Server) GetIamMemberRoles(ctx context.Context, _ *empty.Empty) (*admin.IamMemberRoles, error) {
-	return &IamMemberRoles{Roles: s.iam.GetIamMemberRoles()}, nil
+	return &admin.IamMemberRoles{Roles: s.iam.GetIamMemberRoles()}, nil
 }
 
-func (s *Server) SearchIamMembers(ctx context.Context, in *IamMemberSearchRequest) (*IamMemberSearchResponse, error) {
+func (s *Server) SearchIamMembers(ctx context.Context, in *admin.IamMemberSearchRequest) (*admin.IamMemberSearchResponse, error) {
 	members, err := s.iam.SearchIamMembers(ctx, iamMemberSearchRequestToModel(in))
 	if err != nil {
 		return nil, err
@@ -18,7 +20,7 @@ func (s *Server) SearchIamMembers(ctx context.Context, in *IamMemberSearchReques
 	return iamMemberSearchResponseFromModel(members), nil
 }
 
-func (s *Server) AddIamMember(ctx context.Context, member *AddIamMemberRequest) (*IamMember, error) {
+func (s *Server) AddIamMember(ctx context.Context, member *admin.AddIamMemberRequest) (*admin.IamMember, error) {
 	addedMember, err := s.iam.AddIamMember(ctx, addIamMemberToModel(member))
 	if err != nil {
 		return nil, err
@@ -27,7 +29,7 @@ func (s *Server) AddIamMember(ctx context.Context, member *AddIamMemberRequest)
 	return iamMemberFromModel(addedMember), nil
 }
 
-func (s *Server) ChangeIamMember(ctx context.Context, member *ChangeIamMemberRequest) (*IamMember, error) {
+func (s *Server) ChangeIamMember(ctx context.Context, member *admin.ChangeIamMemberRequest) (*admin.IamMember, error) {
 	changedMember, err := s.iam.ChangeIamMember(ctx, changeIamMemberToModel(member))
 	if err != nil {
 		return nil, err
@@ -35,7 +37,7 @@ func (s *Server) ChangeIamMember(ctx context.Context, member *ChangeIamMemberReq
 	return iamMemberFromModel(changedMember), nil
 }
 
-func (s *Server) RemoveIamMember(ctx context.Context, member *RemoveIamMemberRequest) (*empty.Empty, error) {
+func (s *Server) RemoveIamMember(ctx context.Context, member *admin.RemoveIamMemberRequest) (*empty.Empty, error) {
 	err := s.iam.RemoveIamMember(ctx, member.UserId)
 	return &empty.Empty{}, err
 }

internal/api/grpc/admin/iam_member_converter.go

@@ -1,13 +1,15 @@
-package grpc
+package admin
 
 import (
 	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/admin"
 )
 
-func addIamMemberToModel(member *AddIamMemberRequest) *iam_model.IamMember {
+func addIamMemberToModel(member *admin.AddIamMemberRequest) *iam_model.IamMember {
 	memberModel := &iam_model.IamMember{
 		UserID: member.UserId,
 	}
@@ -16,7 +18,7 @@ func addIamMemberToModel(member *AddIamMemberRequest) *iam_model.IamMember {
 	return memberModel
 }
 
-func changeIamMemberToModel(member *ChangeIamMemberRequest) *iam_model.IamMember {
+func changeIamMemberToModel(member *admin.ChangeIamMemberRequest) *iam_model.IamMember {
 	memberModel := &iam_model.IamMember{
 		UserID: member.UserId,
 	}
@@ -25,14 +27,14 @@ func changeIamMemberToModel(member *ChangeIamMemberRequest) *iam_model.IamMember
 	return memberModel
 }
 
-func iamMemberFromModel(member *iam_model.IamMember) *IamMember {
+func iamMemberFromModel(member *iam_model.IamMember) *admin.IamMember {
 	creationDate, err := ptypes.TimestampProto(member.CreationDate)
 	logging.Log("GRPC-Lsp76").OnError(err).Debug("date parse failed")
 
 	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
 	logging.Log("GRPC-3fG5s").OnError(err).Debug("date parse failed")
 
-	return &IamMember{
+	return &admin.IamMember{
 		UserId:       member.UserID,
 		CreationDate: creationDate,
 		ChangeDate:   changeDate,
@@ -41,7 +43,7 @@ func iamMemberFromModel(member *iam_model.IamMember) *IamMember {
 	}
 }
 
-func iamMemberSearchRequestToModel(request *IamMemberSearchRequest) *iam_model.IamMemberSearchRequest {
+func iamMemberSearchRequestToModel(request *admin.IamMemberSearchRequest) *iam_model.IamMemberSearchRequest {
 	return &iam_model.IamMemberSearchRequest{
 		Limit:   request.Limit,
 		Offset:  request.Offset,
@@ -49,7 +51,7 @@ func iamMemberSearchRequestToModel(request *IamMemberSearchRequest) *iam_model.I
 	}
 }
 
-func iamMemberSearchQueriesToModel(queries []*IamMemberSearchQuery) []*iam_model.IamMemberSearchQuery {
+func iamMemberSearchQueriesToModel(queries []*admin.IamMemberSearchQuery) []*iam_model.IamMemberSearchQuery {
 	modelQueries := make([]*iam_model.IamMemberSearchQuery, len(queries))
 	for i, query := range queries {
 		modelQueries[i] = iamMemberSearchQueryToModel(query)
@@ -58,7 +60,7 @@ func iamMemberSearchQueriesToModel(queries []*IamMemberSearchQuery) []*iam_model
 	return modelQueries
 }
 
-func iamMemberSearchQueryToModel(query *IamMemberSearchQuery) *iam_model.IamMemberSearchQuery {
+func iamMemberSearchQueryToModel(query *admin.IamMemberSearchQuery) *iam_model.IamMemberSearchQuery {
 	return &iam_model.IamMemberSearchQuery{
 		Key:    iamMemberSearchKeyToModel(query.Key),
 		Method: iamMemberSearchMethodToModel(query.Method),
@@ -66,50 +68,50 @@ func iamMemberSearchQueryToModel(query *IamMemberSearchQuery) *iam_model.IamMemb
 	}
 }
 
-func iamMemberSearchKeyToModel(key IamMemberSearchKey) iam_model.IamMemberSearchKey {
+func iamMemberSearchKeyToModel(key admin.IamMemberSearchKey) iam_model.IamMemberSearchKey {
 	switch key {
-	case IamMemberSearchKey_IAMMEMBERSEARCHKEY_EMAIL:
+	case admin.IamMemberSearchKey_IAMMEMBERSEARCHKEY_EMAIL:
 		return iam_model.IamMemberSearchKeyEmail
-	case IamMemberSearchKey_IAMMEMBERSEARCHKEY_FIRST_NAME:
+	case admin.IamMemberSearchKey_IAMMEMBERSEARCHKEY_FIRST_NAME:
 		return iam_model.IamMemberSearchKeyFirstName
-	case IamMemberSearchKey_IAMMEMBERSEARCHKEY_LAST_NAME:
+	case admin.IamMemberSearchKey_IAMMEMBERSEARCHKEY_LAST_NAME:
 		return iam_model.IamMemberSearchKeyLastName
-	case IamMemberSearchKey_IAMMEMBERSEARCHKEY_USER_ID:
+	case admin.IamMemberSearchKey_IAMMEMBERSEARCHKEY_USER_ID:
 		return iam_model.IamMemberSearchKeyUserID
 	default:
 		return iam_model.IamMemberSearchKeyUnspecified
 	}
 }
 
-func iamMemberSearchMethodToModel(key SearchMethod) model.SearchMethod {
+func iamMemberSearchMethodToModel(key admin.SearchMethod) model.SearchMethod {
 	switch key {
-	case SearchMethod_SEARCHMETHOD_CONTAINS:
+	case admin.SearchMethod_SEARCHMETHOD_CONTAINS:
 		return model.SearchMethodContains
-	case SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
+	case admin.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
 		return model.SearchMethodContainsIgnoreCase
-	case SearchMethod_SEARCHMETHOD_EQUALS:
+	case admin.SearchMethod_SEARCHMETHOD_EQUALS:
 		return model.SearchMethodEquals
-	case SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
+	case admin.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
 		return model.SearchMethodEqualsIgnoreCase
-	case SearchMethod_SEARCHMETHOD_STARTS_WITH:
+	case admin.SearchMethod_SEARCHMETHOD_STARTS_WITH:
 		return model.SearchMethodStartsWith
-	case SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
+	case admin.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
 		return model.SearchMethodStartsWithIgnoreCase
 	default:
 		return -1
 	}
 }
 
-func iamMemberSearchResponseFromModel(resp *iam_model.IamMemberSearchResponse) *IamMemberSearchResponse {
+func iamMemberSearchResponseFromModel(resp *iam_model.IamMemberSearchResponse) *admin.IamMemberSearchResponse {
-	return &IamMemberSearchResponse{
+	return &admin.IamMemberSearchResponse{
 		Limit:       resp.Limit,
 		Offset:      resp.Offset,
 		TotalResult: resp.TotalResult,
 		Result:      iamMembersFromView(resp.Result),
 	}
 }
-func iamMembersFromView(viewMembers []*iam_model.IamMemberView) []*IamMemberView {
+func iamMembersFromView(viewMembers []*iam_model.IamMemberView) []*admin.IamMemberView {
-	members := make([]*IamMemberView, len(viewMembers))
+	members := make([]*admin.IamMemberView, len(viewMembers))
 
 	for i, member := range viewMembers {
 		members[i] = iamMemberFromView(member)
@@ -118,13 +120,13 @@ func iamMembersFromView(viewMembers []*iam_model.IamMemberView) []*IamMemberView
 	return members
 }
 
-func iamMemberFromView(member *iam_model.IamMemberView) *IamMemberView {
+func iamMemberFromView(member *iam_model.IamMemberView) *admin.IamMemberView {
 	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
 	logging.Log("GRPC-Lso9c").OnError(err).Debug("unable to parse changedate")
 	creationDate, err := ptypes.TimestampProto(member.CreationDate)
 	logging.Log("GRPC-6szE").OnError(err).Debug("unable to parse creation date")
 
-	return &IamMemberView{
+	return &admin.IamMemberView{
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		Roles:        member.Roles,

internal/api/grpc/admin/org.go

@@ -1,11 +1,14 @@
-package grpc
+package admin
 
 import (
 	"context"
+
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/admin"
 )
 
-func (s *Server) GetOrgByID(ctx context.Context, orgID *OrgID) (_ *Org, err error) {
+func (s *Server) GetOrgByID(ctx context.Context, orgID *admin.OrgID) (_ *admin.Org, err error) {
 	org, err := s.org.OrgByID(ctx, orgID.Id)
 	if err != nil {
 		return nil, err
@@ -13,12 +16,12 @@ func (s *Server) GetOrgByID(ctx context.Context, orgID *OrgID) (_ *Org, err erro
 	return orgFromModel(org), nil
 }
 
-func (s *Server) SearchOrgs(ctx context.Context, request *OrgSearchRequest) (_ *OrgSearchResponse, err error) {
+func (s *Server) SearchOrgs(ctx context.Context, request *admin.OrgSearchRequest) (_ *admin.OrgSearchResponse, err error) {
 	result, err := s.org.SearchOrgs(ctx, orgSearchRequestToModel(request))
 	if err != nil {
 		return nil, err
 	}
-	return &OrgSearchResponse{
+	return &admin.OrgSearchResponse{
 		Result:      orgViewsFromModel(result.Result),
 		Limit:       request.Limit,
 		Offset:      request.Offset,
@@ -26,13 +29,13 @@ func (s *Server) SearchOrgs(ctx context.Context, request *OrgSearchRequest) (_ *
 	}, nil
 }
 
-func (s *Server) IsOrgUnique(ctx context.Context, request *UniqueOrgRequest) (org *UniqueOrgResponse, err error) {
+func (s *Server) IsOrgUnique(ctx context.Context, request *admin.UniqueOrgRequest) (org *admin.UniqueOrgResponse, err error) {
 	isUnique, err := s.org.IsOrgUnique(ctx, request.Name, request.Domain)
 
-	return &UniqueOrgResponse{IsUnique: isUnique}, err
+	return &admin.UniqueOrgResponse{IsUnique: isUnique}, err
 }
 
-func (s *Server) SetUpOrg(ctx context.Context, orgSetUp *OrgSetUpRequest) (_ *OrgSetUpResponse, err error) {
+func (s *Server) SetUpOrg(ctx context.Context, orgSetUp *admin.OrgSetUpRequest) (_ *admin.OrgSetUpResponse, err error) {
 	setUp, err := s.org.SetUpOrg(ctx, setUpRequestToModel(orgSetUp))
 	if err != nil {
 		return nil, err
@@ -40,7 +43,7 @@ func (s *Server) SetUpOrg(ctx context.Context, orgSetUp *OrgSetUpRequest) (_ *Or
 	return setUpOrgResponseFromModel(setUp), err
 }
 
-func (s *Server) GetOrgIamPolicy(ctx context.Context, in *OrgIamPolicyID) (_ *OrgIamPolicy, err error) {
+func (s *Server) GetOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *admin.OrgIamPolicy, err error) {
 	policy, err := s.org.GetOrgIamPolicyByID(ctx, in.OrgId)
 	if err != nil {
 		return nil, err
@@ -48,7 +51,7 @@ func (s *Server) GetOrgIamPolicy(ctx context.Context, in *OrgIamPolicyID) (_ *Or
 	return orgIamPolicyFromModel(policy), err
 }
 
-func (s *Server) CreateOrgIamPolicy(ctx context.Context, in *OrgIamPolicyRequest) (_ *OrgIamPolicy, err error) {
+func (s *Server) CreateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
 	policy, err := s.org.CreateOrgIamPolicy(ctx, orgIamPolicyRequestToModel(in))
 	if err != nil {
 		return nil, err
@@ -56,7 +59,7 @@ func (s *Server) CreateOrgIamPolicy(ctx context.Context, in *OrgIamPolicyRequest
 	return orgIamPolicyFromModel(policy), err
 }
 
-func (s *Server) UpdateOrgIamPolicy(ctx context.Context, in *OrgIamPolicyRequest) (_ *OrgIamPolicy, err error) {
+func (s *Server) UpdateOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyRequest) (_ *admin.OrgIamPolicy, err error) {
 	policy, err := s.org.ChangeOrgIamPolicy(ctx, orgIamPolicyRequestToModel(in))
 	if err != nil {
 		return nil, err
@@ -64,7 +67,7 @@ func (s *Server) UpdateOrgIamPolicy(ctx context.Context, in *OrgIamPolicyRequest
 	return orgIamPolicyFromModel(policy), err
 }
 
-func (s *Server) DeleteOrgIamPolicy(ctx context.Context, in *OrgIamPolicyID) (_ *empty.Empty, err error) {
+func (s *Server) DeleteOrgIamPolicy(ctx context.Context, in *admin.OrgIamPolicyID) (_ *empty.Empty, err error) {
 	err = s.org.RemoveOrgIamPolicy(ctx, in.OrgId)
 	return &empty.Empty{}, err
 }

internal/api/grpc/admin/org_converter.go

@@ -1,24 +1,26 @@
-package grpc
+package admin
 
 import (
 	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+	"golang.org/x/text/language"
+
 	admin_model "github.com/caos/zitadel/internal/admin/model"
 	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	usr_model "github.com/caos/zitadel/internal/user/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/admin"
-	"golang.org/x/text/language"
 )
 
-func setUpRequestToModel(setUp *OrgSetUpRequest) *admin_model.SetupOrg {
+func setUpRequestToModel(setUp *admin.OrgSetUpRequest) *admin_model.SetupOrg {
 	return &admin_model.SetupOrg{
 		Org:  orgCreateRequestToModel(setUp.Org),
 		User: userCreateRequestToModel(setUp.User),
 	}
 }
 
-func orgCreateRequestToModel(org *CreateOrgRequest) *org_model.Org {
+func orgCreateRequestToModel(org *admin.CreateOrgRequest) *org_model.Org {
 	o := &org_model.Org{
 		Domains: []*org_model.OrgDomain{},
 		Name:    org.Name,
@@ -30,7 +32,7 @@ func orgCreateRequestToModel(org *CreateOrgRequest) *org_model.Org {
 	return o
 }
 
-func userCreateRequestToModel(user *CreateUserRequest) *usr_model.User {
+func userCreateRequestToModel(user *admin.CreateUserRequest) *usr_model.User {
 	preferredLanguage, err := language.Parse(user.PreferredLanguage)
 	logging.Log("GRPC-30hwz").OnError(err).Debug("unable to parse language")
 	result := &usr_model.User{
@@ -63,15 +65,15 @@ func userCreateRequestToModel(user *CreateUserRequest) *usr_model.User {
 	return result
 }
 
-func setUpOrgResponseFromModel(setUp *admin_model.SetupOrg) *OrgSetUpResponse {
+func setUpOrgResponseFromModel(setUp *admin_model.SetupOrg) *admin.OrgSetUpResponse {
-	return &OrgSetUpResponse{
+	return &admin.OrgSetUpResponse{
 		Org:  orgFromModel(setUp.Org),
 		User: userFromModel(setUp.User),
 	}
 }
 
-func orgViewsFromModel(orgs []*org_model.OrgView) []*Org {
+func orgViewsFromModel(orgs []*org_model.OrgView) []*admin.Org {
-	result := make([]*Org, len(orgs))
+	result := make([]*admin.Org, len(orgs))
 	for i, org := range orgs {
 		result[i] = orgViewFromModel(org)
 	}
@@ -79,14 +81,14 @@ func orgViewsFromModel(orgs []*org_model.OrgView) []*Org {
 	return result
 }
 
-func orgFromModel(org *org_model.Org) *Org {
+func orgFromModel(org *org_model.Org) *admin.Org {
 	creationDate, err := ptypes.TimestampProto(org.CreationDate)
 	logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time")
 
 	changeDate, err := ptypes.TimestampProto(org.ChangeDate)
 	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")
 
-	return &Org{
+	return &admin.Org{
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		Id:           org.AggregateID,
@@ -95,14 +97,14 @@ func orgFromModel(org *org_model.Org) *Org {
 	}
 }
 
-func orgViewFromModel(org *org_model.OrgView) *Org {
+func orgViewFromModel(org *org_model.OrgView) *admin.Org {
 	creationDate, err := ptypes.TimestampProto(org.CreationDate)
 	logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time")
 
 	changeDate, err := ptypes.TimestampProto(org.ChangeDate)
 	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")
 
-	return &Org{
+	return &admin.Org{
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		Id:           org.ID,
@@ -111,14 +113,14 @@ func orgViewFromModel(org *org_model.OrgView) *Org {
 	}
 }
 
-func userFromModel(user *usr_model.User) *User {
+func userFromModel(user *usr_model.User) *admin.User {
 	creationDate, err := ptypes.TimestampProto(user.CreationDate)
 	logging.Log("GRPC-8duwe").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(user.ChangeDate)
 	logging.Log("GRPC-ckoe3d").OnError(err).Debug("unable to parse timestamp")
 
-	converted := &User{
+	converted := &admin.User{
 		Id:                user.AggregateID,
 		State:             userStateFromModel(user.State),
 		CreationDate:      creationDate,
@@ -150,57 +152,57 @@ func userFromModel(user *usr_model.User) *User {
 	return converted
 }
 
-func orgStateFromModel(state org_model.OrgState) OrgState {
+func orgStateFromModel(state org_model.OrgState) admin.OrgState {
 	switch state {
 	case org_model.OrgStateActive:
-		return OrgState_ORGSTATE_ACTIVE
+		return admin.OrgState_ORGSTATE_ACTIVE
 	case org_model.OrgStateInactive:
-		return OrgState_ORGSTATE_INACTIVE
+		return admin.OrgState_ORGSTATE_INACTIVE
 	default:
-		return OrgState_ORGSTATE_UNSPECIFIED
+		return admin.OrgState_ORGSTATE_UNSPECIFIED
 	}
 }
 
-func genderFromModel(gender usr_model.Gender) Gender {
+func genderFromModel(gender usr_model.Gender) admin.Gender {
 	switch gender {
 	case usr_model.GenderFemale:
-		return Gender_GENDER_FEMALE
+		return admin.Gender_GENDER_FEMALE
 	case usr_model.GenderMale:
-		return Gender_GENDER_MALE
+		return admin.Gender_GENDER_MALE
 	case usr_model.GenderDiverse:
-		return Gender_GENDER_DIVERSE
+		return admin.Gender_GENDER_DIVERSE
 	default:
-		return Gender_GENDER_UNSPECIFIED
+		return admin.Gender_GENDER_UNSPECIFIED
 	}
 }
 
-func genderToModel(gender Gender) usr_model.Gender {
+func genderToModel(gender admin.Gender) usr_model.Gender {
 	switch gender {
-	case Gender_GENDER_FEMALE:
+	case admin.Gender_GENDER_FEMALE:
 		return usr_model.GenderFemale
-	case Gender_GENDER_MALE:
+	case admin.Gender_GENDER_MALE:
 		return usr_model.GenderMale
-	case Gender_GENDER_DIVERSE:
+	case admin.Gender_GENDER_DIVERSE:
 		return usr_model.GenderDiverse
 	default:
 		return usr_model.GenderUnspecified
 	}
 }
 
-func userStateFromModel(state usr_model.UserState) UserState {
+func userStateFromModel(state usr_model.UserState) admin.UserState {
 	switch state {
 	case usr_model.UserStateActive:
-		return UserState_USERSTATE_ACTIVE
+		return admin.UserState_USERSTATE_ACTIVE
 	case usr_model.UserStateInactive:
-		return UserState_USERSTATE_INACTIVE
+		return admin.UserState_USERSTATE_INACTIVE
 	case usr_model.UserStateLocked:
-		return UserState_USERSTATE_LOCKED
+		return admin.UserState_USERSTATE_LOCKED
 	default:
-		return UserState_USERSTATE_UNSPECIFIED
+		return admin.UserState_USERSTATE_UNSPECIFIED
 	}
 }
 
-func orgSearchRequestToModel(req *OrgSearchRequest) *org_model.OrgSearchRequest {
+func orgSearchRequestToModel(req *admin.OrgSearchRequest) *org_model.OrgSearchRequest {
 	return &org_model.OrgSearchRequest{
 		Limit:         req.Limit,
 		Asc:           req.Asc,
@@ -210,7 +212,7 @@ func orgSearchRequestToModel(req *OrgSearchRequest) *org_model.OrgSearchRequest
 	}
 }
 
-func orgQueriesToModel(queries []*OrgSearchQuery) []*org_model.OrgSearchQuery {
+func orgQueriesToModel(queries []*admin.OrgSearchQuery) []*org_model.OrgSearchQuery {
 	modelQueries := make([]*org_model.OrgSearchQuery, len(queries))
 
 	for i, query := range queries {
@@ -220,7 +222,7 @@ func orgQueriesToModel(queries []*OrgSearchQuery) []*org_model.OrgSearchQuery {
 	return modelQueries
 }
 
-func orgQueryToModel(query *OrgSearchQuery) *org_model.OrgSearchQuery {
+func orgQueryToModel(query *admin.OrgSearchQuery) *org_model.OrgSearchQuery {
 	return &org_model.OrgSearchQuery{
 		Key:    orgQueryKeyToModel(query.Key),
 		Value:  query.Value,
@@ -228,40 +230,40 @@ func orgQueryToModel(query *OrgSearchQuery) *org_model.OrgSearchQuery {
 	}
 }
 
-func orgQueryKeyToModel(key OrgSearchKey) org_model.OrgSearchKey {
+func orgQueryKeyToModel(key admin.OrgSearchKey) org_model.OrgSearchKey {
 	switch key {
-	case OrgSearchKey_ORGSEARCHKEY_DOMAIN:
+	case admin.OrgSearchKey_ORGSEARCHKEY_DOMAIN:
 		return org_model.OrgSearchKeyOrgDomain
-	case OrgSearchKey_ORGSEARCHKEY_ORG_NAME:
+	case admin.OrgSearchKey_ORGSEARCHKEY_ORG_NAME:
 		return org_model.OrgSearchKeyOrgName
-	case OrgSearchKey_ORGSEARCHKEY_STATE:
+	case admin.OrgSearchKey_ORGSEARCHKEY_STATE:
 		return org_model.OrgSearchKeyState
 	default:
 		return org_model.OrgSearchKeyUnspecified
 	}
 }
 
-func orgQueryMethodToModel(method OrgSearchMethod) model.SearchMethod {
+func orgQueryMethodToModel(method admin.OrgSearchMethod) model.SearchMethod {
 	switch method {
-	case OrgSearchMethod_ORGSEARCHMETHOD_CONTAINS:
+	case admin.OrgSearchMethod_ORGSEARCHMETHOD_CONTAINS:
 		return model.SearchMethodContains
-	case OrgSearchMethod_ORGSEARCHMETHOD_EQUALS:
+	case admin.OrgSearchMethod_ORGSEARCHMETHOD_EQUALS:
 		return model.SearchMethodEquals
-	case OrgSearchMethod_ORGSEARCHMETHOD_STARTS_WITH:
+	case admin.OrgSearchMethod_ORGSEARCHMETHOD_STARTS_WITH:
 		return model.SearchMethodStartsWith
 	default:
 		return 0
 	}
 }
 
-func orgIamPolicyFromModel(policy *org_model.OrgIamPolicy) *OrgIamPolicy {
+func orgIamPolicyFromModel(policy *org_model.OrgIamPolicy) *admin.OrgIamPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-ush36").OnError(err).Debug("unable to get timestamp from time")
 
 	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
 	logging.Log("GRPC-Ps9fW").OnError(err).Debug("unable to get timestamp from time")
 
-	return &OrgIamPolicy{
+	return &admin.OrgIamPolicy{
 		OrgId:                 policy.AggregateID,
 		Description:           policy.Description,
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
@@ -271,7 +273,7 @@ func orgIamPolicyFromModel(policy *org_model.OrgIamPolicy) *OrgIamPolicy {
 	}
 }
 
-func orgIamPolicyRequestToModel(policy *OrgIamPolicyRequest) *org_model.OrgIamPolicy {
+func orgIamPolicyRequestToModel(policy *admin.OrgIamPolicyRequest) *org_model.OrgIamPolicy {
 	return &org_model.OrgIamPolicy{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: policy.OrgId,

internal/api/grpc/admin/probes.go

@@ -1,11 +1,12 @@
-package grpc
+package admin
 
 import (
 	"context"
 
-	"github.com/caos/zitadel/internal/errors"
 	"github.com/golang/protobuf/ptypes/empty"
 	pb_struct "github.com/golang/protobuf/ptypes/struct"
+
+	"github.com/caos/zitadel/internal/errors"
 )
 
 func (s *Server) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) {

internal/api/grpc/admin/server.go

@@ -0,0 +1,61 @@
+package admin
+
+import (
+	"google.golang.org/grpc"
+
+	"github.com/caos/zitadel/internal/admin/repository"
+	"github.com/caos/zitadel/internal/admin/repository/eventsourcing"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/pkg/grpc/admin"
+)
+
+const (
+	adminName = "Admin-API"
+)
+
+var _ admin.AdminServiceServer = (*Server)(nil)
+
+type Server struct {
+	org           repository.OrgRepository
+	iam           repository.IamRepository
+	administrator repository.AdministratorRepository
+	repo          repository.Repository
+}
+
+type Config struct {
+	Repository eventsourcing.Config
+}
+
+func CreateServer(repo repository.Repository) *Server {
+	return &Server{
+		org:           repo,
+		iam:           repo,
+		administrator: repo,
+		repo:          repo,
+	}
+}
+
+func (s *Server) RegisterServer(grpcServer *grpc.Server) {
+	admin.RegisterAdminServiceServer(grpcServer, s)
+}
+
+func (s *Server) AppName() string {
+	return adminName
+}
+
+func (s *Server) MethodPrefix() string {
+	return admin.AdminService_MethodPrefix
+}
+
+func (s *Server) AuthMethods() authz.MethodMapping {
+	return admin.AdminService_AuthMethods
+}
+
+func (s *Server) RegisterGateway() server.GatewayFunc {
+	return admin.RegisterAdminServiceHandlerFromEndpoint
+}
+
+func (s *Server) GatewayPathPrefix() string {
+	return "/admin/v1"
+}

internal/api/grpc/auth/gateway.go

@@ -1,4 +1,4 @@
-package grpc
+package auth
 
 import (
 	"strings"
@@ -7,6 +7,7 @@ import (
 
 	grpc_util "github.com/caos/zitadel/internal/api/grpc"
 	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/pkg/grpc/auth"
 )
 
 type Gateway struct {
@@ -24,7 +25,7 @@ func StartGateway(conf grpc_util.GatewayConfig) *Gateway {
 }
 
 func (gw *Gateway) Gateway() server.GatewayFunc {
-	return RegisterAuthServiceHandlerFromEndpoint
+	return auth.RegisterAuthServiceHandlerFromEndpoint
 }
 
 func (gw *Gateway) GRPCEndpoint() string {

internal/api/grpc/auth/policy_complexity_converter.go

@@ -1,19 +1,21 @@
-package grpc
+package auth
 
 import (
 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/policy/model"
 	"github.com/golang/protobuf/ptypes"
+
+	"github.com/caos/zitadel/internal/policy/model"
+	"github.com/caos/zitadel/pkg/grpc/auth"
 )
 
-func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *PasswordComplexityPolicy {
+func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *auth.PasswordComplexityPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-Lsi3d").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
 	logging.Log("GRPC-P0wr4").OnError(err).Debug("unable to parse timestamp")
 
-	return &PasswordComplexityPolicy{
+	return &auth.PasswordComplexityPolicy{
 		Id:           policy.AggregateID,
 		CreationDate: creationDate,
 		ChangeDate:   changeDate,

internal/api/grpc/auth/probes.go

@@ -1,10 +1,12 @@
-package grpc
+package auth
 
 import (
 	"context"
-	"github.com/caos/zitadel/internal/errors"
+
 	"github.com/golang/protobuf/ptypes/empty"
 	pb_struct "github.com/golang/protobuf/ptypes/struct"
+
+	"github.com/caos/zitadel/internal/errors"
 )
 
 func (s *Server) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, error) {

internal/api/grpc/auth/search_converter.go

@@ -0,0 +1,25 @@
+package auth
+
+import (
+	"github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+func searchMethodToModel(method auth.SearchMethod) model.SearchMethod {
+	switch method {
+	case auth.SearchMethod_SEARCHMETHOD_EQUALS:
+		return model.SearchMethodEquals
+	case auth.SearchMethod_SEARCHMETHOD_CONTAINS:
+		return model.SearchMethodContains
+	case auth.SearchMethod_SEARCHMETHOD_STARTS_WITH:
+		return model.SearchMethodStartsWith
+	case auth.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
+		return model.SearchMethodEqualsIgnoreCase
+	case auth.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
+		return model.SearchMethodContainsIgnoreCase
+	case auth.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
+		return model.SearchMethodStartsWithIgnoreCase
+	default:
+		return model.SearchMethodEquals
+	}
+}

internal/api/grpc/auth/server.go

@@ -0,0 +1,55 @@
+package auth
+
+import (
+	"google.golang.org/grpc"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/internal/auth/repository"
+	"github.com/caos/zitadel/internal/auth/repository/eventsourcing"
+	"github.com/caos/zitadel/pkg/grpc/auth"
+)
+
+var _ auth.AuthServiceServer = (*Server)(nil)
+
+const (
+	authName = "Auth-API"
+)
+
+type Server struct {
+	repo repository.Repository
+}
+
+type Config struct {
+	Repository eventsourcing.Config
+}
+
+func CreateServer(authRepo repository.Repository) *Server {
+	return &Server{
+		repo: authRepo,
+	}
+}
+
+func (s *Server) RegisterServer(grpcServer *grpc.Server) {
+	auth.RegisterAuthServiceServer(grpcServer, s)
+}
+
+func (s *Server) AppName() string {
+	return authName
+}
+
+func (s *Server) MethodPrefix() string {
+	return auth.AuthService_MethodPrefix
+}
+
+func (s *Server) AuthMethods() authz.MethodMapping {
+	return auth.AuthService_AuthMethods
+}
+
+func (s *Server) RegisterGateway() server.GatewayFunc {
+	return auth.RegisterAuthServiceHandlerFromEndpoint
+}
+
+func (s *Server) GatewayPathPrefix() string {
+	return "/auth/v1"
+}

internal/api/grpc/auth/user.go

@@ -1,12 +1,14 @@
-package grpc
+package auth
 
 import (
 	"context"
 
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/auth"
 )
 
-func (s *Server) GetMyUser(ctx context.Context, _ *empty.Empty) (*UserView, error) {
+func (s *Server) GetMyUser(ctx context.Context, _ *empty.Empty) (*auth.UserView, error) {
 	user, err := s.repo.MyUser(ctx)
 	if err != nil {
 		return nil, err
@@ -14,7 +16,7 @@ func (s *Server) GetMyUser(ctx context.Context, _ *empty.Empty) (*UserView, erro
 	return userViewFromModel(user), nil
 }
 
-func (s *Server) GetMyUserProfile(ctx context.Context, _ *empty.Empty) (*UserProfileView, error) {
+func (s *Server) GetMyUserProfile(ctx context.Context, _ *empty.Empty) (*auth.UserProfileView, error) {
 	profile, err := s.repo.MyProfile(ctx)
 	if err != nil {
 		return nil, err
@@ -22,7 +24,7 @@ func (s *Server) GetMyUserProfile(ctx context.Context, _ *empty.Empty) (*UserPro
 	return profileViewFromModel(profile), nil
 }
 
-func (s *Server) GetMyUserEmail(ctx context.Context, _ *empty.Empty) (*UserEmailView, error) {
+func (s *Server) GetMyUserEmail(ctx context.Context, _ *empty.Empty) (*auth.UserEmailView, error) {
 	email, err := s.repo.MyEmail(ctx)
 	if err != nil {
 		return nil, err
@@ -30,7 +32,7 @@ func (s *Server) GetMyUserEmail(ctx context.Context, _ *empty.Empty) (*UserEmail
 	return emailViewFromModel(email), nil
 }
 
-func (s *Server) GetMyUserPhone(ctx context.Context, _ *empty.Empty) (*UserPhoneView, error) {
+func (s *Server) GetMyUserPhone(ctx context.Context, _ *empty.Empty) (*auth.UserPhoneView, error) {
 	phone, err := s.repo.MyPhone(ctx)
 	if err != nil {
 		return nil, err
@@ -42,7 +44,8 @@ func (s *Server) RemoveMyUserPhone(ctx context.Context, _ *empty.Empty) (*empty.
 	err := s.repo.RemoveMyPhone(ctx)
 	return &empty.Empty{}, err
 }
-func (s *Server) GetMyUserAddress(ctx context.Context, _ *empty.Empty) (*UserAddressView, error) {
+
+func (s *Server) GetMyUserAddress(ctx context.Context, _ *empty.Empty) (*auth.UserAddressView, error) {
 	address, err := s.repo.MyAddress(ctx)
 	if err != nil {
 		return nil, err
@@ -50,15 +53,15 @@ func (s *Server) GetMyUserAddress(ctx context.Context, _ *empty.Empty) (*UserAdd
 	return addressViewFromModel(address), nil
 }
 
-func (s *Server) GetMyMfas(ctx context.Context, _ *empty.Empty) (*MultiFactors, error) {
+func (s *Server) GetMyMfas(ctx context.Context, _ *empty.Empty) (*auth.MultiFactors, error) {
 	mfas, err := s.repo.MyUserMfas(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return &MultiFactors{Mfas: mfasFromModel(mfas)}, nil
+	return &auth.MultiFactors{Mfas: mfasFromModel(mfas)}, nil
 }
 
-func (s *Server) UpdateMyUserProfile(ctx context.Context, request *UpdateUserProfileRequest) (*UserProfile, error) {
+func (s *Server) UpdateMyUserProfile(ctx context.Context, request *auth.UpdateUserProfileRequest) (*auth.UserProfile, error) {
 	profile, err := s.repo.ChangeMyProfile(ctx, updateProfileToModel(ctx, request))
 	if err != nil {
 		return nil, err
@@ -66,7 +69,7 @@ func (s *Server) UpdateMyUserProfile(ctx context.Context, request *UpdateUserPro
 	return profileFromModel(profile), nil
 }
 
-func (s *Server) ChangeMyUserEmail(ctx context.Context, request *UpdateUserEmailRequest) (*UserEmail, error) {
+func (s *Server) ChangeMyUserEmail(ctx context.Context, request *auth.UpdateUserEmailRequest) (*auth.UserEmail, error) {
 	email, err := s.repo.ChangeMyEmail(ctx, updateEmailToModel(ctx, request))
 	if err != nil {
 		return nil, err
@@ -74,7 +77,7 @@ func (s *Server) ChangeMyUserEmail(ctx context.Context, request *UpdateUserEmail
 	return emailFromModel(email), nil
 }
 
-func (s *Server) VerifyMyUserEmail(ctx context.Context, request *VerifyMyUserEmailRequest) (*empty.Empty, error) {
+func (s *Server) VerifyMyUserEmail(ctx context.Context, request *auth.VerifyMyUserEmailRequest) (*empty.Empty, error) {
 	err := s.repo.VerifyMyEmail(ctx, request.Code)
 	return &empty.Empty{}, err
 }
@@ -84,7 +87,7 @@ func (s *Server) ResendMyEmailVerificationMail(ctx context.Context, _ *empty.Emp
 	return &empty.Empty{}, err
 }
 
-func (s *Server) ChangeMyUserPhone(ctx context.Context, request *UpdateUserPhoneRequest) (*UserPhone, error) {
+func (s *Server) ChangeMyUserPhone(ctx context.Context, request *auth.UpdateUserPhoneRequest) (*auth.UserPhone, error) {
 	phone, err := s.repo.ChangeMyPhone(ctx, updatePhoneToModel(ctx, request))
 	if err != nil {
 		return nil, err
@@ -92,7 +95,7 @@ func (s *Server) ChangeMyUserPhone(ctx context.Context, request *UpdateUserPhone
 	return phoneFromModel(phone), nil
 }
 
-func (s *Server) VerifyMyUserPhone(ctx context.Context, request *VerifyUserPhoneRequest) (*empty.Empty, error) {
+func (s *Server) VerifyMyUserPhone(ctx context.Context, request *auth.VerifyUserPhoneRequest) (*empty.Empty, error) {
 	err := s.repo.VerifyMyPhone(ctx, request.Code)
 	return &empty.Empty{}, err
 }
@@ -102,7 +105,7 @@ func (s *Server) ResendMyPhoneVerificationCode(ctx context.Context, _ *empty.Emp
 	return &empty.Empty{}, err
 }
 
-func (s *Server) UpdateMyUserAddress(ctx context.Context, request *UpdateUserAddressRequest) (*UserAddress, error) {
+func (s *Server) UpdateMyUserAddress(ctx context.Context, request *auth.UpdateUserAddressRequest) (*auth.UserAddress, error) {
 	address, err := s.repo.ChangeMyAddress(ctx, updateAddressToModel(ctx, request))
 	if err != nil {
 		return nil, err
@@ -110,12 +113,12 @@ func (s *Server) UpdateMyUserAddress(ctx context.Context, request *UpdateUserAdd
 	return addressFromModel(address), nil
 }
 
-func (s *Server) ChangeMyPassword(ctx context.Context, request *PasswordChange) (*empty.Empty, error) {
+func (s *Server) ChangeMyPassword(ctx context.Context, request *auth.PasswordChange) (*empty.Empty, error) {
 	err := s.repo.ChangeMyPassword(ctx, request.OldPassword, request.NewPassword)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) GetMyPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*PasswordComplexityPolicy, error) {
+func (s *Server) GetMyPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*auth.PasswordComplexityPolicy, error) {
 	policy, err := s.repo.GetMyPasswordComplexityPolicy(ctx)
 	if err != nil {
 		return nil, err
@@ -123,7 +126,7 @@ func (s *Server) GetMyPasswordComplexityPolicy(ctx context.Context, _ *empty.Emp
 	return passwordComplexityPolicyFromModel(policy), nil
 }
 
-func (s *Server) AddMfaOTP(ctx context.Context, _ *empty.Empty) (_ *MfaOtpResponse, err error) {
+func (s *Server) AddMfaOTP(ctx context.Context, _ *empty.Empty) (_ *auth.MfaOtpResponse, err error) {
 	otp, err := s.repo.AddMyMfaOTP(ctx)
 	if err != nil {
 		return nil, err
@@ -131,7 +134,7 @@ func (s *Server) AddMfaOTP(ctx context.Context, _ *empty.Empty) (_ *MfaOtpRespon
 	return otpFromModel(otp), nil
 }
 
-func (s *Server) VerifyMfaOTP(ctx context.Context, request *VerifyMfaOtp) (*empty.Empty, error) {
+func (s *Server) VerifyMfaOTP(ctx context.Context, request *auth.VerifyMfaOtp) (*empty.Empty, error) {
 	err := s.repo.VerifyMyMfaOTPSetup(ctx, request.Code)
 	return &empty.Empty{}, err
 }
@@ -141,7 +144,7 @@ func (s *Server) RemoveMfaOTP(ctx context.Context, _ *empty.Empty) (_ *empty.Emp
 	return &empty.Empty{}, err
 }
 
-func (s *Server) GetMyUserChanges(ctx context.Context, request *ChangesRequest) (*Changes, error) {
+func (s *Server) GetMyUserChanges(ctx context.Context, request *auth.ChangesRequest) (*auth.Changes, error) {
 	changes, err := s.repo.MyUserChanges(ctx, request.SequenceOffset, request.Limit, request.Asc)
 	if err != nil {
 		return nil, err

internal/api/grpc/auth/user_converter.go

@@ -1,21 +1,23 @@
-package grpc
+package auth
 
 import (
 	"context"
 	"encoding/json"
 
 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/api/auth"
-	"github.com/caos/zitadel/internal/eventstore/models"
-	usr_model "github.com/caos/zitadel/internal/user/model"
-	message "github.com/caos/zitadel/pkg/message"
 	"github.com/golang/protobuf/ptypes"
 	"golang.org/x/text/language"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/eventstore/models"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/pkg/grpc/auth"
+	"github.com/caos/zitadel/pkg/grpc/message"
 )
 
-func userViewFromModel(user *usr_model.UserView) *UserView {
+func userViewFromModel(user *usr_model.UserView) *auth.UserView {
 	creationDate, err := ptypes.TimestampProto(user.CreationDate)
 	logging.Log("GRPC-sd32g").OnError(err).Debug("unable to parse timestamp")
 
@@ -28,7 +30,7 @@ func userViewFromModel(user *usr_model.UserView) *UserView {
 	passwordChanged, err := ptypes.TimestampProto(user.PasswordChanged)
 	logging.Log("GRPC-fgQFT").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserView{
+	return &auth.UserView{
 		Id:                 user.ID,
 		State:              userStateFromModel(user.State),
 		CreationDate:       creationDate,
@@ -58,14 +60,14 @@ func userViewFromModel(user *usr_model.UserView) *UserView {
 	}
 }
 
-func profileFromModel(profile *usr_model.Profile) *UserProfile {
+func profileFromModel(profile *usr_model.Profile) *auth.UserProfile {
 	creationDate, err := ptypes.TimestampProto(profile.CreationDate)
 	logging.Log("GRPC-56t5s").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(profile.ChangeDate)
 	logging.Log("GRPC-K58ds").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserProfile{
+	return &auth.UserProfile{
 		Id:                profile.AggregateID,
 		CreationDate:      creationDate,
 		ChangeDate:        changeDate,
@@ -80,14 +82,14 @@ func profileFromModel(profile *usr_model.Profile) *UserProfile {
 	}
 }
 
-func profileViewFromModel(profile *usr_model.Profile) *UserProfileView {
+func profileViewFromModel(profile *usr_model.Profile) *auth.UserProfileView {
 	creationDate, err := ptypes.TimestampProto(profile.CreationDate)
 	logging.Log("GRPC-s9iKs").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(profile.ChangeDate)
 	logging.Log("GRPC-9sujE").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserProfileView{
+	return &auth.UserProfileView{
 		Id:                 profile.AggregateID,
 		CreationDate:       creationDate,
 		ChangeDate:         changeDate,
@@ -104,12 +106,12 @@ func profileViewFromModel(profile *usr_model.Profile) *UserProfileView {
 	}
 }
 
-func updateProfileToModel(ctx context.Context, u *UpdateUserProfileRequest) *usr_model.Profile {
+func updateProfileToModel(ctx context.Context, u *auth.UpdateUserProfileRequest) *usr_model.Profile {
 	preferredLanguage, err := language.Parse(u.PreferredLanguage)
 	logging.Log("GRPC-lk73L").OnError(err).Debug("language malformed")
 
 	return &usr_model.Profile{
-		ObjectRoot:        models.ObjectRoot{AggregateID: auth.GetCtxData(ctx).UserID},
+		ObjectRoot:        models.ObjectRoot{AggregateID: authz.GetCtxData(ctx).UserID},
 		FirstName:         u.FirstName,
 		LastName:          u.LastName,
 		NickName:          u.NickName,
@@ -118,14 +120,14 @@ func updateProfileToModel(ctx context.Context, u *UpdateUserProfileRequest) *usr
 	}
 }
 
-func emailFromModel(email *usr_model.Email) *UserEmail {
+func emailFromModel(email *usr_model.Email) *auth.UserEmail {
 	creationDate, err := ptypes.TimestampProto(email.CreationDate)
 	logging.Log("GRPC-sdoi3").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(email.ChangeDate)
 	logging.Log("GRPC-klJK3").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserEmail{
+	return &auth.UserEmail{
 		Id:              email.AggregateID,
 		CreationDate:    creationDate,
 		ChangeDate:      changeDate,
@@ -135,14 +137,14 @@ func emailFromModel(email *usr_model.Email) *UserEmail {
 	}
 }
 
-func emailViewFromModel(email *usr_model.Email) *UserEmailView {
+func emailViewFromModel(email *usr_model.Email) *auth.UserEmailView {
 	creationDate, err := ptypes.TimestampProto(email.CreationDate)
 	logging.Log("GRPC-LSp8s").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(email.ChangeDate)
 	logging.Log("GRPC-6szJe").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserEmailView{
+	return &auth.UserEmailView{
 		Id:              email.AggregateID,
 		CreationDate:    creationDate,
 		ChangeDate:      changeDate,
@@ -152,21 +154,21 @@ func emailViewFromModel(email *usr_model.Email) *UserEmailView {
 	}
 }
 
-func updateEmailToModel(ctx context.Context, e *UpdateUserEmailRequest) *usr_model.Email {
+func updateEmailToModel(ctx context.Context, e *auth.UpdateUserEmailRequest) *usr_model.Email {
 	return &usr_model.Email{
-		ObjectRoot:   models.ObjectRoot{AggregateID: auth.GetCtxData(ctx).UserID},
+		ObjectRoot:   models.ObjectRoot{AggregateID: authz.GetCtxData(ctx).UserID},
 		EmailAddress: e.Email,
 	}
 }
 
-func phoneFromModel(phone *usr_model.Phone) *UserPhone {
+func phoneFromModel(phone *usr_model.Phone) *auth.UserPhone {
 	creationDate, err := ptypes.TimestampProto(phone.CreationDate)
 	logging.Log("GRPC-kjn5J").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(phone.ChangeDate)
 	logging.Log("GRPC-LKA9S").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserPhone{
+	return &auth.UserPhone{
 		Id:              phone.AggregateID,
 		CreationDate:    creationDate,
 		ChangeDate:      changeDate,
@@ -176,14 +178,14 @@ func phoneFromModel(phone *usr_model.Phone) *UserPhone {
 	}
 }
 
-func phoneViewFromModel(phone *usr_model.Phone) *UserPhoneView {
+func phoneViewFromModel(phone *usr_model.Phone) *auth.UserPhoneView {
 	creationDate, err := ptypes.TimestampProto(phone.CreationDate)
 	logging.Log("GRPC-s5zJS").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(phone.ChangeDate)
 	logging.Log("GRPC-s9kLe").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserPhoneView{
+	return &auth.UserPhoneView{
 		Id:              phone.AggregateID,
 		CreationDate:    creationDate,
 		ChangeDate:      changeDate,
@@ -193,21 +195,21 @@ func phoneViewFromModel(phone *usr_model.Phone) *UserPhoneView {
 	}
 }
 
-func updatePhoneToModel(ctx context.Context, e *UpdateUserPhoneRequest) *usr_model.Phone {
+func updatePhoneToModel(ctx context.Context, e *auth.UpdateUserPhoneRequest) *usr_model.Phone {
 	return &usr_model.Phone{
-		ObjectRoot:  models.ObjectRoot{AggregateID: auth.GetCtxData(ctx).UserID},
+		ObjectRoot:  models.ObjectRoot{AggregateID: authz.GetCtxData(ctx).UserID},
 		PhoneNumber: e.Phone,
 	}
 }
 
-func addressFromModel(address *usr_model.Address) *UserAddress {
+func addressFromModel(address *usr_model.Address) *auth.UserAddress {
 	creationDate, err := ptypes.TimestampProto(address.CreationDate)
 	logging.Log("GRPC-65FRs").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(address.ChangeDate)
 	logging.Log("GRPC-aslk4").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserAddress{
+	return &auth.UserAddress{
 		Id:            address.AggregateID,
 		CreationDate:  creationDate,
 		ChangeDate:    changeDate,
@@ -220,14 +222,14 @@ func addressFromModel(address *usr_model.Address) *UserAddress {
 	}
 }
 
-func addressViewFromModel(address *usr_model.Address) *UserAddressView {
+func addressViewFromModel(address *usr_model.Address) *auth.UserAddressView {
 	creationDate, err := ptypes.TimestampProto(address.CreationDate)
 	logging.Log("GRPC-sk4fS").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(address.ChangeDate)
 	logging.Log("GRPC-9siEs").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserAddressView{
+	return &auth.UserAddressView{
 		Id:            address.AggregateID,
 		CreationDate:  creationDate,
 		ChangeDate:    changeDate,
@@ -240,9 +242,9 @@ func addressViewFromModel(address *usr_model.Address) *UserAddressView {
 	}
 }
 
-func updateAddressToModel(ctx context.Context, address *UpdateUserAddressRequest) *usr_model.Address {
+func updateAddressToModel(ctx context.Context, address *auth.UpdateUserAddressRequest) *usr_model.Address {
 	return &usr_model.Address{
-		ObjectRoot:    models.ObjectRoot{AggregateID: auth.GetCtxData(ctx).UserID},
+		ObjectRoot:    models.ObjectRoot{AggregateID: authz.GetCtxData(ctx).UserID},
 		Country:       address.Country,
 		StreetAddress: address.StreetAddress,
 		Region:        address.Region,
@@ -251,8 +253,8 @@ func updateAddressToModel(ctx context.Context, address *UpdateUserAddressRequest
 	}
 }
 
-func otpFromModel(otp *usr_model.OTP) *MfaOtpResponse {
+func otpFromModel(otp *usr_model.OTP) *auth.MfaOtpResponse {
-	return &MfaOtpResponse{
+	return &auth.MfaOtpResponse{
 		UserId: otp.AggregateID,
 		Url:    otp.Url,
 		Secret: otp.SecretString,
@@ -260,96 +262,96 @@ func otpFromModel(otp *usr_model.OTP) *MfaOtpResponse {
 	}
 }
 
-func userStateFromModel(state usr_model.UserState) UserState {
+func userStateFromModel(state usr_model.UserState) auth.UserState {
 	switch state {
 	case usr_model.UserStateActive:
-		return UserState_USERSTATE_ACTIVE
+		return auth.UserState_USERSTATE_ACTIVE
 	case usr_model.UserStateInactive:
-		return UserState_USERSTATE_INACTIVE
+		return auth.UserState_USERSTATE_INACTIVE
 	case usr_model.UserStateLocked:
-		return UserState_USERSTATE_LOCKED
+		return auth.UserState_USERSTATE_LOCKED
 	case usr_model.UserStateInitial:
-		return UserState_USERSTATE_INITIAL
+		return auth.UserState_USERSTATE_INITIAL
 	case usr_model.UserStateSuspend:
-		return UserState_USERSTATE_SUSPEND
+		return auth.UserState_USERSTATE_SUSPEND
 	default:
-		return UserState_USERSTATE_UNSPECIFIED
+		return auth.UserState_USERSTATE_UNSPECIFIED
 	}
 }
 
-func genderFromModel(gender usr_model.Gender) Gender {
+func genderFromModel(gender usr_model.Gender) auth.Gender {
 	switch gender {
 	case usr_model.GenderFemale:
-		return Gender_GENDER_FEMALE
+		return auth.Gender_GENDER_FEMALE
 	case usr_model.GenderMale:
-		return Gender_GENDER_MALE
+		return auth.Gender_GENDER_MALE
 	case usr_model.GenderDiverse:
-		return Gender_GENDER_DIVERSE
+		return auth.Gender_GENDER_DIVERSE
 	default:
-		return Gender_GENDER_UNSPECIFIED
+		return auth.Gender_GENDER_UNSPECIFIED
 	}
 }
 
-func genderToModel(gender Gender) usr_model.Gender {
+func genderToModel(gender auth.Gender) usr_model.Gender {
 	switch gender {
-	case Gender_GENDER_FEMALE:
+	case auth.Gender_GENDER_FEMALE:
 		return usr_model.GenderFemale
-	case Gender_GENDER_MALE:
+	case auth.Gender_GENDER_MALE:
 		return usr_model.GenderMale
-	case Gender_GENDER_DIVERSE:
+	case auth.Gender_GENDER_DIVERSE:
 		return usr_model.GenderDiverse
 	default:
 		return usr_model.GenderUnspecified
 	}
 }
 
-func mfaStateFromModel(state usr_model.MfaState) MFAState {
+func mfaStateFromModel(state usr_model.MfaState) auth.MFAState {
 	switch state {
 	case usr_model.MfaStateReady:
-		return MFAState_MFASTATE_READY
+		return auth.MFAState_MFASTATE_READY
 	case usr_model.MfaStateNotReady:
-		return MFAState_MFASTATE_NOT_READY
+		return auth.MFAState_MFASTATE_NOT_READY
 	default:
-		return MFAState_MFASTATE_UNSPECIFIED
+		return auth.MFAState_MFASTATE_UNSPECIFIED
 	}
 }
 
-func mfasFromModel(mfas []*usr_model.MultiFactor) []*MultiFactor {
+func mfasFromModel(mfas []*usr_model.MultiFactor) []*auth.MultiFactor {
-	converted := make([]*MultiFactor, len(mfas))
+	converted := make([]*auth.MultiFactor, len(mfas))
 	for i, mfa := range mfas {
 		converted[i] = mfaFromModel(mfa)
 	}
 	return converted
 }
 
-func mfaFromModel(mfa *usr_model.MultiFactor) *MultiFactor {
+func mfaFromModel(mfa *usr_model.MultiFactor) *auth.MultiFactor {
-	return &MultiFactor{
+	return &auth.MultiFactor{
 		State: mfaStateFromModel(mfa.State),
 		Type:  mfaTypeFromModel(mfa.Type),
 	}
 }
 
-func mfaTypeFromModel(mfatype usr_model.MfaType) MfaType {
+func mfaTypeFromModel(mfatype usr_model.MfaType) auth.MfaType {
 	switch mfatype {
 	case usr_model.MfaTypeOTP:
-		return MfaType_MFATYPE_OTP
+		return auth.MfaType_MFATYPE_OTP
 	case usr_model.MfaTypeSMS:
-		return MfaType_MFATYPE_SMS
+		return auth.MfaType_MFATYPE_SMS
 	default:
-		return MfaType_MFATYPE_UNSPECIFIED
+		return auth.MfaType_MFATYPE_UNSPECIFIED
 	}
 }
 
-func userChangesToResponse(response *usr_model.UserChanges, offset uint64, limit uint64) (_ *Changes) {
+func userChangesToResponse(response *usr_model.UserChanges, offset uint64, limit uint64) (_ *auth.Changes) {
-	return &Changes{
+	return &auth.Changes{
 		Limit:   limit,
 		Offset:  offset,
 		Changes: userChangesToAPI(response),
 	}
 }
 
-func userChangesToAPI(changes *usr_model.UserChanges) (_ []*Change) {
+func userChangesToAPI(changes *usr_model.UserChanges) (_ []*auth.Change) {
-	result := make([]*Change, len(changes.Changes))
+	result := make([]*auth.Change, len(changes.Changes))
 
 	for i, change := range changes.Changes {
 		var data *structpb.Struct
@@ -359,7 +361,7 @@ func userChangesToAPI(changes *usr_model.UserChanges) (_ []*Change) {
 			err = protojson.Unmarshal(changedData, data)
 			logging.Log("GRPC-0kRsY").OnError(err).Debug("unable to marshal changed data to struct")
 		}
-		result[i] = &Change{
+		result[i] = &auth.Change{
 			ChangeDate: change.ChangeDate,
 			EventType:  message.NewLocalizedEventType(change.EventType),
 			Sequence:   change.Sequence,

internal/api/grpc/auth/user_grant.go

@@ -1,11 +1,14 @@
-package grpc
+package auth
 
 import (
 	"context"
+
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/auth"
 )
 
-func (s *Server) SearchMyUserGrant(ctx context.Context, in *UserGrantSearchRequest) (*UserGrantSearchResponse, error) {
+func (s *Server) SearchMyUserGrant(ctx context.Context, in *auth.UserGrantSearchRequest) (*auth.UserGrantSearchResponse, error) {
 	response, err := s.repo.SearchMyUserGrants(ctx, userGrantSearchRequestsToModel(in))
 	if err != nil {
 		return nil, err
@@ -13,7 +16,7 @@ func (s *Server) SearchMyUserGrant(ctx context.Context, in *UserGrantSearchReque
 	return userGrantSearchResponseFromModel(response), nil
 }
 
-func (s *Server) SearchMyProjectOrgs(ctx context.Context, in *MyProjectOrgSearchRequest) (*MyProjectOrgSearchResponse, error) {
+func (s *Server) SearchMyProjectOrgs(ctx context.Context, in *auth.MyProjectOrgSearchRequest) (*auth.MyProjectOrgSearchResponse, error) {
 	response, err := s.repo.SearchMyProjectOrgs(ctx, myProjectOrgSearchRequestRequestsToModel(in))
 	if err != nil {
 		return nil, err
@@ -21,18 +24,18 @@ func (s *Server) SearchMyProjectOrgs(ctx context.Context, in *MyProjectOrgSearch
 	return projectOrgSearchResponseFromModel(response), nil
 }
 
-func (s *Server) GetMyZitadelPermissions(ctx context.Context, _ *empty.Empty) (*MyPermissions, error) {
+func (s *Server) GetMyZitadelPermissions(ctx context.Context, _ *empty.Empty) (*auth.MyPermissions, error) {
 	perms, err := s.repo.SearchMyZitadelPermissions(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return &MyPermissions{Permissions: perms}, nil
+	return &auth.MyPermissions{Permissions: perms}, nil
 }
 
-func (s *Server) GetMyProjectPermissions(ctx context.Context, _ *empty.Empty) (*MyPermissions, error) {
+func (s *Server) GetMyProjectPermissions(ctx context.Context, _ *empty.Empty) (*auth.MyPermissions, error) {
 	perms, err := s.repo.SearchMyProjectPermissions(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return &MyPermissions{Permissions: perms}, nil
+	return &auth.MyPermissions{Permissions: perms}, nil
 }

internal/api/grpc/auth/user_grant_converter.go

@@ -1,10 +1,11 @@
-package grpc
+package auth
 
 import (
 	grant_model "github.com/caos/zitadel/internal/usergrant/model"
+	"github.com/caos/zitadel/pkg/grpc/auth"
 )
 
-func userGrantSearchRequestsToModel(request *UserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
+func userGrantSearchRequestsToModel(request *auth.UserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
 	return &grant_model.UserGrantSearchRequest{
 		Offset:  request.Offset,
 		Limit:   request.Limit,
@@ -12,7 +13,7 @@ func userGrantSearchRequestsToModel(request *UserGrantSearchRequest) *grant_mode
 	}
 }
 
-func userGrantSearchQueriesToModel(queries []*UserGrantSearchQuery) []*grant_model.UserGrantSearchQuery {
+func userGrantSearchQueriesToModel(queries []*auth.UserGrantSearchQuery) []*grant_model.UserGrantSearchQuery {
 	converted := make([]*grant_model.UserGrantSearchQuery, len(queries))
 	for i, q := range queries {
 		converted[i] = userGrantSearchQueryToModel(q)
@@ -20,7 +21,7 @@ func userGrantSearchQueriesToModel(queries []*UserGrantSearchQuery) []*grant_mod
 	return converted
 }
 
-func userGrantSearchQueryToModel(query *UserGrantSearchQuery) *grant_model.UserGrantSearchQuery {
+func userGrantSearchQueryToModel(query *auth.UserGrantSearchQuery) *grant_model.UserGrantSearchQuery {
 	return &grant_model.UserGrantSearchQuery{
 		Key:    userGrantSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -28,18 +29,18 @@ func userGrantSearchQueryToModel(query *UserGrantSearchQuery) *grant_model.UserG
 	}
 }
 
-func userGrantSearchKeyToModel(key UserGrantSearchKey) grant_model.UserGrantSearchKey {
+func userGrantSearchKeyToModel(key auth.UserGrantSearchKey) grant_model.UserGrantSearchKey {
 	switch key {
-	case UserGrantSearchKey_UserGrantSearchKey_ORG_ID:
+	case auth.UserGrantSearchKey_UserGrantSearchKey_ORG_ID:
 		return grant_model.UserGrantSearchKeyResourceOwner
-	case UserGrantSearchKey_UserGrantSearchKey_PROJECT_ID:
+	case auth.UserGrantSearchKey_UserGrantSearchKey_PROJECT_ID:
 		return grant_model.UserGrantSearchKeyProjectID
 	default:
 		return grant_model.UserGrantSearchKeyUnspecified
 	}
 }
 
-func myProjectOrgSearchRequestRequestsToModel(request *MyProjectOrgSearchRequest) *grant_model.UserGrantSearchRequest {
+func myProjectOrgSearchRequestRequestsToModel(request *auth.MyProjectOrgSearchRequest) *grant_model.UserGrantSearchRequest {
 	return &grant_model.UserGrantSearchRequest{
 		Offset:        request.Offset,
 		Limit:         request.Limit,
@@ -49,7 +50,7 @@ func myProjectOrgSearchRequestRequestsToModel(request *MyProjectOrgSearchRequest
 	}
 }
 
-func myProjectOrgSearchQueriesToModel(queries []*MyProjectOrgSearchQuery) []*grant_model.UserGrantSearchQuery {
+func myProjectOrgSearchQueriesToModel(queries []*auth.MyProjectOrgSearchQuery) []*grant_model.UserGrantSearchQuery {
 	converted := make([]*grant_model.UserGrantSearchQuery, len(queries))
 	for i, q := range queries {
 		converted[i] = myProjectOrgSearchQueryToModel(q)
@@ -57,7 +58,7 @@ func myProjectOrgSearchQueriesToModel(queries []*MyProjectOrgSearchQuery) []*gra
 	return converted
 }
 
-func myProjectOrgSearchQueryToModel(query *MyProjectOrgSearchQuery) *grant_model.UserGrantSearchQuery {
+func myProjectOrgSearchQueryToModel(query *auth.MyProjectOrgSearchQuery) *grant_model.UserGrantSearchQuery {
 	return &grant_model.UserGrantSearchQuery{
 		Key:    myProjectOrgSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -65,17 +66,17 @@ func myProjectOrgSearchQueryToModel(query *MyProjectOrgSearchQuery) *grant_model
 	}
 }
 
-func myProjectOrgSearchKeyToModel(key MyProjectOrgSearchKey) grant_model.UserGrantSearchKey {
+func myProjectOrgSearchKeyToModel(key auth.MyProjectOrgSearchKey) grant_model.UserGrantSearchKey {
 	switch key {
-	case MyProjectOrgSearchKey_MYPROJECTORGSEARCHKEY_ORG_NAME:
+	case auth.MyProjectOrgSearchKey_MYPROJECTORGSEARCHKEY_ORG_NAME:
 		return grant_model.UserGrantSearchKeyOrgName
 	default:
 		return grant_model.UserGrantSearchKeyUnspecified
 	}
 }
 
-func userGrantSearchResponseFromModel(response *grant_model.UserGrantSearchResponse) *UserGrantSearchResponse {
+func userGrantSearchResponseFromModel(response *grant_model.UserGrantSearchResponse) *auth.UserGrantSearchResponse {
-	return &UserGrantSearchResponse{
+	return &auth.UserGrantSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -83,16 +84,16 @@ func userGrantSearchResponseFromModel(response *grant_model.UserGrantSearchRespo
 	}
 }
 
-func userGrantViewsFromModel(users []*grant_model.UserGrantView) []*UserGrantView {
+func userGrantViewsFromModel(users []*grant_model.UserGrantView) []*auth.UserGrantView {
-	converted := make([]*UserGrantView, len(users))
+	converted := make([]*auth.UserGrantView, len(users))
 	for i, user := range users {
 		converted[i] = userGrantViewFromModel(user)
 	}
 	return converted
 }
 
-func userGrantViewFromModel(grant *grant_model.UserGrantView) *UserGrantView {
+func userGrantViewFromModel(grant *grant_model.UserGrantView) *auth.UserGrantView {
-	return &UserGrantView{
+	return &auth.UserGrantView{
 		UserId:    grant.UserID,
 		OrgId:     grant.ResourceOwner,
 		OrgName:   grant.OrgName,
@@ -101,8 +102,8 @@ func userGrantViewFromModel(grant *grant_model.UserGrantView) *UserGrantView {
 	}
 }
 
-func projectOrgSearchResponseFromModel(response *grant_model.ProjectOrgSearchResponse) *MyProjectOrgSearchResponse {
+func projectOrgSearchResponseFromModel(response *grant_model.ProjectOrgSearchResponse) *auth.MyProjectOrgSearchResponse {
-	return &MyProjectOrgSearchResponse{
+	return &auth.MyProjectOrgSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -110,16 +111,16 @@ func projectOrgSearchResponseFromModel(response *grant_model.ProjectOrgSearchRes
 	}
 }
 
-func projectOrgsFromModel(projectOrgs []*grant_model.Org) []*Org {
+func projectOrgsFromModel(projectOrgs []*grant_model.Org) []*auth.Org {
-	converted := make([]*Org, len(projectOrgs))
+	converted := make([]*auth.Org, len(projectOrgs))
 	for i, org := range projectOrgs {
 		converted[i] = projectOrgFromModel(org)
 	}
 	return converted
 }
 
-func projectOrgFromModel(org *grant_model.Org) *Org {
+func projectOrgFromModel(org *grant_model.Org) *auth.Org {
-	return &Org{
+	return &auth.Org{
 		Id:   org.OrgID,
 		Name: org.OrgName,
 	}

internal/api/grpc/auth/user_session.go

@@ -1,14 +1,17 @@
-package grpc
+package auth
 
 import (
 	"context"
+
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/auth"
 )
 
-func (s *Server) GetMyUserSessions(ctx context.Context, _ *empty.Empty) (_ *UserSessionViews, err error) {
+func (s *Server) GetMyUserSessions(ctx context.Context, _ *empty.Empty) (_ *auth.UserSessionViews, err error) {
 	userSessions, err := s.repo.GetMyUserSessions(ctx)
 	if err != nil {
 		return nil, err
 	}
-	return &UserSessionViews{UserSessions: userSessionViewsFromModel(userSessions)}, nil
+	return &auth.UserSessionViews{UserSessions: userSessionViewsFromModel(userSessions)}, nil
 }

internal/api/grpc/auth/user_session_converter.go

@@ -1,20 +1,21 @@
-package grpc
+package auth
 
 import (
 	auth_req_model "github.com/caos/zitadel/internal/auth_request/model"
 	usr_model "github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/pkg/grpc/auth"
 )
 
-func userSessionViewsFromModel(userSessions []*usr_model.UserSessionView) []*UserSessionView {
+func userSessionViewsFromModel(userSessions []*usr_model.UserSessionView) []*auth.UserSessionView {
-	converted := make([]*UserSessionView, len(userSessions))
+	converted := make([]*auth.UserSessionView, len(userSessions))
 	for i, s := range userSessions {
 		converted[i] = userSessionViewFromModel(s)
 	}
 	return converted
 }
 
-func userSessionViewFromModel(userSession *usr_model.UserSessionView) *UserSessionView {
+func userSessionViewFromModel(userSession *usr_model.UserSessionView) *auth.UserSessionView {
-	return &UserSessionView{
+	return &auth.UserSessionView{
 		Sequence:    userSession.Sequence,
 		AgentId:     userSession.UserAgentID,
 		UserId:      userSession.UserID,
@@ -25,13 +26,13 @@ func userSessionViewFromModel(userSession *usr_model.UserSessionView) *UserSessi
 	}
 }
 
-func userSessionStateFromModel(state auth_req_model.UserSessionState) UserSessionState {
+func userSessionStateFromModel(state auth_req_model.UserSessionState) auth.UserSessionState {
 	switch state {
 	case auth_req_model.UserSessionStateActive:
-		return UserSessionState_USERSESSIONSTATE_ACTIVE
+		return auth.UserSessionState_USERSESSIONSTATE_ACTIVE
 	case auth_req_model.UserSessionStateTerminated:
-		return UserSessionState_USERSESSIONSTATE_TERMINATED
+		return auth.UserSessionState_USERSESSIONSTATE_TERMINATED
 	default:
-		return UserSessionState_USERSESSIONSTATE_UNSPECIFIED
+		return auth.UserSessionState_USERSESSIONSTATE_UNSPECIFIED
 	}
 }

internal/api/grpc/caos_errors.go

@@ -4,15 +4,17 @@ import (
 	"context"
 
 	"github.com/caos/logging"
-	"github.com/caos/zitadel/pkg/message"
+
+	"github.com/caos/zitadel/pkg/grpc/message"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 
 	caos_errs "github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/i18n"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 )
 
-func CaosToGRPCError(err error, ctx context.Context, translator *i18n.Translator) error {
+func CaosToGRPCError(ctx context.Context, err error, translator *i18n.Translator) error {
 	if err == nil {
 		return nil
 	}
@@ -39,7 +41,7 @@ func ExtractCaosError(err error) (c codes.Code, msg, id string, ok bool) {
 		return codes.AlreadyExists, caosErr.GetMessage(), caosErr.GetID(), true
 	case *caos_errs.DeadlineExceededError:
 		return codes.DeadlineExceeded, caosErr.GetMessage(), caosErr.GetID(), true
-	case caos_errs.InternalError:
+	case *caos_errs.InternalError:
 		return codes.Internal, caosErr.GetMessage(), caosErr.GetID(), true
 	case *caos_errs.InvalidArgumentError:
 		return codes.InvalidArgument, caosErr.GetMessage(), caosErr.GetID(), true

internal/api/grpc/caos_errors_test.go

@@ -0,0 +1,167 @@
+package grpc
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"google.golang.org/grpc/codes"
+
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/i18n"
+)
+
+func TestCaosToGRPCError(t *testing.T) {
+	type args struct {
+		err        error
+		translator *i18n.Translator
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			"no error",
+			args{},
+			false,
+		},
+		{
+			"unknown error",
+			args{errors.New("unknown"), nil},
+			true,
+		},
+		{
+			"caos error",
+			args{caos_errs.ThrowInternal(nil, "", "message"), nil},
+			true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := CaosToGRPCError(context.Background(), tt.args.err, tt.args.translator); (err != nil) != tt.wantErr {
+				t.Errorf("CaosToGRPCError() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func Test_Extract(t *testing.T) {
+	type args struct {
+		err error
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantC   codes.Code
+		wantMsg string
+		wantID  string
+		wantOk  bool
+	}{
+		{
+			"already exists",
+			args{caos_errs.ThrowAlreadyExists(nil, "id", "already exists")},
+			codes.AlreadyExists,
+			"already exists",
+			"id",
+			true,
+		},
+		{
+			"deadline exceeded",
+			args{caos_errs.ThrowDeadlineExceeded(nil, "id", "deadline exceeded")},
+			codes.DeadlineExceeded,
+			"deadline exceeded",
+			"id",
+			true,
+		},
+		{
+			"internal error",
+			args{caos_errs.ThrowInternal(nil, "id", "internal error")},
+			codes.Internal,
+			"internal error",
+			"id",
+			true,
+		},
+		{
+			"invalid argument",
+			args{caos_errs.ThrowInvalidArgument(nil, "id", "invalid argument")},
+			codes.InvalidArgument,
+			"invalid argument",
+			"id",
+			true,
+		},
+		{
+			"not found",
+			args{caos_errs.ThrowNotFound(nil, "id", "not found")},
+			codes.NotFound,
+			"not found",
+			"id",
+			true,
+		},
+		{
+			"permission denied",
+			args{caos_errs.ThrowPermissionDenied(nil, "id", "permission denied")},
+			codes.PermissionDenied,
+			"permission denied",
+			"id",
+			true,
+		},
+		{
+			"precondition failed",
+			args{caos_errs.ThrowPreconditionFailed(nil, "id", "precondition failed")},
+			codes.FailedPrecondition,
+			"precondition failed",
+			"id",
+			true,
+		},
+		{
+			"unauthenticated",
+			args{caos_errs.ThrowUnauthenticated(nil, "id", "unauthenticated")},
+			codes.Unauthenticated,
+			"unauthenticated",
+			"id",
+			true,
+		},
+		{
+			"unavailable",
+			args{caos_errs.ThrowUnavailable(nil, "id", "unavailable")},
+			codes.Unavailable,
+			"unavailable",
+			"id",
+			true,
+		},
+		{
+			"unimplemented",
+			args{caos_errs.ThrowUnimplemented(nil, "id", "unimplemented")},
+			codes.Unimplemented,
+			"unimplemented",
+			"id",
+			true,
+		},
+		{
+			"unknown",
+			args{errors.New("unknown")},
+			codes.Unknown,
+			"unknown",
+			"",
+			false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotC, gotMsg, gotID, gotOk := ExtractCaosError(tt.args.err)
+			if gotC != tt.wantC {
+				t.Errorf("extract() gotC = %v, want %v", gotC, tt.wantC)
+			}
+			if gotMsg != tt.wantMsg {
+				t.Errorf("extract() gotMsg = %v, want %v", gotMsg, tt.wantMsg)
+			}
+			if gotID != tt.wantID {
+				t.Errorf("extract() gotID = %v, want %v", gotID, tt.wantID)
+			}
+			if gotOk != tt.wantOk {
+				t.Errorf("extract() gotOk = %v, want %v", gotOk, tt.wantOk)
+			}
+		})
+	}
+}

internal/api/grpc/client/middleware/tacing_test.go

@@ -0,0 +1,68 @@
+package middleware
+
+import (
+	"context"
+	"testing"
+
+	"go.opencensus.io/plugin/ocgrpc"
+	"go.opencensus.io/trace"
+	"google.golang.org/grpc/stats"
+)
+
+func Test_tracingClientHandler_TagRPC(t *testing.T) {
+	type fields struct {
+		IgnoredMethods []GRPCMethod
+		ClientHandler  ocgrpc.ClientHandler
+	}
+	type args struct {
+		ctx     context.Context
+		tagInfo *stats.RPCTagInfo
+	}
+	tests := []struct {
+		name     string
+		fields   fields
+		args     args
+		wantSpan bool
+	}{
+		{
+			"ignored method",
+			fields{
+				IgnoredMethods: []GRPCMethod{"ignore"},
+				ClientHandler:  ocgrpc.ClientHandler{},
+			},
+			args{
+				ctx: context.Background(),
+				tagInfo: &stats.RPCTagInfo{
+					FullMethodName: "ignore",
+				},
+			},
+			false,
+		},
+		{
+			"tag",
+			fields{
+				IgnoredMethods: []GRPCMethod{"ignore"},
+				ClientHandler:  ocgrpc.ClientHandler{},
+			},
+			args{
+				ctx: context.Background(),
+				tagInfo: &stats.RPCTagInfo{
+					FullMethodName: "tag",
+				},
+			},
+			true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := &tracingClientHandler{
+				IgnoredMethods: tt.fields.IgnoredMethods,
+				ClientHandler:  tt.fields.ClientHandler,
+			}
+			got := s.TagRPC(tt.args.ctx, tt.args.tagInfo)
+			if (trace.FromContext(got) != nil) != tt.wantSpan {
+				t.Errorf("TagRPC() = %v, want %v", got, tt.wantSpan)
+			}
+		})
+	}
+}

internal/api/grpc/client/middleware/tracing.go

@@ -9,18 +9,27 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/stats"
 
-	"github.com/caos/zitadel/internal/api"
+	"github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/tracing"
 )
 
 type GRPCMethod string
 
 func TracingStatsClient(ignoredMethods ...GRPCMethod) grpc.DialOption {
-	return grpc.WithStatsHandler(&tracingClientHandler{ignoredMethods, ocgrpc.ClientHandler{StartOptions: trace.StartOptions{Sampler: tracing.Sampler(), SpanKind: trace.SpanKindClient}}})
+	return grpc.WithStatsHandler(
+		&tracingClientHandler{
+			ignoredMethods,
+			ocgrpc.ClientHandler{
+				StartOptions: trace.StartOptions{
+					Sampler:  tracing.Sampler(),
+					SpanKind: trace.SpanKindClient},
+			},
+		},
+	)
 }
 
 func DefaultTracingStatsClient() grpc.DialOption {
-	return TracingStatsClient(api.Healthz, api.Readiness, api.Validation)
+	return TracingStatsClient(http.Healthz, http.Readiness, http.Validation)
 }
 
 type tracingClientHandler struct {

internal/api/grpc/header.go

@@ -5,7 +5,7 @@ import (
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/util/metautils"
 
-	"github.com/caos/zitadel/internal/api"
+	"github.com/caos/zitadel/internal/api/http"
 )
 
 func GetHeader(ctx context.Context, headername string) string {
@@ -13,5 +13,5 @@ func GetHeader(ctx context.Context, headername string) string {
 }
 
 func GetAuthorizationHeader(ctx context.Context) string {
-	return GetHeader(ctx, api.Authorization)
+	return GetHeader(ctx, http.Authorization)
 }

internal/api/grpc/header_test.go

@@ -0,0 +1,92 @@
+package grpc
+
+import (
+	"context"
+	"testing"
+
+	"google.golang.org/grpc/metadata"
+)
+
+func TestGetHeader(t *testing.T) {
+	type args struct {
+		ctx        context.Context
+		headername string
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			"empty context",
+			args{
+				ctx:        context.Background(),
+				headername: "header",
+			},
+			"",
+		},
+		{
+			"context without header",
+			args{
+				ctx:        metadata.NewIncomingContext(context.Background(), metadata.Pairs("header2", "value")),
+				headername: "header",
+			},
+			"",
+		},
+		{
+			"context with header",
+			args{
+				ctx:        metadata.NewIncomingContext(context.Background(), metadata.Pairs("header", "value")),
+				headername: "header",
+			},
+			"value",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := GetHeader(tt.args.ctx, tt.args.headername); got != tt.want {
+				t.Errorf("GetHeader() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestGetAuthorizationHeader(t *testing.T) {
+	type args struct {
+		ctx context.Context
+	}
+	tests := []struct {
+		name string
+		args args
+		want string
+	}{
+		{
+			"empty context",
+			args{
+				ctx: context.Background(),
+			},
+			"",
+		},
+		{
+			"context without header",
+			args{
+				ctx: metadata.NewIncomingContext(context.Background(), metadata.Pairs("header", "value")),
+			},
+			"",
+		},
+		{
+			"context with header",
+			args{
+				ctx: metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", "value")),
+			},
+			"value",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := GetAuthorizationHeader(tt.args.ctx); got != tt.want {
+				t.Errorf("GetAuthorizationHeader() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

internal/api/grpc/management/application.go

@@ -1,12 +1,14 @@
-package grpc
+package management
 
 import (
 	"context"
 
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) SearchApplications(ctx context.Context, in *ApplicationSearchRequest) (*ApplicationSearchResponse, error) {
+func (s *Server) SearchApplications(ctx context.Context, in *management.ApplicationSearchRequest) (*management.ApplicationSearchResponse, error) {
 	response, err := s.project.SearchApplications(ctx, applicationSearchRequestsToModel(in))
 	if err != nil {
 		return nil, err
@@ -14,7 +16,7 @@ func (s *Server) SearchApplications(ctx context.Context, in *ApplicationSearchRe
 	return applicationSearchResponseFromModel(response), nil
 }
 
-func (s *Server) ApplicationByID(ctx context.Context, in *ApplicationID) (*ApplicationView, error) {
+func (s *Server) ApplicationByID(ctx context.Context, in *management.ApplicationID) (*management.ApplicationView, error) {
 	app, err := s.project.ApplicationByID(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -22,28 +24,28 @@ func (s *Server) ApplicationByID(ctx context.Context, in *ApplicationID) (*Appli
 	return applicationViewFromModel(app), nil
 }
 
-func (s *Server) CreateOIDCApplication(ctx context.Context, in *OIDCApplicationCreate) (*Application, error) {
+func (s *Server) CreateOIDCApplication(ctx context.Context, in *management.OIDCApplicationCreate) (*management.Application, error) {
 	app, err := s.project.AddApplication(ctx, oidcAppCreateToModel(in))
 	if err != nil {
 		return nil, err
 	}
 	return appFromModel(app), nil
 }
-func (s *Server) UpdateApplication(ctx context.Context, in *ApplicationUpdate) (*Application, error) {
+func (s *Server) UpdateApplication(ctx context.Context, in *management.ApplicationUpdate) (*management.Application, error) {
 	app, err := s.project.ChangeApplication(ctx, appUpdateToModel(in))
 	if err != nil {
 		return nil, err
 	}
 	return appFromModel(app), nil
 }
-func (s *Server) DeactivateApplication(ctx context.Context, in *ApplicationID) (*Application, error) {
+func (s *Server) DeactivateApplication(ctx context.Context, in *management.ApplicationID) (*management.Application, error) {
 	app, err := s.project.DeactivateApplication(ctx, in.ProjectId, in.Id)
 	if err != nil {
 		return nil, err
 	}
 	return appFromModel(app), nil
 }
-func (s *Server) ReactivateApplication(ctx context.Context, in *ApplicationID) (*Application, error) {
+func (s *Server) ReactivateApplication(ctx context.Context, in *management.ApplicationID) (*management.Application, error) {
 	app, err := s.project.ReactivateApplication(ctx, in.ProjectId, in.Id)
 	if err != nil {
 		return nil, err
@@ -51,12 +53,12 @@ func (s *Server) ReactivateApplication(ctx context.Context, in *ApplicationID) (
 	return appFromModel(app), nil
 }
 
-func (s *Server) RemoveApplication(ctx context.Context, in *ApplicationID) (*empty.Empty, error) {
+func (s *Server) RemoveApplication(ctx context.Context, in *management.ApplicationID) (*empty.Empty, error) {
 	err := s.project.RemoveApplication(ctx, in.ProjectId, in.Id)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) UpdateApplicationOIDCConfig(ctx context.Context, in *OIDCConfigUpdate) (*OIDCConfig, error) {
+func (s *Server) UpdateApplicationOIDCConfig(ctx context.Context, in *management.OIDCConfigUpdate) (*management.OIDCConfig, error) {
 	config, err := s.project.ChangeOIDCConfig(ctx, oidcConfigUpdateToModel(in))
 	if err != nil {
 		return nil, err
@@ -64,15 +66,15 @@ func (s *Server) UpdateApplicationOIDCConfig(ctx context.Context, in *OIDCConfig
 	return oidcConfigFromModel(config), nil
 }
 
-func (s *Server) RegenerateOIDCClientSecret(ctx context.Context, in *ApplicationID) (*ClientSecret, error) {
+func (s *Server) RegenerateOIDCClientSecret(ctx context.Context, in *management.ApplicationID) (*management.ClientSecret, error) {
 	config, err := s.project.ChangeOIDConfigSecret(ctx, in.ProjectId, in.Id)
 	if err != nil {
 		return nil, err
 	}
-	return &ClientSecret{ClientSecret: config.ClientSecretString}, nil
+	return &management.ClientSecret{ClientSecret: config.ClientSecretString}, nil
 }
 
-func (s *Server) ApplicationChanges(ctx context.Context, changesRequest *ChangeRequest) (*Changes, error) {
+func (s *Server) ApplicationChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) {
 	response, err := s.project.ApplicationChanges(ctx, changesRequest.Id, changesRequest.SecId, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc)
 	if err != nil {
 		return nil, err

internal/api/grpc/management/application_converter.go

@@ -1,27 +1,28 @@
-package grpc
+package management
 
 import (
 	"encoding/json"
 
 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/eventstore/models"
-	"github.com/caos/zitadel/internal/model"
-	proj_model "github.com/caos/zitadel/internal/project/model"
-	"github.com/caos/zitadel/pkg/message"
-
 	"github.com/golang/protobuf/ptypes"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	"github.com/caos/zitadel/internal/model"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/message"
 )
 
-func appFromModel(app *proj_model.Application) *Application {
+func appFromModel(app *proj_model.Application) *management.Application {
 	creationDate, err := ptypes.TimestampProto(app.CreationDate)
 	logging.Log("GRPC-iejs3").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(app.ChangeDate)
 	logging.Log("GRPC-di7rw").OnError(err).Debug("unable to parse timestamp")
 
-	return &Application{
+	return &management.Application{
 		Id:           app.AppID,
 		State:        appStateFromModel(app.State),
 		CreationDate: creationDate,
@@ -32,17 +33,17 @@ func appFromModel(app *proj_model.Application) *Application {
 	}
 }
 
-func appConfigFromModel(app *proj_model.Application) isApplication_AppConfig {
+func appConfigFromModel(app *proj_model.Application) management.AppConfig {
 	if app.Type == proj_model.AppTypeOIDC {
-		return &Application_OidcConfig{
+		return &management.Application_OidcConfig{
 			OidcConfig: oidcConfigFromModel(app.OIDCConfig),
 		}
 	}
 	return nil
 }
 
-func oidcConfigFromModel(config *proj_model.OIDCConfig) *OIDCConfig {
+func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
-	return &OIDCConfig{
+	return &management.OIDCConfig{
 		RedirectUris:           config.RedirectUris,
 		ResponseTypes:          oidcResponseTypesFromModel(config.ResponseTypes),
 		GrantTypes:             oidcGrantTypesFromModel(config.GrantTypes),
@@ -54,8 +55,8 @@ func oidcConfigFromModel(config *proj_model.OIDCConfig) *OIDCConfig {
 	}
 }
 
-func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *OIDCConfig {
+func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *management.OIDCConfig {
-	return &OIDCConfig{
+	return &management.OIDCConfig{
 		RedirectUris:           app.OIDCRedirectUris,
 		ResponseTypes:          oidcResponseTypesFromModel(app.OIDCResponseTypes),
 		GrantTypes:             oidcGrantTypesFromModel(app.OIDCGrantTypes),
@@ -66,7 +67,7 @@ func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *OIDCCo
 	}
 }
 
-func oidcAppCreateToModel(app *OIDCApplicationCreate) *proj_model.Application {
+func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.Application {
 	return &proj_model.Application{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: app.ProjectId,
@@ -84,7 +85,7 @@ func oidcAppCreateToModel(app *OIDCApplicationCreate) *proj_model.Application {
 	}
 }
 
-func appUpdateToModel(app *ApplicationUpdate) *proj_model.Application {
+func appUpdateToModel(app *management.ApplicationUpdate) *proj_model.Application {
 	return &proj_model.Application{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: app.ProjectId,
@@ -94,7 +95,7 @@ func appUpdateToModel(app *ApplicationUpdate) *proj_model.Application {
 	}
 }
 
-func oidcConfigUpdateToModel(app *OIDCConfigUpdate) *proj_model.OIDCConfig {
+func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCConfig {
 	return &proj_model.OIDCConfig{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: app.ProjectId,
@@ -109,7 +110,7 @@ func oidcConfigUpdateToModel(app *OIDCConfigUpdate) *proj_model.OIDCConfig {
 	}
 }
 
-func applicationSearchRequestsToModel(request *ApplicationSearchRequest) *proj_model.ApplicationSearchRequest {
+func applicationSearchRequestsToModel(request *management.ApplicationSearchRequest) *proj_model.ApplicationSearchRequest {
 	return &proj_model.ApplicationSearchRequest{
 		Offset:  request.Offset,
 		Limit:   request.Limit,
@@ -117,7 +118,7 @@ func applicationSearchRequestsToModel(request *ApplicationSearchRequest) *proj_m
 	}
 }
 
-func applicationSearchQueriesToModel(projectID string, queries []*ApplicationSearchQuery) []*proj_model.ApplicationSearchQuery {
+func applicationSearchQueriesToModel(projectID string, queries []*management.ApplicationSearchQuery) []*proj_model.ApplicationSearchQuery {
 	converted := make([]*proj_model.ApplicationSearchQuery, len(queries)+1)
 	for i, q := range queries {
 		converted[i] = applicationSearchQueryToModel(q)
@@ -127,7 +128,7 @@ func applicationSearchQueriesToModel(projectID string, queries []*ApplicationSea
 	return converted
 }
 
-func applicationSearchQueryToModel(query *ApplicationSearchQuery) *proj_model.ApplicationSearchQuery {
+func applicationSearchQueryToModel(query *management.ApplicationSearchQuery) *proj_model.ApplicationSearchQuery {
 	return &proj_model.ApplicationSearchQuery{
 		Key:    applicationSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -135,17 +136,17 @@ func applicationSearchQueryToModel(query *ApplicationSearchQuery) *proj_model.Ap
 	}
 }
 
-func applicationSearchKeyToModel(key ApplicationSearchKey) proj_model.AppSearchKey {
+func applicationSearchKeyToModel(key management.ApplicationSearchKey) proj_model.AppSearchKey {
 	switch key {
-	case ApplicationSearchKey_APPLICATIONSEARCHKEY_APP_NAME:
+	case management.ApplicationSearchKey_APPLICATIONSEARCHKEY_APP_NAME:
 		return proj_model.AppSearchKeyName
 	default:
 		return proj_model.AppSearchKeyUnspecified
 	}
 }
 
-func applicationSearchResponseFromModel(response *proj_model.ApplicationSearchResponse) *ApplicationSearchResponse {
+func applicationSearchResponseFromModel(response *proj_model.ApplicationSearchResponse) *management.ApplicationSearchResponse {
-	return &ApplicationSearchResponse{
+	return &management.ApplicationSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -153,22 +154,22 @@ func applicationSearchResponseFromModel(response *proj_model.ApplicationSearchRe
 	}
 }
 
-func applicationViewsFromModel(apps []*proj_model.ApplicationView) []*ApplicationView {
+func applicationViewsFromModel(apps []*proj_model.ApplicationView) []*management.ApplicationView {
-	converted := make([]*ApplicationView, len(apps))
+	converted := make([]*management.ApplicationView, len(apps))
 	for i, app := range apps {
 		converted[i] = applicationViewFromModel(app)
 	}
 	return converted
 }
 
-func applicationViewFromModel(application *proj_model.ApplicationView) *ApplicationView {
+func applicationViewFromModel(application *proj_model.ApplicationView) *management.ApplicationView {
 	creationDate, err := ptypes.TimestampProto(application.CreationDate)
 	logging.Log("GRPC-lo9sw").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(application.ChangeDate)
 	logging.Log("GRPC-8uwsd").OnError(err).Debug("unable to parse timestamp")
 
-	converted := &ApplicationView{
+	converted := &management.ApplicationView{
 		Id:           application.ID,
 		State:        appStateFromModel(application.State),
 		CreationDate: creationDate,
@@ -177,25 +178,25 @@ func applicationViewFromModel(application *proj_model.ApplicationView) *Applicat
 		Sequence:     application.Sequence,
 	}
 	if application.IsOIDC {
-		converted.AppConfig = &ApplicationView_OidcConfig{
+		converted.AppConfig = &management.ApplicationView_OidcConfig{
 			OidcConfig: oidcConfigFromApplicationViewModel(application),
 		}
 	}
 	return converted
 }
 
-func appStateFromModel(state proj_model.AppState) AppState {
+func appStateFromModel(state proj_model.AppState) management.AppState {
 	switch state {
 	case proj_model.AppStateActive:
-		return AppState_APPSTATE_ACTIVE
+		return management.AppState_APPSTATE_ACTIVE
 	case proj_model.AppStateInactive:
-		return AppState_APPSTATE_INACTIVE
+		return management.AppState_APPSTATE_INACTIVE
 	default:
-		return AppState_APPSTATE_UNSPECIFIED
+		return management.AppState_APPSTATE_UNSPECIFIED
 	}
 }
 
-func oidcResponseTypesToModel(responseTypes []OIDCResponseType) []proj_model.OIDCResponseType {
+func oidcResponseTypesToModel(responseTypes []management.OIDCResponseType) []proj_model.OIDCResponseType {
 	if responseTypes == nil || len(responseTypes) == 0 {
 		return []proj_model.OIDCResponseType{proj_model.OIDCResponseTypeCode}
 	}
@@ -203,11 +204,11 @@ func oidcResponseTypesToModel(responseTypes []OIDCResponseType) []proj_model.OID
 
 	for i, responseType := range responseTypes {
 		switch responseType {
-		case OIDCResponseType_OIDCRESPONSETYPE_CODE:
+		case management.OIDCResponseType_OIDCRESPONSETYPE_CODE:
 			oidcResponseTypes[i] = proj_model.OIDCResponseTypeCode
-		case OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN:
+		case management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN:
 			oidcResponseTypes[i] = proj_model.OIDCResponseTypeIDToken
-		case OIDCResponseType_OIDCRESPONSETYPE_TOKEN:
+		case management.OIDCResponseType_OIDCRESPONSETYPE_TOKEN:
 			oidcResponseTypes[i] = proj_model.OIDCResponseTypeToken
 		}
 	}
@@ -215,24 +216,24 @@ func oidcResponseTypesToModel(responseTypes []OIDCResponseType) []proj_model.OID
 	return oidcResponseTypes
 }
 
-func oidcResponseTypesFromModel(responseTypes []proj_model.OIDCResponseType) []OIDCResponseType {
+func oidcResponseTypesFromModel(responseTypes []proj_model.OIDCResponseType) []management.OIDCResponseType {
-	oidcResponseTypes := make([]OIDCResponseType, len(responseTypes))
+	oidcResponseTypes := make([]management.OIDCResponseType, len(responseTypes))
 
 	for i, responseType := range responseTypes {
 		switch responseType {
 		case proj_model.OIDCResponseTypeCode:
-			oidcResponseTypes[i] = OIDCResponseType_OIDCRESPONSETYPE_CODE
+			oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_CODE
 		case proj_model.OIDCResponseTypeIDToken:
-			oidcResponseTypes[i] = OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN
+			oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_ID_TOKEN
 		case proj_model.OIDCResponseTypeToken:
-			oidcResponseTypes[i] = OIDCResponseType_OIDCRESPONSETYPE_TOKEN
+			oidcResponseTypes[i] = management.OIDCResponseType_OIDCRESPONSETYPE_TOKEN
 		}
 	}
 
 	return oidcResponseTypes
 }
 
-func oidcGrantTypesToModel(grantTypes []OIDCGrantType) []proj_model.OIDCGrantType {
+func oidcGrantTypesToModel(grantTypes []management.OIDCGrantType) []proj_model.OIDCGrantType {
 	if grantTypes == nil || len(grantTypes) == 0 {
 		return []proj_model.OIDCGrantType{proj_model.OIDCGrantTypeAuthorizationCode}
 	}
@@ -240,94 +241,94 @@ func oidcGrantTypesToModel(grantTypes []OIDCGrantType) []proj_model.OIDCGrantTyp
 
 	for i, grantType := range grantTypes {
 		switch grantType {
-		case OIDCGrantType_OIDCGRANTTYPE_AUTHORIZATION_CODE:
+		case management.OIDCGrantType_OIDCGRANTTYPE_AUTHORIZATION_CODE:
 			oidcGrantTypes[i] = proj_model.OIDCGrantTypeAuthorizationCode
-		case OIDCGrantType_OIDCGRANTTYPE_IMPLICIT:
+		case management.OIDCGrantType_OIDCGRANTTYPE_IMPLICIT:
 			oidcGrantTypes[i] = proj_model.OIDCGrantTypeImplicit
-		case OIDCGrantType_OIDCGRANTTYPE_REFRESH_TOKEN:
+		case management.OIDCGrantType_OIDCGRANTTYPE_REFRESH_TOKEN:
 			oidcGrantTypes[i] = proj_model.OIDCGrantTypeRefreshToken
 		}
 	}
 	return oidcGrantTypes
 }
 
-func oidcGrantTypesFromModel(grantTypes []proj_model.OIDCGrantType) []OIDCGrantType {
+func oidcGrantTypesFromModel(grantTypes []proj_model.OIDCGrantType) []management.OIDCGrantType {
-	oidcGrantTypes := make([]OIDCGrantType, len(grantTypes))
+	oidcGrantTypes := make([]management.OIDCGrantType, len(grantTypes))
 
 	for i, grantType := range grantTypes {
 		switch grantType {
 		case proj_model.OIDCGrantTypeAuthorizationCode:
-			oidcGrantTypes[i] = OIDCGrantType_OIDCGRANTTYPE_AUTHORIZATION_CODE
+			oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_AUTHORIZATION_CODE
 		case proj_model.OIDCGrantTypeImplicit:
-			oidcGrantTypes[i] = OIDCGrantType_OIDCGRANTTYPE_IMPLICIT
+			oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_IMPLICIT
 		case proj_model.OIDCGrantTypeRefreshToken:
-			oidcGrantTypes[i] = OIDCGrantType_OIDCGRANTTYPE_REFRESH_TOKEN
+			oidcGrantTypes[i] = management.OIDCGrantType_OIDCGRANTTYPE_REFRESH_TOKEN
 		}
 	}
 	return oidcGrantTypes
 }
 
-func oidcApplicationTypeToModel(appType OIDCApplicationType) proj_model.OIDCApplicationType {
+func oidcApplicationTypeToModel(appType management.OIDCApplicationType) proj_model.OIDCApplicationType {
 	switch appType {
-	case OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB:
+	case management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB:
 		return proj_model.OIDCApplicationTypeWeb
-	case OIDCApplicationType_OIDCAPPLICATIONTYPE_USER_AGENT:
+	case management.OIDCApplicationType_OIDCAPPLICATIONTYPE_USER_AGENT:
 		return proj_model.OIDCApplicationTypeUserAgent
-	case OIDCApplicationType_OIDCAPPLICATIONTYPE_NATIVE:
+	case management.OIDCApplicationType_OIDCAPPLICATIONTYPE_NATIVE:
 		return proj_model.OIDCApplicationTypeNative
 	}
 	return proj_model.OIDCApplicationTypeWeb
 }
 
-func oidcApplicationTypeFromModel(appType proj_model.OIDCApplicationType) OIDCApplicationType {
+func oidcApplicationTypeFromModel(appType proj_model.OIDCApplicationType) management.OIDCApplicationType {
 	switch appType {
 	case proj_model.OIDCApplicationTypeWeb:
-		return OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB
+		return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB
 	case proj_model.OIDCApplicationTypeUserAgent:
-		return OIDCApplicationType_OIDCAPPLICATIONTYPE_USER_AGENT
+		return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_USER_AGENT
 	case proj_model.OIDCApplicationTypeNative:
-		return OIDCApplicationType_OIDCAPPLICATIONTYPE_NATIVE
+		return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_NATIVE
 	default:
-		return OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB
+		return management.OIDCApplicationType_OIDCAPPLICATIONTYPE_WEB
 	}
 }
 
-func oidcAuthMethodTypeToModel(authType OIDCAuthMethodType) proj_model.OIDCAuthMethodType {
+func oidcAuthMethodTypeToModel(authType management.OIDCAuthMethodType) proj_model.OIDCAuthMethodType {
 	switch authType {
-	case OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC:
+	case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC:
 		return proj_model.OIDCAuthMethodTypeBasic
-	case OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST:
+	case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST:
 		return proj_model.OIDCAuthMethodTypePost
-	case OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE:
+	case management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE:
 		return proj_model.OIDCAuthMethodTypeNone
 	default:
 		return proj_model.OIDCAuthMethodTypeBasic
 	}
 }
 
-func oidcAuthMethodTypeFromModel(authType proj_model.OIDCAuthMethodType) OIDCAuthMethodType {
+func oidcAuthMethodTypeFromModel(authType proj_model.OIDCAuthMethodType) management.OIDCAuthMethodType {
 	switch authType {
 	case proj_model.OIDCAuthMethodTypeBasic:
-		return OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC
+		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC
 	case proj_model.OIDCAuthMethodTypePost:
-		return OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST
+		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_POST
 	case proj_model.OIDCAuthMethodTypeNone:
-		return OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE
+		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_NONE
 	default:
-		return OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC
+		return management.OIDCAuthMethodType_OIDCAUTHMETHODTYPE_BASIC
 	}
 }
 
-func appChangesToResponse(response *proj_model.ApplicationChanges, offset uint64, limit uint64) (_ *Changes) {
+func appChangesToResponse(response *proj_model.ApplicationChanges, offset uint64, limit uint64) (_ *management.Changes) {
-	return &Changes{
+	return &management.Changes{
 		Limit:   limit,
 		Offset:  offset,
 		Changes: appChangesToMgtAPI(response),
 	}
 }
 
-func appChangesToMgtAPI(changes *proj_model.ApplicationChanges) (_ []*Change) {
+func appChangesToMgtAPI(changes *proj_model.ApplicationChanges) (_ []*management.Change) {
-	result := make([]*Change, len(changes.Changes))
+	result := make([]*management.Change, len(changes.Changes))
 
 	for i, change := range changes.Changes {
 		b, err := json.Marshal(change.Data)
@@ -335,7 +336,7 @@ func appChangesToMgtAPI(changes *proj_model.ApplicationChanges) (_ []*Change) {
 		err = protojson.Unmarshal(b, data)
 		if err != nil {
 		}
-		result[i] = &Change{
+		result[i] = &management.Change{
 			ChangeDate: change.ChangeDate,
 			EventType:  message.NewLocalizedEventType(change.EventType),
 			Sequence:   change.Sequence,

internal/api/grpc/management/gateway.go

@@ -1,10 +1,13 @@
-package grpc
+package management
 
 import (
+	"strings"
+
+	"github.com/grpc-ecosystem/grpc-gateway/runtime"
+
 	grpc_util "github.com/caos/zitadel/internal/api/grpc"
 	"github.com/caos/zitadel/internal/api/grpc/server"
-	"github.com/grpc-ecosystem/grpc-gateway/runtime"
+	"github.com/caos/zitadel/pkg/grpc/management"
-	"strings"
 )
 
 type Gateway struct {
@@ -22,7 +25,7 @@ func StartGateway(conf grpc_util.GatewayConfig) *Gateway {
 }
 
 func (gw *Gateway) Gateway() server.GatewayFunc {
-	return RegisterManagementServiceHandlerFromEndpoint
+	return management.RegisterManagementServiceHandlerFromEndpoint
 }
 
 func (gw *Gateway) GRPCEndpoint() string {

internal/api/grpc/management/iam.go

@@ -1,11 +1,14 @@
-package grpc
+package management
 
 import (
 	"context"
+
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) GetIam(ctx context.Context, _ *empty.Empty) (*Iam, error) {
+func (s *Server) GetIam(ctx context.Context, _ *empty.Empty) (*management.Iam, error) {
 	iam, err := s.iam.IamByID(ctx, s.systemDefaults.IamID)
 	if err != nil {
 		return nil, err

internal/api/grpc/management/iam_converter.go

@@ -1,11 +1,12 @@
-package grpc
+package management
 
 import (
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func iamFromModel(iam *iam_model.Iam) *Iam {
+func iamFromModel(iam *iam_model.Iam) *management.Iam {
-	return &Iam{
+	return &management.Iam{
 		IamProjectId: iam.IamProjectID,
 		GlobalOrgId:  iam.GlobalOrgID,
 		SetUpDone:    iam.SetUpDone,

internal/api/grpc/management/org.go

@@ -1,21 +1,23 @@
-package grpc
+package management
 
 import (
 	"context"
 
-	"github.com/caos/zitadel/internal/api/auth"
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) GetMyOrg(ctx context.Context, _ *empty.Empty) (*OrgView, error) {
+func (s *Server) GetMyOrg(ctx context.Context, _ *empty.Empty) (*management.OrgView, error) {
-	org, err := s.org.OrgByID(ctx, auth.GetCtxData(ctx).OrgID)
+	org, err := s.org.OrgByID(ctx, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
 	return orgViewFromModel(org), nil
 }
 
-func (s *Server) GetOrgByDomainGlobal(ctx context.Context, in *Domain) (*OrgView, error) {
+func (s *Server) GetOrgByDomainGlobal(ctx context.Context, in *management.Domain) (*management.OrgView, error) {
 	org, err := s.org.OrgByDomainGlobal(ctx, in.Domain)
 	if err != nil {
 		return nil, err
@@ -23,23 +25,23 @@ func (s *Server) GetOrgByDomainGlobal(ctx context.Context, in *Domain) (*OrgView
 	return orgViewFromModel(org), nil
 }
 
-func (s *Server) DeactivateMyOrg(ctx context.Context, _ *empty.Empty) (*Org, error) {
+func (s *Server) DeactivateMyOrg(ctx context.Context, _ *empty.Empty) (*management.Org, error) {
-	org, err := s.org.DeactivateOrg(ctx, auth.GetCtxData(ctx).OrgID)
+	org, err := s.org.DeactivateOrg(ctx, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
 	return orgFromModel(org), nil
 }
 
-func (s *Server) ReactivateMyOrg(ctx context.Context, _ *empty.Empty) (*Org, error) {
+func (s *Server) ReactivateMyOrg(ctx context.Context, _ *empty.Empty) (*management.Org, error) {
-	org, err := s.org.ReactivateOrg(ctx, auth.GetCtxData(ctx).OrgID)
+	org, err := s.org.ReactivateOrg(ctx, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
 	return orgFromModel(org), nil
 }
 
-func (s *Server) SearchMyOrgDomains(ctx context.Context, in *OrgDomainSearchRequest) (*OrgDomainSearchResponse, error) {
+func (s *Server) SearchMyOrgDomains(ctx context.Context, in *management.OrgDomainSearchRequest) (*management.OrgDomainSearchResponse, error) {
 	domains, err := s.org.SearchMyOrgDomains(ctx, orgDomainSearchRequestToModel(in))
 	if err != nil {
 		return nil, err
@@ -47,7 +49,7 @@ func (s *Server) SearchMyOrgDomains(ctx context.Context, in *OrgDomainSearchRequ
 	return orgDomainSearchResponseFromModel(domains), nil
 }
 
-func (s *Server) AddMyOrgDomain(ctx context.Context, in *AddOrgDomainRequest) (*OrgDomain, error) {
+func (s *Server) AddMyOrgDomain(ctx context.Context, in *management.AddOrgDomainRequest) (*management.OrgDomain, error) {
 	domain, err := s.org.AddMyOrgDomain(ctx, addOrgDomainToModel(in))
 	if err != nil {
 		return nil, err
@@ -55,12 +57,12 @@ func (s *Server) AddMyOrgDomain(ctx context.Context, in *AddOrgDomainRequest) (*
 	return orgDomainFromModel(domain), nil
 }
 
-func (s *Server) RemoveMyOrgDomain(ctx context.Context, in *RemoveOrgDomainRequest) (*empty.Empty, error) {
+func (s *Server) RemoveMyOrgDomain(ctx context.Context, in *management.RemoveOrgDomainRequest) (*empty.Empty, error) {
 	err := s.org.RemoveMyOrgDomain(ctx, in.Domain)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) OrgChanges(ctx context.Context, changesRequest *ChangeRequest) (*Changes, error) {
+func (s *Server) OrgChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) {
 	response, err := s.org.OrgChanges(ctx, changesRequest.Id, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc)
 	if err != nil {
 		return nil, err
@@ -68,7 +70,7 @@ func (s *Server) OrgChanges(ctx context.Context, changesRequest *ChangeRequest)
 	return orgChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil
 }
 
-func (s *Server) GetMyOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *OrgIamPolicy, err error) {
+func (s *Server) GetMyOrgIamPolicy(ctx context.Context, _ *empty.Empty) (_ *management.OrgIamPolicy, err error) {
 	policy, err := s.org.GetMyOrgIamPolicy(ctx)
 	if err != nil {
 		return nil, err

internal/api/grpc/management/org_converter.go

@@ -1,33 +1,34 @@
-package grpc
+package management
 
 import (
 	"encoding/json"
 
 	"github.com/caos/logging"
-	org_model "github.com/caos/zitadel/internal/org/model"
-	"github.com/caos/zitadel/pkg/message"
-
 	"github.com/golang/protobuf/ptypes"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/structpb"
+
+	org_model "github.com/caos/zitadel/internal/org/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/message"
 )
 
-func orgsFromModel(orgs []*org_model.Org) []*Org {
+func orgsFromModel(orgs []*org_model.Org) []*management.Org {
-	orgList := make([]*Org, len(orgs))
+	orgList := make([]*management.Org, len(orgs))
 	for i, org := range orgs {
 		orgList[i] = orgFromModel(org)
 	}
 	return orgList
 }
 
-func orgFromModel(org *org_model.Org) *Org {
+func orgFromModel(org *org_model.Org) *management.Org {
 	creationDate, err := ptypes.TimestampProto(org.CreationDate)
 	logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time")
 
 	changeDate, err := ptypes.TimestampProto(org.ChangeDate)
 	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")
 
-	return &Org{
+	return &management.Org{
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		Id:           org.AggregateID,
@@ -36,14 +37,14 @@ func orgFromModel(org *org_model.Org) *Org {
 	}
 }
 
-func orgViewFromModel(org *org_model.OrgView) *OrgView {
+func orgViewFromModel(org *org_model.OrgView) *management.OrgView {
 	creationDate, err := ptypes.TimestampProto(org.CreationDate)
 	logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time")
 
 	changeDate, err := ptypes.TimestampProto(org.ChangeDate)
 	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")
 
-	return &OrgView{
+	return &management.OrgView{
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		Id:           org.ID,
@@ -52,29 +53,29 @@ func orgViewFromModel(org *org_model.OrgView) *OrgView {
 	}
 }
 
-func orgStateFromModel(state org_model.OrgState) OrgState {
+func orgStateFromModel(state org_model.OrgState) management.OrgState {
 	switch state {
 	case org_model.OrgStateActive:
-		return OrgState_ORGSTATE_ACTIVE
+		return management.OrgState_ORGSTATE_ACTIVE
 	case org_model.OrgStateInactive:
-		return OrgState_ORGSTATE_INACTIVE
+		return management.OrgState_ORGSTATE_INACTIVE
 	default:
-		return OrgState_ORGSTATE_UNSPECIFIED
+		return management.OrgState_ORGSTATE_UNSPECIFIED
 	}
 }
 
-func addOrgDomainToModel(domain *AddOrgDomainRequest) *org_model.OrgDomain {
+func addOrgDomainToModel(domain *management.AddOrgDomainRequest) *org_model.OrgDomain {
 	return &org_model.OrgDomain{Domain: domain.Domain}
 }
 
-func orgDomainFromModel(domain *org_model.OrgDomain) *OrgDomain {
+func orgDomainFromModel(domain *org_model.OrgDomain) *management.OrgDomain {
 	creationDate, err := ptypes.TimestampProto(domain.CreationDate)
 	logging.Log("GRPC-u8Ksj").OnError(err).Debug("unable to get timestamp from time")
 
 	changeDate, err := ptypes.TimestampProto(domain.ChangeDate)
 	logging.Log("GRPC-9osFS").OnError(err).Debug("unable to get timestamp from time")
 
-	return &OrgDomain{
+	return &management.OrgDomain{
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		OrgId:        domain.AggregateID,
@@ -84,14 +85,14 @@ func orgDomainFromModel(domain *org_model.OrgDomain) *OrgDomain {
 	}
 }
 
-func orgDomainViewFromModel(domain *org_model.OrgDomainView) *OrgDomainView {
+func orgDomainViewFromModel(domain *org_model.OrgDomainView) *management.OrgDomainView {
 	creationDate, err := ptypes.TimestampProto(domain.CreationDate)
 	logging.Log("GRPC-7sjDs").OnError(err).Debug("unable to get timestamp from time")
 
 	changeDate, err := ptypes.TimestampProto(domain.ChangeDate)
 	logging.Log("GRPC-8iSji").OnError(err).Debug("unable to get timestamp from time")
 
-	return &OrgDomainView{
+	return &management.OrgDomainView{
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		OrgId:        domain.OrgID,
@@ -101,7 +102,7 @@ func orgDomainViewFromModel(domain *org_model.OrgDomainView) *OrgDomainView {
 	}
 }
 
-func orgDomainSearchRequestToModel(request *OrgDomainSearchRequest) *org_model.OrgDomainSearchRequest {
+func orgDomainSearchRequestToModel(request *management.OrgDomainSearchRequest) *org_model.OrgDomainSearchRequest {
 	return &org_model.OrgDomainSearchRequest{
 		Limit:   request.Limit,
 		Offset:  request.Offset,
@@ -109,7 +110,7 @@ func orgDomainSearchRequestToModel(request *OrgDomainSearchRequest) *org_model.O
 	}
 }
 
-func orgDomainSearchQueriesToModel(queries []*OrgDomainSearchQuery) []*org_model.OrgDomainSearchQuery {
+func orgDomainSearchQueriesToModel(queries []*management.OrgDomainSearchQuery) []*org_model.OrgDomainSearchQuery {
 	modelQueries := make([]*org_model.OrgDomainSearchQuery, len(queries))
 
 	for i, query := range queries {
@@ -119,7 +120,7 @@ func orgDomainSearchQueriesToModel(queries []*OrgDomainSearchQuery) []*org_model
 	return modelQueries
 }
 
-func orgDomainSearchQueryToModel(query *OrgDomainSearchQuery) *org_model.OrgDomainSearchQuery {
+func orgDomainSearchQueryToModel(query *management.OrgDomainSearchQuery) *org_model.OrgDomainSearchQuery {
 	return &org_model.OrgDomainSearchQuery{
 		Key:    orgDomainSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -127,25 +128,25 @@ func orgDomainSearchQueryToModel(query *OrgDomainSearchQuery) *org_model.OrgDoma
 	}
 }
 
-func orgDomainSearchKeyToModel(key OrgDomainSearchKey) org_model.OrgDomainSearchKey {
+func orgDomainSearchKeyToModel(key management.OrgDomainSearchKey) org_model.OrgDomainSearchKey {
 	switch key {
-	case OrgDomainSearchKey_ORGDOMAINSEARCHKEY_DOMAIN:
+	case management.OrgDomainSearchKey_ORGDOMAINSEARCHKEY_DOMAIN:
 		return org_model.OrgDomainSearchKeyDomain
 	default:
 		return org_model.OrgDomainSearchKeyUnspecified
 	}
 }
 
-func orgDomainSearchResponseFromModel(resp *org_model.OrgDomainSearchResponse) *OrgDomainSearchResponse {
+func orgDomainSearchResponseFromModel(resp *org_model.OrgDomainSearchResponse) *management.OrgDomainSearchResponse {
-	return &OrgDomainSearchResponse{
+	return &management.OrgDomainSearchResponse{
 		Limit:       resp.Limit,
 		Offset:      resp.Offset,
 		TotalResult: resp.TotalResult,
 		Result:      orgDomainsFromModel(resp.Result),
 	}
 }
-func orgDomainsFromModel(viewDomains []*org_model.OrgDomainView) []*OrgDomainView {
+func orgDomainsFromModel(viewDomains []*org_model.OrgDomainView) []*management.OrgDomainView {
-	domains := make([]*OrgDomainView, len(viewDomains))
+	domains := make([]*management.OrgDomainView, len(viewDomains))
 
 	for i, domain := range viewDomains {
 		domains[i] = orgDomainViewFromModel(domain)
@@ -154,16 +155,16 @@ func orgDomainsFromModel(viewDomains []*org_model.OrgDomainView) []*OrgDomainVie
 	return domains
 }
 
-func orgChangesToResponse(response *org_model.OrgChanges, offset uint64, limit uint64) (_ *Changes) {
+func orgChangesToResponse(response *org_model.OrgChanges, offset uint64, limit uint64) (_ *management.Changes) {
-	return &Changes{
+	return &management.Changes{
 		Limit:   limit,
 		Offset:  offset,
 		Changes: orgChangesToMgtAPI(response),
 	}
 }
 
-func orgChangesToMgtAPI(changes *org_model.OrgChanges) (_ []*Change) {
+func orgChangesToMgtAPI(changes *org_model.OrgChanges) (_ []*management.Change) {
-	result := make([]*Change, len(changes.Changes))
+	result := make([]*management.Change, len(changes.Changes))
 
 	for i, change := range changes.Changes {
 		b, err := json.Marshal(change.Data)
@@ -171,7 +172,7 @@ func orgChangesToMgtAPI(changes *org_model.OrgChanges) (_ []*Change) {
 		err = protojson.Unmarshal(b, data)
 		if err != nil {
 		}
-		result[i] = &Change{
+		result[i] = &management.Change{
 			ChangeDate: change.ChangeDate,
 			EventType:  message.NewLocalizedEventType(change.EventType),
 			Sequence:   change.Sequence,
@@ -184,8 +185,8 @@ func orgChangesToMgtAPI(changes *org_model.OrgChanges) (_ []*Change) {
 	return result
 }
 
-func orgIamPolicyFromModel(policy *org_model.OrgIamPolicy) *OrgIamPolicy {
+func orgIamPolicyFromModel(policy *org_model.OrgIamPolicy) *management.OrgIamPolicy {
-	return &OrgIamPolicy{
+	return &management.OrgIamPolicy{
 		OrgId:                 policy.AggregateID,
 		Description:           policy.Description,
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,

internal/api/grpc/management/org_member.go

@@ -1,16 +1,18 @@
-package grpc
+package management
 
 import (
 	"context"
 
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) GetOrgMemberRoles(ctx context.Context, _ *empty.Empty) (*OrgMemberRoles, error) {
+func (s *Server) GetOrgMemberRoles(ctx context.Context, _ *empty.Empty) (*management.OrgMemberRoles, error) {
-	return &OrgMemberRoles{Roles: s.org.GetOrgMemberRoles()}, nil
+	return &management.OrgMemberRoles{Roles: s.org.GetOrgMemberRoles()}, nil
 }
 
-func (s *Server) SearchMyOrgMembers(ctx context.Context, in *OrgMemberSearchRequest) (*OrgMemberSearchResponse, error) {
+func (s *Server) SearchMyOrgMembers(ctx context.Context, in *management.OrgMemberSearchRequest) (*management.OrgMemberSearchResponse, error) {
 	members, err := s.org.SearchMyOrgMembers(ctx, orgMemberSearchRequestToModel(in))
 	if err != nil {
 		return nil, err
@@ -18,7 +20,7 @@ func (s *Server) SearchMyOrgMembers(ctx context.Context, in *OrgMemberSearchRequ
 	return orgMemberSearchResponseFromModel(members), nil
 }
 
-func (s *Server) AddMyOrgMember(ctx context.Context, member *AddOrgMemberRequest) (*OrgMember, error) {
+func (s *Server) AddMyOrgMember(ctx context.Context, member *management.AddOrgMemberRequest) (*management.OrgMember, error) {
 	addedMember, err := s.org.AddMyOrgMember(ctx, addOrgMemberToModel(member))
 	if err != nil {
 		return nil, err
@@ -27,7 +29,7 @@ func (s *Server) AddMyOrgMember(ctx context.Context, member *AddOrgMemberRequest
 	return orgMemberFromModel(addedMember), nil
 }
 
-func (s *Server) ChangeMyOrgMember(ctx context.Context, member *ChangeOrgMemberRequest) (*OrgMember, error) {
+func (s *Server) ChangeMyOrgMember(ctx context.Context, member *management.ChangeOrgMemberRequest) (*management.OrgMember, error) {
 	changedMember, err := s.org.ChangeMyOrgMember(ctx, changeOrgMemberToModel(member))
 	if err != nil {
 		return nil, err
@@ -35,7 +37,7 @@ func (s *Server) ChangeMyOrgMember(ctx context.Context, member *ChangeOrgMemberR
 	return orgMemberFromModel(changedMember), nil
 }
 
-func (s *Server) RemoveMyOrgMember(ctx context.Context, member *RemoveOrgMemberRequest) (*empty.Empty, error) {
+func (s *Server) RemoveMyOrgMember(ctx context.Context, member *management.RemoveOrgMemberRequest) (*empty.Empty, error) {
 	err := s.org.RemoveMyOrgMember(ctx, member.UserId)
 	return &empty.Empty{}, err
 }

internal/api/grpc/management/org_member_converter.go

@@ -1,13 +1,15 @@
-package grpc
+package management
 
 import (
 	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
 	"github.com/caos/zitadel/internal/model"
 	org_model "github.com/caos/zitadel/internal/org/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func addOrgMemberToModel(member *AddOrgMemberRequest) *org_model.OrgMember {
+func addOrgMemberToModel(member *management.AddOrgMemberRequest) *org_model.OrgMember {
 	memberModel := &org_model.OrgMember{
 		UserID: member.UserId,
 	}
@@ -16,7 +18,7 @@ func addOrgMemberToModel(member *AddOrgMemberRequest) *org_model.OrgMember {
 	return memberModel
 }
 
-func changeOrgMemberToModel(member *ChangeOrgMemberRequest) *org_model.OrgMember {
+func changeOrgMemberToModel(member *management.ChangeOrgMemberRequest) *org_model.OrgMember {
 	memberModel := &org_model.OrgMember{
 		UserID: member.UserId,
 	}
@@ -25,14 +27,14 @@ func changeOrgMemberToModel(member *ChangeOrgMemberRequest) *org_model.OrgMember
 	return memberModel
 }
 
-func orgMemberFromModel(member *org_model.OrgMember) *OrgMember {
+func orgMemberFromModel(member *org_model.OrgMember) *management.OrgMember {
 	creationDate, err := ptypes.TimestampProto(member.CreationDate)
 	logging.Log("GRPC-jC5wY").OnError(err).Debug("date parse failed")
 
 	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
 	logging.Log("GRPC-Nc2jJ").OnError(err).Debug("date parse failed")
 
-	return &OrgMember{
+	return &management.OrgMember{
 		UserId:       member.UserID,
 		CreationDate: creationDate,
 		ChangeDate:   changeDate,
@@ -41,7 +43,7 @@ func orgMemberFromModel(member *org_model.OrgMember) *OrgMember {
 	}
 }
 
-func orgMemberSearchRequestToModel(request *OrgMemberSearchRequest) *org_model.OrgMemberSearchRequest {
+func orgMemberSearchRequestToModel(request *management.OrgMemberSearchRequest) *org_model.OrgMemberSearchRequest {
 	return &org_model.OrgMemberSearchRequest{
 		Limit:   request.Limit,
 		Offset:  request.Offset,
@@ -49,7 +51,7 @@ func orgMemberSearchRequestToModel(request *OrgMemberSearchRequest) *org_model.O
 	}
 }
 
-func orgMemberSearchQueriesToModel(queries []*OrgMemberSearchQuery) []*org_model.OrgMemberSearchQuery {
+func orgMemberSearchQueriesToModel(queries []*management.OrgMemberSearchQuery) []*org_model.OrgMemberSearchQuery {
 	modelQueries := make([]*org_model.OrgMemberSearchQuery, len(queries)+1)
 
 	for i, query := range queries {
@@ -59,7 +61,7 @@ func orgMemberSearchQueriesToModel(queries []*OrgMemberSearchQuery) []*org_model
 	return modelQueries
 }
 
-func orgMemberSearchQueryToModel(query *OrgMemberSearchQuery) *org_model.OrgMemberSearchQuery {
+func orgMemberSearchQueryToModel(query *management.OrgMemberSearchQuery) *org_model.OrgMemberSearchQuery {
 	return &org_model.OrgMemberSearchQuery{
 		Key:    orgMemberSearchKeyToModel(query.Key),
 		Method: orgMemberSearchMethodToModel(query.Method),
@@ -67,50 +69,50 @@ func orgMemberSearchQueryToModel(query *OrgMemberSearchQuery) *org_model.OrgMemb
 	}
 }
 
-func orgMemberSearchKeyToModel(key OrgMemberSearchKey) org_model.OrgMemberSearchKey {
+func orgMemberSearchKeyToModel(key management.OrgMemberSearchKey) org_model.OrgMemberSearchKey {
 	switch key {
-	case OrgMemberSearchKey_ORGMEMBERSEARCHKEY_EMAIL:
+	case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_EMAIL:
 		return org_model.OrgMemberSearchKeyEmail
-	case OrgMemberSearchKey_ORGMEMBERSEARCHKEY_FIRST_NAME:
+	case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_FIRST_NAME:
 		return org_model.OrgMemberSearchKeyFirstName
-	case OrgMemberSearchKey_ORGMEMBERSEARCHKEY_LAST_NAME:
+	case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_LAST_NAME:
 		return org_model.OrgMemberSearchKeyLastName
-	case OrgMemberSearchKey_ORGMEMBERSEARCHKEY_USER_ID:
+	case management.OrgMemberSearchKey_ORGMEMBERSEARCHKEY_USER_ID:
 		return org_model.OrgMemberSearchKeyUserID
 	default:
 		return org_model.OrgMemberSearchKeyUnspecified
 	}
 }
 
-func orgMemberSearchMethodToModel(key SearchMethod) model.SearchMethod {
+func orgMemberSearchMethodToModel(key management.SearchMethod) model.SearchMethod {
 	switch key {
-	case SearchMethod_SEARCHMETHOD_CONTAINS:
+	case management.SearchMethod_SEARCHMETHOD_CONTAINS:
 		return model.SearchMethodContains
-	case SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
+	case management.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
 		return model.SearchMethodContainsIgnoreCase
-	case SearchMethod_SEARCHMETHOD_EQUALS:
+	case management.SearchMethod_SEARCHMETHOD_EQUALS:
 		return model.SearchMethodEquals
-	case SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
+	case management.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
 		return model.SearchMethodEqualsIgnoreCase
-	case SearchMethod_SEARCHMETHOD_STARTS_WITH:
+	case management.SearchMethod_SEARCHMETHOD_STARTS_WITH:
 		return model.SearchMethodStartsWith
-	case SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
+	case management.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
 		return model.SearchMethodStartsWithIgnoreCase
 	default:
 		return -1
 	}
 }
 
-func orgMemberSearchResponseFromModel(resp *org_model.OrgMemberSearchResponse) *OrgMemberSearchResponse {
+func orgMemberSearchResponseFromModel(resp *org_model.OrgMemberSearchResponse) *management.OrgMemberSearchResponse {
-	return &OrgMemberSearchResponse{
+	return &management.OrgMemberSearchResponse{
 		Limit:       resp.Limit,
 		Offset:      resp.Offset,
 		TotalResult: resp.TotalResult,
 		Result:      orgMembersFromView(resp.Result),
 	}
 }
-func orgMembersFromView(viewMembers []*org_model.OrgMemberView) []*OrgMemberView {
+func orgMembersFromView(viewMembers []*org_model.OrgMemberView) []*management.OrgMemberView {
-	members := make([]*OrgMemberView, len(viewMembers))
+	members := make([]*management.OrgMemberView, len(viewMembers))
 
 	for i, member := range viewMembers {
 		members[i] = orgMemberFromView(member)
@@ -119,13 +121,13 @@ func orgMembersFromView(viewMembers []*org_model.OrgMemberView) []*OrgMemberView
 	return members
 }
 
-func orgMemberFromView(member *org_model.OrgMemberView) *OrgMemberView {
+func orgMemberFromView(member *org_model.OrgMemberView) *management.OrgMemberView {
 	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
 	logging.Log("GRPC-S9LAZ").OnError(err).Debug("unable to parse changedate")
 	creationDate, err := ptypes.TimestampProto(member.CreationDate)
 	logging.Log("GRPC-oJN56").OnError(err).Debug("unable to parse creation date")
 
-	return &OrgMemberView{
+	return &management.OrgMemberView{
 		ChangeDate:   changeDate,
 		CreationDate: creationDate,
 		Roles:        member.Roles,

internal/api/grpc/management/policy.go

@@ -1,13 +1,15 @@
-package grpc
+package management
 
 import (
 	"context"
 
-	"github.com/caos/zitadel/internal/errors"
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *PasswordComplexityPolicyCreate) (*PasswordComplexityPolicy, error) {
+func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyCreate) (*management.PasswordComplexityPolicy, error) {
 	policyresp, err := s.policy.CreatePasswordComplexityPolicy(ctx, passwordComplexityPolicyCreateToModel(policy))
 	if err != nil {
 		return nil, err
@@ -16,7 +18,7 @@ func (s *Server) CreatePasswordComplexityPolicy(ctx context.Context, policy *Pas
 	return passwordComplexityPolicyFromModel(policyresp), nil
 }
 
-func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*PasswordComplexityPolicy, error) {
+func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordComplexityPolicy, error) {
 	policy, err := s.policy.GetPasswordComplexityPolicy(ctx)
 	if err != nil {
 		return nil, err
@@ -25,7 +27,7 @@ func (s *Server) GetPasswordComplexityPolicy(ctx context.Context, _ *empty.Empty
 	return passwordComplexityPolicyFromModel(policy), nil
 }
 
-func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *PasswordComplexityPolicyUpdate) (*PasswordComplexityPolicy, error) {
+func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *management.PasswordComplexityPolicyUpdate) (*management.PasswordComplexityPolicy, error) {
 	policyresp, err := s.policy.UpdatePasswordComplexityPolicy(ctx, passwordComplexityPolicyUpdateToModel(policy))
 	if err != nil {
 		return nil, err
@@ -34,11 +36,11 @@ func (s *Server) UpdatePasswordComplexityPolicy(ctx context.Context, policy *Pas
 	return passwordComplexityPolicyFromModel(policyresp), nil
 }
 
-func (s *Server) DeletePasswordComplexityPolicy(ctx context.Context, ID *PasswordComplexityPolicyID) (*empty.Empty, error) {
+func (s *Server) DeletePasswordComplexityPolicy(ctx context.Context, ID *management.PasswordComplexityPolicyID) (*empty.Empty, error) {
 	return nil, errors.ThrowUnimplemented(nil, "GRPC-skw3f", "Not implemented")
 }
 
-func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *PasswordAgePolicyCreate) (*PasswordAgePolicy, error) {
+func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyCreate) (*management.PasswordAgePolicy, error) {
 	policyresp, err := s.policy.CreatePasswordAgePolicy(ctx, passwordAgePolicyCreateToModel(policy))
 	if err != nil {
 		return nil, err
@@ -47,7 +49,7 @@ func (s *Server) CreatePasswordAgePolicy(ctx context.Context, policy *PasswordAg
 	return passwordAgePolicyFromModel(policyresp), nil
 }
 
-func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*PasswordAgePolicy, error) {
+func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordAgePolicy, error) {
 	policy, err := s.policy.GetPasswordAgePolicy(ctx)
 	if err != nil {
 		return nil, err
@@ -56,7 +58,7 @@ func (s *Server) GetPasswordAgePolicy(ctx context.Context, _ *empty.Empty) (*Pas
 	return passwordAgePolicyFromModel(policy), nil
 }
 
-func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *PasswordAgePolicyUpdate) (*PasswordAgePolicy, error) {
+func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *management.PasswordAgePolicyUpdate) (*management.PasswordAgePolicy, error) {
 	policyresp, err := s.policy.UpdatePasswordAgePolicy(ctx, passwordAgePolicyUpdateToModel(policy))
 	if err != nil {
 		return nil, err
@@ -65,11 +67,11 @@ func (s *Server) UpdatePasswordAgePolicy(ctx context.Context, policy *PasswordAg
 	return passwordAgePolicyFromModel(policyresp), nil
 }
 
-func (s *Server) DeletePasswordAgePolicy(ctx context.Context, ID *PasswordAgePolicyID) (*empty.Empty, error) {
+func (s *Server) DeletePasswordAgePolicy(ctx context.Context, ID *management.PasswordAgePolicyID) (*empty.Empty, error) {
 	return nil, errors.ThrowUnimplemented(nil, "GRPC-plo67", "Not implemented")
 }
 
-func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *PasswordLockoutPolicyCreate) (*PasswordLockoutPolicy, error) {
+func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyCreate) (*management.PasswordLockoutPolicy, error) {
 	policyresp, err := s.policy.CreatePasswordLockoutPolicy(ctx, passwordLockoutPolicyCreateToModel(policy))
 	if err != nil {
 		return nil, err
@@ -78,7 +80,7 @@ func (s *Server) CreatePasswordLockoutPolicy(ctx context.Context, policy *Passwo
 	return passwordLockoutPolicyFromModel(policyresp), nil
 }
 
-func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*PasswordLockoutPolicy, error) {
+func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (*management.PasswordLockoutPolicy, error) {
 	policy, err := s.policy.GetPasswordLockoutPolicy(ctx)
 	if err != nil {
 		return nil, err
@@ -87,7 +89,7 @@ func (s *Server) GetPasswordLockoutPolicy(ctx context.Context, _ *empty.Empty) (
 	return passwordLockoutPolicyFromModel(policy), nil
 }
 
-func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *PasswordLockoutPolicyUpdate) (*PasswordLockoutPolicy, error) {
+func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *management.PasswordLockoutPolicyUpdate) (*management.PasswordLockoutPolicy, error) {
 	policyresp, err := s.policy.UpdatePasswordLockoutPolicy(ctx, passwordLockoutPolicyUpdateToModel(policy))
 	if err != nil {
 		return nil, err
@@ -96,6 +98,6 @@ func (s *Server) UpdatePasswordLockoutPolicy(ctx context.Context, policy *Passwo
 	return passwordLockoutPolicyFromModel(policyresp), nil
 }
 
-func (s *Server) DeletePasswordLockoutPolicy(ctx context.Context, ID *PasswordLockoutPolicyID) (*empty.Empty, error) {
+func (s *Server) DeletePasswordLockoutPolicy(ctx context.Context, ID *management.PasswordLockoutPolicyID) (*empty.Empty, error) {
 	return nil, errors.ThrowUnimplemented(nil, "GRPC-GHkd9", "Not implemented")
 }

internal/api/grpc/management/policy_age_converter.go

@@ -1,20 +1,22 @@
-package grpc
+package management
 
 import (
 	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
 	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/policy/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func passwordAgePolicyFromModel(policy *model.PasswordAgePolicy) *PasswordAgePolicy {
+func passwordAgePolicyFromModel(policy *model.PasswordAgePolicy) *management.PasswordAgePolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-6ILdB").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
 	logging.Log("GRPC-ngUzJ").OnError(err).Debug("unable to parse timestamp")
 
-	return &PasswordAgePolicy{
+	return &management.PasswordAgePolicy{
 		Id:             policy.AggregateID,
 		CreationDate:   creationDate,
 		ChangeDate:     changeDate,
@@ -26,7 +28,7 @@ func passwordAgePolicyFromModel(policy *model.PasswordAgePolicy) *PasswordAgePol
 	}
 }
 
-func passwordAgePolicyToModel(policy *PasswordAgePolicy) *model.PasswordAgePolicy {
+func passwordAgePolicyToModel(policy *management.PasswordAgePolicy) *model.PasswordAgePolicy {
 	creationDate, err := ptypes.Timestamp(policy.CreationDate)
 	logging.Log("GRPC-2QSfU").OnError(err).Debug("unable to parse timestamp")
 
@@ -46,7 +48,7 @@ func passwordAgePolicyToModel(policy *PasswordAgePolicy) *model.PasswordAgePolic
 	}
 }
 
-func passwordAgePolicyCreateToModel(policy *PasswordAgePolicyCreate) *model.PasswordAgePolicy {
+func passwordAgePolicyCreateToModel(policy *management.PasswordAgePolicyCreate) *model.PasswordAgePolicy {
 	return &model.PasswordAgePolicy{
 		Description:    policy.Description,
 		ExpireWarnDays: policy.ExpireWarnDays,
@@ -54,7 +56,7 @@ func passwordAgePolicyCreateToModel(policy *PasswordAgePolicyCreate) *model.Pass
 	}
 }
 
-func passwordAgePolicyUpdateToModel(policy *PasswordAgePolicyUpdate) *model.PasswordAgePolicy {
+func passwordAgePolicyUpdateToModel(policy *management.PasswordAgePolicyUpdate) *model.PasswordAgePolicy {
 	return &model.PasswordAgePolicy{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: policy.Id,

internal/api/grpc/management/policy_complexity_converter.go

@@ -1,20 +1,23 @@
-package grpc
+package management
 
 import (
 	"github.com/caos/logging"
+
+	"github.com/golang/protobuf/ptypes"
+
 	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/policy/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *PasswordComplexityPolicy {
+func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *management.PasswordComplexityPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-cQRHE").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
 	logging.Log("GRPC-PVA1c").OnError(err).Debug("unable to parse timestamp")
 
-	return &PasswordComplexityPolicy{
+	return &management.PasswordComplexityPolicy{
 		Id:           policy.AggregateID,
 		CreationDate: creationDate,
 		ChangeDate:   changeDate,
@@ -29,7 +32,7 @@ func passwordComplexityPolicyFromModel(policy *model.PasswordComplexityPolicy) *
 	}
 }
 
-func passwordComplexityPolicyToModel(policy *PasswordComplexityPolicy) *model.PasswordComplexityPolicy {
+func passwordComplexityPolicyToModel(policy *management.PasswordComplexityPolicy) *model.PasswordComplexityPolicy {
 	creationDate, err := ptypes.Timestamp(policy.CreationDate)
 	logging.Log("GRPC-asmEZ").OnError(err).Debug("unable to parse timestamp")
 
@@ -52,7 +55,7 @@ func passwordComplexityPolicyToModel(policy *PasswordComplexityPolicy) *model.Pa
 	}
 }
 
-func passwordComplexityPolicyCreateToModel(policy *PasswordComplexityPolicyCreate) *model.PasswordComplexityPolicy {
+func passwordComplexityPolicyCreateToModel(policy *management.PasswordComplexityPolicyCreate) *model.PasswordComplexityPolicy {
 	return &model.PasswordComplexityPolicy{
 		Description:  policy.Description,
 		MinLength:    policy.MinLength,
@@ -63,7 +66,7 @@ func passwordComplexityPolicyCreateToModel(policy *PasswordComplexityPolicyCreat
 	}
 }
 
-func passwordComplexityPolicyUpdateToModel(policy *PasswordComplexityPolicyUpdate) *model.PasswordComplexityPolicy {
+func passwordComplexityPolicyUpdateToModel(policy *management.PasswordComplexityPolicyUpdate) *model.PasswordComplexityPolicy {
 	return &model.PasswordComplexityPolicy{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: policy.Id,

internal/api/grpc/management/policy_lockout_converter.go

@@ -1,20 +1,23 @@
-package grpc
+package management
 
 import (
 	"github.com/caos/logging"
+
+	"github.com/golang/protobuf/ptypes"
+
 	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/policy/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func passwordLockoutPolicyFromModel(policy *model.PasswordLockoutPolicy) *PasswordLockoutPolicy {
+func passwordLockoutPolicyFromModel(policy *model.PasswordLockoutPolicy) *management.PasswordLockoutPolicy {
 	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
 	logging.Log("GRPC-JRSbT").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
 	logging.Log("GRPC-1sizr").OnError(err).Debug("unable to parse timestamp")
 
-	return &PasswordLockoutPolicy{
+	return &management.PasswordLockoutPolicy{
 		Id:                  policy.AggregateID,
 		CreationDate:        creationDate,
 		ChangeDate:          changeDate,
@@ -26,7 +29,7 @@ func passwordLockoutPolicyFromModel(policy *model.PasswordLockoutPolicy) *Passwo
 	}
 }
 
-func passwordLockoutPolicyToModel(policy *PasswordLockoutPolicy) *model.PasswordLockoutPolicy {
+func passwordLockoutPolicyToModel(policy *management.PasswordLockoutPolicy) *model.PasswordLockoutPolicy {
 	creationDate, err := ptypes.Timestamp(policy.CreationDate)
 	logging.Log("GRPC-8a511").OnError(err).Debug("unable to parse timestamp")
 
@@ -47,7 +50,7 @@ func passwordLockoutPolicyToModel(policy *PasswordLockoutPolicy) *model.Password
 	}
 }
 
-func passwordLockoutPolicyCreateToModel(policy *PasswordLockoutPolicyCreate) *model.PasswordLockoutPolicy {
+func passwordLockoutPolicyCreateToModel(policy *management.PasswordLockoutPolicyCreate) *model.PasswordLockoutPolicy {
 	return &model.PasswordLockoutPolicy{
 		Description:         policy.Description,
 		MaxAttempts:         policy.MaxAttempts,
@@ -55,7 +58,7 @@ func passwordLockoutPolicyCreateToModel(policy *PasswordLockoutPolicyCreate) *mo
 	}
 }
 
-func passwordLockoutPolicyUpdateToModel(policy *PasswordLockoutPolicyUpdate) *model.PasswordLockoutPolicy {
+func passwordLockoutPolicyUpdateToModel(policy *management.PasswordLockoutPolicyUpdate) *model.PasswordLockoutPolicy {
 	return &model.PasswordLockoutPolicy{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: policy.Id,

internal/api/grpc/management/probes.go

@@ -1,4 +1,4 @@
-package grpc
+package management
 
 import (
 	"context"

internal/api/grpc/management/project.go

@@ -1,36 +1,38 @@
-package grpc
+package management
 
 import (
 	"context"
 
-	"github.com/caos/zitadel/internal/api"
-	"github.com/caos/zitadel/internal/api/auth"
-	grpc_util "github.com/caos/zitadel/internal/api/grpc"
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) CreateProject(ctx context.Context, in *ProjectCreateRequest) (*Project, error) {
+func (s *Server) CreateProject(ctx context.Context, in *management.ProjectCreateRequest) (*management.Project, error) {
 	project, err := s.project.CreateProject(ctx, in.Name)
 	if err != nil {
 		return nil, err
 	}
 	return projectFromModel(project), nil
 }
-func (s *Server) UpdateProject(ctx context.Context, in *ProjectUpdateRequest) (*Project, error) {
+func (s *Server) UpdateProject(ctx context.Context, in *management.ProjectUpdateRequest) (*management.Project, error) {
 	project, err := s.project.UpdateProject(ctx, projectUpdateToModel(in))
 	if err != nil {
 		return nil, err
 	}
 	return projectFromModel(project), nil
 }
-func (s *Server) DeactivateProject(ctx context.Context, in *ProjectID) (*Project, error) {
+func (s *Server) DeactivateProject(ctx context.Context, in *management.ProjectID) (*management.Project, error) {
 	project, err := s.project.DeactivateProject(ctx, in.Id)
 	if err != nil {
 		return nil, err
 	}
 	return projectFromModel(project), nil
 }
-func (s *Server) ReactivateProject(ctx context.Context, in *ProjectID) (*Project, error) {
+func (s *Server) ReactivateProject(ctx context.Context, in *management.ProjectID) (*management.Project, error) {
 	project, err := s.project.ReactivateProject(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -38,9 +40,9 @@ func (s *Server) ReactivateProject(ctx context.Context, in *ProjectID) (*Project
 	return projectFromModel(project), nil
 }
 
-func (s *Server) SearchProjects(ctx context.Context, in *ProjectSearchRequest) (*ProjectSearchResponse, error) {
+func (s *Server) SearchProjects(ctx context.Context, in *management.ProjectSearchRequest) (*management.ProjectSearchResponse, error) {
 	request := projectSearchRequestsToModel(in)
-	request.AppendMyResourceOwnerQuery(grpc_util.GetHeader(ctx, api.ZitadelOrgID))
+	request.AppendMyResourceOwnerQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID))
 	response, err := s.project.SearchProjects(ctx, request)
 	if err != nil {
 		return nil, err
@@ -48,7 +50,7 @@ func (s *Server) SearchProjects(ctx context.Context, in *ProjectSearchRequest) (
 	return projectSearchResponseFromModel(response), nil
 }
 
-func (s *Server) ProjectByID(ctx context.Context, id *ProjectID) (*ProjectView, error) {
+func (s *Server) ProjectByID(ctx context.Context, id *management.ProjectID) (*management.ProjectView, error) {
 	project, err := s.project.ProjectByID(ctx, id.Id)
 	if err != nil {
 		return nil, err
@@ -56,9 +58,9 @@ func (s *Server) ProjectByID(ctx context.Context, id *ProjectID) (*ProjectView,
 	return projectViewFromModel(project), nil
 }
 
-func (s *Server) SearchGrantedProjects(ctx context.Context, in *GrantedProjectSearchRequest) (*ProjectGrantSearchResponse, error) {
+func (s *Server) SearchGrantedProjects(ctx context.Context, in *management.GrantedProjectSearchRequest) (*management.ProjectGrantSearchResponse, error) {
 	request := grantedProjectSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(grpc_util.GetHeader(ctx, api.ZitadelOrgID))
+	request.AppendMyOrgQuery(grpc_util.GetHeader(ctx, http.ZitadelOrgID))
 	response, err := s.project.SearchProjectGrants(ctx, request)
 	if err != nil {
 		return nil, err
@@ -66,7 +68,7 @@ func (s *Server) SearchGrantedProjects(ctx context.Context, in *GrantedProjectSe
 	return projectGrantSearchResponseFromModel(response), nil
 }
 
-func (s *Server) GetGrantedProjectByID(ctx context.Context, in *ProjectGrantID) (*ProjectGrantView, error) {
+func (s *Server) GetGrantedProjectByID(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrantView, error) {
 	project, err := s.project.ProjectGrantViewByID(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -74,7 +76,7 @@ func (s *Server) GetGrantedProjectByID(ctx context.Context, in *ProjectGrantID)
 	return projectGrantFromGrantedProjectModel(project), nil
 }
 
-func (s *Server) AddProjectRole(ctx context.Context, in *ProjectRoleAdd) (*ProjectRole, error) {
+func (s *Server) AddProjectRole(ctx context.Context, in *management.ProjectRoleAdd) (*management.ProjectRole, error) {
 	role, err := s.project.AddProjectRole(ctx, projectRoleAddToModel(in))
 	if err != nil {
 		return nil, err
@@ -82,12 +84,12 @@ func (s *Server) AddProjectRole(ctx context.Context, in *ProjectRoleAdd) (*Proje
 	return projectRoleFromModel(role), nil
 }
 
-func (s *Server) BulkAddProjectRole(ctx context.Context, in *ProjectRoleAddBulk) (*empty.Empty, error) {
+func (s *Server) BulkAddProjectRole(ctx context.Context, in *management.ProjectRoleAddBulk) (*empty.Empty, error) {
 	err := s.project.BulkAddProjectRole(ctx, projectRoleAddBulkToModel(in))
 	return &empty.Empty{}, err
 }
 
-func (s *Server) ChangeProjectRole(ctx context.Context, in *ProjectRoleChange) (*ProjectRole, error) {
+func (s *Server) ChangeProjectRole(ctx context.Context, in *management.ProjectRoleChange) (*management.ProjectRole, error) {
 	role, err := s.project.ChangeProjectRole(ctx, projectRoleChangeToModel(in))
 	if err != nil {
 		return nil, err
@@ -95,14 +97,14 @@ func (s *Server) ChangeProjectRole(ctx context.Context, in *ProjectRoleChange) (
 	return projectRoleFromModel(role), nil
 }
 
-func (s *Server) RemoveProjectRole(ctx context.Context, in *ProjectRoleRemove) (*empty.Empty, error) {
+func (s *Server) RemoveProjectRole(ctx context.Context, in *management.ProjectRoleRemove) (*empty.Empty, error) {
 	err := s.project.RemoveProjectRole(ctx, in.Id, in.Key)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) SearchProjectRoles(ctx context.Context, in *ProjectRoleSearchRequest) (*ProjectRoleSearchResponse, error) {
+func (s *Server) SearchProjectRoles(ctx context.Context, in *management.ProjectRoleSearchRequest) (*management.ProjectRoleSearchResponse, error) {
 	request := projectRoleSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(auth.GetCtxData(ctx).OrgID)
+	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
 	request.AppendProjectQuery(in.ProjectId)
 	response, err := s.project.SearchProjectRoles(ctx, request)
 	if err != nil {
@@ -111,7 +113,7 @@ func (s *Server) SearchProjectRoles(ctx context.Context, in *ProjectRoleSearchRe
 	return projectRoleSearchResponseFromModel(response), nil
 }
 
-func (s *Server) ProjectChanges(ctx context.Context, changesRequest *ChangeRequest) (*Changes, error) {
+func (s *Server) ProjectChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) {
 	response, err := s.project.ProjectChanges(ctx, changesRequest.Id, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc)
 	if err != nil {
 		return nil, err

internal/api/grpc/management/project_converter.go

@@ -1,26 +1,27 @@
-package grpc
+package management
 
 import (
 	"encoding/json"
 
 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/eventstore/models"
-	proj_model "github.com/caos/zitadel/internal/project/model"
-	"github.com/caos/zitadel/pkg/message"
-
 	"github.com/golang/protobuf/ptypes"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	proj_model "github.com/caos/zitadel/internal/project/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/message"
 )
 
-func projectFromModel(project *proj_model.Project) *Project {
+func projectFromModel(project *proj_model.Project) *management.Project {
 	creationDate, err := ptypes.TimestampProto(project.CreationDate)
 	logging.Log("GRPC-iejs3").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(project.ChangeDate)
 	logging.Log("GRPC-di7rw").OnError(err).Debug("unable to parse timestamp")
 
-	return &Project{
+	return &management.Project{
 		Id:           project.AggregateID,
 		State:        projectStateFromModel(project.State),
 		CreationDate: creationDate,
@@ -30,8 +31,8 @@ func projectFromModel(project *proj_model.Project) *Project {
 	}
 }
 
-func projectSearchResponseFromModel(response *proj_model.ProjectViewSearchResponse) *ProjectSearchResponse {
+func projectSearchResponseFromModel(response *proj_model.ProjectViewSearchResponse) *management.ProjectSearchResponse {
-	return &ProjectSearchResponse{
+	return &management.ProjectSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -39,22 +40,22 @@ func projectSearchResponseFromModel(response *proj_model.ProjectViewSearchRespon
 	}
 }
 
-func projectViewsFromModel(projects []*proj_model.ProjectView) []*ProjectView {
+func projectViewsFromModel(projects []*proj_model.ProjectView) []*management.ProjectView {
-	converted := make([]*ProjectView, len(projects))
+	converted := make([]*management.ProjectView, len(projects))
 	for i, project := range projects {
 		converted[i] = projectViewFromModel(project)
 	}
 	return converted
 }
 
-func projectViewFromModel(project *proj_model.ProjectView) *ProjectView {
+func projectViewFromModel(project *proj_model.ProjectView) *management.ProjectView {
 	creationDate, err := ptypes.TimestampProto(project.CreationDate)
 	logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(project.ChangeDate)
 	logging.Log("GRPC-sope3").OnError(err).Debug("unable to parse timestamp")
 
-	return &ProjectView{
+	return &management.ProjectView{
 		ProjectId:     project.ProjectID,
 		State:         projectStateFromModel(project.State),
 		CreationDate:  creationDate,
@@ -65,8 +66,8 @@ func projectViewFromModel(project *proj_model.ProjectView) *ProjectView {
 	}
 }
 
-func projectRoleSearchResponseFromModel(response *proj_model.ProjectRoleSearchResponse) *ProjectRoleSearchResponse {
+func projectRoleSearchResponseFromModel(response *proj_model.ProjectRoleSearchResponse) *management.ProjectRoleSearchResponse {
-	return &ProjectRoleSearchResponse{
+	return &management.ProjectRoleSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -74,19 +75,19 @@ func projectRoleSearchResponseFromModel(response *proj_model.ProjectRoleSearchRe
 	}
 }
 
-func projectRoleViewsFromModel(roles []*proj_model.ProjectRoleView) []*ProjectRoleView {
+func projectRoleViewsFromModel(roles []*proj_model.ProjectRoleView) []*management.ProjectRoleView {
-	converted := make([]*ProjectRoleView, len(roles))
+	converted := make([]*management.ProjectRoleView, len(roles))
 	for i, role := range roles {
 		converted[i] = projectRoleViewFromModel(role)
 	}
 	return converted
 }
 
-func projectRoleViewFromModel(role *proj_model.ProjectRoleView) *ProjectRoleView {
+func projectRoleViewFromModel(role *proj_model.ProjectRoleView) *management.ProjectRoleView {
 	creationDate, err := ptypes.TimestampProto(role.CreationDate)
 	logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp")
 
-	return &ProjectRoleView{
+	return &management.ProjectRoleView{
 		ProjectId:    role.ProjectID,
 		CreationDate: creationDate,
 		Key:          role.Key,
@@ -96,18 +97,18 @@ func projectRoleViewFromModel(role *proj_model.ProjectRoleView) *ProjectRoleView
 	}
 }
 
-func projectStateFromModel(state proj_model.ProjectState) ProjectState {
+func projectStateFromModel(state proj_model.ProjectState) management.ProjectState {
 	switch state {
 	case proj_model.ProjectStateActive:
-		return ProjectState_PROJECTSTATE_ACTIVE
+		return management.ProjectState_PROJECTSTATE_ACTIVE
 	case proj_model.ProjectStateInactive:
-		return ProjectState_PROJECTSTATE_INACTIVE
+		return management.ProjectState_PROJECTSTATE_INACTIVE
 	default:
-		return ProjectState_PROJECTSTATE_UNSPECIFIED
+		return management.ProjectState_PROJECTSTATE_UNSPECIFIED
 	}
 }
 
-func projectUpdateToModel(project *ProjectUpdateRequest) *proj_model.Project {
+func projectUpdateToModel(project *management.ProjectUpdateRequest) *proj_model.Project {
 	return &proj_model.Project{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: project.Id,
@@ -116,14 +117,14 @@ func projectUpdateToModel(project *ProjectUpdateRequest) *proj_model.Project {
 	}
 }
 
-func projectRoleFromModel(role *proj_model.ProjectRole) *ProjectRole {
+func projectRoleFromModel(role *proj_model.ProjectRole) *management.ProjectRole {
 	creationDate, err := ptypes.TimestampProto(role.CreationDate)
 	logging.Log("GRPC-due83").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(role.ChangeDate)
 	logging.Log("GRPC-id93s").OnError(err).Debug("unable to parse timestamp")
 
-	return &ProjectRole{
+	return &management.ProjectRole{
 		CreationDate: creationDate,
 		ChangeDate:   changeDate,
 		Sequence:     role.Sequence,
@@ -133,7 +134,7 @@ func projectRoleFromModel(role *proj_model.ProjectRole) *ProjectRole {
 	}
 }
 
-func projectRoleAddBulkToModel(bulk *ProjectRoleAddBulk) []*proj_model.ProjectRole {
+func projectRoleAddBulkToModel(bulk *management.ProjectRoleAddBulk) []*proj_model.ProjectRole {
 	roles := make([]*proj_model.ProjectRole, len(bulk.ProjectRoles))
 	for i, role := range bulk.ProjectRoles {
 		roles[i] = &proj_model.ProjectRole{
@@ -148,7 +149,7 @@ func projectRoleAddBulkToModel(bulk *ProjectRoleAddBulk) []*proj_model.ProjectRo
 	return roles
 }
 
-func projectRoleAddToModel(role *ProjectRoleAdd) *proj_model.ProjectRole {
+func projectRoleAddToModel(role *management.ProjectRoleAdd) *proj_model.ProjectRole {
 	return &proj_model.ProjectRole{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: role.Id,
@@ -159,7 +160,7 @@ func projectRoleAddToModel(role *ProjectRoleAdd) *proj_model.ProjectRole {
 	}
 }
 
-func projectRoleChangeToModel(role *ProjectRoleChange) *proj_model.ProjectRole {
+func projectRoleChangeToModel(role *management.ProjectRoleChange) *proj_model.ProjectRole {
 	return &proj_model.ProjectRole{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: role.Id,
@@ -170,14 +171,14 @@ func projectRoleChangeToModel(role *ProjectRoleChange) *proj_model.ProjectRole {
 	}
 }
 
-func projectSearchRequestsToModel(project *ProjectSearchRequest) *proj_model.ProjectViewSearchRequest {
+func projectSearchRequestsToModel(project *management.ProjectSearchRequest) *proj_model.ProjectViewSearchRequest {
 	return &proj_model.ProjectViewSearchRequest{
 		Offset:  project.Offset,
 		Limit:   project.Limit,
 		Queries: projectSearchQueriesToModel(project.Queries),
 	}
 }
-func grantedProjectSearchRequestsToModel(request *GrantedProjectSearchRequest) *proj_model.ProjectGrantViewSearchRequest {
+func grantedProjectSearchRequestsToModel(request *management.GrantedProjectSearchRequest) *proj_model.ProjectGrantViewSearchRequest {
 	return &proj_model.ProjectGrantViewSearchRequest{
 		Offset:  request.Offset,
 		Limit:   request.Limit,
@@ -185,7 +186,7 @@ func grantedProjectSearchRequestsToModel(request *GrantedProjectSearchRequest) *
 	}
 }
 
-func projectSearchQueriesToModel(queries []*ProjectSearchQuery) []*proj_model.ProjectViewSearchQuery {
+func projectSearchQueriesToModel(queries []*management.ProjectSearchQuery) []*proj_model.ProjectViewSearchQuery {
 	converted := make([]*proj_model.ProjectViewSearchQuery, len(queries))
 	for i, q := range queries {
 		converted[i] = projectSearchQueryToModel(q)
@@ -193,7 +194,7 @@ func projectSearchQueriesToModel(queries []*ProjectSearchQuery) []*proj_model.Pr
 	return converted
 }
 
-func projectSearchQueryToModel(query *ProjectSearchQuery) *proj_model.ProjectViewSearchQuery {
+func projectSearchQueryToModel(query *management.ProjectSearchQuery) *proj_model.ProjectViewSearchQuery {
 	return &proj_model.ProjectViewSearchQuery{
 		Key:    projectSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -201,16 +202,16 @@ func projectSearchQueryToModel(query *ProjectSearchQuery) *proj_model.ProjectVie
 	}
 }
 
-func projectSearchKeyToModel(key ProjectSearchKey) proj_model.ProjectViewSearchKey {
+func projectSearchKeyToModel(key management.ProjectSearchKey) proj_model.ProjectViewSearchKey {
 	switch key {
-	case ProjectSearchKey_PROJECTSEARCHKEY_PROJECT_NAME:
+	case management.ProjectSearchKey_PROJECTSEARCHKEY_PROJECT_NAME:
 		return proj_model.ProjectViewSearchKeyName
 	default:
 		return proj_model.ProjectViewSearchKeyUnspecified
 	}
 }
 
-func grantedPRojectSearchQueriesToModel(queries []*ProjectSearchQuery) []*proj_model.ProjectGrantViewSearchQuery {
+func grantedPRojectSearchQueriesToModel(queries []*management.ProjectSearchQuery) []*proj_model.ProjectGrantViewSearchQuery {
 	converted := make([]*proj_model.ProjectGrantViewSearchQuery, len(queries))
 	for i, q := range queries {
 		converted[i] = grantedProjectSearchQueryToModel(q)
@@ -218,7 +219,7 @@ func grantedPRojectSearchQueriesToModel(queries []*ProjectSearchQuery) []*proj_m
 	return converted
 }
 
-func grantedProjectSearchQueryToModel(query *ProjectSearchQuery) *proj_model.ProjectGrantViewSearchQuery {
+func grantedProjectSearchQueryToModel(query *management.ProjectSearchQuery) *proj_model.ProjectGrantViewSearchQuery {
 	return &proj_model.ProjectGrantViewSearchQuery{
 		Key:    projectGrantSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -226,16 +227,16 @@ func grantedProjectSearchQueryToModel(query *ProjectSearchQuery) *proj_model.Pro
 	}
 }
 
-func projectGrantSearchKeyToModel(key ProjectSearchKey) proj_model.ProjectGrantViewSearchKey {
+func projectGrantSearchKeyToModel(key management.ProjectSearchKey) proj_model.ProjectGrantViewSearchKey {
 	switch key {
-	case ProjectSearchKey_PROJECTSEARCHKEY_PROJECT_NAME:
+	case management.ProjectSearchKey_PROJECTSEARCHKEY_PROJECT_NAME:
 		return proj_model.GrantedProjectSearchKeyName
 	default:
 		return proj_model.GrantedProjectSearchKeyUnspecified
 	}
 }
 
-func projectRoleSearchRequestsToModel(role *ProjectRoleSearchRequest) *proj_model.ProjectRoleSearchRequest {
+func projectRoleSearchRequestsToModel(role *management.ProjectRoleSearchRequest) *proj_model.ProjectRoleSearchRequest {
 	return &proj_model.ProjectRoleSearchRequest{
 		Offset:  role.Offset,
 		Limit:   role.Limit,
@@ -243,7 +244,7 @@ func projectRoleSearchRequestsToModel(role *ProjectRoleSearchRequest) *proj_mode
 	}
 }
 
-func projectRoleSearchQueriesToModel(queries []*ProjectRoleSearchQuery) []*proj_model.ProjectRoleSearchQuery {
+func projectRoleSearchQueriesToModel(queries []*management.ProjectRoleSearchQuery) []*proj_model.ProjectRoleSearchQuery {
 	converted := make([]*proj_model.ProjectRoleSearchQuery, len(queries))
 	for i, q := range queries {
 		converted[i] = projectRoleSearchQueryToModel(q)
@@ -251,7 +252,7 @@ func projectRoleSearchQueriesToModel(queries []*ProjectRoleSearchQuery) []*proj_
 	return converted
 }
 
-func projectRoleSearchQueryToModel(query *ProjectRoleSearchQuery) *proj_model.ProjectRoleSearchQuery {
+func projectRoleSearchQueryToModel(query *management.ProjectRoleSearchQuery) *proj_model.ProjectRoleSearchQuery {
 	return &proj_model.ProjectRoleSearchQuery{
 		Key:    projectRoleSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -259,27 +260,27 @@ func projectRoleSearchQueryToModel(query *ProjectRoleSearchQuery) *proj_model.Pr
 	}
 }
 
-func projectRoleSearchKeyToModel(key ProjectRoleSearchKey) proj_model.ProjectRoleSearchKey {
+func projectRoleSearchKeyToModel(key management.ProjectRoleSearchKey) proj_model.ProjectRoleSearchKey {
 	switch key {
-	case ProjectRoleSearchKey_PROJECTROLESEARCHKEY_KEY:
+	case management.ProjectRoleSearchKey_PROJECTROLESEARCHKEY_KEY:
 		return proj_model.ProjectRoleSearchKeyKey
-	case ProjectRoleSearchKey_PROJECTROLESEARCHKEY_DISPLAY_NAME:
+	case management.ProjectRoleSearchKey_PROJECTROLESEARCHKEY_DISPLAY_NAME:
 		return proj_model.ProjectRoleSearchKeyDisplayName
 	default:
 		return proj_model.ProjectRoleSearchKeyUnspecified
 	}
 }
 
-func projectChangesToResponse(response *proj_model.ProjectChanges, offset uint64, limit uint64) (_ *Changes) {
+func projectChangesToResponse(response *proj_model.ProjectChanges, offset uint64, limit uint64) (_ *management.Changes) {
-	return &Changes{
+	return &management.Changes{
 		Limit:   limit,
 		Offset:  offset,
 		Changes: projectChangesToMgtAPI(response),
 	}
 }
 
-func projectChangesToMgtAPI(changes *proj_model.ProjectChanges) (_ []*Change) {
+func projectChangesToMgtAPI(changes *proj_model.ProjectChanges) (_ []*management.Change) {
-	result := make([]*Change, len(changes.Changes))
+	result := make([]*management.Change, len(changes.Changes))
 
 	for i, change := range changes.Changes {
 		b, err := json.Marshal(change.Data)
@@ -287,7 +288,7 @@ func projectChangesToMgtAPI(changes *proj_model.ProjectChanges) (_ []*Change) {
 		err = protojson.Unmarshal(b, data)
 		if err != nil {
 		}
-		result[i] = &Change{
+		result[i] = &management.Change{
 			ChangeDate: change.ChangeDate,
 			EventType:  message.NewLocalizedEventType(change.EventType),
 			Sequence:   change.Sequence,

internal/api/grpc/management/project_grant.go

@@ -1,16 +1,18 @@
-package grpc
+package management
 
 import (
 	"context"
 
-	"github.com/caos/zitadel/internal/api"
-	grpc_util "github.com/caos/zitadel/internal/api/grpc"
 	"github.com/golang/protobuf/ptypes/empty"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) SearchProjectGrants(ctx context.Context, in *ProjectGrantSearchRequest) (*ProjectGrantSearchResponse, error) {
+func (s *Server) SearchProjectGrants(ctx context.Context, in *management.ProjectGrantSearchRequest) (*management.ProjectGrantSearchResponse, error) {
 	request := projectGrantSearchRequestsToModel(in)
-	orgID := grpc_util.GetHeader(ctx, api.ZitadelOrgID)
+	orgID := grpc_util.GetHeader(ctx, http.ZitadelOrgID)
 	request.AppendMyResourceOwnerQuery(orgID)
 	request.AppendNotMyOrgQuery(orgID)
 	response, err := s.project.SearchProjectGrants(ctx, request)
@@ -20,7 +22,7 @@ func (s *Server) SearchProjectGrants(ctx context.Context, in *ProjectGrantSearch
 	return projectGrantSearchResponseFromModel(response), nil
 }
 
-func (s *Server) ProjectGrantByID(ctx context.Context, in *ProjectGrantID) (*ProjectGrantView, error) {
+func (s *Server) ProjectGrantByID(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrantView, error) {
 	grant, err := s.project.ProjectGrantByID(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -28,21 +30,21 @@ func (s *Server) ProjectGrantByID(ctx context.Context, in *ProjectGrantID) (*Pro
 	return projectGrantFromGrantedProjectModel(grant), nil
 }
 
-func (s *Server) CreateProjectGrant(ctx context.Context, in *ProjectGrantCreate) (*ProjectGrant, error) {
+func (s *Server) CreateProjectGrant(ctx context.Context, in *management.ProjectGrantCreate) (*management.ProjectGrant, error) {
 	grant, err := s.project.AddProjectGrant(ctx, projectGrantCreateToModel(in))
 	if err != nil {
 		return nil, err
 	}
 	return projectGrantFromModel(grant), nil
 }
-func (s *Server) UpdateProjectGrant(ctx context.Context, in *ProjectGrantUpdate) (*ProjectGrant, error) {
+func (s *Server) UpdateProjectGrant(ctx context.Context, in *management.ProjectGrantUpdate) (*management.ProjectGrant, error) {
 	grant, err := s.project.ChangeProjectGrant(ctx, projectGrantUpdateToModel(in))
 	if err != nil {
 		return nil, err
 	}
 	return projectGrantFromModel(grant), nil
 }
-func (s *Server) DeactivateProjectGrant(ctx context.Context, in *ProjectGrantID) (*ProjectGrant, error) {
+func (s *Server) DeactivateProjectGrant(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrant, error) {
 	grant, err := s.project.DeactivateProjectGrant(ctx, in.ProjectId, in.Id)
 	if err != nil {
 		return nil, err
@@ -50,7 +52,7 @@ func (s *Server) DeactivateProjectGrant(ctx context.Context, in *ProjectGrantID)
 	return projectGrantFromModel(grant), nil
 }
 
-func (s *Server) ReactivateProjectGrant(ctx context.Context, in *ProjectGrantID) (*ProjectGrant, error) {
+func (s *Server) ReactivateProjectGrant(ctx context.Context, in *management.ProjectGrantID) (*management.ProjectGrant, error) {
 	grant, err := s.project.ReactivateProjectGrant(ctx, in.ProjectId, in.Id)
 	if err != nil {
 		return nil, err
@@ -58,7 +60,7 @@ func (s *Server) ReactivateProjectGrant(ctx context.Context, in *ProjectGrantID)
 	return projectGrantFromModel(grant), nil
 }
 
-func (s *Server) RemoveProjectGrant(ctx context.Context, in *ProjectGrantID) (*empty.Empty, error) {
+func (s *Server) RemoveProjectGrant(ctx context.Context, in *management.ProjectGrantID) (*empty.Empty, error) {
 	err := s.project.RemoveProjectGrant(ctx, in.ProjectId, in.Id)
 	return &empty.Empty{}, err
 }

internal/api/grpc/management/project_grant_converter.go

@@ -1,21 +1,24 @@
-package grpc
+package management
 
 import (
 	"github.com/caos/logging"
+
+	"github.com/golang/protobuf/ptypes"
+
 	"github.com/caos/zitadel/internal/eventstore/models"
 	"github.com/caos/zitadel/internal/model"
 	proj_model "github.com/caos/zitadel/internal/project/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func projectGrantFromModel(grant *proj_model.ProjectGrant) *ProjectGrant {
+func projectGrantFromModel(grant *proj_model.ProjectGrant) *management.ProjectGrant {
 	creationDate, err := ptypes.TimestampProto(grant.CreationDate)
 	logging.Log("GRPC-8d73s").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(grant.ChangeDate)
 	logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp")
 
-	return &ProjectGrant{
+	return &management.ProjectGrant{
 		Id:           grant.GrantID,
 		State:        projectGrantStateFromModel(grant.State),
 		CreationDate: creationDate,
@@ -27,7 +30,7 @@ func projectGrantFromModel(grant *proj_model.ProjectGrant) *ProjectGrant {
 	}
 }
 
-func projectGrantCreateToModel(grant *ProjectGrantCreate) *proj_model.ProjectGrant {
+func projectGrantCreateToModel(grant *management.ProjectGrantCreate) *proj_model.ProjectGrant {
 	return &proj_model.ProjectGrant{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: grant.ProjectId,
@@ -37,7 +40,7 @@ func projectGrantCreateToModel(grant *ProjectGrantCreate) *proj_model.ProjectGra
 	}
 }
 
-func projectGrantUpdateToModel(grant *ProjectGrantUpdate) *proj_model.ProjectGrant {
+func projectGrantUpdateToModel(grant *management.ProjectGrantUpdate) *proj_model.ProjectGrant {
 	return &proj_model.ProjectGrant{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: grant.ProjectId,
@@ -47,7 +50,7 @@ func projectGrantUpdateToModel(grant *ProjectGrantUpdate) *proj_model.ProjectGra
 	}
 }
 
-func projectGrantSearchRequestsToModel(request *ProjectGrantSearchRequest) *proj_model.ProjectGrantViewSearchRequest {
+func projectGrantSearchRequestsToModel(request *management.ProjectGrantSearchRequest) *proj_model.ProjectGrantViewSearchRequest {
 	return &proj_model.ProjectGrantViewSearchRequest{
 		Offset:  request.Offset,
 		Limit:   request.Limit,
@@ -55,7 +58,7 @@ func projectGrantSearchRequestsToModel(request *ProjectGrantSearchRequest) *proj
 	}
 }
 
-func projectGrantSearchQueriesToModel(projectId string, queries []*ProjectGrantSearchQuery) []*proj_model.ProjectGrantViewSearchQuery {
+func projectGrantSearchQueriesToModel(projectId string, queries []*management.ProjectGrantSearchQuery) []*proj_model.ProjectGrantViewSearchQuery {
 	converted := make([]*proj_model.ProjectGrantViewSearchQuery, 0)
 	converted = append(converted, &proj_model.ProjectGrantViewSearchQuery{
 		Key:    proj_model.GrantedProjectSearchKeyProjectID,
@@ -68,7 +71,7 @@ func projectGrantSearchQueriesToModel(projectId string, queries []*ProjectGrantS
 	return converted
 }
 
-func projectGrantSearchQueryToModel(query *ProjectGrantSearchQuery) *proj_model.ProjectGrantViewSearchQuery {
+func projectGrantSearchQueryToModel(query *management.ProjectGrantSearchQuery) *proj_model.ProjectGrantViewSearchQuery {
 	return &proj_model.ProjectGrantViewSearchQuery{
 		Key:    projectGrantViewSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -76,19 +79,19 @@ func projectGrantSearchQueryToModel(query *ProjectGrantSearchQuery) *proj_model.
 	}
 }
 
-func projectGrantViewSearchKeyToModel(key ProjectGrantSearchKey) proj_model.ProjectGrantViewSearchKey {
+func projectGrantViewSearchKeyToModel(key management.ProjectGrantSearchKey) proj_model.ProjectGrantViewSearchKey {
 	switch key {
-	case ProjectGrantSearchKey_PROJECTGRANTSEARCHKEY_PROJECT_NAME:
+	case management.ProjectGrantSearchKey_PROJECTGRANTSEARCHKEY_PROJECT_NAME:
 		return proj_model.GrantedProjectSearchKeyProjectID
-	case ProjectGrantSearchKey_PROJECTGRANTSEARCHKEY_ROLE_KEY:
+	case management.ProjectGrantSearchKey_PROJECTGRANTSEARCHKEY_ROLE_KEY:
 		return proj_model.GrantedProjectSearchKeyRoleKeys
 	default:
 		return proj_model.GrantedProjectSearchKeyUnspecified
 	}
 }
 
-func projectGrantSearchResponseFromModel(response *proj_model.ProjectGrantViewSearchResponse) *ProjectGrantSearchResponse {
+func projectGrantSearchResponseFromModel(response *proj_model.ProjectGrantViewSearchResponse) *management.ProjectGrantSearchResponse {
-	return &ProjectGrantSearchResponse{
+	return &management.ProjectGrantSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -96,22 +99,22 @@ func projectGrantSearchResponseFromModel(response *proj_model.ProjectGrantViewSe
 	}
 }
 
-func projectGrantsFromGrantedProjectModel(projects []*proj_model.ProjectGrantView) []*ProjectGrantView {
+func projectGrantsFromGrantedProjectModel(projects []*proj_model.ProjectGrantView) []*management.ProjectGrantView {
-	converted := make([]*ProjectGrantView, len(projects))
+	converted := make([]*management.ProjectGrantView, len(projects))
 	for i, project := range projects {
 		converted[i] = projectGrantFromGrantedProjectModel(project)
 	}
 	return converted
 }
 
-func projectGrantFromGrantedProjectModel(project *proj_model.ProjectGrantView) *ProjectGrantView {
+func projectGrantFromGrantedProjectModel(project *proj_model.ProjectGrantView) *management.ProjectGrantView {
 	creationDate, err := ptypes.TimestampProto(project.CreationDate)
 	logging.Log("GRPC-dlso3").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(project.ChangeDate)
 	logging.Log("GRPC-sope3").OnError(err).Debug("unable to parse timestamp")
 
-	return &ProjectGrantView{
+	return &management.ProjectGrantView{
 		ProjectId:         project.ProjectID,
 		State:             projectGrantStateFromProjectStateModel(project.State),
 		CreationDate:      creationDate,
@@ -127,24 +130,24 @@ func projectGrantFromGrantedProjectModel(project *proj_model.ProjectGrantView) *
 	}
 }
 
-func projectGrantStateFromModel(state proj_model.ProjectGrantState) ProjectGrantState {
+func projectGrantStateFromModel(state proj_model.ProjectGrantState) management.ProjectGrantState {
 	switch state {
 	case proj_model.ProjectGrantStateActive:
-		return ProjectGrantState_PROJECTGRANTSTATE_ACTIVE
+		return management.ProjectGrantState_PROJECTGRANTSTATE_ACTIVE
 	case proj_model.ProjectGrantStateInactive:
-		return ProjectGrantState_PROJECTGRANTSTATE_INACTIVE
+		return management.ProjectGrantState_PROJECTGRANTSTATE_INACTIVE
 	default:
-		return ProjectGrantState_PROJECTGRANTSTATE_UNSPECIFIED
+		return management.ProjectGrantState_PROJECTGRANTSTATE_UNSPECIFIED
 	}
 }
 
-func projectGrantStateFromProjectStateModel(state proj_model.ProjectState) ProjectGrantState {
+func projectGrantStateFromProjectStateModel(state proj_model.ProjectState) management.ProjectGrantState {
 	switch state {
 	case proj_model.ProjectStateActive:
-		return ProjectGrantState_PROJECTGRANTSTATE_ACTIVE
+		return management.ProjectGrantState_PROJECTGRANTSTATE_ACTIVE
 	case proj_model.ProjectStateInactive:
-		return ProjectGrantState_PROJECTGRANTSTATE_INACTIVE
+		return management.ProjectGrantState_PROJECTGRANTSTATE_INACTIVE
 	default:
-		return ProjectGrantState_PROJECTGRANTSTATE_UNSPECIFIED
+		return management.ProjectGrantState_PROJECTGRANTSTATE_UNSPECIFIED
 	}
 }

internal/api/grpc/management/project_grant_member.go

@@ -1,16 +1,18 @@
-package grpc
+package management
 
 import (
 	"context"
 
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) GetProjectGrantMemberRoles(ctx context.Context, _ *empty.Empty) (*ProjectGrantMemberRoles, error) {
+func (s *Server) GetProjectGrantMemberRoles(ctx context.Context, _ *empty.Empty) (*management.ProjectGrantMemberRoles, error) {
-	return &ProjectGrantMemberRoles{Roles: s.project.GetProjectGrantMemberRoles()}, nil
+	return &management.ProjectGrantMemberRoles{Roles: s.project.GetProjectGrantMemberRoles()}, nil
 }
 
-func (s *Server) SearchProjectGrantMembers(ctx context.Context, in *ProjectGrantMemberSearchRequest) (*ProjectGrantMemberSearchResponse, error) {
+func (s *Server) SearchProjectGrantMembers(ctx context.Context, in *management.ProjectGrantMemberSearchRequest) (*management.ProjectGrantMemberSearchResponse, error) {
 	response, err := s.project.SearchProjectGrantMembers(ctx, projectGrantMemberSearchRequestsToModel(in))
 	if err != nil {
 		return nil, err
@@ -18,7 +20,7 @@ func (s *Server) SearchProjectGrantMembers(ctx context.Context, in *ProjectGrant
 	return projectGrantMemberSearchResponseFromModel(response), nil
 }
 
-func (s *Server) AddProjectGrantMember(ctx context.Context, in *ProjectGrantMemberAdd) (*ProjectGrantMember, error) {
+func (s *Server) AddProjectGrantMember(ctx context.Context, in *management.ProjectGrantMemberAdd) (*management.ProjectGrantMember, error) {
 	member, err := s.project.AddProjectGrantMember(ctx, projectGrantMemberAddToModel(in))
 	if err != nil {
 		return nil, err
@@ -26,7 +28,7 @@ func (s *Server) AddProjectGrantMember(ctx context.Context, in *ProjectGrantMemb
 	return projectGrantMemberFromModel(member), nil
 }
 
-func (s *Server) ChangeProjectGrantMember(ctx context.Context, in *ProjectGrantMemberChange) (*ProjectGrantMember, error) {
+func (s *Server) ChangeProjectGrantMember(ctx context.Context, in *management.ProjectGrantMemberChange) (*management.ProjectGrantMember, error) {
 	member, err := s.project.ChangeProjectGrantMember(ctx, projectGrantMemberChangeToModel(in))
 	if err != nil {
 		return nil, err
@@ -34,7 +36,7 @@ func (s *Server) ChangeProjectGrantMember(ctx context.Context, in *ProjectGrantM
 	return projectGrantMemberFromModel(member), nil
 }
 
-func (s *Server) RemoveProjectGrantMember(ctx context.Context, in *ProjectGrantMemberRemove) (*empty.Empty, error) {
+func (s *Server) RemoveProjectGrantMember(ctx context.Context, in *management.ProjectGrantMemberRemove) (*empty.Empty, error) {
 	err := s.project.RemoveProjectGrantMember(ctx, in.ProjectId, in.GrantId, in.UserId)
 	return &empty.Empty{}, err
 }

internal/api/grpc/management/project_grant_member_converter.go

@@ -1,20 +1,22 @@
-package grpc
+package management
 
 import (
 	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
 	"github.com/caos/zitadel/internal/eventstore/models"
 	proj_model "github.com/caos/zitadel/internal/project/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func projectGrantMemberFromModel(member *proj_model.ProjectGrantMember) *ProjectGrantMember {
+func projectGrantMemberFromModel(member *proj_model.ProjectGrantMember) *management.ProjectGrantMember {
 	creationDate, err := ptypes.TimestampProto(member.CreationDate)
 	logging.Log("GRPC-7du3s").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
 	logging.Log("GRPC-8duew").OnError(err).Debug("unable to parse timestamp")
 
-	return &ProjectGrantMember{
+	return &management.ProjectGrantMember{
 		CreationDate: creationDate,
 		ChangeDate:   changeDate,
 		Sequence:     member.Sequence,
@@ -23,7 +25,7 @@ func projectGrantMemberFromModel(member *proj_model.ProjectGrantMember) *Project
 	}
 }
 
-func projectGrantMemberAddToModel(member *ProjectGrantMemberAdd) *proj_model.ProjectGrantMember {
+func projectGrantMemberAddToModel(member *management.ProjectGrantMemberAdd) *proj_model.ProjectGrantMember {
 	return &proj_model.ProjectGrantMember{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: member.ProjectId,
@@ -34,7 +36,7 @@ func projectGrantMemberAddToModel(member *ProjectGrantMemberAdd) *proj_model.Pro
 	}
 }
 
-func projectGrantMemberChangeToModel(member *ProjectGrantMemberChange) *proj_model.ProjectGrantMember {
+func projectGrantMemberChangeToModel(member *management.ProjectGrantMemberChange) *proj_model.ProjectGrantMember {
 	return &proj_model.ProjectGrantMember{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: member.ProjectId,
@@ -45,7 +47,7 @@ func projectGrantMemberChangeToModel(member *ProjectGrantMemberChange) *proj_mod
 	}
 }
 
-func projectGrantMemberSearchRequestsToModel(role *ProjectGrantMemberSearchRequest) *proj_model.ProjectGrantMemberSearchRequest {
+func projectGrantMemberSearchRequestsToModel(role *management.ProjectGrantMemberSearchRequest) *proj_model.ProjectGrantMemberSearchRequest {
 	return &proj_model.ProjectGrantMemberSearchRequest{
 		Offset:  role.Offset,
 		Limit:   role.Limit,
@@ -53,7 +55,7 @@ func projectGrantMemberSearchRequestsToModel(role *ProjectGrantMemberSearchReque
 	}
 }
 
-func projectGrantMemberSearchQueriesToModel(queries []*ProjectGrantMemberSearchQuery) []*proj_model.ProjectGrantMemberSearchQuery {
+func projectGrantMemberSearchQueriesToModel(queries []*management.ProjectGrantMemberSearchQuery) []*proj_model.ProjectGrantMemberSearchQuery {
 	converted := make([]*proj_model.ProjectGrantMemberSearchQuery, len(queries))
 	for i, q := range queries {
 		converted[i] = projectGrantMemberSearchQueryToModel(q)
@@ -61,7 +63,7 @@ func projectGrantMemberSearchQueriesToModel(queries []*ProjectGrantMemberSearchQ
 	return converted
 }
 
-func projectGrantMemberSearchQueryToModel(query *ProjectGrantMemberSearchQuery) *proj_model.ProjectGrantMemberSearchQuery {
+func projectGrantMemberSearchQueryToModel(query *management.ProjectGrantMemberSearchQuery) *proj_model.ProjectGrantMemberSearchQuery {
 	return &proj_model.ProjectGrantMemberSearchQuery{
 		Key:    projectGrantMemberSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -69,23 +71,23 @@ func projectGrantMemberSearchQueryToModel(query *ProjectGrantMemberSearchQuery)
 	}
 }
 
-func projectGrantMemberSearchKeyToModel(key ProjectGrantMemberSearchKey) proj_model.ProjectGrantMemberSearchKey {
+func projectGrantMemberSearchKeyToModel(key management.ProjectGrantMemberSearchKey) proj_model.ProjectGrantMemberSearchKey {
 	switch key {
-	case ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_EMAIL:
+	case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_EMAIL:
 		return proj_model.ProjectGrantMemberSearchKeyEmail
-	case ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_FIRST_NAME:
+	case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_FIRST_NAME:
 		return proj_model.ProjectGrantMemberSearchKeyFirstName
-	case ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_LAST_NAME:
+	case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_LAST_NAME:
 		return proj_model.ProjectGrantMemberSearchKeyLastName
-	case ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_USER_NAME:
+	case management.ProjectGrantMemberSearchKey_PROJECTGRANTMEMBERSEARCHKEY_USER_NAME:
 		return proj_model.ProjectGrantMemberSearchKeyUserName
 	default:
 		return proj_model.ProjectGrantMemberSearchKeyUnspecified
 	}
 }
 
-func projectGrantMemberSearchResponseFromModel(response *proj_model.ProjectGrantMemberSearchResponse) *ProjectGrantMemberSearchResponse {
+func projectGrantMemberSearchResponseFromModel(response *proj_model.ProjectGrantMemberSearchResponse) *management.ProjectGrantMemberSearchResponse {
-	return &ProjectGrantMemberSearchResponse{
+	return &management.ProjectGrantMemberSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -93,22 +95,22 @@ func projectGrantMemberSearchResponseFromModel(response *proj_model.ProjectGrant
 	}
 }
 
-func projectGrantMemberViewsFromModel(roles []*proj_model.ProjectGrantMemberView) []*ProjectGrantMemberView {
+func projectGrantMemberViewsFromModel(roles []*proj_model.ProjectGrantMemberView) []*management.ProjectGrantMemberView {
-	converted := make([]*ProjectGrantMemberView, len(roles))
+	converted := make([]*management.ProjectGrantMemberView, len(roles))
 	for i, role := range roles {
 		converted[i] = projectGrantMemberViewFromModel(role)
 	}
 	return converted
 }
 
-func projectGrantMemberViewFromModel(member *proj_model.ProjectGrantMemberView) *ProjectGrantMemberView {
+func projectGrantMemberViewFromModel(member *proj_model.ProjectGrantMemberView) *management.ProjectGrantMemberView {
 	creationDate, err := ptypes.TimestampProto(member.CreationDate)
 	logging.Log("GRPC-los93").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
 	logging.Log("GRPC-ski4e").OnError(err).Debug("unable to parse timestamp")
 
-	return &ProjectGrantMemberView{
+	return &management.ProjectGrantMemberView{
 		UserId:       member.UserID,
 		UserName:     member.UserName,
 		Email:        member.Email,

internal/api/grpc/management/project_member.go

@@ -1,15 +1,18 @@
-package grpc
+package management
 
 import (
 	"context"
+
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) GetProjectMemberRoles(ctx context.Context, _ *empty.Empty) (*ProjectMemberRoles, error) {
+func (s *Server) GetProjectMemberRoles(ctx context.Context, _ *empty.Empty) (*management.ProjectMemberRoles, error) {
-	return &ProjectMemberRoles{Roles: s.project.GetProjectMemberRoles()}, nil
+	return &management.ProjectMemberRoles{Roles: s.project.GetProjectMemberRoles()}, nil
 }
 
-func (s *Server) SearchProjectMembers(ctx context.Context, in *ProjectMemberSearchRequest) (*ProjectMemberSearchResponse, error) {
+func (s *Server) SearchProjectMembers(ctx context.Context, in *management.ProjectMemberSearchRequest) (*management.ProjectMemberSearchResponse, error) {
 	request := projectMemberSearchRequestsToModel(in)
 	request.AppendProjectQuery(in.ProjectId)
 	response, err := s.project.SearchProjectMembers(ctx, request)
@@ -19,7 +22,7 @@ func (s *Server) SearchProjectMembers(ctx context.Context, in *ProjectMemberSear
 	return projectMemberSearchResponseFromModel(response), nil
 }
 
-func (s *Server) AddProjectMember(ctx context.Context, in *ProjectMemberAdd) (*ProjectMember, error) {
+func (s *Server) AddProjectMember(ctx context.Context, in *management.ProjectMemberAdd) (*management.ProjectMember, error) {
 	member, err := s.project.AddProjectMember(ctx, projectMemberAddToModel(in))
 	if err != nil {
 		return nil, err
@@ -27,7 +30,7 @@ func (s *Server) AddProjectMember(ctx context.Context, in *ProjectMemberAdd) (*P
 	return projectMemberFromModel(member), nil
 }
 
-func (s *Server) ChangeProjectMember(ctx context.Context, in *ProjectMemberChange) (*ProjectMember, error) {
+func (s *Server) ChangeProjectMember(ctx context.Context, in *management.ProjectMemberChange) (*management.ProjectMember, error) {
 	member, err := s.project.ChangeProjectMember(ctx, projectMemberChangeToModel(in))
 	if err != nil {
 		return nil, err
@@ -35,7 +38,7 @@ func (s *Server) ChangeProjectMember(ctx context.Context, in *ProjectMemberChang
 	return projectMemberFromModel(member), nil
 }
 
-func (s *Server) RemoveProjectMember(ctx context.Context, in *ProjectMemberRemove) (*empty.Empty, error) {
+func (s *Server) RemoveProjectMember(ctx context.Context, in *management.ProjectMemberRemove) (*empty.Empty, error) {
 	err := s.project.RemoveProjectMember(ctx, in.Id, in.UserId)
 	return &empty.Empty{}, err
 }

internal/api/grpc/management/project_member_converter.go

@@ -1,20 +1,22 @@
-package grpc
+package management
 
 import (
 	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
 	"github.com/caos/zitadel/internal/eventstore/models"
 	proj_model "github.com/caos/zitadel/internal/project/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func projectMemberFromModel(member *proj_model.ProjectMember) *ProjectMember {
+func projectMemberFromModel(member *proj_model.ProjectMember) *management.ProjectMember {
 	creationDate, err := ptypes.TimestampProto(member.CreationDate)
 	logging.Log("GRPC-kd8re").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
 	logging.Log("GRPC-dlei3").OnError(err).Debug("unable to parse timestamp")
 
-	return &ProjectMember{
+	return &management.ProjectMember{
 		CreationDate: creationDate,
 		ChangeDate:   changeDate,
 		Sequence:     member.Sequence,
@@ -23,7 +25,7 @@ func projectMemberFromModel(member *proj_model.ProjectMember) *ProjectMember {
 	}
 }
 
-func projectMemberAddToModel(member *ProjectMemberAdd) *proj_model.ProjectMember {
+func projectMemberAddToModel(member *management.ProjectMemberAdd) *proj_model.ProjectMember {
 	return &proj_model.ProjectMember{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: member.Id,
@@ -33,7 +35,7 @@ func projectMemberAddToModel(member *ProjectMemberAdd) *proj_model.ProjectMember
 	}
 }
 
-func projectMemberChangeToModel(member *ProjectMemberChange) *proj_model.ProjectMember {
+func projectMemberChangeToModel(member *management.ProjectMemberChange) *proj_model.ProjectMember {
 	return &proj_model.ProjectMember{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: member.Id,
@@ -43,7 +45,7 @@ func projectMemberChangeToModel(member *ProjectMemberChange) *proj_model.Project
 	}
 }
 
-func projectMemberSearchRequestsToModel(role *ProjectMemberSearchRequest) *proj_model.ProjectMemberSearchRequest {
+func projectMemberSearchRequestsToModel(role *management.ProjectMemberSearchRequest) *proj_model.ProjectMemberSearchRequest {
 	return &proj_model.ProjectMemberSearchRequest{
 		Offset:  role.Offset,
 		Limit:   role.Limit,
@@ -51,7 +53,7 @@ func projectMemberSearchRequestsToModel(role *ProjectMemberSearchRequest) *proj_
 	}
 }
 
-func projectMemberSearchQueriesToModel(queries []*ProjectMemberSearchQuery) []*proj_model.ProjectMemberSearchQuery {
+func projectMemberSearchQueriesToModel(queries []*management.ProjectMemberSearchQuery) []*proj_model.ProjectMemberSearchQuery {
 	converted := make([]*proj_model.ProjectMemberSearchQuery, len(queries))
 	for i, q := range queries {
 		converted[i] = projectMemberSearchQueryToModel(q)
@@ -59,7 +61,7 @@ func projectMemberSearchQueriesToModel(queries []*ProjectMemberSearchQuery) []*p
 	return converted
 }
 
-func projectMemberSearchQueryToModel(query *ProjectMemberSearchQuery) *proj_model.ProjectMemberSearchQuery {
+func projectMemberSearchQueryToModel(query *management.ProjectMemberSearchQuery) *proj_model.ProjectMemberSearchQuery {
 	return &proj_model.ProjectMemberSearchQuery{
 		Key:    projectMemberSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -67,23 +69,23 @@ func projectMemberSearchQueryToModel(query *ProjectMemberSearchQuery) *proj_mode
 	}
 }
 
-func projectMemberSearchKeyToModel(key ProjectMemberSearchKey) proj_model.ProjectMemberSearchKey {
+func projectMemberSearchKeyToModel(key management.ProjectMemberSearchKey) proj_model.ProjectMemberSearchKey {
 	switch key {
-	case ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_EMAIL:
+	case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_EMAIL:
 		return proj_model.ProjectMemberSearchKeyEmail
-	case ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_FIRST_NAME:
+	case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_FIRST_NAME:
 		return proj_model.ProjectMemberSearchKeyFirstName
-	case ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_LAST_NAME:
+	case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_LAST_NAME:
 		return proj_model.ProjectMemberSearchKeyLastName
-	case ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_USER_NAME:
+	case management.ProjectMemberSearchKey_PROJECTMEMBERSEARCHKEY_USER_NAME:
 		return proj_model.ProjectMemberSearchKeyUserName
 	default:
 		return proj_model.ProjectMemberSearchKeyUnspecified
 	}
 }
 
-func projectMemberSearchResponseFromModel(response *proj_model.ProjectMemberSearchResponse) *ProjectMemberSearchResponse {
+func projectMemberSearchResponseFromModel(response *proj_model.ProjectMemberSearchResponse) *management.ProjectMemberSearchResponse {
-	return &ProjectMemberSearchResponse{
+	return &management.ProjectMemberSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -91,22 +93,22 @@ func projectMemberSearchResponseFromModel(response *proj_model.ProjectMemberSear
 	}
 }
 
-func projectMemberViewsFromModel(members []*proj_model.ProjectMemberView) []*ProjectMemberView {
+func projectMemberViewsFromModel(members []*proj_model.ProjectMemberView) []*management.ProjectMemberView {
-	converted := make([]*ProjectMemberView, len(members))
+	converted := make([]*management.ProjectMemberView, len(members))
 	for i, member := range members {
 		converted[i] = projectMemberViewFromModel(member)
 	}
 	return converted
 }
 
-func projectMemberViewFromModel(member *proj_model.ProjectMemberView) *ProjectMemberView {
+func projectMemberViewFromModel(member *proj_model.ProjectMemberView) *management.ProjectMemberView {
 	creationDate, err := ptypes.TimestampProto(member.CreationDate)
 	logging.Log("GRPC-sl9cs").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
 	logging.Log("GRPC-8iw2d").OnError(err).Debug("unable to parse timestamp")
 
-	return &ProjectMemberView{
+	return &management.ProjectMemberView{
 		UserId:       member.UserID,
 		UserName:     member.UserName,
 		Email:        member.Email,

internal/api/grpc/management/search_converter.go

@@ -0,0 +1,31 @@
+package management
+
+import (
+	"github.com/caos/zitadel/internal/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+func searchMethodToModel(method management.SearchMethod) model.SearchMethod {
+	switch method {
+	case management.SearchMethod_SEARCHMETHOD_EQUALS:
+		return model.SearchMethodEquals
+	case management.SearchMethod_SEARCHMETHOD_CONTAINS:
+		return model.SearchMethodContains
+	case management.SearchMethod_SEARCHMETHOD_STARTS_WITH:
+		return model.SearchMethodStartsWith
+	case management.SearchMethod_SEARCHMETHOD_EQUALS_IGNORE_CASE:
+		return model.SearchMethodEqualsIgnoreCase
+	case management.SearchMethod_SEARCHMETHOD_CONTAINS_IGNORE_CASE:
+		return model.SearchMethodContainsIgnoreCase
+	case management.SearchMethod_SEARCHMETHOD_STARTS_WITH_IGNORE_CASE:
+		return model.SearchMethodStartsWithIgnoreCase
+	case management.SearchMethod_SEARCHMETHOD_NOT_EQUALS:
+		return model.SearchMethodNotEquals
+	case management.SearchMethod_SEARCHMETHOD_IS_ONE_OF:
+		return model.SearchMethodIsOneOf
+	case management.SearchMethod_SEARCHMETHOD_LIST_CONTAINS:
+		return model.SearchMethodListContains
+	default:
+		return model.SearchMethodEquals
+	}
+}

internal/api/grpc/management/server.go

@@ -0,0 +1,69 @@
+package management
+
+import (
+	"google.golang.org/grpc"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/api/grpc/server"
+	"github.com/caos/zitadel/internal/config/systemdefaults"
+	"github.com/caos/zitadel/internal/management/repository"
+	"github.com/caos/zitadel/internal/management/repository/eventsourcing"
+	"github.com/caos/zitadel/pkg/grpc/management"
+)
+
+const (
+	mgmtName = "Management-API"
+)
+
+var _ management.ManagementServiceServer = (*Server)(nil)
+
+type Server struct {
+	project        repository.ProjectRepository
+	policy         repository.PolicyRepository
+	org            repository.OrgRepository
+	user           repository.UserRepository
+	usergrant      repository.UserGrantRepository
+	iam            repository.IamRepository
+	authZ          authz.Config
+	systemDefaults systemdefaults.SystemDefaults
+}
+
+type Config struct {
+	Repository eventsourcing.Config
+}
+
+func CreateServer(repo repository.Repository, sd systemdefaults.SystemDefaults) *Server {
+	return &Server{
+		project:        repo,
+		policy:         repo,
+		org:            repo,
+		user:           repo,
+		usergrant:      repo,
+		iam:            repo,
+		systemDefaults: sd,
+	}
+}
+
+func (s *Server) RegisterServer(grpcServer *grpc.Server) {
+	management.RegisterManagementServiceServer(grpcServer, s)
+}
+
+func (s *Server) AppName() string {
+	return mgmtName
+}
+
+func (s *Server) MethodPrefix() string {
+	return management.ManagementService_MethodPrefix
+}
+
+func (s *Server) AuthMethods() authz.MethodMapping {
+	return management.ManagementService_AuthMethods
+}
+
+func (s *Server) RegisterGateway() server.GatewayFunc {
+	return management.RegisterManagementServiceHandlerFromEndpoint
+}
+
+func (s *Server) GatewayPathPrefix() string {
+	return "/mgmt/v1"
+}

internal/api/grpc/management/user.go

@@ -1,15 +1,17 @@
-package grpc
+package management
 
 import (
 	"context"
 
-	"github.com/caos/zitadel/internal/api"
-	grpc_util "github.com/caos/zitadel/internal/api/grpc"
-	"github.com/caos/zitadel/internal/errors"
 	"github.com/golang/protobuf/ptypes/empty"
+
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/http"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) GetUserByID(ctx context.Context, id *UserID) (*UserView, error) {
+func (s *Server) GetUserByID(ctx context.Context, id *management.UserID) (*management.UserView, error) {
 	user, err := s.user.UserByID(ctx, id.Id)
 	if err != nil {
 		return nil, err
@@ -17,7 +19,7 @@ func (s *Server) GetUserByID(ctx context.Context, id *UserID) (*UserView, error)
 	return userViewFromModel(user), nil
 }
 
-func (s *Server) GetUserByEmailGlobal(ctx context.Context, email *Email) (*UserView, error) {
+func (s *Server) GetUserByEmailGlobal(ctx context.Context, email *management.Email) (*management.UserView, error) {
 	user, err := s.user.GetGlobalUserByEmail(ctx, email.Email)
 	if err != nil {
 		return nil, err
@@ -25,9 +27,9 @@ func (s *Server) GetUserByEmailGlobal(ctx context.Context, email *Email) (*UserV
 	return userViewFromModel(user), nil
 }
 
-func (s *Server) SearchUsers(ctx context.Context, in *UserSearchRequest) (*UserSearchResponse, error) {
+func (s *Server) SearchUsers(ctx context.Context, in *management.UserSearchRequest) (*management.UserSearchResponse, error) {
 	request := userSearchRequestsToModel(in)
-	orgID := grpc_util.GetHeader(ctx, api.ZitadelOrgID)
+	orgID := grpc_util.GetHeader(ctx, http.ZitadelOrgID)
 	request.AppendMyOrgQuery(orgID)
 	response, err := s.user.SearchUsers(ctx, request)
 	if err != nil {
@@ -36,7 +38,7 @@ func (s *Server) SearchUsers(ctx context.Context, in *UserSearchRequest) (*UserS
 	return userSearchResponseFromModel(response), nil
 }
 
-func (s *Server) UserChanges(ctx context.Context, changesRequest *ChangeRequest) (*Changes, error) {
+func (s *Server) UserChanges(ctx context.Context, changesRequest *management.ChangeRequest) (*management.Changes, error) {
 	response, err := s.user.UserChanges(ctx, changesRequest.Id, changesRequest.SequenceOffset, changesRequest.Limit, changesRequest.Asc)
 	if err != nil {
 		return nil, err
@@ -44,15 +46,15 @@ func (s *Server) UserChanges(ctx context.Context, changesRequest *ChangeRequest)
 	return userChangesToResponse(response, changesRequest.GetSequenceOffset(), changesRequest.GetLimit()), nil
 }
 
-func (s *Server) IsUserUnique(ctx context.Context, request *UniqueUserRequest) (*UniqueUserResponse, error) {
+func (s *Server) IsUserUnique(ctx context.Context, request *management.UniqueUserRequest) (*management.UniqueUserResponse, error) {
 	unique, err := s.user.IsUserUnique(ctx, request.UserName, request.Email)
 	if err != nil {
 		return nil, err
 	}
-	return &UniqueUserResponse{IsUnique: unique}, nil
+	return &management.UniqueUserResponse{IsUnique: unique}, nil
 }
 
-func (s *Server) CreateUser(ctx context.Context, in *CreateUserRequest) (*User, error) {
+func (s *Server) CreateUser(ctx context.Context, in *management.CreateUserRequest) (*management.User, error) {
 	user, err := s.user.CreateUser(ctx, userCreateToModel(in))
 	if err != nil {
 		return nil, err
@@ -60,7 +62,7 @@ func (s *Server) CreateUser(ctx context.Context, in *CreateUserRequest) (*User,
 	return userFromModel(user), nil
 }
 
-func (s *Server) DeactivateUser(ctx context.Context, in *UserID) (*User, error) {
+func (s *Server) DeactivateUser(ctx context.Context, in *management.UserID) (*management.User, error) {
 	user, err := s.user.DeactivateUser(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -68,7 +70,7 @@ func (s *Server) DeactivateUser(ctx context.Context, in *UserID) (*User, error)
 	return userFromModel(user), nil
 }
 
-func (s *Server) ReactivateUser(ctx context.Context, in *UserID) (*User, error) {
+func (s *Server) ReactivateUser(ctx context.Context, in *management.UserID) (*management.User, error) {
 	user, err := s.user.ReactivateUser(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -76,7 +78,7 @@ func (s *Server) ReactivateUser(ctx context.Context, in *UserID) (*User, error)
 	return userFromModel(user), nil
 }
 
-func (s *Server) LockUser(ctx context.Context, in *UserID) (*User, error) {
+func (s *Server) LockUser(ctx context.Context, in *management.UserID) (*management.User, error) {
 	user, err := s.user.LockUser(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -84,7 +86,7 @@ func (s *Server) LockUser(ctx context.Context, in *UserID) (*User, error) {
 	return userFromModel(user), nil
 }
 
-func (s *Server) UnlockUser(ctx context.Context, in *UserID) (*User, error) {
+func (s *Server) UnlockUser(ctx context.Context, in *management.UserID) (*management.User, error) {
 	user, err := s.user.UnlockUser(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -92,11 +94,11 @@ func (s *Server) UnlockUser(ctx context.Context, in *UserID) (*User, error) {
 	return userFromModel(user), nil
 }
 
-func (s *Server) DeleteUser(ctx context.Context, in *UserID) (*empty.Empty, error) {
+func (s *Server) DeleteUser(ctx context.Context, in *management.UserID) (*empty.Empty, error) {
 	return nil, errors.ThrowUnimplemented(nil, "GRPC-as4fg", "Not implemented")
 }
 
-func (s *Server) GetUserProfile(ctx context.Context, in *UserID) (*UserProfileView, error) {
+func (s *Server) GetUserProfile(ctx context.Context, in *management.UserID) (*management.UserProfileView, error) {
 	profile, err := s.user.ProfileByID(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -104,7 +106,7 @@ func (s *Server) GetUserProfile(ctx context.Context, in *UserID) (*UserProfileVi
 	return profileViewFromModel(profile), nil
 }
 
-func (s *Server) UpdateUserProfile(ctx context.Context, request *UpdateUserProfileRequest) (*UserProfile, error) {
+func (s *Server) UpdateUserProfile(ctx context.Context, request *management.UpdateUserProfileRequest) (*management.UserProfile, error) {
 	profile, err := s.user.ChangeProfile(ctx, updateProfileToModel(request))
 	if err != nil {
 		return nil, err
@@ -112,7 +114,7 @@ func (s *Server) UpdateUserProfile(ctx context.Context, request *UpdateUserProfi
 	return profileFromModel(profile), nil
 }
 
-func (s *Server) GetUserEmail(ctx context.Context, in *UserID) (*UserEmailView, error) {
+func (s *Server) GetUserEmail(ctx context.Context, in *management.UserID) (*management.UserEmailView, error) {
 	email, err := s.user.EmailByID(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -120,7 +122,7 @@ func (s *Server) GetUserEmail(ctx context.Context, in *UserID) (*UserEmailView,
 	return emailViewFromModel(email), nil
 }
 
-func (s *Server) ChangeUserEmail(ctx context.Context, request *UpdateUserEmailRequest) (*UserEmail, error) {
+func (s *Server) ChangeUserEmail(ctx context.Context, request *management.UpdateUserEmailRequest) (*management.UserEmail, error) {
 	email, err := s.user.ChangeEmail(ctx, updateEmailToModel(request))
 	if err != nil {
 		return nil, err
@@ -128,12 +130,12 @@ func (s *Server) ChangeUserEmail(ctx context.Context, request *UpdateUserEmailRe
 	return emailFromModel(email), nil
 }
 
-func (s *Server) ResendEmailVerificationMail(ctx context.Context, in *UserID) (*empty.Empty, error) {
+func (s *Server) ResendEmailVerificationMail(ctx context.Context, in *management.UserID) (*empty.Empty, error) {
 	err := s.user.CreateEmailVerificationCode(ctx, in.Id)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) GetUserPhone(ctx context.Context, in *UserID) (*UserPhoneView, error) {
+func (s *Server) GetUserPhone(ctx context.Context, in *management.UserID) (*management.UserPhoneView, error) {
 	phone, err := s.user.PhoneByID(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -141,7 +143,7 @@ func (s *Server) GetUserPhone(ctx context.Context, in *UserID) (*UserPhoneView,
 	return phoneViewFromModel(phone), nil
 }
 
-func (s *Server) ChangeUserPhone(ctx context.Context, request *UpdateUserPhoneRequest) (*UserPhone, error) {
+func (s *Server) ChangeUserPhone(ctx context.Context, request *management.UpdateUserPhoneRequest) (*management.UserPhone, error) {
 	phone, err := s.user.ChangePhone(ctx, updatePhoneToModel(request))
 	if err != nil {
 		return nil, err
@@ -149,16 +151,17 @@ func (s *Server) ChangeUserPhone(ctx context.Context, request *UpdateUserPhoneRe
 	return phoneFromModel(phone), nil
 }
 
-func (s *Server) RemoveUserPhone(ctx context.Context, userID *UserID) (*empty.Empty, error) {
+func (s *Server) RemoveUserPhone(ctx context.Context, userID *management.UserID) (*empty.Empty, error) {
 	err := s.user.RemovePhone(ctx, userID.Id)
 	return &empty.Empty{}, err
 }
-func (s *Server) ResendPhoneVerificationCode(ctx context.Context, in *UserID) (*empty.Empty, error) {
+
+func (s *Server) ResendPhoneVerificationCode(ctx context.Context, in *management.UserID) (*empty.Empty, error) {
 	err := s.user.CreatePhoneVerificationCode(ctx, in.Id)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) GetUserAddress(ctx context.Context, in *UserID) (*UserAddressView, error) {
+func (s *Server) GetUserAddress(ctx context.Context, in *management.UserID) (*management.UserAddressView, error) {
 	address, err := s.user.AddressByID(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -166,7 +169,7 @@ func (s *Server) GetUserAddress(ctx context.Context, in *UserID) (*UserAddressVi
 	return addressViewFromModel(address), nil
 }
 
-func (s *Server) UpdateUserAddress(ctx context.Context, request *UpdateUserAddressRequest) (*UserAddress, error) {
+func (s *Server) UpdateUserAddress(ctx context.Context, request *management.UpdateUserAddressRequest) (*management.UserAddress, error) {
 	address, err := s.user.ChangeAddress(ctx, updateAddressToModel(request))
 	if err != nil {
 		return nil, err
@@ -174,20 +177,20 @@ func (s *Server) UpdateUserAddress(ctx context.Context, request *UpdateUserAddre
 	return addressFromModel(address), nil
 }
 
-func (s *Server) SendSetPasswordNotification(ctx context.Context, request *SetPasswordNotificationRequest) (*empty.Empty, error) {
+func (s *Server) SendSetPasswordNotification(ctx context.Context, request *management.SetPasswordNotificationRequest) (*empty.Empty, error) {
 	err := s.user.RequestSetPassword(ctx, request.Id, notifyTypeToModel(request.Type))
 	return &empty.Empty{}, err
 }
 
-func (s *Server) SetInitialPassword(ctx context.Context, request *PasswordRequest) (*empty.Empty, error) {
+func (s *Server) SetInitialPassword(ctx context.Context, request *management.PasswordRequest) (*empty.Empty, error) {
 	_, err := s.user.SetOneTimePassword(ctx, passwordRequestToModel(request))
 	return &empty.Empty{}, err
 }
 
-func (s *Server) GetUserMfas(ctx context.Context, userID *UserID) (*MultiFactors, error) {
+func (s *Server) GetUserMfas(ctx context.Context, userID *management.UserID) (*management.MultiFactors, error) {
 	mfas, err := s.user.UserMfas(ctx, userID.Id)
 	if err != nil {
 		return nil, err
 	}
-	return &MultiFactors{Mfas: mfasFromModel(mfas)}, nil
+	return &management.MultiFactors{Mfas: mfasFromModel(mfas)}, nil
 }

internal/api/grpc/management/user_converter.go

@@ -1,27 +1,28 @@
-package grpc
+package management
 
 import (
 	"encoding/json"
 
 	"github.com/caos/logging"
-	"github.com/caos/zitadel/internal/eventstore/models"
-	usr_model "github.com/caos/zitadel/internal/user/model"
-	"github.com/caos/zitadel/pkg/message"
-
 	"github.com/golang/protobuf/ptypes"
 	"golang.org/x/text/language"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/caos/zitadel/internal/eventstore/models"
+	usr_model "github.com/caos/zitadel/internal/user/model"
+	"github.com/caos/zitadel/pkg/grpc/management"
+	"github.com/caos/zitadel/pkg/grpc/message"
 )
 
-func userFromModel(user *usr_model.User) *User {
+func userFromModel(user *usr_model.User) *management.User {
 	creationDate, err := ptypes.TimestampProto(user.CreationDate)
 	logging.Log("GRPC-8duwe").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(user.ChangeDate)
 	logging.Log("GRPC-ckoe3d").OnError(err).Debug("unable to parse timestamp")
 
-	converted := &User{
+	converted := &management.User{
 		Id:                user.AggregateID,
 		State:             userStateFromModel(user.State),
 		CreationDate:      creationDate,
@@ -53,7 +54,7 @@ func userFromModel(user *usr_model.User) *User {
 	return converted
 }
 
-func userCreateToModel(u *CreateUserRequest) *usr_model.User {
+func userCreateToModel(u *management.CreateUserRequest) *usr_model.User {
 	preferredLanguage, err := language.Parse(u.PreferredLanguage)
 	logging.Log("GRPC-cK5k2").OnError(err).Debug("language malformed")
 
@@ -87,14 +88,14 @@ func userCreateToModel(u *CreateUserRequest) *usr_model.User {
 	return user
 }
 
-func passwordRequestToModel(r *PasswordRequest) *usr_model.Password {
+func passwordRequestToModel(r *management.PasswordRequest) *usr_model.Password {
 	return &usr_model.Password{
 		ObjectRoot:   models.ObjectRoot{AggregateID: r.Id},
 		SecretString: r.Password,
 	}
 }
 
-func userSearchRequestsToModel(project *UserSearchRequest) *usr_model.UserSearchRequest {
+func userSearchRequestsToModel(project *management.UserSearchRequest) *usr_model.UserSearchRequest {
 	return &usr_model.UserSearchRequest{
 		Offset:  project.Offset,
 		Limit:   project.Limit,
@@ -102,7 +103,7 @@ func userSearchRequestsToModel(project *UserSearchRequest) *usr_model.UserSearch
 	}
 }
 
-func userSearchQueriesToModel(queries []*UserSearchQuery) []*usr_model.UserSearchQuery {
+func userSearchQueriesToModel(queries []*management.UserSearchQuery) []*usr_model.UserSearchQuery {
 	converted := make([]*usr_model.UserSearchQuery, len(queries))
 	for i, q := range queries {
 		converted[i] = userSearchQueryToModel(q)
@@ -110,7 +111,7 @@ func userSearchQueriesToModel(queries []*UserSearchQuery) []*usr_model.UserSearc
 	return converted
 }
 
-func userSearchQueryToModel(query *UserSearchQuery) *usr_model.UserSearchQuery {
+func userSearchQueryToModel(query *management.UserSearchQuery) *usr_model.UserSearchQuery {
 	return &usr_model.UserSearchQuery{
 		Key:    userSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -118,35 +119,35 @@ func userSearchQueryToModel(query *UserSearchQuery) *usr_model.UserSearchQuery {
 	}
 }
 
-func userSearchKeyToModel(key UserSearchKey) usr_model.UserSearchKey {
+func userSearchKeyToModel(key management.UserSearchKey) usr_model.UserSearchKey {
 	switch key {
-	case UserSearchKey_USERSEARCHKEY_USER_NAME:
+	case management.UserSearchKey_USERSEARCHKEY_USER_NAME:
 		return usr_model.UserSearchKeyUserName
-	case UserSearchKey_USERSEARCHKEY_FIRST_NAME:
+	case management.UserSearchKey_USERSEARCHKEY_FIRST_NAME:
 		return usr_model.UserSearchKeyFirstName
-	case UserSearchKey_USERSEARCHKEY_LAST_NAME:
+	case management.UserSearchKey_USERSEARCHKEY_LAST_NAME:
 		return usr_model.UserSearchKeyLastName
-	case UserSearchKey_USERSEARCHKEY_NICK_NAME:
+	case management.UserSearchKey_USERSEARCHKEY_NICK_NAME:
 		return usr_model.UserSearchKeyNickName
-	case UserSearchKey_USERSEARCHKEY_DISPLAY_NAME:
+	case management.UserSearchKey_USERSEARCHKEY_DISPLAY_NAME:
 		return usr_model.UserSearchKeyDisplayName
-	case UserSearchKey_USERSEARCHKEY_EMAIL:
+	case management.UserSearchKey_USERSEARCHKEY_EMAIL:
 		return usr_model.UserSearchKeyEmail
-	case UserSearchKey_USERSEARCHKEY_STATE:
+	case management.UserSearchKey_USERSEARCHKEY_STATE:
 		return usr_model.UserSearchKeyState
 	default:
 		return usr_model.UserSearchKeyUnspecified
 	}
 }
 
-func profileFromModel(profile *usr_model.Profile) *UserProfile {
+func profileFromModel(profile *usr_model.Profile) *management.UserProfile {
 	creationDate, err := ptypes.TimestampProto(profile.CreationDate)
 	logging.Log("GRPC-dkso3").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(profile.ChangeDate)
 	logging.Log("GRPC-ski8d").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserProfile{
+	return &management.UserProfile{
 		Id:                profile.AggregateID,
 		CreationDate:      creationDate,
 		ChangeDate:        changeDate,
@@ -161,14 +162,14 @@ func profileFromModel(profile *usr_model.Profile) *UserProfile {
 	}
 }
 
-func profileViewFromModel(profile *usr_model.Profile) *UserProfileView {
+func profileViewFromModel(profile *usr_model.Profile) *management.UserProfileView {
 	creationDate, err := ptypes.TimestampProto(profile.CreationDate)
 	logging.Log("GRPC-sk8sk").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(profile.ChangeDate)
 	logging.Log("GRPC-s30Ks'").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserProfileView{
+	return &management.UserProfileView{
 		Id:                 profile.AggregateID,
 		CreationDate:       creationDate,
 		ChangeDate:         changeDate,
@@ -185,7 +186,7 @@ func profileViewFromModel(profile *usr_model.Profile) *UserProfileView {
 	}
 }
 
-func updateProfileToModel(u *UpdateUserProfileRequest) *usr_model.Profile {
+func updateProfileToModel(u *management.UpdateUserProfileRequest) *usr_model.Profile {
 	preferredLanguage, err := language.Parse(u.PreferredLanguage)
 	logging.Log("GRPC-d8k2s").OnError(err).Debug("language malformed")
 
@@ -199,14 +200,14 @@ func updateProfileToModel(u *UpdateUserProfileRequest) *usr_model.Profile {
 	}
 }
 
-func emailFromModel(email *usr_model.Email) *UserEmail {
+func emailFromModel(email *usr_model.Email) *management.UserEmail {
 	creationDate, err := ptypes.TimestampProto(email.CreationDate)
 	logging.Log("GRPC-d9ow2").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(email.ChangeDate)
 	logging.Log("GRPC-s0dkw").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserEmail{
+	return &management.UserEmail{
 		Id:              email.AggregateID,
 		CreationDate:    creationDate,
 		ChangeDate:      changeDate,
@@ -216,14 +217,14 @@ func emailFromModel(email *usr_model.Email) *UserEmail {
 	}
 }
 
-func emailViewFromModel(email *usr_model.Email) *UserEmailView {
+func emailViewFromModel(email *usr_model.Email) *management.UserEmailView {
 	creationDate, err := ptypes.TimestampProto(email.CreationDate)
 	logging.Log("GRPC-sKefs").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(email.ChangeDate)
 	logging.Log("GRPC-0isjD").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserEmailView{
+	return &management.UserEmailView{
 		Id:              email.AggregateID,
 		CreationDate:    creationDate,
 		ChangeDate:      changeDate,
@@ -233,7 +234,7 @@ func emailViewFromModel(email *usr_model.Email) *UserEmailView {
 	}
 }
 
-func updateEmailToModel(e *UpdateUserEmailRequest) *usr_model.Email {
+func updateEmailToModel(e *management.UpdateUserEmailRequest) *usr_model.Email {
 	return &usr_model.Email{
 		ObjectRoot:      models.ObjectRoot{AggregateID: e.Id},
 		EmailAddress:    e.Email,
@@ -241,14 +242,14 @@ func updateEmailToModel(e *UpdateUserEmailRequest) *usr_model.Email {
 	}
 }
 
-func phoneFromModel(phone *usr_model.Phone) *UserPhone {
+func phoneFromModel(phone *usr_model.Phone) *management.UserPhone {
 	creationDate, err := ptypes.TimestampProto(phone.CreationDate)
 	logging.Log("GRPC-ps9ws").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(phone.ChangeDate)
 	logging.Log("GRPC-09ewq").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserPhone{
+	return &management.UserPhone{
 		Id:              phone.AggregateID,
 		CreationDate:    creationDate,
 		ChangeDate:      changeDate,
@@ -258,14 +259,14 @@ func phoneFromModel(phone *usr_model.Phone) *UserPhone {
 	}
 }
 
-func phoneViewFromModel(phone *usr_model.Phone) *UserPhoneView {
+func phoneViewFromModel(phone *usr_model.Phone) *management.UserPhoneView {
 	creationDate, err := ptypes.TimestampProto(phone.CreationDate)
 	logging.Log("GRPC-6gSj").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(phone.ChangeDate)
 	logging.Log("GRPC-lKs8f").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserPhoneView{
+	return &management.UserPhoneView{
 		Id:              phone.AggregateID,
 		CreationDate:    creationDate,
 		ChangeDate:      changeDate,
@@ -274,7 +275,7 @@ func phoneViewFromModel(phone *usr_model.Phone) *UserPhoneView {
 		IsPhoneVerified: phone.IsPhoneVerified,
 	}
 }
-func updatePhoneToModel(e *UpdateUserPhoneRequest) *usr_model.Phone {
+func updatePhoneToModel(e *management.UpdateUserPhoneRequest) *usr_model.Phone {
 	return &usr_model.Phone{
 		ObjectRoot:      models.ObjectRoot{AggregateID: e.Id},
 		PhoneNumber:     e.Phone,
@@ -282,14 +283,14 @@ func updatePhoneToModel(e *UpdateUserPhoneRequest) *usr_model.Phone {
 	}
 }
 
-func addressFromModel(address *usr_model.Address) *UserAddress {
+func addressFromModel(address *usr_model.Address) *management.UserAddress {
 	creationDate, err := ptypes.TimestampProto(address.CreationDate)
 	logging.Log("GRPC-ud8w7").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(address.ChangeDate)
 	logging.Log("GRPC-si9ws").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserAddress{
+	return &management.UserAddress{
 		Id:            address.AggregateID,
 		CreationDate:  creationDate,
 		ChangeDate:    changeDate,
@@ -302,14 +303,14 @@ func addressFromModel(address *usr_model.Address) *UserAddress {
 	}
 }
 
-func addressViewFromModel(address *usr_model.Address) *UserAddressView {
+func addressViewFromModel(address *usr_model.Address) *management.UserAddressView {
 	creationDate, err := ptypes.TimestampProto(address.CreationDate)
 	logging.Log("GRPC-67stC").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(address.ChangeDate)
 	logging.Log("GRPC-0jSfs").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserAddressView{
+	return &management.UserAddressView{
 		Id:            address.AggregateID,
 		CreationDate:  creationDate,
 		ChangeDate:    changeDate,
@@ -322,7 +323,7 @@ func addressViewFromModel(address *usr_model.Address) *UserAddressView {
 	}
 }
 
-func updateAddressToModel(address *UpdateUserAddressRequest) *usr_model.Address {
+func updateAddressToModel(address *management.UpdateUserAddressRequest) *usr_model.Address {
 	return &usr_model.Address{
 		ObjectRoot:    models.ObjectRoot{AggregateID: address.Id},
 		Country:       address.Country,
@@ -333,8 +334,8 @@ func updateAddressToModel(address *UpdateUserAddressRequest) *usr_model.Address
 	}
 }
 
-func userSearchResponseFromModel(response *usr_model.UserSearchResponse) *UserSearchResponse {
+func userSearchResponseFromModel(response *usr_model.UserSearchResponse) *management.UserSearchResponse {
-	return &UserSearchResponse{
+	return &management.UserSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -342,15 +343,15 @@ func userSearchResponseFromModel(response *usr_model.UserSearchResponse) *UserSe
 	}
 }
 
-func userViewsFromModel(users []*usr_model.UserView) []*UserView {
+func userViewsFromModel(users []*usr_model.UserView) []*management.UserView {
-	converted := make([]*UserView, len(users))
+	converted := make([]*management.UserView, len(users))
 	for i, user := range users {
 		converted[i] = userViewFromModel(user)
 	}
 	return converted
 }
 
-func userViewFromModel(user *usr_model.UserView) *UserView {
+func userViewFromModel(user *usr_model.UserView) *management.UserView {
 	creationDate, err := ptypes.TimestampProto(user.CreationDate)
 	logging.Log("GRPC-dl9we").OnError(err).Debug("unable to parse timestamp")
 
@@ -363,7 +364,7 @@ func userViewFromModel(user *usr_model.UserView) *UserView {
 	passwordChanged, err := ptypes.TimestampProto(user.PasswordChanged)
 	logging.Log("GRPC-dl9ws").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserView{
+	return &management.UserView{
 		Id:                 user.ID,
 		State:              userStateFromModel(user.State),
 		CreationDate:       creationDate,
@@ -393,107 +394,107 @@ func userViewFromModel(user *usr_model.UserView) *UserView {
 	}
 }
 
-func mfasFromModel(mfas []*usr_model.MultiFactor) []*MultiFactor {
+func mfasFromModel(mfas []*usr_model.MultiFactor) []*management.MultiFactor {
-	converted := make([]*MultiFactor, len(mfas))
+	converted := make([]*management.MultiFactor, len(mfas))
 	for i, mfa := range mfas {
 		converted[i] = mfaFromModel(mfa)
 	}
 	return converted
 }
 
-func mfaFromModel(mfa *usr_model.MultiFactor) *MultiFactor {
+func mfaFromModel(mfa *usr_model.MultiFactor) *management.MultiFactor {
-	return &MultiFactor{
+	return &management.MultiFactor{
 		State: mfaStateFromModel(mfa.State),
 		Type:  mfaTypeFromModel(mfa.Type),
 	}
 }
 
-func notifyTypeToModel(state NotificationType) usr_model.NotificationType {
+func notifyTypeToModel(state management.NotificationType) usr_model.NotificationType {
 	switch state {
-	case NotificationType_NOTIFICATIONTYPE_EMAIL:
+	case management.NotificationType_NOTIFICATIONTYPE_EMAIL:
 		return usr_model.NotificationTypeEmail
-	case NotificationType_NOTIFICATIONTYPE_SMS:
+	case management.NotificationType_NOTIFICATIONTYPE_SMS:
 		return usr_model.NotificationTypeSms
 	default:
 		return usr_model.NotificationTypeEmail
 	}
 }
 
-func userStateFromModel(state usr_model.UserState) UserState {
+func userStateFromModel(state usr_model.UserState) management.UserState {
 	switch state {
 	case usr_model.UserStateActive:
-		return UserState_USERSTATE_ACTIVE
+		return management.UserState_USERSTATE_ACTIVE
 	case usr_model.UserStateInactive:
-		return UserState_USERSTATE_INACTIVE
+		return management.UserState_USERSTATE_INACTIVE
 	case usr_model.UserStateLocked:
-		return UserState_USERSTATE_LOCKED
+		return management.UserState_USERSTATE_LOCKED
 	case usr_model.UserStateInitial:
-		return UserState_USERSTATE_INITIAL
+		return management.UserState_USERSTATE_INITIAL
 	case usr_model.UserStateSuspend:
-		return UserState_USERSTATE_SUSPEND
+		return management.UserState_USERSTATE_SUSPEND
 	default:
-		return UserState_USERSTATE_UNSPECIFIED
+		return management.UserState_USERSTATE_UNSPECIFIED
 	}
 }
 
-func genderFromModel(gender usr_model.Gender) Gender {
+func genderFromModel(gender usr_model.Gender) management.Gender {
 	switch gender {
 	case usr_model.GenderFemale:
-		return Gender_GENDER_FEMALE
+		return management.Gender_GENDER_FEMALE
 	case usr_model.GenderMale:
-		return Gender_GENDER_MALE
+		return management.Gender_GENDER_MALE
 	case usr_model.GenderDiverse:
-		return Gender_GENDER_DIVERSE
+		return management.Gender_GENDER_DIVERSE
 	default:
-		return Gender_GENDER_UNSPECIFIED
+		return management.Gender_GENDER_UNSPECIFIED
 	}
 }
 
-func genderToModel(gender Gender) usr_model.Gender {
+func genderToModel(gender management.Gender) usr_model.Gender {
 	switch gender {
-	case Gender_GENDER_FEMALE:
+	case management.Gender_GENDER_FEMALE:
 		return usr_model.GenderFemale
-	case Gender_GENDER_MALE:
+	case management.Gender_GENDER_MALE:
 		return usr_model.GenderMale
-	case Gender_GENDER_DIVERSE:
+	case management.Gender_GENDER_DIVERSE:
 		return usr_model.GenderDiverse
 	default:
 		return usr_model.GenderUnspecified
 	}
 }
 
-func mfaTypeFromModel(mfatype usr_model.MfaType) MfaType {
+func mfaTypeFromModel(mfatype usr_model.MfaType) management.MfaType {
 	switch mfatype {
 	case usr_model.MfaTypeOTP:
-		return MfaType_MFATYPE_OTP
+		return management.MfaType_MFATYPE_OTP
 	case usr_model.MfaTypeSMS:
-		return MfaType_MFATYPE_SMS
+		return management.MfaType_MFATYPE_SMS
 	default:
-		return MfaType_MFATYPE_UNSPECIFIED
+		return management.MfaType_MFATYPE_UNSPECIFIED
 	}
 }
 
-func mfaStateFromModel(state usr_model.MfaState) MFAState {
+func mfaStateFromModel(state usr_model.MfaState) management.MFAState {
 	switch state {
 	case usr_model.MfaStateReady:
-		return MFAState_MFASTATE_READY
+		return management.MFAState_MFASTATE_READY
 	case usr_model.MfaStateNotReady:
-		return MFAState_MFASTATE_NOT_READY
+		return management.MFAState_MFASTATE_NOT_READY
 	default:
-		return MFAState_MFASTATE_UNSPECIFIED
+		return management.MFAState_MFASTATE_UNSPECIFIED
 	}
 }
 
-func userChangesToResponse(response *usr_model.UserChanges, offset uint64, limit uint64) (_ *Changes) {
+func userChangesToResponse(response *usr_model.UserChanges, offset uint64, limit uint64) (_ *management.Changes) {
-	return &Changes{
+	return &management.Changes{
 		Limit:   limit,
 		Offset:  offset,
 		Changes: userChangesToMgtAPI(response),
 	}
 }
 
-func userChangesToMgtAPI(changes *usr_model.UserChanges) (_ []*Change) {
+func userChangesToMgtAPI(changes *usr_model.UserChanges) (_ []*management.Change) {
-	result := make([]*Change, len(changes.Changes))
+	result := make([]*management.Change, len(changes.Changes))
 
 	for i, change := range changes.Changes {
 		var data *structpb.Struct
@@ -504,7 +505,7 @@ func userChangesToMgtAPI(changes *usr_model.UserChanges) (_ []*Change) {
 			logging.Log("GRPC-a7F54").OnError(err).Debug("unable to marshal changed data to struct")
 		}
 
-		result[i] = &Change{
+		result[i] = &management.Change{
 			ChangeDate: change.ChangeDate,
 			EventType:  message.NewLocalizedEventType(change.EventType),
 			Sequence:   change.Sequence,

internal/api/grpc/management/user_grant.go

@@ -1,14 +1,17 @@
-package grpc
+package management
 
 import (
 	"context"
-	"github.com/caos/zitadel/internal/api/auth"
+
 	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func (s *Server) SearchUserGrants(ctx context.Context, in *UserGrantSearchRequest) (*UserGrantSearchResponse, error) {
+func (s *Server) SearchUserGrants(ctx context.Context, in *management.UserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
 	request := userGrantSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(auth.GetCtxData(ctx).OrgID)
+	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
 	response, err := s.usergrant.SearchUserGrants(ctx, request)
 	if err != nil {
 		return nil, err
@@ -16,7 +19,7 @@ func (s *Server) SearchUserGrants(ctx context.Context, in *UserGrantSearchReques
 	return userGrantSearchResponseFromModel(response), nil
 }
 
-func (s *Server) UserGrantByID(ctx context.Context, request *UserGrantID) (*UserGrantView, error) {
+func (s *Server) UserGrantByID(ctx context.Context, request *management.UserGrantID) (*management.UserGrantView, error) {
 	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
 	if err != nil {
 		return nil, err
@@ -24,7 +27,7 @@ func (s *Server) UserGrantByID(ctx context.Context, request *UserGrantID) (*User
 	return userGrantViewFromModel(user), nil
 }
 
-func (s *Server) CreateUserGrant(ctx context.Context, in *UserGrantCreate) (*UserGrant, error) {
+func (s *Server) CreateUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
 	user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
 	if err != nil {
 		return nil, err
@@ -32,21 +35,21 @@ func (s *Server) CreateUserGrant(ctx context.Context, in *UserGrantCreate) (*Use
 	return usergrantFromModel(user), nil
 }
 
-func (s *Server) UpdateUserGrant(ctx context.Context, in *UserGrantUpdate) (*UserGrant, error) {
+func (s *Server) UpdateUserGrant(ctx context.Context, in *management.UserGrantUpdate) (*management.UserGrant, error) {
 	user, err := s.usergrant.ChangeUserGrant(ctx, userGrantUpdateToModel(in))
 	if err != nil {
 		return nil, err
 	}
 	return usergrantFromModel(user), nil
 }
-func (s *Server) DeactivateUserGrant(ctx context.Context, in *UserGrantID) (*UserGrant, error) {
+func (s *Server) DeactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*management.UserGrant, error) {
 	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
 	if err != nil {
 		return nil, err
 	}
 	return usergrantFromModel(user), nil
 }
-func (s *Server) ReactivateUserGrant(ctx context.Context, in *UserGrantID) (*UserGrant, error) {
+func (s *Server) ReactivateUserGrant(ctx context.Context, in *management.UserGrantID) (*management.UserGrant, error) {
 	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -54,29 +57,29 @@ func (s *Server) ReactivateUserGrant(ctx context.Context, in *UserGrantID) (*Use
 	return usergrantFromModel(user), nil
 }
 
-func (s *Server) RemoveUserGrant(ctx context.Context, in *UserGrantID) (*empty.Empty, error) {
+func (s *Server) RemoveUserGrant(ctx context.Context, in *management.UserGrantID) (*empty.Empty, error) {
 	err := s.usergrant.RemoveUserGrant(ctx, in.Id)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) BulkCreateUserGrant(ctx context.Context, in *UserGrantCreateBulk) (*empty.Empty, error) {
+func (s *Server) BulkCreateUserGrant(ctx context.Context, in *management.UserGrantCreateBulk) (*empty.Empty, error) {
 	err := s.usergrant.BulkAddUserGrant(ctx, userGrantCreateBulkToModel(in)...)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) BulkUpdateUserGrant(ctx context.Context, in *UserGrantUpdateBulk) (*empty.Empty, error) {
+func (s *Server) BulkUpdateUserGrant(ctx context.Context, in *management.UserGrantUpdateBulk) (*empty.Empty, error) {
 	err := s.usergrant.BulkChangeUserGrant(ctx, userGrantUpdateBulkToModel(in)...)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) BulkRemoveUserGrant(ctx context.Context, in *UserGrantRemoveBulk) (*empty.Empty, error) {
+func (s *Server) BulkRemoveUserGrant(ctx context.Context, in *management.UserGrantRemoveBulk) (*empty.Empty, error) {
 	err := s.usergrant.BulkRemoveUserGrant(ctx, userGrantRemoveBulkToModel(in)...)
 	return &empty.Empty{}, err
 }
 
-func (s *Server) SearchProjectUserGrants(ctx context.Context, in *ProjectUserGrantSearchRequest) (*UserGrantSearchResponse, error) {
+func (s *Server) SearchProjectUserGrants(ctx context.Context, in *management.ProjectUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
 	request := projectUserGrantSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(auth.GetCtxData(ctx).OrgID)
+	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
 	request.AppendProjectIDQuery(in.ProjectId)
 	response, err := s.usergrant.SearchUserGrants(ctx, request)
 	if err != nil {
@@ -85,7 +88,7 @@ func (s *Server) SearchProjectUserGrants(ctx context.Context, in *ProjectUserGra
 	return userGrantSearchResponseFromModel(response), nil
 }
 
-func (s *Server) ProjectUserGrantByID(ctx context.Context, request *ProjectUserGrantID) (*UserGrantView, error) {
+func (s *Server) ProjectUserGrantByID(ctx context.Context, request *management.ProjectUserGrantID) (*management.UserGrantView, error) {
 	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
 	if err != nil {
 		return nil, err
@@ -93,14 +96,14 @@ func (s *Server) ProjectUserGrantByID(ctx context.Context, request *ProjectUserG
 	return userGrantViewFromModel(user), nil
 }
 
-func (s *Server) CreateProjectUserGrant(ctx context.Context, in *UserGrantCreate) (*UserGrant, error) {
+func (s *Server) CreateProjectUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
 	user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
 	if err != nil {
 		return nil, err
 	}
 	return usergrantFromModel(user), nil
 }
-func (s *Server) UpdateProjectUserGrant(ctx context.Context, in *ProjectUserGrantUpdate) (*UserGrant, error) {
+func (s *Server) UpdateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantUpdate) (*management.UserGrant, error) {
 	user, err := s.usergrant.ChangeUserGrant(ctx, projectUserGrantUpdateToModel(in))
 	if err != nil {
 		return nil, err
@@ -108,7 +111,7 @@ func (s *Server) UpdateProjectUserGrant(ctx context.Context, in *ProjectUserGran
 	return usergrantFromModel(user), nil
 }
 
-func (s *Server) DeactivateProjectUserGrant(ctx context.Context, in *ProjectUserGrantID) (*UserGrant, error) {
+func (s *Server) DeactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
 	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -116,7 +119,7 @@ func (s *Server) DeactivateProjectUserGrant(ctx context.Context, in *ProjectUser
 	return usergrantFromModel(user), nil
 }
 
-func (s *Server) ReactivateProjectUserGrant(ctx context.Context, in *ProjectUserGrantID) (*UserGrant, error) {
+func (s *Server) ReactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
 	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -124,13 +127,13 @@ func (s *Server) ReactivateProjectUserGrant(ctx context.Context, in *ProjectUser
 	return usergrantFromModel(user), nil
 }
 
-func (s *Server) SearchProjectGrantUserGrants(ctx context.Context, in *ProjectGrantUserGrantSearchRequest) (*UserGrantSearchResponse, error) {
+func (s *Server) SearchProjectGrantUserGrants(ctx context.Context, in *management.ProjectGrantUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
 	grant, err := s.project.ProjectGrantByID(ctx, in.ProjectGrantId)
 	if err != nil {
 		return nil, err
 	}
 	request := projectGrantUserGrantSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(auth.GetCtxData(ctx).OrgID)
+	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
 	request.AppendProjectIDQuery(grant.ProjectID)
 	response, err := s.usergrant.SearchUserGrants(ctx, request)
 	if err != nil {
@@ -139,7 +142,7 @@ func (s *Server) SearchProjectGrantUserGrants(ctx context.Context, in *ProjectGr
 	return userGrantSearchResponseFromModel(response), nil
 }
 
-func (s *Server) ProjectGrantUserGrantByID(ctx context.Context, request *ProjectGrantUserGrantID) (*UserGrantView, error) {
+func (s *Server) ProjectGrantUserGrantByID(ctx context.Context, request *management.ProjectGrantUserGrantID) (*management.UserGrantView, error) {
 	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
 	if err != nil {
 		return nil, err
@@ -147,14 +150,14 @@ func (s *Server) ProjectGrantUserGrantByID(ctx context.Context, request *Project
 	return userGrantViewFromModel(user), nil
 }
 
-func (s *Server) CreateProjectGrantUserGrant(ctx context.Context, in *ProjectGrantUserGrantCreate) (*UserGrant, error) {
+func (s *Server) CreateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantCreate) (*management.UserGrant, error) {
 	user, err := s.usergrant.AddUserGrant(ctx, projectGrantUserGrantCreateToModel(in))
 	if err != nil {
 		return nil, err
 	}
 	return usergrantFromModel(user), nil
 }
-func (s *Server) UpdateProjectGrantUserGrant(ctx context.Context, in *ProjectGrantUserGrantUpdate) (*UserGrant, error) {
+func (s *Server) UpdateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantUpdate) (*management.UserGrant, error) {
 	user, err := s.usergrant.ChangeUserGrant(ctx, projectGrantUserGrantUpdateToModel(in))
 	if err != nil {
 		return nil, err
@@ -162,7 +165,7 @@ func (s *Server) UpdateProjectGrantUserGrant(ctx context.Context, in *ProjectGra
 	return usergrantFromModel(user), nil
 }
 
-func (s *Server) DeactivateProjectGrantUserGrant(ctx context.Context, in *ProjectGrantUserGrantID) (*UserGrant, error) {
+func (s *Server) DeactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
 	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
 	if err != nil {
 		return nil, err
@@ -170,7 +173,7 @@ func (s *Server) DeactivateProjectGrantUserGrant(ctx context.Context, in *Projec
 	return usergrantFromModel(user), nil
 }
 
-func (s *Server) ReactivateProjectGrantUserGrant(ctx context.Context, in *ProjectGrantUserGrantID) (*UserGrant, error) {
+func (s *Server) ReactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
 	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
 	if err != nil {
 		return nil, err

internal/api/grpc/management/user_grant_converter.go

@@ -1,20 +1,22 @@
-package grpc
+package management
 
 import (
 	"github.com/caos/logging"
+	"github.com/golang/protobuf/ptypes"
+
 	"github.com/caos/zitadel/internal/eventstore/models"
 	grant_model "github.com/caos/zitadel/internal/usergrant/model"
-	"github.com/golang/protobuf/ptypes"
+	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
-func usergrantFromModel(grant *grant_model.UserGrant) *UserGrant {
+func usergrantFromModel(grant *grant_model.UserGrant) *management.UserGrant {
 	creationDate, err := ptypes.TimestampProto(grant.CreationDate)
 	logging.Log("GRPC-ki9ds").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(grant.ChangeDate)
 	logging.Log("GRPC-sl9ew").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserGrant{
+	return &management.UserGrant{
 		Id:           grant.AggregateID,
 		UserId:       grant.UserID,
 		State:        usergrantStateFromModel(grant.State),
@@ -26,7 +28,7 @@ func usergrantFromModel(grant *grant_model.UserGrant) *UserGrant {
 	}
 }
 
-func userGrantCreateBulkToModel(u *UserGrantCreateBulk) []*grant_model.UserGrant {
+func userGrantCreateBulkToModel(u *management.UserGrantCreateBulk) []*grant_model.UserGrant {
 	grants := make([]*grant_model.UserGrant, len(u.UserGrants))
 	for i, grant := range u.UserGrants {
 		grants[i] = userGrantCreateToModel(grant)
@@ -34,7 +36,7 @@ func userGrantCreateBulkToModel(u *UserGrantCreateBulk) []*grant_model.UserGrant
 	return grants
 }
 
-func userGrantCreateToModel(u *UserGrantCreate) *grant_model.UserGrant {
+func userGrantCreateToModel(u *management.UserGrantCreate) *grant_model.UserGrant {
 	return &grant_model.UserGrant{
 		ObjectRoot: models.ObjectRoot{AggregateID: u.UserId},
 		UserID:     u.UserId,
@@ -43,7 +45,7 @@ func userGrantCreateToModel(u *UserGrantCreate) *grant_model.UserGrant {
 	}
 }
 
-func userGrantUpdateBulkToModel(u *UserGrantUpdateBulk) []*grant_model.UserGrant {
+func userGrantUpdateBulkToModel(u *management.UserGrantUpdateBulk) []*grant_model.UserGrant {
 	grants := make([]*grant_model.UserGrant, len(u.UserGrants))
 	for i, grant := range u.UserGrants {
 		grants[i] = userGrantUpdateToModel(grant)
@@ -51,14 +53,14 @@ func userGrantUpdateBulkToModel(u *UserGrantUpdateBulk) []*grant_model.UserGrant
 	return grants
 }
 
-func userGrantUpdateToModel(u *UserGrantUpdate) *grant_model.UserGrant {
+func userGrantUpdateToModel(u *management.UserGrantUpdate) *grant_model.UserGrant {
 	return &grant_model.UserGrant{
 		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
 		RoleKeys:   u.RoleKeys,
 	}
 }
 
-func userGrantRemoveBulkToModel(u *UserGrantRemoveBulk) []string {
+func userGrantRemoveBulkToModel(u *management.UserGrantRemoveBulk) []string {
 	ids := make([]string, len(u.Ids))
 	for i, id := range u.Ids {
 		ids[i] = id
@@ -66,14 +68,14 @@ func userGrantRemoveBulkToModel(u *UserGrantRemoveBulk) []string {
 	return ids
 }
 
-func projectUserGrantUpdateToModel(u *ProjectUserGrantUpdate) *grant_model.UserGrant {
+func projectUserGrantUpdateToModel(u *management.ProjectUserGrantUpdate) *grant_model.UserGrant {
 	return &grant_model.UserGrant{
 		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
 		RoleKeys:   u.RoleKeys,
 	}
 }
 
-func projectGrantUserGrantCreateToModel(u *ProjectGrantUserGrantCreate) *grant_model.UserGrant {
+func projectGrantUserGrantCreateToModel(u *management.ProjectGrantUserGrantCreate) *grant_model.UserGrant {
 	return &grant_model.UserGrant{
 		UserID:    u.UserId,
 		ProjectID: u.ProjectId,
@@ -81,14 +83,14 @@ func projectGrantUserGrantCreateToModel(u *ProjectGrantUserGrantCreate) *grant_m
 	}
 }
 
-func projectGrantUserGrantUpdateToModel(u *ProjectGrantUserGrantUpdate) *grant_model.UserGrant {
+func projectGrantUserGrantUpdateToModel(u *management.ProjectGrantUserGrantUpdate) *grant_model.UserGrant {
 	return &grant_model.UserGrant{
 		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
 		RoleKeys:   u.RoleKeys,
 	}
 }
 
-func userGrantSearchRequestsToModel(project *UserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
+func userGrantSearchRequestsToModel(project *management.UserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
 	return &grant_model.UserGrantSearchRequest{
 		Offset:  project.Offset,
 		Limit:   project.Limit,
@@ -96,7 +98,7 @@ func userGrantSearchRequestsToModel(project *UserGrantSearchRequest) *grant_mode
 	}
 }
 
-func userGrantSearchQueriesToModel(queries []*UserGrantSearchQuery) []*grant_model.UserGrantSearchQuery {
+func userGrantSearchQueriesToModel(queries []*management.UserGrantSearchQuery) []*grant_model.UserGrantSearchQuery {
 	converted := make([]*grant_model.UserGrantSearchQuery, len(queries))
 	for i, q := range queries {
 		converted[i] = userGrantSearchQueryToModel(q)
@@ -104,7 +106,7 @@ func userGrantSearchQueriesToModel(queries []*UserGrantSearchQuery) []*grant_mod
 	return converted
 }
 
-func userGrantSearchQueryToModel(query *UserGrantSearchQuery) *grant_model.UserGrantSearchQuery {
+func userGrantSearchQueryToModel(query *management.UserGrantSearchQuery) *grant_model.UserGrantSearchQuery {
 	return &grant_model.UserGrantSearchQuery{
 		Key:    userGrantSearchKeyToModel(query.Key),
 		Method: searchMethodToModel(query.Method),
@@ -112,23 +114,23 @@ func userGrantSearchQueryToModel(query *UserGrantSearchQuery) *grant_model.UserG
 	}
 }
 
-func userGrantSearchKeyToModel(key UserGrantSearchKey) grant_model.UserGrantSearchKey {
+func userGrantSearchKeyToModel(key management.UserGrantSearchKey) grant_model.UserGrantSearchKey {
 	switch key {
-	case UserGrantSearchKey_USERGRANTSEARCHKEY_ORG_ID:
+	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ORG_ID:
 		return grant_model.UserGrantSearchKeyResourceOwner
-	case UserGrantSearchKey_USERGRANTSEARCHKEY_PROJECT_ID:
+	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_PROJECT_ID:
 		return grant_model.UserGrantSearchKeyProjectID
-	case UserGrantSearchKey_USERGRANTSEARCHKEY_USER_ID:
+	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_USER_ID:
 		return grant_model.UserGrantSearchKeyUserID
-	case UserGrantSearchKey_USERGRANTSEARCHKEY_ROLE_KEY:
+	case management.UserGrantSearchKey_USERGRANTSEARCHKEY_ROLE_KEY:
 		return grant_model.UserGrantSearchKeyRoleKey
 	default:
 		return grant_model.UserGrantSearchKeyUnspecified
 	}
 }
 
-func userGrantSearchResponseFromModel(response *grant_model.UserGrantSearchResponse) *UserGrantSearchResponse {
+func userGrantSearchResponseFromModel(response *grant_model.UserGrantSearchResponse) *management.UserGrantSearchResponse {
-	return &UserGrantSearchResponse{
+	return &management.UserGrantSearchResponse{
 		Offset:      response.Offset,
 		Limit:       response.Limit,
 		TotalResult: response.TotalResult,
@@ -136,22 +138,22 @@ func userGrantSearchResponseFromModel(response *grant_model.UserGrantSearchRespo
 	}
 }
 
-func userGrantViewsFromModel(users []*grant_model.UserGrantView) []*UserGrantView {
+func userGrantViewsFromModel(users []*grant_model.UserGrantView) []*management.UserGrantView {
-	converted := make([]*UserGrantView, len(users))
+	converted := make([]*management.UserGrantView, len(users))
 	for i, user := range users {
 		converted[i] = userGrantViewFromModel(user)
 	}
 	return converted
 }
 
-func userGrantViewFromModel(grant *grant_model.UserGrantView) *UserGrantView {
+func userGrantViewFromModel(grant *grant_model.UserGrantView) *management.UserGrantView {
 	creationDate, err := ptypes.TimestampProto(grant.CreationDate)
 	logging.Log("GRPC-dl9we").OnError(err).Debug("unable to parse timestamp")
 
 	changeDate, err := ptypes.TimestampProto(grant.ChangeDate)
 	logging.Log("GRPC-lpsg5").OnError(err).Debug("unable to parse timestamp")
 
-	return &UserGrantView{
+	return &management.UserGrantView{
 		Id:            grant.ID,
 		State:         usergrantStateFromModel(grant.State),
 		CreationDate:  creationDate,
@@ -173,18 +175,18 @@ func userGrantViewFromModel(grant *grant_model.UserGrantView) *UserGrantView {
 	}
 }
 
-func usergrantStateFromModel(state grant_model.UserGrantState) UserGrantState {
+func usergrantStateFromModel(state grant_model.UserGrantState) management.UserGrantState {
 	switch state {
 	case grant_model.UserGrantStateActive:
-		return UserGrantState_USERGRANTSTATE_ACTIVE
+		return management.UserGrantState_USERGRANTSTATE_ACTIVE
 	case grant_model.UserGrantStateInactive:
-		return UserGrantState_USERGRANTSTATE_INACTIVE
+		return management.UserGrantState_USERGRANTSTATE_INACTIVE
 	default:
-		return UserGrantState_USERGRANTSTATE_UNSPECIFIED
+		return management.UserGrantState_USERGRANTSTATE_UNSPECIFIED
 	}
 }
 
-func projectUserGrantSearchRequestsToModel(project *ProjectUserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
+func projectUserGrantSearchRequestsToModel(project *management.ProjectUserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
 	return &grant_model.UserGrantSearchRequest{
 		Offset:  project.Offset,
 		Limit:   project.Limit,
@@ -192,7 +194,7 @@ func projectUserGrantSearchRequestsToModel(project *ProjectUserGrantSearchReques
 	}
 }
 
-func projectGrantUserGrantSearchRequestsToModel(project *ProjectGrantUserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
+func projectGrantUserGrantSearchRequestsToModel(project *management.ProjectGrantUserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
 	return &grant_model.UserGrantSearchRequest{
 		Offset:  project.Offset,
 		Limit:   project.Limit,

internal/api/grpc/server/gateway.go

@@ -3,12 +3,14 @@ package server
 import (
 	"context"
 	"net/http"
+	"strings"
 
 	"github.com/grpc-ecosystem/grpc-gateway/runtime"
 	"google.golang.org/grpc"
 
 	"github.com/caos/logging"
 
+	grpc_util "github.com/caos/zitadel/internal/api/grpc"
 	client_middleware "github.com/caos/zitadel/internal/api/grpc/client/middleware"
 	http_util "github.com/caos/zitadel/internal/api/http"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
@@ -22,26 +24,41 @@ const (
 var (
 	DefaultJSONMarshaler = &runtime.JSONPb{OrigName: false, EmitDefaults: false}
 
-	DefaultServeMuxOptions = []runtime.ServeMuxOption{
+	DefaultServeMuxOptions = func(customHeaders ...string) []runtime.ServeMuxOption {
+		return []runtime.ServeMuxOption{
 			runtime.WithMarshalerOption(DefaultJSONMarshaler.ContentType(), DefaultJSONMarshaler),
 			runtime.WithMarshalerOption(mimeWildcard, DefaultJSONMarshaler),
 			runtime.WithMarshalerOption(runtime.MIMEWildcard, DefaultJSONMarshaler),
-		runtime.WithIncomingHeaderMatcher(runtime.DefaultHeaderMatcher),
+			runtime.WithIncomingHeaderMatcher(DefaultHeaderMatcher(customHeaders...)),
 			runtime.WithOutgoingHeaderMatcher(runtime.DefaultHeaderMatcher),
 		}
+	}
+
+	DefaultHeaderMatcher = func(customHeaders ...string) runtime.HeaderMatcherFunc {
+		return func(header string) (string, bool) {
+			for _, customHeader := range customHeaders {
+				if strings.HasPrefix(strings.ToLower(header), customHeader) {
+					return header, true
+				}
+			}
+			return runtime.DefaultHeaderMatcher(header)
+		}
+	}
 )
 
 type Gateway interface {
-	GRPCEndpoint() string
+	RegisterGateway() GatewayFunc
-	GatewayPort() string
+	GatewayPathPrefix() string
-	Gateway() GatewayFunc
 }
 
 type GatewayFunc func(ctx context.Context, mux *runtime.ServeMux, endpoint string, opts []grpc.DialOption) error
 
+//optional extending interfaces of Gateway below
+
 type gatewayCustomServeMuxOptions interface {
 	GatewayServeMuxOptions() []runtime.ServeMuxOption
 }
+
 type grpcGatewayCustomInterceptor interface {
 	GatewayHTTPInterceptor(http.Handler) http.Handler
 }
@@ -50,28 +67,62 @@ type gatewayCustomCallOptions interface {
 	GatewayCallOptions() []grpc.DialOption
 }
 
-func StartGateway(ctx context.Context, g Gateway) {
+type GatewayHandler struct {
-	mux := createMux(ctx, g)
+	mux           *http.ServeMux
-	serveGateway(ctx, mux, gatewayPort(g.GatewayPort()), g)
+	serverPort    string
+	gatewayPort   string
+	customHeaders []string
 }
 
-func createMux(ctx context.Context, g Gateway) *runtime.ServeMux {
+func CreateGatewayHandler(config grpc_util.Config) *GatewayHandler {
-	muxOptions := DefaultServeMuxOptions
+	return &GatewayHandler{
+		mux:           http.NewServeMux(),
+		serverPort:    config.ServerPort,
+		gatewayPort:   config.GatewayPort,
+		customHeaders: config.CustomHeaders,
+	}
+}
+
+//RegisterGateway registers a handler (Gateway interface) on defined port
+//Gateway interface may be extended with optional implementation of interfaces (gatewayCustomServeMuxOptions, ...)
+func (g *GatewayHandler) RegisterGateway(ctx context.Context, gateway Gateway) {
+	handler := createGateway(ctx, gateway, g.serverPort, g.customHeaders...)
+	prefix := gateway.GatewayPathPrefix()
+	g.RegisterHandler(prefix, handler)
+}
+
+func (g *GatewayHandler) RegisterHandler(prefix string, handler http.Handler) {
+	http_util.RegisterHandler(g.mux, prefix, handler)
+}
+
+func (g *GatewayHandler) Serve(ctx context.Context) {
+	http_util.Serve(ctx, g.mux, g.gatewayPort, "api")
+}
+
+func createGateway(ctx context.Context, g Gateway, port string, customHeaders ...string) http.Handler {
+	mux := createMux(g, customHeaders...)
+	opts := createDialOptions(g)
+	err := g.RegisterGateway()(ctx, mux, http_util.Endpoint(port), opts)
+	logging.Log("SERVE-7B7G0E").OnError(err).Panic("failed to register grpc gateway")
+	return addInterceptors(mux, g)
+}
+
+func createMux(g Gateway, customHeaders ...string) *runtime.ServeMux {
+	muxOptions := DefaultServeMuxOptions(customHeaders...)
 	if customOpts, ok := g.(gatewayCustomServeMuxOptions); ok {
 		muxOptions = customOpts.GatewayServeMuxOptions()
 	}
-	mux := runtime.NewServeMux(muxOptions...)
+	return runtime.NewServeMux(muxOptions...)
+}
 
+func createDialOptions(g Gateway) []grpc.DialOption {
 	opts := []grpc.DialOption{grpc.WithInsecure()}
 	opts = append(opts, client_middleware.DefaultTracingStatsClient())
 
 	if customOpts, ok := g.(gatewayCustomCallOptions); ok {
 		opts = append(opts, customOpts.GatewayCallOptions()...)
 	}
-	err := g.Gateway()(ctx, mux, g.GRPCEndpoint(), opts)
+	return opts
-	logging.Log("SERVE-7B7G0E").OnError(err).Panic("failed to create mux for grpc gateway")
-
-	return mux
 }
 
 func addInterceptors(handler http.Handler, g Gateway) http.Handler {
@@ -83,26 +134,6 @@ func addInterceptors(handler http.Handler, g Gateway) http.Handler {
 	return http_mw.CORSInterceptorOpts(http_mw.DefaultCORSOptions, handler)
 }
 
-func serveGateway(ctx context.Context, handler http.Handler, port string, g Gateway) {
-	server := &http.Server{
-		Handler: addInterceptors(handler, g),
-	}
-
-	listener := http_util.CreateListener(port)
-
-	go func() {
-		<-ctx.Done()
-		err := server.Shutdown(ctx)
-		logging.Log("SERVE-m7kBlq").OnError(err).Warn("error during graceful shutdown of grpc gateway")
-	}()
-
-	go func() {
-		err := server.Serve(listener)
-		logging.Log("SERVE-tBHR60").OnError(err).Panic("grpc gateway serve failed")
-	}()
-	logging.LogWithFields("SERVE-KHh0Cb", "port", port).Info("grpc gateway is listening")
-}
-
 func gatewayPort(port string) string {
 	if port == "" {
 		return defaultGatewayPort

internal/api/grpc/server/middleware/auth_interceptor.go

@@ -2,37 +2,39 @@ package middleware
 
 import (
 	"context"
+
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 
-	"github.com/caos/zitadel/internal/api"
+	"github.com/caos/zitadel/internal/api/authz"
-	"github.com/caos/zitadel/internal/api/auth"
 	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/api/http"
 )
 
-func AuthorizationInterceptor(verifier auth.TokenVerifier, authConfig *auth.Config, authMethods auth.MethodMapping) func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+func AuthorizationInterceptor(verifier *authz.TokenVerifier, authConfig authz.Config) grpc.UnaryServerInterceptor {
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-		authOpt, needsToken := authMethods[info.FullMethod]
+		return authorize(ctx, req, info, handler, verifier, authConfig)
+	}
+}
+
+func authorize(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler, verifier *authz.TokenVerifier, authConfig authz.Config) (interface{}, error) {
+	authOpt, needsToken := verifier.CheckAuthMethod(info.FullMethod)
 	if !needsToken {
 		return handler(ctx, req)
 	}
 
-		authToken := ""
+	authToken := grpc_util.GetAuthorizationHeader(ctx)
-		//TODO: Remove check internal as soon as authentification is implemented
-		if !auth.CheckInternal(ctx) {
-			authToken = grpc_util.GetAuthorizationHeader(ctx)
 	if authToken == "" {
 		return nil, status.Error(codes.Unauthenticated, "auth header missing")
 	}
-		}
-		orgID := grpc_util.GetHeader(ctx, api.ZitadelOrgID)
 
-		ctx, err := auth.CheckUserAuthorization(ctx, req, authToken, orgID, verifier, authConfig, authOpt)
+	orgID := grpc_util.GetHeader(ctx, http.ZitadelOrgID)
+
+	ctx, err := authz.CheckUserAuthorization(ctx, req, authToken, orgID, verifier, authConfig, authOpt, info.FullMethod)
 	if err != nil {
 		return nil, err
 	}
 
 	return handler(ctx, req)
 }
-}

internal/api/grpc/server/middleware/auth_interceptor_test.go

@@ -0,0 +1,148 @@
+package middleware
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/metadata"
+
+	"github.com/caos/zitadel/internal/api/authz"
+)
+
+var (
+	mockMethods = authz.MethodMapping{
+		"need.authentication": authz.Option{
+			Permission: "authenticated",
+		},
+	}
+)
+
+type verifierMock struct{}
+
+func (v *verifierMock) VerifyAccessToken(ctx context.Context, token, clientID string) (string, string, error) {
+	return "", "", nil
+}
+func (v *verifierMock) ResolveGrants(ctx context.Context) (*authz.Grant, error) {
+	return nil, nil
+}
+func (v *verifierMock) ProjectIDByClientID(ctx context.Context, clientID string) (string, error) {
+	return "", nil
+}
+func (v *verifierMock) VerifierClientID(ctx context.Context, appName string) (string, error) {
+	return "", nil
+}
+
+func Test_authorize(t *testing.T) {
+	type args struct {
+		ctx         context.Context
+		req         interface{}
+		info        *grpc.UnaryServerInfo
+		handler     grpc.UnaryHandler
+		verifier    *authz.TokenVerifier
+		authConfig  authz.Config
+		authMethods authz.MethodMapping
+	}
+	type res struct {
+		want    interface{}
+		wantErr bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"no token needed ok",
+			args{
+				ctx:     context.Background(),
+				req:     &mockReq{},
+				info:    mockInfo("/no/token/needed"),
+				handler: emptyMockHandler,
+				verifier: func() *authz.TokenVerifier {
+					verifier := authz.Start(&verifierMock{})
+					verifier.RegisterServer("need", "need", authz.MethodMapping{})
+					return verifier
+				}(),
+				authMethods: mockMethods,
+			},
+			res{
+				&mockReq{},
+				false,
+			},
+		},
+		{
+			"auth header missing error",
+			args{
+				ctx:     context.Background(),
+				req:     &mockReq{},
+				info:    mockInfo("/need/authentication"),
+				handler: emptyMockHandler,
+				verifier: func() *authz.TokenVerifier {
+					verifier := authz.Start(&verifierMock{})
+					verifier.RegisterServer("need", "need", authz.MethodMapping{"/need/authentication": authz.Option{Permission: "authenticated"}})
+					return verifier
+				}(),
+				authConfig:  authz.Config{},
+				authMethods: mockMethods,
+			},
+			res{
+				nil,
+				true,
+			},
+		},
+		{
+			"unauthorized error",
+			args{
+				ctx:     metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", "wrong")),
+				req:     &mockReq{},
+				info:    mockInfo("/need/authentication"),
+				handler: emptyMockHandler,
+				verifier: func() *authz.TokenVerifier {
+					verifier := authz.Start(&verifierMock{})
+					verifier.RegisterServer("need", "need", authz.MethodMapping{"/need/authentication": authz.Option{Permission: "authenticated"}})
+					return verifier
+				}(),
+				authConfig:  authz.Config{},
+				authMethods: mockMethods,
+			},
+			res{
+				nil,
+				true,
+			},
+		},
+		{
+			"authorized ok",
+			args{
+				ctx:     metadata.NewIncomingContext(context.Background(), metadata.Pairs("authorization", "Bearer token")),
+				req:     &mockReq{},
+				info:    mockInfo("/need/authentication"),
+				handler: emptyMockHandler,
+				verifier: func() *authz.TokenVerifier {
+					verifier := authz.Start(&verifierMock{})
+					verifier.RegisterServer("need", "need", authz.MethodMapping{"/need/authentication": authz.Option{Permission: "authenticated"}})
+					return verifier
+				}(),
+				authConfig:  authz.Config{},
+				authMethods: mockMethods,
+			},
+			res{
+				&mockReq{},
+				false,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := authorize(tt.args.ctx, tt.args.req, tt.args.info, tt.args.handler, tt.args.verifier, tt.args.authConfig)
+			if (err != nil) != tt.res.wantErr {
+				t.Errorf("authorize() error = %v, wantErr %v", err, tt.res.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.res.want) {
+				t.Errorf("authorize() got = %v, want %v", got, tt.res.want)
+			}
+		})
+	}
+}

internal/api/grpc/server/middleware/error_interceptor.go

@@ -4,18 +4,22 @@ import (
 	"context"
 
 	"golang.org/x/text/language"
-
 	"google.golang.org/grpc"
 
 	grpc_util "github.com/caos/zitadel/internal/api/grpc"
+	"github.com/caos/zitadel/internal/i18n"
 	_ "github.com/caos/zitadel/internal/statik"
 )
 
-func ErrorHandler(defaultLanguage language.Tag) func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+func ErrorHandler(defaultLanguage language.Tag) grpc.UnaryServerInterceptor {
 	translator := newZitadelTranslator(defaultLanguage)
 
 	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
+		return toGRPCError(ctx, req, handler, translator)
+	}
+}
+
+func toGRPCError(ctx context.Context, req interface{}, handler grpc.UnaryHandler, translator *i18n.Translator) (interface{}, error) {
 	resp, err := handler(ctx, req)
-		return resp, grpc_util.CaosToGRPCError(err, ctx, translator)
+	return resp, grpc_util.CaosToGRPCError(ctx, err, translator)
-	}
 }

internal/api/grpc/server/middleware/error_interceptor_test.go

@@ -0,0 +1,63 @@
+package middleware
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"google.golang.org/grpc"
+)
+
+func Test_toGRPCError(t *testing.T) {
+	type args struct {
+		ctx     context.Context
+		req     interface{}
+		handler grpc.UnaryHandler
+	}
+	type res struct {
+		want    interface{}
+		wantErr bool
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"no error",
+			args{
+				ctx:     context.Background(),
+				req:     &mockReq{},
+				handler: emptyMockHandler,
+			},
+			res{
+				&mockReq{},
+				false,
+			},
+		},
+		{
+			"error",
+			args{
+				ctx:     context.Background(),
+				req:     &mockReq{},
+				handler: errorMockHandler,
+			},
+			res{
+				nil,
+				true,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := toGRPCError(tt.args.ctx, tt.args.req, tt.args.handler, nil)
+			if (err != nil) != tt.res.wantErr {
+				t.Errorf("toGRPCError() error = %v, wantErr %v", err, tt.res.wantErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.res.want) {
+				t.Errorf("toGRPCError() got = %v, want %v", got, tt.res.want)
+			}
+		})
+	}
+}

internal/api/grpc/server/middleware/mock_test.go

@@ -0,0 +1,26 @@
+package middleware
+
+import (
+	"context"
+
+	"google.golang.org/grpc"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func emptyMockHandler(_ context.Context, req interface{}) (interface{}, error) {
+	return req, nil
+}
+
+func errorMockHandler(_ context.Context, req interface{}) (interface{}, error) {
+	return nil, errors.ThrowInternal(nil, "test", "error")
+}
+
+type mockReq struct{}
+
+func mockInfo(path string) *grpc.UnaryServerInfo {
+	return &grpc.UnaryServerInfo{
+		Server:     nil,
+		FullMethod: path,
+	}
+}

internal/api/grpc/server/middleware/tracing.go

@@ -9,13 +9,28 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/stats"
 
+	"github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/tracing"
 )
 
 type GRPCMethod string
 
 func TracingStatsServer(ignoredMethods ...GRPCMethod) grpc.ServerOption {
-	return grpc.StatsHandler(&tracingServerHandler{ignoredMethods, ocgrpc.ServerHandler{StartOptions: trace.StartOptions{Sampler: tracing.Sampler(), SpanKind: trace.SpanKindServer}}})
+	return grpc.StatsHandler(
+		&tracingServerHandler{
+			ignoredMethods,
+			ocgrpc.ServerHandler{
+				StartOptions: trace.StartOptions{
+					Sampler:  tracing.Sampler(),
+					SpanKind: trace.SpanKindServer,
+				},
+			},
+		},
+	)
+}
+
+func DefaultTracingStatsServer() grpc.ServerOption {
+	return TracingStatsServer(http.Healthz, http.Readiness, http.Validation)
 }
 
 type tracingServerHandler struct {

internal/api/grpc/server/middleware/tracing_test.go

@@ -0,0 +1,71 @@
+package middleware
+
+import (
+	"context"
+	"testing"
+
+	"go.opencensus.io/plugin/ocgrpc"
+	"go.opencensus.io/trace"
+	"google.golang.org/grpc/stats"
+)
+
+func Test_tracingServerHandler_TagRPC(t *testing.T) {
+	type fields struct {
+		IgnoredMethods []GRPCMethod
+		ServerHandler  ocgrpc.ServerHandler
+	}
+	type args struct {
+		ctx     context.Context
+		tagInfo *stats.RPCTagInfo
+	}
+	type res struct {
+		wantSpan bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		args   args
+		res    res
+	}{
+		{
+			"ignored method",
+			fields{
+				IgnoredMethods: []GRPCMethod{"ignore"},
+				ServerHandler:  ocgrpc.ServerHandler{},
+			},
+			args{
+				ctx: context.Background(),
+				tagInfo: &stats.RPCTagInfo{
+					FullMethodName: "ignore",
+				},
+			},
+			res{false},
+		},
+		{
+			"tag",
+			fields{
+				IgnoredMethods: []GRPCMethod{"ignore"},
+				ServerHandler:  ocgrpc.ServerHandler{},
+			},
+			args{
+				ctx: context.Background(),
+				tagInfo: &stats.RPCTagInfo{
+					FullMethodName: "tag",
+				},
+			},
+			res{true},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := &tracingServerHandler{
+				IgnoredMethods: tt.fields.IgnoredMethods,
+				ServerHandler:  tt.fields.ServerHandler,
+			}
+			got := s.TagRPC(tt.args.ctx, tt.args.tagInfo)
+			if (trace.FromContext(got) != nil) != tt.res.wantSpan {
+				t.Errorf("TagRPC() = %v, want %v", got, tt.res.wantSpan)
+			}
+		})
+	}
+}

internal/api/grpc/server/probes.go

@@ -26,7 +26,10 @@ func (v *Validator) Healthz(_ context.Context, e *empty.Empty) (*empty.Empty, er
 }
 
 func (v *Validator) Ready(ctx context.Context, e *empty.Empty) (*empty.Empty, error) {
-	return e, ready(ctx, v.validations)
+	if len(validate(ctx, v.validations)) == 0 {
+		return e, nil
+	}
+	return nil, errors.ThrowInternal(nil, "API-2jD9a", "not ready")
 }
 
 func (v *Validator) Validate(ctx context.Context, _ *empty.Empty) (*structpb.Struct, error) {
@@ -34,13 +37,6 @@ func (v *Validator) Validate(ctx context.Context, _ *empty.Empty) (*structpb.Str
 	return proto.ToPBStruct(validations)
 }
 
-func ready(ctx context.Context, validations map[string]ValidationFunction) error {
-	if len(validate(ctx, validations)) == 0 {
-		return nil
-	}
-	return errors.ThrowInternal(nil, "API-2jD9a", "not ready")
-}
-
 func validate(ctx context.Context, validations map[string]ValidationFunction) map[string]error {
 	errors := make(map[string]error)
 	for id, validation := range validations {

internal/api/grpc/server/probes_test.go

@@ -0,0 +1,158 @@
+package server
+
+import (
+	"context"
+	"reflect"
+	"testing"
+
+	"github.com/golang/protobuf/ptypes/empty"
+
+	"github.com/caos/zitadel/internal/errors"
+)
+
+func TestValidator_Healthz(t *testing.T) {
+	type fields struct {
+		validations map[string]ValidationFunction
+	}
+	type res struct {
+		want   *empty.Empty
+		hasErr bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		res    res
+	}{
+		{
+			"ok",
+			fields{},
+			res{
+				&empty.Empty{},
+				false,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			v := &Validator{
+				validations: tt.fields.validations,
+			}
+			got, err := v.Healthz(nil, &empty.Empty{})
+			if (err != nil) != tt.res.hasErr {
+				t.Errorf("Healthz() error = %v, wantErr %v", err, tt.res.hasErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.res.want) {
+				t.Errorf("Healthz() got = %v, want %v", got, tt.res.want)
+			}
+		})
+	}
+}
+
+func TestValidator_Ready(t *testing.T) {
+	type fields struct {
+		validations map[string]ValidationFunction
+	}
+	type res struct {
+		want   *empty.Empty
+		hasErr bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		res    res
+	}{
+		{
+			"unready error",
+			fields{validations: map[string]ValidationFunction{
+				"error": func(_ context.Context) error {
+					return errors.ThrowInternal(nil, "id", "message")
+				},
+			}},
+			res{
+				nil,
+				true,
+			},
+		},
+		{
+			"ready ok",
+			fields{validations: map[string]ValidationFunction{
+				"ok": func(_ context.Context) error {
+					return nil
+				},
+			}},
+			res{
+				&empty.Empty{},
+				false,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			v := &Validator{
+				validations: tt.fields.validations,
+			}
+			got, err := v.Ready(context.Background(), &empty.Empty{})
+			if (err != nil) != tt.res.hasErr {
+				t.Errorf("Ready() error = %v, wantErr %v", err, tt.res.hasErr)
+				return
+			}
+			if !reflect.DeepEqual(got, tt.res.want) {
+				t.Errorf("Ready() got = %v, want %v", got, tt.res.want)
+			}
+		})
+	}
+}
+
+func Test_validate(t *testing.T) {
+	type args struct {
+		validations map[string]ValidationFunction
+	}
+	type res struct {
+		want map[string]error
+	}
+	tests := []struct {
+		name string
+		args args
+		res  res
+	}{
+		{
+			"no error empty",
+			args{
+				validations: map[string]ValidationFunction{
+					"ok": func(_ context.Context) error {
+						return nil
+					},
+				},
+			},
+			res{
+				map[string]error{},
+			},
+		},
+		{
+			"error in list",
+			args{
+				validations: map[string]ValidationFunction{
+					"ok": func(_ context.Context) error {
+						return nil
+					},
+					"error": func(_ context.Context) error {
+						return errors.ThrowInternal(nil, "id", "message")
+					},
+				},
+			},
+			res{
+				map[string]error{
+					"error": errors.ThrowInternal(nil, "id", "message"),
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := validate(context.Background(), tt.args.validations); !reflect.DeepEqual(got, tt.res.want) {
+				t.Errorf("validate() = %v, want %v", got, tt.res.want)
+			}
+		})
+	}
+}

internal/api/grpc/server/server.go

@@ -2,12 +2,14 @@ package server
 
 import (
 	"context"
-	"github.com/caos/zitadel/internal/config/systemdefaults"
-	"net"
 
 	"github.com/caos/logging"
+	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
+	"golang.org/x/text/language"
 	"google.golang.org/grpc"
 
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
 	"github.com/caos/zitadel/internal/api/http"
 )
 
@@ -16,30 +18,36 @@ const (
 )
 
 type Server interface {
-	GRPCPort() string
+	Gateway
-	GRPCServer(defaults systemdefaults.SystemDefaults) (*grpc.Server, error)
+	RegisterServer(*grpc.Server)
+	AppName() string
+	MethodPrefix() string
+	AuthMethods() authz.MethodMapping
 }
 
-func StartServer(ctx context.Context, s Server, defaults systemdefaults.SystemDefaults) {
+func CreateServer(verifier *authz.TokenVerifier, authConfig authz.Config, lang language.Tag) *grpc.Server {
-	port := grpcPort(s.GRPCPort())
+	return grpc.NewServer(
-	listener := http.CreateListener(port)
+		middleware.TracingStatsServer(http.Healthz, http.Readiness, http.Validation),
-	server := createGrpcServer(s, defaults)
+		grpc.UnaryInterceptor(
-	serveServer(ctx, server, listener, port)
+			grpc_middleware.ChainUnaryServer(
+				middleware.ErrorHandler(lang),
+				middleware.TranslationHandler(lang),
+				grpc_middleware.ChainUnaryServer(
+					middleware.AuthorizationInterceptor(verifier, authConfig),
+				),
+			),
+		),
+	)
 }
 
-func createGrpcServer(s Server, defaults systemdefaults.SystemDefaults) *grpc.Server {
+func Serve(ctx context.Context, server *grpc.Server, port string) {
-	grpcServer, err := s.GRPCServer(defaults)
-	logging.Log("SERVE-k280HZ").OnError(err).Panic("failed to create grpc server")
-	return grpcServer
-}
-
-func serveServer(ctx context.Context, server *grpc.Server, listener net.Listener, port string) {
 	go func() {
 		<-ctx.Done()
 		server.GracefulStop()
 	}()
 
 	go func() {
+		listener := http.CreateListener(port)
 		err := server.Serve(listener)
 		logging.Log("SERVE-Ga3e94").OnError(err).Panic("grpc server serve failed")
 	}()

internal/api/header.go

@@ -1,30 +0,0 @@
-package api
-
-const (
-	Authorization  = "authorization"
-	Accept         = "accept"
-	AcceptLanguage = "accept-language"
-	CacheControl   = "cache-control"
-	ContentType    = "content-type"
-	Expires        = "expires"
-	Location       = "location"
-	Origin         = "origin"
-	Pragma         = "pragma"
-	UserAgent      = "user-agent"
-	ForwardedFor   = "x-forwarded-for"
-
-	ContentSecurityPolicy   = "content-security-policy"
-	XXSSProtection          = "x-xss-protection"
-	StrictTransportSecurity = "strict-transport-security"
-	XFrameOptions           = "x-frame-options"
-	XContentTypeOptions     = "x-content-type-options"
-	ReferrerPolicy          = "referrer-policy"
-	FeaturePolicy           = "feature-policy"
-
-	ZitadelOrgID = "x-zitadel-orgid"
-	//TODO: Remove as soon an authentification is implemented
-	ZitadelUserID   = "x-zitadel-userid"
-	ZitadelClientID = "x-zitadel-clientid"
-	ZitadelAgentID  = "x-zitadel-agentid"
-	LoginKey        = "x-zitadel-login"
-)

internal/api/html/i18n.go

@@ -1,109 +0,0 @@
-package html
-
-import (
-	"encoding/json"
-	"io/ioutil"
-	"net/http"
-	"path"
-
-	"github.com/BurntSushi/toml"
-	"github.com/caos/logging"
-	"github.com/ghodss/yaml"
-	"github.com/nicksnyder/go-i18n/v2/i18n"
-	"golang.org/x/text/language"
-
-	"github.com/caos/zitadel/internal/api"
-	http_util "github.com/caos/zitadel/internal/api/http"
-	"github.com/caos/zitadel/internal/errors"
-)
-
-type Translator struct {
-	bundle        *i18n.Bundle
-	cookieName    string
-	cookieHandler *http_util.CookieHandler
-}
-
-type TranslatorConfig struct {
-	Path            string
-	DefaultLanguage language.Tag
-	CookieName      string
-}
-
-func NewTranslator(config TranslatorConfig) (*Translator, error) {
-	t := new(Translator)
-	var err error
-	t.bundle, err = newBundle(config.Path, config.DefaultLanguage)
-	if err != nil {
-		return nil, err
-	}
-	t.cookieHandler = http_util.NewCookieHandler()
-	t.cookieName = config.CookieName
-	return t, nil
-}
-
-func newBundle(i18nDir string, defaultLanguage language.Tag) (*i18n.Bundle, error) {
-	bundle := i18n.NewBundle(defaultLanguage)
-	yamlUnmarshal := func(data []byte, v interface{}) error { return yaml.Unmarshal(data, v) }
-	bundle.RegisterUnmarshalFunc("yaml", yamlUnmarshal)
-	bundle.RegisterUnmarshalFunc("yml", yamlUnmarshal)
-	bundle.RegisterUnmarshalFunc("json", json.Unmarshal)
-	bundle.RegisterUnmarshalFunc("toml", toml.Unmarshal)
-	files, err := ioutil.ReadDir(i18nDir)
-	if err != nil {
-		return nil, errors.ThrowNotFound(err, "HTML-MnXRie", "path not found")
-	}
-	for _, file := range files {
-		bundle.MustLoadMessageFile(path.Join(i18nDir, file.Name()))
-	}
-	return bundle, nil
-}
-
-func (t *Translator) LocalizeFromRequest(r *http.Request, id string, args map[string]interface{}) string {
-	s, err := t.localizerFromRequest(r).Localize(&i18n.LocalizeConfig{
-		MessageID:    id,
-		TemplateData: args,
-	})
-	if err != nil {
-		logging.Log("HTML-MsF5sx").WithError(err).Warnf("missing translation")
-		return id
-	}
-	return s
-}
-
-func (t *Translator) Localize(id string, args map[string]interface{}) string {
-	s, _ := t.localizer().Localize(&i18n.LocalizeConfig{
-		MessageID:    id,
-		TemplateData: args,
-	})
-	return s
-}
-
-func (t *Translator) Lang(r *http.Request) language.Tag {
-	matcher := language.NewMatcher(t.bundle.LanguageTags())
-	tag, _ := language.MatchStrings(matcher, t.langsFromRequest(r)...)
-	return tag
-}
-
-func (t *Translator) SetLangCookie(w http.ResponseWriter, lang language.Tag) {
-	t.cookieHandler.SetCookie(w, t.cookieName, lang.String())
-}
-
-func (t *Translator) localizerFromRequest(r *http.Request) *i18n.Localizer {
-	return t.localizer(t.langsFromRequest(r)...)
-}
-
-func (t *Translator) localizer(langs ...string) *i18n.Localizer {
-	return i18n.NewLocalizer(t.bundle, langs...)
-}
-
-func (t *Translator) langsFromRequest(r *http.Request) []string {
-	langs := make([]string, 0)
-	if r == nil {
-		return langs
-	}
-	lang, err := t.cookieHandler.GetCookieValue(r, t.cookieName)
-	if err == nil {
-		langs = append(langs, lang)
-	}
-	return append(langs, r.Header.Get(api.AcceptLanguage))
-}

internal/api/html/renderer.go

@@ -1,81 +0,0 @@
-package html
-
-import (
-	"net/http"
-	"path"
-	"text/template"
-
-	"github.com/caos/logging"
-	"golang.org/x/text/language"
-)
-
-const (
-	TranslateFn = "t"
-)
-
-type Renderer struct {
-	Templates  map[string]*template.Template
-	translator *Translator
-}
-
-func NewRenderer(templatesDir string, tmplMapping map[string]string, funcs map[string]interface{}, translatorConfig TranslatorConfig) (*Renderer, error) {
-	var err error
-	r := new(Renderer)
-	r.translator, err = NewTranslator(translatorConfig)
-	if err != nil {
-		return nil, err
-	}
-	r.loadTemplates(templatesDir, tmplMapping, funcs)
-	return r, nil
-}
-
-func (r *Renderer) RenderTemplate(w http.ResponseWriter, req *http.Request, tmpl *template.Template, data interface{}, reqFuncs map[string]interface{}) {
-	reqFuncs = r.registerTranslateFn(req, reqFuncs)
-	err := tmpl.Funcs(reqFuncs).Execute(w, data)
-	logging.LogWithFields("HTML-lF8F6w", "template", tmpl.Name).OnError(err).Error("error rendering template")
-}
-
-func (r *Renderer) Localize(id string, args map[string]interface{}) string {
-	return r.translator.Localize(id, args)
-}
-
-func (r *Renderer) LocalizeFromRequest(req *http.Request, id string, args map[string]interface{}) string {
-	return r.translator.LocalizeFromRequest(req, id, args)
-}
-func (r *Renderer) Lang(req *http.Request) language.Tag {
-	return r.translator.Lang(req)
-}
-
-func (r *Renderer) loadTemplates(templatesDir string, tmplMapping map[string]string, funcs map[string]interface{}) {
-	funcs = r.registerTranslateFn(nil, funcs)
-	funcs[TranslateFn] = func(id string, args ...interface{}) string {
-		return id
-	}
-	tmpls := template.Must(template.New("").Funcs(funcs).ParseGlob(path.Join(templatesDir, "*.html")))
-	r.Templates = make(map[string]*template.Template, len(tmplMapping))
-	for name, file := range tmplMapping {
-		r.Templates[name] = tmpls.Lookup(file)
-	}
-}
-
-func (r *Renderer) registerTranslateFn(req *http.Request, funcs map[string]interface{}) map[string]interface{} {
-	if funcs == nil {
-		funcs = make(map[string]interface{})
-	}
-	funcs[TranslateFn] = func(id string, args ...interface{}) string {
-		m := map[string]interface{}{}
-		var key string
-		for i, arg := range args {
-			if i%2 == 0 {
-				key = arg.(string)
-				continue
-			}
-			m[key] = arg
-		}
-		if r == nil {
-			return r.Localize(id, m)
-		}
-		return r.LocalizeFromRequest(req, id, m)
-	}
-	return funcs
-}

internal/api/http/header.go

@@ -5,8 +5,30 @@ import (
 	"net"
 	"net/http"
 	"strings"
+)
 
-	"github.com/caos/zitadel/internal/api"
+const (
+	Authorization   = "authorization"
+	Accept          = "accept"
+	AcceptLanguage  = "accept-language"
+	CacheControl    = "cache-control"
+	ContentType     = "content-type"
+	Expires         = "expires"
+	Location        = "location"
+	Origin          = "origin"
+	Pragma          = "pragma"
+	UserAgentHeader = "user-agent"
+	ForwardedFor    = "x-forwarded-for"
+
+	ContentSecurityPolicy   = "content-security-policy"
+	XXSSProtection          = "x-xss-protection"
+	StrictTransportSecurity = "strict-transport-security"
+	XFrameOptions           = "x-frame-options"
+	XContentTypeOptions     = "x-content-type-options"
+	ReferrerPolicy          = "referrer-policy"
+	FeaturePolicy           = "feature-policy"
+
+	ZitadelOrgID = "x-zitadel-orgid"
 )
 
 type key int
@@ -35,7 +57,7 @@ func RemoteIPFromCtx(ctx context.Context) string {
 	if !ok {
 		return RemoteAddrFromCtx(ctx)
 	}
-	forwarded, ok := ForwardedFor(ctxHeaders)
+	forwarded, ok := GetForwardedFor(ctxHeaders)
 	if ok {
 		return forwarded
 	}
@@ -47,15 +69,15 @@ func RemoteIPFromRequest(r *http.Request) net.IP {
 }
 
 func RemoteIPStringFromRequest(r *http.Request) string {
-	ip, ok := ForwardedFor(r.Header)
+	ip, ok := GetForwardedFor(r.Header)
 	if ok {
 		return ip
 	}
 	return r.RemoteAddr
 }
 
-func ForwardedFor(headers http.Header) (string, bool) {
+func GetForwardedFor(headers http.Header) (string, bool) {
-	forwarded, ok := headers[api.ForwardedFor]
+	forwarded, ok := headers[ForwardedFor]
 	if ok {
 		ip := strings.Split(forwarded[0], ", ")[0]
 		if ip != "" {

internal/api/http/listener.go

@@ -8,12 +8,12 @@ import (
 )
 
 func CreateListener(endpoint string) net.Listener {
-	l, err := net.Listen("tcp", listenerEndpoint(endpoint))
+	l, err := net.Listen("tcp", Endpoint(endpoint))
 	logging.Log("SERVE-6vasef").OnError(err).Fatal("creating listener failed")
 	return l
 }
 
-func listenerEndpoint(endpoint string) string {
+func Endpoint(endpoint string) string {
 	if strings.Contains(endpoint, ":") {
 		return endpoint
 	}

internal/api/http/middleware/cache_interceptor.go

@@ -7,7 +7,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/caos/zitadel/internal/api"
+	http_utils "github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/config/types"
 )
 
@@ -120,9 +120,9 @@ func (c *Cache) serializeHeaders(w http.ResponseWriter) {
 		control = append(control, string(c.Revalidation))
 	}
 
-	w.Header().Set(api.CacheControl, strings.Join(control, ", "))
+	w.Header().Set(http_utils.CacheControl, strings.Join(control, ", "))
-	w.Header().Set(api.Expires, expires)
+	w.Header().Set(http_utils.Expires, expires)
 	if pragma {
-		w.Header().Set(api.Pragma, "no-cache")
+		w.Header().Set(http_utils.Pragma, "no-cache")
 	}
 }