feat: idp v2 api GetIDPByID (#8425)

# Which Problems Are Solved

GetIDPByID as endpoint in the API v2 so that it can be available for the
new login.

# How the Problems Are Solved

Create GetIDPByID endpoint with IDP v2 API, throught the GetProviderByID
implementation from admin and management API.

# Additional Changes

- Remove the OwnerType attribute from the response, as the information
is available through the resourceOwner.
- correct refs to messages in proto which are used for doc generation
- renaming of elements for API v3

# Additional Context

Closes #8337

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>

internal/api/grpc/admin/idp.go

@@ -157,7 +157,7 @@ func (s *Server) GetProviderByID(ctx context.Context, req *admin_pb.GetProviderB
 	if err != nil {
 		return nil, err
 	}
-	idp, err := s.query.IDPTemplateByID(ctx, true, req.Id, false, instanceIDQuery)
+	idp, err := s.query.IDPTemplateByID(ctx, true, req.Id, false, nil, instanceIDQuery)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/idp/v2/query.go

@@ -0,0 +1,369 @@
+package idp
+
+import (
+	"context"
+
+	"github.com/crewjam/saml"
+	"github.com/muhlemmer/gu"
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/idp/providers/azuread"
+	"github.com/zitadel/zitadel/internal/query"
+	idp_rp "github.com/zitadel/zitadel/internal/repository/idp"
+	idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp/v2"
+)
+
+func (s *Server) GetIDPByID(ctx context.Context, req *idp_pb.GetIDPByIDRequest) (*idp_pb.GetIDPByIDResponse, error) {
+	idp, err := s.query.IDPTemplateByID(ctx, true, req.Id, false, s.checkPermission)
+	if err != nil {
+		return nil, err
+	}
+	return &idp_pb.GetIDPByIDResponse{Idp: idpToPb(idp)}, nil
+}
+
+func idpToPb(idp *query.IDPTemplate) *idp_pb.IDP {
+	return &idp_pb.IDP{
+		Id: idp.ID,
+		Details: object.DomainToDetailsPb(
+			&domain.ObjectDetails{
+				Sequence:      idp.Sequence,
+				EventDate:     idp.ChangeDate,
+				ResourceOwner: idp.ResourceOwner,
+			}),
+		State:  idpStateToPb(idp.State),
+		Name:   idp.Name,
+		Type:   idpTypeToPb(idp.Type),
+		Config: configToPb(idp),
+	}
+}
+
+func idpStateToPb(state domain.IDPState) idp_pb.IDPState {
+	switch state {
+	case domain.IDPStateActive:
+		return idp_pb.IDPState_IDP_STATE_ACTIVE
+	case domain.IDPStateInactive:
+		return idp_pb.IDPState_IDP_STATE_INACTIVE
+	case domain.IDPStateUnspecified:
+		return idp_pb.IDPState_IDP_STATE_UNSPECIFIED
+	case domain.IDPStateMigrated:
+		return idp_pb.IDPState_IDP_STATE_MIGRATED
+	case domain.IDPStateRemoved:
+		return idp_pb.IDPState_IDP_STATE_REMOVED
+	default:
+		return idp_pb.IDPState_IDP_STATE_UNSPECIFIED
+	}
+}
+
+func idpTypeToPb(idpType domain.IDPType) idp_pb.IDPType {
+	switch idpType {
+	case domain.IDPTypeOIDC:
+		return idp_pb.IDPType_IDP_TYPE_OIDC
+	case domain.IDPTypeJWT:
+		return idp_pb.IDPType_IDP_TYPE_JWT
+	case domain.IDPTypeOAuth:
+		return idp_pb.IDPType_IDP_TYPE_OAUTH
+	case domain.IDPTypeLDAP:
+		return idp_pb.IDPType_IDP_TYPE_LDAP
+	case domain.IDPTypeAzureAD:
+		return idp_pb.IDPType_IDP_TYPE_AZURE_AD
+	case domain.IDPTypeGitHub:
+		return idp_pb.IDPType_IDP_TYPE_GITHUB
+	case domain.IDPTypeGitHubEnterprise:
+		return idp_pb.IDPType_IDP_TYPE_GITHUB_ES
+	case domain.IDPTypeGitLab:
+		return idp_pb.IDPType_IDP_TYPE_GITLAB
+	case domain.IDPTypeGitLabSelfHosted:
+		return idp_pb.IDPType_IDP_TYPE_GITLAB_SELF_HOSTED
+	case domain.IDPTypeGoogle:
+		return idp_pb.IDPType_IDP_TYPE_GOOGLE
+	case domain.IDPTypeApple:
+		return idp_pb.IDPType_IDP_TYPE_APPLE
+	case domain.IDPTypeSAML:
+		return idp_pb.IDPType_IDP_TYPE_SAML
+	case domain.IDPTypeUnspecified:
+		return idp_pb.IDPType_IDP_TYPE_UNSPECIFIED
+	default:
+		return idp_pb.IDPType_IDP_TYPE_UNSPECIFIED
+	}
+}
+
+func configToPb(config *query.IDPTemplate) *idp_pb.IDPConfig {
+	idpConfig := &idp_pb.IDPConfig{
+		Options: &idp_pb.Options{
+			IsLinkingAllowed:  config.IsLinkingAllowed,
+			IsCreationAllowed: config.IsCreationAllowed,
+			IsAutoCreation:    config.IsAutoCreation,
+			IsAutoUpdate:      config.IsAutoUpdate,
+			AutoLinking:       autoLinkingOptionToPb(config.AutoLinking),
+		},
+	}
+	if config.OAuthIDPTemplate != nil {
+		oauthConfigToPb(idpConfig, config.OAuthIDPTemplate)
+		return idpConfig
+	}
+	if config.OIDCIDPTemplate != nil {
+		oidcConfigToPb(idpConfig, config.OIDCIDPTemplate)
+		return idpConfig
+	}
+	if config.JWTIDPTemplate != nil {
+		jwtConfigToPb(idpConfig, config.JWTIDPTemplate)
+		return idpConfig
+	}
+	if config.AzureADIDPTemplate != nil {
+		azureConfigToPb(idpConfig, config.AzureADIDPTemplate)
+		return idpConfig
+	}
+	if config.GitHubIDPTemplate != nil {
+		githubConfigToPb(idpConfig, config.GitHubIDPTemplate)
+		return idpConfig
+	}
+	if config.GitHubEnterpriseIDPTemplate != nil {
+		githubEnterpriseConfigToPb(idpConfig, config.GitHubEnterpriseIDPTemplate)
+		return idpConfig
+	}
+	if config.GitLabIDPTemplate != nil {
+		gitlabConfigToPb(idpConfig, config.GitLabIDPTemplate)
+		return idpConfig
+	}
+	if config.GitLabSelfHostedIDPTemplate != nil {
+		gitlabSelfHostedConfigToPb(idpConfig, config.GitLabSelfHostedIDPTemplate)
+		return idpConfig
+	}
+	if config.GoogleIDPTemplate != nil {
+		googleConfigToPb(idpConfig, config.GoogleIDPTemplate)
+		return idpConfig
+	}
+	if config.LDAPIDPTemplate != nil {
+		ldapConfigToPb(idpConfig, config.LDAPIDPTemplate)
+		return idpConfig
+	}
+	if config.AppleIDPTemplate != nil {
+		appleConfigToPb(idpConfig, config.AppleIDPTemplate)
+		return idpConfig
+	}
+	if config.SAMLIDPTemplate != nil {
+		samlConfigToPb(idpConfig, config.SAMLIDPTemplate)
+		return idpConfig
+	}
+	return idpConfig
+}
+
+func autoLinkingOptionToPb(linking domain.AutoLinkingOption) idp_pb.AutoLinkingOption {
+	switch linking {
+	case domain.AutoLinkingOptionUnspecified:
+		return idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED
+	case domain.AutoLinkingOptionUsername:
+		return idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME
+	case domain.AutoLinkingOptionEmail:
+		return idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_EMAIL
+	default:
+		return idp_pb.AutoLinkingOption_AUTO_LINKING_OPTION_UNSPECIFIED
+	}
+}
+
+func oauthConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.OAuthIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_Oauth{
+		Oauth: &idp_pb.OAuthConfig{
+			ClientId:              template.ClientID,
+			AuthorizationEndpoint: template.AuthorizationEndpoint,
+			TokenEndpoint:         template.TokenEndpoint,
+			UserEndpoint:          template.UserEndpoint,
+			Scopes:                template.Scopes,
+			IdAttribute:           template.IDAttribute,
+		},
+	}
+}
+
+func oidcConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.OIDCIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_Oidc{
+		Oidc: &idp_pb.GenericOIDCConfig{
+			ClientId:         template.ClientID,
+			Issuer:           template.Issuer,
+			Scopes:           template.Scopes,
+			IsIdTokenMapping: template.IsIDTokenMapping,
+		},
+	}
+}
+
+func jwtConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.JWTIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_Jwt{
+		Jwt: &idp_pb.JWTConfig{
+			JwtEndpoint:  template.Endpoint,
+			Issuer:       template.Issuer,
+			KeysEndpoint: template.KeysEndpoint,
+			HeaderName:   template.HeaderName,
+		},
+	}
+}
+
+func azureConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.AzureADIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_AzureAd{
+		AzureAd: &idp_pb.AzureADConfig{
+			ClientId:      template.ClientID,
+			Tenant:        azureTenantToPb(template.Tenant),
+			EmailVerified: template.IsEmailVerified,
+			Scopes:        template.Scopes,
+		},
+	}
+}
+
+func azureTenantToPb(tenant string) *idp_pb.AzureADTenant {
+	var tenantType idp_pb.IsAzureADTenantType
+	switch azuread.TenantType(tenant) {
+	case azuread.CommonTenant:
+		tenantType = &idp_pb.AzureADTenant_TenantType{TenantType: idp_pb.AzureADTenantType_AZURE_AD_TENANT_TYPE_COMMON}
+	case azuread.OrganizationsTenant:
+		tenantType = &idp_pb.AzureADTenant_TenantType{TenantType: idp_pb.AzureADTenantType_AZURE_AD_TENANT_TYPE_ORGANISATIONS}
+	case azuread.ConsumersTenant:
+		tenantType = &idp_pb.AzureADTenant_TenantType{TenantType: idp_pb.AzureADTenantType_AZURE_AD_TENANT_TYPE_CONSUMERS}
+	default:
+		tenantType = &idp_pb.AzureADTenant_TenantId{TenantId: tenant}
+	}
+	return &idp_pb.AzureADTenant{Type: tenantType}
+}
+
+func githubConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.GitHubIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_Github{
+		Github: &idp_pb.GitHubConfig{
+			ClientId: template.ClientID,
+			Scopes:   template.Scopes,
+		},
+	}
+}
+
+func githubEnterpriseConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.GitHubEnterpriseIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_GithubEs{
+		GithubEs: &idp_pb.GitHubEnterpriseServerConfig{
+			ClientId:              template.ClientID,
+			AuthorizationEndpoint: template.AuthorizationEndpoint,
+			TokenEndpoint:         template.TokenEndpoint,
+			UserEndpoint:          template.UserEndpoint,
+			Scopes:                template.Scopes,
+		},
+	}
+}
+
+func gitlabConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.GitLabIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_Gitlab{
+		Gitlab: &idp_pb.GitLabConfig{
+			ClientId: template.ClientID,
+			Scopes:   template.Scopes,
+		},
+	}
+}
+
+func gitlabSelfHostedConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.GitLabSelfHostedIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_GitlabSelfHosted{
+		GitlabSelfHosted: &idp_pb.GitLabSelfHostedConfig{
+			ClientId: template.ClientID,
+			Issuer:   template.Issuer,
+			Scopes:   template.Scopes,
+		},
+	}
+}
+
+func googleConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.GoogleIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_Google{
+		Google: &idp_pb.GoogleConfig{
+			ClientId: template.ClientID,
+			Scopes:   template.Scopes,
+		},
+	}
+}
+
+func ldapConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.LDAPIDPTemplate) {
+	var timeout *durationpb.Duration
+	if template.Timeout != 0 {
+		timeout = durationpb.New(template.Timeout)
+	}
+	idpConfig.Config = &idp_pb.IDPConfig_Ldap{
+		Ldap: &idp_pb.LDAPConfig{
+			Servers:           template.Servers,
+			StartTls:          template.StartTLS,
+			BaseDn:            template.BaseDN,
+			BindDn:            template.BindDN,
+			UserBase:          template.UserBase,
+			UserObjectClasses: template.UserObjectClasses,
+			UserFilters:       template.UserFilters,
+			Timeout:           timeout,
+			Attributes:        ldapAttributesToPb(template.LDAPAttributes),
+		},
+	}
+}
+
+func ldapAttributesToPb(attributes idp_rp.LDAPAttributes) *idp_pb.LDAPAttributes {
+	return &idp_pb.LDAPAttributes{
+		IdAttribute:                attributes.IDAttribute,
+		FirstNameAttribute:         attributes.FirstNameAttribute,
+		LastNameAttribute:          attributes.LastNameAttribute,
+		DisplayNameAttribute:       attributes.DisplayNameAttribute,
+		NickNameAttribute:          attributes.NickNameAttribute,
+		PreferredUsernameAttribute: attributes.PreferredUsernameAttribute,
+		EmailAttribute:             attributes.EmailAttribute,
+		EmailVerifiedAttribute:     attributes.EmailVerifiedAttribute,
+		PhoneAttribute:             attributes.PhoneAttribute,
+		PhoneVerifiedAttribute:     attributes.PhoneVerifiedAttribute,
+		PreferredLanguageAttribute: attributes.PreferredLanguageAttribute,
+		AvatarUrlAttribute:         attributes.AvatarURLAttribute,
+		ProfileAttribute:           attributes.ProfileAttribute,
+	}
+}
+
+func appleConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.AppleIDPTemplate) {
+	idpConfig.Config = &idp_pb.IDPConfig_Apple{
+		Apple: &idp_pb.AppleConfig{
+			ClientId: template.ClientID,
+			TeamId:   template.TeamID,
+			KeyId:    template.KeyID,
+			Scopes:   template.Scopes,
+		},
+	}
+}
+
+func samlConfigToPb(idpConfig *idp_pb.IDPConfig, template *query.SAMLIDPTemplate) {
+	nameIDFormat := idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_PERSISTENT
+	if template.NameIDFormat.Valid {
+		nameIDFormat = nameIDToPb(template.NameIDFormat.V)
+	}
+	idpConfig.Config = &idp_pb.IDPConfig_Saml{
+		Saml: &idp_pb.SAMLConfig{
+			MetadataXml:                   template.Metadata,
+			Binding:                       bindingToPb(template.Binding),
+			WithSignedRequest:             template.WithSignedRequest,
+			NameIdFormat:                  nameIDFormat,
+			TransientMappingAttributeName: gu.Ptr(template.TransientMappingAttributeName),
+		},
+	}
+}
+
+func bindingToPb(binding string) idp_pb.SAMLBinding {
+	switch binding {
+	case "":
+		return idp_pb.SAMLBinding_SAML_BINDING_UNSPECIFIED
+	case saml.HTTPPostBinding:
+		return idp_pb.SAMLBinding_SAML_BINDING_POST
+	case saml.HTTPRedirectBinding:
+		return idp_pb.SAMLBinding_SAML_BINDING_REDIRECT
+	case saml.HTTPArtifactBinding:
+		return idp_pb.SAMLBinding_SAML_BINDING_ARTIFACT
+	default:
+		return idp_pb.SAMLBinding_SAML_BINDING_UNSPECIFIED
+	}
+}
+
+func nameIDToPb(format domain.SAMLNameIDFormat) idp_pb.SAMLNameIDFormat {
+	switch format {
+	case domain.SAMLNameIDFormatUnspecified:
+		return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_UNSPECIFIED
+	case domain.SAMLNameIDFormatEmailAddress:
+		return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_EMAIL_ADDRESS
+	case domain.SAMLNameIDFormatPersistent:
+		return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_PERSISTENT
+	case domain.SAMLNameIDFormatTransient:
+		return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_TRANSIENT
+	default:
+		return idp_pb.SAMLNameIDFormat_SAML_NAME_ID_FORMAT_UNSPECIFIED
+	}
+}

internal/api/grpc/idp/v2/query_integration_test.go

@@ -0,0 +1,235 @@
+//go:build integration
+
+package idp_test
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/idp/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/object/v2"
+)
+
+type idpAttr struct {
+	ID      string
+	Name    string
+	Details *object.Details
+}
+
+func TestServer_GetIDPByID(t *testing.T) {
+	type args struct {
+		ctx context.Context
+		req *idp.GetIDPByIDRequest
+		dep func(ctx context.Context, request *idp.GetIDPByIDRequest) *idpAttr
+	}
+	tests := []struct {
+		name    string
+		args    args
+		want    *idp.GetIDPByIDResponse
+		wantErr bool
+	}{
+		{
+			name: "idp by ID, no id provided",
+			args: args{
+				IamCTX,
+				&idp.GetIDPByIDRequest{
+					Id: "",
+				},
+				func(ctx context.Context, request *idp.GetIDPByIDRequest) *idpAttr {
+					return nil
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "idp by ID, not found",
+			args: args{
+				IamCTX,
+				&idp.GetIDPByIDRequest{
+					Id: "unknown",
+				},
+				func(ctx context.Context, request *idp.GetIDPByIDRequest) *idpAttr {
+					return nil
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "idp by ID, instance, ok",
+			args: args{
+				IamCTX,
+				&idp.GetIDPByIDRequest{},
+				func(ctx context.Context, request *idp.GetIDPByIDRequest) *idpAttr {
+					name := fmt.Sprintf("GetIDPByID%d", time.Now().UnixNano())
+					resp := Tester.AddGenericOAuthIDP(ctx, name)
+					request.Id = resp.Id
+					return &idpAttr{
+						resp.GetId(),
+						name,
+						&object.Details{
+							Sequence:      resp.Details.Sequence,
+							ChangeDate:    resp.Details.ChangeDate,
+							ResourceOwner: resp.Details.ResourceOwner,
+						}}
+				},
+			},
+			want: &idp.GetIDPByIDResponse{
+				Idp: &idp.IDP{
+					Details: &object.Details{
+						ChangeDate: timestamppb.Now(),
+					},
+					State: idp.IDPState_IDP_STATE_ACTIVE,
+					Type:  idp.IDPType_IDP_TYPE_OAUTH,
+					Config: &idp.IDPConfig{
+						Config: &idp.IDPConfig_Oauth{
+							Oauth: &idp.OAuthConfig{
+								ClientId:              "clientID",
+								AuthorizationEndpoint: "https://example.com/oauth/v2/authorize",
+								TokenEndpoint:         "https://example.com/oauth/v2/token",
+								UserEndpoint:          "https://api.example.com/user",
+								Scopes:                []string{"openid", "profile", "email"},
+								IdAttribute:           "id",
+							},
+						},
+						Options: &idp.Options{
+							IsLinkingAllowed:  true,
+							IsCreationAllowed: true,
+							IsAutoCreation:    true,
+							IsAutoUpdate:      true,
+							AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME,
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "idp by ID, instance, no permission",
+			args: args{
+				UserCTX,
+				&idp.GetIDPByIDRequest{},
+				func(ctx context.Context, request *idp.GetIDPByIDRequest) *idpAttr {
+					name := fmt.Sprintf("GetIDPByID%d", time.Now().UnixNano())
+					resp := Tester.AddGenericOAuthIDP(IamCTX, name)
+					request.Id = resp.Id
+					return &idpAttr{
+						resp.GetId(),
+						name,
+						&object.Details{
+							Sequence:      resp.Details.Sequence,
+							ChangeDate:    resp.Details.ChangeDate,
+							ResourceOwner: resp.Details.ResourceOwner,
+						}}
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "idp by ID, org, ok",
+			args: args{
+				CTX,
+				&idp.GetIDPByIDRequest{},
+				func(ctx context.Context, request *idp.GetIDPByIDRequest) *idpAttr {
+					name := fmt.Sprintf("GetIDPByID%d", time.Now().UnixNano())
+					resp := Tester.AddOrgGenericOAuthIDP(ctx, name)
+					request.Id = resp.Id
+					return &idpAttr{
+						resp.GetId(),
+						name,
+						&object.Details{
+							Sequence:      resp.Details.Sequence,
+							ChangeDate:    resp.Details.ChangeDate,
+							ResourceOwner: resp.Details.ResourceOwner,
+						}}
+				},
+			},
+			want: &idp.GetIDPByIDResponse{
+				Idp: &idp.IDP{
+					Details: &object.Details{
+						ChangeDate: timestamppb.Now(),
+					},
+					State: idp.IDPState_IDP_STATE_ACTIVE,
+					Type:  idp.IDPType_IDP_TYPE_OAUTH,
+					Config: &idp.IDPConfig{
+						Config: &idp.IDPConfig_Oauth{
+							Oauth: &idp.OAuthConfig{
+								ClientId:              "clientID",
+								AuthorizationEndpoint: "https://example.com/oauth/v2/authorize",
+								TokenEndpoint:         "https://example.com/oauth/v2/token",
+								UserEndpoint:          "https://api.example.com/user",
+								Scopes:                []string{"openid", "profile", "email"},
+								IdAttribute:           "id",
+							},
+						},
+						Options: &idp.Options{
+							IsLinkingAllowed:  true,
+							IsCreationAllowed: true,
+							IsAutoCreation:    true,
+							IsAutoUpdate:      true,
+							AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME,
+						},
+					},
+				},
+			},
+		},
+		{
+			name: "idp by ID, org, no permission",
+			args: args{
+				UserCTX,
+				&idp.GetIDPByIDRequest{},
+				func(ctx context.Context, request *idp.GetIDPByIDRequest) *idpAttr {
+					name := fmt.Sprintf("GetIDPByID%d", time.Now().UnixNano())
+					resp := Tester.AddOrgGenericOAuthIDP(CTX, name)
+					request.Id = resp.Id
+					return &idpAttr{
+						resp.GetId(),
+						name,
+						&object.Details{
+							Sequence:      resp.Details.Sequence,
+							ChangeDate:    resp.Details.ChangeDate,
+							ResourceOwner: resp.Details.ResourceOwner,
+						}}
+				},
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			idpAttr := tt.args.dep(tt.args.ctx, tt.args.req)
+			retryDuration := time.Minute
+			if ctxDeadline, ok := CTX.Deadline(); ok {
+				retryDuration = time.Until(ctxDeadline)
+			}
+			require.EventuallyWithT(t, func(ttt *assert.CollectT) {
+				got, getErr := Client.GetIDPByID(tt.args.ctx, tt.args.req)
+				assertErr := assert.NoError
+				if tt.wantErr {
+					assertErr = assert.Error
+				}
+				assertErr(ttt, getErr)
+				if getErr != nil {
+					return
+				}
+
+				// set provided info from creation
+				tt.want.Idp.Details = idpAttr.Details
+				tt.want.Idp.Name = idpAttr.Name
+				tt.want.Idp.Id = idpAttr.ID
+
+				// first check for details, mgmt and admin api don't fill the details correctly
+				integration.AssertDetails(t, tt.want.Idp, got.Idp)
+				// then set details
+				tt.want.Idp.Details = got.Idp.Details
+				// to check the rest of the content
+				assert.Equal(ttt, tt.want.Idp, got.Idp)
+			}, retryDuration, time.Second)
+		})
+	}
+}

internal/api/grpc/idp/v2/server.go

@@ -0,0 +1,56 @@
+package idp
+
+import (
+	"google.golang.org/grpc"
+
+	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/grpc/server"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/pkg/grpc/idp/v2"
+)
+
+var _ idp.IdentityProviderServiceServer = (*Server)(nil)
+
+type Server struct {
+	idp.UnimplementedIdentityProviderServiceServer
+	command *command.Commands
+	query   *query.Queries
+
+	checkPermission domain.PermissionCheck
+}
+
+type Config struct{}
+
+func CreateServer(
+	command *command.Commands,
+	query *query.Queries,
+	checkPermission domain.PermissionCheck,
+) *Server {
+	return &Server{
+		command:         command,
+		query:           query,
+		checkPermission: checkPermission,
+	}
+}
+
+func (s *Server) RegisterServer(grpcServer *grpc.Server) {
+	idp.RegisterIdentityProviderServiceServer(grpcServer, s)
+}
+
+func (s *Server) AppName() string {
+	return idp.IdentityProviderService_ServiceDesc.ServiceName
+}
+
+func (s *Server) MethodPrefix() string {
+	return idp.IdentityProviderService_ServiceDesc.ServiceName
+}
+
+func (s *Server) AuthMethods() authz.MethodMapping {
+	return idp.IdentityProviderService_AuthMethods
+}
+
+func (s *Server) RegisterGateway() server.RegisterGatewayFunc {
+	return idp.RegisterIdentityProviderServiceHandler
+}

internal/api/grpc/idp/v2/server_integration_test.go

@@ -0,0 +1,40 @@
+//go:build integration
+
+package idp_test
+
+import (
+	"context"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/zitadel/zitadel/internal/integration"
+	idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp/v2"
+)
+
+var (
+	CTX       context.Context
+	IamCTX    context.Context
+	UserCTX   context.Context
+	SystemCTX context.Context
+	ErrCTX    context.Context
+	Tester    *integration.Tester
+	Client    idp_pb.IdentityProviderServiceClient
+)
+
+func TestMain(m *testing.M) {
+	os.Exit(func() int {
+		ctx, errCtx, cancel := integration.Contexts(time.Hour)
+		defer cancel()
+
+		Tester = integration.NewTester(ctx)
+		defer Tester.Done()
+
+		UserCTX = Tester.WithAuthorization(ctx, integration.Login)
+		IamCTX = Tester.WithAuthorization(ctx, integration.IAMOwner)
+		SystemCTX = Tester.WithAuthorization(ctx, integration.SystemUser)
+		CTX, ErrCTX = Tester.WithAuthorization(ctx, integration.OrgOwner), errCtx
+		Client = Tester.Client.IDPv2
+		return m.Run()
+	}())
+}

internal/api/grpc/management/idp.go

@@ -149,7 +149,7 @@ func (s *Server) GetProviderByID(ctx context.Context, req *mgmt_pb.GetProviderBy
 	if err != nil {
 		return nil, err
 	}
-	idp, err := s.query.IDPTemplateByID(ctx, true, req.Id, false, orgIDQuery)
+	idp, err := s.query.IDPTemplateByID(ctx, true, req.Id, false, nil, orgIDQuery)
 	if err != nil {
 		return nil, err
 	}

internal/api/ui/login/policy_handler.go

@@ -18,7 +18,7 @@ func (l *Login) getOrgDomainPolicy(r *http.Request, orgID string) (*query.Domain
 }
 
 func (l *Login) getIDPByID(r *http.Request, id string) (*query.IDPTemplate, error) {
-	return l.query.IDPTemplateByID(r.Context(), false, id, false)
+	return l.query.IDPTemplateByID(r.Context(), false, id, false, nil)
 }
 
 func (l *Login) getLoginPolicy(r *http.Request, orgID string) (*query.LoginPolicy, error) {

internal/domain/permission.go

@@ -33,4 +33,6 @@ const (
 	PermissionUserCredentialWrite = "user.credential.write"
 	PermissionSessionWrite        = "session.write"
 	PermissionSessionDelete       = "session.delete"
+	PermissionIDPRead             = "iam.idp.read"
+	PermissionOrgIDPRead          = "org.idp.read"
 )

internal/integration/client.go

@@ -24,22 +24,24 @@ import (
 	"github.com/zitadel/zitadel/internal/idp/providers/ldap"
 	openid "github.com/zitadel/zitadel/internal/idp/providers/oidc"
 	"github.com/zitadel/zitadel/internal/idp/providers/saml"
-	"github.com/zitadel/zitadel/internal/repository/idp"
+	idp_rp "github.com/zitadel/zitadel/internal/repository/idp"
 	"github.com/zitadel/zitadel/pkg/grpc/admin"
 	"github.com/zitadel/zitadel/pkg/grpc/auth"
 	"github.com/zitadel/zitadel/pkg/grpc/feature/v2"
 	feature_v2beta "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta"
+	"github.com/zitadel/zitadel/pkg/grpc/idp"
+	idp_pb "github.com/zitadel/zitadel/pkg/grpc/idp/v2"
 	mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
-	object "github.com/zitadel/zitadel/pkg/grpc/object/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/object/v2"
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2"
 	oidc_pb_v2beta "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta"
-	org "github.com/zitadel/zitadel/pkg/grpc/org/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/org/v2"
 	org_v2beta "github.com/zitadel/zitadel/pkg/grpc/org/v2beta"
 	action "github.com/zitadel/zitadel/pkg/grpc/resources/action/v3alpha"
 	webkey_v3alpha "github.com/zitadel/zitadel/pkg/grpc/resources/webkey/v3alpha"
-	session "github.com/zitadel/zitadel/pkg/grpc/session/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/session/v2"
 	session_v2beta "github.com/zitadel/zitadel/pkg/grpc/session/v2beta"
-	settings "github.com/zitadel/zitadel/pkg/grpc/settings/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/settings/v2"
 	settings_v2beta "github.com/zitadel/zitadel/pkg/grpc/settings/v2beta"
 	"github.com/zitadel/zitadel/pkg/grpc/system"
 	user_pb "github.com/zitadel/zitadel/pkg/grpc/user"
@@ -69,6 +71,7 @@ type Client struct {
 	FeatureV2      feature.FeatureServiceClient
 	UserSchemaV3   schema.UserSchemaServiceClient
 	WebKeyV3Alpha  webkey_v3alpha.ZITADELWebKeysClient
+	IDPv2          idp_pb.IdentityProviderServiceClient
 }
 
 func newClient(cc *grpc.ClientConn) Client {
@@ -93,6 +96,7 @@ func newClient(cc *grpc.ClientConn) Client {
 		FeatureV2:      feature.NewFeatureServiceClient(cc),
 		UserSchemaV3:   schema.NewUserSchemaServiceClient(cc),
 		WebKeyV3Alpha:  webkey_v3alpha.NewZITADELWebKeysClient(cc),
+		IDPv2:          idp_pb.NewIdentityProviderServiceClient(cc),
 	}
 }
 
@@ -367,6 +371,28 @@ func (s *Tester) SetUserPassword(ctx context.Context, userID, password string, c
 	return resp.GetDetails()
 }
 
+func (s *Tester) AddGenericOAuthIDP(ctx context.Context, name string) *admin.AddGenericOAuthProviderResponse {
+	resp, err := s.Client.Admin.AddGenericOAuthProvider(ctx, &admin.AddGenericOAuthProviderRequest{
+		Name:                  name,
+		ClientId:              "clientID",
+		ClientSecret:          "clientSecret",
+		AuthorizationEndpoint: "https://example.com/oauth/v2/authorize",
+		TokenEndpoint:         "https://example.com/oauth/v2/token",
+		UserEndpoint:          "https://api.example.com/user",
+		Scopes:                []string{"openid", "profile", "email"},
+		IdAttribute:           "id",
+		ProviderOptions: &idp.Options{
+			IsLinkingAllowed:  true,
+			IsCreationAllowed: true,
+			IsAutoCreation:    true,
+			IsAutoUpdate:      true,
+			AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME,
+		},
+	})
+	logging.OnError(err).Fatal("create generic OAuth idp")
+	return resp
+}
+
 func (s *Tester) AddGenericOAuthProvider(t *testing.T, ctx context.Context) string {
 	ctx = authz.WithInstance(ctx, s.Instance)
 	id, _, err := s.Commands.AddInstanceGenericOAuthProvider(ctx, command.GenericOAuthProvider{
@@ -378,7 +404,7 @@ func (s *Tester) AddGenericOAuthProvider(t *testing.T, ctx context.Context) stri
 		UserEndpoint:          "https://api.example.com/user",
 		Scopes:                []string{"openid", "profile", "email"},
 		IDAttribute:           "id",
-		IDPOptions: idp.Options{
+		IDPOptions: idp_rp.Options{
 			IsLinkingAllowed:  true,
 			IsCreationAllowed: true,
 			IsAutoCreation:    true,
@@ -389,6 +415,28 @@ func (s *Tester) AddGenericOAuthProvider(t *testing.T, ctx context.Context) stri
 	return id
 }
 
+func (s *Tester) AddOrgGenericOAuthIDP(ctx context.Context, name string) *mgmt.AddGenericOAuthProviderResponse {
+	resp, err := s.Client.Mgmt.AddGenericOAuthProvider(ctx, &mgmt.AddGenericOAuthProviderRequest{
+		Name:                  name,
+		ClientId:              "clientID",
+		ClientSecret:          "clientSecret",
+		AuthorizationEndpoint: "https://example.com/oauth/v2/authorize",
+		TokenEndpoint:         "https://example.com/oauth/v2/token",
+		UserEndpoint:          "https://api.example.com/user",
+		Scopes:                []string{"openid", "profile", "email"},
+		IdAttribute:           "id",
+		ProviderOptions: &idp.Options{
+			IsLinkingAllowed:  true,
+			IsCreationAllowed: true,
+			IsAutoCreation:    true,
+			IsAutoUpdate:      true,
+			AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME,
+		},
+	})
+	logging.OnError(err).Fatal("create generic OAuth idp")
+	return resp
+}
+
 func (s *Tester) AddOrgGenericOAuthProvider(t *testing.T, ctx context.Context, orgID string) string {
 	ctx = authz.WithInstance(ctx, s.Instance)
 	id, _, err := s.Commands.AddOrgGenericOAuthProvider(ctx, orgID,
@@ -401,7 +449,7 @@ func (s *Tester) AddOrgGenericOAuthProvider(t *testing.T, ctx context.Context, o
 			UserEndpoint:          "https://api.example.com/user",
 			Scopes:                []string{"openid", "profile", "email"},
 			IDAttribute:           "id",
-			IDPOptions: idp.Options{
+			IDPOptions: idp_rp.Options{
 				IsLinkingAllowed:  true,
 				IsCreationAllowed: true,
 				IsAutoCreation:    true,
@@ -417,7 +465,7 @@ func (s *Tester) AddSAMLProvider(t *testing.T, ctx context.Context) string {
 	id, _, err := s.Server.Commands.AddInstanceSAMLProvider(ctx, command.SAMLProvider{
 		Name:     "saml-idp",
 		Metadata: []byte("<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2023-09-16T09:00:32.986Z\" cacheDuration=\"PT48H\" entityID=\"http://localhost:8000/metadata\">\n  <IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <KeyDescriptor use=\"signing\">\n      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n        <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n          <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n        </X509Data>\n      </KeyInfo>\n    </KeyDescriptor>\n    <KeyDescriptor use=\"encryption\">\n      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n        <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n          <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n        </X509Data>\n      </KeyInfo>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod>\n    </KeyDescriptor>\n    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n    <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n    <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n  </IDPSSODescriptor>\n</EntityDescriptor>"),
-		IDPOptions: idp.Options{
+		IDPOptions: idp_rp.Options{
 			IsLinkingAllowed:  true,
 			IsCreationAllowed: true,
 			IsAutoCreation:    true,
@@ -435,7 +483,7 @@ func (s *Tester) AddSAMLRedirectProvider(t *testing.T, ctx context.Context, tran
 		Binding:                       "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
 		Metadata:                      []byte("<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2023-09-16T09:00:32.986Z\" cacheDuration=\"PT48H\" entityID=\"http://localhost:8000/metadata\">\n  <IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <KeyDescriptor use=\"signing\">\n      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n        <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n          <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n        </X509Data>\n      </KeyInfo>\n    </KeyDescriptor>\n    <KeyDescriptor use=\"encryption\">\n      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n        <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n          <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n        </X509Data>\n      </KeyInfo>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod>\n    </KeyDescriptor>\n    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n    <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n  </IDPSSODescriptor>\n</EntityDescriptor>"),
 		TransientMappingAttributeName: transientMappingAttributeName,
-		IDPOptions: idp.Options{
+		IDPOptions: idp_rp.Options{
 			IsLinkingAllowed:  true,
 			IsCreationAllowed: true,
 			IsAutoCreation:    true,
@@ -452,7 +500,7 @@ func (s *Tester) AddSAMLPostProvider(t *testing.T, ctx context.Context) string {
 		Name:     "saml-idp-post",
 		Binding:  "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
 		Metadata: []byte("<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" validUntil=\"2023-09-16T09:00:32.986Z\" cacheDuration=\"PT48H\" entityID=\"http://localhost:8000/metadata\">\n  <IDPSSODescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">\n    <KeyDescriptor use=\"signing\">\n      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n        <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n          <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n        </X509Data>\n      </KeyInfo>\n    </KeyDescriptor>\n    <KeyDescriptor use=\"encryption\">\n      <KeyInfo xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n        <X509Data xmlns=\"http://www.w3.org/2000/09/xmldsig#\">\n          <X509Certificate xmlns=\"http://www.w3.org/2000/09/xmldsig#\">MIIDBzCCAe+gAwIBAgIJAPr/Mrlc8EGhMA0GCSqGSIb3DQEBBQUAMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTAeFw0xNTEyMjgxOTE5NDVaFw0yNTEyMjUxOTE5NDVaMBoxGDAWBgNVBAMMD3d3dy5leGFtcGxlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANDoWzLos4LWxTn8Gyu2lEbl4WcelUbgLN5zYm4ron8Ahs+rvcsu2zkdD/s6jdGJI8WqJKhYK2u61ygnXgAZqC6ggtFPnBpizcDzjgND2g+aucSoUODHt67f0fQuAmupN/zp5MZysJ6IHLJnYLNpfJYk96lRz9ODnO1Mpqtr9PWxm+pz7nzq5F0vRepkgpcRxv6ufQBjlrFytccyEVdXrvFtkjXcnhVVNSR4kHuOOMS6D7pebSJ1mrCmshbD5SX1jXPBKFPAjozYX6PxqLxUx1Y4faFEf4MBBVcInyB4oURNB2s59hEEi2jq9izNE7EbEK6BY5sEhoCPl9m32zE6ljkCAwEAAaNQME4wHQYDVR0OBBYEFB9ZklC1Ork2zl56zg08ei7ss/+iMB8GA1UdIwQYMBaAFB9ZklC1Ork2zl56zg08ei7ss/+iMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBAAVoTSQ5pAirw8OR9FZ1bRSuTDhY9uxzl/OL7lUmsv2cMNeCB3BRZqm3mFt+cwN8GsH6f3uvNONIhgFpTGN5LEcXQz89zJEzB+qaHqmbFpHQl/sx2B8ezNgT/882H2IH00dXESEfy/+1gHg2pxjGnhRBN6el/gSaDiySIMKbilDrffuvxiCfbpPN0NRRiPJhd2ay9KuL/RxQRl1gl9cHaWiouWWba1bSBb2ZPhv2rPMUsFo98ntkGCObDX6Y1SpkqmoTbrsbGFsTG2DLxnvr4GdN1BSr0Uu/KV3adj47WkXVPeMYQti/bQmxQB8tRFhrw80qakTLUzreO96WzlBBMtY=</X509Certificate>\n        </X509Data>\n      </KeyInfo>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes128-cbc\"></EncryptionMethod>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes192-cbc\"></EncryptionMethod>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"></EncryptionMethod>\n      <EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\"></EncryptionMethod>\n    </KeyDescriptor>\n    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>\n    <SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"http://localhost:8000/sso\"></SingleSignOnService>\n  </IDPSSODescriptor>\n</EntityDescriptor>"),
-		IDPOptions: idp.Options{
+		IDPOptions: idp_rp.Options{
 			IsLinkingAllowed:  true,
 			IsCreationAllowed: true,
 			IsAutoCreation:    true,

internal/query/idp_template.go

@@ -712,8 +712,29 @@ var (
 	}
 )
 
-// IDPTemplateByID searches for the requested id
-func (q *Queries) IDPTemplateByID(ctx context.Context, shouldTriggerBulk bool, id string, withOwnerRemoved bool, queries ...SearchQuery) (template *IDPTemplate, err error) {
+// IDPTemplateByID searches for the requested id with permission check if necessary
+func (q *Queries) IDPTemplateByID(ctx context.Context, shouldTriggerBulk bool, id string, withOwnerRemoved bool, permissionCheck domain.PermissionCheck, queries ...SearchQuery) (template *IDPTemplate, err error) {
+	idp, err := q.idpTemplateByID(ctx, shouldTriggerBulk, id, withOwnerRemoved, queries...)
+	if err != nil {
+		return nil, err
+	}
+	if permissionCheck != nil {
+		switch idp.OwnerType {
+		case domain.IdentityProviderTypeSystem:
+			if err := permissionCheck(ctx, domain.PermissionIDPRead, idp.ResourceOwner, idp.ID); err != nil {
+				return nil, err
+			}
+		case domain.IdentityProviderTypeOrg:
+			if err := permissionCheck(ctx, domain.PermissionOrgIDPRead, idp.ResourceOwner, idp.ID); err != nil {
+				return nil, err
+			}
+		}
+	}
+	return idp, nil
+}
+
+// idpTemplateByID searches for the requested id
+func (q *Queries) idpTemplateByID(ctx context.Context, shouldTriggerBulk bool, id string, withOwnerRemoved bool, queries ...SearchQuery) (template *IDPTemplate, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()