feat: specify login UI version on instance and apps (#9071)

# Which Problems Are Solved

To be able to migrate or test the new login UI, admins might want to
(temporarily) switch individual apps.
At a later point admin might want to make sure all applications use the
new login UI.

# How the Problems Are Solved

- Added an instance-level feature flag to require all apps to use the
new login and to provide an optional base URL.
- if the flag is enabled, all (OIDC) applications will automatically use
the v2 login.
  - if disabled, applications can decide based on their configuration
- Added an option on OIDC apps to use the new login UI and an optional
base url.
- Removed the requirement to use `x-zitadel-login-client` to be
redirected to the login V2 and retrieve created authrequest and link
them to SSO sessions.
- Added a new "IAM_LOGIN_CLIENT" role to allow management of users,
sessions, grants and more without `x-zitadel-login-client`.

# Additional Changes

None

# Additional Context

closes https://github.com/zitadel/zitadel/issues/8702
This commit is contained in:
Livio Spring
2024-12-19 10:37:46 +01:00
committed by GitHub
parent b5e92a6144
commit 50d2b26a28
89 changed files with 1670 additions and 321 deletions


@@ -69,7 +69,7 @@ func TestServer_SetContactEmail(t *testing.T) {
},
{
name: "email patch, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.SetContactEmailRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
@@ -412,7 +412,7 @@ func TestServer_VerifyContactEmail(t *testing.T) {
},
{
name: "email verify, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.VerifyContactEmailRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
@@ -601,7 +601,7 @@ func TestServer_ResendContactEmailCode(t *testing.T) {
},
{
name: "email resend, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.ResendContactEmailCodeRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
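Review bot: Switching the "no permission" cases from `integration.UserTypeLogin` to `integration.UserTypeNoPermission` removes the only assertion about what the login client may do on these contact-email endpoints without adding one that pins the new behaviour. If the login client is now expected to succeed here (the description's new IAM_LOGIN_CLIENT role suggests so, but the hunk does not show it), add a positive case per table, e.g. `name: "email patch, login client"` with `ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin)` and a success expectation, so the widened permission is tested rather than merely no longer tested. It is also worth a one-off check in the fixture that `UserTypeNoPermission` really carries no role grants; otherwise these negative cases pass regardless of the authorization logic. The expectation fields of each case and the enclosing test functions lie outside the hunks, so I could not confirm what is asserted downstream. The same applies to the phone-contact table in the next file.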


@@ -68,7 +68,7 @@ func TestServer_SetContactPhone(t *testing.T) {
},
{
name: "phone patch, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.SetContactPhoneRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
@@ -340,7 +340,7 @@ func TestServer_VerifyContactPhone(t *testing.T) {
},
{
name: "phone verify, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.VerifyContactPhoneRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
@@ -530,7 +530,7 @@ func TestServer_ResendContactPhoneCode(t *testing.T) {
},
{
name: "phone resend, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.ResendContactPhoneCodeRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()


@@ -94,7 +94,7 @@ func TestServer_CreateUser(t *testing.T) {
},
{
name: "user create, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
req: &user.CreateUserRequest{
Organization: &object.Organization{
Property: &object.Organization_OrgId{
@@ -294,7 +294,7 @@ func TestServer_PatchUser(t *testing.T) {
},
{
name: "user patch, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.PatchUserRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
@@ -734,7 +734,7 @@ func TestServer_DeleteUser(t *testing.T) {
},
{
name: "user delete, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.DeleteUserRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
@@ -950,7 +950,7 @@ func TestServer_LockUser(t *testing.T) {
},
{
name: "user lock, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.LockUserRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
@@ -1152,7 +1152,7 @@ func TestServer_UnlockUser(t *testing.T) {
},
{
name: "user unlock, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.UnlockUserRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
@@ -1333,7 +1333,7 @@ func TestServer_DeactivateUser(t *testing.T) {
},
{
name: "user deactivate, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.DeactivateUserRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
@@ -1535,7 +1535,7 @@ func TestServer_ActivateUser(t *testing.T) {
},
{
name: "user activate, no permission",
ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
dep: func(req *user.ActivateUserRequest) error {
userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
req.Id = userResp.GetDetails().GetId()
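Review bot: For the user delete, lock, unlock, deactivate and activate tables the denied actor is now `integration.UserTypeNoPermission` instead of the login client, so nothing in this file asserts either that the login client is permitted to perform these destructive operations or where its permission stops. If IAM_LOGIN_CLIENT is meant to cover them, each table should gain an explicit login-client case with the expected outcome, and ideally one instance-level operation the role must still be denied, so the boundary of the new role is pinned rather than implied. Consider also asserting that the `UserTypeNoPermission` fixture has no role grants, since the negative cases otherwise prove nothing about the authorization checks. The expectation fields of each case and the enclosing test functions are outside the hunks, so I could not confirm the success expectations.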