feat: app handling compliance (#527)

* feat: check oidc compliance * fix: add tests * fix: add oidc config tests * fix: add oidc config tests user agent * fix: test oidc config compliance * fix: test oidc config compliance * fix: useragent implicit authmethod none * fix: merge master * feat: translate compliance problems * feat: check native app for custom url * fix: better compliance handling * fix: better compliance handling * feat: add odidc dev mode * fix: remove deprecated request fro management api * fix: oidc package version * fix: migration * fix: tests * fix: remove unused functions * fix: generate proto files * fix: native implicit and code none compliant * fix: create project * Update internal/project/model/oidc_config_test.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 04:07:31 +00:00 · 2020-08-10 09:34:56 +02:00
parent 64f0b191b5
commit 5699fe80d5
27 changed files with 15925 additions and 16502 deletions
--- a/internal/api/grpc/management/application.go
+++ b/internal/api/grpc/management/application.go
@@ -17,7 +17,7 @@ func (s *Server) SearchApplications(ctx context.Context, in *management.Applicat
 }

 func (s *Server) ApplicationByID(ctx context.Context, in *management.ApplicationID) (*management.ApplicationView, error) {
-	app, err := s.project.ApplicationByID(ctx, in.Id)
+	app, err := s.project.ApplicationByID(ctx, in.ProjectId, in.Id)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/management/application_converter.go
+++ b/internal/api/grpc/management/application_converter.go
@@ -52,6 +52,10 @@ func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
 		ClientSecret:           config.ClientSecretString,
 		AuthMethodType:         oidcAuthMethodTypeFromModel(config.AuthMethodType),
 		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+		Version:                oidcVersionFromModel(config.OIDCVersion),
+		NoneCompliant:          config.Compliance.NoneCompliant,
+		ComplianceProblems:     complianceProblemsToLocalizedMessages(config.Compliance.Problems),
+		DevMode:                config.DevMode,
 	}
 }

@@ -64,9 +68,22 @@ func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *manage
 		ClientId:               app.OIDCClientID,
 		AuthMethodType:         oidcAuthMethodTypeFromModel(app.OIDCAuthMethodType),
 		PostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+		Version:                oidcVersionFromModel(app.OIDCVersion),
+		NoneCompliant:          app.NoneCompliant,
+		ComplianceProblems:     complianceProblemsToLocalizedMessages(app.ComplianceProblems),
+		DevMode:                app.DevMode,
 	}
 }

+func complianceProblemsToLocalizedMessages(problems []string) []*message.LocalizedMessage {
+	converted := make([]*message.LocalizedMessage, len(problems))
+	for i, p := range problems {
+		converted[i] = message.NewLocalizedMessage(p)
+	}
+	return converted
+
+}
+
 func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.Application {
 	return &proj_model.Application{
 		ObjectRoot: models.ObjectRoot{
@@ -75,12 +92,14 @@ func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.App
 		Name: app.Name,
 		Type: proj_model.AppTypeOIDC,
 		OIDCConfig: &proj_model.OIDCConfig{
+			OIDCVersion:            oidcVersionToModel(app.Version),
 			RedirectUris:           app.RedirectUris,
 			ResponseTypes:          oidcResponseTypesToModel(app.ResponseTypes),
 			GrantTypes:             oidcGrantTypesToModel(app.GrantTypes),
 			ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
 			AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
 			PostLogoutRedirectUris: app.PostLogoutRedirectUris,
+			DevMode:                app.DevMode,
 		},
 	}
 }
@@ -107,6 +126,7 @@ func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCC
 		ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
 		AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
 		PostLogoutRedirectUris: app.PostLogoutRedirectUris,
+		DevMode:                app.DevMode,
 	}
 }

@@ -284,6 +304,14 @@ func oidcApplicationTypeToModel(appType management.OIDCApplicationType) proj_mod
 	return proj_model.OIDCApplicationTypeWeb
 }

+func oidcVersionToModel(version management.OIDCVersion) proj_model.OIDCVersion {
+	switch version {
+	case management.OIDCVersion_OIDCV1_0:
+		return proj_model.OIDCVersionV1
+	}
+	return proj_model.OIDCVersionV1
+}
+
 func oidcApplicationTypeFromModel(appType proj_model.OIDCApplicationType) management.OIDCApplicationType {
 	switch appType {
 	case proj_model.OIDCApplicationTypeWeb:
@@ -323,6 +351,15 @@ func oidcAuthMethodTypeFromModel(authType proj_model.OIDCAuthMethodType) managem
 	}
 }

+func oidcVersionFromModel(version proj_model.OIDCVersion) management.OIDCVersion {
+	switch version {
+	case proj_model.OIDCVersionV1:
+		return management.OIDCVersion_OIDCV1_0
+	default:
+		return management.OIDCVersion_OIDCV1_0
+	}
+}
+
 func appChangesToResponse(response *proj_model.ApplicationChanges, offset uint64, limit uint64) (_ *management.Changes) {
 	return &management.Changes{
 		Limit:   limit,
--- a/internal/api/grpc/management/user_grant.go
+++ b/internal/api/grpc/management/user_grant.go
@@ -67,107 +67,3 @@ func (s *Server) BulkRemoveUserGrant(ctx context.Context, in *management.UserGra
 	err := s.usergrant.BulkRemoveUserGrant(ctx, userGrantRemoveBulkToModel(in)...)
 	return &empty.Empty{}, err
 }
-
-func (s *Server) SearchProjectUserGrants(ctx context.Context, in *management.ProjectUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
-	request := projectUserGrantSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
-	request.AppendProjectIDQuery(in.ProjectId)
-	response, err := s.usergrant.SearchUserGrants(ctx, request)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantSearchResponseFromModel(response), nil
-}
-
-func (s *Server) ProjectUserGrantByID(ctx context.Context, request *management.ProjectUserGrantID) (*management.UserGrantView, error) {
-	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantViewFromModel(user), nil
-}
-
-func (s *Server) CreateProjectUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
-	user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-func (s *Server) UpdateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantUpdate) (*management.UserGrant, error) {
-	user, err := s.usergrant.ChangeUserGrant(ctx, projectUserGrantUpdateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) DeactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) ReactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) SearchProjectGrantUserGrants(ctx context.Context, in *management.ProjectGrantUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
-	grant, err := s.project.ProjectGrantByID(ctx, in.ProjectGrantId)
-	if err != nil {
-		return nil, err
-	}
-	request := projectGrantUserGrantSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
-	request.AppendProjectIDQuery(grant.ProjectID)
-	response, err := s.usergrant.SearchUserGrants(ctx, request)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantSearchResponseFromModel(response), nil
-}
-
-func (s *Server) ProjectGrantUserGrantByID(ctx context.Context, request *management.ProjectGrantUserGrantID) (*management.UserGrantView, error) {
-	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantViewFromModel(user), nil
-}
-
-func (s *Server) CreateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantCreate) (*management.UserGrant, error) {
-	user, err := s.usergrant.AddUserGrant(ctx, projectGrantUserGrantCreateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-func (s *Server) UpdateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantUpdate) (*management.UserGrant, error) {
-	user, err := s.usergrant.ChangeUserGrant(ctx, projectGrantUserGrantUpdateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) DeactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) ReactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
--- a/internal/api/grpc/management/user_grant_converter.go
+++ b/internal/api/grpc/management/user_grant_converter.go
@@ -69,29 +69,6 @@ func userGrantRemoveBulkToModel(u *management.UserGrantRemoveBulk) []string {
 	return ids
 }

-func projectUserGrantUpdateToModel(u *management.ProjectUserGrantUpdate) *grant_model.UserGrant {
-	return &grant_model.UserGrant{
-		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
-		RoleKeys:   u.RoleKeys,
-	}
-}
-
-func projectGrantUserGrantCreateToModel(u *management.ProjectGrantUserGrantCreate) *grant_model.UserGrant {
-	return &grant_model.UserGrant{
-		UserID:    u.UserId,
-		ProjectID: u.ProjectId,
-		RoleKeys:  u.RoleKeys,
-		GrantID:   u.ProjectGrantId,
-	}
-}
-
-func projectGrantUserGrantUpdateToModel(u *management.ProjectGrantUserGrantUpdate) *grant_model.UserGrant {
-	return &grant_model.UserGrant{
-		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
-		RoleKeys:   u.RoleKeys,
-	}
-}
-
 func userGrantSearchRequestsToModel(project *management.UserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
 	return &grant_model.UserGrantSearchRequest{
 		Offset:  project.Offset,
--- a/internal/api/oidc/client_converter.go
+++ b/internal/api/oidc/client_converter.go
@@ -1,6 +1,7 @@
 package oidc

 import (
+	"github.com/caos/oidc/pkg/oidc"
 	"time"

 	"github.com/caos/oidc/pkg/op"
@@ -27,7 +28,7 @@ func (c *Client) ApplicationType() op.ApplicationType {
 	return op.ApplicationType(c.OIDCApplicationType)
 }

-func (c *Client) GetAuthMethod() op.AuthMethod {
+func (c *Client) AuthMethod() op.AuthMethod {
 	return authMethodToOIDC(c.OIDCAuthMethodType)
 }

@@ -47,6 +48,14 @@ func (c *Client) PostLogoutRedirectURIs() []string {
 	return c.OIDCPostLogoutRedirectUris
 }

+func (c *Client) ResponseTypes() []oidc.ResponseType {
+	return responseTypesToOIDC(c.OIDCResponseTypes)
+}
+
+func (c *Client) DevMode() bool {
+	return c.ApplicationView.DevMode
+}
+
 func (c *Client) AccessTokenLifetime() time.Duration {
 	return c.defaultAccessTokenLifetime //PLANNED: impl from real client
 }
@@ -71,3 +80,24 @@ func authMethodToOIDC(authType model.OIDCAuthMethodType) op.AuthMethod {
 		return op.AuthMethodBasic
 	}
 }
+
+func responseTypesToOIDC(responseTypes []model.OIDCResponseType) []oidc.ResponseType {
+	oidcTypes := make([]oidc.ResponseType, len(responseTypes))
+	for i, t := range responseTypes {
+		oidcTypes[i] = responseTypeToOIDC(t)
+	}
+	return oidcTypes
+}
+
+func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
+	switch responseType {
+	case model.OIDCResponseTypeCode:
+		return oidc.ResponseTypeCode
+	case model.OIDCResponseTypeIDTokenToken:
+		return oidc.ResponseTypeIDToken
+	case model.OIDCResponseTypeIDToken:
+		return oidc.ResponseTypeIDTokenOnly
+	default:
+		return oidc.ResponseTypeCode
+	}
+}
--- a/internal/management/repository/eventsourcing/eventstore/project.go
+++ b/internal/management/repository/eventsourcing/eventstore/project.go
@@ -296,10 +296,31 @@ func (repo *ProjectRepo) ProjectChanges(ctx context.Context, id string, lastSequ
 	return changes, nil
 }

-func (repo *ProjectRepo) ApplicationByID(ctx context.Context, appID string) (*proj_model.ApplicationView, error) {
-	app, err := repo.View.ApplicationByID(appID)
-	if err != nil {
-		return nil, err
+func (repo *ProjectRepo) ApplicationByID(ctx context.Context, projectID, appID string) (*proj_model.ApplicationView, error) {
+	app, viewErr := repo.View.ApplicationByID(appID)
+	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
+		return nil, viewErr
+	}
+	if caos_errs.IsNotFound(viewErr) {
+		app = new(model.ApplicationView)
+	}
+
+	events, esErr := repo.ProjectEvents.ProjectEventsByID(ctx, projectID, app.Sequence)
+	if caos_errs.IsNotFound(viewErr) && len(events) == 0 {
+		return nil, caos_errs.ThrowNotFound(nil, "EVENT-Fshu8", "Errors.Application.NotFound")
+	}
+
+	if esErr != nil {
+		logging.Log("EVENT-SLCo9").WithError(viewErr).Debug("error retrieving new events")
+		return model.ApplicationViewToModel(app), nil
+	}
+
+	viewApp := *app
+	for _, event := range events {
+		err := app.AppendEvent(event)
+		if err != nil {
+			return model.ApplicationViewToModel(&viewApp), nil
+		}
 	}
 	return model.ApplicationViewToModel(app), nil
 }
--- a/internal/management/repository/project.go
+++ b/internal/management/repository/project.go
@@ -32,7 +32,7 @@ type ProjectRepository interface {
 	ProjectChanges(ctx context.Context, id string, lastSequence uint64, limit uint64, sortAscending bool) (*model.ProjectChanges, error)
 	BulkAddProjectRole(ctx context.Context, role []*model.ProjectRole) error

-	ApplicationByID(ctx context.Context, appID string) (*model.ApplicationView, error)
+	ApplicationByID(ctx context.Context, projectID, appID string) (*model.ApplicationView, error)
 	AddApplication(ctx context.Context, app *model.Application) (*model.Application, error)
 	ChangeApplication(ctx context.Context, app *model.Application) (*model.Application, error)
 	DeactivateApplication(ctx context.Context, projectID, appID string) (*model.Application, error)
--- a/internal/project/model/application_view.go
+++ b/internal/project/model/application_view.go
@@ -14,6 +14,7 @@ type ApplicationView struct {
 	State        AppState

 	IsOIDC                     bool
+	OIDCVersion                OIDCVersion
 	OIDCClientID               string
 	OIDCRedirectUris           []string
 	OIDCResponseTypes          []OIDCResponseType
@@ -21,6 +22,9 @@ type ApplicationView struct {
 	OIDCApplicationType        OIDCApplicationType
 	OIDCAuthMethodType         OIDCAuthMethodType
 	OIDCPostLogoutRedirectUris []string
+	NoneCompliant              bool
+	ComplianceProblems         []string
+	DevMode                    bool

 	Sequence uint64
 }
--- a/internal/project/model/oidc_config.go
+++ b/internal/project/model/oidc_config.go
@@ -12,6 +12,13 @@ import (
 	"github.com/caos/zitadel/internal/id"
 )

+const (
+	http           = "http://"
+	httpLocalhost  = "http://localhost:"
+	httpLocalhost2 = "http://localhost/"
+	https          = "https://"
+)
+
 type OIDCConfig struct {
 	es_models.ObjectRoot
 	AppID                  string
@@ -24,8 +31,17 @@ type OIDCConfig struct {
 	ApplicationType        OIDCApplicationType
 	AuthMethodType         OIDCAuthMethodType
 	PostLogoutRedirectUris []string
+	OIDCVersion            OIDCVersion
+	Compliance             *Compliance
+	DevMode                bool
 }

+type OIDCVersion int32
+
+const (
+	OIDCVersionV1 OIDCVersion = iota
+)
+
 type OIDCResponseType int32

 const (
@@ -58,10 +74,15 @@ const (
 	OIDCAuthMethodTypeNone
 )

+type Compliance struct {
+	NoneCompliant bool
+	Problems      []string
+}
+
 func (c *OIDCConfig) IsValid() bool {
 	grantTypes := c.getRequiredGrantTypes()
 	for _, grantType := range grantTypes {
-		ok := c.containsGrantType(grantType)
+		ok := containsOIDCGrantType(c.GrantTypes, grantType)
 		if !ok {
 			return false
 		}
@@ -97,6 +118,113 @@ func (c *OIDCConfig) GenerateNewClientSecret(generator crypto.Generator) (string
 	return stringSecret, nil
 }

+func (c *OIDCConfig) FillCompliance() {
+	c.Compliance = GetOIDCCompliance(c.OIDCVersion, c.ApplicationType, c.GrantTypes, c.ResponseTypes, c.AuthMethodType, c.RedirectUris)
+}
+
+func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	switch version {
+	case OIDCVersionV1:
+		return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
+	}
+	return nil
+}
+
+func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	compliance := &Compliance{NoneCompliant: false}
+	if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+		CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
+	} else {
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
+			CheckRedirectUrisImplicit(compliance, appType, redirectUris)
+		}
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+			CheckRedirectUrisCode(compliance, appType, redirectUris)
+		}
+	}
+
+	switch appType {
+	case OIDCApplicationTypeNative:
+		GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
+	case OIDCApplicationTypeUserAgent:
+		GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
+	}
+	if compliance.NoneCompliant {
+		compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
+	}
+	return compliance
+}
+
+func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
+	}
+}
+
+func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
+	}
+}
+
+func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
+	}
+}
+
+func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if urlContainsPrefix(redirectUris, http) {
+		if appType == OIDCApplicationTypeNative {
+			if !onlyLocalhostIsHttp(redirectUris) {
+				compliance.NoneCompliant = true
+				compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
+			}
+			return
+		}
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
+	}
+}
+
+func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
+	}
+	if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if !compliance.NoneCompliant {
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
+	}
+}
+
 func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
 	grantTypes := make([]OIDCGrantType, 0)
 	implicit := false
@@ -106,6 +234,7 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
 			grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
 		case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
 			if !implicit {
+				implicit = true
 				grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
 			}
 		}
@@ -113,11 +242,49 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
 	return grantTypes
 }

-func (c *OIDCConfig) containsGrantType(grantType OIDCGrantType) bool {
-	for _, t := range c.GrantTypes {
-		if t == grantType {
+func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
+	for _, gt := range grantTypes {
+		if gt == grantType {
 			return true
 		}
 	}
 	return false
 }
+
+func urlsAreHttps(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, https) {
+			return false
+		}
+	}
+	return true
+}
+
+func urlContainsPrefix(uris []string, prefix string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
+func containsCustom(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
+			return true
+		}
+	}
+	return false
+}
+
+func onlyLocalhostIsHttp(uris []string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, http) {
+			if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
+				return false
+			}
+		}
+	}
+	return true
+}
--- a/internal/project/model/oidc_config_test.go
+++ b/internal/project/model/oidc_config_test.go
@@ -0,0 +1,869 @@
+package model
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestGetOIDCC1Compliance(t *testing.T) {
+	type args struct {
+		appType      OIDCApplicationType
+		grantTypes   []OIDCGrantType
+		authMethod   OIDCAuthMethodType
+		redirectUris []string
+	}
+	type result struct {
+		noneCompliant      bool
+		complianceProblems []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result result
+	}{
+		{
+			name: "Native: codeflow custom redirect (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: codeflow http redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "Native: codeflow http://localhost redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "Native: codeflow http://localhost: redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "Native: codeflow https redirect (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: codeflow invalid authmethod type (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypePost,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Native.AuthMethodType.NotNone",
+				},
+			},
+		},
+		{
+			name: "Native: implicit custom redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Native: implicit http redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost",
+				},
+			},
+		},
+		{
+			name: "Native: implicit http://localhost redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: implicit http://localhost: redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: implicit https redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: implicit and code (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: implicit and code (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "Web: code https redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Web: code http redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Web: code custom redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
+				},
+			},
+		},
+		{
+			name: "Web: implicit https uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Web: implicit http redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Web: implicit custom redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Web: implicit http://localhost redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Web: implicit http://localhost: redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Web: implicit and code (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Web: implicit and code (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code https redirect (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "UserAgent: code http redirect (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code http:localhost redirect (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code http:localhost redirect (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code custom redirect (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code authmethod type not none (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypePost,
+				redirectUris: []string{
+					"https://zitadel.chauth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit https redirect (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "UserAgent: implicit http redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit custom redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit http://localhost redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit http://localhost: redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit auth method not none (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypePost,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit and code (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "UserAgent: implicit and code (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := GetOIDCV1Compliance(tt.args.appType, tt.args.grantTypes, tt.args.authMethod, tt.args.redirectUris)
+			if tt.result.noneCompliant != result.NoneCompliant {
+				t.Errorf("got wrong result nonecompliant: expected: %v, actual: %v ", tt.result.noneCompliant, result.NoneCompliant)
+			}
+			if tt.result.noneCompliant {
+				if len(tt.result.complianceProblems) != len(result.Problems) {
+					t.Errorf("got wrong result compliance problems len: expected: %v, actual: %v ", len(tt.result.complianceProblems), len(result.Problems))
+				}
+				if !reflect.DeepEqual(tt.result.complianceProblems, result.Problems) {
+					t.Errorf("got wrong result compliance problems: expected: %v, actual: %v ", tt.result.complianceProblems, result.Problems)
+				}
+			}
+		})
+	}
+}
+
+func TestGetRequiredGrantTypes(t *testing.T) {
+	type args struct {
+		oidcConfig OIDCConfig
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result []OIDCGrantType
+	}{
+		{
+			name: "oidc response type code",
+			args: args{
+				oidcConfig: OIDCConfig{
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
+				},
+			},
+			result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+		},
+		{
+			name: "oidc response type id_token",
+			args: args{
+				oidcConfig: OIDCConfig{
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken},
+				},
+			},
+			result: []OIDCGrantType{OIDCGrantTypeImplicit},
+		},
+		{
+			name: "oidc response type id_token and id_token token",
+			args: args{
+				oidcConfig: OIDCConfig{
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
+				},
+			},
+			result: []OIDCGrantType{OIDCGrantTypeImplicit},
+		},
+		{
+			name: "oidc response type code, id_token and id_token token",
+			args: args{
+				oidcConfig: OIDCConfig{
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
+				},
+			},
+			result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.args.oidcConfig.getRequiredGrantTypes()
+			if !reflect.DeepEqual(tt.result, result) {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func TestContainsOIDCGrantType(t *testing.T) {
+	type args struct {
+		grantTypes []OIDCGrantType
+		grantType  OIDCGrantType
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "contains grant type",
+			args: args{
+				grantTypes: []OIDCGrantType{
+					OIDCGrantTypeAuthorizationCode,
+					OIDCGrantTypeImplicit,
+				},
+				grantType: OIDCGrantTypeImplicit,
+			},
+			result: true,
+		},
+		{
+			name: "doesnt contain grant type",
+			args: args{
+				grantTypes: []OIDCGrantType{
+					OIDCGrantTypeAuthorizationCode,
+					OIDCGrantTypeRefreshToken,
+				},
+				grantType: OIDCGrantTypeImplicit,
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := containsOIDCGrantType(tt.args.grantTypes, tt.args.grantType)
+			if result != tt.result {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func TestUrlsAreHttps(t *testing.T) {
+	type args struct {
+		uris []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "only https uris",
+			args: args{
+				uris: []string{
+					"https://zitadel.ch",
+					"https://caos.ch",
+				},
+			},
+			result: true,
+		},
+		{
+			name: "http localhost uris",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://localhost",
+				},
+			},
+			result: false,
+		},
+		{
+			name: "http not localhsot",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://caos.ch",
+				},
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := urlsAreHttps(tt.args.uris)
+			if result != tt.result {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func TestOnlyLocalhostIsHttp(t *testing.T) {
+	type args struct {
+		uris []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+
+		{
+			name: "http not localhost",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://caos.ch",
+				},
+			},
+			result: false,
+		},
+		{
+			name: "http localhost/",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://localhost/auth/callback",
+				},
+			},
+			result: true,
+		},
+		{
+			name: "http not localhost:",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://localhost:9090",
+				},
+			},
+			result: true,
+		},
+		{
+			name: "http not localhost",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://localhost:9090",
+					"http://zitadel.ch",
+				},
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := onlyLocalhostIsHttp(tt.args.uris)
+			if result != tt.result {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
--- a/internal/project/repository/eventsourcing/eventstore.go
+++ b/internal/project/repository/eventsourcing/eventstore.go
@@ -534,6 +534,7 @@ func (es *ProjectEventstore) AddApplication(ctx context.Context, app *proj_model
 	if _, a := model.GetApplication(repoProject.Applications, app.AppID); a != nil {
 		converted := model.AppToModel(a)
 		converted.OIDCConfig.ClientSecretString = stringPw
+		converted.OIDCConfig.FillCompliance()
 		return converted, nil
 	}
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-GvPct", "Errors.Internal")
--- a/internal/project/repository/eventsourcing/model/oidc_config.go
+++ b/internal/project/repository/eventsourcing/model/oidc_config.go
@@ -11,6 +11,7 @@ import (

 type OIDCConfig struct {
 	es_models.ObjectRoot
+	Version                int32               `json:"oidcVersion,omitempty"`
 	AppID                  string              `json:"appId"`
 	ClientID               string              `json:"clientId,omitempty"`
 	ClientSecret           *crypto.CryptoValue `json:"clientSecret,omitempty"`
@@ -20,6 +21,7 @@ type OIDCConfig struct {
 	ApplicationType        int32               `json:"applicationType,omitempty"`
 	AuthMethodType         int32               `json:"authMethodType,omitempty"`
 	PostLogoutRedirectUris []string            `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                bool                `json:"devMode,omitempty"`
 }

 func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@@ -40,9 +42,15 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
 	if c.AuthMethodType != changed.AuthMethodType {
 		changes["authMethodType"] = changed.AuthMethodType
 	}
+	if c.Version != changed.Version {
+		changes["oidcVersion"] = changed.Version
+	}
 	if !reflect.DeepEqual(c.PostLogoutRedirectUris, changed.PostLogoutRedirectUris) {
 		changes["postLogoutRedirectUris"] = changed.PostLogoutRedirectUris
 	}
+	if c.DevMode != changed.DevMode {
+		changes["devMode"] = changed.DevMode
+	}
 	return changes
 }

@@ -58,6 +66,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 	return &OIDCConfig{
 		ObjectRoot:             config.ObjectRoot,
 		AppID:                  config.AppID,
+		Version:                int32(config.OIDCVersion),
 		ClientID:               config.ClientID,
 		ClientSecret:           config.ClientSecret,
 		RedirectUris:           config.RedirectUris,
@@ -66,6 +75,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 		ApplicationType:        int32(config.ApplicationType),
 		AuthMethodType:         int32(config.AuthMethodType),
 		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+		DevMode:                config.DevMode,
 	}
 }

@@ -78,9 +88,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 	for i, rt := range config.GrantTypes {
 		grantTypes[i] = model.OIDCGrantType(rt)
 	}
-	return &model.OIDCConfig{
+	oidcConfig := &model.OIDCConfig{
 		ObjectRoot:             config.ObjectRoot,
 		AppID:                  config.AppID,
+		OIDCVersion:            model.OIDCVersion(config.Version),
 		ClientID:               config.ClientID,
 		ClientSecret:           config.ClientSecret,
 		RedirectUris:           config.RedirectUris,
@@ -89,7 +100,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 		ApplicationType:        model.OIDCApplicationType(config.ApplicationType),
 		AuthMethodType:         model.OIDCAuthMethodType(config.AuthMethodType),
 		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+		DevMode:                config.DevMode,
 	}
+	oidcConfig.FillCompliance()
+	return oidcConfig
 }

 func (p *Project) appendAddOIDCConfigEvent(event *es_models.Event) error {
--- a/internal/project/repository/eventsourcing/project.go
+++ b/internal/project/repository/eventsourcing/project.go
@@ -2,6 +2,7 @@ package eventsourcing

 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"

 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
@@ -46,6 +47,7 @@ func ProjectCreateAggregate(aggCreator *es_models.AggregateCreator, project *mod
 		}
 		validationQuery := es_models.NewSearchQuery().
 			AggregateTypeFilter(model.ProjectAggregate).
+			ResourceOwnerFilter(authz.GetCtxData(ctx).OrgID).
 			EventTypesFilter(model.ProjectAdded, model.ProjectChanged, model.ProjectRemoved)

 		validation := addProjectValidation(project.Name)
--- a/internal/project/repository/view/model/application.go
+++ b/internal/project/repository/view/model/application.go
@@ -28,6 +28,7 @@ type ApplicationView struct {
 	State        int32     `json:"-" gorm:"column:app_state"`

 	IsOIDC                     bool           `json:"-" gorm:"column:is_oidc"`
+	OIDCVersion                int32          `json:"oidcVersion" gorm:"column:oidc_version"`
 	OIDCClientID               string         `json:"clientId" gorm:"column:oidc_client_id"`
 	OIDCRedirectUris           pq.StringArray `json:"redirectUris" gorm:"column:oidc_redirect_uris"`
 	OIDCResponseTypes          pq.Int64Array  `json:"responseTypes" gorm:"column:oidc_response_types"`
@@ -35,6 +36,9 @@ type ApplicationView struct {
 	OIDCApplicationType        int32          `json:"applicationType" gorm:"column:oidc_application_type"`
 	OIDCAuthMethodType         int32          `json:"authMethodType" gorm:"column:oidc_auth_method_type"`
 	OIDCPostLogoutRedirectUris pq.StringArray `json:"postLogoutRedirectUris" gorm:"column:oidc_post_logout_redirect_uris"`
+	NoneCompliant              bool           `json:"-" gorm:"column:none_compliant"`
+	ComplianceProblems         pq.StringArray `json:"-" gorm:"column:compliance_problems"`
+	DevMode                    bool           `json:"devMode" gorm:"column:dev_mode"`

 	Sequence uint64 `json:"-" gorm:"sequence"`
 }
@@ -57,6 +61,7 @@ func ApplicationViewFromModel(app *model.ApplicationView) *ApplicationView {
 		OIDCApplicationType:        int32(app.OIDCApplicationType),
 		OIDCAuthMethodType:         int32(app.OIDCAuthMethodType),
 		OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+		DevMode:                    app.DevMode,
 	}
 }

@@ -87,6 +92,7 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 		ChangeDate:   app.ChangeDate,

 		IsOIDC:                     app.IsOIDC,
+		OIDCVersion:                model.OIDCVersion(app.OIDCVersion),
 		OIDCClientID:               app.OIDCClientID,
 		OIDCRedirectUris:           app.OIDCRedirectUris,
 		OIDCResponseTypes:          OIDCResponseTypesToModel(app.OIDCResponseTypes),
@@ -94,6 +100,9 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 		OIDCApplicationType:        model.OIDCApplicationType(app.OIDCApplicationType),
 		OIDCAuthMethodType:         model.OIDCAuthMethodType(app.OIDCAuthMethodType),
 		OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+		NoneCompliant:              app.NoneCompliant,
+		ComplianceProblems:         app.ComplianceProblems,
+		DevMode:                    app.DevMode,
 	}
 }

@@ -132,9 +141,17 @@ func (a *ApplicationView) AppendEvent(event *models.Event) (err error) {
 	case es_model.OIDCConfigAdded:
 		a.IsOIDC = true
 		err = a.SetData(event)
+		if err != nil {
+			return err
+		}
+		a.setCompliance()
 	case es_model.OIDCConfigChanged,
 		es_model.ApplicationChanged:
 		err = a.SetData(event)
+		if err != nil {
+			return err
+		}
+		a.setCompliance()
 	case es_model.ApplicationDeactivated:
 		a.State = int32(model.AppStateInactive)
 	case es_model.ApplicationReactivated:
@@ -154,3 +171,9 @@ func (a *ApplicationView) SetData(event *models.Event) error {
 	}
 	return nil
 }
+
+func (a *ApplicationView) setCompliance() {
+	compliance := model.GetOIDCCompliance(model.OIDCVersion(a.OIDCVersion), model.OIDCApplicationType(a.OIDCApplicationType), OIDCGrantTypesToModel(a.OIDCGrantTypes), OIDCResponseTypesToModel(a.OIDCResponseTypes), model.OIDCAuthMethodType(a.OIDCAuthMethodType), a.OIDCPostLogoutRedirectUris)
+	a.NoneCompliant = compliance.NoneCompliant
+	a.ComplianceProblems = compliance.Problems
+}
--- a/internal/static/i18n/de.yaml
+++ b/internal/static/i18n/de.yaml
@@ -291,3 +291,24 @@ EventTypes:
      removed: ZITADEL Mitglied entfernt
  key_pair:
    added: Schlüsselpaar hinzugefügt
+Application:
+  OIDC:
+    V1:
+      NotCompliant: Deine Konfiguration ist nicht konform und weicht vom OIDC 1.0 Standard ab.
+      NotAllCombinationsAreAllowed: Die Konfiguration ist konform, jedoch werden nicht alle möglichen Kombinationen erlaubt.
+      Code:
+        RedirectUris:
+          HttpOnlyForWeb: Grant Type Code erlaubt http Redirect Uris nur für den Apptype Web.
+          CustomOnlyForNative: Grant Type Code erlaubt custom Redirect Uris nur für den Apptype Native. (z.B appname:// )
+      Implicit:
+        RedirectUris:
+          CustomNotAllowed: Grant Type Implicit erlaubt keine custom Redirect Uris.
+          HttpNotAllowed: Grant Type Implicit erlaubt keine http Redirect Uris.
+          NativeShouldBeHttpLocalhost: Grant Type Implicit erlaubt beim Apptype Native http nur mit localhost (http://localhost)
+          HttpLocalhostOnlyForNative: Http://localhost Redirect Uri ist nur für Native Applikationen erlaubt.
+      Native:
+        AuthMethodType:
+          NotNone: Bei Native Applikationen sollte der AuthMethodType none sein.
+      UserAgent:
+        AuthMethodType:
+          NotNone: Bei einem User Agent sollte der AuthMethodType none sein.
--- a/internal/static/i18n/en.yaml
+++ b/internal/static/i18n/en.yaml
@@ -291,3 +291,24 @@ EventTypes:
      removed: ZITADEL member removed
  key_pair:
    added: Key pair added
+Application:
+  OIDC:
+    V1:
+      NotCompliant: Your configuration is not compliant and differs from OIDC 1.0 standard.
+      NotAllCombinationsAreAllowed: Configuration is compliant, but not all possible combinations are allowed.
+      Code:
+        RedirectUris:
+          HttpOnlyForWeb: Grant type code only allowed http redirect uris for apptype web.
+          CustomOnlyForNative: Grant type code only allowes custom redirect uris for apptype native  (e.g appname:// )
+      Implicit:
+        RedirectUris:
+          CustomNotAllowed: Grant type implicit doesn't allow custom redirect uris
+          HttpNotAllowed: Grant tpye implicit doesn't allow http redirect uris
+          NativeShouldBeHttpLocalhost: Grant tpye implicit only allowed http://localhost for native apptype
+          HttpLocalhostOnlyForNative: Http://localhost redirect uri is only allowed for native applications.
+      Native:
+        AuthMethodType:
+          NotNone: Native applications should have authmethodtype none.
+      UserAgent:
+        AuthMethodType:
+          NotNone: User agent app should have authmethodtype none.