feat: app handling compliance (#527)

* feat: check oidc compliance

* fix: add tests

* fix: add oidc config tests

* fix: add oidc config tests user agent

* fix: test oidc config compliance

* fix: test oidc config compliance

* fix: useragent implicit authmethod none

* fix: merge master

* feat: translate compliance problems

* feat: check native app for custom url

* fix: better compliance handling

* fix: better compliance handling

* feat: add odidc dev mode

* fix: remove deprecated request fro management api

* fix: oidc package version

* fix: migration

* fix: tests

* fix: remove unused functions

* fix: generate proto files

* fix: native implicit and code none compliant

* fix: create project

* Update internal/project/model/oidc_config_test.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: tests

* Update internal/project/model/oidc_config.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* Update internal/project/model/oidc_config.go

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

* fix: tests

Co-authored-by: Livio Amstutz <livio.a@gmail.com>

console/src/app/services/project.service.ts

@@ -547,47 +547,6 @@ export class ProjectService {
         );
     }
 
-    // ********* */
-
-    public async SearchProjectUserGrants(
-        projectId: string,
-        offset: number,
-        limit: number,
-        queryList?: UserGrantSearchQuery[],
-    ): Promise<UserGrantSearchResponse> {
-        const req = new ProjectUserGrantSearchRequest();
-        req.setLimit(limit);
-        req.setOffset(offset);
-        req.setProjectId(projectId);
-        if (queryList) {
-            req.setQueriesList(queryList);
-        }
-        return await this.request(
-            c => c.searchProjectUserGrants,
-            req,
-            f => f,
-        );
-    }
-
-    public async CreateProjectUserGrant(
-        projectId: string,
-        userId: string,
-        roleKeysList: string[],
-    ): Promise<UserGrant> {
-        const req = new UserGrantCreate();
-        req.setProjectId(projectId);
-        req.setRoleKeysList(roleKeysList);
-        req.setUserId(userId);
-
-        return await this.request(
-            c => c.createProjectUserGrant,
-            req,
-            f => f,
-        );
-    }
-
-    // ********* */
-
     public async CreateOIDCApp(app: OIDCApplicationCreate.AsObject): Promise<Application> {
         const req = new OIDCApplicationCreate();
         req.setProjectId(app.projectId);

go.mod

@@ -16,13 +16,13 @@ require (
 	github.com/aws/aws-sdk-go v1.33.13 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc
 	github.com/caos/logging v0.0.2
-	github.com/caos/oidc v0.6.4
+	github.com/caos/oidc v0.7.0
 	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 	github.com/cockroachdb/cockroach-go/v2 v2.0.4
 	github.com/envoyproxy/protoc-gen-validate v0.4.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
-	github.com/golang/mock v1.4.3
+	github.com/golang/mock v1.4.4
 	github.com/golang/protobuf v1.4.2
 	github.com/google/go-cmp v0.5.1 // indirect
 	github.com/gorilla/csrf v1.7.0

go.sum

@@ -71,8 +71,8 @@ github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBW
 github.com/caos/logging v0.0.0-20191210002624-b3260f690a6a/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
 github.com/caos/logging v0.0.2 h1:ebg5C/HN0ludYR+WkvnFjwSExF4wvyiWPyWGcKMYsoo=
 github.com/caos/logging v0.0.2/go.mod h1:9LKiDE2ChuGv6CHYif/kiugrfEXu9AwDiFWSreX7Wp0=
-github.com/caos/oidc v0.6.4 h1:BrtKcK004kkJqTBLP73tZat3SXozYMxqZrQ7mDpx+nY=
+github.com/caos/oidc v0.7.0 h1:KmZ/sHBqBvfn2g8ExlBJEbQKGViJsKfxZsAXfMOkPZ0=
-github.com/caos/oidc v0.6.4/go.mod h1:f3bYdAHhN9WS3VxYgy5c9wgsiJ3qNrek1r7ktgHriDs=
+github.com/caos/oidc v0.7.0/go.mod h1:mnuSyFmv+WSuk2C/zps445xiMU9dW384/pV4WnIS8b0=
 github.com/census-instrumentation/opencensus-proto v0.2.1 h1:glEXhBS5PSLLv4IXzLA5yPRVX4bilULVyxxbrfOtDAk=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -140,6 +140,8 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt
 github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
 github.com/golang/mock v1.4.3 h1:GV+pQPG/EUUbkh47niozDcADz6go/dUwhVzdUQHIVRw=
 github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.4 h1:l75CXGRSwbaYNpl/Z2X1XIIAMSCquvXgpVZDhwEIJsc=
+github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

internal/api/grpc/management/application.go

@@ -17,7 +17,7 @@ func (s *Server) SearchApplications(ctx context.Context, in *management.Applicat
 }
 
 func (s *Server) ApplicationByID(ctx context.Context, in *management.ApplicationID) (*management.ApplicationView, error) {
-	app, err := s.project.ApplicationByID(ctx, in.Id)
+	app, err := s.project.ApplicationByID(ctx, in.ProjectId, in.Id)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/management/application_converter.go

@@ -52,6 +52,10 @@ func oidcConfigFromModel(config *proj_model.OIDCConfig) *management.OIDCConfig {
 		ClientSecret:           config.ClientSecretString,
 		AuthMethodType:         oidcAuthMethodTypeFromModel(config.AuthMethodType),
 		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+		Version:                oidcVersionFromModel(config.OIDCVersion),
+		NoneCompliant:          config.Compliance.NoneCompliant,
+		ComplianceProblems:     complianceProblemsToLocalizedMessages(config.Compliance.Problems),
+		DevMode:                config.DevMode,
 	}
 }
 
@@ -64,9 +68,22 @@ func oidcConfigFromApplicationViewModel(app *proj_model.ApplicationView) *manage
 		ClientId:               app.OIDCClientID,
 		AuthMethodType:         oidcAuthMethodTypeFromModel(app.OIDCAuthMethodType),
 		PostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+		Version:                oidcVersionFromModel(app.OIDCVersion),
+		NoneCompliant:          app.NoneCompliant,
+		ComplianceProblems:     complianceProblemsToLocalizedMessages(app.ComplianceProblems),
+		DevMode:                app.DevMode,
 	}
 }
 
+func complianceProblemsToLocalizedMessages(problems []string) []*message.LocalizedMessage {
+	converted := make([]*message.LocalizedMessage, len(problems))
+	for i, p := range problems {
+		converted[i] = message.NewLocalizedMessage(p)
+	}
+	return converted
+
+}
+
 func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.Application {
 	return &proj_model.Application{
 		ObjectRoot: models.ObjectRoot{
@@ -75,12 +92,14 @@ func oidcAppCreateToModel(app *management.OIDCApplicationCreate) *proj_model.App
 		Name: app.Name,
 		Type: proj_model.AppTypeOIDC,
 		OIDCConfig: &proj_model.OIDCConfig{
+			OIDCVersion:            oidcVersionToModel(app.Version),
 			RedirectUris:           app.RedirectUris,
 			ResponseTypes:          oidcResponseTypesToModel(app.ResponseTypes),
 			GrantTypes:             oidcGrantTypesToModel(app.GrantTypes),
 			ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
 			AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
 			PostLogoutRedirectUris: app.PostLogoutRedirectUris,
+			DevMode:                app.DevMode,
 		},
 	}
 }
@@ -107,6 +126,7 @@ func oidcConfigUpdateToModel(app *management.OIDCConfigUpdate) *proj_model.OIDCC
 		ApplicationType:        oidcApplicationTypeToModel(app.ApplicationType),
 		AuthMethodType:         oidcAuthMethodTypeToModel(app.AuthMethodType),
 		PostLogoutRedirectUris: app.PostLogoutRedirectUris,
+		DevMode:                app.DevMode,
 	}
 }
 
@@ -284,6 +304,14 @@ func oidcApplicationTypeToModel(appType management.OIDCApplicationType) proj_mod
 	return proj_model.OIDCApplicationTypeWeb
 }
 
+func oidcVersionToModel(version management.OIDCVersion) proj_model.OIDCVersion {
+	switch version {
+	case management.OIDCVersion_OIDCV1_0:
+		return proj_model.OIDCVersionV1
+	}
+	return proj_model.OIDCVersionV1
+}
+
 func oidcApplicationTypeFromModel(appType proj_model.OIDCApplicationType) management.OIDCApplicationType {
 	switch appType {
 	case proj_model.OIDCApplicationTypeWeb:
@@ -323,6 +351,15 @@ func oidcAuthMethodTypeFromModel(authType proj_model.OIDCAuthMethodType) managem
 	}
 }
 
+func oidcVersionFromModel(version proj_model.OIDCVersion) management.OIDCVersion {
+	switch version {
+	case proj_model.OIDCVersionV1:
+		return management.OIDCVersion_OIDCV1_0
+	default:
+		return management.OIDCVersion_OIDCV1_0
+	}
+}
+
 func appChangesToResponse(response *proj_model.ApplicationChanges, offset uint64, limit uint64) (_ *management.Changes) {
 	return &management.Changes{
 		Limit:   limit,

internal/api/grpc/management/user_grant.go

@@ -67,107 +67,3 @@ func (s *Server) BulkRemoveUserGrant(ctx context.Context, in *management.UserGra
 	err := s.usergrant.BulkRemoveUserGrant(ctx, userGrantRemoveBulkToModel(in)...)
 	return &empty.Empty{}, err
 }
-
-func (s *Server) SearchProjectUserGrants(ctx context.Context, in *management.ProjectUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
-	request := projectUserGrantSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
-	request.AppendProjectIDQuery(in.ProjectId)
-	response, err := s.usergrant.SearchUserGrants(ctx, request)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantSearchResponseFromModel(response), nil
-}
-
-func (s *Server) ProjectUserGrantByID(ctx context.Context, request *management.ProjectUserGrantID) (*management.UserGrantView, error) {
-	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantViewFromModel(user), nil
-}
-
-func (s *Server) CreateProjectUserGrant(ctx context.Context, in *management.UserGrantCreate) (*management.UserGrant, error) {
-	user, err := s.usergrant.AddUserGrant(ctx, userGrantCreateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-func (s *Server) UpdateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantUpdate) (*management.UserGrant, error) {
-	user, err := s.usergrant.ChangeUserGrant(ctx, projectUserGrantUpdateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) DeactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) ReactivateProjectUserGrant(ctx context.Context, in *management.ProjectUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) SearchProjectGrantUserGrants(ctx context.Context, in *management.ProjectGrantUserGrantSearchRequest) (*management.UserGrantSearchResponse, error) {
-	grant, err := s.project.ProjectGrantByID(ctx, in.ProjectGrantId)
-	if err != nil {
-		return nil, err
-	}
-	request := projectGrantUserGrantSearchRequestsToModel(in)
-	request.AppendMyOrgQuery(authz.GetCtxData(ctx).OrgID)
-	request.AppendProjectIDQuery(grant.ProjectID)
-	response, err := s.usergrant.SearchUserGrants(ctx, request)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantSearchResponseFromModel(response), nil
-}
-
-func (s *Server) ProjectGrantUserGrantByID(ctx context.Context, request *management.ProjectGrantUserGrantID) (*management.UserGrantView, error) {
-	user, err := s.usergrant.UserGrantByID(ctx, request.Id)
-	if err != nil {
-		return nil, err
-	}
-	return userGrantViewFromModel(user), nil
-}
-
-func (s *Server) CreateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantCreate) (*management.UserGrant, error) {
-	user, err := s.usergrant.AddUserGrant(ctx, projectGrantUserGrantCreateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-func (s *Server) UpdateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantUpdate) (*management.UserGrant, error) {
-	user, err := s.usergrant.ChangeUserGrant(ctx, projectGrantUserGrantUpdateToModel(in))
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) DeactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.DeactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}
-
-func (s *Server) ReactivateProjectGrantUserGrant(ctx context.Context, in *management.ProjectGrantUserGrantID) (*management.UserGrant, error) {
-	user, err := s.usergrant.ReactivateUserGrant(ctx, in.Id)
-	if err != nil {
-		return nil, err
-	}
-	return usergrantFromModel(user), nil
-}

internal/api/grpc/management/user_grant_converter.go

@@ -69,29 +69,6 @@ func userGrantRemoveBulkToModel(u *management.UserGrantRemoveBulk) []string {
 	return ids
 }
 
-func projectUserGrantUpdateToModel(u *management.ProjectUserGrantUpdate) *grant_model.UserGrant {
-	return &grant_model.UserGrant{
-		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
-		RoleKeys:   u.RoleKeys,
-	}
-}
-
-func projectGrantUserGrantCreateToModel(u *management.ProjectGrantUserGrantCreate) *grant_model.UserGrant {
-	return &grant_model.UserGrant{
-		UserID:    u.UserId,
-		ProjectID: u.ProjectId,
-		RoleKeys:  u.RoleKeys,
-		GrantID:   u.ProjectGrantId,
-	}
-}
-
-func projectGrantUserGrantUpdateToModel(u *management.ProjectGrantUserGrantUpdate) *grant_model.UserGrant {
-	return &grant_model.UserGrant{
-		ObjectRoot: models.ObjectRoot{AggregateID: u.Id},
-		RoleKeys:   u.RoleKeys,
-	}
-}
-
 func userGrantSearchRequestsToModel(project *management.UserGrantSearchRequest) *grant_model.UserGrantSearchRequest {
 	return &grant_model.UserGrantSearchRequest{
 		Offset:  project.Offset,

internal/api/oidc/client_converter.go

@@ -1,6 +1,7 @@
 package oidc
 
 import (
+	"github.com/caos/oidc/pkg/oidc"
 	"time"
 
 	"github.com/caos/oidc/pkg/op"
@@ -27,7 +28,7 @@ func (c *Client) ApplicationType() op.ApplicationType {
 	return op.ApplicationType(c.OIDCApplicationType)
 }
 
-func (c *Client) GetAuthMethod() op.AuthMethod {
+func (c *Client) AuthMethod() op.AuthMethod {
 	return authMethodToOIDC(c.OIDCAuthMethodType)
 }
 
@@ -47,6 +48,14 @@ func (c *Client) PostLogoutRedirectURIs() []string {
 	return c.OIDCPostLogoutRedirectUris
 }
 
+func (c *Client) ResponseTypes() []oidc.ResponseType {
+	return responseTypesToOIDC(c.OIDCResponseTypes)
+}
+
+func (c *Client) DevMode() bool {
+	return c.ApplicationView.DevMode
+}
+
 func (c *Client) AccessTokenLifetime() time.Duration {
 	return c.defaultAccessTokenLifetime //PLANNED: impl from real client
 }
@@ -71,3 +80,24 @@ func authMethodToOIDC(authType model.OIDCAuthMethodType) op.AuthMethod {
 		return op.AuthMethodBasic
 	}
 }
+
+func responseTypesToOIDC(responseTypes []model.OIDCResponseType) []oidc.ResponseType {
+	oidcTypes := make([]oidc.ResponseType, len(responseTypes))
+	for i, t := range responseTypes {
+		oidcTypes[i] = responseTypeToOIDC(t)
+	}
+	return oidcTypes
+}
+
+func responseTypeToOIDC(responseType model.OIDCResponseType) oidc.ResponseType {
+	switch responseType {
+	case model.OIDCResponseTypeCode:
+		return oidc.ResponseTypeCode
+	case model.OIDCResponseTypeIDTokenToken:
+		return oidc.ResponseTypeIDToken
+	case model.OIDCResponseTypeIDToken:
+		return oidc.ResponseTypeIDTokenOnly
+	default:
+		return oidc.ResponseTypeCode
+	}
+}

internal/management/repository/eventsourcing/eventstore/project.go

@@ -296,10 +296,31 @@ func (repo *ProjectRepo) ProjectChanges(ctx context.Context, id string, lastSequ
 	return changes, nil
 }
 
-func (repo *ProjectRepo) ApplicationByID(ctx context.Context, appID string) (*proj_model.ApplicationView, error) {
+func (repo *ProjectRepo) ApplicationByID(ctx context.Context, projectID, appID string) (*proj_model.ApplicationView, error) {
-	app, err := repo.View.ApplicationByID(appID)
+	app, viewErr := repo.View.ApplicationByID(appID)
-	if err != nil {
+	if viewErr != nil && !caos_errs.IsNotFound(viewErr) {
-		return nil, err
+		return nil, viewErr
+	}
+	if caos_errs.IsNotFound(viewErr) {
+		app = new(model.ApplicationView)
+	}
+
+	events, esErr := repo.ProjectEvents.ProjectEventsByID(ctx, projectID, app.Sequence)
+	if caos_errs.IsNotFound(viewErr) && len(events) == 0 {
+		return nil, caos_errs.ThrowNotFound(nil, "EVENT-Fshu8", "Errors.Application.NotFound")
+	}
+
+	if esErr != nil {
+		logging.Log("EVENT-SLCo9").WithError(viewErr).Debug("error retrieving new events")
+		return model.ApplicationViewToModel(app), nil
+	}
+
+	viewApp := *app
+	for _, event := range events {
+		err := app.AppendEvent(event)
+		if err != nil {
+			return model.ApplicationViewToModel(&viewApp), nil
+		}
 	}
 	return model.ApplicationViewToModel(app), nil
 }

internal/management/repository/project.go

@@ -32,7 +32,7 @@ type ProjectRepository interface {
 	ProjectChanges(ctx context.Context, id string, lastSequence uint64, limit uint64, sortAscending bool) (*model.ProjectChanges, error)
 	BulkAddProjectRole(ctx context.Context, role []*model.ProjectRole) error
 
-	ApplicationByID(ctx context.Context, appID string) (*model.ApplicationView, error)
+	ApplicationByID(ctx context.Context, projectID, appID string) (*model.ApplicationView, error)
 	AddApplication(ctx context.Context, app *model.Application) (*model.Application, error)
 	ChangeApplication(ctx context.Context, app *model.Application) (*model.Application, error)
 	DeactivateApplication(ctx context.Context, projectID, appID string) (*model.Application, error)

internal/project/model/application_view.go

@@ -14,6 +14,7 @@ type ApplicationView struct {
 	State        AppState
 
 	IsOIDC                     bool
+	OIDCVersion                OIDCVersion
 	OIDCClientID               string
 	OIDCRedirectUris           []string
 	OIDCResponseTypes          []OIDCResponseType
@@ -21,6 +22,9 @@ type ApplicationView struct {
 	OIDCApplicationType        OIDCApplicationType
 	OIDCAuthMethodType         OIDCAuthMethodType
 	OIDCPostLogoutRedirectUris []string
+	NoneCompliant              bool
+	ComplianceProblems         []string
+	DevMode                    bool
 
 	Sequence uint64
 }

internal/project/model/oidc_config.go

@@ -12,6 +12,13 @@ import (
 	"github.com/caos/zitadel/internal/id"
 )
 
+const (
+	http           = "http://"
+	httpLocalhost  = "http://localhost:"
+	httpLocalhost2 = "http://localhost/"
+	https          = "https://"
+)
+
 type OIDCConfig struct {
 	es_models.ObjectRoot
 	AppID                  string
@@ -24,8 +31,17 @@ type OIDCConfig struct {
 	ApplicationType        OIDCApplicationType
 	AuthMethodType         OIDCAuthMethodType
 	PostLogoutRedirectUris []string
+	OIDCVersion            OIDCVersion
+	Compliance             *Compliance
+	DevMode                bool
 }
 
+type OIDCVersion int32
+
+const (
+	OIDCVersionV1 OIDCVersion = iota
+)
+
 type OIDCResponseType int32
 
 const (
@@ -58,10 +74,15 @@ const (
 	OIDCAuthMethodTypeNone
 )
 
+type Compliance struct {
+	NoneCompliant bool
+	Problems      []string
+}
+
 func (c *OIDCConfig) IsValid() bool {
 	grantTypes := c.getRequiredGrantTypes()
 	for _, grantType := range grantTypes {
-		ok := c.containsGrantType(grantType)
+		ok := containsOIDCGrantType(c.GrantTypes, grantType)
 		if !ok {
 			return false
 		}
@@ -97,6 +118,113 @@ func (c *OIDCConfig) GenerateNewClientSecret(generator crypto.Generator) (string
 	return stringSecret, nil
 }
 
+func (c *OIDCConfig) FillCompliance() {
+	c.Compliance = GetOIDCCompliance(c.OIDCVersion, c.ApplicationType, c.GrantTypes, c.ResponseTypes, c.AuthMethodType, c.RedirectUris)
+}
+
+func GetOIDCCompliance(version OIDCVersion, appType OIDCApplicationType, grantTypes []OIDCGrantType, responseTypes []OIDCResponseType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	switch version {
+	case OIDCVersionV1:
+		return GetOIDCV1Compliance(appType, grantTypes, authMethod, redirectUris)
+	}
+	return nil
+}
+
+func GetOIDCV1Compliance(appType OIDCApplicationType, grantTypes []OIDCGrantType, authMethod OIDCAuthMethodType, redirectUris []string) *Compliance {
+	compliance := &Compliance{NoneCompliant: false}
+	if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) && containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+		CheckRedirectUrisImplicitAndCode(compliance, appType, redirectUris)
+	} else {
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeImplicit) {
+			CheckRedirectUrisImplicit(compliance, appType, redirectUris)
+		}
+		if containsOIDCGrantType(grantTypes, OIDCGrantTypeAuthorizationCode) {
+			CheckRedirectUrisCode(compliance, appType, redirectUris)
+		}
+	}
+
+	switch appType {
+	case OIDCApplicationTypeNative:
+		GetOIDCV1NativeApplicationCompliance(compliance, authMethod)
+	case OIDCApplicationTypeUserAgent:
+		GetOIDCV1UserAgentApplicationCompliance(compliance, authMethod)
+	}
+	if compliance.NoneCompliant {
+		compliance.Problems = append([]string{"Application.OIDC.V1.NotCompliant"}, compliance.Problems...)
+	}
+	return compliance
+}
+
+func GetOIDCV1NativeApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Native.AuthMethodType.NotNone")
+	}
+}
+
+func GetOIDCV1UserAgentApplicationCompliance(compliance *Compliance, authMethod OIDCAuthMethodType) {
+	if authMethod != OIDCAuthMethodTypeNone {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.UserAgent.AuthMethodType.NotNone")
+	}
+}
+
+func CheckRedirectUrisCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if urlContainsPrefix(redirectUris, http) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative")
+	}
+}
+
+func CheckRedirectUrisImplicit(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if urlContainsPrefix(redirectUris, http) {
+		if appType == OIDCApplicationTypeNative {
+			if !onlyLocalhostIsHttp(redirectUris) {
+				compliance.NoneCompliant = true
+				compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost")
+			}
+			return
+		}
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed")
+	}
+}
+
+func CheckRedirectUrisImplicitAndCode(compliance *Compliance, appType OIDCApplicationType, redirectUris []string) {
+	if urlsAreHttps(redirectUris) {
+		return
+	}
+	if containsCustom(redirectUris) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed")
+	}
+	if (urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeNative {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Implicit.RedirectUris.HttpLocalhostOnlyForNative")
+	}
+	if urlContainsPrefix(redirectUris, http) && !(urlContainsPrefix(redirectUris, httpLocalhost) || urlContainsPrefix(redirectUris, httpLocalhost2)) && appType != OIDCApplicationTypeWeb {
+		compliance.NoneCompliant = true
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb")
+	}
+	if !compliance.NoneCompliant {
+		compliance.Problems = append(compliance.Problems, "Application.OIDC.V1.NotAllCombinationsAreAllowed")
+	}
+}
+
 func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
 	grantTypes := make([]OIDCGrantType, 0)
 	implicit := false
@@ -106,6 +234,7 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
 			grantTypes = append(grantTypes, OIDCGrantTypeAuthorizationCode)
 		case OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken:
 			if !implicit {
+				implicit = true
 				grantTypes = append(grantTypes, OIDCGrantTypeImplicit)
 			}
 		}
@@ -113,11 +242,49 @@ func (c *OIDCConfig) getRequiredGrantTypes() []OIDCGrantType {
 	return grantTypes
 }
 
-func (c *OIDCConfig) containsGrantType(grantType OIDCGrantType) bool {
+func containsOIDCGrantType(grantTypes []OIDCGrantType, grantType OIDCGrantType) bool {
-	for _, t := range c.GrantTypes {
+	for _, gt := range grantTypes {
-		if t == grantType {
+		if gt == grantType {
 			return true
 		}
 	}
 	return false
 }
+
+func urlsAreHttps(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, https) {
+			return false
+		}
+	}
+	return true
+}
+
+func urlContainsPrefix(uris []string, prefix string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, prefix) {
+			return true
+		}
+	}
+	return false
+}
+
+func containsCustom(uris []string) bool {
+	for _, uri := range uris {
+		if !strings.HasPrefix(uri, http) && !strings.HasPrefix(uri, https) {
+			return true
+		}
+	}
+	return false
+}
+
+func onlyLocalhostIsHttp(uris []string) bool {
+	for _, uri := range uris {
+		if strings.HasPrefix(uri, http) {
+			if !strings.HasPrefix(uri, httpLocalhost) && !strings.HasPrefix(uri, httpLocalhost2) {
+				return false
+			}
+		}
+	}
+	return true
+}

internal/project/model/oidc_config_test.go

@@ -0,0 +1,869 @@
+package model
+
+import (
+	"reflect"
+	"testing"
+)
+
+func TestGetOIDCC1Compliance(t *testing.T) {
+	type args struct {
+		appType      OIDCApplicationType
+		grantTypes   []OIDCGrantType
+		authMethod   OIDCAuthMethodType
+		redirectUris []string
+	}
+	type result struct {
+		noneCompliant      bool
+		complianceProblems []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result result
+	}{
+		{
+			name: "Native: codeflow custom redirect (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: codeflow http redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "Native: codeflow http://localhost redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "Native: codeflow http://localhost: redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "Native: codeflow https redirect (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: codeflow invalid authmethod type (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypePost,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Native.AuthMethodType.NotNone",
+				},
+			},
+		},
+		{
+			name: "Native: implicit custom redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Native: implicit http redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.NativeShouldBeHttpLocalhost",
+				},
+			},
+		},
+		{
+			name: "Native: implicit http://localhost redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: implicit http://localhost: redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: implicit https redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: implicit and code (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Native: implicit and code (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeNative,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "Web: code https redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Web: code http redirect uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Web: code custom redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
+				},
+			},
+		},
+		{
+			name: "Web: implicit https uri (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Web: implicit http redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Web: implicit custom redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Web: implicit http://localhost redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Web: implicit http://localhost: redirect uri (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "Web: implicit and code (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "Web: implicit and code (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeWeb,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code https redirect (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "UserAgent: code http redirect (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code http:localhost redirect (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code http:localhost redirect (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.HttpOnlyForWeb",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code custom redirect (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Code.RedirectUris.CustomOnlyForNative",
+				},
+			},
+		},
+		{
+			name: "UserAgent: code authmethod type not none (not compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypePost,
+				redirectUris: []string{
+					"https://zitadel.chauth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit https redirect (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "UserAgent: implicit http redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit custom redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit http://localhost redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit http://localhost: redirect (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"http://localhost:1234/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.HttpNotAllowed",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit auth method not none (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit},
+				authMethod: OIDCAuthMethodTypePost,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.UserAgent.AuthMethodType.NotNone",
+				},
+			},
+		},
+		{
+			name: "UserAgent: implicit and code (compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: false,
+			},
+		},
+		{
+			name: "UserAgent: implicit and code (none compliant)",
+			args: args{
+				appType:    OIDCApplicationTypeUserAgent,
+				grantTypes: []OIDCGrantType{OIDCGrantTypeImplicit, OIDCGrantTypeAuthorizationCode},
+				authMethod: OIDCAuthMethodTypeNone,
+				redirectUris: []string{
+					"https://zitadel.ch/auth/callback",
+					"zitadel://auth/callback",
+				},
+			},
+			result: result{
+				noneCompliant: true,
+				complianceProblems: []string{
+					"Application.OIDC.V1.NotCompliant",
+					"Application.OIDC.V1.Implicit.RedirectUris.CustomNotAllowed",
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := GetOIDCV1Compliance(tt.args.appType, tt.args.grantTypes, tt.args.authMethod, tt.args.redirectUris)
+			if tt.result.noneCompliant != result.NoneCompliant {
+				t.Errorf("got wrong result nonecompliant: expected: %v, actual: %v ", tt.result.noneCompliant, result.NoneCompliant)
+			}
+			if tt.result.noneCompliant {
+				if len(tt.result.complianceProblems) != len(result.Problems) {
+					t.Errorf("got wrong result compliance problems len: expected: %v, actual: %v ", len(tt.result.complianceProblems), len(result.Problems))
+				}
+				if !reflect.DeepEqual(tt.result.complianceProblems, result.Problems) {
+					t.Errorf("got wrong result compliance problems: expected: %v, actual: %v ", tt.result.complianceProblems, result.Problems)
+				}
+			}
+		})
+	}
+}
+
+func TestGetRequiredGrantTypes(t *testing.T) {
+	type args struct {
+		oidcConfig OIDCConfig
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result []OIDCGrantType
+	}{
+		{
+			name: "oidc response type code",
+			args: args{
+				oidcConfig: OIDCConfig{
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode},
+				},
+			},
+			result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode},
+		},
+		{
+			name: "oidc response type id_token",
+			args: args{
+				oidcConfig: OIDCConfig{
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken},
+				},
+			},
+			result: []OIDCGrantType{OIDCGrantTypeImplicit},
+		},
+		{
+			name: "oidc response type id_token and id_token token",
+			args: args{
+				oidcConfig: OIDCConfig{
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
+				},
+			},
+			result: []OIDCGrantType{OIDCGrantTypeImplicit},
+		},
+		{
+			name: "oidc response type code, id_token and id_token token",
+			args: args{
+				oidcConfig: OIDCConfig{
+					ResponseTypes: []OIDCResponseType{OIDCResponseTypeCode, OIDCResponseTypeIDToken, OIDCResponseTypeIDTokenToken},
+				},
+			},
+			result: []OIDCGrantType{OIDCGrantTypeAuthorizationCode, OIDCGrantTypeImplicit},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.args.oidcConfig.getRequiredGrantTypes()
+			if !reflect.DeepEqual(tt.result, result) {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func TestContainsOIDCGrantType(t *testing.T) {
+	type args struct {
+		grantTypes []OIDCGrantType
+		grantType  OIDCGrantType
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "contains grant type",
+			args: args{
+				grantTypes: []OIDCGrantType{
+					OIDCGrantTypeAuthorizationCode,
+					OIDCGrantTypeImplicit,
+				},
+				grantType: OIDCGrantTypeImplicit,
+			},
+			result: true,
+		},
+		{
+			name: "doesnt contain grant type",
+			args: args{
+				grantTypes: []OIDCGrantType{
+					OIDCGrantTypeAuthorizationCode,
+					OIDCGrantTypeRefreshToken,
+				},
+				grantType: OIDCGrantTypeImplicit,
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := containsOIDCGrantType(tt.args.grantTypes, tt.args.grantType)
+			if result != tt.result {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func TestUrlsAreHttps(t *testing.T) {
+	type args struct {
+		uris []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+		{
+			name: "only https uris",
+			args: args{
+				uris: []string{
+					"https://zitadel.ch",
+					"https://caos.ch",
+				},
+			},
+			result: true,
+		},
+		{
+			name: "http localhost uris",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://localhost",
+				},
+			},
+			result: false,
+		},
+		{
+			name: "http not localhsot",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://caos.ch",
+				},
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := urlsAreHttps(tt.args.uris)
+			if result != tt.result {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}
+
+func TestOnlyLocalhostIsHttp(t *testing.T) {
+	type args struct {
+		uris []string
+	}
+	tests := []struct {
+		name   string
+		args   args
+		result bool
+	}{
+
+		{
+			name: "http not localhost",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://caos.ch",
+				},
+			},
+			result: false,
+		},
+		{
+			name: "http localhost/",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://localhost/auth/callback",
+				},
+			},
+			result: true,
+		},
+		{
+			name: "http not localhost:",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://localhost:9090",
+				},
+			},
+			result: true,
+		},
+		{
+			name: "http not localhost",
+			args: args{
+				uris: []string{
+					"https://zitadel.com",
+					"http://localhost:9090",
+					"http://zitadel.ch",
+				},
+			},
+			result: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := onlyLocalhostIsHttp(tt.args.uris)
+			if result != tt.result {
+				t.Errorf("got wrong result: expected: %v, actual: %v ", tt.result, result)
+			}
+		})
+	}
+}

internal/project/repository/eventsourcing/eventstore.go

@@ -534,6 +534,7 @@ func (es *ProjectEventstore) AddApplication(ctx context.Context, app *proj_model
 	if _, a := model.GetApplication(repoProject.Applications, app.AppID); a != nil {
 		converted := model.AppToModel(a)
 		converted.OIDCConfig.ClientSecretString = stringPw
+		converted.OIDCConfig.FillCompliance()
 		return converted, nil
 	}
 	return nil, caos_errs.ThrowInternal(nil, "EVENT-GvPct", "Errors.Internal")

internal/project/repository/eventsourcing/model/oidc_config.go

@@ -11,6 +11,7 @@ import (
 
 type OIDCConfig struct {
 	es_models.ObjectRoot
+	Version                int32               `json:"oidcVersion,omitempty"`
 	AppID                  string              `json:"appId"`
 	ClientID               string              `json:"clientId,omitempty"`
 	ClientSecret           *crypto.CryptoValue `json:"clientSecret,omitempty"`
@@ -20,6 +21,7 @@ type OIDCConfig struct {
 	ApplicationType        int32               `json:"applicationType,omitempty"`
 	AuthMethodType         int32               `json:"authMethodType,omitempty"`
 	PostLogoutRedirectUris []string            `json:"postLogoutRedirectUris,omitempty"`
+	DevMode                bool                `json:"devMode,omitempty"`
 }
 
 func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
@@ -40,9 +42,15 @@ func (c *OIDCConfig) Changes(changed *OIDCConfig) map[string]interface{} {
 	if c.AuthMethodType != changed.AuthMethodType {
 		changes["authMethodType"] = changed.AuthMethodType
 	}
+	if c.Version != changed.Version {
+		changes["oidcVersion"] = changed.Version
+	}
 	if !reflect.DeepEqual(c.PostLogoutRedirectUris, changed.PostLogoutRedirectUris) {
 		changes["postLogoutRedirectUris"] = changed.PostLogoutRedirectUris
 	}
+	if c.DevMode != changed.DevMode {
+		changes["devMode"] = changed.DevMode
+	}
 	return changes
 }
 
@@ -58,6 +66,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 	return &OIDCConfig{
 		ObjectRoot:             config.ObjectRoot,
 		AppID:                  config.AppID,
+		Version:                int32(config.OIDCVersion),
 		ClientID:               config.ClientID,
 		ClientSecret:           config.ClientSecret,
 		RedirectUris:           config.RedirectUris,
@@ -66,6 +75,7 @@ func OIDCConfigFromModel(config *model.OIDCConfig) *OIDCConfig {
 		ApplicationType:        int32(config.ApplicationType),
 		AuthMethodType:         int32(config.AuthMethodType),
 		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+		DevMode:                config.DevMode,
 	}
 }
 
@@ -78,9 +88,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 	for i, rt := range config.GrantTypes {
 		grantTypes[i] = model.OIDCGrantType(rt)
 	}
-	return &model.OIDCConfig{
+	oidcConfig := &model.OIDCConfig{
 		ObjectRoot:             config.ObjectRoot,
 		AppID:                  config.AppID,
+		OIDCVersion:            model.OIDCVersion(config.Version),
 		ClientID:               config.ClientID,
 		ClientSecret:           config.ClientSecret,
 		RedirectUris:           config.RedirectUris,
@@ -89,7 +100,10 @@ func OIDCConfigToModel(config *OIDCConfig) *model.OIDCConfig {
 		ApplicationType:        model.OIDCApplicationType(config.ApplicationType),
 		AuthMethodType:         model.OIDCAuthMethodType(config.AuthMethodType),
 		PostLogoutRedirectUris: config.PostLogoutRedirectUris,
+		DevMode:                config.DevMode,
 	}
+	oidcConfig.FillCompliance()
+	return oidcConfig
 }
 
 func (p *Project) appendAddOIDCConfigEvent(event *es_models.Event) error {

internal/project/repository/eventsourcing/project.go

@@ -2,6 +2,7 @@ package eventsourcing
 
 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"
 
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
@@ -46,6 +47,7 @@ func ProjectCreateAggregate(aggCreator *es_models.AggregateCreator, project *mod
 		}
 		validationQuery := es_models.NewSearchQuery().
 			AggregateTypeFilter(model.ProjectAggregate).
+			ResourceOwnerFilter(authz.GetCtxData(ctx).OrgID).
 			EventTypesFilter(model.ProjectAdded, model.ProjectChanged, model.ProjectRemoved)
 
 		validation := addProjectValidation(project.Name)

internal/project/repository/view/model/application.go

@@ -28,6 +28,7 @@ type ApplicationView struct {
 	State        int32     `json:"-" gorm:"column:app_state"`
 
 	IsOIDC                     bool           `json:"-" gorm:"column:is_oidc"`
+	OIDCVersion                int32          `json:"oidcVersion" gorm:"column:oidc_version"`
 	OIDCClientID               string         `json:"clientId" gorm:"column:oidc_client_id"`
 	OIDCRedirectUris           pq.StringArray `json:"redirectUris" gorm:"column:oidc_redirect_uris"`
 	OIDCResponseTypes          pq.Int64Array  `json:"responseTypes" gorm:"column:oidc_response_types"`
@@ -35,6 +36,9 @@ type ApplicationView struct {
 	OIDCApplicationType        int32          `json:"applicationType" gorm:"column:oidc_application_type"`
 	OIDCAuthMethodType         int32          `json:"authMethodType" gorm:"column:oidc_auth_method_type"`
 	OIDCPostLogoutRedirectUris pq.StringArray `json:"postLogoutRedirectUris" gorm:"column:oidc_post_logout_redirect_uris"`
+	NoneCompliant              bool           `json:"-" gorm:"column:none_compliant"`
+	ComplianceProblems         pq.StringArray `json:"-" gorm:"column:compliance_problems"`
+	DevMode                    bool           `json:"devMode" gorm:"column:dev_mode"`
 
 	Sequence uint64 `json:"-" gorm:"sequence"`
 }
@@ -57,6 +61,7 @@ func ApplicationViewFromModel(app *model.ApplicationView) *ApplicationView {
 		OIDCApplicationType:        int32(app.OIDCApplicationType),
 		OIDCAuthMethodType:         int32(app.OIDCAuthMethodType),
 		OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+		DevMode:                    app.DevMode,
 	}
 }
 
@@ -87,6 +92,7 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 		ChangeDate:   app.ChangeDate,
 
 		IsOIDC:                     app.IsOIDC,
+		OIDCVersion:                model.OIDCVersion(app.OIDCVersion),
 		OIDCClientID:               app.OIDCClientID,
 		OIDCRedirectUris:           app.OIDCRedirectUris,
 		OIDCResponseTypes:          OIDCResponseTypesToModel(app.OIDCResponseTypes),
@@ -94,6 +100,9 @@ func ApplicationViewToModel(app *ApplicationView) *model.ApplicationView {
 		OIDCApplicationType:        model.OIDCApplicationType(app.OIDCApplicationType),
 		OIDCAuthMethodType:         model.OIDCAuthMethodType(app.OIDCAuthMethodType),
 		OIDCPostLogoutRedirectUris: app.OIDCPostLogoutRedirectUris,
+		NoneCompliant:              app.NoneCompliant,
+		ComplianceProblems:         app.ComplianceProblems,
+		DevMode:                    app.DevMode,
 	}
 }
 
@@ -132,9 +141,17 @@ func (a *ApplicationView) AppendEvent(event *models.Event) (err error) {
 	case es_model.OIDCConfigAdded:
 		a.IsOIDC = true
 		err = a.SetData(event)
+		if err != nil {
+			return err
+		}
+		a.setCompliance()
 	case es_model.OIDCConfigChanged,
 		es_model.ApplicationChanged:
 		err = a.SetData(event)
+		if err != nil {
+			return err
+		}
+		a.setCompliance()
 	case es_model.ApplicationDeactivated:
 		a.State = int32(model.AppStateInactive)
 	case es_model.ApplicationReactivated:
@@ -154,3 +171,9 @@ func (a *ApplicationView) SetData(event *models.Event) error {
 	}
 	return nil
 }
+
+func (a *ApplicationView) setCompliance() {
+	compliance := model.GetOIDCCompliance(model.OIDCVersion(a.OIDCVersion), model.OIDCApplicationType(a.OIDCApplicationType), OIDCGrantTypesToModel(a.OIDCGrantTypes), OIDCResponseTypesToModel(a.OIDCResponseTypes), model.OIDCAuthMethodType(a.OIDCAuthMethodType), a.OIDCPostLogoutRedirectUris)
+	a.NoneCompliant = compliance.NoneCompliant
+	a.ComplianceProblems = compliance.Problems
+}

internal/static/i18n/de.yaml

@@ -291,3 +291,24 @@ EventTypes:
       removed: ZITADEL Mitglied entfernt
   key_pair:
     added: Schlüsselpaar hinzugefügt
+Application:
+  OIDC:
+    V1:
+      NotCompliant: Deine Konfiguration ist nicht konform und weicht vom OIDC 1.0 Standard ab.
+      NotAllCombinationsAreAllowed: Die Konfiguration ist konform, jedoch werden nicht alle möglichen Kombinationen erlaubt.
+      Code:
+        RedirectUris:
+          HttpOnlyForWeb: Grant Type Code erlaubt http Redirect Uris nur für den Apptype Web.
+          CustomOnlyForNative: Grant Type Code erlaubt custom Redirect Uris nur für den Apptype Native. (z.B appname:// )
+      Implicit:
+        RedirectUris:
+          CustomNotAllowed: Grant Type Implicit erlaubt keine custom Redirect Uris.
+          HttpNotAllowed: Grant Type Implicit erlaubt keine http Redirect Uris.
+          NativeShouldBeHttpLocalhost: Grant Type Implicit erlaubt beim Apptype Native http nur mit localhost (http://localhost)
+          HttpLocalhostOnlyForNative: Http://localhost Redirect Uri ist nur für Native Applikationen erlaubt.
+      Native:
+        AuthMethodType:
+          NotNone: Bei Native Applikationen sollte der AuthMethodType none sein.
+      UserAgent:
+        AuthMethodType:
+          NotNone: Bei einem User Agent sollte der AuthMethodType none sein.

internal/static/i18n/en.yaml

@@ -291,3 +291,24 @@ EventTypes:
       removed: ZITADEL member removed
   key_pair:
     added: Key pair added
+Application:
+  OIDC:
+    V1:
+      NotCompliant: Your configuration is not compliant and differs from OIDC 1.0 standard.
+      NotAllCombinationsAreAllowed: Configuration is compliant, but not all possible combinations are allowed.
+      Code:
+        RedirectUris:
+          HttpOnlyForWeb: Grant type code only allowed http redirect uris for apptype web.
+          CustomOnlyForNative: Grant type code only allowes custom redirect uris for apptype native  (e.g appname:// )
+      Implicit:
+        RedirectUris:
+          CustomNotAllowed: Grant type implicit doesn't allow custom redirect uris
+          HttpNotAllowed: Grant tpye implicit doesn't allow http redirect uris
+          NativeShouldBeHttpLocalhost: Grant tpye implicit only allowed http://localhost for native apptype
+          HttpLocalhostOnlyForNative: Http://localhost redirect uri is only allowed for native applications.
+      Native:
+        AuthMethodType:
+          NotNone: Native applications should have authmethodtype none.
+      UserAgent:
+        AuthMethodType:
+          NotNone: User agent app should have authmethodtype none.

migrations/cockroach/V1.4__compliance.sql

@@ -0,0 +1,18 @@
+BEGIN;
+
+ALTER TABLE management.applications ADD COLUMN oidc_version SMALLINT;
+ALTER TABLE management.applications ADD COLUMN none_compliant BOOLEAN;
+ALTER TABLE management.applications ADD COLUMN compliance_problems TEXT ARRAY;
+ALTER TABLE management.applications ADD COLUMN dev_mode BOOLEAN;
+
+ALTER TABLE auth.applications ADD COLUMN oidc_version SMALLINT;
+ALTER TABLE auth.applications ADD COLUMN none_compliant BOOLEAN;
+ALTER TABLE auth.applications ADD COLUMN compliance_problems TEXT ARRAY;
+ALTER TABLE auth.applications ADD COLUMN dev_mode BOOLEAN;
+
+ALTER TABLE authz.applications ADD COLUMN oidc_version SMALLINT;
+ALTER TABLE authz.applications ADD COLUMN none_compliant BOOLEAN;
+ALTER TABLE authz.applications ADD COLUMN compliance_problems TEXT ARRAY;
+ALTER TABLE authz.applications ADD COLUMN dev_mode BOOLEAN;
+
+COMMIT;

pkg/grpc/management/application.go

@@ -0,0 +1,24 @@
+package management
+
+import (
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
+)
+
+func (a *ApplicationView) Localizers() []middleware.Localizer {
+	if a == nil {
+		return nil
+	}
+
+	switch configType := a.AppConfig.(type) {
+	case *ApplicationView_OidcConfig:
+		if !configType.OidcConfig.NoneCompliant {
+			return nil
+		}
+		localizers := make([]middleware.Localizer, len(configType.OidcConfig.ComplianceProblems))
+		for i, problem := range configType.OidcConfig.ComplianceProblems {
+			localizers[i] = problem
+		}
+		return localizers
+	}
+	return nil
+}

pkg/grpc/management/management.pb.authoptions.go

@@ -553,64 +553,4 @@ var ManagementService_AuthMethods = authz.MethodMapping{
 		Permission: "user.grant.delete",
 		CheckParam: "",
 	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectUserGrants": authz.Option{
-		Permission: "project.user.grant.read",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/ProjectUserGrantByID": authz.Option{
-		Permission: "project.user.grant.read",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/CreateProjectUserGrant": authz.Option{
-		Permission: "project.user.grant.write",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/UpdateProjectUserGrant": authz.Option{
-		Permission: "project.user.grant.write",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/DeactivateProjectUserGrant": authz.Option{
-		Permission: "project.user.grant.write",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/ReactivateProjectUserGrant": authz.Option{
-		Permission: "project.user.grant.write",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectGrantUserGrants": authz.Option{
-		Permission: "project.grant.user.grant.read",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/ProjectGrantUserGrantByID": authz.Option{
-		Permission: "project.grant.user.grant.read",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/CreateProjectGrantUserGrant": authz.Option{
-		Permission: "project.grant.user.grant.write",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/UpdateProjectGrantUserGrant": authz.Option{
-		Permission: "project.grant.user.grant.write",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/DeactivateProjectGrantUserGrant": authz.Option{
-		Permission: "project.grant.user.grant.write",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/ReactivateProjectGrantUserGrant": authz.Option{
-		Permission: "project.grant.user.grant.write",
-		CheckParam: "ProjectGrantId",
-	},
 }

pkg/grpc/management/mock/management.proto.mock.go

@@ -477,46 +477,6 @@ func (mr *MockManagementServiceClientMockRecorder) CreateProjectGrant(arg0, arg1
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectGrant), varargs...)
 }
 
-// CreateProjectGrantUserGrant mocks base method
-func (m *MockManagementServiceClient) CreateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "CreateProjectGrantUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// CreateProjectGrantUserGrant indicates an expected call of CreateProjectGrantUserGrant
-func (mr *MockManagementServiceClientMockRecorder) CreateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectGrantUserGrant), varargs...)
-}
-
-// CreateProjectUserGrant mocks base method
-func (m *MockManagementServiceClient) CreateProjectUserGrant(arg0 context.Context, arg1 *management.UserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "CreateProjectUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// CreateProjectUserGrant indicates an expected call of CreateProjectUserGrant
-func (mr *MockManagementServiceClientMockRecorder) CreateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectUserGrant), varargs...)
-}
-
 // CreateUser mocks base method
 func (m *MockManagementServiceClient) CreateUser(arg0 context.Context, arg1 *management.CreateUserRequest, arg2 ...grpc.CallOption) (*management.User, error) {
 	m.ctrl.T.Helper()
@@ -637,46 +597,6 @@ func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectGrant(arg0,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectGrant), varargs...)
 }
 
-// DeactivateProjectGrantUserGrant mocks base method
-func (m *MockManagementServiceClient) DeactivateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "DeactivateProjectGrantUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DeactivateProjectGrantUserGrant indicates an expected call of DeactivateProjectGrantUserGrant
-func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectGrantUserGrant), varargs...)
-}
-
-// DeactivateProjectUserGrant mocks base method
-func (m *MockManagementServiceClient) DeactivateProjectUserGrant(arg0 context.Context, arg1 *management.ProjectUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "DeactivateProjectUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DeactivateProjectUserGrant indicates an expected call of DeactivateProjectUserGrant
-func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectUserGrant), varargs...)
-}
-
 // DeactivateUser mocks base method
 func (m *MockManagementServiceClient) DeactivateUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.User, error) {
 	m.ctrl.T.Helper()
@@ -1357,46 +1277,6 @@ func (mr *MockManagementServiceClientMockRecorder) ProjectGrantByID(arg0, arg1 i
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectGrantByID), varargs...)
 }
 
-// ProjectGrantUserGrantByID mocks base method
-func (m *MockManagementServiceClient) ProjectGrantUserGrantByID(arg0 context.Context, arg1 *management.ProjectGrantUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrantView, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ProjectGrantUserGrantByID", varargs...)
-	ret0, _ := ret[0].(*management.UserGrantView)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ProjectGrantUserGrantByID indicates an expected call of ProjectGrantUserGrantByID
-func (mr *MockManagementServiceClientMockRecorder) ProjectGrantUserGrantByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectGrantUserGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectGrantUserGrantByID), varargs...)
-}
-
-// ProjectUserGrantByID mocks base method
-func (m *MockManagementServiceClient) ProjectUserGrantByID(arg0 context.Context, arg1 *management.ProjectUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrantView, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ProjectUserGrantByID", varargs...)
-	ret0, _ := ret[0].(*management.UserGrantView)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ProjectUserGrantByID indicates an expected call of ProjectUserGrantByID
-func (mr *MockManagementServiceClientMockRecorder) ProjectUserGrantByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectUserGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectUserGrantByID), varargs...)
-}
-
 // ReactivateApplication mocks base method
 func (m *MockManagementServiceClient) ReactivateApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.Application, error) {
 	m.ctrl.T.Helper()
@@ -1477,46 +1357,6 @@ func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectGrant(arg0,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectGrant), varargs...)
 }
 
-// ReactivateProjectGrantUserGrant mocks base method
-func (m *MockManagementServiceClient) ReactivateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ReactivateProjectGrantUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReactivateProjectGrantUserGrant indicates an expected call of ReactivateProjectGrantUserGrant
-func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectGrantUserGrant), varargs...)
-}
-
-// ReactivateProjectUserGrant mocks base method
-func (m *MockManagementServiceClient) ReactivateProjectUserGrant(arg0 context.Context, arg1 *management.ProjectUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ReactivateProjectUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReactivateProjectUserGrant indicates an expected call of ReactivateProjectUserGrant
-func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectUserGrant), varargs...)
-}
-
 // ReactivateUser mocks base method
 func (m *MockManagementServiceClient) ReactivateUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.User, error) {
 	m.ctrl.T.Helper()
@@ -1937,26 +1777,6 @@ func (mr *MockManagementServiceClientMockRecorder) SearchProjectGrantMembers(arg
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectGrantMembers", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectGrantMembers), varargs...)
 }
 
-// SearchProjectGrantUserGrants mocks base method
-func (m *MockManagementServiceClient) SearchProjectGrantUserGrants(arg0 context.Context, arg1 *management.ProjectGrantUserGrantSearchRequest, arg2 ...grpc.CallOption) (*management.UserGrantSearchResponse, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "SearchProjectGrantUserGrants", varargs...)
-	ret0, _ := ret[0].(*management.UserGrantSearchResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// SearchProjectGrantUserGrants indicates an expected call of SearchProjectGrantUserGrants
-func (mr *MockManagementServiceClientMockRecorder) SearchProjectGrantUserGrants(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectGrantUserGrants", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectGrantUserGrants), varargs...)
-}
-
 // SearchProjectGrants mocks base method
 func (m *MockManagementServiceClient) SearchProjectGrants(arg0 context.Context, arg1 *management.ProjectGrantSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectGrantSearchResponse, error) {
 	m.ctrl.T.Helper()
@@ -2017,26 +1837,6 @@ func (mr *MockManagementServiceClientMockRecorder) SearchProjectRoles(arg0, arg1
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectRoles", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectRoles), varargs...)
 }
 
-// SearchProjectUserGrants mocks base method
-func (m *MockManagementServiceClient) SearchProjectUserGrants(arg0 context.Context, arg1 *management.ProjectUserGrantSearchRequest, arg2 ...grpc.CallOption) (*management.UserGrantSearchResponse, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "SearchProjectUserGrants", varargs...)
-	ret0, _ := ret[0].(*management.UserGrantSearchResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// SearchProjectUserGrants indicates an expected call of SearchProjectUserGrants
-func (mr *MockManagementServiceClientMockRecorder) SearchProjectUserGrants(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectUserGrants", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectUserGrants), varargs...)
-}
-
 // SearchProjects mocks base method
 func (m *MockManagementServiceClient) SearchProjects(arg0 context.Context, arg1 *management.ProjectSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectSearchResponse, error) {
 	m.ctrl.T.Helper()
@@ -2337,46 +2137,6 @@ func (mr *MockManagementServiceClientMockRecorder) UpdateProjectGrant(arg0, arg1
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectGrant), varargs...)
 }
 
-// UpdateProjectGrantUserGrant mocks base method
-func (m *MockManagementServiceClient) UpdateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "UpdateProjectGrantUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// UpdateProjectGrantUserGrant indicates an expected call of UpdateProjectGrantUserGrant
-func (mr *MockManagementServiceClientMockRecorder) UpdateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectGrantUserGrant), varargs...)
-}
-
-// UpdateProjectUserGrant mocks base method
-func (m *MockManagementServiceClient) UpdateProjectUserGrant(arg0 context.Context, arg1 *management.ProjectUserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "UpdateProjectUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// UpdateProjectUserGrant indicates an expected call of UpdateProjectUserGrant
-func (mr *MockManagementServiceClientMockRecorder) UpdateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectUserGrant), varargs...)
-}
-
 // UpdateUserAddress mocks base method
 func (m *MockManagementServiceClient) UpdateUserAddress(arg0 context.Context, arg1 *management.UpdateUserAddressRequest, arg2 ...grpc.CallOption) (*management.UserAddress, error) {
 	m.ctrl.T.Helper()

pkg/grpc/management/proto/management.proto

@@ -1247,184 +1247,6 @@ service ManagementService {
             permission: "user.grant.delete"
         };
     }
-
-    // search user grants based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc SearchProjectUserGrants(ProjectUserGrantSearchRequest) returns (UserGrantSearchResponse) {
-        option deprecated = true;
-        option (google.api.http) = {
-            post: "/projects/{project_id}/users/grants/_search"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.read"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // get user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc ProjectUserGrantByID(ProjectUserGrantID) returns (UserGrantView) {
-        option deprecated = true;
-        option (google.api.http) = {
-            get: "/projects/{project_id}/users/{user_id}/grants/{id}"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.read"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // create user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc CreateProjectUserGrant(UserGrantCreate) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            post: "/projects/{project_id}/users/{user_id}/grants"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.write"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // update user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc UpdateProjectUserGrant(ProjectUserGrantUpdate) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projects/{project_id}/users/{user_id}/grants/{id}"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.write"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // deactivate user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc DeactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projects/{project_id}/users/{user_id}/grants/{id}/_deactivate"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.write"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // reactivate user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc ReactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projects/{project_id}/users/{user_id}/grants/{id}/_reactivate"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.write"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // search user grants based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc SearchProjectGrantUserGrants(ProjectGrantUserGrantSearchRequest) returns (UserGrantSearchResponse) {
-        option deprecated = true;
-        option (google.api.http) = {
-            post: "/projectgrants/{project_grant_id}/users/grants/_search"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.read"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // get user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc ProjectGrantUserGrantByID(ProjectGrantUserGrantID) returns (UserGrantView) {
-        option deprecated = true;
-        option (google.api.http) = {
-            get: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.read"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // create user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc CreateProjectGrantUserGrant(ProjectGrantUserGrantCreate) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            post: "/projectgrants/{project_grant_id}/users/{user_id}/grants"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.write"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // update user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc UpdateProjectGrantUserGrant(ProjectGrantUserGrantUpdate) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.write"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // deactivate user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc DeactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_deactivate"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.write"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // reactivate user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc ReactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_reactivate"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.write"
-            check_field_name: "ProjectGrantId"
-        };
-    }
 }
 
 message ZitadelDocs {
@@ -2335,6 +2157,10 @@ message OIDCConfig {
     string client_secret = 6;
     OIDCAuthMethodType auth_method_type = 7;
     repeated string post_logout_redirect_uris = 8;
+    OIDCVersion version = 9;
+    bool none_compliant = 10;
+    repeated caos.zitadel.api.v1.LocalizedMessage compliance_problems = 11;
+    bool dev_mode = 12;
 }
 
 message OIDCApplicationCreate {
@@ -2346,6 +2172,12 @@ message OIDCApplicationCreate {
     OIDCApplicationType application_type = 6;
     OIDCAuthMethodType auth_method_type = 7;
     repeated string post_logout_redirect_uris = 8;
+    OIDCVersion version = 9;
+    bool dev_mode = 10;
+}
+
+enum OIDCVersion {
+    OIDCV1_0 = 0;
 }
 
 message OIDCConfigUpdate {
@@ -2357,6 +2189,7 @@ message OIDCConfigUpdate {
     OIDCApplicationType application_type = 6;
     OIDCAuthMethodType auth_method_type = 7;
     repeated string post_logout_redirect_uris = 8;
+    bool dev_mode = 9;
 }
 
 enum OIDCResponseType {
@@ -2630,39 +2463,6 @@ message UserGrantID {
     string id = 2;
 }
 
-message ProjectUserGrantID {
-    string project_id = 1;
-    string user_id = 2;
-    string id = 3;
-}
-
-message ProjectUserGrantUpdate {
-    string project_id = 1;
-    string user_id = 2;
-    string id = 3;
-    repeated string role_keys = 4;
-}
-
-message ProjectGrantUserGrantID {
-    string project_grant_id = 1;
-    string user_id = 2;
-    string id = 3;
-}
-
-message ProjectGrantUserGrantCreate {
-    string user_id = 1;
-    string project_grant_id = 2;
-    string project_id = 3 [(validate.rules).string.min_len = 1];
-    repeated string role_keys = 4;
-}
-
-message ProjectGrantUserGrantUpdate {
-    string project_grant_id = 1;
-    string user_id = 2;
-    string id = 3;
-    repeated string role_keys = 4;
-}
-
 enum UserGrantState {
     USERGRANTSTATE_UNSPECIFIED = 0;
     USERGRANTSTATE_ACTIVE = 1;

pkg/grpc/message/message.go

@@ -11,3 +11,7 @@ func (m *LocalizedMessage) SetLocalizedMessage(message string) {
 func NewLocalizedEventType(key string) *LocalizedMessage {
 	return &LocalizedMessage{Key: "EventTypes." + key}
 }
+
+func NewLocalizedMessage(key string) *LocalizedMessage {
+	return &LocalizedMessage{Key: key}
+}