feat: add personal access tokens for service users (#2974)

* feat: add machine tokens * fix test * rename to pat * fix merge and tests * fix scopes * fix migration version * fix test * Update internal/repository/user/personal_access_token.go Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com> Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>
2025-08-11 19:17:32 +00:00 · 2022-02-08 09:37:28 +01:00
parent 3bf9adece5
commit 699fdaf68e
32 changed files with 1838 additions and 30 deletions
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@@ -668,7 +668,7 @@ service ManagementService {
        };
    }

-    // Removed a machine key
+    // Removes a machine key
    rpc RemoveMachineKey(RemoveMachineKeyRequest) returns (RemoveMachineKeyResponse) {
        option (google.api.http) = {
            delete: "/users/{user_id}/keys/{key_id}"
@@ -679,6 +679,53 @@ service ManagementService {
        };
    }

+    // Returns a personal access token of a (machine) user
+    rpc GetPersonalAccessTokenByIDs(GetPersonalAccessTokenByIDsRequest) returns (GetPersonalAccessTokenByIDsResponse) {
+        option (google.api.http) = {
+            get: "/users/{user_id}/pats/{token_id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "user.read"
+        };
+    }
+
+    // Returns all personal access tokens of a (machine) user which match the query
+    // Limit should always be set, there is a default limit set by the service
+    rpc ListPersonalAccessTokens(ListPersonalAccessTokensRequest) returns (ListPersonalAccessTokensResponse) {
+        option (google.api.http) = {
+            post: "/users/{user_id}/pats/_search"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "user.read"
+        };
+    }
+
+    // Generates a new personal access token for a machine user, details should be stored after return
+    rpc AddPersonalAccessToken(AddPersonalAccessTokenRequest) returns (AddPersonalAccessTokenResponse) {
+        option (google.api.http) = {
+            post: "/users/{user_id}/pats"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "user.write"
+        };
+    }
+
+    // Removes a personal access token
+    rpc RemovePersonalAccessToken(RemovePersonalAccessTokenRequest) returns (RemovePersonalAccessTokenResponse) {
+        option (google.api.http) = {
+            delete: "/users/{user_id}/pats/{token_id}"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "user.write"
+        };
+    }
+
    // Lists all identity providers (social logins) which a human has configured (e.g Google, Microsoft, AD, etc..)
    // Limit should always be set, there is a default limit set by the service
    rpc ListHumanLinkedIDPs(ListHumanLinkedIDPsRequest) returns (ListHumanLinkedIDPsResponse) {
@@ -3398,6 +3445,51 @@ message RemoveMachineKeyResponse {
    zitadel.v1.ObjectDetails details = 1;
 }

+message GetPersonalAccessTokenByIDsRequest {
+    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string token_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message GetPersonalAccessTokenByIDsResponse {
+    zitadel.user.v1.PersonalAccessToken token = 1;
+}
+
+message ListPersonalAccessTokensRequest {
+    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    //list limitations and ordering
+    zitadel.v1.ListQuery query = 2;
+}
+
+message ListPersonalAccessTokensResponse {
+    zitadel.v1.ListDetails details = 1;
+    repeated zitadel.user.v1.PersonalAccessToken result = 2;
+}
+
+message AddPersonalAccessTokenRequest {
+    string user_id = 1 [(validate.rules).string.min_len = 1];
+    google.protobuf.Timestamp expiration_date = 2 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"2519-04-01T08:45:00.000000Z\"";
+            description: "The date the token will expire and no logins will be possible";
+        }
+    ];
+}
+
+message AddPersonalAccessTokenResponse {
+    string token_id = 1;
+    string token = 2;
+    zitadel.v1.ObjectDetails details = 3;
+}
+
+message RemovePersonalAccessTokenRequest {
+    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string token_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemovePersonalAccessTokenResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
 message ListHumanLinkedIDPsRequest {
    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    //list limitations and ordering
--- a/proto/zitadel/user.proto
+++ b/proto/zitadel/user.proto
@@ -571,6 +571,28 @@ message RefreshToken {
    ];
 }

+
+message PersonalAccessToken {
+    string id = 1 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"69629023906488334\"";
+        }
+    ];
+    zitadel.v1.ObjectDetails details = 2;
+    google.protobuf.Timestamp expiration_date = 3 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "the date the token will expire";
+            example: "\"3019-04-01T08:45:00.000000Z\"";
+        }
+    ];
+    repeated string scopes = 4 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            description: "scopes granted to the token";
+            example: "[\"openid\"]";
+        }
+    ];
+}
+
 message UserGrant {
    string id = 1 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -863,4 +885,4 @@ message UserGrantUserTypeQuery {
    ];
 }

-//PLANNED: login name query
+//PLANNED: login name query