Merge commit '416a35537f89b1c3ccd3d123289cea37b3309bba' into next-rc

internal/api/grpc/action/v2beta/integration_test/execution_target_test.go

@@ -477,10 +477,10 @@ func waitForExecutionOnCondition(ctx context.Context, t *testing.T, instance *in
 		if !assert.NoError(ttt, err) {
 			return
 		}
-		if !assert.Len(ttt, got.GetResult(), 1) {
+		if !assert.Len(ttt, got.GetExecutions(), 1) {
 			return
 		}
-		gotTargets := got.GetResult()[0].GetTargets()
+		gotTargets := got.GetExecutions()[0].GetTargets()
 		// always first check length, otherwise its failed anyway
 		if assert.Len(ttt, gotTargets, len(targets)) {
 			for i := range targets {
@@ -506,10 +506,10 @@ func waitForTarget(ctx context.Context, t *testing.T, instance *integration.Inst
 		if !assert.NoError(ttt, err) {
 			return
 		}
-		if !assert.Len(ttt, got.GetResult(), 1) {
+		if !assert.Len(ttt, got.GetTargets(), 1) {
 			return
 		}
-		config := got.GetResult()[0]
+		config := got.GetTargets()[0]
 		assert.Equal(ttt, config.GetEndpoint(), endpoint)
 		switch ty {
 		case domain.TargetTypeWebhook:
@@ -605,7 +605,7 @@ func TestServer_ExecutionTargetPreUserinfo(t *testing.T) {
 						{Key: "added", Value: "value"},
 					},
 				}
-				return expectPreUserinfoExecution(ctx, t, instance, req, response)
+				return expectPreUserinfoExecution(ctx, t, instance, client.GetClientId(), req, response)
 			},
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
@@ -630,7 +630,7 @@ func TestServer_ExecutionTargetPreUserinfo(t *testing.T) {
 						"addedLog",
 					},
 				}
-				return expectPreUserinfoExecution(ctx, t, instance, req, response)
+				return expectPreUserinfoExecution(ctx, t, instance, client.GetClientId(), req, response)
 			},
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
@@ -655,7 +655,7 @@ func TestServer_ExecutionTargetPreUserinfo(t *testing.T) {
 						{Key: "key", Value: []byte("value")},
 					},
 				}
-				return expectPreUserinfoExecution(ctx, t, instance, req, response)
+				return expectPreUserinfoExecution(ctx, t, instance, client.GetClientId(), req, response)
 			},
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
@@ -692,7 +692,7 @@ func TestServer_ExecutionTargetPreUserinfo(t *testing.T) {
 						{Key: "added3", Value: "value3"},
 					},
 				}
-				return expectPreUserinfoExecution(ctx, t, instance, req, response)
+				return expectPreUserinfoExecution(ctx, t, instance, client.GetClientId(), req, response)
 			},
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
@@ -755,7 +755,7 @@ func TestServer_ExecutionTargetPreUserinfo(t *testing.T) {
 	}
 }
 
-func expectPreUserinfoExecution(ctx context.Context, t *testing.T, instance *integration.Instance, req *oidc_pb.CreateCallbackRequest, response *oidc_api.ContextInfoResponse) (string, func()) {
+func expectPreUserinfoExecution(ctx context.Context, t *testing.T, instance *integration.Instance, clientID string, req *oidc_pb.CreateCallbackRequest, response *oidc_api.ContextInfoResponse) (string, func()) {
 	userEmail := gofakeit.Email()
 	userPhone := "+41" + gofakeit.Phone()
 	userResp := instance.CreateHumanUserVerified(ctx, instance.DefaultOrg.Id, userEmail, userPhone)
@@ -767,7 +767,7 @@ func expectPreUserinfoExecution(ctx context.Context, t *testing.T, instance *int
 			SessionToken: sessionResp.GetSessionToken(),
 		},
 	}
-	expectedContextInfo := contextInfoForUserOIDC(instance, "function/preuserinfo", userResp, userEmail, userPhone)
+	expectedContextInfo := contextInfoForUserOIDC(instance, "function/preuserinfo", clientID, userResp, userEmail, userPhone)
 
 	targetURL, closeF, _, _ := integration.TestServerCall(expectedContextInfo, 0, http.StatusOK, response)
 
@@ -845,7 +845,7 @@ func getAccessTokenClaims(ctx context.Context, t *testing.T, instance *integrati
 	return claims
 }
 
-func contextInfoForUserOIDC(instance *integration.Instance, function string, userResp *user.AddHumanUserResponse, email, phone string) *oidc_api.ContextInfo {
+func contextInfoForUserOIDC(instance *integration.Instance, function string, clientID string, userResp *user.AddHumanUserResponse, email, phone string) *oidc_api.ContextInfo {
 	return &oidc_api.ContextInfo{
 		Function: function,
 		UserInfo: &oidc.UserInfo{
@@ -878,6 +878,9 @@ func contextInfoForUserOIDC(instance *integration.Instance, function string, use
 			},
 		},
 		UserMetadata: nil,
+		Application: &oidc_api.ContextInfoApplication{
+			ClientID: clientID,
+		},
 		Org: &query.UserInfoOrg{
 			ID:            instance.DefaultOrg.GetId(),
 			Name:          instance.DefaultOrg.GetName(),
@@ -918,7 +921,7 @@ func TestServer_ExecutionTargetPreAccessToken(t *testing.T) {
 						{Key: "added1", Value: "value"},
 					},
 				}
-				return expectPreAccessTokenExecution(ctx, t, instance, req, response)
+				return expectPreAccessTokenExecution(ctx, t, instance, client.GetClientId(), req, response)
 			},
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
@@ -943,7 +946,7 @@ func TestServer_ExecutionTargetPreAccessToken(t *testing.T) {
 						"addedLog",
 					},
 				}
-				return expectPreAccessTokenExecution(ctx, t, instance, req, response)
+				return expectPreAccessTokenExecution(ctx, t, instance, client.GetClientId(), req, response)
 			},
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
@@ -968,7 +971,7 @@ func TestServer_ExecutionTargetPreAccessToken(t *testing.T) {
 						{Key: "key", Value: []byte("value")},
 					},
 				}
-				return expectPreAccessTokenExecution(ctx, t, instance, req, response)
+				return expectPreAccessTokenExecution(ctx, t, instance, client.GetClientId(), req, response)
 			},
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
@@ -1005,7 +1008,7 @@ func TestServer_ExecutionTargetPreAccessToken(t *testing.T) {
 						{Key: "added3", Value: "value3"},
 					},
 				}
-				return expectPreAccessTokenExecution(ctx, t, instance, req, response)
+				return expectPreAccessTokenExecution(ctx, t, instance, client.GetClientId(), req, response)
 			},
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
@@ -1060,7 +1063,7 @@ func TestServer_ExecutionTargetPreAccessToken(t *testing.T) {
 	}
 }
 
-func expectPreAccessTokenExecution(ctx context.Context, t *testing.T, instance *integration.Instance, req *oidc_pb.CreateCallbackRequest, response *oidc_api.ContextInfoResponse) (string, func()) {
+func expectPreAccessTokenExecution(ctx context.Context, t *testing.T, instance *integration.Instance, clientID string, req *oidc_pb.CreateCallbackRequest, response *oidc_api.ContextInfoResponse) (string, func()) {
 	userEmail := gofakeit.Email()
 	userPhone := "+41" + gofakeit.Phone()
 	userResp := instance.CreateHumanUserVerified(ctx, instance.DefaultOrg.Id, userEmail, userPhone)
@@ -1072,7 +1075,7 @@ func expectPreAccessTokenExecution(ctx context.Context, t *testing.T, instance *
 			SessionToken: sessionResp.GetSessionToken(),
 		},
 	}
-	expectedContextInfo := contextInfoForUserOIDC(instance, "function/preaccesstoken", userResp, userEmail, userPhone)
+	expectedContextInfo := contextInfoForUserOIDC(instance, "function/preaccesstoken", clientID, userResp, userEmail, userPhone)
 
 	targetURL, closeF, _, _ := integration.TestServerCall(expectedContextInfo, 0, http.StatusOK, response)
 

internal/api/grpc/action/v2beta/integration_test/query_test.go

@@ -206,7 +206,7 @@ func TestServer_GetTarget(t *testing.T) {
 				}
 				assert.NoError(ttt, err)
 				assert.EqualExportedValues(ttt, tt.want, got)
-			}, retryDuration, tick, "timeout waiting for expected target result")
+			}, retryDuration, tick, "timeout waiting for expected target Executions")
 		})
 	}
 }
@@ -253,7 +253,7 @@ func TestServer_ListTargets(t *testing.T) {
 					TotalResult:  0,
 					AppliedLimit: 100,
 				},
-				Result: []*action.Target{},
+				Targets: []*action.Target{},
 			},
 		},
 		{
@@ -269,11 +269,11 @@ func TestServer_ListTargets(t *testing.T) {
 						},
 					}
 
-					response.Result[0].Id = resp.GetId()
-					response.Result[0].Name = name
-					response.Result[0].CreationDate = resp.GetCreationDate()
-					response.Result[0].ChangeDate = resp.GetCreationDate()
-					response.Result[0].SigningKey = resp.GetSigningKey()
+					response.Targets[0].Id = resp.GetId()
+					response.Targets[0].Name = name
+					response.Targets[0].CreationDate = resp.GetCreationDate()
+					response.Targets[0].ChangeDate = resp.GetCreationDate()
+					response.Targets[0].SigningKey = resp.GetSigningKey()
 				},
 				req: &action.ListTargetsRequest{
 					Filters: []*action.TargetSearchFilter{{}},
@@ -284,7 +284,7 @@ func TestServer_ListTargets(t *testing.T) {
 					TotalResult:  1,
 					AppliedLimit: 100,
 				},
-				Result: []*action.Target{
+				Targets: []*action.Target{
 					{
 						Endpoint: "https://example.com",
 						TargetType: &action.Target_RestWebhook{
@@ -309,11 +309,11 @@ func TestServer_ListTargets(t *testing.T) {
 						},
 					}
 
-					response.Result[0].Id = resp.GetId()
-					response.Result[0].Name = name
-					response.Result[0].CreationDate = resp.GetCreationDate()
-					response.Result[0].ChangeDate = resp.GetCreationDate()
-					response.Result[0].SigningKey = resp.GetSigningKey()
+					response.Targets[0].Id = resp.GetId()
+					response.Targets[0].Name = name
+					response.Targets[0].CreationDate = resp.GetCreationDate()
+					response.Targets[0].ChangeDate = resp.GetCreationDate()
+					response.Targets[0].SigningKey = resp.GetSigningKey()
 				},
 				req: &action.ListTargetsRequest{
 					Filters: []*action.TargetSearchFilter{{}},
@@ -324,7 +324,7 @@ func TestServer_ListTargets(t *testing.T) {
 					TotalResult:  1,
 					AppliedLimit: 100,
 				},
-				Result: []*action.Target{
+				Targets: []*action.Target{
 					{
 						Endpoint: "https://example.com",
 						TargetType: &action.Target_RestWebhook{
@@ -354,23 +354,23 @@ func TestServer_ListTargets(t *testing.T) {
 						},
 					}
 
-					response.Result[2].Id = resp1.GetId()
-					response.Result[2].Name = name1
-					response.Result[2].CreationDate = resp1.GetCreationDate()
-					response.Result[2].ChangeDate = resp1.GetCreationDate()
-					response.Result[2].SigningKey = resp1.GetSigningKey()
+					response.Targets[2].Id = resp1.GetId()
+					response.Targets[2].Name = name1
+					response.Targets[2].CreationDate = resp1.GetCreationDate()
+					response.Targets[2].ChangeDate = resp1.GetCreationDate()
+					response.Targets[2].SigningKey = resp1.GetSigningKey()
 
-					response.Result[1].Id = resp2.GetId()
-					response.Result[1].Name = name2
-					response.Result[1].CreationDate = resp2.GetCreationDate()
-					response.Result[1].ChangeDate = resp2.GetCreationDate()
-					response.Result[1].SigningKey = resp2.GetSigningKey()
+					response.Targets[1].Id = resp2.GetId()
+					response.Targets[1].Name = name2
+					response.Targets[1].CreationDate = resp2.GetCreationDate()
+					response.Targets[1].ChangeDate = resp2.GetCreationDate()
+					response.Targets[1].SigningKey = resp2.GetSigningKey()
 
-					response.Result[0].Id = resp3.GetId()
-					response.Result[0].Name = name3
-					response.Result[0].CreationDate = resp3.GetCreationDate()
-					response.Result[0].ChangeDate = resp3.GetCreationDate()
-					response.Result[0].SigningKey = resp3.GetSigningKey()
+					response.Targets[0].Id = resp3.GetId()
+					response.Targets[0].Name = name3
+					response.Targets[0].CreationDate = resp3.GetCreationDate()
+					response.Targets[0].ChangeDate = resp3.GetCreationDate()
+					response.Targets[0].SigningKey = resp3.GetSigningKey()
 				},
 				req: &action.ListTargetsRequest{
 					Filters: []*action.TargetSearchFilter{{}},
@@ -381,7 +381,7 @@ func TestServer_ListTargets(t *testing.T) {
 					TotalResult:  3,
 					AppliedLimit: 100,
 				},
-				Result: []*action.Target{
+				Targets: []*action.Target{
 					{
 						Endpoint: "https://example.com",
 						TargetType: &action.Target_RestAsync{
@@ -427,13 +427,13 @@ func TestServer_ListTargets(t *testing.T) {
 				require.NoError(ttt, listErr)
 
 				// always first check length, otherwise its failed anyway
-				if assert.Len(ttt, got.Result, len(tt.want.Result)) {
-					for i := range tt.want.Result {
-						assert.EqualExportedValues(ttt, tt.want.Result[i], got.Result[i])
+				if assert.Len(ttt, got.Targets, len(tt.want.Targets)) {
+					for i := range tt.want.Targets {
+						assert.EqualExportedValues(ttt, tt.want.Targets[i], got.Targets[i])
 					}
 				}
 				assertPaginationResponse(ttt, tt.want.Pagination, got.Pagination)
-			}, retryDuration, tick, "timeout waiting for expected execution result")
+			}, retryDuration, tick, "timeout waiting for expected execution Executions")
 		})
 	}
 }
@@ -476,9 +476,9 @@ func TestServer_ListExecutions(t *testing.T) {
 					resp := instance.SetExecution(ctx, t, cond, []string{targetResp.GetId()})
 
 					// Set expected response with used values for SetExecution
-					response.Result[0].CreationDate = resp.GetSetDate()
-					response.Result[0].ChangeDate = resp.GetSetDate()
-					response.Result[0].Condition = cond
+					response.Executions[0].CreationDate = resp.GetSetDate()
+					response.Executions[0].ChangeDate = resp.GetSetDate()
+					response.Executions[0].Condition = cond
 				},
 				req: &action.ListExecutionsRequest{
 					Filters: []*action.ExecutionSearchFilter{{
@@ -503,7 +503,7 @@ func TestServer_ListExecutions(t *testing.T) {
 					TotalResult:  1,
 					AppliedLimit: 100,
 				},
-				Result: []*action.Execution{
+				Executions: []*action.Execution{
 					{
 						Condition: &action.Condition{
 							ConditionType: &action.Condition_Request{
@@ -544,10 +544,10 @@ func TestServer_ListExecutions(t *testing.T) {
 					}
 					resp := instance.SetExecution(ctx, t, cond, []string{target.GetId()})
 
-					response.Result[0].CreationDate = resp.GetSetDate()
-					response.Result[0].ChangeDate = resp.GetSetDate()
-					response.Result[0].Condition = cond
-					response.Result[0].Targets = []string{target.GetId()}
+					response.Executions[0].CreationDate = resp.GetSetDate()
+					response.Executions[0].ChangeDate = resp.GetSetDate()
+					response.Executions[0].Condition = cond
+					response.Executions[0].Targets = []string{target.GetId()}
 				},
 				req: &action.ListExecutionsRequest{
 					Filters: []*action.ExecutionSearchFilter{{}},
@@ -558,7 +558,7 @@ func TestServer_ListExecutions(t *testing.T) {
 					TotalResult:  1,
 					AppliedLimit: 100,
 				},
-				Result: []*action.Execution{
+				Executions: []*action.Execution{
 					{
 						Condition: &action.Condition{},
 						Targets:   []string{""},
@@ -604,7 +604,7 @@ func TestServer_ListExecutions(t *testing.T) {
 
 					cond1 := request.Filters[0].GetInConditionsFilter().GetConditions()[0]
 					resp1 := instance.SetExecution(ctx, t, cond1, []string{targetResp.GetId()})
-					response.Result[2] = &action.Execution{
+					response.Executions[2] = &action.Execution{
 						CreationDate: resp1.GetSetDate(),
 						ChangeDate:   resp1.GetSetDate(),
 						Condition:    cond1,
@@ -613,7 +613,7 @@ func TestServer_ListExecutions(t *testing.T) {
 
 					cond2 := request.Filters[0].GetInConditionsFilter().GetConditions()[1]
 					resp2 := instance.SetExecution(ctx, t, cond2, []string{targetResp.GetId()})
-					response.Result[1] = &action.Execution{
+					response.Executions[1] = &action.Execution{
 						CreationDate: resp2.GetSetDate(),
 						ChangeDate:   resp2.GetSetDate(),
 						Condition:    cond2,
@@ -622,7 +622,7 @@ func TestServer_ListExecutions(t *testing.T) {
 
 					cond3 := request.Filters[0].GetInConditionsFilter().GetConditions()[2]
 					resp3 := instance.SetExecution(ctx, t, cond3, []string{targetResp.GetId()})
-					response.Result[0] = &action.Execution{
+					response.Executions[0] = &action.Execution{
 						CreationDate: resp3.GetSetDate(),
 						ChangeDate:   resp3.GetSetDate(),
 						Condition:    cond3,
@@ -640,7 +640,7 @@ func TestServer_ListExecutions(t *testing.T) {
 					TotalResult:  3,
 					AppliedLimit: 100,
 				},
-				Result: []*action.Execution{
+				Executions: []*action.Execution{
 					{}, {}, {},
 				},
 			},
@@ -653,7 +653,7 @@ func TestServer_ListExecutions(t *testing.T) {
 					conditions := request.Filters[0].GetInConditionsFilter().GetConditions()
 					for i, cond := range conditions {
 						resp := instance.SetExecution(ctx, t, cond, []string{targetResp.GetId()})
-						response.Result[(len(conditions)-1)-i] = &action.Execution{
+						response.Executions[(len(conditions)-1)-i] = &action.Execution{
 							CreationDate: resp.GetSetDate(),
 							ChangeDate:   resp.GetSetDate(),
 							Condition:    cond,
@@ -687,7 +687,7 @@ func TestServer_ListExecutions(t *testing.T) {
 					TotalResult:  10,
 					AppliedLimit: 100,
 				},
-				Result: []*action.Execution{
+				Executions: []*action.Execution{
 					{},
 					{},
 					{},
@@ -709,7 +709,7 @@ func TestServer_ListExecutions(t *testing.T) {
 					conditions := request.Filters[0].GetInConditionsFilter().GetConditions()
 					for i, cond := range conditions {
 						resp := instance.SetExecution(ctx, t, cond, []string{targetResp.GetId()})
-						response.Result[i] = &action.Execution{
+						response.Executions[i] = &action.Execution{
 							CreationDate: resp.GetSetDate(),
 							ChangeDate:   resp.GetSetDate(),
 							Condition:    cond,
@@ -744,7 +744,7 @@ func TestServer_ListExecutions(t *testing.T) {
 					TotalResult:  10,
 					AppliedLimit: 100,
 				},
-				Result: []*action.Execution{
+				Executions: []*action.Execution{
 					{},
 					{},
 					{},
@@ -774,11 +774,11 @@ func TestServer_ListExecutions(t *testing.T) {
 				}
 				require.NoError(ttt, listErr)
 				// always first check length, otherwise its failed anyway
-				if assert.Len(ttt, got.Result, len(tt.want.Result)) {
-					assert.EqualExportedValues(ttt, got.Result, tt.want.Result)
+				if assert.Len(ttt, got.Executions, len(tt.want.Executions)) {
+					assert.EqualExportedValues(ttt, got.Executions, tt.want.Executions)
 				}
 				assertPaginationResponse(ttt, tt.want.Pagination, got.Pagination)
-			}, retryDuration, tick, "timeout waiting for expected execution result")
+			}, retryDuration, tick, "timeout waiting for expected execution Executions")
 		})
 	}
 }

internal/api/grpc/action/v2beta/query.go

@@ -52,7 +52,7 @@ func (s *Server) ListTargets(ctx context.Context, req *connect.Request[action.Li
 		return nil, err
 	}
 	return connect.NewResponse(&action.ListTargetsResponse{
-		Result:     targetsToPb(resp.Targets),
+		Targets:    targetsToPb(resp.Targets),
 		Pagination: filter.QueryToPaginationPb(queries.SearchRequest, resp.SearchResponse),
 	}), nil
 }
@@ -67,7 +67,7 @@ func (s *Server) ListExecutions(ctx context.Context, req *connect.Request[action
 		return nil, err
 	}
 	return connect.NewResponse(&action.ListExecutionsResponse{
-		Result:     executionsToPb(resp.Executions),
+		Executions: executionsToPb(resp.Executions),
 		Pagination: filter.QueryToPaginationPb(queries.SearchRequest, resp.SearchResponse),
 	}), nil
 }

internal/api/grpc/admin/instance.go

@@ -30,6 +30,7 @@ func (s *Server) ListInstanceDomains(ctx context.Context, req *admin_pb.ListInst
 	}
 	return &admin_pb.ListInstanceDomainsResponse{
 		Result: instance_grpc.DomainsToPb(domains.Domains),
+		SortingColumn: req.SortingColumn,
 		Details: object.ToListDetails(
 			domains.Count,
 			domains.Sequence,
@@ -49,6 +50,7 @@ func (s *Server) ListInstanceTrustedDomains(ctx context.Context, req *admin_pb.L
 	}
 	return &admin_pb.ListInstanceTrustedDomainsResponse{
 		Result: instance_grpc.TrustedDomainsToPb(domains.Domains),
+		SortingColumn: req.SortingColumn,
 		Details: object.ToListDetails(
 			domains.Count,
 			domains.Sequence,

internal/api/grpc/admin/instance_converter.go

@@ -51,8 +51,23 @@ func ListInstanceTrustedDomainsRequestToModel(req *admin_pb.ListInstanceTrustedD
 			Offset:        offset,
 			Limit:         limit,
 			Asc:           asc,
-			SortingColumn: fieldNameToInstanceDomainColumn(req.SortingColumn),
+			SortingColumn: fieldNameToInstanceTrustedDomainColumn(req.SortingColumn),
 		},
 		Queries: queries,
 	}, nil
 }
+
+func fieldNameToInstanceTrustedDomainColumn(fieldName instance.DomainFieldName) query.Column {
+	switch fieldName {
+	case instance.DomainFieldName_DOMAIN_FIELD_NAME_DOMAIN:
+		return query.InstanceTrustedDomainDomainCol
+	case instance.DomainFieldName_DOMAIN_FIELD_NAME_CREATION_DATE:
+		return query.InstanceTrustedDomainCreationDateCol
+	case instance.DomainFieldName_DOMAIN_FIELD_NAME_UNSPECIFIED,
+		instance.DomainFieldName_DOMAIN_FIELD_NAME_PRIMARY,
+		instance.DomainFieldName_DOMAIN_FIELD_NAME_GENERATED:
+		return query.InstanceTrustedDomainCreationDateCol
+	default:
+		return query.Column{}
+	}
+}

internal/api/grpc/admin/org.go

@@ -9,7 +9,6 @@ import (
 	http_utils "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
-	"github.com/zitadel/zitadel/internal/query"
 	admin_pb "github.com/zitadel/zitadel/pkg/grpc/admin"
 )
 
@@ -104,17 +103,5 @@ func (s *Server) SetUpOrg(ctx context.Context, req *admin_pb.SetUpOrgRequest) (*
 }
 
 func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain string) ([]string, error) {
-	loginName, err := query.NewUserPreferredLoginNameSearchQuery("@"+orgDomain, query.TextEndsWithIgnoreCase)
-	if err != nil {
-		return nil, err
-	}
-	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: []query.SearchQuery{loginName}}, nil)
-	if err != nil {
-		return nil, err
-	}
-	userIDs := make([]string, len(users.Users))
-	for i, user := range users.Users {
-		userIDs[i] = user.ID
-	}
-	return userIDs, nil
+	return s.query.SearchClaimedUserIDsOfOrgDomain(ctx, orgDomain, "")
 }

internal/api/grpc/management/org.go

@@ -316,28 +316,7 @@ func (s *Server) RemoveOrgMember(ctx context.Context, req *mgmt_pb.RemoveOrgMemb
 }
 
 func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain, orgID string) ([]string, error) {
-	queries := make([]query.SearchQuery, 0, 2)
-	loginName, err := query.NewUserPreferredLoginNameSearchQuery("@"+orgDomain, query.TextEndsWithIgnoreCase)
-	if err != nil {
-		return nil, err
-	}
-	queries = append(queries, loginName)
-	if orgID != "" {
-		owner, err := query.NewUserResourceOwnerSearchQuery(orgID, query.TextNotEquals)
-		if err != nil {
-			return nil, err
-		}
-		queries = append(queries, owner)
-	}
-	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: queries}, nil)
-	if err != nil {
-		return nil, err
-	}
-	userIDs := make([]string, len(users.Users))
-	for i, user := range users.Users {
-		userIDs[i] = user.ID
-	}
-	return userIDs, nil
+	return s.query.SearchClaimedUserIDsOfOrgDomain(ctx, orgDomain, orgID)
 }
 
 func (s *Server) ListOrgMetadata(ctx context.Context, req *mgmt_pb.ListOrgMetadataRequest) (*mgmt_pb.ListOrgMetadataResponse, error) {

internal/api/grpc/org/v2beta/integration_test/org_test.go

@@ -47,14 +47,17 @@ func TestMain(m *testing.M) {
 func TestServer_CreateOrganization(t *testing.T) {
 	idpResp := Instance.AddGenericOAuthProvider(CTX, Instance.DefaultOrg.Id)
 
-	tests := []struct {
-		name    string
-		ctx     context.Context
-		req     *v2beta_org.CreateOrganizationRequest
-		id      string
-		want    *v2beta_org.CreateOrganizationResponse
-		wantErr bool
-	}{
+	type test struct {
+		name     string
+		ctx      context.Context
+		req      *v2beta_org.CreateOrganizationRequest
+		id       string
+		testFunc func(ctx context.Context, t *testing.T)
+		want     *v2beta_org.CreateOrganizationResponse
+		wantErr  bool
+	}
+
+	tests := []test{
 		{
 			name: "missing permission",
 			ctx:  Instance.WithAuthorization(CTX, integration.UserTypeOrgOwner),
@@ -73,6 +76,25 @@ func TestServer_CreateOrganization(t *testing.T) {
 			},
 			wantErr: true,
 		},
+		func() test {
+			orgName := gofakeit.Name()
+			return test{
+				name: "adding org with same name twice",
+				ctx:  CTX,
+				req: &v2beta_org.CreateOrganizationRequest{
+					Name:   orgName,
+					Admins: nil,
+				},
+				testFunc: func(ctx context.Context, t *testing.T) {
+					// create org initially
+					_, err := Client.CreateOrganization(ctx, &v2beta_org.CreateOrganizationRequest{
+						Name: orgName,
+					})
+					require.NoError(t, err)
+				},
+				wantErr: true,
+			}
+		}(),
 		{
 			name: "invalid admin type",
 			ctx:  CTX,
@@ -208,11 +230,38 @@ func TestServer_CreateOrganization(t *testing.T) {
 				Name: gofakeit.AppName(),
 				Id:   gu.Ptr("custom_id"),
 			},
-			want: &v2beta_org.CreateOrganizationResponse{},
+			want: &v2beta_org.CreateOrganizationResponse{
+				Id: "custom_id",
+			},
 		},
+		func() test {
+			orgID := gofakeit.Name()
+			return test{
+				name: "adding org with same ID twice",
+				ctx:  CTX,
+				req: &v2beta_org.CreateOrganizationRequest{
+					Id:     &orgID,
+					Name:   gofakeit.Name(),
+					Admins: nil,
+				},
+				testFunc: func(ctx context.Context, t *testing.T) {
+					// create org initially
+					_, err := Client.CreateOrganization(ctx, &v2beta_org.CreateOrganizationRequest{
+						Id:   &orgID,
+						Name: gofakeit.Name(),
+					})
+					require.NoError(t, err)
+				},
+				wantErr: true,
+			}
+		}(),
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			if tt.testFunc != nil {
+				tt.testFunc(tt.ctx, t)
+			}
+
 			got, err := Client.CreateOrganization(tt.ctx, tt.req)
 			if tt.wantErr {
 				require.Error(t, err)
@@ -1044,6 +1093,70 @@ func TestServer_AddOrganizationDomain(t *testing.T) {
 	}
 }
 
+func TestServer_AddOrganizationDomain_ClaimDomain(t *testing.T) {
+	domain := gofakeit.DomainName()
+
+	// create an organization, ensure it has globally unique usernames
+	// and create a user with a loginname that matches the domain later on
+	organization, err := Client.CreateOrganization(CTX, &v2beta_org.CreateOrganizationRequest{
+		Name: gofakeit.AppName(),
+	})
+	require.NoError(t, err)
+	_, err = Instance.Client.Admin.AddCustomDomainPolicy(CTX, &admin.AddCustomDomainPolicyRequest{
+		OrgId:                 organization.GetId(),
+		UserLoginMustBeDomain: false,
+	})
+	require.NoError(t, err)
+	username := gofakeit.Username() + "@" + domain
+	ownUser := Instance.CreateHumanUserVerified(CTX, organization.GetId(), username, "")
+
+	// create another organization, ensure it has globally unique usernames
+	// and create a user with a loginname that matches the domain later on
+	otherOrg, err := Client.CreateOrganization(CTX, &v2beta_org.CreateOrganizationRequest{
+		Name: gofakeit.AppName(),
+	})
+	require.NoError(t, err)
+	_, err = Instance.Client.Admin.AddCustomDomainPolicy(CTX, &admin.AddCustomDomainPolicyRequest{
+		OrgId:                 otherOrg.GetId(),
+		UserLoginMustBeDomain: false,
+	})
+	require.NoError(t, err)
+
+	otherUsername := gofakeit.Username() + "@" + domain
+	otherUser := Instance.CreateHumanUserVerified(CTX, otherOrg.GetId(), otherUsername, "")
+
+	// if we add the domain now to the first organization, it should be claimed on the second organization, resp. its user(s)
+	_, err = Client.AddOrganizationDomain(CTX, &v2beta_org.AddOrganizationDomainRequest{
+		OrganizationId: organization.GetId(),
+		Domain:         domain,
+	})
+	require.NoError(t, err)
+
+	// check both users: the first one must be untouched, the second one must be updated
+	users, err := Instance.Client.UserV2.ListUsers(CTX, &user.ListUsersRequest{
+		Queries: []*user.SearchQuery{
+			{
+				Query: &user.SearchQuery_InUserIdsQuery{
+					InUserIdsQuery: &user.InUserIDQuery{UserIds: []string{ownUser.GetUserId(), otherUser.GetUserId()}},
+				},
+			},
+		},
+	})
+	require.NoError(t, err)
+	require.Len(t, users.GetResult(), 2)
+
+	for _, u := range users.GetResult() {
+		if u.GetUserId() == ownUser.GetUserId() {
+			assert.Equal(t, username, u.GetPreferredLoginName())
+			continue
+		}
+		if u.GetUserId() == otherUser.GetUserId() {
+			assert.NotEqual(t, otherUsername, u.GetPreferredLoginName())
+			assert.Contains(t, u.GetPreferredLoginName(), "@temporary.")
+		}
+	}
+}
+
 func TestServer_ListOrganizationDomains(t *testing.T) {
 	domain := gofakeit.URL()
 	tests := []struct {

internal/api/grpc/org/v2beta/org.go

@@ -250,26 +250,5 @@ func createOrganizationRequestAdminToCommand(admin *v2beta_org.CreateOrganizatio
 }
 
 func (s *Server) getClaimedUserIDsOfOrgDomain(ctx context.Context, orgDomain, orgID string) ([]string, error) {
-	queries := make([]query.SearchQuery, 0, 2)
-	loginName, err := query.NewUserPreferredLoginNameSearchQuery("@"+orgDomain, query.TextEndsWithIgnoreCase)
-	if err != nil {
-		return nil, err
-	}
-	queries = append(queries, loginName)
-	if orgID != "" {
-		owner, err := query.NewUserResourceOwnerSearchQuery(orgID, query.TextNotEquals)
-		if err != nil {
-			return nil, err
-		}
-		queries = append(queries, owner)
-	}
-	users, err := s.query.SearchUsers(ctx, &query.UserSearchQueries{Queries: queries}, nil)
-	if err != nil {
-		return nil, err
-	}
-	userIDs := make([]string, len(users.Users))
-	for i, user := range users.Users {
-		userIDs[i] = user.ID
-	}
-	return userIDs, nil
+	return s.query.SearchClaimedUserIDsOfOrgDomain(ctx, orgDomain, orgID)
 }