feat: restrict login to specific org by id (scope) (#4294)

* feat: add new org scope

* change default of UserLoginMustBeDomain to false

* return resource owner claims

* fix: use email style for first user

* fix: ensure email style for default users (backwards compatibility)

* change to external domain (as it was before UserLoginMustBeDomain change)

* update e2e tests to use email style usernames

* document new scope

* lint e2e

Co-authored-by: Fabi <38692350+hifabienne@users.noreply.github.com>

internal/api/grpc/system/server.go

@@ -25,25 +25,29 @@ type Server struct {
 	command         *command.Commands
 	query           *query.Queries
 	administrator   repository.AdministratorRepository
-	DefaultInstance command.InstanceSetup
+	defaultInstance command.InstanceSetup
+	externalDomain  string
 }
 
 type Config struct {
 	Repository eventsourcing.Config
 }
 
-func CreateServer(command *command.Commands,
+func CreateServer(
+	command *command.Commands,
 	query *query.Queries,
 	repo repository.Repository,
 	database string,
 	defaultInstance command.InstanceSetup,
+	externalDomain string,
 ) *Server {
 	return &Server{
 		command:         command,
 		query:           query,
 		administrator:   repo,
 		database:        database,
-		DefaultInstance: defaultInstance,
+		defaultInstance: defaultInstance,
+		externalDomain:  externalDomain,
 	}
 }