feat: exchange gRPC server implementation to connectRPC (#10145)

# Which Problems Are Solved

The current maintained gRPC server in combination with a REST (grpc)
gateway is getting harder and harder to maintain. Additionally, there
have been and still are issues with supporting / displaying `oneOf`s
correctly.
We therefore decided to exchange the server implementation to
connectRPC, which apart from supporting connect as protocol, also also
"standard" gRCP clients as well as HTTP/1.1 / rest like clients, e.g.
curl directly call the server without any additional gateway.

# How the Problems Are Solved

- All v2 services are moved to connectRPC implementation. (v1 services
are still served as pure grpc servers)
- All gRPC server interceptors were migrated / copied to a corresponding
connectRPC interceptor.
- API.ListGrpcServices and API. ListGrpcMethods were changed to include
the connect services and endpoints.
- gRPC server reflection was changed to a `StaticReflector` using the
`ListGrpcServices` list.
- The `grpc.Server` interfaces was split into different combinations to
be able to handle the different cases (grpc server and prefixed gateway,
connect server with grpc gateway, connect server only, ...)
- Docs of services serving connectRPC only with no additional gateway
(instance, webkey, project, app, org v2 beta) are changed to expose that
- since the plugin is not yet available on buf, we download it using
`postinstall` hook of the docs

# Additional Changes

- WebKey service is added as v2 service (in addition to the current
v2beta)

# Additional Context

closes #9483

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>

internal/api/grpc/oidc/v2/oidc.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/base64"
 
+	"connectrpc.com/connect"
 	"github.com/zitadel/logging"
 	"github.com/zitadel/oidc/v3/pkg/op"
 	"google.golang.org/protobuf/types/known/durationpb"
@@ -18,30 +19,30 @@ import (
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2"
 )
 
-func (s *Server) GetAuthRequest(ctx context.Context, req *oidc_pb.GetAuthRequestRequest) (*oidc_pb.GetAuthRequestResponse, error) {
-	authRequest, err := s.query.AuthRequestByID(ctx, true, req.GetAuthRequestId(), true)
+func (s *Server) GetAuthRequest(ctx context.Context, req *connect.Request[oidc_pb.GetAuthRequestRequest]) (*connect.Response[oidc_pb.GetAuthRequestResponse], error) {
+	authRequest, err := s.query.AuthRequestByID(ctx, true, req.Msg.GetAuthRequestId(), true)
 	if err != nil {
 		logging.WithError(err).Error("query authRequest by ID")
 		return nil, err
 	}
-	return &oidc_pb.GetAuthRequestResponse{
+	return connect.NewResponse(&oidc_pb.GetAuthRequestResponse{
 		AuthRequest: authRequestToPb(authRequest),
-	}, nil
+	}), nil
 }
 
-func (s *Server) CreateCallback(ctx context.Context, req *oidc_pb.CreateCallbackRequest) (*oidc_pb.CreateCallbackResponse, error) {
-	switch v := req.GetCallbackKind().(type) {
+func (s *Server) CreateCallback(ctx context.Context, req *connect.Request[oidc_pb.CreateCallbackRequest]) (*connect.Response[oidc_pb.CreateCallbackResponse], error) {
+	switch v := req.Msg.GetCallbackKind().(type) {
 	case *oidc_pb.CreateCallbackRequest_Error:
-		return s.failAuthRequest(ctx, req.GetAuthRequestId(), v.Error)
+		return s.failAuthRequest(ctx, req.Msg.GetAuthRequestId(), v.Error)
 	case *oidc_pb.CreateCallbackRequest_Session:
-		return s.linkSessionToAuthRequest(ctx, req.GetAuthRequestId(), v.Session)
+		return s.linkSessionToAuthRequest(ctx, req.Msg.GetAuthRequestId(), v.Session)
 	default:
 		return nil, zerrors.ThrowUnimplementedf(nil, "OIDCv2-zee7A", "verification oneOf %T in method CreateCallback not implemented", v)
 	}
 }
 
-func (s *Server) GetDeviceAuthorizationRequest(ctx context.Context, req *oidc_pb.GetDeviceAuthorizationRequestRequest) (*oidc_pb.GetDeviceAuthorizationRequestResponse, error) {
-	deviceRequest, err := s.query.DeviceAuthRequestByUserCode(ctx, req.GetUserCode())
+func (s *Server) GetDeviceAuthorizationRequest(ctx context.Context, req *connect.Request[oidc_pb.GetDeviceAuthorizationRequestRequest]) (*connect.Response[oidc_pb.GetDeviceAuthorizationRequestResponse], error) {
+	deviceRequest, err := s.query.DeviceAuthRequestByUserCode(ctx, req.Msg.GetUserCode())
 	if err != nil {
 		return nil, err
 	}
@@ -49,7 +50,7 @@ func (s *Server) GetDeviceAuthorizationRequest(ctx context.Context, req *oidc_pb
 	if err != nil {
 		return nil, err
 	}
-	return &oidc_pb.GetDeviceAuthorizationRequestResponse{
+	return connect.NewResponse(&oidc_pb.GetDeviceAuthorizationRequestResponse{
 		DeviceAuthorizationRequest: &oidc_pb.DeviceAuthorizationRequest{
 			Id:          base64.RawURLEncoding.EncodeToString(encrypted),
 			ClientId:    deviceRequest.ClientID,
@@ -57,24 +58,24 @@ func (s *Server) GetDeviceAuthorizationRequest(ctx context.Context, req *oidc_pb
 			AppName:     deviceRequest.AppName,
 			ProjectName: deviceRequest.ProjectName,
 		},
-	}, nil
+	}), nil
 }
 
-func (s *Server) AuthorizeOrDenyDeviceAuthorization(ctx context.Context, req *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest) (*oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse, error) {
-	deviceCode, err := s.deviceCodeFromID(req.GetDeviceAuthorizationId())
+func (s *Server) AuthorizeOrDenyDeviceAuthorization(ctx context.Context, req *connect.Request[oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest]) (*connect.Response[oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse], error) {
+	deviceCode, err := s.deviceCodeFromID(req.Msg.GetDeviceAuthorizationId())
 	if err != nil {
 		return nil, err
 	}
-	switch req.GetDecision().(type) {
+	switch req.Msg.GetDecision().(type) {
 	case *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Session:
-		_, err = s.command.ApproveDeviceAuthWithSession(ctx, deviceCode, req.GetSession().GetSessionId(), req.GetSession().GetSessionToken())
+		_, err = s.command.ApproveDeviceAuthWithSession(ctx, deviceCode, req.Msg.GetSession().GetSessionId(), req.Msg.GetSession().GetSessionToken())
 	case *oidc_pb.AuthorizeOrDenyDeviceAuthorizationRequest_Deny:
 		_, err = s.command.CancelDeviceAuth(ctx, deviceCode, domain.DeviceAuthCanceledDenied)
 	}
 	if err != nil {
 		return nil, err
 	}
-	return &oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}, nil
+	return connect.NewResponse(&oidc_pb.AuthorizeOrDenyDeviceAuthorizationResponse{}), nil
 }
 
 func authRequestToPb(a *query.AuthRequest) *oidc_pb.AuthRequest {
@@ -136,7 +137,7 @@ func (s *Server) checkPermission(ctx context.Context, clientID string, userID st
 	return nil
 }
 
-func (s *Server) failAuthRequest(ctx context.Context, authRequestID string, ae *oidc_pb.AuthorizationError) (*oidc_pb.CreateCallbackResponse, error) {
+func (s *Server) failAuthRequest(ctx context.Context, authRequestID string, ae *oidc_pb.AuthorizationError) (*connect.Response[oidc_pb.CreateCallbackResponse], error) {
 	details, aar, err := s.command.FailAuthRequest(ctx, authRequestID, errorReasonToDomain(ae.GetError()))
 	if err != nil {
 		return nil, err
@@ -146,13 +147,13 @@ func (s *Server) failAuthRequest(ctx context.Context, authRequestID string, ae *
 	if err != nil {
 		return nil, err
 	}
-	return &oidc_pb.CreateCallbackResponse{
+	return connect.NewResponse(&oidc_pb.CreateCallbackResponse{
 		Details:     object.DomainToDetailsPb(details),
 		CallbackUrl: callback,
-	}, nil
+	}), nil
 }
 
-func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID string, session *oidc_pb.Session) (*oidc_pb.CreateCallbackResponse, error) {
+func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID string, session *oidc_pb.Session) (*connect.Response[oidc_pb.CreateCallbackResponse], error) {
 	details, aar, err := s.command.LinkSessionToAuthRequest(ctx, authRequestID, session.GetSessionId(), session.GetSessionToken(), true, s.checkPermission)
 	if err != nil {
 		return nil, err
@@ -172,10 +173,10 @@ func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID str
 	if err != nil {
 		return nil, err
 	}
-	return &oidc_pb.CreateCallbackResponse{
+	return connect.NewResponse(&oidc_pb.CreateCallbackResponse{
 		Details:     object.DomainToDetailsPb(details),
 		CallbackUrl: callback,
-	}, nil
+	}), nil
 }
 
 func errorReasonToDomain(errorReason oidc_pb.ErrorReason) domain.OIDCErrorReason {

internal/api/grpc/oidc/v2/server.go

@@ -1,7 +1,10 @@
 package oidc
 
 import (
-	"google.golang.org/grpc"
+	"net/http"
+
+	"connectrpc.com/connect"
+	"google.golang.org/protobuf/reflect/protoreflect"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/server"
@@ -10,12 +13,12 @@ import (
 	"github.com/zitadel/zitadel/internal/crypto"
 	"github.com/zitadel/zitadel/internal/query"
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2"
+	"github.com/zitadel/zitadel/pkg/grpc/oidc/v2/oidcconnect"
 )
 
-var _ oidc_pb.OIDCServiceServer = (*Server)(nil)
+var _ oidcconnect.OIDCServiceHandler = (*Server)(nil)
 
 type Server struct {
-	oidc_pb.UnimplementedOIDCServiceServer
 	command *command.Commands
 	query   *query.Queries
 
@@ -42,8 +45,12 @@ func CreateServer(
 	}
 }
 
-func (s *Server) RegisterServer(grpcServer *grpc.Server) {
-	oidc_pb.RegisterOIDCServiceServer(grpcServer, s)
+func (s *Server) RegisterConnectServer(interceptors ...connect.Interceptor) (string, http.Handler) {
+	return oidcconnect.NewOIDCServiceHandler(s, connect.WithInterceptors(interceptors...))
+}
+
+func (s *Server) FileDescriptor() protoreflect.FileDescriptor {
+	return oidc_pb.File_zitadel_oidc_v2_oidc_service_proto
 }
 
 func (s *Server) AppName() string {

internal/api/grpc/oidc/v2beta/oidc.go

@@ -3,6 +3,7 @@ package oidc
 import (
 	"context"
 
+	"connectrpc.com/connect"
 	"github.com/zitadel/logging"
 	"github.com/zitadel/oidc/v3/pkg/op"
 	"google.golang.org/protobuf/types/known/durationpb"
@@ -17,15 +18,15 @@ import (
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta"
 )
 
-func (s *Server) GetAuthRequest(ctx context.Context, req *oidc_pb.GetAuthRequestRequest) (*oidc_pb.GetAuthRequestResponse, error) {
-	authRequest, err := s.query.AuthRequestByID(ctx, true, req.GetAuthRequestId(), true)
+func (s *Server) GetAuthRequest(ctx context.Context, req *connect.Request[oidc_pb.GetAuthRequestRequest]) (*connect.Response[oidc_pb.GetAuthRequestResponse], error) {
+	authRequest, err := s.query.AuthRequestByID(ctx, true, req.Msg.GetAuthRequestId(), true)
 	if err != nil {
 		logging.WithError(err).Error("query authRequest by ID")
 		return nil, err
 	}
-	return &oidc_pb.GetAuthRequestResponse{
+	return connect.NewResponse(&oidc_pb.GetAuthRequestResponse{
 		AuthRequest: authRequestToPb(authRequest),
-	}, nil
+	}), nil
 }
 
 func authRequestToPb(a *query.AuthRequest) *oidc_pb.AuthRequest {
@@ -73,18 +74,18 @@ func promptToPb(p domain.Prompt) oidc_pb.Prompt {
 	}
 }
 
-func (s *Server) CreateCallback(ctx context.Context, req *oidc_pb.CreateCallbackRequest) (*oidc_pb.CreateCallbackResponse, error) {
-	switch v := req.GetCallbackKind().(type) {
+func (s *Server) CreateCallback(ctx context.Context, req *connect.Request[oidc_pb.CreateCallbackRequest]) (*connect.Response[oidc_pb.CreateCallbackResponse], error) {
+	switch v := req.Msg.GetCallbackKind().(type) {
 	case *oidc_pb.CreateCallbackRequest_Error:
-		return s.failAuthRequest(ctx, req.GetAuthRequestId(), v.Error)
+		return s.failAuthRequest(ctx, req.Msg.GetAuthRequestId(), v.Error)
 	case *oidc_pb.CreateCallbackRequest_Session:
-		return s.linkSessionToAuthRequest(ctx, req.GetAuthRequestId(), v.Session)
+		return s.linkSessionToAuthRequest(ctx, req.Msg.GetAuthRequestId(), v.Session)
 	default:
 		return nil, zerrors.ThrowUnimplementedf(nil, "OIDCv2-zee7A", "verification oneOf %T in method CreateCallback not implemented", v)
 	}
 }
 
-func (s *Server) failAuthRequest(ctx context.Context, authRequestID string, ae *oidc_pb.AuthorizationError) (*oidc_pb.CreateCallbackResponse, error) {
+func (s *Server) failAuthRequest(ctx context.Context, authRequestID string, ae *oidc_pb.AuthorizationError) (*connect.Response[oidc_pb.CreateCallbackResponse], error) {
 	details, aar, err := s.command.FailAuthRequest(ctx, authRequestID, errorReasonToDomain(ae.GetError()))
 	if err != nil {
 		return nil, err
@@ -94,10 +95,10 @@ func (s *Server) failAuthRequest(ctx context.Context, authRequestID string, ae *
 	if err != nil {
 		return nil, err
 	}
-	return &oidc_pb.CreateCallbackResponse{
+	return connect.NewResponse(&oidc_pb.CreateCallbackResponse{
 		Details:     object.DomainToDetailsPb(details),
 		CallbackUrl: callback,
-	}, nil
+	}), nil
 }
 
 func (s *Server) checkPermission(ctx context.Context, clientID string, userID string) error {
@@ -114,7 +115,7 @@ func (s *Server) checkPermission(ctx context.Context, clientID string, userID st
 	return nil
 }
 
-func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID string, session *oidc_pb.Session) (*oidc_pb.CreateCallbackResponse, error) {
+func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID string, session *oidc_pb.Session) (*connect.Response[oidc_pb.CreateCallbackResponse], error) {
 	details, aar, err := s.command.LinkSessionToAuthRequest(ctx, authRequestID, session.GetSessionId(), session.GetSessionToken(), true, s.checkPermission)
 	if err != nil {
 		return nil, err
@@ -130,10 +131,10 @@ func (s *Server) linkSessionToAuthRequest(ctx context.Context, authRequestID str
 	if err != nil {
 		return nil, err
 	}
-	return &oidc_pb.CreateCallbackResponse{
+	return connect.NewResponse(&oidc_pb.CreateCallbackResponse{
 		Details:     object.DomainToDetailsPb(details),
 		CallbackUrl: callback,
-	}, nil
+	}), nil
 }
 
 func errorReasonToDomain(errorReason oidc_pb.ErrorReason) domain.OIDCErrorReason {

internal/api/grpc/oidc/v2beta/server.go

@@ -1,7 +1,10 @@
 package oidc
 
 import (
-	"google.golang.org/grpc"
+	"net/http"
+
+	"connectrpc.com/connect"
+	"google.golang.org/protobuf/reflect/protoreflect"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/server"
@@ -9,12 +12,12 @@ import (
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/query"
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta"
+	"github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta/oidcconnect"
 )
 
-var _ oidc_pb.OIDCServiceServer = (*Server)(nil)
+var _ oidcconnect.OIDCServiceHandler = (*Server)(nil)
 
 type Server struct {
-	oidc_pb.UnimplementedOIDCServiceServer
 	command *command.Commands
 	query   *query.Queries
 
@@ -38,8 +41,12 @@ func CreateServer(
 	}
 }
 
-func (s *Server) RegisterServer(grpcServer *grpc.Server) {
-	oidc_pb.RegisterOIDCServiceServer(grpcServer, s)
+func (s *Server) RegisterConnectServer(interceptors ...connect.Interceptor) (string, http.Handler) {
+	return oidcconnect.NewOIDCServiceHandler(s, connect.WithInterceptors(interceptors...))
+}
+
+func (s *Server) FileDescriptor() protoreflect.FileDescriptor {
+	return oidc_pb.File_zitadel_oidc_v2beta_oidc_service_proto
 }
 
 func (s *Server) AppName() string {