feat: project roles (#843)

* fix logging

* token verification

* feat: assert roles

* feat: add project role assertion on project and token type on app

* id and access token role assertion

* add project role check

* user grant required step in login

* update library

* fix merge

* fix merge

* fix merge

* update oidc library

* fix tests

* add tests for GrantRequiredStep

* add missing field ProjectRoleCheck on project view model

* fix project create

* fix project create
This commit is contained in:
Livio Amstutz
2020-10-16 07:49:38 +02:00
committed by GitHub
parent f5a7a0a09f
commit a321d850ae
57 changed files with 10894 additions and 18297 deletions


@@ -2180,11 +2180,15 @@ enum OrgMemberSearchKey {
message ProjectCreateRequest {
string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
bool project_role_assertion = 2;
bool project_role_check = 3;
}
message ProjectUpdateRequest {
string id = 1 [(validate.rules).string = {min_len: 1}];
string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
bool project_role_assertion = 3;
bool project_role_check = 4;
}
message ProjectSearchResponse {
@@ -2204,6 +2208,8 @@ message ProjectView {
google.protobuf.Timestamp creation_date = 5;
string resource_owner = 6;
uint64 sequence = 7;
bool project_role_assertion = 8;
bool project_role_check = 9;
}
message ProjectSearchRequest {
@@ -2234,6 +2240,8 @@ message Project {
google.protobuf.Timestamp change_date = 4;
google.protobuf.Timestamp creation_date = 5;
uint64 sequence = 6;
bool project_role_assertion = 7;
bool project_role_check = 8;
}
enum ProjectState {
@@ -2423,6 +2431,9 @@ message OIDCConfig {
bool none_compliant = 10;
repeated caos.zitadel.api.v1.LocalizedMessage compliance_problems = 11;
bool dev_mode = 12;
OIDCTokenType access_token_type = 13;
bool access_token_role_assertion = 14;
bool id_token_role_assertion = 15;
}
message OIDCApplicationCreate {
@@ -2436,12 +2447,20 @@ message OIDCApplicationCreate {
repeated string post_logout_redirect_uris = 8;
OIDCVersion version = 9;
bool dev_mode = 10;
OIDCTokenType access_token_type = 11;
bool access_token_role_assertion = 12;
bool id_token_role_assertion = 13;
}
enum OIDCVersion {
OIDCV1_0 = 0;
}
enum OIDCTokenType {
OIDCTokenType_Bearer = 0;
OIDCTokenType_JWT = 1;
}
message OIDCConfigUpdate {
string project_id = 1 [(validate.rules).string = {min_len: 1}];
string application_id = 2 [(validate.rules).string = {min_len: 1}];
@@ -2452,6 +2471,9 @@ message OIDCConfigUpdate {
OIDCAuthMethodType auth_method_type = 7;
repeated string post_logout_redirect_uris = 8;
bool dev_mode = 9;
OIDCTokenType access_token_type = 10;
bool access_token_role_assertion = 11;
bool id_token_role_assertion = 12;
}
enum OIDCResponseType {
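Review bot: The new flags `project_role_check`, `project_role_assertion`, `access_token_role_assertion` and `id_token_role_assertion` are added without leading comments, so a caller of ProjectCreateRequest or OIDCApplicationCreate cannot tell from the schema what each one enforces or what the `false` default means, and since these gate whether a user may log in and which roles end up in a token, each deserves a comment. Judging from the commit message ("user grant required step in login"), `project_role_check` appears to make a user grant on the project a precondition for login and the two token flags appear to control whether roles are written into the access and ID token; if that is right, state it on the field, e.g. `// Require a user grant on this project before a user may log in to any of its apps (default false: no check).` above `bool project_role_check = 3;` and the same text in ProjectUpdateRequest, ProjectView and Project. `access_token_role_assertion` presumably only has an effect when `access_token_type` is `OIDCTokenType_JWT`, since an opaque bearer token carries no claims — say so on the field, and note on `OIDCTokenType` that `OIDCTokenType_Bearer` being the zero value is intentional so applications created before this field existed keep receiving opaque tokens. The project-level `project_role_assertion` and the app-level `*_role_assertion` flags are not related anywhere in the schema; one sentence on which takes precedence when they disagree would spare implementers from guessing.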