feat: v2 api add way to list authentication factors (#9065)

# Which Problems Are Solved The v2 api currently has no endpoint the get all second factors of a user. # How the Problems Are Solved Our v1 api has the ListHumanAuthFactors which got added to the v2 api under the User resource. # Additional Changes # Additional Context Closes #8833 --------- Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
2025-08-11 14:47:33 +00:00 · 2025-01-02 14:14:49 +01:00
parent e1f0d46393
commit a3d80f93ff
7 changed files with 518 additions and 2 deletions
--- a/proto/zitadel/user/v2/user.proto
+++ b/proto/zitadel/user/v2/user.proto
@@ -276,6 +276,36 @@ message Passkey {
  ];
 }

+message AuthFactor {
+  AuthFactorState state = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "current state of the auth factor";
+    }
+  ];
+  oneof type {
+    AuthFactorOTP otp = 2 [
+      (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+        description: "TOTP second factor"
+      }
+    ];
+    AuthFactorU2F u2f = 3 [
+      (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+        description: "U2F second factor"
+      }
+    ];
+    AuthFactorOTPSMS otp_sms = 4 [
+      (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+        description: "SMS second factor"
+      }
+    ];
+    AuthFactorOTPEmail otp_email = 5 [
+      (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+        description: "Email second factor"
+      }
+    ];
+  }
+}
+
 enum AuthFactorState {
  AUTH_FACTOR_STATE_UNSPECIFIED = 0;
  AUTH_FACTOR_STATE_NOT_READY = 1;
@@ -283,6 +313,23 @@ enum AuthFactorState {
  AUTH_FACTOR_STATE_REMOVED = 3;
 }

+message AuthFactorOTP {}
+message AuthFactorOTPSMS {}
+message AuthFactorOTPEmail {}
+
+message AuthFactorU2F {
+  string id = 1 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"69629023906488334\""
+    }
+  ];
+  string name = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      example: "\"fido key\""
+    }
+  ];
+}
+
 message SendInviteCode {
  // Optionally set a url_template, which will be used in the invite mail sent by ZITADEL to guide the user to your invitation page.
  // If no template is set, the default ZITADEL url will be used.
--- a/proto/zitadel/user/v2/user_service.proto
+++ b/proto/zitadel/user/v2/user_service.proto
@@ -1110,6 +1110,28 @@ service UserService {
    };
  }

+  rpc ListAuthenticationFactors(ListAuthenticationFactorsRequest) returns (ListAuthenticationFactorsResponse) {
+    option (google.api.http) = {
+      post: "/v2/users/{user_id}/authentication_factors/_search"
+    };
+
+    option (zitadel.protoc_gen_zitadel.v2.options) = {
+      auth_option: {
+        permission: "authenticated"
+      }
+    };
+
+    option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+      responses: {
+        key: "200"
+        value: {
+          description: "OK";
+        }
+      };
+    };
+
+  }
+
  // Create an invite code for a user
  //
  // Create an invite code for a user to initialize their first authentication method (password, passkeys, IdP) depending on the organization's available methods.
@@ -2216,6 +2238,41 @@ enum AuthenticationMethodType {
  AUTHENTICATION_METHOD_TYPE_OTP_EMAIL = 7;
 }

+message ListAuthenticationFactorsRequest{
+  string user_id = 1 [
+    (validate.rules).string = {min_len: 1, max_len: 200},
+    (google.api.field_behavior) = REQUIRED,
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      min_length: 1;
+      max_length: 200;
+      example: "\"69629026806489455\"";
+    }
+  ];
+  repeated AuthFactors auth_factors = 2 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "Specify the Auth Factors you are interested in"
+      default: "All Auth Factors"
+    }
+  ];
+  repeated AuthFactorState states = 3 [
+    (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+      description: "Specify the state of the Auth Factors"
+      default: "Auth Factors that are ready"
+    }
+  ];
+}
+
+enum AuthFactors {
+  OTP = 0;
+  OTP_SMS = 1;
+  OTP_EMAIL = 2;
+  U2F = 3;
+}
+
+message ListAuthenticationFactorsResponse {
+  repeated zitadel.user.v2.AuthFactor result = 1;
+}
+
 message CreateInviteCodeRequest {
  string user_id = 1 [
    (validate.rules).string = {min_len: 1, max_len: 200},