fixup! fixup! fixup! fixup! fixup! added first event

2025-08-11 15:49:35 +00:00 · 2025-07-29 13:24:42 +01:00
parent 4f75d9b561
commit ae65867849
10 changed files with 787 additions and 236 deletions
--- a/backend/v3/domain/id_provider.go
+++ b/backend/v3/domain/id_provider.go
@@ -35,6 +35,15 @@ const (
 	IDPStateInactive
 )

+//go:generate enumer -type IDPAutoLinkingOption -transform lower -trimprefix IDPAutoLinkingOption
+type IDPAutoLinkingOption uint8
+
+const (
+	IDPAutoLinkingOptionUnspecified IDPAutoLinkingOption = iota
+	IDPAutoLinkingOptionUserName
+	IDPAutoLinkingOptionEmail
+)
+
 type OIDCMappingField int8

 const (
@@ -57,8 +66,8 @@ type IdentityProvider struct {
 	AllowAutoCreation bool      `json:"allowAutoCreation,omitempty" db:"allow_auto_creation"`
 	AllowAutoUpdate   bool      `json:"allowAutoUpdate,omitempty" db:"allow_auto_update"`
 	AllowLinking      bool      `json:"allowLinking,omitempty" db:"allow_linking"`
-	AllowAutoLinking  bool      `json:"allowAutoLinking,omitempty" db:"allow_auto_linking"`
-	StylingType       int16     `json:"stylingType,omitempty" db:"styling_type"`
+	AllowAutoLinking  string    `json:"allowAutoLinking,omitempty" db:"allow_auto_linking"`
+	StylingType       *int16    `json:"stylingType,omitempty" db:"styling_type"`
 	Payload           *string   `json:"payload,omitempty" db:"payload"`
 	CreatedAt         time.Time `json:"createdAt,omitempty" db:"created_at"`
 	UpdatedAt         time.Time `json:"updatedAt,omitempty" db:"updated_at"`
@@ -74,6 +83,8 @@ type OIDC struct {
 	Scopes                []string           `json:"scopes,omitempty"`
 	IDPDisplayNameMapping OIDCMappingField   `json:"IDPDisplayNameMapping,omitempty"`
 	UserNameMapping       OIDCMappingField   `json:"usernameMapping,omitempty"`
+	IsIDTokenMapping      bool               `json:"idTokenMapping,omitempty"`
+	UsePKCE               bool               `json:"usePKCE,omitempty"`
 }

 type IDPOIDC struct {
@@ -94,6 +105,24 @@ type IDPJWT struct {
 	JWT
 }

+type OAuth struct {
+	ID                    string              `json:"id"`
+	Name                  string              `json:"name,omitempty"`
+	ClientID              string              `json:"clientId,omitempty"`
+	ClientSecret          *crypto.CryptoValue `json:"clientSecret,omitempty"`
+	AuthorizationEndpoint string              `json:"authorizationEndpoint,omitempty"`
+	TokenEndpoint         string              `json:"tokenEndpoint,omitempty"`
+	UserEndpoint          string              `json:"userEndpoint,omitempty"`
+	Scopes                []string            `json:"scopes,omitempty"`
+	IDAttribute           string              `json:"idAttribute,omitempty"`
+	UsePKCE               bool                `json:"usePKCE,omitempty"`
+}
+
+type IDPOAuth struct {
+	*IdentityProvider
+	OAuth
+}
+
 // IDPIdentifierCondition is used to help specify a single identity_provider,
 // it will either be used as the  identity_provider ID or identity_provider name,
 // as identity_provider can be identified either using (instanceID + OrgID + ID) OR (instanceID + OrgID + name)
@@ -132,7 +161,7 @@ type idProviderConditions interface {
 	AllowAutoCreationCondition(allow bool) database.Condition
 	AllowAutoUpdateCondition(allow bool) database.Condition
 	AllowLinkingCondition(allow bool) database.Condition
-	AllowAutoLinkingCondition(allow bool) database.Condition
+	AllowAutoLinkingCondition(linkingType IDPAutoLinkingOption) database.Condition
 	StylingTypeCondition(style int16) database.Condition
 	PayloadCondition(payload string) database.Condition
 }
@@ -164,4 +193,6 @@ type IDProviderRepository interface {

 	GetOIDC(ctx context.Context, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPOIDC, error)
 	GetJWT(ctx context.Context, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPJWT, error)
+
+	GetOAuth(ctx context.Context, id IDPIdentifierCondition, instanceID string, orgID *string) (*IDPOAuth, error)
 }
--- a/backend/v3/domain/idpautolinkingoption_enumer.go
+++ b/backend/v3/domain/idpautolinkingoption_enumer.go
@@ -0,0 +1,82 @@
+// Code generated by "enumer -type IDPAutoLinkingOption -transform lower -trimprefix IDPAutoLinkingOption"; DO NOT EDIT.
+
+package domain
+
+import (
+	"fmt"
+	"strings"
+)
+
+const _IDPAutoLinkingOptionName = "unspecifiedusernameemail"
+
+var _IDPAutoLinkingOptionIndex = [...]uint8{0, 11, 19, 24}
+
+const _IDPAutoLinkingOptionLowerName = "unspecifiedusernameemail"
+
+func (i IDPAutoLinkingOption) String() string {
+	if i >= IDPAutoLinkingOption(len(_IDPAutoLinkingOptionIndex)-1) {
+		return fmt.Sprintf("IDPAutoLinkingOption(%d)", i)
+	}
+	return _IDPAutoLinkingOptionName[_IDPAutoLinkingOptionIndex[i]:_IDPAutoLinkingOptionIndex[i+1]]
+}
+
+// An "invalid array index" compiler error signifies that the constant values have changed.
+// Re-run the stringer command to generate them again.
+func _IDPAutoLinkingOptionNoOp() {
+	var x [1]struct{}
+	_ = x[IDPAutoLinkingOptionUnspecified-(0)]
+	_ = x[IDPAutoLinkingOptionUserName-(1)]
+	_ = x[IDPAutoLinkingOptionEmail-(2)]
+}
+
+var _IDPAutoLinkingOptionValues = []IDPAutoLinkingOption{IDPAutoLinkingOptionUnspecified, IDPAutoLinkingOptionUserName, IDPAutoLinkingOptionEmail}
+
+var _IDPAutoLinkingOptionNameToValueMap = map[string]IDPAutoLinkingOption{
+	_IDPAutoLinkingOptionName[0:11]:       IDPAutoLinkingOptionUnspecified,
+	_IDPAutoLinkingOptionLowerName[0:11]:  IDPAutoLinkingOptionUnspecified,
+	_IDPAutoLinkingOptionName[11:19]:      IDPAutoLinkingOptionUserName,
+	_IDPAutoLinkingOptionLowerName[11:19]: IDPAutoLinkingOptionUserName,
+	_IDPAutoLinkingOptionName[19:24]:      IDPAutoLinkingOptionEmail,
+	_IDPAutoLinkingOptionLowerName[19:24]: IDPAutoLinkingOptionEmail,
+}
+
+var _IDPAutoLinkingOptionNames = []string{
+	_IDPAutoLinkingOptionName[0:11],
+	_IDPAutoLinkingOptionName[11:19],
+	_IDPAutoLinkingOptionName[19:24],
+}
+
+// IDPAutoLinkingOptionString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func IDPAutoLinkingOptionString(s string) (IDPAutoLinkingOption, error) {
+	if val, ok := _IDPAutoLinkingOptionNameToValueMap[s]; ok {
+		return val, nil
+	}
+
+	if val, ok := _IDPAutoLinkingOptionNameToValueMap[strings.ToLower(s)]; ok {
+		return val, nil
+	}
+	return 0, fmt.Errorf("%s does not belong to IDPAutoLinkingOption values", s)
+}
+
+// IDPAutoLinkingOptionValues returns all values of the enum
+func IDPAutoLinkingOptionValues() []IDPAutoLinkingOption {
+	return _IDPAutoLinkingOptionValues
+}
+
+// IDPAutoLinkingOptionStrings returns a slice of all String values of the enum
+func IDPAutoLinkingOptionStrings() []string {
+	strs := make([]string, len(_IDPAutoLinkingOptionNames))
+	copy(strs, _IDPAutoLinkingOptionNames)
+	return strs
+}
+
+// IsAIDPAutoLinkingOption returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i IDPAutoLinkingOption) IsAIDPAutoLinkingOption() bool {
+	for _, v := range _IDPAutoLinkingOptionValues {
+		if i == v {
+			return true
+		}
+	}
+	return false
+}
--- a/backend/v3/storage/database/dialect/postgres/migration/003_identity_providers_table/down.sql
+++ b/backend/v3/storage/database/dialect/postgres/migration/003_identity_providers_table/down.sql
@@ -1,3 +1,4 @@
 DROP TABLE zitadel.identity_providers;
 DROP Type zitadel.idp_state;
 DROP Type zitadel.idp_type;
+DROP Type zitadel.idp_auto_linking_option;
--- a/backend/v3/storage/database/dialect/postgres/migration/003_identity_providers_table/up.sql
+++ b/backend/v3/storage/database/dialect/postgres/migration/003_identity_providers_table/up.sql
@@ -15,6 +15,12 @@ CREATE TYPE zitadel.idp_type AS ENUM (
    'apple'
 );

+CREATE TYPE zitadel.idp_auto_linking_option AS ENUM (
+    'unspecified',
+    'username',
+    'email'
+);
+
 CREATE TABLE zitadel.identity_providers (
    instance_id TEXT NOT NULL
    , org_id TEXT
@@ -27,7 +33,7 @@ CREATE TABLE zitadel.identity_providers (
    , allow_auto_creation BOOLEAN NOT NULL DEFAULT TRUE
    , allow_auto_update BOOLEAN NOT NULL DEFAULT TRUE
    , allow_linking BOOLEAN NOT NULL DEFAULT TRUE
-    , allow_auto_linking BOOLEAN NOT NULL DEFAULT TRUE
+    , allow_auto_linking zitadel.idp_auto_linking_option NOT NULL DEFAULT 'unspecified'
    , styling_type SMALLINT
    , payload JSONB
    
--- a/backend/v3/storage/database/events_testing/id_provider_test.go
+++ b/backend/v3/storage/database/events_testing/id_provider_test.go
@@ -22,7 +22,7 @@ import (
 func TestServer_TestIDProviderReduces(t *testing.T) {
 	instanceID := Instance.ID()

-	t.Run("test idp add reduces", func(t *testing.T) {
+	t.Run("test iam idp add reduces", func(t *testing.T) {
 		name := gofakeit.Name()

 		beforeCreate := time.Now()
@@ -57,13 +57,13 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 			assert.Equal(t, instanceID, idp.InstanceID)
 			assert.Equal(t, domain.IDPStateActive.String(), idp.State)
 			assert.Equal(t, true, idp.AutoRegister)
-			assert.Equal(t, int16(idp_grpc.IDPStylingType_STYLING_TYPE_GOOGLE), idp.StylingType)
+			assert.Equal(t, int16(idp_grpc.IDPStylingType_STYLING_TYPE_GOOGLE), *idp.StylingType)
 			assert.WithinRange(t, idp.UpdatedAt, beforeCreate, afterCreate)
 			assert.WithinRange(t, idp.CreatedAt, beforeCreate, afterCreate)
 		}, retryDuration, tick)
 	})

-	t.Run("test idp update reduces", func(t *testing.T) {
+	t.Run("test iam idp update reduces", func(t *testing.T) {
 		name := gofakeit.Name()

 		addOIDC, err := AdminClient.AddOIDCIDP(CTX, &admin.AddOIDCIDPRequest{
@@ -106,12 +106,12 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 			assert.Equal(t, addOIDC.IdpId, idp.ID)
 			assert.Equal(t, name, idp.Name)
 			assert.Equal(t, false, idp.AutoRegister)
-			assert.Equal(t, int16(idp_grpc.IDPStylingType_STYLING_TYPE_UNSPECIFIED), idp.StylingType)
+			assert.Equal(t, int16(idp_grpc.IDPStylingType_STYLING_TYPE_UNSPECIFIED), *idp.StylingType)
 			assert.WithinRange(t, idp.UpdatedAt, beforeCreate, afterCreate)
 		}, retryDuration, tick)
 	})

-	t.Run("test idp deactivate reduces", func(t *testing.T) {
+	t.Run("test iam idp deactivate reduces", func(t *testing.T) {
 		name := gofakeit.Name()

 		addOIDC, err := AdminClient.AddOIDCIDP(CTX, &admin.AddOIDCIDPRequest{
@@ -153,7 +153,7 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 		}, retryDuration, tick)
 	})

-	t.Run("test idp reactivate reduces", func(t *testing.T) {
+	t.Run("test iam idp reactivate reduces", func(t *testing.T) {
 		name := gofakeit.Name()

 		addOIDC, err := AdminClient.AddOIDCIDP(CTX, &admin.AddOIDCIDPRequest{
@@ -214,7 +214,7 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 		}, retryDuration, tick)
 	})

-	t.Run("test idp remove reduces", func(t *testing.T) {
+	t.Run("test iam idp remove reduces", func(t *testing.T) {
 		name := gofakeit.Name()

 		// add idp
@@ -252,7 +252,7 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 		}, retryDuration, tick)
 	})

-	t.Run("test idp oidc addded reduces", func(t *testing.T) {
+	t.Run("test iam idp oidc addded reduces", func(t *testing.T) {
 		name := gofakeit.Name()

 		// add oidc
@@ -295,7 +295,7 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 		}, retryDuration, tick)
 	})

-	t.Run("test idp oidc changed reduces", func(t *testing.T) {
+	t.Run("test iam idp oidc changed reduces", func(t *testing.T) {
 		name := gofakeit.Name()

 		// add oidc
@@ -373,7 +373,7 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 		}, retryDuration, tick)
 	})

-	t.Run("test idp jwt addded reduces", func(t *testing.T) {
+	t.Run("test iam idp jwt addded reduces", func(t *testing.T) {
 		name := gofakeit.Name()

 		// add jwt
@@ -399,7 +399,7 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 			)
 			require.NoError(t, err)

-			// event org.idp.jwt.config.added
+			// event iam.idp.jwt.config.added
 			// idp
 			assert.Equal(t, addJWT.IdpId, jwt.ID)
 			assert.Equal(t, domain.IDPTypeJWT.String(), jwt.Type)
@@ -413,7 +413,7 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 		}, retryDuration, tick)
 	})

-	t.Run("test idp jwt changed reduces", func(t *testing.T) {
+	t.Run("test iam idp jwt changed reduces", func(t *testing.T) {
 		name := gofakeit.Name()

 		// add jwt
@@ -469,7 +469,7 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 			)
 			require.NoError(t, err)

-			// event org.idp.jwt.config.changed
+			// event iam.idp.jwt.config.changed
 			// idp
 			assert.Equal(t, addJWT.IdpId, updateJWT.ID)
 			assert.Equal(t, domain.IDPTypeJWT.String(), updateJWT.Type)
@@ -482,4 +482,295 @@ func TestServer_TestIDProviderReduces(t *testing.T) {
 			assert.Equal(t, "new_keyEndpoint", updateJWT.KeysEndpoint)
 		}, retryDuration, tick)
 	})
+
+	t.Run("test instance idp oauth added reduces", func(t *testing.T) {
+		name := gofakeit.Name()
+
+		// add oauth
+		beforeCreate := time.Now().Add(-1 * time.Second)
+		addOAuth, err := AdminClient.AddGenericOAuthProvider(CTX, &admin.AddGenericOAuthProviderRequest{
+			Name:                  name,
+			ClientId:              "clientId",
+			ClientSecret:          "clientSecret",
+			AuthorizationEndpoint: "authoizationEndpoint",
+			TokenEndpoint:         "tokenEndpoint",
+			UserEndpoint:          "userEndpoint",
+			Scopes:                []string{"scope"},
+			IdAttribute:           "idAttribute",
+			ProviderOptions: &idp_grpc.Options{
+				IsLinkingAllowed:  false,
+				IsCreationAllowed: false,
+				IsAutoCreation:    false,
+				IsAutoUpdate:      false,
+				AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_EMAIL,
+			},
+			UsePkce: false,
+		})
+		afterCreate := time.Now()
+		require.NoError(t, err)
+
+		idpRepo := repository.IDProviderRepository(pool)
+
+		// check values for oauth
+		var oauth *domain.IDPOAuth
+		retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Second*5)
+		assert.EventuallyWithT(t, func(t *assert.CollectT) {
+			oauth, err = idpRepo.GetOAuth(CTX, idpRepo.IDCondition(addOAuth.Id), instanceID, nil)
+			require.NoError(t, err)
+
+			// event instance.idp.oauth.added
+			// idp
+			assert.Equal(t, addOAuth.Id, oauth.IdentityProvider.ID)
+			assert.Equal(t, domain.IDPTypeOAuth.String(), oauth.Type)
+
+			// oauth
+			assert.Equal(t, addOAuth.Id, oauth.IdentityProvider.ID)
+			assert.Equal(t, "clientId", oauth.ClientID)
+			assert.NotNil(t, oauth.ClientSecret)
+			assert.Equal(t, "authoizationEndpoint", oauth.AuthorizationEndpoint)
+			assert.Equal(t, "authoizationEndpoint", oauth.AuthorizationEndpoint)
+			assert.Equal(t, "tokenEndpoint", oauth.TokenEndpoint)
+			assert.Equal(t, "userEndpoint", oauth.UserEndpoint)
+			assert.Equal(t, "userEndpoint", oauth.UserEndpoint)
+			assert.Equal(t, []string{"scope"}, oauth.Scopes)
+			assert.Equal(t, false, oauth.AllowLinking)
+			assert.Equal(t, false, oauth.AllowCreation)
+			assert.Equal(t, false, oauth.AllowAutoUpdate)
+			assert.Equal(t, domain.IDPAutoLinkingOptionEmail.String(), oauth.AllowAutoLinking)
+			assert.Equal(t, false, oauth.UsePKCE)
+			assert.WithinRange(t, oauth.CreatedAt, beforeCreate, afterCreate)
+			assert.WithinRange(t, oauth.UpdatedAt, beforeCreate, afterCreate)
+		}, retryDuration, tick)
+	})
+
+	t.Run("test instanceidp oauth changed reduces", func(t *testing.T) {
+		name := gofakeit.Name()
+
+		// add oauth
+		addOAuth, err := AdminClient.AddGenericOAuthProvider(CTX, &admin.AddGenericOAuthProviderRequest{
+			Name:                  name,
+			ClientId:              "clientId",
+			ClientSecret:          "clientSecret",
+			AuthorizationEndpoint: "authoizationEndpoint",
+			TokenEndpoint:         "tokenEndpoint",
+			UserEndpoint:          "userEndpoint",
+			Scopes:                []string{"scope"},
+			IdAttribute:           "idAttribute",
+			ProviderOptions: &idp_grpc.Options{
+				IsLinkingAllowed:  false,
+				IsCreationAllowed: false,
+				IsAutoCreation:    false,
+				IsAutoUpdate:      false,
+				AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_EMAIL,
+			},
+			UsePkce: false,
+		})
+		require.NoError(t, err)
+
+		idpRepo := repository.IDProviderRepository(pool)
+
+		// check values for oauth
+		var oauth *domain.IDPOAuth
+		retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Second*5)
+		assert.EventuallyWithT(t, func(t *assert.CollectT) {
+			oauth, err = idpRepo.GetOAuth(CTX, idpRepo.IDCondition(addOAuth.Id), instanceID, nil)
+			require.NoError(t, err)
+		}, retryDuration, tick)
+
+		name = "new_" + name
+		beforeCreate := time.Now()
+		_, err = AdminClient.UpdateGenericOAuthProvider(CTX, &admin.UpdateGenericOAuthProviderRequest{
+			Id:                    addOAuth.Id,
+			Name:                  name,
+			ClientId:              "new_clientId",
+			ClientSecret:          "new_clientSecret",
+			AuthorizationEndpoint: "new_authoizationEndpoint",
+			TokenEndpoint:         "new_tokenEndpoint",
+			UserEndpoint:          "new_userEndpoint",
+			Scopes:                []string{"new_scope"},
+			IdAttribute:           "new_idAttribute",
+			ProviderOptions: &idp_grpc.Options{
+				IsLinkingAllowed:  true,
+				IsCreationAllowed: true,
+				IsAutoCreation:    true,
+				IsAutoUpdate:      true,
+				AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME,
+			},
+			UsePkce: true,
+		})
+		afterCreate := time.Now()
+		require.NoError(t, err)
+
+		retryDuration, tick = integration.WaitForAndTickWithMaxDuration(CTX, time.Second*5)
+		assert.EventuallyWithT(t, func(t *assert.CollectT) {
+			updateOauth, err := idpRepo.GetOAuth(CTX,
+				idpRepo.IDCondition(addOAuth.Id),
+				instanceID,
+				nil,
+			)
+			require.NoError(t, err)
+
+			// event instance.idp.oauth.changed
+			// idp
+			assert.Equal(t, addOAuth.Id, oauth.IdentityProvider.ID)
+			assert.Equal(t, domain.IDPTypeOAuth.String(), oauth.Type)
+
+			// oauth
+			assert.Equal(t, addOAuth.Id, updateOauth.IdentityProvider.ID)
+			assert.Equal(t, "new_clientId", updateOauth.ClientID)
+			assert.NotEqual(t, oauth.ClientSecret, updateOauth.ClientSecret)
+			assert.Equal(t, "new_authoizationEndpoint", updateOauth.AuthorizationEndpoint)
+			assert.Equal(t, "new_tokenEndpoint", updateOauth.TokenEndpoint)
+			assert.Equal(t, "new_userEndpoint", updateOauth.UserEndpoint)
+			assert.Equal(t, []string{"new_scope"}, updateOauth.Scopes)
+			assert.Equal(t, true, updateOauth.AllowLinking)
+			assert.Equal(t, true, updateOauth.AllowCreation)
+			assert.Equal(t, true, updateOauth.AllowAutoUpdate)
+			assert.Equal(t, domain.IDPAutoLinkingOptionUserName.String(), updateOauth.AllowAutoLinking)
+			assert.Equal(t, true, updateOauth.UsePKCE)
+			assert.WithinRange(t, updateOauth.UpdatedAt, beforeCreate, afterCreate)
+		}, retryDuration, tick)
+	})
+
+	t.Run("test instance idp oidc added reduces", func(t *testing.T) {
+		name := gofakeit.Name()
+
+		// add oidc
+		beforeCreate := time.Now().Add(-1 * time.Second)
+		addOIDC, err := AdminClient.AddGenericOIDCProvider(CTX, &admin.AddGenericOIDCProviderRequest{
+			Name:         name,
+			ClientId:     "clientId",
+			ClientSecret: "clientSecret",
+			Scopes:       []string{"scope"},
+			Issuer:       "issuer",
+			ProviderOptions: &idp_grpc.Options{
+				IsLinkingAllowed:  false,
+				IsCreationAllowed: false,
+				IsAutoCreation:    false,
+				IsAutoUpdate:      false,
+				AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_EMAIL,
+			},
+			IsIdTokenMapping: false,
+			UsePkce:          false,
+		})
+		afterCreate := time.Now()
+		require.NoError(t, err)
+
+		idpRepo := repository.IDProviderRepository(pool)
+
+		// check values for oidc
+		retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Second*5)
+		assert.EventuallyWithT(t, func(t *assert.CollectT) {
+			oidc, err := idpRepo.GetOIDC(CTX, idpRepo.IDCondition(addOIDC.Id), instanceID, nil)
+			require.NoError(t, err)
+
+			// event instance.idp.oidc added
+			// idp
+			assert.Equal(t, addOIDC.Id, oidc.ID)
+			assert.Equal(t, domain.IDPTypeOIDC.String(), oidc.Type)
+
+			// oidc
+			assert.Equal(t, addOIDC.Id, oidc.ID)
+			assert.Equal(t, "clientId", oidc.ClientID)
+			// assert.NotNil(t, oidc.ClientSecret)
+			// assert.Equal(t, "authoizationEndpoint", oidc.AuthorizationEndpoint)
+			// assert.Equal(t, "tokenEndpoint", oidc.TokenEndpoint)
+			// assert.Equal(t, "userEndpoint", oidc.UserEndpoint)
+			// assert.Equal(t, "userEndpoint", oidc.UserEndpoint)
+			assert.Equal(t, []string{"scope"}, oidc.Scopes)
+			assert.Equal(t, "issuer", oidc.Issuer)
+			assert.Equal(t, false, oidc.IsIDTokenMapping)
+			assert.Equal(t, false, oidc.AllowLinking)
+			assert.Equal(t, false, oidc.AllowCreation)
+			assert.Equal(t, false, oidc.AllowAutoUpdate)
+			assert.Equal(t, domain.IDPAutoLinkingOptionEmail.String(), oidc.AllowAutoLinking)
+			assert.Equal(t, false, oidc.UsePKCE)
+			assert.WithinRange(t, oidc.CreatedAt, beforeCreate, afterCreate)
+			assert.WithinRange(t, oidc.UpdatedAt, beforeCreate, afterCreate)
+		}, retryDuration, tick)
+	})
+
+	t.Run("test instanceidp oidc changed reduces", func(t *testing.T) {
+		name := gofakeit.Name()
+
+		addOIDC, err := AdminClient.AddGenericOIDCProvider(CTX, &admin.AddGenericOIDCProviderRequest{
+			Name:         name,
+			ClientId:     "clientId",
+			ClientSecret: "clientSecret",
+			Scopes:       []string{"scope"},
+			Issuer:       "issuer",
+			ProviderOptions: &idp_grpc.Options{
+				IsLinkingAllowed:  false,
+				IsCreationAllowed: false,
+				IsAutoCreation:    false,
+				IsAutoUpdate:      false,
+				AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_EMAIL,
+			},
+			IsIdTokenMapping: false,
+			UsePkce:          false,
+		})
+		require.NoError(t, err)
+
+		idpRepo := repository.IDProviderRepository(pool)
+
+		// check values for oidc
+		var oidc *domain.IDPOIDC
+		retryDuration, tick := integration.WaitForAndTickWithMaxDuration(CTX, time.Second*5)
+		assert.EventuallyWithT(t, func(t *assert.CollectT) {
+			oidc, err = idpRepo.GetOIDC(CTX, idpRepo.IDCondition(addOIDC.Id), instanceID, nil)
+			require.NoError(t, err)
+		}, retryDuration, tick)
+
+		name = "new_" + name
+		beforeCreate := time.Now()
+		_, err = AdminClient.UpdateGenericOIDCProvider(CTX, &admin.UpdateGenericOIDCProviderRequest{
+			Id:           addOIDC.Id,
+			Name:         name,
+			Issuer:       "new_issuer",
+			ClientId:     "new_clientId",
+			ClientSecret: "new_clientSecret",
+			Scopes:       []string{"new_scope"},
+			ProviderOptions: &idp_grpc.Options{
+				IsLinkingAllowed:  true,
+				IsCreationAllowed: true,
+				IsAutoCreation:    true,
+				IsAutoUpdate:      true,
+				AutoLinking:       idp.AutoLinkingOption_AUTO_LINKING_OPTION_USERNAME,
+			},
+			IsIdTokenMapping: true,
+			UsePkce:          true,
+		})
+		afterCreate := time.Now()
+		require.NoError(t, err)
+
+		retryDuration, tick = integration.WaitForAndTickWithMaxDuration(CTX, time.Second*5)
+		assert.EventuallyWithT(t, func(t *assert.CollectT) {
+			updateOIDC, err := idpRepo.GetOIDC(CTX,
+				idpRepo.IDCondition(addOIDC.Id),
+				instanceID,
+				nil,
+			)
+			require.NoError(t, err)
+
+			// event instance.idp.oidc.changed
+			// idp
+			assert.Equal(t, addOIDC.Id, oidc.ID)
+			assert.Equal(t, domain.IDPTypeOIDC.String(), oidc.Type)
+
+			// oidc
+			assert.Equal(t, addOIDC.Id, updateOIDC.ID)
+			assert.Equal(t, "new_clientId", updateOIDC.ClientID)
+			assert.NotEqual(t, oidc.ClientSecret, updateOIDC.ClientSecret)
+			// assert.Equal(t, "new_authoizationEndpoint", updateOIDC.AuthorizationEndpoint)
+			// assert.Equal(t, "new_tokenEndpoint", updateOIDC.TokenEndpoint)
+			assert.Equal(t, []string{"new_scope"}, updateOIDC.Scopes)
+			assert.Equal(t, true, updateOIDC.IsIDTokenMapping)
+			assert.Equal(t, true, updateOIDC.AllowLinking)
+			assert.Equal(t, true, updateOIDC.AllowCreation)
+			assert.Equal(t, true, updateOIDC.AllowAutoUpdate)
+			assert.Equal(t, domain.IDPAutoLinkingOptionUserName.String(), updateOIDC.AllowAutoLinking)
+			assert.Equal(t, true, updateOIDC.UsePKCE)
+			assert.WithinRange(t, updateOIDC.UpdatedAt, beforeCreate, afterCreate)
+		}, retryDuration, tick)
+	})
 }
--- a/backend/v3/storage/database/repository/id_provider.go
+++ b/backend/v3/storage/database/repository/id_provider.go
@@ -163,6 +163,28 @@ func (i *idProvider) GetJWT(ctx context.Context, id domain.IDPIdentifierConditio
 	return idpJWT, nil
 }

+func (i *idProvider) GetOAuth(ctx context.Context, id domain.IDPIdentifierCondition, instnaceID string, orgID *string) (*domain.IDPOAuth, error) {
+	idpOAuth := &domain.IDPOAuth{}
+	var err error
+
+	idpOAuth.IdentityProvider, err = i.Get(ctx, id, instnaceID, orgID)
+	if err != nil {
+		return nil, err
+	}
+
+	if idpOAuth.Type != domain.IDPTypeOAuth.String() {
+		// TODO
+		return nil, errors.New("WRONG TYPE")
+	}
+
+	err = json.Unmarshal([]byte(*idpOAuth.Payload), idpOAuth)
+	if err != nil {
+		return nil, err
+	}
+
+	return idpOAuth, nil
+}
+
 // -------------------------------------------------------------
 // columns
 // -------------------------------------------------------------
@@ -282,8 +304,8 @@ func (i idProvider) AllowLinkingCondition(allow bool) database.Condition {
 	return database.NewBooleanCondition(i.AllowLinkingColumn(), allow)
 }

-func (i idProvider) AllowAutoLinkingCondition(allow bool) database.Condition {
-	return database.NewBooleanCondition(i.AllowAutoLinkingColumn(), allow)
+func (i idProvider) AllowAutoLinkingCondition(linkingType domain.IDPAutoLinkingOption) database.Condition {
+	return database.NewTextCondition(i.AllowAutoLinkingColumn(), database.TextOperationEqual, linkingType.String())
 }

 func (i idProvider) StylingTypeCondition(style int16) database.Condition {