TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-11 21:37:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into user-v2-api-v4

Browse Source
This commit is contained in:
Stefan Benz
2025-07-14 16:41:08 +02:00
committed by GitHub
parent bd32615916 79fcc2f2b6
commit b12341874d
881 changed files with 71596 additions and 9148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
proto/zitadel/app/v2beta/api.proto Normal file
View File

@@ -0,0 +1,26 @@
syntax = "proto3";
package zitadel.app.v2beta;
import "protoc-gen-openapiv2/options/annotations.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/app/v2beta;app";
enum APIAuthMethodType {
API_AUTH_METHOD_TYPE_BASIC = 0;
API_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT = 1;
}
message APIConfig {
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334@ZITADEL\"";
description: "generated oauth2/oidc client_id";
}
];
APIAuthMethodType auth_method_type = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines how the API passes the login credentials";
}
];
}

121
proto/zitadel/app/v2beta/app.proto Normal file
View File

@@ -0,0 +1,121 @@
syntax = "proto3";
package zitadel.app.v2beta;
import "zitadel/app/v2beta/oidc.proto";
import "zitadel/app/v2beta/saml.proto";
import "zitadel/app/v2beta/api.proto";
import "zitadel/filter/v2/filter.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/app/v2beta;app";
message Application {
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\"";
}
];
// The timestamp of the app creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the app update.
google.protobuf.Timestamp change_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
AppState state = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "current state of the application";
}
];
string name = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"Console\"";
}
];
oneof config {
OIDCConfig oidc_config = 6;
APIConfig api_config = 7;
SAMLConfig saml_config = 8;
}
}
enum AppState {
APP_STATE_UNSPECIFIED = 0;
APP_STATE_ACTIVE = 1;
APP_STATE_INACTIVE = 2;
APP_STATE_REMOVED = 3;
}
enum AppSorting {
APP_SORT_BY_ID = 0;
APP_SORT_BY_NAME = 1;
APP_SORT_BY_STATE = 2;
APP_SORT_BY_CREATION_DATE = 3;
APP_SORT_BY_CHANGE_DATE = 4;
}
message ApplicationSearchFilter {
oneof filter {
option (validate.required) = true;
ApplicationNameQuery name_filter = 1;
AppState state_filter = 2;
bool api_app_only = 3;
bool oidc_app_only = 4;
bool saml_app_only = 5;
}
}
message ApplicationNameQuery {
string name = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"Conso\""
}
];
zitadel.filter.v2.TextFilterMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used"
}
];
}
enum ApplicationKeysSorting {
APPLICATION_KEYS_SORT_BY_ID = 0;
APPLICATION_KEYS_SORT_BY_PROJECT_ID = 1;
APPLICATION_KEYS_SORT_BY_APPLICATION_ID = 2;
APPLICATION_KEYS_SORT_BY_CREATION_DATE = 3;
APPLICATION_KEYS_SORT_BY_ORGANIZATION_ID = 4;
APPLICATION_KEYS_SORT_BY_EXPIRATION = 5;
APPLICATION_KEYS_SORT_BY_TYPE = 6;
}
message ApplicationKey {
string id = 1;
string application_id = 2;
string project_id = 3;
google.protobuf.Timestamp creation_date = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
string organization_id = 5;
google.protobuf.Timestamp expiration_date = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}

994
proto/zitadel/app/v2beta/app_service.proto Normal file
View File

@@ -0,0 +1,994 @@
syntax = "proto3";
package zitadel.app.v2beta;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/app/v2beta/login.proto";
import "zitadel/app/v2beta/oidc.proto";
import "zitadel/app/v2beta/api.proto";
import "zitadel/app/v2beta/app.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/filter/v2/filter.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/app/v2beta;app";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Application Service";
version: "2.0-beta";
description: "This API is intended to manage apps (SAML, OIDC, etc..) in a ZITADEL instance. This service is in beta state. It can AND will continue breaking until a stable version is released.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
// Service to manage apps.
// The service provides methods to create, update, delete and list apps and app keys.
service AppService {
// Create Application
//
// Create an application. The application can be OIDC, API or SAML type, based on the input.
//
// Required permissions:
// - project.app.write
rpc CreateApplication(CreateApplicationRequest) returns (CreateApplicationResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The created application";
}
};
};
option (google.api.http) = {
post: "/v2beta/applications"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Update Application
//
// Changes the configuration of an OIDC, API or SAML type application, as well as
// the application name, based on the input provided.
//
// Required permissions:
// - project.app.write
rpc UpdateApplication(UpdateApplicationRequest) returns (UpdateApplicationResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The updated app.";
}
};
};
option (google.api.http) = {
patch: "/v2beta/applications/{id}"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Get Application
//
// Retrieves the application matching the provided ID.
//
// Required permissions:
// - project.app.read
rpc GetApplication(GetApplicationRequest) returns (GetApplicationResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The fetched app.";
}
};
};
option (google.api.http) = {
get: "/v2beta/applications/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Delete Application
//
// Deletes the application belonging to the input project and matching the provided
// application ID.
//
// Required permissions:
// - project.app.delete
rpc DeleteApplication(DeleteApplicationRequest) returns (DeleteApplicationResponse) {
option (google.api.http) = {
delete: "/v2beta/applications/{id}"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The time of deletion.";
}
};
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Deactivate Application
//
// Deactivates the application belonging to the input project and matching the provided
// application ID.
//
// Required permissions:
// - project.app.write
rpc DeactivateApplication(DeactivateApplicationRequest) returns (DeactivateApplicationResponse) {
option (google.api.http) = {
post: "/v2beta/applications/{id}/deactivate"
body: "*"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The time of deactivation.";
}
};
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Reactivate Application
//
// Reactivates the application belonging to the input project and matching the provided
// application ID.
//
// Required permissions:
// - project.app.write
rpc ReactivateApplication(ReactivateApplicationRequest) returns (ReactivateApplicationResponse) {
option (google.api.http) = {
post: "/v2beta/applications/{id}/reactivate"
body: "*"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The time of reactivation.";
}
};
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Regenerate Client Secret
//
// Regenerates the client secret of an API or OIDC application that belongs to the input project.
//
// Required permissions:
// - project.app.write
rpc RegenerateClientSecret(RegenerateClientSecretRequest) returns (RegenerateClientSecretResponse) {
option (google.api.http) = {
post: "/v2beta/applications/{application_id}/generate_client_secret"
body: "*"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The regenerated client secret.";
}
};
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// List Applications
//
// Returns a list of applications matching the input parameters that belong to the provided
// project.
//
// The result can be sorted by app id, name, creation date, change date or state. It can also
// be filtered by app state, app type and app name.
//
// Required permissions:
// - project.app.read
rpc ListApplications(ListApplicationsRequest) returns (ListApplicationsResponse) {
option (google.api.http) = {
post: "/v2beta/applications/search"
body: "*"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The matching applications";
}
};
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// Create Application Key
//
// Create a new application key, which is used to authorize an API application.
//
// Key details are returned in the response. They must be stored safely, as it will not
// be possible to retrieve them again.
//
// Required permissions:
// - `project.app.write`
rpc CreateApplicationKey(CreateApplicationKeyRequest) returns (CreateApplicationKeyResponse) {
option (google.api.http) = {
post: "/v2beta/application_keys"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The created application key";
}
};
};
}
// Delete Application Key
//
// Deletes an application key matching the provided ID.
//
// Organization ID is not mandatory, but helps with filtering/performance.
//
// The deletion time is returned in response message.
//
// Required permissions:
// - `project.app.write`
rpc DeleteApplicationKey(DeleteApplicationKeyRequest) returns (DeleteApplicationKeyResponse) {
option (google.api.http) = {
delete: "/v2beta/application_keys/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The time of deletion.";
}
};
};
}
// Get Application Key
//
// Retrieves the application key matching the provided ID.
//
// Specifying a project, organization and app ID is optional but help with filtering/performance.
//
// Required permissions:
// - project.app.read
rpc GetApplicationKey(GetApplicationKeyRequest) returns (GetApplicationKeyResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The fetched app key.";
}
};
};
option (google.api.http) = {
get: "/v2beta/application_keys/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
// List Application Keys
//
// Returns a list of application keys matching the input parameters.
//
// The result can be sorted by id, aggregate, creation date, expiration date, resource owner or type.
// It can also be filtered by app, project or organization ID.
//
// Required permissions:
// - project.app.read
rpc ListApplicationKeys(ListApplicationKeysRequest) returns (ListApplicationKeysResponse) {
option (google.api.http) = {
post: "/v2beta/application_keys/search"
body: "*"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The matching applications";
}
};
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
}
}
message CreateApplicationRequest {
string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string id = 2 [(validate.rules).string = {max_len: 200}];
string name = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"MyApp\"";
}
];
oneof creation_request_type {
option (validate.required) = true;
CreateOIDCApplicationRequest oidc_request = 4;
CreateSAMLApplicationRequest saml_request = 5;
CreateAPIApplicationRequest api_request = 6;
}
}
message CreateApplicationResponse {
string app_id = 1;
// The timestamp of the app creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
oneof creation_response_type {
CreateOIDCApplicationResponse oidc_response = 3;
CreateSAMLApplicationResponse saml_response = 4;
CreateAPIApplicationResponse api_response = 5;
}
}
message CreateOIDCApplicationRequest {
// Callback URI of the authorization request where the code or tokens will be sent to
repeated string redirect_uris = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"http://localhost:4200/auth/callback\"]";
description: "Callback URI of the authorization request where the code or tokens will be sent to";
}
];
repeated OIDCResponseType response_types = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Determines whether a code, id_token token or just id_token will be returned"
}
];
repeated OIDCGrantType grant_types = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "The flow type the application uses to gain access";
}
];
OIDCAppType app_type = 4 [
(validate.rules).enum = {defined_only: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Determines the paradigm of the application";
}
];
OIDCAuthMethodType auth_method_type = 5 [
(validate.rules).enum = {defined_only: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Defines how the application passes login credentials";
}
];
// ZITADEL will redirect to this link after a successful logout
repeated string post_logout_redirect_uris = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"http://localhost:4200/signedout\"]";
description: "ZITADEL will redirect to this link after a successful logout";
}
];
OIDCVersion version = 7 [(validate.rules).enum = {defined_only: true}];
bool dev_mode = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Used for development, some checks of the OIDC specification will not be checked.";
}
];
OIDCTokenType access_token_type = 9 [
(validate.rules).enum = {defined_only: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Type of the access token returned from ZITADEL";
}
];
bool access_token_role_assertion = 10 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes";
}
];
bool id_token_role_assertion = 11 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Adds roles to the claims of the id token even if they are not requested by scopes";
}
];
bool id_token_userinfo_assertion = 12 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification";
}
];
google.protobuf.Duration clock_skew = 13 [
(validate.rules).duration = {gte: {}, lte: {seconds: 5}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Used to compensate time difference of servers. Duration added to the \"exp\" claim and subtracted from \"iat\", \"auth_time\" and \"nbf\" claims";
example: "\"1s\"";
}
];
repeated string additional_origins = 14 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"scheme://localhost:8080\"]";
description: "Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment";
}
];
bool skip_native_app_success_page = 15 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Skip the successful login page on native apps and directly redirect the user to the callback.";
}
];
string back_channel_logout_uri = 16 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"https://example.com/auth/backchannel\"]";
description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
}
];
LoginVersion login_version = 17 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
message CreateOIDCApplicationResponse {
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"1035496534033449\"";
description: "generated client id for this config";
}
];
string client_secret = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"gjoq34589uasgh\"";
description: "generated secret for this config";
}
];
bool none_compliant = 3;
repeated OIDCLocalizedMessage compliance_problems = 4;
}
message CreateSAMLApplicationRequest {
oneof metadata {
option (validate.required) = true;
bytes metadata_xml = 1 [(validate.rules).bytes.max_len = 500000];
string metadata_url = 2 [(validate.rules).string.max_len = 200];
}
LoginVersion login_version = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
message CreateSAMLApplicationResponse {}
message CreateAPIApplicationRequest {
APIAuthMethodType auth_method_type = 1 [(validate.rules).enum = {defined_only: true}];
}
message CreateAPIApplicationResponse {
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"3950723409029374\"";
description: "generated secret for this config";
}
];
string client_secret = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"gjoq34589uasgh\"";
description: "generated secret for this config";
}
];
}
message UpdateApplicationRequest {
string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"45984352431\"";
}
];
string name = 3 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"MyApplicationName\"";
min_length: 1;
max_length: 200;
}
];
oneof update_request_type {
UpdateSAMLApplicationConfigurationRequest saml_configuration_request = 4;
UpdateOIDCApplicationConfigurationRequest oidc_configuration_request = 5;
UpdateAPIApplicationConfigurationRequest api_configuration_request = 6;
}
}
message UpdateApplicationResponse {
// The timestamp of the app update.
google.protobuf.Timestamp change_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message UpdateSAMLApplicationConfigurationRequest {
oneof metadata {
option (validate.required) = true;
bytes metadata_xml = 1 [(validate.rules).bytes.max_len = 500000];
string metadata_url = 2 [(validate.rules).string.max_len = 200];
}
optional LoginVersion login_version = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
message UpdateOIDCApplicationConfigurationRequest {
repeated string redirect_uris = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"http://localhost:4200/auth/callback\"]";
description: "Callback URI of the authorization request where the code or tokens will be sent to";
}
];
repeated OIDCResponseType response_types = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Determines whether a code, id_token token or just id_token will be returned"
}
];
repeated OIDCGrantType grant_types = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "The flow type the application uses to gain access";
}
];
optional OIDCAppType app_type = 4 [
(validate.rules).enum = {defined_only: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Determines the paradigm of the application";
}
];
optional OIDCAuthMethodType auth_method_type = 5 [
(validate.rules).enum = {defined_only: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Defines how the application passes login credentials";
}
];
repeated string post_logout_redirect_uris = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"http://localhost:4200/signedout\"]";
description: "ZITADEL will redirect to this link after a successful logout";
}
];
optional OIDCVersion version = 7 [(validate.rules).enum = {defined_only: true}];
optional bool dev_mode = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Used for development, some checks of the OIDC specification will not be checked.";
}
];
optional OIDCTokenType access_token_type = 9 [
(validate.rules).enum = {defined_only: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Type of the access token returned from ZITADEL";
}
];
optional bool access_token_role_assertion = 10 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes";
}
];
optional bool id_token_role_assertion = 11 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Adds roles to the claims of the id token even if they are not requested by scopes";
}
];
optional bool id_token_userinfo_assertion = 12 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification";
}
];
optional google.protobuf.Duration clock_skew = 13 [
(validate.rules).duration = {gte: {}, lte: {seconds: 5}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Used to compensate time difference of servers. Duration added to the \"exp\" claim and subtracted from \"iat\", \"auth_time\" and \"nbf\" claims";
example: "\"1s\"";
}
];
repeated string additional_origins = 14 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"scheme://localhost:8080\"]";
description: "Additional origins (other than the redirect_uris) from where the API can be used, provided string has to be an origin (scheme://hostname[:port]) without path, query or fragment";
}
];
optional bool skip_native_app_success_page = 15 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Skip the successful login page on native apps and directly redirect the user to the callback.";
}
];
optional string back_channel_logout_uri = 16 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"https://example.com/auth/backchannel\"]";
description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
}
];
optional LoginVersion login_version = 17 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
message UpdateAPIApplicationConfigurationRequest {
APIAuthMethodType auth_method_type = 1 [(validate.rules).enum = {defined_only: true}];
}
message GetApplicationRequest {
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"45984352431\"";
}
];
}
message GetApplicationResponse {
Application app = 1;
}
message DeleteApplicationRequest {
string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
}
message DeleteApplicationResponse {
google.protobuf.Timestamp deletion_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message DeactivateApplicationRequest{
string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
}
message DeactivateApplicationResponse{
google.protobuf.Timestamp deactivation_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ReactivateApplicationRequest{
string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
}
message ReactivateApplicationResponse{
google.protobuf.Timestamp reactivation_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message RegenerateClientSecretRequest{
string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string application_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
oneof app_type {
option (validate.required) = true;
bool is_oidc = 3;
bool is_api = 4;
}
}
message RegenerateClientSecretResponse{
string client_secret = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"gjoq34589uasgh\"";
description: "generated secret for the client";
}
];
// The timestamp of the creation of the new client secret
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ListApplicationsRequest {
string project_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
// Pagination and sorting.
zitadel.filter.v2.PaginationRequest pagination = 2;
//criteria the client is looking for
repeated ApplicationSearchFilter filters = 3;
AppSorting sorting_column = 4;
}
message ListApplicationsResponse {
repeated Application applications = 1;
// Contains the total number of apps matching the query and the applied limit.
zitadel.filter.v2.PaginationResponse pagination = 2;
}
message CreateApplicationKeyRequest {
string app_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string project_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
// The date the key will expire
google.protobuf.Timestamp expiration_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2519-04-01T08:45:00.000000Z\"";
description: "The date the key will expire";
}
];
}
message CreateApplicationKeyResponse {
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"28746028909593987\"";
}
];
// The timestamp of the app creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
bytes key_details = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"eyJ0eXBlIjoiYXBwbGljYXRpb24iLCJrZXlJZCI6IjIwMjcxMDE4NjYyMjcxNDExMyIsImtleSI6Ii0tLS0tQkVHSU4gUlNBIFBSSVZBVEUgS0VZLS0tLS1cbk1JSUVvd0lCQUFLQ0FRRUFuMUxyNStTV0pGRllURU1kaXQ2U0dNY0E2Yks5dG0xMmhlcm55V0wrZm9PWnA3eEVcbk9wcmsvWE81QVplSU5NY0x0ZVhxckJlK1NPdVVNMFpLU2xCMHFTNzNjVStDVTVMTGoycVB0UzhNOFI0N3BGdFhcbjJXRTFJNjNhZHB1N01TejA2SXduQ2lyNnJYOTVPQ2ZneHA3VU1Dd0pSTUZmYXJqdjVBRXY3NXpsSS9lYUV6bUJcbkxKWU1xanZFRmZoN2x3M2lPT3VsWW9kNjNpN3RDNWl5czNlYjNLZW4yWU0rN1FSbXB2dE5qcTJMVmlIMnkrUGJcbk9ESlI3MU9ib05TYVJDNTZDUFpWVytoWDByYXI3VzMwUjI2eGtIQ09oSytQbUpSeGtOY0g1VTdja0xXMEw0WEVcbnNNZkVUSmszeDR3Q0psbisxbElXUzkrNmw0R1E2TWRzWURyOU5RSURBUUFCQW9JQkFCSkx6WGQxMHFBZEQwekNcbnNGUFFOMnJNLzVmV3hONThONDR0YWF6QXg0VHp5K050UlZDTmxScGQvYkxuR2VjbHJIeVpDSmYycWcxcHNEMHJcbkowRGRlR2d0VXBFYWxsYk9scjNEZVBsUGkrYnNsK0RKOUk2c0VSUWwxTjZtQjVzZ0ZJZllBR3UwZjlFSXdIem9cblozR25yNnBRaEVmM0JPUVdsTVhVTlJNSksyOHp3M2E1L01nRmtKVUZUSTUzeXFwbGRtZ2hLajRZR1hLRk1LUGhcbkV3RkxrRncwK2s3K0xuSjFQNGp1ZVd1RXo3WlAyaFpvUWxCcXdSajVyTG9QZ05RbUU4UytFVDRuczlUYzByOFFcbnFyaHlacDZBczJrTDhGTytCZnF3SVpDZnpnWHN2cC9PLzRaSHIzVTB2Ymp3UW1sSzdVSm42U0J6T2hpWFpNU0lcbk5Wc0V5VUVDZ1lFQTFEaktkRGo3NTM1MWQzdlRNQlRFd2JSQ3hoUVZOdENFMnMwVUw4ckJQZ1I0K1dlblNUWmFcbnprWUprcEV0bE54VGxzYnN1Y0RTUXZqeWRYYk5nSHFBeDYzMm1vdTVkak9lR0VTUDFWVGtUdElsZFZQZWszQWxcbjVYbkpQa1dqWGVyVVJZNm5KeUQ5UWhlREx3MVp4NEFYVzNHWURiTFkrT05XV0VKUlJaQUloNjBDZ1lFQXdEQ2xcbnc1MHc4dkcvbEJ4RzNSYW9FaHdLOWNna1VXOHk2T25DekNwcEtjOEZUUmY1VE5iWjl5TzNXUmdYajhkeHRCakFcbkl5VGlzYk9NQk1VaFZKUUtGZHRQaDhoVDBwRkRjeE9ndzY0aHBtYzhyY2RTbXVKNzlYSVRTaHUySjA0N0UvNFZcbnJOTThpWVk5ZGR3VGdGUUlsdFNZL0l0RnFxWERmdjhqK1dVY25La0NnWUVBaENOUU80bDNuNjRucWR2WnBTaHBcblVrclJBTkJrWFJyOGZkZ1BaNnFSSS9KWStNSEhjVmg4dGM3NkN0NkdTUmZlbkJVRU5LeVF2czZPK1FDZCtBOU9cbnZBWGZkRjduZldlcVdtWG1RT2g0dDNNMWk1WkxFZlpVUWt2UU9BdllLcFFhMDZ4OCsyb1pCdHZvL0pVTmY2Q0xcbjZvNFNKUVZrLzZOZGtkckpDODBnNG9rQ2dZQkZsNWYrbkVYa1F0dWZVeG5wNXRGWE5XWldsM0ZuTjMvVXpRaW5cbmkxZm5OcnB4cnhPcjJrUzA4KzdwU1FzSEdpNDNDNXRQWG9UajJlTUN1eXNWaUVHYXBuNUc2YWhJb0NjdlhWVWlcblprUnpFQUR0NERZdU5ZS3pYdXBUTkhPaUNmYmtoMlhyM2RXVzZ0QUloSGRmU1k2T3AwNzZhNmYvWWVUSGNMWGpcbkVkVHBlUUtCZ0FPdnBqcDQ4TzRUWEZkU0JLSnYya005OHVhUjlSQURtdGxTWHd2cTlyQkhTV084NFk4bzE0L1Bcbkl1UmxUOHhROGRYKzhMR21UUCtjcUtiOFFRQ1grQk1YUWxMSEVtWnpnb0xFa0pGMUVIMm4vZEZ5bngxS3prdFNcbm9UZUdsRzZhbXhVOVh4eW9RVFlEVGJCbERwc2FZUlFBZ2FUQzM3UVZRUjhmK1ZoRzFHSFFcbi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tXG4iLCJhcHBJZCI6IjIwMjcwNjM5ODgxMzg4MDU3NyIsImNsaWVudElkIjoiMjAyNzA2Mzk4ODEzOTQ2MTEzQG15dGVzdHByb2plY3QifQ==\"";
}
];
}
message DeleteApplicationKeyRequest {
string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string project_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
string application_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}];
string organization_id = 4 [(validate.rules).string = {max_len: 200}];
}
message DeleteApplicationKeyResponse {
google.protobuf.Timestamp deletion_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message GetApplicationKeyRequest {
string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
string project_id = 2 [(validate.rules).string = {max_len: 200}];
string application_id = 3 [(validate.rules).string = {max_len: 200}];
string organization_id = 4 [(validate.rules).string = {max_len: 200}];
}
message GetApplicationKeyResponse {
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\"";
}
];
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
// the date a key will expire
google.protobuf.Timestamp expiration_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the date a key will expire";
example: "\"3019-04-01T08:45:00.000000Z\"";
}
];
}
message ListApplicationKeysRequest {
// Pagination and sorting.
zitadel.filter.v2.PaginationRequest pagination = 1;
ApplicationKeysSorting sorting_column = 2;
oneof resource_id {
string application_id = 3 [(validate.rules).string = {min_len: 1; max_len: 200}];
string project_id = 4 [(validate.rules).string = {min_len: 1; max_len: 200}];
string organization_id = 5 [(validate.rules).string = {min_len: 1; max_len: 200}];
}
}
message ListApplicationKeysResponse {
repeated ApplicationKey keys = 1;
// Contains the total number of app keys matching the query and the applied limit.
zitadel.filter.v2.PaginationResponse pagination = 2;
}

18
proto/zitadel/app/v2beta/login.proto Normal file
View File

@@ -0,0 +1,18 @@
syntax = "proto3";
package zitadel.app.v2beta;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/app/v2beta;app";
message LoginVersion {
oneof version {
LoginV1 login_v1 = 1;
LoginV2 login_v2 = 2;
}
}
message LoginV1 {}
message LoginV2 {
// Optionally specify a base uri of the login UI. If unspecified the default URI will be used.
optional string base_uri = 1;
}

166
proto/zitadel/app/v2beta/oidc.proto Normal file
View File

@@ -0,0 +1,166 @@
syntax = "proto3";
package zitadel.app.v2beta;
import "zitadel/app/v2beta/login.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "google/protobuf/duration.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/app/v2beta;app";
message OIDCLocalizedMessage {
string key = 1;
string localized_message = 2;
}
enum OIDCResponseType {
OIDC_RESPONSE_TYPE_UNSPECIFIED = 0;
OIDC_RESPONSE_TYPE_CODE = 1;
OIDC_RESPONSE_TYPE_ID_TOKEN = 2;
OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN = 3;
}
enum OIDCGrantType{
OIDC_GRANT_TYPE_AUTHORIZATION_CODE = 0;
OIDC_GRANT_TYPE_IMPLICIT = 1;
OIDC_GRANT_TYPE_REFRESH_TOKEN = 2;
OIDC_GRANT_TYPE_DEVICE_CODE = 3;
OIDC_GRANT_TYPE_TOKEN_EXCHANGE = 4;
}
enum OIDCAppType {
OIDC_APP_TYPE_WEB = 0;
OIDC_APP_TYPE_USER_AGENT = 1;
OIDC_APP_TYPE_NATIVE = 2;
}
enum OIDCAuthMethodType {
OIDC_AUTH_METHOD_TYPE_BASIC = 0;
OIDC_AUTH_METHOD_TYPE_POST = 1;
OIDC_AUTH_METHOD_TYPE_NONE = 2;
OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT = 3;
}
enum OIDCVersion {
OIDC_VERSION_1_0 = 0;
}
enum OIDCTokenType {
OIDC_TOKEN_TYPE_BEARER = 0;
OIDC_TOKEN_TYPE_JWT = 1;
}
message OIDCConfig {
repeated string redirect_uris = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"https://console.zitadel.ch/auth/callback\"]";
description: "Callback URI of the authorization request where the code or tokens will be sent to";
}
];
repeated OIDCResponseType response_types = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Determines whether a code, id_token token or just id_token will be returned"
}
];
repeated OIDCGrantType grant_types = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "The flow type the application uses to gain access";
}
];
OIDCAppType app_type = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "determines the paradigm of the application";
}
];
string client_id = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334@ZITADEL\"";
description: "generated oauth2/oidc client id";
}
];
OIDCAuthMethodType auth_method_type = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines how the application passes login credentials";
}
];
repeated string post_logout_redirect_uris = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"https://console.zitadel.ch/logout\"]";
description: "ZITADEL will redirect to this link after a successful logout";
}
];
OIDCVersion version = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the OIDC version used by the application";
}
];
bool none_compliant = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "specifies whether the config is OIDC compliant. A production configuration SHOULD be compliant";
}
];
repeated OIDCLocalizedMessage compliance_problems = 10 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "lists the problems for non-compliancy";
}
];
bool dev_mode = 11 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "used for development";
}
];
OIDCTokenType access_token_type = 12 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "type of the access token returned from ZITADEL";
}
];
bool access_token_role_assertion = 13 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes";
}
];
bool id_token_role_assertion = 14 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "adds roles to the claims of the id token even if they are not requested by scopes";
}
];
bool id_token_userinfo_assertion = 15 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification";
}
];
google.protobuf.Duration clock_skew = 16 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Used to compensate time difference of servers. Duration added to the \"exp\" claim and subtracted from \"iat\", \"auth_time\" and \"nbf\" claims";
// min: "0s";
// max: "5s";
}
];
repeated string additional_origins = 17 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"https://console.zitadel.ch/auth/callback\"]";
description: "additional origins (other than the redirect_uris) from where the API can be used";
}
];
repeated string allowed_origins = 18 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"https://console.zitadel.ch/auth/callback\"]";
description: "all allowed origins from where the API can be used";
}
];
bool skip_native_app_success_page = 19 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Skip the successful login page on native apps and directly redirect the user to the callback.";
}
];
string back_channel_logout_uri = 20 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"https://example.com/auth/backchannel\"]";
description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
}
];
LoginVersion login_version = 21 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}

20
proto/zitadel/app/v2beta/saml.proto Normal file
View File

@@ -0,0 +1,20 @@
syntax = "proto3";
package zitadel.app.v2beta;
import "zitadel/app/v2beta/login.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/app/v2beta;app";
message SAMLConfig {
oneof metadata{
bytes metadata_xml = 1;
string metadata_url = 2;
}
LoginVersion login_version = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}

18
proto/zitadel/auth.proto
View File

@@ -859,6 +859,11 @@ service AuthService {
};
}
// List My Authorizations / User Grants
//
// Deprecated: [List authorizations](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-list-authorizations.api.mdx) and pass the user ID filter with your users ID to search for your authorizations on granted and owned projects.
//
// Returns a list of the authorizations/user grants the authenticated user has. User grants consist of an organization, a project and 1-n roles.
rpc ListMyUserGrants(ListMyUserGrantsRequest) returns (ListMyUserGrantsResponse) {
option (google.api.http) = {
post: "/usergrants/me/_search"
@@ -869,9 +874,8 @@ service AuthService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Authorizations/Grants"
summary: "List My Authorizations/Grants";
description: "Returns a list of the authorizations/user grants the authenticated user has. User grants consist of an organization, a project and 1-n roles."
tags: "User Authorizations/Grants";
deprecated: true;
};
}
@@ -908,6 +912,11 @@ service AuthService {
};
}
// List My Project Roles
//
// Deprecated: [List authorizations](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-list-authorizations.api.mdx) and pass the user ID filter with your users ID and the project ID filter to search for your authorizations on a granted and an owned project.
//
// Returns a list of roles for the authenticated user and for the requesting project.
rpc ListMyProjectPermissions(ListMyProjectPermissionsRequest) returns (ListMyProjectPermissionsResponse) {
option (google.api.http) = {
post: "/permissions/me/_search"
@@ -919,8 +928,7 @@ service AuthService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Authorizations/Grants"
summary: "List My Project Roles";
description: "Returns a list of roles for the authenticated user and for the requesting project (based on the token)."
deprecated: true;
};
}

181
proto/zitadel/authorization/v2beta/authorization.proto Normal file
View File

@@ -0,0 +1,181 @@
syntax = "proto3";
package zitadel.authorization.v2beta;
import "protoc-gen-openapiv2/options/annotations.proto";
import "google/protobuf/timestamp.proto";
import "validate/validate.proto";
import "zitadel/filter/v2beta/filter.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/authorization/v2beta;authorization";
message Authorization {
// ID is the unique identifier of the authorization.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// ID is the unique identifier of the project the user was granted the authorization for.
string project_id = 2;
// Name is the name of the project the user was granted the authorization for.
string project_name = 3;
// OrganizationID is the ID of the organization the project belongs to.
string project_organization_id = 4;
// ID of the granted project, only provided if it is a granted project.
optional string project_grant_id = 5;
// ID of the organization the project is granted to, only provided if it is a granted project.
optional string granted_organization_id = 6;
// The unique identifier of the organization the authorization belongs to.
string organization_id = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// CreationDate is the timestamp when the authorization was created.
google.protobuf.Timestamp creation_date = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// ChangeDate is the timestamp when the authorization was last updated.
// In case the authorization was not updated, this field is equal to the creation date.
google.protobuf.Timestamp change_date = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
// State is the current state of the authorization.
State state = 10;
User user = 11;
// Roles contains the roles the user was granted for the project.
repeated string roles = 12;
}
enum State {
STATE_UNSPECIFIED = 0;
// An active authorization grants the user access with the roles specified on the project.
STATE_ACTIVE = 1;
// An inactive authorization temporarily deactivates the granted access and roles.
// ZITADEL will not include the specific authorization in any authorization information like an access token.
// But the information can still be accessed using the API.
STATE_INACTIVE = 2;
}
message User {
// ID represents the ID of the user who was granted the authorization.
string id = 1;
// PreferredLoginName represents the preferred login name of the granted user.
string preferred_login_name = 2;
// DisplayName represents the public display name of the granted user.
string display_name = 3;
// AvatarURL is the URL to the user's public avatar image.
string avatar_url = 4;
// The organization the user belong to.
// This does not have to correspond with the authorizations organization.
string organization_id = 5;
}
message AuthorizationsSearchFilter {
oneof filter {
option (validate.required) = true;
// Search for authorizations by their IDs.
zitadel.filter.v2beta.InIDsFilter authorization_ids = 1;
// Search for an organizations authorizations by its ID.
zitadel.filter.v2beta.IDFilter organization_id = 2;
// Search for authorizations by their state.
StateQuery state = 3;
// Search for authorizations by the ID of the user who was granted the authorization.
zitadel.filter.v2beta.IDFilter user_id = 4;
// Search for authorizations by the ID of the organisation the user is part of.
zitadel.filter.v2beta.IDFilter user_organization_id = 5;
// Search for authorizations by the preferred login name of the granted user.
UserPreferredLoginNameQuery user_preferred_login_name = 6;
// Search for authorizations by the public display name of the granted user.
UserDisplayNameQuery user_display_name = 7;
// Search for authorizations by the ID of the project the user was granted the authorization for.
// This will also include authorizations granted for project grants of the same project.
zitadel.filter.v2beta.IDFilter project_id = 8;
// Search for authorizations by the name of the project the user was granted the authorization for.
// This will also include authorizations granted for project grants of the same project.
ProjectNameQuery project_name = 9;
// Search for authorizations by the key of the role the user was granted.
RoleKeyQuery role_key = 10;
// Search for authorizations by the ID of the project grant the user was granted the authorization for.
// This will also include authorizations granted for project grants of the same project.
zitadel.filter.v2beta.IDFilter project_grant_id = 11;
}
}
message StateQuery {
// Specify the state of the authorization to search for.
State state = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
}
message UserPreferredLoginNameQuery {
// Specify the preferred login name of the granted user to search for.
string login_name = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Specify the method to search for the preferred login name. Default is EQUAL.
// For example, to search for all authorizations granted to a user with
// a preferred login name containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.filter.v2beta.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message UserDisplayNameQuery {
// Specify the public display name of the granted user to search for.
string display_name = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Specify the method to search for the display name. Default is EQUAL.
// For example, to search for all authorizations granted to a user with
// a display name containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.filter.v2beta.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message ProjectNameQuery {
// Specify the name of the project the user was granted the authorization for to search for.
// Note that this will also include authorizations granted for project grants of the same project.
string name = 1 [(validate.rules).string = {max_len: 200}];
// Specify the method to search for the project name. Default is EQUAL.
// For example, to search for all authorizations granted on a project with
// a name containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.filter.v2beta.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message OrganizationNameQuery {
// Specify the name of the organization the authorization was granted for to search for.
// This can either be the organization the project or the project grant is part of.
string name = 1 [(validate.rules).string = {max_len: 200}];
// Specify the method to search for the organization name. Default is EQUAL.
// For example, to search for all authorizations with an organization name containing a specific string,
// use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.filter.v2beta.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message RoleKeyQuery {
// Specify the key of the role the user was granted to search for.
string key = 1 [(validate.rules).string = {max_len: 200}];
// Specify the method to search for the role key. Default is EQUAL.
// For example, to search for all authorizations starting with a specific role key,
// use STARTS_WITH or STARTS_WITH_IGNORE_CASE.
zitadel.filter.v2beta.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}
enum AuthorizationFieldName {
AUTHORIZATION_FIELD_NAME_UNSPECIFIED = 0;
AUTHORIZATION_FIELD_NAME_CREATED_DATE = 1;
AUTHORIZATION_FIELD_NAME_CHANGED_DATE = 2;
AUTHORIZATION_FIELD_NAME_ID = 3;
AUTHORIZATION_FIELD_NAME_USER_ID = 4;
AUTHORIZATION_FIELD_NAME_PROJECT_ID = 5;
AUTHORIZATION_FIELD_NAME_ORGANIZATION_ID = 6;
AUTHORIZATION_FIELD_NAME_USER_ORGANIZATION_ID = 7;
}

456
proto/zitadel/authorization/v2beta/authorization_service.proto Normal file
View File

@@ -0,0 +1,456 @@
syntax = "proto3";
package zitadel.authorization.v2beta;
import "protoc-gen-openapiv2/options/annotations.proto";
import "google/protobuf/timestamp.proto";
import "validate/validate.proto";
import "google/api/annotations.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/authorization/v2beta/authorization.proto";
import "zitadel/filter/v2beta/filter.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/authorization/v2beta;authorization";
// AuthorizationService provides methods to manage authorizations for users within your projects and applications.
//
// For managing permissions and roles for ZITADEL internal resources, like organizations, projects,
// users, etc., please use the InternalPermissionService.
service AuthorizationService {
// List Authorizations
//
// ListAuthorizations returns all authorizations matching the request and necessary permissions.
//
// Required permissions:
// - "user.grant.read"
// - no permissions required for listing own authorizations
rpc ListAuthorizations(ListAuthorizationsRequest) returns (ListAuthorizationsResponse) {
option (google.api.http) = {
// The only reason why it is used here is to avoid a conflict with the ListUsers endpoint, which already handles POST /v2/users.
post: "/v2beta/authorizations/search"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "A list of all authorizations matching the query";
};
};
responses: {
key: "400";
value: {
description: "invalid list query";
};
};
};
}
// Create Authorization
//
// CreateAuthorization creates a new authorization for a user in an owned or granted project.
//
// Required permissions:
// - "user.grant.write"
rpc CreateAuthorization(CreateAuthorizationRequest) returns (CreateAuthorizationResponse) {
option (google.api.http) = {
post: "/v2beta/authorizations"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The newly created authorization";
};
};
responses: {
key: "400";
value: {
description: "invalid create request";
};
};
responses: {
key: "409"
value: {
description: "The authorization already exists.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
};
};
}
};
};
}
// Update Authorization
//
// UpdateAuthorization updates the authorization.
//
// Note that any role keys previously granted to the user and not present in the request will be revoked.
//
// Required permissions:
// - "user.grant.write"
rpc UpdateAuthorization(UpdateAuthorizationRequest) returns (UpdateAuthorizationResponse) {
option (google.api.http) = {
patch: "/v2beta/authorizations/{id}"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "OK";
};
};
responses: {
key: "404";
value: {
description: "Authorization or one of the roles do not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
};
};
}
}
};
}
// Delete Authorization
//
// DeleteAuthorization deletes the authorization.
//
// In case the authorization is not found, the request will return a successful response as
// the desired state is already achieved.
// You can check the deletion date in the response to verify if the authorization was deleted by the request.
//
// Required permissions:
// - "user.grant.delete"
rpc DeleteAuthorization(DeleteAuthorizationRequest) returns (DeleteAuthorizationResponse) {
option (google.api.http) = {
delete: "/v2beta/authorizations/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The authorization was deleted successfully.";
};
};
responses: {
key: "404";
value: {
description: "Authorization not found.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
};
};
};
};
};
}
// Activate Authorization
//
// ActivateAuthorization activates an existing but inactive authorization.
//
// In case the authorization is already active, the request will return a successful response as
// the desired state is already achieved.
// You can check the change date in the response to verify if the authorization was activated by the request.
//
// Required permissions:
// - "user.grant.write"
rpc ActivateAuthorization(ActivateAuthorizationRequest) returns (ActivateAuthorizationResponse) {
option (google.api.http) = {
post: "/v2beta/authorizations/{id}/activate"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The authorization was activated successfully.";
};
};
responses: {
key: "404";
value: {
description: "Authorization not found.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
};
};
};
};
};
}
// Deactivate Authorization
//
// DeactivateAuthorization deactivates an existing and active authorization.
//
// In case the authorization is already inactive, the request will return a successful response as
// the desired state is already achieved.
// You can check the change date in the response to verify if the authorization was deactivated by the request.
//
// Required permissions:
// - "user.grant.write"
rpc DeactivateAuthorization(DeactivateAuthorizationRequest) returns (DeactivateAuthorizationResponse) {
option (google.api.http) = {
post: "/v2beta/authorizations/{id}/deactivate"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The authorization was deactivated successfully.";
};
};
responses: {
key: "404";
value: {
description: "Authorization not found.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
};
};
};
};
};
}
}
message ListAuthorizationsRequest {
// Paginate through the results using a limit, offset and sorting.
optional zitadel.filter.v2beta.PaginationRequest pagination = 1;
// The field the result is sorted by. The default is the creation date. Beware that if you change this, your result pagination might be inconsistent.
optional AuthorizationFieldName sorting_column = 2 [
(validate.rules).enum = {defined_only: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"AUTHORIZATION_FIELD_NAME_CREATED_DATE\""
}
];
// Define the criteria to query for.
repeated AuthorizationsSearchFilter filters = 3;
}
message ListAuthorizationsResponse {
// Details contains the pagination information.
zitadel.filter.v2beta.PaginationResponse pagination = 1;
repeated Authorization authorizations = 2;
}
message CreateAuthorizationRequest {
// UserID is the ID of the user who should be granted the authorization.
string user_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"163840776835432345\"";
}
];
// Project ID is the ID of the project the user should be authorized for.
string project_id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"163840776835432345\"";
}
];
// OrganizationID is the ID of the organization on which the authorization should be created.
// The organization must either own the project or have a grant for the project.
// If omitted, the authorization is created on the projects organization.
optional string organization_id = 3 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"163840776835432345\"";
}
];
// RoleKeys are the keys of the roles the user should be granted.
repeated string role_keys = 4 [
(validate.rules).repeated = {
unique: true
items: {
string: {
min_len: 1
max_len: 200
}
}
},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "[\"user\",\"admin\"]";
}
];
}
message CreateAuthorizationResponse {
// ID is the unique identifier of the newly created authorization.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// CreationDate is the timestamp when the authorization was created.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message UpdateAuthorizationRequest {
// ID is the unique identifier of the authorization.
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"163840776835432345\"";
}
];
// RoleKeys are the keys of the roles the user should be granted.
// Note that any role keys previously granted to the user and not present in the list will be revoked.
repeated string role_keys = 2 [
(validate.rules).repeated = {
unique: true
items: {
string: {
min_len: 1
max_len: 200
}
}
},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "[\"user\",\"admin\"]";
}
];
}
message UpdateAuthorizationResponse {
// ChangeDate is the timestamp when the authorization was last updated.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message DeleteAuthorizationRequest {
// ID is the unique identifier of the authorization that should be deleted.
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"163840776835432345\"";
}
];
}
message DeleteAuthorizationResponse {
// DeletionDate is the timestamp when the authorization was deleted.
google.protobuf.Timestamp deletion_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message ActivateAuthorizationRequest {
// ID is the unique identifier of the authorization that should be activated.
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"163840776835432345\"";
}
];
}
message ActivateAuthorizationResponse {
// ChangeDate is the last timestamp when the authorization was changed / activated.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message DeactivateAuthorizationRequest {
// ID is the unique identifier of the authorization that should be deactivated.
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"163840776835432345\"";
}
];
}
message DeactivateAuthorizationResponse {
// ChangeDate is the last timestamp when the authorization was changed / deactivated.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}

48
proto/zitadel/feature/v2/instance.proto
View File

@@ -11,26 +11,14 @@ import "zitadel/feature/v2/feature.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
message SetInstanceFeaturesRequest{
reserved 6;
reserved "actions";
reserved 2, 3, 6, 8;
reserved "oidc_trigger_introspection_projections", "oidc_legacy_introspection", "actions", "web_key";
optional bool login_default_org = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "The login UI will use the settings of the default org (and not from the instance) if no organization context is set";
}
];
optional bool oidc_trigger_introspection_projections = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
}
];
optional bool oidc_legacy_introspection = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
}
];
optional bool user_schema = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -55,13 +43,6 @@ message SetInstanceFeaturesRequest{
}
];
optional bool web_key = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable the webkey/v3alpha API. The first time this feature is enabled, web keys are generated and activated.";
}
];
optional bool debug_oidc_parent_error = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -131,8 +112,8 @@ message GetInstanceFeaturesRequest {
}
message GetInstanceFeaturesResponse {
reserved 7;
reserved "actions";
reserved 3, 4, 7, 9;
reserved "oidc_trigger_introspection_projections", "oidc_legacy_introspection", "actions", "web_key";
zitadel.object.v2.Details details = 1;
FeatureFlag login_default_org = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -141,20 +122,6 @@ message GetInstanceFeaturesResponse {
}
];
FeatureFlag oidc_trigger_introspection_projections = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
}
];
FeatureFlag oidc_legacy_introspection = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
}
];
FeatureFlag user_schema = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -176,13 +143,6 @@ message GetInstanceFeaturesResponse {
}
];
FeatureFlag web_key = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable the webkey/v3alpha API. The first time this feature is enabled, web keys are generated and activated.";
}
];
FeatureFlag debug_oidc_parent_error = 10 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";

36
proto/zitadel/feature/v2/system.proto
View File

@@ -11,8 +11,8 @@ import "zitadel/feature/v2/feature.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
message SetSystemFeaturesRequest{
reserved 6;
reserved "actions";
reserved 2, 3, 6;
reserved "oidc_trigger_introspection_projections", "oidc_legacy_introspection", "actions";
optional bool login_default_org = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -20,20 +20,6 @@ message SetSystemFeaturesRequest{
}
];
optional bool oidc_trigger_introspection_projections = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
}
];
optional bool oidc_legacy_introspection = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
}
];
optional bool user_schema = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -105,8 +91,8 @@ message ResetSystemFeaturesResponse {
message GetSystemFeaturesRequest {}
message GetSystemFeaturesResponse {
reserved 7;
reserved "actions";
reserved 3, 4, 7;
reserved "oidc_trigger_introspection_projections", "oidc_legacy_introspection", "actions";
zitadel.object.v2.Details details = 1;
FeatureFlag login_default_org = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -115,20 +101,6 @@ message GetSystemFeaturesResponse {
}
];
FeatureFlag oidc_trigger_introspection_projections = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
}
];
FeatureFlag oidc_legacy_introspection = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
}
];
FeatureFlag user_schema = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";

48
proto/zitadel/feature/v2beta/instance.proto
View File

@@ -11,26 +11,14 @@ import "zitadel/feature/v2beta/feature.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta;feature";
message SetInstanceFeaturesRequest{
reserved 6;
reserved "actions";
reserved 2, 3, 6, 8;
reserved "oidc_trigger_introspection_projections", "oidc_legacy_introspection", "actions", "web_key";
optional bool login_default_org = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "The login UI will use the settings of the default org (and not from the instance) if no organization context is set";
}
];
optional bool oidc_trigger_introspection_projections = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
}
];
optional bool oidc_legacy_introspection = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
}
];
optional bool user_schema = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -55,13 +43,6 @@ message SetInstanceFeaturesRequest{
}
];
optional bool web_key = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable the webkey/v3alpha API. The first time this feature is enabled, web keys are generated and activated.";
}
];
optional bool debug_oidc_parent_error = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -97,8 +78,8 @@ message GetInstanceFeaturesRequest {
}
message GetInstanceFeaturesResponse {
reserved 7;
reserved "actions";
reserved 3, 4, 7, 9;
reserved "oidc_trigger_introspection_projections", "oidc_legacy_introspection", "actions", "web_key";
zitadel.object.v2beta.Details details = 1;
FeatureFlag login_default_org = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -107,20 +88,6 @@ message GetInstanceFeaturesResponse {
}
];
FeatureFlag oidc_trigger_introspection_projections = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
}
];
FeatureFlag oidc_legacy_introspection = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
}
];
FeatureFlag user_schema = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -142,13 +109,6 @@ message GetInstanceFeaturesResponse {
}
];
FeatureFlag web_key = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable the webkey/v3alpha API. The first time this feature is enabled, web keys are generated and activated.";
}
];
FeatureFlag debug_oidc_parent_error = 10 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";

36
proto/zitadel/feature/v2beta/system.proto
View File

@@ -11,8 +11,8 @@ import "zitadel/feature/v2beta/feature.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta;feature";
message SetSystemFeaturesRequest{
reserved 6;
reserved "actions";
reserved 2, 3, 6;
reserved "oidc_trigger_introspection_projections", "oidc_legacy_introspection", "actions";
optional bool login_default_org = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -20,20 +20,6 @@ message SetSystemFeaturesRequest{
}
];
optional bool oidc_trigger_introspection_projections = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
}
];
optional bool oidc_legacy_introspection = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
}
];
optional bool user_schema = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -78,8 +64,8 @@ message ResetSystemFeaturesResponse {
message GetSystemFeaturesRequest {}
message GetSystemFeaturesResponse {
reserved 7;
reserved "actions";
reserved 3, 4, 7;
reserved "oidc_trigger_introspection_projections", "oidc_legacy_introspection", "actions";
zitadel.object.v2beta.Details details = 1;
FeatureFlag login_default_org = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -88,20 +74,6 @@ message GetSystemFeaturesResponse {
}
];
FeatureFlag oidc_trigger_introspection_projections = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
}
];
FeatureFlag oidc_legacy_introspection = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
}
];
FeatureFlag user_schema = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";

11
proto/zitadel/filter/v2beta/filter.proto
View File

@@ -86,7 +86,18 @@ message TimestampFilter {
message InIDsFilter {
// Defines the ids to query for.
repeated string ids = 1 [
(validate.rules).repeated = {
unique: true
items: {
string: {
min_len: 1
max_len: 200
}
}
},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "[\"69629023906488334\",\"69622366012355662\"]";
}
];

384
proto/zitadel/internal_permission/v2beta/internal_permission_service.proto Normal file
View File

@@ -0,0 +1,384 @@
syntax = "proto3";
package zitadel.internal_permission.v2beta;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/filter/v2beta/filter.proto";
import "zitadel/internal_permission/v2beta/query.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/internal_permission/v2beta;internal_permission";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Internal Permission Service";
version: "2.0-beta";
description: "This API is intended to manage internal permissions in ZITADEL. This service is in beta state. It can AND will continue breaking until a stable version is released.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
// InternalPermissionService provides methods to manage permissions for resource
// and their management in ZITADEL itself.
//
// If you want to manage permissions and roles within your project or application,
// please use the AuthorizationsService.
service InternalPermissionService {
// ListAdministrators returns all administrators and its roles matching the request and necessary permissions.
//
// Required permissions depend on the resource type:
// - "iam.member.read" for instance administrators
// - "org.member.read" for organization administrators
// - "project.member.read" for project administrators
// - "project.grant.member.read" for project grant administrators
// - no permissions required for listing own administrator roles
rpc ListAdministrators(ListAdministratorsRequest) returns (ListAdministratorsResponse) {
option (google.api.http) = {
post: "/v2beta/administrators/search",
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "A list of all administrators matching the query";
};
};
responses: {
key: "400";
value: {
description: "invalid list query";
};
};
};
}
// CreateAdministrator grants a administrator role to a user for a specific resource.
//
// Note that the roles are specific to the resource type.
// This means that if you want to grant a user the administrator role for an organization and a project,
// you need to create two administrator roles.
//
// Required permissions depend on the resource type:
// - "iam.member.write" for instance administrators
// - "org.member.write" for organization administrators
// - "project.member.write" for project administrators
// - "project.grant.member.write" for project grant administrators
rpc CreateAdministrator(CreateAdministratorRequest) returns (CreateAdministratorResponse) {
option (google.api.http) = {
post: "/v2beta/administrators"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Administrator created successfully";
};
};
responses: {
key: "409"
value: {
description: "The administrator to create already exists.";
}
};
};
}
// UpdateAdministrator updates the specific administrator role.
//
// Note that any role previously granted to the user and not present in the request will be revoked.
//
// Required permissions depend on the resource type:
// - "iam.member.write" for instance administrators
// - "org.member.write" for organization administrators
// - "project.member.write" for project administrators
// - "project.grant.member.write" for project grant administrators
rpc UpdateAdministrator(UpdateAdministratorRequest) returns (UpdateAdministratorResponse) {
option (google.api.http) = {
post: "/v2beta/administrators/{user_id}"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Administrator successfully updated or left unchanged";
};
};
responses: {
key: "404"
value: {
description: "The administrator to update does not exist.";
}
};
};
}
// DeleteAdministrator revokes a administrator role from a user.
//
// In case the administrator role is not found, the request will return a successful response as
// the desired state is already achieved.
// You can check the deletion date in the response to verify if the administrator role was deleted during the request.
//
// Required permissions depend on the resource type:
// - "iam.member.delete" for instance administrators
// - "org.member.delete" for organization administrators
// - "project.member.delete" for project administrators
// - "project.grant.member.delete" for project grant administrators
rpc DeleteAdministrator(DeleteAdministratorRequest) returns (DeleteAdministratorResponse) {
option (google.api.http) = {
delete: "/v2beta/administrators/{user_id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Administrator deleted successfully";
};
};
};
}
}
message ListAdministratorsRequest {
// List limitations and ordering.
optional zitadel.filter.v2beta.PaginationRequest pagination = 1;
// The field the result is sorted by. The default is the creation date. Beware that if you change this, your result pagination might be inconsistent.
optional AdministratorFieldName sorting_column = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"ADMINISTRATOR_FIELD_NAME_CREATION_DATE\""
}
];
// Filter the administrator roles to be returned.
repeated AdministratorSearchFilter filters = 3;
}
message ListAdministratorsResponse {
zitadel.filter.v2beta.PaginationResponse pagination = 1;
repeated Administrator administrators = 2;
}
message GetAdministratorRequest {
// ID is the unique identifier of the administrator.
string id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
}
message GetAdministratorResponse {
Administrator administrator = 1;
}
message CreateAdministratorRequest {
// UserID is the ID of the user who should be granted the administrator role.
string user_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Resource is the type of the resource the administrator roles should be granted for.
ResourceType resource = 2;
// Roles are the roles that should be granted to the user for the specified resource.
// Note that roles are currently specific to the resource type.
// This means that if you want to grant a user the administrator role for an organization and a project,
// you need to create two administrator roles.
repeated string roles = 3 [(validate.rules).repeated = {
unique: true
items: {
string: {
min_len: 1
max_len: 200
}
}
}];
}
message ResourceType {
message ProjectGrant {
// ProjectID is required to grant administrator privileges for a specific project.
string project_id = 1;
// ProjectGrantID is required to grant administrator privileges for a specific project grant.
string project_grant_id = 2;
}
// Resource is the type of the resource the administrator roles should be granted for.
oneof resource {
option (validate.required) = true;
// Instance is the resource type for granting administrator privileges on the instance level.
bool instance = 1 [(validate.rules).bool = {const: true}];
// OrganizationID is required to grant administrator privileges for a specific organization.
string organization_id = 2;
// ProjectID is required to grant administrator privileges for a specific project.
string project_id = 3;
// ProjectGrantID is required to grant administrator privileges for a specific project grant.
ProjectGrant project_grant = 4;
}
}
message CreateAdministratorResponse {
// CreationDate is the timestamp when the administrator role was created.
google.protobuf.Timestamp creation_date = 1;
}
message UpdateAdministratorRequest {
// UserID is the ID of the user who should have his administrator roles update.
string user_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Resource is the type of the resource the administrator roles should be granted for.
ResourceType resource = 2;
// Roles are the roles that the user should be granted.
// Note that any role previously granted to the user and not present in the list will be revoked.
repeated string roles = 3 [(validate.rules).repeated = {
unique: true
items: {
string: {
min_len: 1
max_len: 200
}
}
}];
}
message UpdateAdministratorResponse {
// ChangeDate is the timestamp when the administrator role was last updated.
google.protobuf.Timestamp change_date = 1;
}
message DeleteAdministratorRequest {
// UserID is the ID of the user who should have his administrator roles removed.
string user_id = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Resource is the type of the resource the administrator roles should be removed for.
ResourceType resource = 2;
}
message DeleteAdministratorResponse {
// DeletionDate is the timestamp when the administrator role was deleted.
// Note that the deletion date is only guaranteed to be set if the deletion was successful during the request.
// In case the deletion occurred in a previous request, the deletion date might not be set.
google.protobuf.Timestamp deletion_date = 1;
}

166
proto/zitadel/internal_permission/v2beta/query.proto Normal file
View File

@@ -0,0 +1,166 @@
syntax = "proto3";
import "google/protobuf/timestamp.proto";
import "validate/validate.proto";
import "zitadel/filter/v2beta/filter.proto";
package zitadel.internal_permission.v2beta;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/internal_permission/v2beta;internal_permission";
message Administrator {
// CreationDate is the timestamp when the administrator role was granted.
google.protobuf.Timestamp creation_date = 1;
// ChangeDate is the timestamp when the administrator role was last updated.
// In case the administrator role was not updated, this field is equal to the creation date.
google.protobuf.Timestamp change_date = 2;
// User is the user who was granted the administrator role.
User user = 3;
// Resource is the type of the resource the administrator roles were granted for.
oneof resource {
// Instance is returned if the administrator roles were granted on the instance level.
bool instance = 4;
// Organization provides information about the organization the administrator roles were granted for.
Organization organization = 5;
// Project provides information about the project the administrator roles were granted for.
Project project = 6;
// ProjectGrant provides information about the project grant the administrator roles were granted for.
ProjectGrant project_grant = 7;
}
// Roles are the roles that were granted to the user for the specified resource.
repeated string roles = 8;
}
message User {
// ID is the unique identifier of the user.
string id = 1;
// PreferredLoginName is the preferred login name of the user. This value is unique across the whole instance.
string preferred_login_name = 2;
// DisplayName is the public display name of the user.
// By default it's the user's given name and family name, their username or their email address.
string display_name = 3;
// The organization the user belong to.
string organization_id = 4;
}
message Organization {
// ID is the unique identifier of the organization the user was granted the administrator role for.
string id = 1;
// Name is the name of the organization the user was granted the administrator role for.
string name = 2;
}
message Project {
// ID is the unique identifier of the project the user was granted the administrator role for.
string id = 1;
// Name is the name of the project the user was granted the administrator role for.
string name = 2;
// OrganizationID is the ID of the organization the project belongs to.
string organization_id = 3;
}
message ProjectGrant {
// ID is the unique identifier of the project grant the user was granted the administrator role for.
string id = 1;
// ProjectID is the ID of the project the project grant belongs to.
string project_id = 2;
// ProjectName is the name of the project the project grant belongs to.
string project_name = 3;
// OrganizationID is the ID of the organization the project grant belongs to.
string organization_id = 4;
// OrganizationID is the ID of the organization the project grant belongs to.
string granted_organization_id = 5;
}
message AdministratorSearchFilter{
oneof filter {
option (validate.required) = true;
// Search for administrator roles by their creation date.
zitadel.filter.v2beta.TimestampFilter creation_date = 1;
// Search for administrator roles by their change date.
zitadel.filter.v2beta.TimestampFilter change_date = 2;
// Search for administrators roles by the IDs of the users who was granted the administrator role.
zitadel.filter.v2beta.InIDsFilter in_user_ids_filter = 3;
// Search for administrators roles by the ID of the organization the user is part of.
zitadel.filter.v2beta.IDFilter user_organization_id = 4;
// Search for administrators roles by the preferred login name of the user.
UserPreferredLoginNameFilter user_preferred_login_name = 5;
// Search for administrators roles by the display name of the user.
UserDisplayNameFilter user_display_name = 6;
// Search for administrators roles granted for a specific resource.
ResourceFilter resource = 7;
// Search for administrators roles granted with a specific role.
RoleFilter role = 8;
// Combine multiple authorization queries with an AND operation.
AndFilter and = 9;
// Combine multiple authorization queries with an OR operation.
// For example, to search for authorizations of multiple OrganizationIDs.
OrFilter or = 10;
// Negate an authorization query.
NotFilter not = 11;
}
}
message UserPreferredLoginNameFilter {
// Search for administrators by the preferred login name of the user.
string preferred_login_name = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Specify the method to search for the preferred login name. Default is EQUAL.
// For example, to search for all administrator roles of a user with a preferred login name
// containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.filter.v2beta.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message UserDisplayNameFilter {
// Search for administrators by the display name of the user.
string display_name = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
// Specify the method to search for the display name. Default is EQUAL.
// For example, to search for all administrator roles of a user with a display name
// containing a specific string, use CONTAINS or CONTAINS_IGNORE_CASE.
zitadel.filter.v2beta.TextFilterMethod method = 2 [(validate.rules).enum.defined_only = true];
}
message ResourceFilter {
// Search for administrators by the granted resource.
oneof resource {
// Search for administrators granted on the instance level.
bool instance = 1;
// Search for administrators granted on a specific organization.
string organization_id = 2;
// Search for administrators granted on a specific project.
string project_id = 3;
// Search for administrators granted on a specific project grant.
string project_grant_id = 4;
}
}
message RoleFilter {
// Search for administrators by the granted role.
string role_key = 1 [(validate.rules).string = {
min_len: 1
max_len: 200
}];
}
message AndFilter {
repeated AdministratorSearchFilter queries = 1;
}
message OrFilter {
repeated AdministratorSearchFilter queries = 1;
}
message NotFilter {
AdministratorSearchFilter query = 1;
}
enum AdministratorFieldName {
ADMINISTRATOR_FIELD_NAME_UNSPECIFIED = 0;
ADMINISTRATOR_FIELD_NAME_USER_ID = 1;
ADMINISTRATOR_FIELD_NAME_CREATION_DATE = 2;
ADMINISTRATOR_FIELD_NAME_CHANGE_DATE = 3;
}

296
proto/zitadel/management.proto
View File

@@ -3329,6 +3329,7 @@ service ManagementService {
};
}
// Deprecated: Use [GetApplication](/apis/resources/application_service_v2/application-service-get-application.api.mdx) instead to fetch an app
rpc GetAppByID(GetAppByIDRequest) returns (GetAppByIDResponse) {
option (google.api.http) = {
get: "/projects/{project_id}/apps/{app_id}"
@@ -3351,9 +3352,11 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [ListApplications](/apis/resources/application_service_v2/application-service-list-applications.api.mdx) instead to list applications
rpc ListApps(ListAppsRequest) returns (ListAppsResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/_search"
@@ -3377,6 +3380,7 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
@@ -3405,6 +3409,7 @@ service ManagementService {
};
}
// Deprecated: Use [CreateApplication](/apis/resources/application_service_v2/application-service-create-application.api.mdx) instead to create an OIDC application
rpc AddOIDCApp(AddOIDCAppRequest) returns (AddOIDCAppResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/oidc"
@@ -3428,62 +3433,74 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
rpc AddSAMLApp(AddSAMLAppRequest) returns (AddSAMLAppResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/saml"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "project.app.write"
check_field_name: "ProjectId"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Applications";
summary: "Create Application (SAML)";
description: "Create a new SAML client. Returns an entity ID"
parameters: {
headers: {
name: "x-zitadel-orgid";
description: "The default is always the organization of the requesting user. If you like to change/get objects of another organization include the header. Make sure the requesting user has permission to access the requested data.";
type: STRING,
required: false;
};
};
};
}
rpc AddAPIApp(AddAPIAppRequest) returns (AddAPIAppResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/api"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "project.app.write"
check_field_name: "ProjectId"
// Deprecated: Use [CreateApplication](/apis/resources/application_service_v2/application-service-create-application.api.mdx) instead to create a SAML application
rpc AddSAMLApp(AddSAMLAppRequest) returns (AddSAMLAppResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/saml"
body: "*"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Applications";
summary: "Create Application (API)";
description: "Create a new API client. The client id will be generated and returned in the response. Depending on the chosen configuration also a secret will be generated and returned."
parameters: {
headers: {
name: "x-zitadel-orgid";
description: "The default is always the organization of the requesting user. If you like to change/get objects of another organization include the header. Make sure the requesting user has permission to access the requested data.";
type: STRING,
required: false;
};
};
};
option (zitadel.v1.auth_option) = {
permission: "project.app.write"
check_field_name: "ProjectId"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Applications";
summary: "Create Application (SAML)";
description: "Create a new SAML client. Returns an entity ID"
parameters: {
headers: {
name: "x-zitadel-orgid";
description: "The default is always the organization of the requesting user. If you like to change/get objects of another organization include the header. Make sure the requesting user has permission to access the requested data.";
type: STRING,
required: false;
};
};
deprecated: true;
};
}
// Create Application (API)
//
// Create a new API client. The client id will be generated and returned in the response.
// Depending on the chosen configuration also a secret will be generated and returned.
//
// Deprecated: Use [CreateApplication](/apis/resources/application_service_v2/application-service-create-application.api.mdx) instead to create an API application
rpc AddAPIApp(AddAPIAppRequest) returns (AddAPIAppResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/api"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "project.app.write"
check_field_name: "ProjectId"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Applications";
summary: "Create Application (API)";
description: "Create a new API client. The client id will be generated and returned in the response. Depending on the chosen configuration also a secret will be generated and returned."
parameters: {
headers: {
name: "x-zitadel-orgid";
description: "The default is always the organization of the requesting user. If you like to change/get objects of another organization include the header. Make sure the requesting user has permission to access the requested data.";
type: STRING,
required: false;
};
};
deprecated: true;
};
}
// Changes application
//
// Deprecated: Use [PatchApplication](/apis/resources/application_service_v2/application-service-patch-application.api.mdx) instead to update the generic params of an app
rpc UpdateApp(UpdateAppRequest) returns (UpdateAppResponse) {
option (google.api.http) = {
put: "/projects/{project_id}/apps/{app_id}"
@@ -3507,9 +3524,11 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [PatchApplication](/apis/resources/application_service_v2/application-service-patch-application.api.mdx) instead to update the config of an OIDC app
rpc UpdateOIDCAppConfig(UpdateOIDCAppConfigRequest) returns (UpdateOIDCAppConfigResponse) {
option (google.api.http) = {
put: "/projects/{project_id}/apps/{app_id}/oidc_config"
@@ -3533,61 +3552,67 @@ service ManagementService {
required: false;
};
};
deprecated: true
};
}
rpc UpdateSAMLAppConfig(UpdateSAMLAppConfigRequest) returns (UpdateSAMLAppConfigResponse) {
option (google.api.http) = {
put: "/projects/{project_id}/apps/{app_id}/saml_config"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "project.app.write"
check_field_name: "ProjectId"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Applications";
summary: "Update SAML Application Config";
description: "Update the SAML specific configuration of an application."
parameters: {
headers: {
name: "x-zitadel-orgid";
description: "The default is always the organization of the requesting user. If you like to change/get objects of another organization include the header. Make sure the requesting user has permission to access the requested data.";
type: STRING,
required: false;
};
};
};
}
rpc UpdateAPIAppConfig(UpdateAPIAppConfigRequest) returns (UpdateAPIAppConfigResponse) {
option (google.api.http) = {
put: "/projects/{project_id}/apps/{app_id}/api_config"
body: "*"
};
// Deprecated: Use [PatchApplication](/apis/resources/application_service_v2/application-service-patch-application.api.mdx) instead to update the config of a SAML app
rpc UpdateSAMLAppConfig(UpdateSAMLAppConfigRequest) returns (UpdateSAMLAppConfigResponse) {
option (google.api.http) = {
put: "/projects/{project_id}/apps/{app_id}/saml_config"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "project.app.write"
check_field_name: "ProjectId"
permission: "project.app.write"
check_field_name: "ProjectId"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Applications";
summary: "Update API Application Config";
description: "Update the OIDC-specific configuration of an application."
parameters: {
headers: {
name: "x-zitadel-orgid";
description: "The default is always the organization of the requesting user. If you like to change/get objects of another organization include the header. Make sure the requesting user has permission to access the requested data.";
type: STRING,
required: false;
};
};
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Applications";
summary: "Update SAML Application Config";
description: "Update the SAML specific configuration of an application."
parameters: {
headers: {
name: "x-zitadel-orgid";
description: "The default is always the organization of the requesting user. If you like to change/get objects of another organization include the header. Make sure the requesting user has permission to access the requested data.";
type: STRING,
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [PatchApplication](/apis/resources/application_service_v2/application-service-patch-application.api.mdx) instead to update the config of an API app
rpc UpdateAPIAppConfig(UpdateAPIAppConfigRequest) returns (UpdateAPIAppConfigResponse) {
option (google.api.http) = {
put: "/projects/{project_id}/apps/{app_id}/api_config"
body: "*"
};
option (zitadel.v1.auth_option) = {
permission: "project.app.write"
check_field_name: "ProjectId"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Applications";
summary: "Update API Application Config";
description: "Update the OIDC-specific configuration of an application."
parameters: {
headers: {
name: "x-zitadel-orgid";
description: "The default is always the organization of the requesting user. If you like to change/get objects of another organization include the header. Make sure the requesting user has permission to access the requested data.";
type: STRING,
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [DeactivateApplication](/apis/resources/application_service_v2/application-service-deactivate-application.api.mdx) instead to deactivate an app
rpc DeactivateApp(DeactivateAppRequest) returns (DeactivateAppResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/{app_id}/_deactivate"
@@ -3611,9 +3636,11 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [ReactivateApplication](/apis/resources/application_service_v2/application-service-reactivate-application.api.mdx) instead to reactivate an app
rpc ReactivateApp(ReactivateAppRequest) returns (ReactivateAppResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/{app_id}/_reactivate"
@@ -3637,9 +3664,11 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [DeleteApplication](/apis/resources/application_service_v2/application-service-delete-application.api.mdx) instead to delete an app
rpc RemoveApp(RemoveAppRequest) returns (RemoveAppResponse) {
option (google.api.http) = {
delete: "/projects/{project_id}/apps/{app_id}"
@@ -3662,9 +3691,11 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [RegenerateClientSecret](/apis/resources/application_service_v2/application-service-regenerate-client-secret.api.mdx) instead to regenerate an OIDC app client secret
rpc RegenerateOIDCClientSecret(RegenerateOIDCClientSecretRequest) returns (RegenerateOIDCClientSecretResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/{app_id}/oidc_config/_generate_client_secret"
@@ -3688,9 +3719,11 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [RegenerateClientSecret](/apis/resources/application_service_v2/application-service-regenerate-client-secret.api.mdx) instead to regenerate an API app client secret
rpc RegenerateAPIClientSecret(RegenerateAPIClientSecretRequest) returns (RegenerateAPIClientSecretResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/{app_id}/api_config/_generate_client_secret"
@@ -3714,9 +3747,11 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [GetApplicationKey](/apis/resources/application_service_v2/application-service-get-application-key.api.mdx) instead to get an application key
rpc GetAppKey(GetAppKeyRequest) returns (GetAppKeyResponse) {
option (google.api.http) = {
get: "/projects/{project_id}/apps/{app_id}/keys/{key_id}"
@@ -3739,9 +3774,11 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [ListApplicationKeys](/apis/resources/application_service_v2/application-service-list-application-keys.api.mdx) instead to list application keys
rpc ListAppKeys(ListAppKeysRequest) returns (ListAppKeysResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/apps/{app_id}/keys/_search"
@@ -3768,6 +3805,8 @@ service ManagementService {
};
}
// Deprecated: Use [CreateApplicationKey](/apis/resources/application_service_v2/application-service-create-application-key.api.mdx) instead to
// create an application key
rpc AddAppKey(AddAppKeyRequest) returns (AddAppKeyResponse){
option (google.api.http) = {
post: "/projects/{project_id}/apps/{app_id}/keys"
@@ -3791,9 +3830,12 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
// Deprecated: Use [DeleteApplicationKey](/apis/resources/application_service_v2/application-service-delete-application-key.api.mdx) instead to
// delete an application key
rpc RemoveAppKey(RemoveAppKeyRequest) returns (RemoveAppKeyResponse) {
option (google.api.http) = {
delete: "/projects/{project_id}/apps/{app_id}/keys/{key_id}"
@@ -3816,6 +3858,7 @@ service ManagementService {
required: false;
};
};
deprecated: true;
};
}
@@ -4176,6 +4219,11 @@ service ManagementService {
};
}
// Get User Grant By ID
//
// Deprecated: [List authorizations](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-list-authorizations.api.mdx) and filter by its ID.
//
// Returns a user grant per ID. A user grant is a role a user has for a specific project and organization.
rpc GetUserGrantByID(GetUserGrantByIDRequest) returns (GetUserGrantByIDResponse) {
option (google.api.http) = {
get: "/users/{user_id}/grants/{grant_id}"
@@ -4187,8 +4235,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Grants";
summary: "User Grant By ID";
description: "Returns a user grant per ID. A user grant is a role a user has for a specific project and organization."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -4200,6 +4247,11 @@ service ManagementService {
};
}
// Search User Grants
//
// Deprecated: [List authorizations](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-list-authorizations.api.mdx) and pass the user ID filter to search for a users grants on owned or granted projects.
//
// Returns a list of user grants that match the search queries. User grants are the roles users have for a specific project and organization.
rpc ListUserGrants(ListUserGrantRequest) returns (ListUserGrantResponse) {
option (google.api.http) = {
post: "/users/grants/_search"
@@ -4212,8 +4264,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Grants";
summary: "Search User Grants";
description: "Returns a list of user grants that match the search queries. User grants are the roles users have for a specific project and organization."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -4225,6 +4276,12 @@ service ManagementService {
};
}
// Add User Grant
//
// Deprecated: [Add an authorization](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-create-authorization.api.mdx) to grant a user access to an owned or granted project.
//
// Add a user grant for a specific user. User grants are the roles users have for a specific project and organization.
rpc AddUserGrant(AddUserGrantRequest) returns (AddUserGrantResponse) {
option (google.api.http) = {
post: "/users/{user_id}/grants"
@@ -4237,8 +4294,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Grants";
summary: "Add User Grant";
description: "Add a user grant for a specific user. User grants are the roles users have for a specific project and organization."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -4250,6 +4306,11 @@ service ManagementService {
};
}
// Update User Grant
//
// Deprecated: [Update an authorization](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-update-authorization.api.mdx) to update a user's roles on an owned or granted project.
//
// Update the roles of a user grant. User grants are the roles users have for a specific project and organization.
rpc UpdateUserGrant(UpdateUserGrantRequest) returns (UpdateUserGrantResponse) {
option (google.api.http) = {
put: "/users/{user_id}/grants/{grant_id}"
@@ -4262,8 +4323,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Grants";
summary: "Update User Grants";
description: "Update the roles of a user grant. User grants are the roles users have for a specific project and organization."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -4275,6 +4335,11 @@ service ManagementService {
};
}
// Deactivate User Grant
//
// Deprecated: [Deactivate an authorization](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-deactivate-authorization.api.mdx) to disable a user's access to an owned or granted project.
//
// Deactivate the user grant. The user will not be able to use the granted project anymore. Also, the roles will not be included in the tokens when requested. An error will be returned if the user grant is already deactivated.
rpc DeactivateUserGrant(DeactivateUserGrantRequest) returns (DeactivateUserGrantResponse) {
option (google.api.http) = {
post: "/users/{user_id}/grants/{grant_id}/_deactivate"
@@ -4287,8 +4352,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Grants";
summary: "Deactivate User Grant";
description: "Deactivate the user grant. The user will not be able to use the granted project anymore. Also, the roles will not be included in the tokens when requested. An error will be returned if the user grant is already deactivated."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -4300,6 +4364,11 @@ service ManagementService {
};
}
// Reactivate User Grant
//
// Deprecated: [Activate an authorization](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-activate-authorization.api.mdx) to enable a user's access to an owned or granted project.
//
// Reactivate a deactivated user grant. The user will be able to use the granted project again. An error will be returned if the user grant is not deactivated.
rpc ReactivateUserGrant(ReactivateUserGrantRequest) returns (ReactivateUserGrantResponse) {
option (google.api.http) = {
post: "/users/{user_id}/grants/{grant_id}/_reactivate"
@@ -4312,8 +4381,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Grants";
summary: "Reactivate User Grant";
description: "Reactivate a deactivated user grant. The user will be able to use the granted project again. An error will be returned if the user grant is not deactivated."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -4325,6 +4393,11 @@ service ManagementService {
};
}
// Remove User Grant
//
// Deprecated: [Delete an authorization](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-delete-authorization.api.mdx) to remove a users access to an owned or granted project.
//
// Removes the user grant from the user. The user will not be able to use the granted project anymore. Also, the roles will not be included in the tokens when requested.
rpc RemoveUserGrant(RemoveUserGrantRequest) returns (RemoveUserGrantResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/grants/{grant_id}"
@@ -4336,8 +4409,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Grants";
summary: "Remove User Grant";
description: "Removes the user grant from the user. The user will not be able to use the granted project anymore. Also, the roles will not be included in the tokens when requested."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -4349,6 +4421,11 @@ service ManagementService {
};
}
// Bulk Remove User Grants
//
// Deprecated: [Delete authorizations one after the other](apis/resources/authorization_service_v2/zitadel-authorization-v-2-beta-authorization-service-delete-authorization.api.mdx) to remove access for multiple users on multiple owned or granted projects.
//
// Remove a list of user grants. The users will not be able to use the granted project anymore. Also, the roles will not be included in the tokens when requested.
rpc BulkRemoveUserGrant(BulkRemoveUserGrantRequest) returns (BulkRemoveUserGrantResponse) {
option (google.api.http) = {
delete: "/user_grants/_bulk"
@@ -4361,8 +4438,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "User Grants";
summary: "Bulk Remove User Grants";
description: "Remove a list of user grants. The users will not be able to use the granted project anymore. Also, the roles will not be included in the tokens when requested."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";

57
proto/zitadel/metadata/v2/metadata.proto Normal file
View File

@@ -0,0 +1,57 @@
syntax = "proto3";
import "zitadel/filter/v2/filter.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "google/protobuf/timestamp.proto";
package zitadel.metadata.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/metadata/v2";
message Metadata {
google.protobuf.Timestamp creation_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
google.protobuf.Timestamp change_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
string key = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "metadata key",
example: "\"key1\"";
}
];
bytes value = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "metadata value is base64 encoded, make sure to decode to get the value",
example: "\"VGhpcyBpcyBteSBmaXJzdCB2YWx1ZQ==\"";
}
];
}
message MetadataSearchFilter {
oneof filter {
option (validate.required) = true;
MetadataKeyFilter key_filter = 1;
}
}
message MetadataKeyFilter {
string key = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"key\""
}
];
zitadel.filter.v2.TextFilterMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
}
];
}

2
proto/zitadel/project/v2beta/project_service.proto
View File

@@ -451,7 +451,7 @@ service ProjectService {
// - `project.role.read`
rpc ListProjectRoles (ListProjectRolesRequest) returns (ListProjectRolesResponse) {
option (google.api.http) = {
delete: "/v2beta/projects/{project_id}/roles/search"
post: "/v2beta/projects/{project_id}/roles/search"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {

14
proto/zitadel/system.proto
View File

@@ -118,7 +118,7 @@ service SystemService {
// Returns a list of ZITADEL instances
//
// Deprecated: Use [ListInstances](apis/resources/instance_service_v2/instance-service-list-instances.api.mdx) instead to list instances
// Deprecated: Use [ListInstances](apis/resources/instance_service_v2/zitadel-instance-v-2-beta-instance-service-list-instances.api.mdx) instead to list instances
rpc ListInstances(ListInstancesRequest) returns (ListInstancesResponse) {
option (google.api.http) = {
post: "/instances/_search"
@@ -136,7 +136,7 @@ service SystemService {
// Returns the detail of an instance
//
// Deprecated: Use [GetInstance](apis/resources/instance_service_v2/instance-service-get-instance.api.mdx) instead to get the details of the instance in context
// Deprecated: Use [GetInstance](apis/resources/instance_service_v2/zitadel-instance-v-2-beta-instance-service-get-instance.api.mdx) instead to get the details of the instance in context
rpc GetInstance(GetInstanceRequest) returns (GetInstanceResponse) {
option (google.api.http) = {
get: "/instances/{instance_id}";
@@ -171,7 +171,7 @@ service SystemService {
// Updates name of an existing instance
//
// Deprecated: Use [UpdateInstance](apis/resources/instance_service_v2/instance-service-update-instance.api.mdx) instead to update the name of the instance in context
// Deprecated: Use [UpdateInstance](apis/resources/instance_service_v2/zitadel-instance-v-2-beta-instance-service-update-instance.api.mdx) instead to update the name of the instance in context
rpc UpdateInstance(UpdateInstanceRequest) returns (UpdateInstanceResponse) {
option (google.api.http) = {
put: "/instances/{instance_id}"
@@ -203,7 +203,7 @@ service SystemService {
// Removes an instance
// This might take some time
//
// Deprecated: Use [DeleteInstance](apis/resources/instance_service_v2/instance-service-delete-instance.api.mdx) instead to delete an instance
// Deprecated: Use [DeleteInstance](apis/resources/instance_service_v2/zitadel-instance-v-2-beta-instance-service-delete-instance.api.mdx) instead to delete an instance
rpc RemoveInstance(RemoveInstanceRequest) returns (RemoveInstanceResponse) {
option (google.api.http) = {
delete: "/instances/{instance_id}"
@@ -234,7 +234,7 @@ service SystemService {
// Checks if a domain exists
//
// Deprecated: Use [ListCustomDomains](apis/resources/instance_service_v2/instance-service-list-custom-domains.api.mdx) instead to check existence of an instance
// Deprecated: Use [ListCustomDomains](apis/resources/instance_service_v2/zitadel-instance-v-2-beta-instance-service-list-custom-domains.api.mdx) instead to check existence of an instance
rpc ExistsDomain(ExistsDomainRequest) returns (ExistsDomainResponse) {
option (google.api.http) = {
post: "/domains/{domain}/_exists";
@@ -270,7 +270,7 @@ service SystemService {
// Adds a domain to an instance
//
// Deprecated: Use [AddCustomDomain](apis/resources/instance_service_v2/instance-service-add-custom-domain.api.mdx) instead to add a custom domain to the instance in context
// Deprecated: Use [AddCustomDomain](apis/resources/instance_service_v2/zitadel-instance-v-2-beta-instance-service-add-custom-domain.api.mdx) instead to add a custom domain to the instance in context
rpc AddDomain(AddDomainRequest) returns (AddDomainResponse) {
option (google.api.http) = {
post: "/instances/{instance_id}/domains";
@@ -288,7 +288,7 @@ service SystemService {
// Removes the domain of an instance
//
// Deprecated: Use [RemoveDomain](apis/resources/instance_service_v2/instance-service-remove-custom-domain.api.mdx) instead to remove a custom domain from the instance in context
// Deprecated: Use [RemoveDomain](apis/resources/instance_service_v2/zitadel-instance-v-2-beta-instance-service-remove-custom-domain.api.mdx) instead to remove a custom domain from the instance in context
rpc RemoveDomain(RemoveDomainRequest) returns (RemoveDomainResponse) {
option (google.api.http) = {
delete: "/instances/{instance_id}/domains/{domain}";

18
proto/zitadel/user/v2/idp.proto
View File

@@ -162,3 +162,21 @@ message IDPLink {
}
];
}
message FormData {
// The URL to which the form should be submitted using the POST method.
string url = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://idp.com/saml/v2/acs\"";
}
];
// The form fields to be submitted.
// Each field is represented as a key-value pair, where the key is the field / input name
// and the value is the field / input value.
// All fields need to be submitted as is and as input type "text".
map<string, string> fields = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "{\"relayState\":\"state\",\"SAMLRequest\":\"asjfkj3ir2fj248=\"}";
}
];
}

166
proto/zitadel/user/v2/user_service.proto
View File

@@ -22,6 +22,7 @@ import "zitadel/user/v2/key.proto";
import "zitadel/user/v2/pat.proto";
import "zitadel/user/v2/query.proto";
import "zitadel/filter/v2/filter.proto";
import "zitadel/metadata/v2/metadata.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
@@ -1859,6 +1860,84 @@ service UserService {
};
};
}
// Set User Metadata
//
// Sets a list of key value pairs. Existing metadata entries with matching keys are overwritten. Existing metadata entries without matching keys are untouched. To remove metadata entries, use [DeleteUserMetadata](apis/resources/user_service_v2/user-service-delete-user-metadata.api.mdx). For HTTP requests, make sure the bytes array value is base64 encoded.
//
// Required permission:
// - `user.write`
rpc SetUserMetadata(SetUserMetadataRequest) returns (SetUserMetadataResponse) {
option (google.api.http) = {
post: "/v2/users/{user_id}/metadata"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
};
responses: {
key: "400"
value: {
description: "User not found";
}
};
};
}
// List User Metadata
//
// List metadata of an user filtered by query.
//
// Required permission:
// - `user.read`
rpc ListUserMetadata(ListUserMetadataRequest) returns (ListUserMetadataResponse) {
option (google.api.http) = {
post: "/v2/users/{user_id}/metadata/search"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {auth_option: {
permission: "user.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
};
};
}
// Delete User Metadata
//
// Delete metadata objects from an user with a specific key.
//
// Required permission:
// - `user.write`
rpc DeleteUserMetadata(DeleteUserMetadataRequest) returns (DeleteUserMetadataResponse) {
option (google.api.http) = {
delete: "/v2/users/{user_id}/metadata"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
};
};
}
}
message AddHumanUserRequest{
@@ -1956,6 +2035,13 @@ message CreateUserRequest{
example: "\"TJOPWSDYILLHXFV4MLKNNJOWFG7VSDCK\"";
}
];
// Metadata to bet set. The values have to be base64 encoded.
repeated Metadata metadata = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[{\"key\": \"test1\", \"value\": \"VGhpcyBpcyBteSBmaXJzdCB2YWx1ZQ==\"}, {\"key\": \"test2\", \"value\": \"VGhpcyBpcyBteSBzZWNvbmQgdmFsdWU=\"}]"
}
];
}
message Machine {
// The machine users name is a human readable field that helps identifying the user.
@@ -2961,11 +3047,15 @@ message StartIdentityProviderIntentResponse{
description: "IDP Intent information"
}
];
// POST call information
// Deprecated: Use form_data instead
bytes post_form = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "POST call information"
}
];
// Data for a form POST call
FormData form_data = 5;
}
}
@@ -3518,3 +3608,79 @@ message ListPersonalAccessTokensResponse {
zitadel.filter.v2.PaginationResponse pagination = 1;
repeated PersonalAccessToken result = 2;
}
message Metadata {
// Key in the metadata key/value pair.
string key = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
// Value in the metadata key/value pair.
bytes value = 2 [(validate.rules).bytes = {min_len: 1, max_len: 500000}];
}
message SetUserMetadataRequest{
// ID of the user under which the metadata gets set.
string user_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629012906488334\"";
}
];
// Metadata to bet set. The values have to be base64 encoded.
repeated Metadata metadata = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[{\"key\": \"test1\", \"value\": \"VGhpcyBpcyBteSBmaXJzdCB2YWx1ZQ==\"}, {\"key\": \"test2\", \"value\": \"VGhpcyBpcyBteSBzZWNvbmQgdmFsdWU=\"}]"
}
];
}
message SetUserMetadataResponse{
// The timestamp of the update of the user metadata.
google.protobuf.Timestamp set_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ListUserMetadataRequest {
// ID of the user under which the metadata is to be listed.
string user_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629012906488334\"";
}
];
// List limitations and ordering.
optional zitadel.filter.v2.PaginationRequest pagination = 2;
// Define the criteria to query for.
repeated zitadel.metadata.v2.MetadataSearchFilter filters = 3;
}
message ListUserMetadataResponse {
// Pagination of the users metadata results.
zitadel.filter.v2.PaginationResponse pagination = 1;
// The user metadata requested.
repeated zitadel.metadata.v2.Metadata metadata = 2;
}
message DeleteUserMetadataRequest {
// ID of the user which metadata is to be deleted is stored on.
string user_id = 1;
// The keys for the user metadata to be deleted.
repeated string keys = 2 [(validate.rules).repeated.items.string = {min_len: 1, max_len: 200}];
}
message DeleteUserMetadataResponse{
// The timestamp of the deletion of the user metadata.
google.protobuf.Timestamp deletion_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}

18
proto/zitadel/user/v2beta/idp.proto
View File

@@ -162,3 +162,21 @@ message IDPLink {
}
];
}
message FormData {
// The URL to which the form should be submitted using the POST method.
string url = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://idp.com/saml/v2/acs\"";
}
];
// The form fields to be submitted.
// Each field is represented as a key-value pair, where the key is the field / input name
// and the value is the field / input value.
// All fields need to be submitted as is and as input type "text".
map<string, string> fields = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "{\"relayState\":\"state\",\"SAMLRequest\":\"asjfkj3ir2fj248=\"}";
}
];
}

13
proto/zitadel/user/v2beta/user_service.proto
View File

@@ -1788,22 +1788,23 @@ message StartIdentityProviderIntentRequest{
message StartIdentityProviderIntentResponse{
zitadel.object.v2beta.Details details = 1;
oneof next_step {
// URL to which the client should redirect
string auth_url = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "URL to which the client should redirect"
example: "\"https://accounts.google.com/o/oauth2/v2/auth?client_id=clientID&callback=https%3A%2F%2Fzitadel.cloud%2Fidps%2Fcallback\"";
}
];
IDPIntent idp_intent = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "IDP Intent information"
}
];
// IDP Intent information
IDPIntent idp_intent = 3;
// POST call information
// Deprecated: Use form_data instead
bytes post_form = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "POST call information"
}
];
// Data for a form POST call
FormData form_data = 5;
}
}

109
proto/zitadel/webkey/v2/key.proto Normal file
View File

@@ -0,0 +1,109 @@
syntax = "proto3";
package zitadel.webkey.v2;
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/webkey/v2;webkey";
enum State {
STATE_UNSPECIFIED = 0;
// A newly created key is in the initial state and published to the public key endpoint.
STATE_INITIAL = 1;
// The active key is used to sign tokens. Only one key can be active at a time.
STATE_ACTIVE = 2;
// The inactive key is not used to sign tokens anymore, but still published to the public key endpoint.
STATE_INACTIVE = 3;
// The removed key is not used to sign tokens anymore and not published to the public key endpoint.
STATE_REMOVED = 4;
}
message WebKey {
// The unique identifier of the key.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The timestamp of the key creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the last change to the key (e.g. creation, activation, deactivation).
google.protobuf.Timestamp change_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
// State of the key
State state = 4;
// Configured type of the key (either RSA, ECDSA or ED25519)
oneof key {
RSA rsa = 5;
ECDSA ecdsa = 6;
ED25519 ed25519 = 7;
}
}
message RSA {
// Bit size of the RSA key. Default is 2048 bits.
RSABits bits = 1 [
(validate.rules).enum = {defined_only: true, not_in: [0]},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "RSA_BITS_2048";
}
];
// Signing algrithm used. Default is SHA256.
RSAHasher hasher = 2 [
(validate.rules).enum = {defined_only: true, not_in: [0]},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "RSA_HASHER_SHA256";
}
];
}
enum RSABits {
RSA_BITS_UNSPECIFIED = 0;
// 2048 bit RSA key
RSA_BITS_2048 = 1;
// 3072 bit RSA key
RSA_BITS_3072 = 2;
// 4096 bit RSA key
RSA_BITS_4096 = 3;
}
enum RSAHasher {
RSA_HASHER_UNSPECIFIED = 0;
// SHA256 hashing algorithm resulting in the RS256 algorithm header
RSA_HASHER_SHA256 = 1;
// SHA384 hashing algorithm resulting in the RS384 algorithm header
RSA_HASHER_SHA384 = 2;
// SHA512 hashing algorithm resulting in the RS512 algorithm header
RSA_HASHER_SHA512 = 3;
}
message ECDSA {
// Curve of the ECDSA key. Default is P-256.
ECDSACurve curve = 1 [
(validate.rules).enum = {defined_only: true, not_in: [0]},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "ECDSA_CURVE_P256";
}
];
}
enum ECDSACurve {
ECDSA_CURVE_UNSPECIFIED = 0;
// NIST P-256 curve resulting in the ES256 algorithm header
ECDSA_CURVE_P256 = 1;
// NIST P-384 curve resulting in the ES384 algorithm header
ECDSA_CURVE_P384 = 2;
// NIST P-512 curve resulting in the ES512 algorithm header
ECDSA_CURVE_P512 = 3;
}
message ED25519 {}

335
proto/zitadel/webkey/v2/webkey_service.proto Normal file
View File

@@ -0,0 +1,335 @@
syntax = "proto3";
package zitadel.webkey.v2;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/webkey/v2/key.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/webkey/v2;webkey";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Web Key Service";
version: "2.0";
description: "This API is intended to manage web keys for a ZITADEL instance, used to sign and validate OIDC tokens.\n\nThe public key endpoint (outside of this service) is used to retrieve the public keys of the active and inactive keys.\n\nPlease make sure to enable the `web_key` feature flag on your instance to use this service.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
produces: "application/json";
consumes: "application/grpc";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
// Service to manage web keys for OIDC token signing and validation.
// The service provides methods to create, activate, delete and list web keys.
// The public key endpoint (outside of this service) is used to retrieve the public keys of the active and inactive keys.
//
// Please make sure to enable the `web_key` feature flag on your instance to use this service.
service WebKeyService {
// Create Web Key
//
// Generate a private and public key pair. The private key can be used to sign OIDC tokens after activation.
// The public key can be used to validate OIDC tokens.
// The newly created key will have the state `STATE_INITIAL` and is published to the public key endpoint.
// Note that the JWKs OIDC endpoint returns a cacheable response.
//
// If no key type is provided, a RSA key pair with 2048 bits and SHA256 hashing will be created.
//
// Required permission:
// - `iam.web_key.write`
//
// Required feature flag:
// - `web_key`
rpc CreateWebKey(CreateWebKeyRequest) returns (CreateWebKeyResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.write"
}
};
}
// Activate Web Key
//
// Switch the active signing web key. The previously active key will be deactivated.
// Note that the JWKs OIDC endpoint returns a cacheable response.
// Therefore it is not advised to activate a key that has been created within the cache duration (default is 5min),
// as the public key may not have been propagated to caches and clients yet.
//
// Required permission:
// - `iam.web_key.write`
//
// Required feature flag:
// - `web_key`
rpc ActivateWebKey(ActivateWebKeyRequest) returns (ActivateWebKeyResponse) {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.write"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "Web key activated successfully.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `web_key` is not enabled.";
}
};
responses: {
key: "404"
value: {
description: "The web key to active does not exist.";
}
};
};
}
// Delete Web Key
//
// Delete a web key pair. Only inactive keys can be deleted. Once a key is deleted,
// any tokens signed by this key will be invalid.
// Note that the JWKs OIDC endpoint returns a cacheable response.
// In case the web key is not found, the request will return a successful response as
// the desired state is already achieved.
// You can check the change date in the response to verify if the web key was deleted during the request.
//
// Required permission:
// - `iam.web_key.delete`
//
// Required feature flag:
// - `web_key`
rpc DeleteWebKey(DeleteWebKeyRequest) returns (DeleteWebKeyResponse) {
option (google.api.http) = {
delete: "/v2/web_keys/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.delete"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "Web key deleted successfully.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `web_key` is not enabled or the web key is currently active.";
}
};
};
}
// List Web Keys
//
// List all web keys and their states.
//
// Required permission:
// - `iam.web_key.read`
//
// Required feature flag:
// - `web_key`
rpc ListWebKeys(ListWebKeysRequest) returns (ListWebKeysResponse) {
option (google.api.http) = {
get: "/v2/web_keys"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "List of all web keys.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `web_key` is not enabled.";
}
};
};
}
}
message CreateWebKeyRequest {
// The key type to create (RSA, ECDSA, ED25519).
// If no key type is provided, a RSA key pair with 2048 bits and SHA256 hashing will be created.
oneof key {
// Create a RSA key pair and specify the bit size and hashing algorithm.
// If no bits and hasher are provided, a RSA key pair with 2048 bits and SHA256 hashing will be created.
RSA rsa = 1;
// Create a ECDSA key pair and specify the curve.
// If no curve is provided, a ECDSA key pair with P-256 curve will be created.
ECDSA ecdsa = 2;
// Create a ED25519 key pair.
ED25519 ed25519 = 3;
}
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
example: "{\"rsa\":{\"bits\":\"RSA_BITS_2048\",\"hasher\":\"RSA_HASHER_SHA256\"}}";
};
}
message CreateWebKeyResponse {
// The unique identifier of the newly created key.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The timestamp of the key creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message ActivateWebKeyRequest {
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message ActivateWebKeyResponse {
// The timestamp of the activation of the key.
google.protobuf.Timestamp change_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message DeleteWebKeyRequest {
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message DeleteWebKeyResponse {
// The timestamp of the deletion of the key.
// Note that the deletion date is only guaranteed to be set if the deletion was successful during the request.
// In case the deletion occurred in a previous request, the deletion date might be empty.
google.protobuf.Timestamp deletion_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ListWebKeysRequest {}
message ListWebKeysResponse {
repeated WebKey web_keys = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[{\"id\":\"69629012906488334\",\"creationDate\":\"2024-12-18T07:50:47.492Z\",\"changeDate\":\"2024-12-18T08:04:47.492Z\",\"state\":\"STATE_ACTIVE\",\"rsa\":{\"bits\":\"RSA_BITS_2048\",\"hasher\":\"RSA_HASHER_SHA256\"}},{\"id\":\"69629012909346200\",\"creationDate\":\"2025-01-18T12:05:47.492Z\",\"state\":\"STATE_INITIAL\",\"ecdsa\":{\"curve\":\"ECDSA_CURVE_P256\"}}]";
}
];
}