feat: api v2beta to api v2 protos (#8343)

# Which Problems Are Solved

The Go linter can't limit its checks to the diff in
https://github.com/zitadel/zitadel/pull/8283 because that PR is too large

# How the Problems Are Solved

The protos from https://github.com/zitadel/zitadel/pull/8283 are merged
separately

# Additional Context

Contributes to #7236

---------

Co-authored-by: Elio Bischof <elio@zitadel.com>
Stefan Benz
2024-07-26 12:28:28 +02:00
committed by GitHub
parent 57428a1281
commit bc16962aac
57 changed files with 6690 additions and 291 deletions


@@ -52,7 +52,7 @@ message RequestExecution {
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 1000,
example: "\"/zitadel.session.v2beta.SessionService/ListSessions\"";
example: "\"/zitadel.session.v2.SessionService/ListSessions\"";
}
];
// GRPC-service as condition.
@@ -61,7 +61,7 @@ message RequestExecution {
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 1000,
example: "\"zitadel.session.v2beta.SessionService\"";
example: "\"zitadel.session.v2.SessionService\"";
}
];
// All calls to any available services and methods as condition.
@@ -78,7 +78,7 @@ message ResponseExecution {
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 1000,
example: "\"/zitadel.session.v2beta.SessionService/ListSessions\"";
example: "\"/zitadel.session.v2.SessionService/ListSessions\"";
}
];
// GRPC-service as condition.
@@ -87,7 +87,7 @@ message ResponseExecution {
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 1000,
example: "\"zitadel.session.v2beta.SessionService\"";
example: "\"zitadel.session.v2.SessionService\"";
}
];
// All calls to any available services and methods as condition.


@@ -47,7 +47,7 @@ message IncludeFilter {
string include = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the id of the include"
example: "\"request.zitadel.session.v2beta.SessionService\"";
example: "\"request.zitadel.session.v2.SessionService\"";
}
];
}


@@ -85,7 +85,7 @@ curl -L -X PUT 'https://$CUSTOM-DOMAIN/v3alpha/executions' \
--data-raw '{
"condition": {
"request": {
"method": "/zitadel.user.v2beta.UserService/AddHumanUser"
"method": "/zitadel.user.v2.UserService/AddHumanUser"
}
},
"targets": [
@@ -98,10 +98,10 @@ curl -L -X PUT 'https://$CUSTOM-DOMAIN/v3alpha/executions' \
## Example call
Now on every call on `/zitadel.user.v2beta.UserService/AddHumanUser` the local server prints out the received body of the request:
Now on every call on `/zitadel.user.v2.UserService/AddHumanUser` the local server prints out the received body of the request:
```shell
curl -L -X PUT 'https://$CUSTOM-DOMAIN/v2beta/users/human' \
curl -L -X PUT 'https://$CUSTOM-DOMAIN/v2/users/human' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <TOKEN>' \
@@ -119,7 +119,7 @@ curl -L -X PUT 'https://$CUSTOM-DOMAIN/v2beta/users/human' \
Should print out something like, also described under [Sent information Request](./introduction#sent-information-request):
```shell
{
"fullMethod": "/zitadel.user.v2beta.UserService/AddHumanUser",
"fullMethod": "/zitadel.user.v2.UserService/AddHumanUser",
"instanceID": "262851882718855632",
"orgID": "262851882718921168",
"projectID": "262851882719052240",


@@ -70,16 +70,16 @@ The API documentation to set an Execution can be found [here](/apis/resources/ac
### Condition Best Match
As the conditions can be defined on different levels, ZITADEL tries to find out which Execution is the best match.
This means that for example if you have an Execution defined on `all requests`, on the service `zitadel.user.v2beta.UserService` and on `/zitadel.user.v2beta.UserService/AddHumanUser`,
ZITADEL would with a call on the `/zitadel.user.v2beta.UserService/AddHumanUser` use the Executions with the following priority:
This means that for example if you have an Execution defined on `all requests`, on the service `zitadel.user.v2.UserService` and on `/zitadel.user.v2.UserService/AddHumanUser`,
ZITADEL would with a call on the `/zitadel.user.v2.UserService/AddHumanUser` use the Executions with the following priority:
1. `/zitadel.user.v2beta.UserService/AddHumanUser`
2. `zitadel.user.v2beta.UserService`
1. `/zitadel.user.v2.UserService/AddHumanUser`
2. `zitadel.user.v2.UserService`
3. `all`
If you then have a call on `/zitadel.user.v2beta.UserService/UpdateHumanUser` the following priority would be found:
If you then have a call on `/zitadel.user.v2.UserService/UpdateHumanUser` the following priority would be found:
1. `zitadel.user.v2beta.UserService`
1. `zitadel.user.v2.UserService`
2. `all`
And if you use a different service, for example `zitadel.session.v2.SessionService`, then the `all` Execution would still be used.
@@ -100,7 +100,7 @@ If you define 2 Executions as follows:
{
"condition": {
"request": {
"service": "zitadel.user.v2beta.UserService"
"service": "zitadel.user.v2.UserService"
}
},
"targets": [
@@ -115,7 +115,7 @@ If you define 2 Executions as follows:
{
"condition": {
"request": {
"method": "/zitadel.user.v2beta.UserService/AddHumanUser"
"method": "/zitadel.user.v2.UserService/AddHumanUser"
}
},
"targets": [
@@ -125,7 +125,7 @@ If you define 2 Executions as follows:
{
"include": {
"request": {
"service": "zitadel.user.v2beta.UserService"
"service": "zitadel.user.v2.UserService"
}
}
}
@@ -133,7 +133,7 @@ If you define 2 Executions as follows:
}
```
The called Targets on "/zitadel.user.v2beta.UserService/AddHumanUser" would be, in order:
The called Targets on "/zitadel.user.v2.UserService/AddHumanUser" would be, in order:
1. `<TargetID2>`
2. `<TargetID1>`
@@ -147,8 +147,8 @@ For Request and Response there are 3 levels the condition can be defined:
- `All`, handling any request or response under the ZITADEL API
The available conditions can be found under:
- [All available Methods](/apis/resources/action_service_v3/action-service-list-execution-methods), for example `/zitadel.user.v2beta.UserService/AddHumanUser`
- [All available Services](/apis/resources/action_service_v3/action-service-list-execution-services), for example `zitadel.user.v2beta.UserService`
- [All available Methods](/apis/resources/action_service_v3/action-service-list-execution-methods), for example `/zitadel.user.v2.UserService/AddHumanUser`
- [All available Services](/apis/resources/action_service_v3/action-service-list-execution-services), for example `zitadel.user.v2.UserService`
### Condition for Functions


@@ -313,4 +313,10 @@ For easy copying to your reverse proxy configuration, here is the list of URL pa
/zitadel.settings.v2beta.SettingsService/
/zitadel.oidc.v2beta.OIDCService/
/zitadel.org.v2beta.OrganizationService/
/v2/
/zitadel.user.v2.UserService/
/zitadel.session.v2.SessionService/
/zitadel.settings.v2.SettingsService/
/zitadel.oidc.v2.OIDCService/
/zitadel.org.v2.OrganizationService/
```


@@ -1,5 +1,5 @@
---
title: APIs V2 (Beta)
title: APIs V2 (General Available)
---
import DocCardList from '@theme/DocCardList';
@@ -7,6 +7,4 @@ import DocCardList from '@theme/DocCardList';
APIs V2 organize access by resources (users, settings, etc.), unlike context-specific V1 APIs.
This simplifies finding the right API, especially for multi-organization resources.
**Note**: V2 is currently in [Beta](/support/software-release-cycles-support#beta) and not yet generally available (breaking changes possible). Check individual services for availability.
<DocCardList />


@@ -8,7 +8,7 @@ Request Example:
```bash
curl --request GET \
--url https://$ZITADEL_DOMAIN/v2beta/settings/login \
--url https://$ZITADEL_DOMAIN/v2/settings/login \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''
```


@@ -16,7 +16,7 @@ Make sure that the provided token is from the authenticated user, resp. the mana
```bash
curl --request DELETE \
--url https://$ZITADEL_DOMAIN/v2beta/sessions/218480890961985793 \
--url https://$ZITADEL_DOMAIN/v2/sessions/218480890961985793 \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json'
@@ -28,7 +28,7 @@ Send the session token in the body of the request:
```bash
curl --request DELETE \
--url https://$ZITADEL_DOMAIN/v2beta/sessions/218480890961985793 \
--url https://$ZITADEL_DOMAIN/v2/sessions/218480890961985793 \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \


@@ -9,7 +9,7 @@ The list of session IDs can be sent in the “search sessions” request to get
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/sessions/search \
--url https://$ZITADEL_DOMAIN/v2/sessions/search \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \


@@ -8,7 +8,7 @@ Example Request:
```bash
curl --request PATCH \
--url https://$ZITADEL_DOMAIN/v2beta/sessions/218480890961985793 \
--url https://$ZITADEL_DOMAIN/v2/sessions/218480890961985793 \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \


@@ -26,7 +26,7 @@ In the response, you will get an authentication URL of the provider you like.
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/idp_intents \
--url https://$ZITADEL_DOMAIN/v2/idp_intents \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \
@@ -73,7 +73,7 @@ To get the information of the provider, make a request to ZITADEL.
### Request
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/idp_intents/$INTENT_ID \
--url https://$ZITADEL_DOMAIN/v2/idp_intents/$INTENT_ID \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \
@@ -129,7 +129,7 @@ This check requires that the previous step ended on the successful page and didn
#### Request
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/sessions \
--url https://$ZITADEL_DOMAIN/v2/sessions \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
@@ -160,7 +160,7 @@ The display name is used to list the linkings on the users.
#### Request
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/human \
--url https://$ZITADEL_DOMAIN/v2/users/human \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \
@@ -198,7 +198,7 @@ If you want to link/connect to an existing account you can perform the add ident
#### Request
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/users/218385419895570689/links \
--url https://$ZITADEL_DOMAIN/v2/users/users/218385419895570689/links \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \


@@ -41,7 +41,7 @@ Request Example:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/totp \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/totp \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''
--header 'Content-Type: application/json' \
@@ -73,7 +73,7 @@ Request Example:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/totp/verify \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/totp/verify \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''
--header 'Content-Type: application/json' \
@@ -99,7 +99,7 @@ Example Request
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/sessions \
--url https://$ZITADEL_DOMAIN/v2/sessions \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -136,7 +136,7 @@ More detailed information about the API: [Update session Documentation](/apis/re
Example Request
```bash
curl --request PATCH \
--url https://$ZITADEL_DOMAIN/v2beta/sessions/$SESSION-ID \
--url https://$ZITADEL_DOMAIN/v2/sessions/$SESSION-ID \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{
@@ -175,7 +175,7 @@ Example Request:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER-ID/phone \
--url https://$ZITADEL_DOMAIN/v2/users/$USER-ID/phone \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -195,7 +195,7 @@ More detailed information about the API: [Verify phone](/apis/resources/user_ser
Example Request:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER-ID/phone/verify \
--url https://$ZITADEL_DOMAIN/v2/users/$USER-ID/phone/verify \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -213,7 +213,7 @@ More detailed information about the API: [Add OTP SMS for a user](/apis/resource
Example Request:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER-ID/otp_sms \
--url https://$ZITADEL_DOMAIN/v2/users/$USER-ID/otp_sms \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json'
@@ -237,7 +237,7 @@ Example Request
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/sessions \
--url https://$ZITADEL_DOMAIN/v2/sessions \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -264,7 +264,7 @@ Example Request
```bash
curl --request PATCH \
--url https://$ZITADEL_DOMAIN/v2beta/sessions/225307381909694507 \
--url https://$ZITADEL_DOMAIN/v2/sessions/225307381909694507 \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -301,7 +301,7 @@ More detailed information about the API: [Add OTP Email for a user](/apis/resour
Example Request:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER-ID/otp_email \
--url https://$ZITADEL_DOMAIN/v2/users/$USER-ID/otp_email \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json'
@@ -325,7 +325,7 @@ Example Request
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/sessions \
--url https://$ZITADEL_DOMAIN/v2/sessions \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -352,7 +352,7 @@ Example Request
```bash
curl --request PATCH \
--url https://$ZITADEL_DOMAIN/v2beta/sessions/225307381909694507 \
--url https://$ZITADEL_DOMAIN/v2/sessions/225307381909694507 \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -386,7 +386,7 @@ Request Example:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/u2f \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/u2f \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''
--header 'Content-Type: application/json' \
@@ -457,7 +457,7 @@ Example Request:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/u2f/$PASSKEY_ID \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/u2f/$PASSKEY_ID \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \
@@ -497,7 +497,7 @@ Example Request
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/sessions \
--url https://$ZITADEL_DOMAIN/v2/sessions \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \


@@ -55,7 +55,7 @@ With the ID from the redirect before you will now be able to get the information
```bash
curl --request GET \
--url https://$ZITADEL_DOMAIN/v2beta/oidc/auth_requests/V2_224908753244265546 \
--url https://$ZITADEL_DOMAIN/v2/oidc/auth_requests/V2_224908753244265546 \
--header 'Authorization: Bearer '"$TOKEN"''\
```
@@ -100,7 +100,7 @@ Read more about the [Finalize Auth Request Documentation](/docs/apis/resources/o
Make sure that the authorization header is from the same account that you originally sent in the client id header ```x-zitadel-login-client: <userid>``` on the authorize endpoint.
```bash
curl --request POST \
--url $ZITADEL_DOMAIN/v2beta/oidc/auth_requests/V2_224908753244265546 \
--url $ZITADEL_DOMAIN/v2/oidc/auth_requests/V2_224908753244265546 \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \


@@ -34,7 +34,7 @@ Send either the sendLink or the returnCode (empty message) in the request body,
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/passkeys/registration_link \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/passkeys/registration_link \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \
@@ -81,7 +81,7 @@ The code only has to be filled if the user did get a registration code.
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/passkeys \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/passkeys \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \
@@ -185,7 +185,7 @@ Example Request:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/passkeys/$PASSKEY_ID \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/passkeys/$PASSKEY_ID \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \
@@ -223,7 +223,7 @@ More detailed information about the API: [Create Session Documentation](/apis/re
Example Request:
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/sessions \
--url https://$ZITADEL_DOMAIN/v2/sessions \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \


@@ -29,7 +29,7 @@ Make sure to also include the URL Template to customize the reset link in the em
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/password_reset \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/password_reset \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -48,7 +48,7 @@ Send the request with asking for the return Code in the body of the request.
#### Request
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/password_reset \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/password_reset \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -96,7 +96,7 @@ In this case it requires additionally the current password instead of the verifi
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/$USER_ID/password \
--url https://$ZITADEL_DOMAIN/v2/users/$USER_ID/password \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \


@@ -23,7 +23,7 @@ Read more about the metadata [here](/docs/guides/manage/customize/user-metadata)
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/users/human \
--url https://$ZITADEL_DOMAIN/v2/users/human \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -111,7 +111,7 @@ Send it to the Get Session Endpoint to find out how the user has authenticated.
```bash
curl --request POST \
--url https://$ZITADEL_DOMAIN/v2beta/sessions \
--url https://$ZITADEL_DOMAIN/v2/sessions \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"'' \
--header 'Content-Type: application/json' \
@@ -176,7 +176,7 @@ To update an existing session, add the session ID you got in the previous step t
```bash
curl --request PATCH \
--url https://$ZITADEL_DOMAIN/v2beta/sessions/$SESSION_ID \
--url https://$ZITADEL_DOMAIN/v2/sessions/$SESSION_ID \
--header 'Accept: application/json' \
--header 'Authorization: Bearer '"$TOKEN"''\
--header 'Content-Type: application/json' \


@@ -188,7 +188,7 @@ These preparation steps are needed for all Token Exchange interaction, including
As Token Exchange is still a beta feature, the feature needs to be enabled for your instance by an `IAM_OWNER` first:
```bash
curl -L -X PUT 'https://$CUSTOM-DOMAIN/v2beta/features/instance' \
curl -L -X PUT 'https://$CUSTOM-DOMAIN/v2/features/instance' \
-H 'Content-Type: application/json' \
-H 'Accept: application/json' \
-H 'Authorization: Bearer <IAM_OWNER_TOKEN>' \


@@ -49,6 +49,7 @@ Management endpoints:
- /zitadel.*
- /v2alpha*
- /v2beta*
- /v2*
- /admin*
- /management*
- /system*


@@ -284,39 +284,39 @@ module.exports = {
categoryLinkSource: "tag",
},
},
user: {
specPath: ".artifacts/openapi/zitadel/user/v2beta/user_service.swagger.json",
outputDir: "docs/apis/resources/user_service",
user_v2: {
specPath: ".artifacts/openapi/zitadel/user/v2/user_service.swagger.json",
outputDir: "docs/apis/resources/user_service_v2",
sidebarOptions: {
groupPathsBy: "tag",
categoryLinkSource: "auto",
categoryLinkSource: "tag",
},
},
session: {
specPath: ".artifacts/openapi/zitadel/session/v2beta/session_service.swagger.json",
outputDir: "docs/apis/resources/session_service",
session_v2: {
specPath: ".artifacts/openapi/zitadel/session/v2/session_service.swagger.json",
outputDir: "docs/apis/resources/session_service_v2",
sidebarOptions: {
groupPathsBy: "tag",
categoryLinkSource: "auto",
categoryLinkSource: "tag",
},
},
oidc: {
specPath: ".artifacts/openapi/zitadel/oidc/v2beta/oidc_service.swagger.json",
outputDir: "docs/apis/resources/oidc_service",
oidc_v2: {
specPath: ".artifacts/openapi/zitadel/oidc/v2/oidc_service.swagger.json",
outputDir: "docs/apis/resources/oidc_service_v2",
sidebarOptions: {
groupPathsBy: "tag",
categoryLinkSource: "auto",
categoryLinkSource: "tag",
},
},
settings: {
specPath: ".artifacts/openapi/zitadel/settings/v2beta/settings_service.swagger.json",
outputDir: "docs/apis/resources/settings_service",
settings_v2: {
specPath: ".artifacts/openapi/zitadel/settings/v2/settings_service.swagger.json",
outputDir: "docs/apis/resources/settings_service_v2",
sidebarOptions: {
groupPathsBy: "tag",
categoryLinkSource: "auto",
categoryLinkSource: "tag",
},
},
user_schema: {
user_schema_v3: {
specPath: ".artifacts/openapi/zitadel/user/schema/v3alpha/user_schema_service.swagger.json",
outputDir: "docs/apis/resources/user_schema_service_v3",
sidebarOptions: {
@@ -341,7 +341,7 @@ module.exports = {
},
},
feature_v2: {
specPath: ".artifacts/openapi/zitadel/feature/v2beta/feature_service.swagger.json",
specPath: ".artifacts/openapi/zitadel/feature/v2/feature_service.swagger.json",
outputDir: "docs/apis/resources/feature_service_v2",
sidebarOptions: {
groupPathsBy: "tag",


@@ -548,7 +548,7 @@ module.exports = {
items: [
{
type: "category",
label: "V1 (General Available)",
label: "V1 (Generally Available)",
collapsed: false,
link: {
type: "generated-index",
@@ -612,7 +612,7 @@ module.exports = {
},
{
type: "category",
label: "V2 (Beta)",
label: "V2 (Generally Available)",
collapsed: false,
link: {
type: "doc",
@@ -621,71 +621,61 @@ module.exports = {
items: [
{
type: "category",
label: "User Lifecycle (Beta)",
label: "User Lifecycle",
link: {
type: "generated-index",
title: "User Service API (Beta)",
slug: "/apis/resources/user_service",
title: "User Service API",
slug: "/apis/resources/user_service_v2",
description:
"This API is intended to manage users in a ZITADEL instance.\n" +
"\n" +
"This project is in beta state. It can AND will continue breaking until the services provide the same functionality as the current login.",
"This API is intended to manage users in a ZITADEL instance.\n"
},
items: require("./docs/apis/resources/user_service/sidebar.ts"),
items: require("./docs/apis/resources/user_service_v2/sidebar.ts"),
},
{
type: "category",
label: "Session Lifecycle (Beta)",
label: "Session Lifecycle",
link: {
type: "generated-index",
title: "Session Service API (Beta)",
slug: "/apis/resources/session_service",
title: "Session Service API",
slug: "/apis/resources/session_service_v2",
description:
"This API is intended to manage sessions in a ZITADEL instance.\n" +
"\n" +
"This project is in beta state. It can AND will continue breaking until the services provide the same functionality as the current login.",
"This API is intended to manage sessions in a ZITADEL instance.\n"
},
items: require("./docs/apis/resources/session_service/sidebar.ts"),
items: require("./docs/apis/resources/session_service_v2/sidebar.ts"),
},
{
type: "category",
label: "OIDC Lifecycle (Beta)",
label: "OIDC Lifecycle",
link: {
type: "generated-index",
title: "OIDC Service API (Beta)",
slug: "/apis/resources/oidc_service",
title: "OIDC Service API",
slug: "/apis/resources/oidc_service_v2",
description:
"Get OIDC Auth Request details and create callback URLs.\n" +
"\n" +
"This project is in beta state. It can AND will continue breaking until the services provide the same functionality as the current login.",
"Get OIDC Auth Request details and create callback URLs.\n"
},
items: require("./docs/apis/resources/oidc_service/sidebar.ts"),
items: require("./docs/apis/resources/oidc_service_v2/sidebar.ts"),
},
{
type: "category",
label: "Settings Lifecycle (Beta)",
label: "Settings Lifecycle",
link: {
type: "generated-index",
title: "Settings Service API (Beta)",
slug: "/apis/resources/settings_service",
title: "Settings Service API",
slug: "/apis/resources/settings_service_v2",
description:
"This API is intended to manage settings in a ZITADEL instance.\n" +
"\n" +
"This project is in beta state. It can AND will continue to break until the services provide the same functionality as the current login.",
"This API is intended to manage settings in a ZITADEL instance.\n"
},
items: require("./docs/apis/resources/settings_service/sidebar.ts"),
items: require("./docs/apis/resources/settings_service_v2/sidebar.ts"),
},
{
type: "category",
label: "Feature Lifecycle (Beta)",
label: "Feature Lifecycle",
link: {
type: "generated-index",
title: "Feature Service API (Beta)",
slug: "/apis/resources/feature_service",
title: "Feature Service API",
slug: "/apis/resources/feature_service/v2",
description:
'This API is intended to manage features for ZITADEL. Feature settings that are available on multiple "levels", such as instance and organization. The higher level instance acts as a default for the lower level. When a feature is set on multiple levels, the lower level takes precedence. Features can be experimental where ZITADEL will assume a sane default, such as disabled. When over time confidence in such a feature grows, ZITADEL can default to enabling the feature. As a final step we might choose to always enable a feature and remove the setting from this API, reserving the proto field number. Such removal is not considered a breaking change. Setting a removed field will effectively result in a no-op.\n' +
"\n" +
"This project is in beta state. It can AND will continue breaking until a stable version is released.",
'This API is intended to manage features for ZITADEL. Feature settings that are available on multiple "levels", such as instance and organization. The higher level instance acts as a default for the lower level. When a feature is set on multiple levels, the lower level takes precedence. Features can be experimental where ZITADEL will assume a sane default, such as disabled. When over time confidence in such a feature grows, ZITADEL can default to enabling the feature. As a final step we might choose to always enable a feature and remove the setting from this API, reserving the proto field number. Such removal is not considered a breaking change. Setting a removed field will effectively result in a no-op.\n'
},
items: require("./docs/apis/resources/feature_service_v2/sidebar.ts"),
},
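Review bot: The feature category's slug `slug: "/apis/resources/feature_service/v2"` does not follow the `_v2` suffix used by the four sibling categories in this hunk (`/apis/resources/user_service_v2`, `/apis/resources/session_service_v2`, …) nor the `feature_service_v2` directory that its own `items: require(...)` line points at; it should read `slug: "/apis/resources/feature_service_v2",`. Because the slug is also the URL of the generated index page, the divergent form yields a path that differs from every other V2 reference link on the page. The enclosing `items` array starts and ends outside the hunk.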


@@ -0,0 +1,68 @@
syntax = "proto3";
package zitadel.feature.v2;
import "protoc-gen-openapiv2/options/annotations.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
enum Source {
SOURCE_UNSPECIFIED = 0;
reserved 1; // in case we want to implement a "DEFAULT" level
SOURCE_SYSTEM = 2;
SOURCE_INSTANCE = 3;
SOURCE_ORGANIZATION = 4;
SOURCE_PROJECT = 5; // reserved for future use
SOURCE_APP = 6; // reserved for future use
SOURCE_USER = 7;
}
// FeatureFlag is a simple boolean Feature setting, without further payload.
message FeatureFlag {
bool enabled = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "false";
description: "Whether a feature is enabled.";
}
];
Source source = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "The source where the setting of the feature was defined. The source may be the resource itself or a resource owner through inheritance.";
}
];
}
message ImprovedPerformanceFeatureFlag {
repeated ImprovedPerformance execution_paths = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[1]";
description: "Which of the performance improvements is enabled";
}
];
Source source = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "The source where the setting of the feature was defined. The source may be the resource itself or a resource owner through inheritance.";
}
];
}
enum ImprovedPerformance {
IMPROVED_PERFORMANCE_UNSPECIFIED = 0;
// Uses the eventstore to query the org by id
// instead of the sql table.
IMPROVED_PERFORMANCE_ORG_BY_ID = 1;
// Improves performance on write side by using
// optimized processes to query data to determine
// correctnes of data.
IMPROVED_PERFORMANCE_PROJECT_GRANT = 2;
IMPROVED_PERFORMANCE_PROJECT = 3;
IMPROVED_PERFORMANCE_USER_GRANT = 4;
// Improve performance on write side when
// users are checked against verified domains
// from other organizations.
IMPROVED_PERFORMANCE_ORG_DOMAIN_VERIFIED = 5;
}
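Review bot: `SOURCE_PROJECT = 5` and `SOURCE_APP = 6` are declared as live enum values with only a trailing comment saying they are reserved for future use, so generated code exposes them and any receiver has to accept them as valid `Source` values; if the intent is merely to pin the numbers, the form the enum already uses for value 1 does that without widening the API: `reserved 5, 6; // project and app sources, not implemented yet`. Whether the server rejects these placeholder sources on input depends on code outside this hunk. The `Source` enum itself has no leading comment, and `IMPROVED_PERFORMANCE_PROJECT = 3` and `IMPROVED_PERFORMANCE_USER_GRANT = 4` are undocumented while their neighbours are; the comment above value 2 also has a typo, `correctnes` → `correctness`.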


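--- a/zitadel/feature/v2/feature_service.proto
+++ b/zitadel/feature/v2/feature_service.proto
@@ -0,0 +1,395 @@
+syntax = "proto3";
+package zitadel.feature.v2;
+import "google/api/annotations.proto";
+import "protoc-gen-openapiv2/options/annotations.proto";
+import "zitadel/feature/v2/system.proto";
+import "zitadel/feature/v2/instance.proto";
+import "zitadel/feature/v2/organization.proto";
+import "zitadel/feature/v2/user.proto";
+import "zitadel/protoc_gen_zitadel/v2/options.proto";
+option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
+info: {
+title: "Feature Service";
+version: "2.0";
+description: "This API is intended to manage features for ZITADEL. Feature settings that are available on multiple \"levels\", such as instance and organization. The higher level instance acts as a default for the lower level. When a feature is set on multiple levels, the lower level takes precedence. Features can be experimental where ZITADEL will assume a sane default, such as disabled. When over time confidence in such a feature grows, ZITADEL can default to enabling the feature. As a final step we might choose to always enable a feature and remove the setting from this API, reserving the proto field number. Such removal is not considered a breaking change. Setting a removed field will effectively result in a no-op.";
+contact:{
+name: "ZITADEL"
+url: "https://zitadel.com"
+email: "hi@zitadel.com"
+}
+license: {
+name: "Apache 2.0",
+url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
+};
+};
+schemes: HTTPS;
+schemes: HTTP;
+consumes: "application/json";
+consumes: "application/grpc";
+produces: "application/json";
+produces: "application/grpc";
+consumes: "application/grpc-web+proto";
+produces: "application/grpc-web+proto";
+host: "$CUSTOM-DOMAIN";
+base_path: "/";
+external_docs: {
+description: "Detailed information about ZITADEL",
+url: "https://zitadel.com/docs"
+}
+security_definitions: {
+security: {
+key: "OAuth2";
+value: {
+type: TYPE_OAUTH2;
+flow: FLOW_ACCESS_CODE;
+authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
+token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
+scopes: {
+scope: {
+key: "openid";
+value: "openid";
+}
+scope: {
+key: "urn:zitadel:iam:org:project:id:zitadel:aud";
+value: "urn:zitadel:iam:org:project:id:zitadel:aud";
+}
+}
+}
+}
+}
+security: {
+security_requirement: {
+key: "OAuth2";
+value: {
+scope: "openid";
+scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
+}
+}
+}
+responses: {
+key: "403";
+value: {
+description: "Returned when the user does not have permission to access the resource.";
+schema: {
+json_schema: {
+ref: "#/definitions/rpcStatus";
+}
+}
+}
+}
+responses: {
+key: "404";
+value: {
+description: "Returned when the resource has no feature flag settings and inheritance from the parent is disabled.";
+schema: {
+json_schema: {
+ref: "#/definitions/rpcStatus";
+}
+}
+}
+}
+};
+// FeatureService is intended to manage features for ZITADEL.
+//
+// Feature settings that are available on multiple "levels", such as instance and organization.
+// The higher level (instance) acts as a default for the lower level (organization).
+// When a feature is set on multiple levels, the lower level takes precedence.
+//
+// Features can be experimental where ZITADEL will assume a sane default, such as disabled.
+// When over time confidence in such a feature grows, ZITADEL can default to enabling the feature.
+// As a final step we might choose to always enable a feature and remove the setting from this API,
+// reserving the proto field number. Such removal is not considered a breaking change.
+// Setting a removed field will effectively result in a no-op.
+service FeatureService {
+rpc SetSystemFeatures (SetSystemFeaturesRequest) returns (SetSystemFeaturesResponse) {
+option (google.api.http) = {
+put: "/v2/features/system"
+body: "*"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "system.feature.write"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Set system level features";
+description: "Configure and set features that apply to the complete system. Only fields present in the request are set or unset."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc ResetSystemFeatures (ResetSystemFeaturesRequest) returns (ResetSystemFeaturesResponse) {
+option (google.api.http) = {
+delete: "/v2/features/system"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "system.feature.delete"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Reset system level features";
+description: "Deletes ALL configured features for the system, reverting the behaviors to system defaults."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc GetSystemFeatures (GetSystemFeaturesRequest) returns (GetSystemFeaturesResponse) {
+option (google.api.http) = {
+get: "/v2/features/system"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "system.feature.read"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Get system level features";
+description: "Returns all configured features for the system. Unset fields mean the feature is the current system default."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc SetInstanceFeatures (SetInstanceFeaturesRequest) returns (SetInstanceFeaturesResponse) {
+option (google.api.http) = {
+put: "/v2/features/instance"
+body: "*"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "iam.feature.write"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Set instance level features";
+description: "Configure and set features that apply to a complete instance. Only fields present in the request are set or unset."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc ResetInstanceFeatures (ResetInstanceFeaturesRequest) returns (ResetInstanceFeaturesResponse) {
+option (google.api.http) = {
+delete: "/v2/features/instance"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "iam.feature.delete"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Reset instance level features";
+description: "Deletes ALL configured features for an instance, reverting the behaviors to system defaults."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc GetInstanceFeatures (GetInstanceFeaturesRequest) returns (GetInstanceFeaturesResponse) {
+option (google.api.http) = {
+get: "/v2/features/instance"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "iam.feature.read"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Get instance level features";
+description: "Returns all configured features for an instance. Unset fields mean the feature is the current system default."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc SetOrganizationFeatures (SetOrganizationFeaturesRequest) returns (SetOrganizationFeaturesResponse) {
+option (google.api.http) = {
+put: "/v2/features/organization/{organization_id}"
+body: "*"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "org.feature.write"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Set organization level features";
+description: "Configure and set features that apply to a complete instance. Only fields present in the request are set or unset."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc ResetOrganizationFeatures (ResetOrganizationFeaturesRequest) returns (ResetOrganizationFeaturesResponse) {
+option (google.api.http) = {
+delete: "/v2/features/organization/{organization_id}"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "org.feature.write"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Reset organization level features";
+description: "Deletes ALL configured features for an organization, reverting the behaviors to instance defaults."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc GetOrganizationFeatures(GetOrganizationFeaturesRequest) returns (GetOrganizationFeaturesResponse) {
+option (google.api.http) = {
+get: "/v2/features/organization/{organization_id}"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "org.feature.read"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Get organization level features";
+description: "Returns all configured features for an organization. Unset fields mean the feature is the current instance default."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc SetUserFeatures(SetUserFeatureRequest) returns (SetUserFeaturesResponse) {
+option (google.api.http) = {
+put: "/v2/features/user/{user_id}"
+body: "*"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "user.feature.write"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Set user level features";
+description: "Configure and set features that apply to an user. Only fields present in the request are set or unset."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc ResetUserFeatures(ResetUserFeaturesRequest) returns (ResetUserFeaturesResponse) {
+option (google.api.http) = {
+delete: "/v2/features/user/{user_id}"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "user.feature.write"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Reset user level features";
+description: "Deletes ALL configured features for a user, reverting the behaviors to organization defaults."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+rpc GetUserFeatures(GetUserFeaturesRequest) returns (GetUserFeaturesResponse) {
+option (google.api.http) = {
+get: "/v2/features/user/{user_id}"
+};
+option (zitadel.protoc_gen_zitadel.v2.options) = {
+auth_option: {
+permission: "user.feature.read"
+}
+};
+option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
+summary: "Get organization level features";
+description: "Returns all configured features for an organization. Unset fields mean the feature is the current instance default."
+responses: {
+key: "200"
+value: {
+description: "OK";
+}
+};
+};
+}
+}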
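Review bot: ResetOrganizationFeatures and ResetUserFeatures are gated on `permission: "org.feature.write"` and `permission: "user.feature.write"`, whereas ResetSystemFeatures and ResetInstanceFeatures require the dedicated "system.feature.delete" / "iam.feature.delete" permissions, so a writer at org or user level can also wipe all flags there; if that is intended, a comment on those two auth_options saying that no separate delete permission exists at these levels would stop it reading as an authorization gap, otherwise a matching `*.feature.delete` permission should be used. The SetOrganizationFeatures description copies the instance wording ("apply to a complete instance"), and GetUserFeatures reuses the organization summary and description verbatim; they should read `summary: "Get user level features";` and `description: "Returns all configured features for a user. Unset fields mean the feature is the current organization default."`. SetUserFeatures takes `SetUserFeatureRequest` (singular) while every other RPC pairs `<Method>Request` with `<Method>Response`; since this is a new v2 API, renaming it to SetUserFeaturesRequest now (here and in user.proto) avoids a source-breaking rename after release.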


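--- a/zitadel/feature/v2/instance.proto
+++ b/zitadel/feature/v2/instance.proto
@@ -0,0 +1,132 @@
+syntax = "proto3";
+package zitadel.feature.v2;
+import "protoc-gen-openapiv2/options/annotations.proto";
+import "validate/validate.proto";
+import "zitadel/object/v2/object.proto";
+import "zitadel/feature/v2/feature.proto";
+option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
+message SetInstanceFeaturesRequest{
+optional bool login_default_org = 1 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "The login UI will use the settings of the default org (and not from the instance) if no organization context is set";
+}
+];
+optional bool oidc_trigger_introspection_projections = 2 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
+}
+];
+optional bool oidc_legacy_introspection = 3 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
+}
+];
+optional bool user_schema = 4 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+}
+];
+optional bool oidc_token_exchange = 5 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Enable the experimental `urn:ietf:params:oauth:grant-type:token-exchange` grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.";
+}
+];
+optional bool actions = 6 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+}
+];
+repeated ImprovedPerformance improved_performance = 7 [
+(validate.rules).repeated.unique = true,
+(validate.rules).repeated.items.enum = {defined_only: true, not_in: [0]},
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "[1]";
+description: "Improves performance of specified execution paths.";
+}
+];
+}
+message SetInstanceFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}
+message ResetInstanceFeaturesRequest {}
+message ResetInstanceFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}
+message GetInstanceFeaturesRequest {
+bool inheritance = 1 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Inherit unset features from the resource owners. This option is recursive: if the flag is set, the resource's ancestors are consulted up to system defaults. If this option is disabled and the feature is not set on the instance, it will be omitted from the response or Not Found is returned when the instance has no features flags at all.";
+}
+];
+}
+message GetInstanceFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+FeatureFlag login_default_org = 2 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "The login UI will use the settings of the default org (and not from the instance) if no organization context is set";
+}
+];
+FeatureFlag oidc_trigger_introspection_projections = 3 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
+}
+];
+FeatureFlag oidc_legacy_introspection = 4 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
+}
+];
+FeatureFlag user_schema = 5 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+}
+];
+FeatureFlag oidc_token_exchange = 6 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Enable the experimental `urn:ietf:params:oauth:grant-type:token-exchange` grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.";
+}
+];
+FeatureFlag actions = 7 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Actions v2 allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+}
+];
+ImprovedPerformanceFeatureFlag improved_performance = 8 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "[1]";
+description: "Improves performance of specified execution paths.";
+}
+];
+}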
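Review bot: The `example: "true"` on the FeatureFlag-typed fields of GetInstanceFeaturesResponse (login_default_org through actions) and `example: "[1]"` on improved_performance were copied from the scalar request fields, but FeatureFlag is an object with `enabled` and `source` and ImprovedPerformanceFeatureFlag wraps `execution_paths` and `source`, so the generated OpenAPI examples will not match their own schema. Either drop the examples on these message-typed fields or give an object example such as `example: "{\"enabled\": true, \"source\": \"<Source enum value>\"}"` (value to be filled in from the Source enum). GetSystemFeaturesResponse in system.proto has the same examples. The `inheritance` field on GetInstanceFeaturesRequest is a plain proto3 bool, so an omitted field is indistinguishable from false and, per its own description, can turn the call into Not Found; the description should state that omitting the field behaves as false.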


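--- a/zitadel/feature/v2/organization.proto
+++ b/zitadel/feature/v2/organization.proto
@@ -0,0 +1,62 @@
+syntax = "proto3";
+package zitadel.feature.v2;
+import "protoc-gen-openapiv2/options/annotations.proto";
+import "validate/validate.proto";
+import "zitadel/object/v2/object.proto";
+import "zitadel/feature/v2/feature.proto";
+option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
+message SetOrganizationFeaturesRequest {
+string organization_id = 1[
+(validate.rules).string = {min_len: 1, max_len: 200},
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+min_length: 1;
+max_length: 200;
+example: "\"69629023906488334\"";
+}
+];
+}
+message SetOrganizationFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}
+message ResetOrganizationFeaturesRequest {
+string organization_id = 1[
+(validate.rules).string = {min_len: 1, max_len: 200},
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+min_length: 1;
+max_length: 200;
+example: "\"69629023906488334\"";
+}
+];
+}
+message ResetOrganizationFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}
+message GetOrganizationFeaturesRequest {
+string organization_id = 1 [
+(validate.rules).string = {min_len: 1, max_len: 200},
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+min_length: 1;
+max_length: 200;
+example: "\"69629023906488334\"";
+}
+];
+bool inheritance = 2 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Inherit unset features from the resource owners. This option is recursive: if the flag is set, the resource's ancestors are consulted up to system defaults. If this option is disabled and the feature is not set on the organization, it will be omitted from the response or Not Found is returned when the organization has no features flags at all.";
+}
+];
+}
+message GetOrganizationFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}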
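Review bot: SetOrganizationFeaturesRequest carries only organization_id, so `PUT /v2/features/organization/{organization_id}` with `body: "*"` currently has nothing to set, and GetOrganizationFeaturesResponse returns only details; if no organization-level features exist yet, a leading comment such as `// No organization level features are defined yet; fields will be added here as flags become available.` on both messages would stop callers reading the empty messages as a bug. SetUserFeatureRequest and GetUserFeaturesResponse in user.proto are in the same state. The unused `import "zitadel/feature/v2/feature.proto";` will be reported by protoc as an unused import until a FeatureFlag field is added.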


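--- a/zitadel/feature/v2/system.proto
+++ b/zitadel/feature/v2/system.proto
@@ -0,0 +1,128 @@
+syntax = "proto3";
+package zitadel.feature.v2;
+import "protoc-gen-openapiv2/options/annotations.proto";
+import "validate/validate.proto";
+import "zitadel/object/v2/object.proto";
+import "zitadel/feature/v2/feature.proto";
+option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
+message SetSystemFeaturesRequest{
+optional bool login_default_org = 1 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "The login UI will use the settings of the default org (and not from the instance) if no organization context is set";
+}
+];
+optional bool oidc_trigger_introspection_projections = 2 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
+}
+];
+optional bool oidc_legacy_introspection = 3 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
+}
+];
+optional bool user_schema = 4 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+}
+];
+optional bool oidc_token_exchange = 5 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Enable the experimental `urn:ietf:params:oauth:grant-type:token-exchange` grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.";
+}
+];
+optional bool actions = 6 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+}
+];
+repeated ImprovedPerformance improved_performance = 7 [
+(validate.rules).repeated.unique = true,
+(validate.rules).repeated.items.enum = {defined_only: true, not_in: [0]},
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "[1]";
+description: "Improves performance of specified execution paths.";
+}
+];
+}
+message SetSystemFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}
+message ResetSystemFeaturesRequest {}
+message ResetSystemFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}
+message GetSystemFeaturesRequest {}
+message GetSystemFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+FeatureFlag login_default_org = 2 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "The login UI will use the settings of the default org (and not from the instance) if no organization context is set";
+}
+];
+FeatureFlag oidc_trigger_introspection_projections = 3 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Enable projection triggers during an introspection request. This can act as workaround if there are noticeable consistency issues in the introspection response but can have an impact on performance. We are planning to remove triggers for introspection requests in the future. Please raise an issue if you needed to enable this feature.";
+}
+];
+FeatureFlag oidc_legacy_introspection = 4 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "We have recently refactored the introspection endpoint for performance reasons. This feature can be used to rollback to the legacy implementation if unexpected bugs arise. Please raise an issue if you needed to enable this feature.";
+}
+];
+FeatureFlag user_schema = 5 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "User Schemas allow to manage data schemas of user. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+}
+];
+FeatureFlag oidc_token_exchange = 6 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Enable the experimental `urn:ietf:params:oauth:grant-type:token-exchange` grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.";
+}
+];
+FeatureFlag actions = 7 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Actions v2 allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
+}
+];
+ImprovedPerformanceFeatureFlag improved_performance = 8 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "[1]";
+description: "Improves performance of specified execution paths.";
+}
+];
+}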


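--- a/zitadel/feature/v2/user.proto
+++ b/zitadel/feature/v2/user.proto
@@ -0,0 +1,62 @@
+syntax = "proto3";
+package zitadel.feature.v2;
+import "protoc-gen-openapiv2/options/annotations.proto";
+import "validate/validate.proto";
+import "zitadel/object/v2/object.proto";
+import "zitadel/feature/v2/feature.proto";
+option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
+message SetUserFeatureRequest {
+string user_id = 1[
+(validate.rules).string = {min_len: 1, max_len: 200},
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+min_length: 1;
+max_length: 200;
+example: "\"69629023906488334\"";
+}
+];
+}
+message SetUserFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}
+message ResetUserFeaturesRequest {
+string user_id = 1[
+(validate.rules).string = {min_len: 1, max_len: 200},
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+min_length: 1;
+max_length: 200;
+example: "\"69629023906488334\"";
+}
+];
+}
+message ResetUserFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}
+message GetUserFeaturesRequest {
+string user_id = 1[
+(validate.rules).string = {min_len: 1, max_len: 200},
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+min_length: 1;
+max_length: 200;
+example: "\"69629023906488334\"";
+}
+];
+bool inheritance = 2 [
+(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+example: "true";
+description: "Inherit unset features from the resource owners. This option is recursive: if the flag is set, the resource's ancestors are consulted up to system defaults. If this option is disabled and the feature is not set on the user, it will be ommitted from the response or Not Found is returned when the user has no features flags at all.";
+}
+];
+}
+message GetUserFeaturesResponse {
+zitadel.object.v2.Details details = 1;
+}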
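Review bot: The `inheritance` description on GetUserFeaturesRequest misspells "ommitted"; it should read `... it will be omitted from the response or Not Found is returned when the user has no features flags at all.`, matching the wording already used in instance.proto and organization.proto. Since this string is emitted into the generated OpenAPI document, the typo is user-visible.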


@@ -280,6 +280,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ListUsers, with InUserIDQuery
rpc GetUserByID(GetUserByIDRequest) returns (GetUserByIDResponse) {
option (google.api.http) = {
get: "/users/{id}"
@@ -291,8 +292,9 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "User by ID";
description: "Returns the full user object (human or machine) including the profile, email, etc."
description: "Returns the full user object (human or machine) including the profile, email, etc.\n\nDeprecated: please use user service v2 GetUserByID"
tags: "Users";
deprecated: true;
responses: {
key: "200"
value: {
@@ -310,6 +312,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ListUsers, with LoginNameQuery
rpc GetUserByLoginNameGlobal(GetUserByLoginNameGlobalRequest) returns (GetUserByLoginNameGlobalResponse) {
option (google.api.http) = {
get: "/global/users/_by_login_name"
@@ -321,9 +324,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get User by login name (globally)";
description: "Get a user by login name searched over all organizations. The request only returns data if the login name matches exactly."
description: "Get a user by login name searched over all organizations. The request only returns data if the login name matches exactly.\n\nDeprecated: please use user service v2 ListUsers, with LoginNameQuery"
tags: "Users";
tags: "Global";
deprecated: true;
responses: {
key: "200"
value: {
@@ -333,6 +337,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ListUsers
rpc ListUsers(ListUsersRequest) returns (ListUsersResponse) {
option (google.api.http) = {
post: "/users/_search"
@@ -345,8 +350,9 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Users";
deprecated: true;
summary: "Search Users";
description: "Search for users within an organization. By default, we will return users of your organization. Make sure to include a limit and sorting for pagination."
description: "Search for users within an organization. By default, we will return users of your organization. Make sure to include a limit and sorting for pagination.\n\nDeprecated: please use user service v2 ListUsers"
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -400,6 +406,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ListUsers, is unique when no user is returned
rpc IsUserUnique(IsUserUniqueRequest) returns (IsUserUniqueResponse) {
option (google.api.http) = {
get: "/users/_is_unique"
@@ -411,8 +418,9 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Users";
deprecated: true;
summary: "Check for existing user";
description: "Returns if a user with the requested email or username is unique. So you can create the user."
description: "Returns if a user with the requested email or username is unique. So you can create the user. \n\nDeprecated: please use user service v2 ListUsers, is unique when no user is returned"
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -424,7 +432,7 @@ service ManagementService {
};
}
// deprecated: use ImportHumanUser
// Deprecated: use ImportHumanUser
rpc AddHumanUser(AddHumanUserRequest) returns (AddHumanUserResponse) {
option (google.api.http) = {
post: "/users/human"
@@ -437,7 +445,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Deprecated: Create User (Human)";
description: "Create a new user with the type human. The newly created user will get an initialization email if either the email address is not marked as verified or no password is set. If a password is set the user will not be requested to set a new one on the first login."
description: "Create a new user with the type human. The newly created user will get an initialization email if either the email address is not marked as verified or no password is set. If a password is set the user will not be requested to set a new one on the first login.\n\nDeprecated: use ImportHumanUser"
tags: "Users";
deprecated: true;
parameters: {
@@ -451,6 +459,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 AddHumanUser
rpc ImportHumanUser(ImportHumanUserRequest) returns (ImportHumanUserResponse) {
option (google.api.http) = {
post: "/users/human/_import"
@@ -463,9 +472,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create/Import User (Human)";
description: "Create/import a new user with the type human. The newly created user will get an initialization email if either the email address is not marked as verified or no password is set. If a password is set the user will not be requested to set a new one on the first login."
description: "Create/import a new user with the type human. The newly created user will get an initialization email if either the email address is not marked as verified or no password is set. If a password is set the user will not be requested to set a new one on the first login.\n\nDeprecated: please use user service v2 AddHumanUser"
tags: "Users";
tags: "User Human"
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -509,6 +519,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 DeactivateUser
rpc DeactivateUser(DeactivateUserRequest) returns (DeactivateUserResponse) {
option (google.api.http) = {
post: "/users/{id}/_deactivate"
@@ -521,8 +532,9 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Deactivate user";
description: "The state of the user will be changed to 'deactivated'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'deactivated'. Use deactivate user when the user should not be able to use the account anymore, but you still need access to the user data."
description: "The state of the user will be changed to 'deactivated'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'deactivated'. Use deactivate user when the user should not be able to use the account anymore, but you still need access to the user data.\n\nDeprecated: please use user service v2 DeactivateUser"
tags: "Users";
deprecated: true;
responses: {
key: "200"
value: {
@@ -540,6 +552,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ReactivateUser
rpc ReactivateUser(ReactivateUserRequest) returns (ReactivateUserResponse) {
option (google.api.http) = {
post: "/users/{id}/_reactivate"
@@ -552,8 +565,9 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Reactivate user";
description: "Reactivate a user with the state 'deactivated'. The user will be able to log in again afterward. The endpoint returns an error if the user is not in the state 'deactivated'."
description: "Reactivate a user with the state 'deactivated'. The user will be able to log in again afterward. The endpoint returns an error if the user is not in the state 'deactivated'.\n\nDeprecated: please use user service v2 ReactivateUser"
tags: "Users";
deprecated: true;
responses: {
key: "200"
value: {
@@ -571,6 +585,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 LockUser
rpc LockUser(LockUserRequest) returns (LockUserResponse) {
option (google.api.http) = {
post: "/users/{id}/_lock"
@@ -583,8 +598,9 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Lock user";
description: "The state of the user will be changed to 'locked'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'locked'. Use this endpoint if the user should not be able to log in temporarily because of an event that happened (wrong password, etc.)"
description: "The state of the user will be changed to 'locked'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'locked'. Use this endpoint if the user should not be able to log in temporarily because of an event that happened (wrong password, etc.),\n\nDeprecated: please use user service v2 LockUser"
tags: "Users";
deprecated: true;
responses: {
key: "200"
value: {
@@ -602,6 +618,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 UnlockUser
rpc UnlockUser(UnlockUserRequest) returns (UnlockUserResponse) {
option (google.api.http) = {
post: "/users/{id}/_unlock"
@@ -614,8 +631,9 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Unlock user";
description: "Unlock a user with the state 'locked'. The user will be able to log in again afterward. The endpoint returns an error if the user is not in the state 'locked'."
description: "Unlock a user with the state 'locked'. The user will be able to log in again afterward. The endpoint returns an error if the user is not in the state 'locked'.\n\nDeprecated: please use user service v2 UnlockUser"
tags: "Users";
deprecated: true;
responses: {
key: "200"
value: {
@@ -633,6 +651,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RemoveUser
rpc RemoveUser(RemoveUserRequest) returns (RemoveUserResponse) {
option (google.api.http) = {
delete: "/users/{id}"
@@ -644,8 +663,9 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Delete user";
description: "The state of the user will be changed to 'deleted'. The user will not be able to log in anymore. Endpoints requesting this user will return an error 'User not found"
description: "The state of the user will be changed to 'deleted'. The user will not be able to log in anymore. Endpoints requesting this user will return an error 'User not found.\n\nDeprecated: please use user service v2 RemoveUser"
tags: "Users";
deprecated: true;
responses: {
key: "200"
value: {
@@ -663,6 +683,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 UpdateHumanUser
rpc UpdateUserName(UpdateUserNameRequest) returns (UpdateUserNameResponse) {
option (google.api.http) = {
put: "/users/{user_id}/username"
@@ -675,8 +696,9 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Change user name";
description: "Change the username of the user. Be aware that the user has to log in with the newly added username afterward."
description: "Change the username of the user. Be aware that the user has to log in with the newly added username afterward.\n\nDeprecated: please use user service v2 UpdateHumanUser"
tags: "Users";
deprecated: true;
responses: {
key: "200"
value: {
@@ -848,6 +870,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 GetUserByID
rpc GetHumanProfile(GetHumanProfileRequest) returns (GetHumanProfileResponse) {
option (google.api.http) = {
get: "/users/{user_id}/profile"
@@ -859,9 +882,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get User Profile (Human)";
description: "Get basic information like first_name and last_name of a user."
description: "Get basic information like first_name and last_name of a user.\n\nDeprecated: please use user service v2 GetUserByID"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -879,6 +903,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 UpdateHumanUser
rpc UpdateHumanProfile(UpdateHumanProfileRequest) returns (UpdateHumanProfileResponse) {
option (google.api.http) = {
put: "/users/{user_id}/profile"
@@ -891,9 +916,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Update User Profile (Human)";
description: "Update the profile information from a user. The profile includes basic information like first_name and last_name."
description: "Update the profile information from a user. The profile includes basic information like first_name and last_name.\n\nDeprecated: please use user service v2 UpdateHumanUser"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -911,6 +937,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 GetUserByID
rpc GetHumanEmail(GetHumanEmailRequest) returns (GetHumanEmailResponse) {
option (google.api.http) = {
get: "/users/{user_id}/email"
@@ -922,9 +949,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get User Email (Human)";
description: "Get the email address and the verification state of the address."
description: "Get the email address and the verification state of the address.\n\nDeprecated: please use user service v2 GetUserByID"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -942,6 +970,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 SetEmail
rpc UpdateHumanEmail(UpdateHumanEmailRequest) returns (UpdateHumanEmailResponse) {
option (google.api.http) = {
put: "/users/{user_id}/email"
@@ -954,9 +983,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Update User Email (Human)";
description: "Change the email address of a user. If the state is set to not verified, the user will get a verification email."
description: "Change the email address of a user. If the state is set to not verified, the user will get a verification email.\n\nDeprecated: please use user service v2 SetEmail"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -974,6 +1004,7 @@ service ManagementService {
};
}
// Deprecated: not used anymore in user state
rpc ResendHumanInitialization(ResendHumanInitializationRequest) returns (ResendHumanInitializationResponse) {
option (google.api.http) = {
post: "/users/{user_id}/_resend_initialization"
@@ -986,9 +1017,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Resend User Initialization Email";
description: "A newly created user will get an initialization email to verify the email address and set a password. Resend the email with this request to the user's email address, or a newly added address."
description: "A newly created user will get an initialization email to verify the email address and set a password. Resend the email with this request to the user's email address, or a newly added address.\n\nDeprecated: not used anymore in user state"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1006,6 +1038,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ResendEmailCode
rpc ResendHumanEmailVerification(ResendHumanEmailVerificationRequest) returns (ResendHumanEmailVerificationResponse) {
option (google.api.http) = {
post: "/users/{user_id}/email/_resend_verification"
@@ -1018,9 +1051,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Resend User Email Verification";
description: "Resend the email verification notification to the given email address of the user."
description: "Resend the email verification notification to the given email address of the user.\n\nDeprecated: please use user service v2 ResendEmailCode"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1038,6 +1072,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 GetUserByID
rpc GetHumanPhone(GetHumanPhoneRequest) returns (GetHumanPhoneResponse) {
option (google.api.http) = {
get: "/users/{user_id}/phone"
@@ -1049,9 +1084,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get User Phone (Human)";
description: "Get the phone number and the verification state of the number. The phone number is only for informational purposes and to send messages, not for Authentication (2FA)."
description: "Get the phone number and the verification state of the number. The phone number is only for informational purposes and to send messages, not for Authentication (2FA).\n\nDeprecated: please use user service v2 GetUserByID"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1069,6 +1105,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 SetPhone
rpc UpdateHumanPhone(UpdateHumanPhoneRequest) returns (UpdateHumanPhoneResponse) {
option (google.api.http) = {
put: "/users/{user_id}/phone"
@@ -1081,9 +1118,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Update User Phone (Human)";
description: "Change the phone number of a user. If the state is set to not verified, the user will get an SMS to verify (if a notification provider is configured). The phone number is only for informational purposes and to send messages, not for Authentication (2FA)."
description: "Change the phone number of a user. If the state is set to not verified, the user will get an SMS to verify (if a notification provider is configured). The phone number is only for informational purposes and to send messages, not for Authentication (2FA).\n\nDeprecated: please use user service v2 SetPhone"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1101,6 +1139,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 SetPhone
rpc RemoveHumanPhone(RemoveHumanPhoneRequest) returns (RemoveHumanPhoneResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/phone"
@@ -1112,9 +1151,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Remove User Phone (Human)";
description: "Remove the configured phone number of a user."
description: "Remove the configured phone number of a user.\n\nDeprecated: please use user service v2 SetPhone"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1132,6 +1172,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ResendPhoneCode
rpc ResendHumanPhoneVerification(ResendHumanPhoneVerificationRequest) returns (ResendHumanPhoneVerificationResponse) {
option (google.api.http) = {
post: "/users/{user_id}/phone/_resend_verification"
@@ -1144,9 +1185,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Resend User Phone Verification";
description: "Resend the notification for the verification of the phone number, to the number stored on the user."
description: "Resend the notification for the verification of the phone number, to the number stored on the user.\n\nDeprecated: please use user service v2 ResendPhoneCode"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1195,7 +1237,7 @@ service ManagementService {
};
}
// deprecated: use SetHumanPassword
// Deprecated: please use user service v2 SetPassword
rpc SetHumanInitialPassword(SetHumanInitialPasswordRequest) returns (SetHumanInitialPasswordResponse) {
option (google.api.http) = {
post: "/users/{user_id}/password/_initialize"
@@ -1209,7 +1251,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Users";
tags: "User Human";
summary: "Set Human Initial Password";
summary: "Set Human Initial Password\n\nDeprecated: please use user service v2 SetPassword";
deprecated: true;
parameters: {
headers: {
@@ -1222,6 +1264,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 SetPassword
rpc SetHumanPassword(SetHumanPasswordRequest) returns (SetHumanPasswordResponse) {
option (google.api.http) = {
post: "/users/{user_id}/password"
@@ -1234,9 +1277,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Set User Password";
description: "Set a new password for a user. Per default, the user has to change the password on the next login. You can set no_change_required to true, to avoid the change on the next login."
description: "Set a new password for a user. Per default, the user has to change the password on the next login. You can set no_change_required to true, to avoid the change on the next login.\n\nDeprecated: please use user service v2 SetPassword"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1254,6 +1298,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 PasswordReset
rpc SendHumanResetPasswordNotification(SendHumanResetPasswordNotificationRequest) returns (SendHumanResetPasswordNotificationResponse) {
option (google.api.http) = {
post: "/users/{user_id}/password/_reset"
@@ -1266,9 +1311,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Send Reset Password Notification";
description: "The user will receive an email with a link to change the password."
description: "The user will receive an email with a link to change the password.\n\nDeprecated: please use user service v2 PasswordReset"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1286,6 +1332,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ListAuthenticationMethodTypes
rpc ListHumanAuthFactors(ListHumanAuthFactorsRequest) returns (ListHumanAuthFactorsResponse) {
option (google.api.http) = {
post: "/users/{user_id}/auth_factors/_search"
@@ -1297,9 +1344,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get User Authentication Factors (2FA/MFA)";
description: "Get a list of authentication factors the user has set. Including Second-Factors (2FA) and Multi-Factors (MFA)."
description: "Get a list of authentication factors the user has set. Including Second-Factors (2FA) and Multi-Factors (MFA).\n\nDeprecated: please use user service v2 ListAuthenticationMethodTypes"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1317,6 +1365,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RemoveTOTP
rpc RemoveHumanAuthFactorOTP(RemoveHumanAuthFactorOTPRequest) returns (RemoveHumanAuthFactorOTPResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/auth_factors/otp"
@@ -1328,9 +1377,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Remove Multi-Factor OTP";
description: "Remove the configured One-Time-Password (OTP) as a factor from the user. OTP is an authentication app, like Authy or Google/Microsoft Authenticator."
description: "Remove the configured One-Time-Password (OTP) as a factor from the user. OTP is an authentication app, like Authy or Google/Microsoft Authenticator.\n\nDeprecated: please use user service v2 RemoveTOTP"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1348,6 +1398,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RemoveU2F
rpc RemoveHumanAuthFactorU2F(RemoveHumanAuthFactorU2FRequest) returns (RemoveHumanAuthFactorU2FResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/auth_factors/u2f/{token_id}"
@@ -1359,7 +1410,8 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Remove Multi-Factor U2F";
description: "Remove the configured Universal-Second-Factor (U2F) as a factor from the user. U2F is a device-dependent factor like FingerPrint, Windows-Hello, etc."
deprecated: true;
description: "Remove the configured Universal-Second-Factor (U2F) as a factor from the user. U2F is a device-dependent factor like FingerPrint, Windows-Hello, etc.\n\nDeprecated: please use user service v2 RemoveU2F"
tags: "Users";
tags: "User Human";
responses: {
@@ -1379,6 +1431,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RemoveOTPSMS
rpc RemoveHumanAuthFactorOTPSMS(RemoveHumanAuthFactorOTPSMSRequest) returns (RemoveHumanAuthFactorOTPSMSResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/auth_factors/otp_sms"
@@ -1390,9 +1443,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Remove Multi-Factor OTP SMS";
description: "Remove the configured One-Time-Password (OTP) SMS as a factor from the user. As only one OTP SMS per user is allowed, the user will not have OTP SMS as a second-factor afterward."
description: "Remove the configured One-Time-Password (OTP) SMS as a factor from the user. As only one OTP SMS per user is allowed, the user will not have OTP SMS as a second-factor afterward.\n\nDeprecated: please use user service v2 RemoveOTPSMS"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1410,6 +1464,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RemoveOTPEmail
rpc RemoveHumanAuthFactorOTPEmail(RemoveHumanAuthFactorOTPEmailRequest) returns (RemoveHumanAuthFactorOTPEmailResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/auth_factors/otp_email"
@@ -1421,9 +1476,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Remove Multi-Factor OTP SMS";
description: "Remove the configured One-Time-Password (OTP) Email as a factor from the user. As only one OTP Email per user is allowed, the user will not have OTP Email as a second-factor afterward."
description: "Remove the configured One-Time-Password (OTP) Email as a factor from the user. As only one OTP Email per user is allowed, the user will not have OTP Email as a second-factor afterward.\n\nDeprecated: please use user service v2 RemoveOTPEmail"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1441,6 +1497,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ListPasskeys
rpc ListHumanPasswordless(ListHumanPasswordlessRequest) returns (ListHumanPasswordlessResponse) {
option (google.api.http) = {
post: "/users/{user_id}/passwordless/_search"
@@ -1452,7 +1509,8 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Search Passwordless/Passkey authentication";
description: "Get a list of configured passwordless/passkey authentication methods from the user. Passwordless/passkey is a device-dependent authentication like FingerScan, WindowsHello or a Hardware Token."
deprecated: true;
description: "Get a list of configured passwordless/passkey authentication methods from the user. Passwordless/passkey is a device-dependent authentication like FingerScan, WindowsHello or a Hardware Token.\n\nDeprecated: please use user service v2 ListPasskeys"
tags: "Users";
tags: "User Human";
responses: {
@@ -1472,6 +1530,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RegisterPasskey
rpc AddPasswordlessRegistration(AddPasswordlessRegistrationRequest) returns (AddPasswordlessRegistrationResponse) {
option (google.api.http) = {
post: "/users/{user_id}/passwordless/_link"
@@ -1482,9 +1541,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Add Passwordless/Passkey Registration Link";
description: "Adds a new passwordless/passkey authenticator link to the user and returns it in the response. The link enables the user to register a new device if current passwordless/passkey devices are all platform authenticators. e.g. User has already registered Windows Hello and wants to register FaceID on the iPhone"
description: "Adds a new passwordless/passkey authenticator link to the user and returns it in the response. The link enables the user to register a new device if current passwordless/passkey devices are all platform authenticators. e.g. User has already registered Windows Hello and wants to register FaceID on the iPhone\n\nDeprecated: please use user service v2 RegisterPasskey"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1502,6 +1562,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RegisterPasskey
rpc SendPasswordlessRegistration(SendPasswordlessRegistrationRequest) returns (SendPasswordlessRegistrationResponse) {
option (google.api.http) = {
post: "/users/{user_id}/passwordless/_send_link"
@@ -1513,9 +1574,10 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Send Passwordless/Passkey Registration Link";
description: "Adds a new passwordless/passkey authenticator link to the user and sends it to the user per email. The link enables the user to register a new device if current passwordless/passkey devices are all platform authenticators. e.g. User has already registered Windows Hello and wants to register FaceID on the iPhone"
description: "Adds a new passwordless/passkey authenticator link to the user and sends it to the user per email. The link enables the user to register a new device if current passwordless/passkey devices are all platform authenticators. e.g. User has already registered Windows Hello and wants to register FaceID on the iPhone.\n\nDeprecated: please use user service v2 RegisterPasskey"
tags: "Users";
tags: "User Human";
deprecated: true;
responses: {
key: "200"
value: {
@@ -1533,6 +1595,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RemovePasskey
rpc RemoveHumanPasswordless(RemoveHumanPasswordlessRequest) returns (RemoveHumanPasswordlessResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/passwordless/{token_id}"
@@ -1544,7 +1607,8 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Delete Passwordless/Passkey";
description: "Remove a configured passwordless/passkey authentication method from the user. (e.g FaceID, FingerScane, WindowsHello, etc.)"
deprecated: true;
description: "Remove a configured passwordless/passkey authentication method from the user. (e.g FaceID, FingerScane, WindowsHello, etc.).\n\nDeprecated: please use user service v2 RemovePasskey"
tags: "Users";
tags: "User Human";
responses: {
@@ -1911,6 +1975,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 ListLinkedIDPs
rpc ListHumanLinkedIDPs(ListHumanLinkedIDPsRequest) returns (ListHumanLinkedIDPsResponse) {
option (google.api.http) = {
post: "/users/{user_id}/idps/_search"
@@ -1924,7 +1989,8 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Users"
summary: "List Social Logins";
description: "Returns a list of all linked identity providers/social logins of the user. (e. Google, Microsoft, AzureAD, etc.)"
deprecated: true;
description: "Returns a list of all linked identity providers/social logins of the user. (e. Google, Microsoft, AzureAD, etc.).\n\nDeprecated: please use user service v2 ListLinkedIDPs"
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -1936,6 +2002,7 @@ service ManagementService {
};
}
// Deprecated: please use user service v2 RemoveLinkedIDP
rpc RemoveHumanLinkedIDP(RemoveHumanLinkedIDPRequest) returns (RemoveHumanLinkedIDPResponse) {
option (google.api.http) = {
delete: "/users/{user_id}/idps/{idp_id}/{linked_user_id}"
@@ -1948,7 +2015,8 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Users"
summary: "Remove Social Login";
description: "Remove a configured social logins/identity providers of the user (e.g. Google, Microsoft, AzureAD, etc.). The user will not be able to log in with the given provider afterward. Make sure the user does have other possibilities to authenticate."
deprecated: true;
description: "Remove a configured social logins/identity providers of the user (e.g. Google, Microsoft, AzureAD, etc.). The user will not be able to log in with the given provider afterward. Make sure the user does have other possibilities to authenticate.\n\nDeprecated: please use user service v2 RemoveLinkedIDP"
parameters: {
headers: {
name: "x-zitadel-orgid";


@@ -0,0 +1,122 @@
syntax = "proto3";
package zitadel.object.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/object/v2;object";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
// Deprecated: use Organization
message Organisation {
oneof org {
string org_id = 1;
string org_domain = 2;
}
}
message Organization {
oneof org {
string org_id = 1;
string org_domain = 2;
}
}
message RequestContext {
oneof resource_owner {
string org_id = 1;
bool instance = 2 [(validate.rules).bool = {const: true}];
}
}
message ListQuery {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
json_schema: {
title: "General List Query"
description: "Object unspecific list filters like offset, limit and asc/desc."
}
};
uint64 offset = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"0\"";
}
];
uint32 limit = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "100";
description: "Maximum amount of events returned. The default is set to 1000 in https://github.com/zitadel/zitadel/blob/new-eventstore/cmd/zitadel/startup.yaml. If the limit exceeds the maximum configured ZITADEL will throw an error. If no limit is present the default is taken.";
}
];
bool asc = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "default is descending"
}
];
}
message Details {
//sequence represents the order of events. It's always counting
//
// on read: the sequence of the last event reduced by the projection
//
// on manipulation: the timestamp of the event(s) added by the manipulation
uint64 sequence = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2\"";
}
];
//change_date is the timestamp when the object was changed
//
// on read: the timestamp of the last event reduced by the projection
//
// on manipulation: the timestamp of the event(s) added by the manipulation
google.protobuf.Timestamp change_date = 2;
//resource_owner is the organization or instance_id an object belongs to
string resource_owner = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\"";
}
];
}
message ListDetails {
uint64 total_result = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2\"";
}
];
uint64 processed_sequence = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"267831\"";
}
];
google.protobuf.Timestamp timestamp = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the last time the projection got updated"
}
];
}
enum TextQueryMethod {
TEXT_QUERY_METHOD_EQUALS = 0;
TEXT_QUERY_METHOD_EQUALS_IGNORE_CASE = 1;
TEXT_QUERY_METHOD_STARTS_WITH = 2;
TEXT_QUERY_METHOD_STARTS_WITH_IGNORE_CASE = 3;
TEXT_QUERY_METHOD_CONTAINS = 4;
TEXT_QUERY_METHOD_CONTAINS_IGNORE_CASE = 5;
TEXT_QUERY_METHOD_ENDS_WITH = 6;
TEXT_QUERY_METHOD_ENDS_WITH_IGNORE_CASE = 7;
}
enum ListQueryMethod {
LIST_QUERY_METHOD_IN = 0;
}
enum TimestampQueryMethod {
TIMESTAMP_QUERY_METHOD_EQUALS = 0;
TIMESTAMP_QUERY_METHOD_GREATER = 1;
TIMESTAMP_QUERY_METHOD_GREATER_OR_EQUALS = 2;
TIMESTAMP_QUERY_METHOD_LESS = 3;
TIMESTAMP_QUERY_METHOD_LESS_OR_EQUALS = 4;
}
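Review bot: The leading comment on `Details.sequence` (its "on manipulation" line) says "the timestamp of the event(s) added by the manipulation", which is the wording of the `change_date` comment below it; for a `uint64 sequence` it should read `// on manipulation: the sequence of the event(s) added by the manipulation`. Since this file is a fresh v2 copy, correcting the comment now costs nothing. Separately, `Organisation` is marked deprecated only by the `// Deprecated: use Organization` comment; adding `option deprecated = true;` inside the message lets codegen and linters surface the deprecation to callers instead of relying on them reading the source. The `limit` description also still links a `new-eventstore` branch and speaks of "events", which reads as stale for a generic list query; consider describing the configured maximum without the branch link.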


@@ -0,0 +1,117 @@
syntax = "proto3";
package zitadel.oidc.v2;
import "google/protobuf/duration.proto";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/oidc/v2;oidc";
message AuthRequest{
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
external_docs: {
url: "https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest";
description: "Find out more about OIDC Auth Request parameters";
}
};
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "ID of the authorization request";
}
];
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Time when the auth request was created";
}
];
string client_id = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "OIDC client ID of the application that created the auth request";
}
];
repeated string scope = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Requested scopes by the application, which the user must consent to.";
}
];
string redirect_uri = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Base URI that points back to the application";
}
];
repeated Prompt prompt = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Prompts that must be displayed to the user";
}
];
repeated string ui_locales = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "End-User's preferred languages and scripts for the user interface, represented as a list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value [fr-CA, fr, en] represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported.";
}
];
optional string login_hint = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Login hint can be set by the application with a user identifier such as an email or phone number.";
}
];
optional google.protobuf.Duration max_age = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated. If the elapsed time is greater than this value, or the field is present with 0 duration, the user must be re-authenticated.";
}
];
optional string hint_user_id = 10 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "User ID taken from a ID Token Hint if it was present and valid.";
}
];
}
enum Prompt {
PROMPT_UNSPECIFIED = 0;
PROMPT_NONE = 1;
PROMPT_LOGIN = 2;
PROMPT_CONSENT = 3;
PROMPT_SELECT_ACCOUNT = 4;
PROMPT_CREATE = 5;
}
message AuthorizationError {
ErrorReason error = 1;
optional string error_description = 2;
optional string error_uri = 3;
}
enum ErrorReason {
ERROR_REASON_UNSPECIFIED = 0;
// Error states from https://datatracker.ietf.org/doc/html/rfc6749#section-4.2.2.1
ERROR_REASON_INVALID_REQUEST = 1;
ERROR_REASON_UNAUTHORIZED_CLIENT = 2;
ERROR_REASON_ACCESS_DENIED = 3;
ERROR_REASON_UNSUPPORTED_RESPONSE_TYPE = 4;
ERROR_REASON_INVALID_SCOPE = 5;
ERROR_REASON_SERVER_ERROR = 6;
ERROR_REASON_TEMPORARY_UNAVAILABLE = 7;
// Error states from https://openid.net/specs/openid-connect-core-1_0.html#AuthError
ERROR_REASON_INTERACTION_REQUIRED = 8;
ERROR_REASON_LOGIN_REQUIRED = 9;
ERROR_REASON_ACCOUNT_SELECTION_REQUIRED = 10;
ERROR_REASON_CONSENT_REQUIRED = 11;
ERROR_REASON_INVALID_REQUEST_URI = 12;
ERROR_REASON_INVALID_REQUEST_OBJECT = 13;
ERROR_REASON_REQUEST_NOT_SUPPORTED = 14;
ERROR_REASON_REQUEST_URI_NOT_SUPPORTED = 15;
ERROR_REASON_REGISTRATION_NOT_SUPPORTED = 16;
}


@@ -0,0 +1,219 @@
syntax = "proto3";
package zitadel.oidc.v2;
import "zitadel/object/v2/object.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/oidc/v2/authorization.proto";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/oidc/v2;oidc";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "OIDC Service";
version: "2.0";
description: "Get OIDC Auth Request details and create callback URLs.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
service OIDCService {
rpc GetAuthRequest (GetAuthRequestRequest) returns (GetAuthRequestResponse) {
option (google.api.http) = {
get: "/v2/oidc/auth_requests/{auth_request_id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get OIDC Auth Request details";
description: "Get OIDC Auth Request details by ID, obtained from the redirect URL. Returns details that are parsed from the application's Auth Request."
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
rpc CreateCallback (CreateCallbackRequest) returns (CreateCallbackResponse) {
option (google.api.http) = {
post: "/v2/oidc/auth_requests/{auth_request_id}"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Finalize an Auth Request and get the callback URL.";
description: "Finalize an Auth Request and get the callback URL for success or failure. The user must be redirected to the URL in order to inform the application about the success or failure. On success, the URL contains details for the application to obtain the tokens. This method can only be called once for an Auth request."
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
}
message GetAuthRequestRequest {
string auth_request_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
description: "ID of the Auth Request, as obtained from the redirect URL.";
example: "\"163840776835432705\"";
}
];
}
message GetAuthRequestResponse {
AuthRequest auth_request = 1;
}
message CreateCallbackRequest {
string auth_request_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Set this field when the authorization flow failed. It creates a callback URL to the application, with the error details set.";
ref: "https://openid.net/specs/openid-connect-core-1_0.html#AuthError";
}
];
oneof callback_kind {
option (validate.required) = true;
Session session = 2;
AuthorizationError error = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Set this field when the authorization flow failed. It creates a callback URL to the application, with the error details set.";
ref: "https://openid.net/specs/openid-connect-core-1_0.html#AuthError";
}
];
}
}
message Session {
string session_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
description: "ID of the session, used to login the user. Connects the session to the Auth Request.";
example: "\"163840776835432705\"";
}
];
string session_token = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
description: "Token to verify the session is valid";
}
];
}
message CreateCallbackResponse {
zitadel.object.v2.Details details = 1;
string callback_url = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Callback URL where the user should be redirected, using a \"302 FOUND\" status. Contains details for the application to obtain the tokens on success, or error details on failure. Note that this field must be treated as credentials, as the contained code can be used to obtain tokens on behalve of the user.";
example: "\"https://client.example.org/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj\""
}
];
}
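Review bot: The openapi annotation on `auth_request_id` in CreateCallbackRequest carries the description and `ref` that belong to the `error` oneof member below it ("Set this field when the authorization flow failed…"), so generated docs describe the request ID as an error field. It should get the same annotation as GetAuthRequestRequest.auth_request_id — `description: "ID of the Auth Request, as obtained from the redirect URL.";` with the `ref` line dropped, and ideally the matching `min_length`/`max_length`/`example` entries. Separately, the `callback_url` description has a typo ("behalve" → "behalf"); that sentence is worth keeping because it correctly tells integrators the URL carries the authorization code and must be handled as a credential.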


@@ -0,0 +1,174 @@
syntax = "proto3";
package zitadel.org.v2;
import "zitadel/object/v2/object.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/user/v2/auth.proto";
import "zitadel/user/v2/email.proto";
import "zitadel/user/v2/phone.proto";
import "zitadel/user/v2/idp.proto";
import "zitadel/user/v2/password.proto";
import "zitadel/user/v2/user.proto";
import "zitadel/user/v2/user_service.proto";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/org/v2;org";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "User Service";
version: "2.0";
description: "This API is intended to manage organizations in a ZITADEL instance.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
service OrganizationService {
// Create a new organization and grant the user(s) permission to manage it
rpc AddOrganization(AddOrganizationRequest) returns (AddOrganizationResponse) {
option (google.api.http) = {
post: "/v2/organizations"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "org.create"
}
http_response: {
success_code: 201
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create an Organization";
description: "Create a new organization with an administrative user. If no specific roles are sent for the users, they will be granted the role ORG_OWNER."
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
}
message AddOrganizationRequest{
message Admin {
oneof user_type{
string user_id = 1;
zitadel.user.v2.AddHumanUserRequest human = 2;
}
// specify Org Member Roles for the provided user (default is ORG_OWNER if roles are empty)
repeated string roles = 3;
}
string name = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"ZITADEL\"";
}
];
repeated Admin admins = 2;
}
message AddOrganizationResponse{
message CreatedAdmin {
string user_id = 1;
optional string email_code = 2;
optional string phone_code = 3;
}
zitadel.object.v2.Details details = 1;
string organization_id = 2;
repeated CreatedAdmin created_admins = 3;
}
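Review bot: The swagger `info.title` of this file is `"User Service"`, copied from the user service definition, so the generated OrganizationService documentation is labelled wrongly; it should read `title: "Organization Service";`. Only `zitadel/object/v2/object.proto`, `zitadel/protoc_gen_zitadel/v2/options.proto`, `zitadel/user/v2/user_service.proto` and the annotation/validate protos appear to be referenced in the file; the `auth`, `email`, `phone`, `idp`, `password`, `user`, `duration` and `struct` imports look unused and protoc warns on them. `CreatedAdmin.email_code` and `CreatedAdmin.phone_code` are undocumented although they presumably carry one-time verification codes for the created admin; a leading comment such as `// Verification code for the admin's email; presumably only set when the caller requested it to be returned. Treat as a secret and do not log the response.` would tell integrators how to handle the response.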


@@ -0,0 +1,82 @@
syntax = "proto3";
package zitadel.session.v2;
import "google/api/field_behavior.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/session/v2;session";
enum UserVerificationRequirement {
USER_VERIFICATION_REQUIREMENT_UNSPECIFIED = 0;
USER_VERIFICATION_REQUIREMENT_REQUIRED = 1;
USER_VERIFICATION_REQUIREMENT_PREFERRED = 2;
USER_VERIFICATION_REQUIREMENT_DISCOURAGED = 3;
}
message RequestChallenges {
message WebAuthN {
string domain = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"Domain on which the session was created. Will be used in the WebAuthN challenge.\"";
}
];
UserVerificationRequirement user_verification_requirement = 2 [
(validate.rules).enum = {
defined_only: true,
not_in: [0]
},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"User verification that is required during validation. When set to `USER_VERIFICATION_REQUIREMENT_REQUIRED` the behaviour is for passkey authentication. Other values will mean U2F\"";
ref: "https://www.w3.org/TR/webauthn/#enum-userVerificationRequirement";
}
];
}
message OTPSMS {
bool return_code = 1;
}
message OTPEmail {
message SendCode {
optional string url_template = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"https://example.com/otp/verify?userID={{.UserID}}&code={{.Code}}\"";
description: "\"Optionally set a url_template, which will be used in the mail sent by ZITADEL to guide the user to your verification page. If no template is set, the default ZITADEL url will be used.\""
}
];
}
message ReturnCode {}
// if no delivery_type is specified, an email is sent with the default url
oneof delivery_type {
SendCode send_code = 2;
ReturnCode return_code = 3;
}
}
optional WebAuthN web_auth_n = 1;
optional OTPSMS otp_sms = 2;
optional OTPEmail otp_email = 3;
}
message Challenges {
message WebAuthN {
google.protobuf.Struct public_key_credential_request_options = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Options for Assertion Generaration (dictionary PublicKeyCredentialRequestOptions). Generated helper methods transform the field to JSON, for use in a WebauthN client. See also: https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions"
example: "{\"publicKey\":{\"allowCredentials\":[{\"id\":\"ATmqBg-99qyOZk2zloPdJQyS2R7IkFT7v9Hoos_B_nM\",\"type\":\"public-key\"}],\"challenge\":\"GAOHYz2jE69kJMYo6Laij8yWw9-dKKgbViNhfuy0StA\",\"rpId\":\"localhost\",\"timeout\":300000,\"userVerification\":\"required\"}}"
}
];
}
optional WebAuthN web_auth_n = 1;
optional string otp_sms = 2;
optional string otp_email = 3;
}
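Review bot: Most `description` values in this file are wrapped in escaped quotes, e.g. `description: "\"Domain on which the session was created. Will be used in the WebAuthN challenge.\"";`, so the rendered OpenAPI text shows literal quote characters; that convention belongs to `example` (a JSON value), not to `description`. The same applies to the descriptions in the session.proto and session_service.proto sections below. `Challenges.otp_sms` and `Challenges.otp_email` have no documentation although they presumably carry the one-time code when `return_code` was requested; a comment such as `// The generated OTP code, presumably only present when the caller asked for it to be returned; treat as a secret.` would make the sensitivity explicit. The description of `public_key_credential_request_options` also misspells "Generation" as "Generaration".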


@@ -0,0 +1,178 @@
syntax = "proto3";
package zitadel.session.v2;
import "zitadel/object.proto";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/session/v2;session";
message Session {
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"id of the session\"";
}
];
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"time when the session was created\"";
}
];
google.protobuf.Timestamp change_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"time when the session was last updated\"";
}
];
uint64 sequence = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"sequence of the session\"";
}
];
Factors factors = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"checked factors of the session, e.g. the user, password and more\"";
}
];
map<string, bytes> metadata = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"custom key value list\"";
}
];
UserAgent user_agent = 7;
optional google.protobuf.Timestamp expiration_date = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"time the session will be automatically invalidated\"";
}
];
}
message Factors {
UserFactor user = 1;
PasswordFactor password = 2;
WebAuthNFactor web_auth_n = 3;
IntentFactor intent = 4;
TOTPFactor totp = 5;
OTPFactor otp_sms = 6;
OTPFactor otp_email = 7;
}
message UserFactor {
reserved 5;
reserved "organisation_id";
google.protobuf.Timestamp verified_at = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"time when the user was last checked\"";
}
];
string id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"id of the checked user\"";
}
];
string login_name = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"login name of the checked user\"";
}
];
string display_name = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"display name of the checked user\"";
}
];
string organization_id = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"organization id of the checked user\"";
}
];
}
message PasswordFactor {
google.protobuf.Timestamp verified_at = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"time when the password was last checked\"";
}
];
}
message IntentFactor {
google.protobuf.Timestamp verified_at = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"time when an intent was last checked\"";
}
];
}
message WebAuthNFactor {
google.protobuf.Timestamp verified_at = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"time when the passkey challenge was last checked\"";
}
];
bool user_verified = 2;
}
message TOTPFactor {
google.protobuf.Timestamp verified_at = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"time when the Time-based One-Time Password was last checked\"";
}
];
}
message OTPFactor {
google.protobuf.Timestamp verified_at = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"time when the One-Time Password was last checked\"";
}
];
}
message SearchQuery {
oneof query {
option (validate.required) = true;
IDsQuery ids_query = 1;
UserIDQuery user_id_query = 2;
CreationDateQuery creation_date_query = 3;
}
}
message IDsQuery {
repeated string ids = 1;
}
message UserIDQuery {
string id = 1;
}
message CreationDateQuery {
google.protobuf.Timestamp creation_date = 1;
zitadel.v1.TimestampQueryMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which timestamp comparison method is used";
}
];
}
message UserAgent {
optional string fingerprint_id = 1;
optional string ip = 2;
optional string description = 3;
// A header may have multiple values.
// In Go, headers are defined
// as map[string][]string, but protobuf
// doesn't allow this scheme.
message HeaderValues {
repeated string values = 1;
}
map<string,HeaderValues> header = 4;
}
enum SessionFieldName {
SESSION_FIELD_NAME_UNSPECIFIED = 0;
SESSION_FIELD_NAME_CREATION_DATE = 1;
}
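Review bot: `CreationDateQuery.method` is typed `zitadel.v1.TimestampQueryMethod` through `import "zitadel/object.proto";`, while every other file in this commit imports `zitadel/object/v2/object.proto`; this ties the stable v2 session package to the v1 object package, so any later change or removal of v1 becomes a breaking change for v2 clients. If the v2 object package offers an equivalent enum, switching to it before v2 is declared stable would avoid that coupling. `UserAgent.ip` and `UserAgent.header` appear to be stored with the session and are returned inside `Session.user_agent` without any documentation; a leading comment such as `// Client IP and request headers as supplied by the caller; they are kept with the session and returned on read, so do not pass headers that carry credentials (e.g. Authorization or Cookie).` would make the retention explicit.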


@@ -0,0 +1,496 @@
syntax = "proto3";
package zitadel.session.v2;
import "zitadel/object/v2/object.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/session/v2/challenge.proto";
import "zitadel/session/v2/session.proto";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/duration.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/session/v2;session";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Session Service";
version: "2.0";
description: "This API is intended to manage sessions in a ZITADEL instance. Follow the guides on how to [build your own Login UI](/docs/guides/integrate/login-ui) and learn how to use the Session API.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
service SessionService {
// Search sessions
rpc ListSessions (ListSessionsRequest) returns (ListSessionsResponse) {
option (google.api.http) = {
post: "/v2/sessions/search"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Search sessions";
description: "Search for sessions"
responses: {
key: "200"
value: {
description: "OK";
}
};
responses: {
key: "400";
value: {
description: "invalid list query";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
};
};
};
};
};
}
// GetSession a session
rpc GetSession (GetSessionRequest) returns (GetSessionResponse) {
option (google.api.http) = {
get: "/v2/sessions/{session_id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get a session";
description: "Get a session and all its information like the time of the user or password verification"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Create a new session
rpc CreateSession (CreateSessionRequest) returns (CreateSessionResponse) {
option (google.api.http) = {
post: "/v2/sessions"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
http_response: {
success_code: 201
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create a new session";
description: "Create a new session. A token will be returned, which is required for further updates of the session."
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Update a session
rpc SetSession (SetSessionRequest) returns (SetSessionResponse) {
option (google.api.http) = {
patch: "/v2/sessions/{session_id}"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Update an existing session";
description: "Update an existing session with new information."
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Terminate a session
rpc DeleteSession (DeleteSessionRequest) returns (DeleteSessionResponse) {
option (google.api.http) = {
delete: "/v2/sessions/{session_id}"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Terminate an existing session";
description: "Terminate your own session or if granted any other session."
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
}
message ListSessionsRequest{
zitadel.object.v2.ListQuery query = 1;
repeated SearchQuery queries = 2;
zitadel.session.v2.SessionFieldName sorting_column = 3;
}
message ListSessionsResponse{
zitadel.object.v2.ListDetails details = 1;
repeated Session sessions = 2;
}
message GetSessionRequest{
string session_id = 1;
optional string session_token = 2;
}
message GetSessionResponse{
Session session = 1;
}
message CreateSessionRequest{
Checks checks = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"Check for user and password. Successful checks will be stated as factors on the session.\"";
}
];
map<string, bytes> metadata = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"custom key value list to be stored on the session\"";
}
];
RequestChallenges challenges = 3;
UserAgent user_agent = 4;
optional google.protobuf.Duration lifetime = 5 [
(validate.rules).duration = {gt: {seconds: 0}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"duration (in seconds) after which the session will be automatically invalidated\"";
example:"\"18000s\""
}
];
}
message CreateSessionResponse{
zitadel.object.v2.Details details = 1;
string session_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"id of the session\"";
example: "\"222430354126975533\"";
}
];
string session_token = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"The current token of the session, which is required for delete session, get session or the request of other resources.\"";
}
];
Challenges challenges = 4;
}
message SetSessionRequest{
string session_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
description: "\"id of the session to update\"";
example: "\"222430354126975533\"";
}
];
string session_token = 2 [
(validate.rules).string = {min_len: 0, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
description: "\"DEPRECATED: this field is ignored.\"";
}
];
Checks checks = 3[
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"Check for user and password. Successful checks will be stated as factors on the session.\"";
}
];
map<string, bytes> metadata = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"custom key value list to be stored on the session\"";
}
];
RequestChallenges challenges = 5;
optional google.protobuf.Duration lifetime = 6 [
(validate.rules).duration = {gt: {seconds: 0}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"duration (in seconds) after which the session will be automatically invalidated\"";
example:"\"18000s\""
}
];
}
message SetSessionResponse{
zitadel.object.v2.Details details = 1;
string session_token = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"The current token of the session, which is required for delete session, get session or the request of other resources.\"";
}
];
Challenges challenges = 3;
}
message DeleteSessionRequest{
string session_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
description: "\"id of the session to terminate\"";
example: "\"222430354126975533\"";
}
];
optional string session_token = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"The current token of the session, previously returned on the create / update request. The token is required unless the authenticated user terminates the own session or is granted the `session.delete` permission.\"";
}
];
}
message DeleteSessionResponse{
zitadel.object.v2.Details details = 1;
}
message Checks {
optional CheckUser user = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"checks the user and updates the session on success\"";
}
];
optional CheckPassword password = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"Checks the password and updates the session on success. Requires that the user is already checked, either in the previous or the same request.\"";
}
];
optional CheckWebAuthN web_auth_n = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"Checks the public key credential issued by the WebAuthN client. Requires that the user is already checked and a WebAuthN challenge to be requested, in any previous request.\"";
}
];
optional CheckIDPIntent idp_intent = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"Checks the IDP intent. Requires that the userlink is already checked and a successful idp intent.\"";
}
];
optional CheckTOTP totp = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"Checks the Time-based One-Time Password and updates the session on success. Requires that the user is already checked, either in the previous or the same request.\"";
}
];
optional CheckOTP otp_sms = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"Checks the One-Time Password sent over SMS and updates the session on success. Requires that the user is already checked, either in the previous or the same request.\"";
}
];
optional CheckOTP otp_email = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"Checks the One-Time Password sent over Email and updates the session on success. Requires that the user is already checked, either in the previous or the same request.\"";
}
];
}
message CheckUser {
oneof search {
string user_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"d654e6ba-70a3-48ef-a95d-37c8d8a7901a\"";
}
];
string login_name = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"mini@mouse.com\"";
}
];
}
}
message CheckPassword {
string password = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"V3ryS3cure!\"";
}
];
}
message CheckWebAuthN {
google.protobuf.Struct credential_assertion_data = 1 [
(validate.rules).message.required = true,
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "JSON representation of public key credential issued by the webAuthN client";
min_length: 55;
max_length: 1048576; //1 MB
}
];
}
message CheckIDPIntent {
string idp_intent_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "ID of the idp intent, previously returned on the success response of the IDP callback"
min_length: 1;
max_length: 200;
example: "\"d654e6ba-70a3-48ef-a95d-37c8d8a7901a\"";
}
];
string idp_intent_token = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "token of the idp intent, previously returned on the success response of the IDP callback"
min_length: 1;
max_length: 200;
example: "\"SJKL3ioIDpo342ioqw98fjp3sdf32wahb=\"";
}
];
}
message CheckTOTP {
string code = 1 [
(validate.rules).string = {min_len: 6, max_len: 6},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 6;
max_length: 6;
example: "\"323764\"";
}
];
}
message CheckOTP {
string code = 1 [
(validate.rules).string = {min_len: 1},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
example: "\"3237642\"";
}
];
}
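Review bot: `SetSessionRequest.session_token` is described as `"DEPRECATED: this field is ignored."` but is not marked with the field option, and its openapi annotation still says `min_length: 1` while the validate rule allows `min_len: 0`, so generated docs advertise a required-looking field that the server ignores. Changing the declaration to `string session_token = 2 [deprecated = true,` and the annotation to `min_length: 0;` keeps the wire contract and makes the deprecation visible in generated code. `DeleteSession` maps to `delete: "/v2/sessions/{session_id}"` with `body: "*"`; HTTP DELETE bodies are dropped by some clients and intermediaries, so the `session_token` that authorizes terminating a foreign session may silently not arrive — worth documenting on the RPC or covering with a non-body alternative. `GetSessionRequest.session_token` and the `ListSessionsRequest` fields have no descriptions, unlike the other request messages in this file.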


@@ -0,0 +1,93 @@
syntax = "proto3";
package zitadel.settings.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
import "protoc-gen-openapiv2/options/annotations.proto";
import "zitadel/settings/v2/settings.proto";
message BrandingSettings {
Theme light_theme = 1;
Theme dark_theme = 2;
string font_url = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "url to the font used";
example: "\"https://acme.com/assets/v1/165617850692654601/policy/label/font-180950243237405441\"";
}
];
// hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set
bool hide_login_name_suffix = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set";
}
];
bool disable_watermark = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "boolean to disable the watermark";
}
];
// resource_owner_type returns if the setting is managed on the organization or on the instance
ResourceOwnerType resource_owner_type = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "resource_owner_type returns if the setting is managed on the organization or on the instance";
}
];
ThemeMode theme_mode = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "states whether both or only dark or light theme will be used";
}
];
}
message Theme {
// hex value for primary color
string primary_color = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "hex value for primary color";
example: "\"#5469d4\"";
}
];
// hex value for background color
string background_color = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "hex value for background color";
example: "\"#FAFAFA\"";
}
];
// hex value for warning color
string warn_color = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "hex value for warn color";
example: "\"#CD3D56\"";
}
];
// hex value for font color
string font_color = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "hex value for font color";
example: "\"#000000\"";
}
];
// url where the logo is served
string logo_url = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "url to the logo";
example: "\"https://acme.com/assets/v1/165617850692654601/policy/label/logo-180950416321494657\"";
}
];
// url where the icon is served
string icon_url = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "url to the icon";
example: "\"https://acme.com/assets/v1/165617850692654601/policy/label/icon-180950498874178817\"";
}
];
}
enum ThemeMode {
THEME_MODE_UNSPECIFIED = 0;
THEME_MODE_AUTO = 1;
THEME_MODE_LIGHT = 2;
THEME_MODE_DARK = 3;
}
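Review bot: The leading comment on `hide_login_name_suffix` escapes its quotes (`\"urn:zitadel:iam:org:domain:primary:{domainname}\"`), so the backslashes appear literally in the generated documentation; the escaping is only needed inside the `description` string literal underneath it. Change the comment to `// hides the org suffix on the login form if the scope "urn:zitadel:iam:org:domain:primary:{domainname}" is set`. The comment also duplicates the description word for word, so if only one is kept the annotation is the one the OpenAPI generator reads.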


@@ -0,0 +1,33 @@
syntax = "proto3";
package zitadel.settings.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
import "protoc-gen-openapiv2/options/annotations.proto";
import "zitadel/settings/v2/settings.proto";
message DomainSettings {
bool login_name_includes_domain = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the username has to end with the domain of its organization"
}
];
bool require_org_domain_verification = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if organization domains should be verified upon creation, otherwise will be created already verified"
}
];
bool smtp_sender_address_matches_instance_domain = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if the SMTP sender address domain should match an existing domain on the instance"
}
];
// resource_owner_type returns if the setting is managed on the organization or on the instance
ResourceOwnerType resource_owner_type = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "resource_owner_type returns if the setting is managed on the organization or on the instance";
}
];
}
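Review bot: `resource_owner_type = 6` follows fields 1–3, leaving numbers 4 and 5 unused and unreserved; the same gap appears in `LoginSettings`, which jumps from `resource_owner_type = 19` to `force_mfa_local_only = 22`. Presumably the numbering was carried over from the v2beta definitions where those fields once existed. If so, a `reserved 4, 5;` line here (and `reserved 20, 21;` in `LoginSettings`) keeps a later addition from silently reusing a number that old clients may still emit; if the numbers are genuinely free, a one-line comment saying why they are skipped answers the question for the next reader.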


@@ -0,0 +1,58 @@
syntax = "proto3";
package zitadel.settings.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
import "protoc-gen-openapiv2/options/annotations.proto";
import "zitadel/settings/v2/settings.proto";
import "validate/validate.proto";
message LegalAndSupportSettings {
string tos_link = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://zitadel.com/docs/legal/terms-of-service\"";
}
];
string privacy_policy_link = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://zitadel.com/docs/legal/privacy-policy\"";
}
];
string help_link = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://zitadel.com/docs/manuals/introduction\"";
}
];
string support_email = 4 [
(validate.rules).string = {ignore_empty: true, max_len: 320, email: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"support-email@test.com\"";
description: "help / support email address."
}
];
// resource_owner_type returns if the setting is managed on the organization or on the instance
ResourceOwnerType resource_owner_type = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "resource_owner_type returns if the setting is managed on the organization or on the instance";
}
];
string docs_link = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Link to documentation to be shown in the console.";
example: "\"https://zitadel.com/docs\"";
}
];
string custom_link = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Link to an external resource that will be available to users in the console.";
example: "\"https://external.link\"";
}
];
string custom_link_text = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "The button text that would be shown in console pointing to custom link.";
example: "\"External\"";
}
];
}
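Review bot: `tos_link`, `privacy_policy_link` and `help_link` carry only an `example` while every other field in `LegalAndSupportSettings` has a `description`, so the generated API docs leave the three legal links unexplained. A one-line description each, e.g. `description: "Link to the terms of service shown to the user.";`, keeps them consistent with `docs_link` and `custom_link`. Since `custom_link` is rendered to users in the console, its description could also state whether the value is expected to be an absolute URL, as the example suggests.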


@@ -0,0 +1,29 @@
syntax = "proto3";
package zitadel.settings.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
import "protoc-gen-openapiv2/options/annotations.proto";
import "zitadel/settings/v2/settings.proto";
message LockoutSettings {
uint64 max_password_attempts = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Maximum password check attempts before the account gets locked. Attempts are reset as soon as the password is entered correctly or the password is reset. If set to 0 the account will never be locked."
example: "\"10\""
}
];
// resource_owner_type returns if the settings is managed on the organization or on the instance
ResourceOwnerType resource_owner_type = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "resource_owner_type returns if the settings is managed on the organization or on the instance";
}
];
uint64 max_otp_attempts = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Maximum failed attempts for a single OTP type (TOTP, SMS, Email) before the account gets locked. Attempts are reset as soon as the OTP is entered correctly. If set to 0 the account will never be locked."
example: "\"10\""
}
];
}
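Review bot: Both `max_password_attempts` and `max_otp_attempts` document that 0 disables locking, but as plain proto3 `uint64` fields an unset value is also 0 on the wire, so a client cannot tell "lockout disabled" from "not returned". Presumably the server always populates both on this read model; if so, say so in the descriptions, otherwise `optional uint64` gives clients explicit presence. This matters for anyone auditing lockout configuration through the API, since the ambiguous value is the permissive one.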


@@ -0,0 +1,152 @@
syntax = "proto3";
package zitadel.settings.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
import "protoc-gen-openapiv2/options/annotations.proto";
import "zitadel/settings/v2/settings.proto";
import "google/protobuf/duration.proto";
message LoginSettings {
bool allow_username_password = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if a user is allowed to log in with username and password";
}
];
bool allow_register = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if a person is allowed to register a user on this organization";
}
];
bool allow_external_idp = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if a user is allowed to add a defined identity provider. E.g. Google auth";
}
];
bool force_mfa = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if a user MUST use a multi-factor to log in";
}
];
PasskeysType passkeys_type = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if passkeys are allowed for users"
}
];
bool hide_password_reset = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if password reset link should be shown in the login screen"
}
];
bool ignore_unknown_usernames = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if unknown username on login screen directly returns an error or always displays the password screen"
}
];
string default_redirect_uri = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines where the user will be redirected to if the login is started without app context (e.g. from mail)";
example: "\"https://acme.com/ui/console\"";
}
];
google.protobuf.Duration password_check_lifetime = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Defines after how much time the user has to re-authenticate with the password.";
example: "\"864000s\"";
}
];
google.protobuf.Duration external_login_check_lifetime = 10 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Defines after how much time the user has to re-authenticate with an external provider.";
example: "\"864000s\"";
}
];
google.protobuf.Duration mfa_init_skip_lifetime = 11 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Defines after how much time the mfa prompt will be shown again.";
example: "\"2592000s\"";
}
];
google.protobuf.Duration second_factor_check_lifetime = 12 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Defines after how long the second-factor check is valid.";
example: "\"64800s\"";
}
];
google.protobuf.Duration multi_factor_check_lifetime = 13 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Defines how long the multi-factor check is valid.";
example: "\"43200s\"";
}
];
repeated SecondFactorType second_factors = 14;
repeated MultiFactorType multi_factors = 15;
// If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
bool allow_domain_discovery = 16 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success."
}
];
bool disable_login_with_email = 17 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if the user can additionally (to the login name) be identified by their verified email address"
}
];
bool disable_login_with_phone = 18 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if the user can additionally (to the login name) be identified by their verified phone number"
}
];
// resource_owner_type returns if the settings is managed on the organization or on the instance
ResourceOwnerType resource_owner_type = 19 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "resource_owner_type returns if the settings is managed on the organization or on the instance";
}
];
bool force_mfa_local_only = 22 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login."
}
];
}
enum SecondFactorType {
SECOND_FACTOR_TYPE_UNSPECIFIED = 0;
// This is the type for TOTP
SECOND_FACTOR_TYPE_OTP = 1;
SECOND_FACTOR_TYPE_U2F = 2;
SECOND_FACTOR_TYPE_OTP_EMAIL = 3;
SECOND_FACTOR_TYPE_OTP_SMS = 4;
}
enum MultiFactorType {
MULTI_FACTOR_TYPE_UNSPECIFIED = 0;
MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION = 1;
}
enum PasskeysType {
PASSKEYS_TYPE_NOT_ALLOWED = 0;
PASSKEYS_TYPE_ALLOWED = 1;
}
message IdentityProvider {
string id = 1;
string name = 2;
IdentityProviderType type = 3;
}
enum IdentityProviderType {
IDENTITY_PROVIDER_TYPE_UNSPECIFIED = 0;
IDENTITY_PROVIDER_TYPE_OIDC = 1;
IDENTITY_PROVIDER_TYPE_JWT = 2;
IDENTITY_PROVIDER_TYPE_LDAP = 3;
IDENTITY_PROVIDER_TYPE_OAUTH = 4;
IDENTITY_PROVIDER_TYPE_AZURE_AD = 5;
IDENTITY_PROVIDER_TYPE_GITHUB = 6;
IDENTITY_PROVIDER_TYPE_GITHUB_ES = 7;
IDENTITY_PROVIDER_TYPE_GITLAB = 8;
IDENTITY_PROVIDER_TYPE_GITLAB_SELF_HOSTED = 9;
IDENTITY_PROVIDER_TYPE_GOOGLE = 10;
IDENTITY_PROVIDER_TYPE_SAML=11;
}
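Review bot: The descriptions of `disable_login_with_email` and `disable_login_with_phone` say "defines if the user can additionally … be identified by their verified email address/phone number", which reads as if `true` enables the lookup although the field name says it disables it; `hide_password_reset` ("defines if password reset link should be shown") has the same inverted wording. State the polarity explicitly, e.g. `description: "if true, the user cannot be identified by their verified email address in addition to the login name";`, and likewise for the phone and password-reset fields. `PasskeysType` gives the zero value the meaning `NOT_ALLOWED`, which is a fail-closed default but departs from the `_UNSPECIFIED` convention every other enum in these files follows, so a comment stating that an unset field means "not allowed" would help. Minor: `IDENTITY_PROVIDER_TYPE_SAML=11;` lacks the spaces around `=` used by every other value.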


@@ -0,0 +1,60 @@
syntax = "proto3";
package zitadel.settings.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
import "protoc-gen-openapiv2/options/annotations.proto";
import "zitadel/settings/v2/settings.proto";
message PasswordComplexitySettings {
uint64 min_length = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Defines the minimum length of a password.";
example: "\"8\""
}
];
bool requires_uppercase = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if the password MUST contain an upper case letter"
}
];
bool requires_lowercase = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if the password MUST contain a lowercase letter"
}
];
bool requires_number = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if the password MUST contain a number"
}
];
bool requires_symbol = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines if the password MUST contain a symbol. E.g. \"$\""
}
];
// resource_owner_type returns if the settings is managed on the organization or on the instance
ResourceOwnerType resource_owner_type = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "resource_owner_type returns if the settings is managed on the organization or on the instance";
}
];
}
message PasswordExpirySettings {
// Amount of days after which a password will expire. The user will be forced to change the password on the following authentication.
uint64 max_age_days = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"365\""
}
];
// Amount of days after which the user should be notified of the upcoming expiry. ZITADEL will not notify the user.
uint64 expire_warn_days = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"10\""
}
];
// resource_owner_type returns if the settings is managed on the organization or on the instance
ResourceOwnerType resource_owner_type = 3;
}
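Review bot: `PasswordExpirySettings.resource_owner_type = 3` has no `openapiv2_field` annotation, while `PasswordComplexitySettings.resource_owner_type` and every other settings message on this page attach the "resource_owner_type returns if the settings is managed on the organization or on the instance" description, so this one field is undocumented in the generated OpenAPI spec. Add the same annotation block as on `PasswordComplexitySettings.resource_owner_type`. The comments on `max_age_days` and `expire_warn_days` do not say what 0 means; if 0 disables expiry, as it does for the lockout attempt counters, the comment should state that, since that is the value an unset field reads as.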


@@ -0,0 +1,31 @@
syntax = "proto3";
package zitadel.settings.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
import "protoc-gen-openapiv2/options/annotations.proto";
message SecuritySettings {
EmbeddedIframeSettings embedded_iframe = 1;
bool enable_impersonation = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "default language for the current context"
example: "\"en\""
}
];
}
message EmbeddedIframeSettings{
bool enabled = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "states if iframe embedding is enabled or disabled"
}
];
repeated string allowed_origins = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "origins allowed loading ZITADEL in an iframe if enabled."
example: "[\"foo.bar.com\", \"localhost:8080\"]"
}
];
}
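Review bot: `enable_impersonation` in `SecuritySettings` carries `description: "default language for the current context"` and `example: "\"en\""`, evidently copied from `GetGeneralSettingsResponse.default_language`, so the generated docs describe a boolean security switch as a language. Reuse the description the write side already has on `SetSecuritySettingsRequest.enable_impersonation` and drop the example. In `EmbeddedIframeSettings.allowed_origins` the example `[\"foo.bar.com\", \"localhost:8080\"]` omits the scheme, although a web origin is scheme, host and port; the description should say which form the server compares against so operators do not configure an entry that never matches, or matches more broadly than intended.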


@@ -0,0 +1,13 @@
syntax = "proto3";
package zitadel.settings.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
import "protoc-gen-openapiv2/options/annotations.proto";
enum ResourceOwnerType {
RESOURCE_OWNER_TYPE_UNSPECIFIED = 0;
RESOURCE_OWNER_TYPE_INSTANCE = 1;
RESOURCE_OWNER_TYPE_ORG = 2;
}
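Review bot: `import "protoc-gen-openapiv2/options/annotations.proto"` is unused in this file — its only definition is the `ResourceOwnerType` enum, which carries no options — and protoc reports unused imports as a warning on every build. Drop the import, or leave a comment if it is kept deliberately. The enum itself follows the conventions (prefixed values, `_UNSPECIFIED` zero value).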


@@ -0,0 +1,479 @@
syntax = "proto3";
package zitadel.settings.v2;
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/object/v2/object.proto";
import "zitadel/settings/v2/branding_settings.proto";
import "zitadel/settings/v2/domain_settings.proto";
import "zitadel/settings/v2/legal_settings.proto";
import "zitadel/settings/v2/lockout_settings.proto";
import "zitadel/settings/v2/login_settings.proto";
import "zitadel/settings/v2/password_settings.proto";
import "zitadel/settings/v2/security_settings.proto";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/settings/v2;settings";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Settings Service";
version: "2.0";
description: "This API is intended to manage settings in a ZITADEL instance.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
service SettingsService {
// Get basic information over the instance
rpc GetGeneralSettings (GetGeneralSettingsRequest) returns (GetGeneralSettingsResponse) {
option (google.api.http) = {
get: "/v2/settings"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get basic information over the instance";
description: "Return the basic information of the instance for the requested context"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Get the login settings
rpc GetLoginSettings (GetLoginSettingsRequest) returns (GetLoginSettingsResponse) {
option (google.api.http) = {
get: "/v2/settings/login"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get the login settings";
description: "Return the settings for the requested context"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Get the current active identity providers
rpc GetActiveIdentityProviders (GetActiveIdentityProvidersRequest) returns (GetActiveIdentityProvidersResponse) {
option (google.api.http) = {
get: "/v2/settings/login/idps"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get the current active identity providers";
description: "Return the current active identity providers for the requested context"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Get the password complexity settings
rpc GetPasswordComplexitySettings (GetPasswordComplexitySettingsRequest) returns (GetPasswordComplexitySettingsResponse) {
option (google.api.http) = {
get: "/v2/settings/password/complexity"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get the password complexity settings";
description: "Return the password complexity settings for the requested context"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Get the password expiry settings
rpc GetPasswordExpirySettings (GetPasswordExpirySettingsRequest) returns (GetPasswordExpirySettingsResponse) {
option (google.api.http) = {
get: "/v2/settings/password/expiry"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get the password expiry settings";
description: "Return the password expiry settings for the requested context"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Get the current active branding settings
rpc GetBrandingSettings (GetBrandingSettingsRequest) returns (GetBrandingSettingsResponse) {
option (google.api.http) = {
get: "/v2/settings/branding"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get the current active branding settings";
description: "Return the current active branding settings for the requested context"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Get the domain settings
rpc GetDomainSettings (GetDomainSettingsRequest) returns (GetDomainSettingsResponse) {
option (google.api.http) = {
get: "/v2/settings/domain"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get the domain settings";
description: "Return the domain settings for the requested context"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Get the legal and support settings
rpc GetLegalAndSupportSettings (GetLegalAndSupportSettingsRequest) returns (GetLegalAndSupportSettingsResponse) {
option (google.api.http) = {
get: "/v2/settings/legal_support"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get the legal and support settings";
description: "Return the legal settings for the requested context"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Get the lockout settings
rpc GetLockoutSettings (GetLockoutSettingsRequest) returns (GetLockoutSettingsResponse) {
option (google.api.http) = {
get: "/v2/settings/lockout"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get the lockout settings";
description: "Return the lockout settings for the requested context, which define when a user will be locked"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Get the security settings
rpc GetSecuritySettings(GetSecuritySettingsRequest) returns (GetSecuritySettingsResponse) {
option (google.api.http) = {
get: "/v2/settings/security";
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.policy.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Settings";
summary: "Get Security Settings";
description: "Returns the security settings of the ZITADEL instance."
};
}
// Set the security settings
rpc SetSecuritySettings(SetSecuritySettingsRequest) returns (SetSecuritySettingsResponse) {
option (google.api.http) = {
put: "/v2/policies/security";
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.policy.write"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Settings";
summary: "Set Security Settings";
description: "Set the security settings of the ZITADEL instance."
};
}
}
message GetLoginSettingsRequest {
zitadel.object.v2.RequestContext ctx = 1;
}
message GetLoginSettingsResponse {
zitadel.object.v2.Details details = 1;
zitadel.settings.v2.LoginSettings settings = 2;
}
message GetPasswordComplexitySettingsRequest {
zitadel.object.v2.RequestContext ctx = 1;
}
message GetPasswordComplexitySettingsResponse {
zitadel.object.v2.Details details = 1;
zitadel.settings.v2.PasswordComplexitySettings settings = 2;
}
message GetPasswordExpirySettingsRequest {
zitadel.object.v2.RequestContext ctx = 1;
}
message GetPasswordExpirySettingsResponse {
zitadel.object.v2.Details details = 1;
zitadel.settings.v2.PasswordExpirySettings settings = 2;
}
message GetBrandingSettingsRequest {
zitadel.object.v2.RequestContext ctx = 1;
}
message GetBrandingSettingsResponse {
zitadel.object.v2.Details details = 1;
zitadel.settings.v2.BrandingSettings settings = 2;
}
message GetDomainSettingsRequest {
zitadel.object.v2.RequestContext ctx = 1;
}
message GetDomainSettingsResponse {
zitadel.object.v2.Details details = 1;
zitadel.settings.v2.DomainSettings settings = 2;
}
message GetLegalAndSupportSettingsRequest {
zitadel.object.v2.RequestContext ctx = 1;
}
message GetLegalAndSupportSettingsResponse {
zitadel.object.v2.Details details = 1;
zitadel.settings.v2.LegalAndSupportSettings settings = 2;
}
message GetLockoutSettingsRequest {
zitadel.object.v2.RequestContext ctx = 1;
}
message GetLockoutSettingsResponse {
zitadel.object.v2.Details details = 1;
zitadel.settings.v2.LockoutSettings settings = 2;
}
message GetActiveIdentityProvidersRequest {
zitadel.object.v2.RequestContext ctx = 1;
}
message GetActiveIdentityProvidersResponse {
zitadel.object.v2.ListDetails details = 1;
repeated zitadel.settings.v2.IdentityProvider identity_providers = 2;
}
message GetGeneralSettingsRequest {}
message GetGeneralSettingsResponse {
string default_org_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "default organization for the current context"
}
];
string default_language = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "default language for the current context"
example: "\"en\""
}
];
repeated string supported_languages = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"en\", \"de\", \"it\"]"
}
];
}
// This is an empty request
message GetSecuritySettingsRequest{}
message GetSecuritySettingsResponse{
zitadel.object.v2.Details details = 1;
SecuritySettings settings = 2;
}
message SetSecuritySettingsRequest{
EmbeddedIframeSettings embedded_iframe = 1;
bool enable_impersonation = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "allows users to impersonate other users. The impersonator needs the appropriate `*_IMPERSONATOR` roles assigned as well"
}
];
}
message SetSecuritySettingsResponse{
zitadel.object.v2.Details details = 1;
}
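Review bot: `SetSecuritySettings` is mapped to `put: "/v2/policies/security"` while its counterpart `GetSecuritySettings` and every other RPC in `SettingsService` live under `/v2/settings/...`, so the only write endpoint of the service sits on a different resource path than its read endpoint. Unless the path is kept on purpose, change it to `put: "/v2/settings/security"`. The two security RPCs also differ from the rest in permission (`iam.policy.read`/`iam.policy.write` versus `policy.read`) and in omitting the `responses: { key: "200" ... }` block; the permission split is presumably intentional because security settings are instance-level, but a comment on the RPCs saying so would save the next reader the same question.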


@@ -0,0 +1,50 @@
syntax = "proto3";
package zitadel.user.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
enum PasskeyAuthenticator {
PASSKEY_AUTHENTICATOR_UNSPECIFIED = 0;
PASSKEY_AUTHENTICATOR_PLATFORM = 1;
PASSKEY_AUTHENTICATOR_CROSS_PLATFORM = 2;
}
message SendPasskeyRegistrationLink {
optional string url_template = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"https://example.com/passkey/register?userID={{.UserID}}&orgID={{.OrgID}}&codeID={{.CodeID}}&code={{.Code}}\"";
description: "\"Optionally set a url_template, which will be used in the mail sent by ZITADEL to guide the user to your passkey registration page. If no template is set, the default ZITADEL url will be used.\""
}
];
}
message ReturnPasskeyRegistrationCode {}
message PasskeyRegistrationCode {
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"id to the one time code generated by ZITADEL\"";
example: "\"e2a48d6a-362b-4db6-a1fb-34feab84dc62\"";
max_length: 200;
}
];
string code = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "\"one time code generated by ZITADEL\"";
example: "\"SomeSpecialCode\"";
max_length: 200;
}
];
}
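Review bot: The `description` strings in this file are wrapped in escaped quotes — `description: "\"id to the one time code generated by ZITADEL\""` on `PasskeyRegistrationCode.id`, likewise on `code` and on `SendPasskeyRegistrationLink.url_template` — so the generated OpenAPI text is rendered with literal quotation marks; the `\"…\"` convention is for `example`, which must be JSON, not for prose. The same applies to `SendEmailVerificationCode.url_template` in the email file below. `PasskeyRegistrationCode.id` and `code` also declare `(validate.rules).string = {min_len: 1, max_len: 200}` but only `max_length: 200` in the OpenAPI field, while the sibling fields state `min_length: 1;` as well; add it for consistency. Whether the server further restricts the caller-supplied `url_template`, which ends up in mail sent to the end user, is outside this hunk; at the schema level only its length is bounded.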


@@ -0,0 +1,54 @@
syntax = "proto3";
package zitadel.user.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
message SetHumanEmail {
string email = 1 [
(validate.rules).string = {min_len: 1, max_len: 200, email: true},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"mini@mouse.com\"";
}
];
// if no verification is specified, an email is sent with the default url
oneof verification {
SendEmailVerificationCode send_code = 2;
ReturnEmailVerificationCode return_code = 3;
bool is_verified = 4 [(validate.rules).bool.const = true];
}
}
message HumanEmail {
string email = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"mini@mouse.com\"";
}
];
bool is_verified = 2;
}
message SendEmailVerificationCode {
optional string url_template = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"https://example.com/email/verify?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}\"";
description: "\"Optionally set a url_template, which will be used in the verification mail sent by ZITADEL to guide the user to your verification page. If no template is set, the default ZITADEL url will be used.\""
}
];
}
message ReturnEmailVerificationCode {}


@@ -0,0 +1,164 @@
syntax = "proto3";
package zitadel.user.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
import "google/api/field_behavior.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
message LDAPCredentials {
string username = 1[
(validate.rules).string = {min_len: 1, max_len: 200, uri_ref: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Username used to login through LDAP"
min_length: 1;
max_length: 200;
example: "\"username\"";
}
];
string password = 2[
(validate.rules).string = {min_len: 1, max_len: 200, uri_ref: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Password used to login through LDAP"
min_length: 1;
max_length: 200;
example: "\"Password1!\"";
}
];
}
message RedirectURLs {
string success_url = 1 [
(validate.rules).string = {min_len: 1, max_len: 200, uri_ref: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "URL on which the user will be redirected after a successful login"
min_length: 1;
max_length: 200;
example: "\"https://custom.com/login/idp/success\"";
}
];
string failure_url = 2 [
(validate.rules).string = {min_len: 1, max_len: 200, uri_ref: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "URL on which the user will be redirected after a failed login"
min_length: 1;
max_length: 200;
example: "\"https://custom.com/login/idp/fail\"";
}
];
}
message IDPIntent {
string idp_intent_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "ID of the IDP intent"
min_length: 1;
max_length: 200;
example: "\"163840776835432705\"";
}
];
string idp_intent_token = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "token of the IDP intent"
min_length: 1;
max_length: 200;
example: "\"SJKL3ioIDpo342ioqw98fjp3sdf32wahb=\"";
}
];
string user_id = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "ID of the ZITADEL user if external user already linked"
max_length: 200;
example: "\"163840776835432345\"";
}
];
}
message IDPInformation{
oneof access{
IDPOAuthAccessInformation oauth = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "OAuth/OIDC access (and id_token) returned by the identity provider"
}
];
IDPLDAPAccessInformation ldap = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "LDAP entity attributes returned by the identity provider"
}
];
IDPSAMLAccessInformation saml = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "SAMLResponse returned by the identity provider"
}
];
}
string idp_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "ID of the identity provider"
example: "\"d654e6ba-70a3-48ef-a95d-37c8d8a7901a\"";
}
];
string user_id = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "ID of the user of the identity provider"
example: "\"6516849804890468048461403518\"";
}
];
string user_name = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "username of the user of the identity provider"
example: "\"user@external.com\"";
}
];
google.protobuf.Struct raw_information = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "complete information returned by the identity provider"
}
];
}
message IDPOAuthAccessInformation{
string access_token = 1;
optional string id_token = 2;
}
message IDPLDAPAccessInformation{
google.protobuf.Struct attributes = 1;
}
message IDPSAMLAccessInformation{
bytes assertion = 1;
}
message IDPLink {
string idp_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "ID of the identity provider"
min_length: 1;
max_length: 200;
example: "\"d654e6ba-70a3-48ef-a95d-37c8d8a7901a\"";
}
];
string user_id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "ID of the user of the identity provider"
min_length: 1;
max_length: 200;
example: "\"6516849804890468048461403518\"";
}
];
string user_name = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "username of the user of the identity provider"
min_length: 1;
max_length: 200;
example: "\"user@external.com\"";
}
];
}
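Review bot: The `uri_ref: true` rule on `LDAPCredentials.username` and `LDAPCredentials.password` looks copied from `RedirectURLs` and does not belong on credentials: it makes the whole request fail validation for any password that does not parse as a URI reference (depending on the validator implementation, a `%` not followed by two hex digits is enough), while adding nothing a URL check would protect, since the value is never dereferenced. `(validate.rules).string = {min_len: 1, max_len: 200}` is sufficient for both fields. Separately, `IDPIntent.idp_intent_token`, `IDPOAuthAccessInformation.access_token`/`id_token` and `IDPSAMLAccessInformation.assertion` are bearer material, yet the last three messages have no comments at all; a comment like `// Credentials returned by the identity provider; treat as secrets and do not log.` on each would help API consumers handle them correctly.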


@@ -0,0 +1,85 @@
syntax = "proto3";
package zitadel.user.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
message Password {
string password = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"Secr3tP4ssw0rd!\"";
min_length: 1,
max_length: 200;
}
];
bool change_required = 2;
}
message HashedPassword {
string hash = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"$2a$12$lJ08fqVr8bFJilRVnDT9QeULI7YW.nT3iwUv6dyg0aCrfm3UY8XR2\"";
description: "\"Encoded hash of a password in Modular Crypt Format: https://zitadel.com/docs/concepts/architecture/secrets#hashed-secrets\"";
min_length: 1,
max_length: 200;
}
];
bool change_required = 2;
}
message SendPasswordResetLink {
NotificationType notification_type = 1;
optional string url_template = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"https://example.com/password/changey?userID={{.UserID}}&code={{.Code}}&orgID={{.OrgID}}\"";
description: "\"Optionally set a url_template, which will be used in the password reset mail sent by ZITADEL to guide the user to your password change page. If no template is set, the default ZITADEL url will be used.\""
}
];
}
message ReturnPasswordResetCode {}
enum NotificationType {
NOTIFICATION_TYPE_Unspecified = 0;
NOTIFICATION_TYPE_Email = 1;
NOTIFICATION_TYPE_SMS = 2;
}
message SetPassword {
oneof password_type {
Password password = 1;
HashedPassword hashed_password = 2;
}
oneof verification {
string current_password = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Secr3tP4ssw0rd!\"";
}
];
string verification_code = 4 [
(validate.rules).string = {min_len: 1, max_len: 20},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 20;
example: "\"SKJd342k\"";
description: "\"the verification code generated during password reset request\"";
}
];
}
}
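Review bot: The `NotificationType` values `NOTIFICATION_TYPE_Unspecified` and `NOTIFICATION_TYPE_Email` are mixed-case where every other enum in this commit uses `UPPER_SNAKE_CASE` (`TYPE_UNSPECIFIED`, `USER_STATE_ACTIVE`, ...), and the inconsistency is visible to clients because the value name is what JSON carries. Renaming to `NOTIFICATION_TYPE_UNSPECIFIED` and `NOTIFICATION_TYPE_EMAIL` is a source- and JSON-level break once clients exist, so the introduction of the v2 package is the cheapest moment to do it; the numbers can stay as they are. The `verification` oneof in `SetPassword` has no `(validate.required)` option (unlike `SearchQuery.query` in the query file) and no comment saying what happens when neither `current_password` nor `verification_code` is set; whichever behaviour is intended, a comment on the oneof should state it.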


@@ -0,0 +1,40 @@
syntax = "proto3";
package zitadel.user.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
message SetHumanPhone {
string phone = 1 [
(validate.rules).string = {min_len: 0, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"+41791234567\"";
}
];
oneof verification {
SendPhoneVerificationCode send_code = 2;
ReturnPhoneVerificationCode return_code = 3;
bool is_verified = 4 [(validate.rules).bool.const = true];
}
}
message HumanPhone {
string phone = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"+41791234567\"";
}
];
bool is_verified = 2;
}
message SendPhoneVerificationCode {}
message ReturnPhoneVerificationCode {}
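Review bot: Neither `SetHumanPhone.phone` nor `HumanPhone.phone` states the expected number format; the example `+41791234567` suggests E.164, and the validate rule (`min_len: 0, max_len: 200`) constrains length only, so callers cannot tell from the schema what is accepted. If E.164 is what the server expects, `description: "Phone number in E.164 format";` in the openapiv2 block of both fields would document it; otherwise the actual rule should be named there. `min_len: 0` also means an empty string passes validation, which deserves a comment if that is the intended way to clear the number, and a `min_len: 1` if it is not.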


@@ -0,0 +1,268 @@
syntax = "proto3";
package zitadel.user.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/user/v2/user.proto";
import "zitadel/object/v2/object.proto";
message SearchQuery {
oneof query {
option (validate.required) = true;
UserNameQuery user_name_query = 1;
FirstNameQuery first_name_query = 2;
LastNameQuery last_name_query = 3;
NickNameQuery nick_name_query = 4;
DisplayNameQuery display_name_query = 5;
EmailQuery email_query = 6;
StateQuery state_query = 7;
TypeQuery type_query = 8;
LoginNameQuery login_name_query = 9;
InUserIDQuery in_user_ids_query = 10;
OrQuery or_query = 11;
AndQuery and_query = 12;
NotQuery not_query = 13;
InUserEmailsQuery in_user_emails_query = 14;
OrganizationIdQuery organization_id_query = 15;
}
}
// Connect multiple sub-condition with and OR operator.
message OrQuery {
repeated SearchQuery queries = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the sub queries to 'OR'"
}
];
}
// Connect multiple sub-condition with and AND operator.
message AndQuery {
repeated SearchQuery queries = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the sub queries to 'AND'"
}
];
}
// Negate the sub-condition.
message NotQuery {
SearchQuery query = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the sub query to negate (NOT)"
}
];
}
// Query for users with ID in list of IDs.
message InUserIDQuery {
repeated string user_ids = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the ids of the users to include"
example: "[\"69629023906488334\",\"69622366012355662\"]";
}
];
}
// Query for users with a specific user name.
message UserNameQuery {
string user_name = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"gigi-giraffe\"";
}
];
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
}
];
}
// Query for users with a specific first name.
message FirstNameQuery {
string first_name = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Gigi\"";
}
];
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
}
];
}
// Query for users with a specific last name.
message LastNameQuery {
string last_name = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Giraffe\"";
}
];
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
}
];
}
// Query for users with a specific nickname.
message NickNameQuery {
string nick_name = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Gigi\"";
}
];
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
}
];
}
// Query for users with a specific display name.
message DisplayNameQuery {
string display_name = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Gigi Giraffe\"";
}
];
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
}
];
}
// Query for users with a specific email.
message EmailQuery {
string email_address = 1 [
(validate.rules).string = {max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "email address of the user"
max_length: 200;
example: "\"gigi@zitadel.com\"";
}
];
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
}
];
}
// Query for users with a specific state.
message LoginNameQuery {
string login_name = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"gigi@zitadel.cloud\"";
}
];
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
}
];
}
// Query for users with a specific state.
message StateQuery {
UserState state = 1 [
(validate.rules).enum.defined_only = true,
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "current state of the user";
}
];
}
// Query for users with a specific type.
message TypeQuery {
Type type = 1 [
(validate.rules).enum.defined_only = true,
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the type of the user";
}
];
}
// Query for users with email in list of emails.
message InUserEmailsQuery {
repeated string user_emails = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the emails of the users to include"
example: "[\"test@example.com\",\"test@example.org\"]";
}
];
}
// Query for users under a specific organization as resource owner.
message OrganizationIdQuery {
string organization_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"69629023906488334\""
}
];
}
enum Type {
TYPE_UNSPECIFIED = 0;
TYPE_HUMAN = 1;
TYPE_MACHINE = 2;
}
enum UserFieldName {
USER_FIELD_NAME_UNSPECIFIED = 0;
USER_FIELD_NAME_USER_NAME = 1;
USER_FIELD_NAME_FIRST_NAME = 2;
USER_FIELD_NAME_LAST_NAME = 3;
USER_FIELD_NAME_NICK_NAME = 4;
USER_FIELD_NAME_DISPLAY_NAME = 5;
USER_FIELD_NAME_EMAIL = 6;
USER_FIELD_NAME_STATE = 7;
USER_FIELD_NAME_TYPE = 8;
USER_FIELD_NAME_CREATION_DATE = 9;
}
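Review bot: The leading comment on `LoginNameQuery` reads `// Query for users with a specific state.`, copied from `StateQuery`; it should be `// Query for users with a specific login name.`, and the comments on `OrQuery`/`AndQuery` say `with and OR operator` / `with and AND operator` where `an` is meant. These comments end up in the generated API documentation, which is why they are worth fixing before the v2 package ships. Separately, `SearchQuery` recurses through `OrQuery`, `AndQuery` and `NotQuery` with no depth bound, and `InUserIDQuery.user_ids` / `InUserEmailsQuery.user_emails` have no item-count rule, so one request can carry an arbitrarily deep or wide query tree; if the server does not already cap these, a `(validate.rules).repeated = {max_items: <limit>}` rule on the repeated fields and an application-side depth limit would bound the cost of evaluating a single request.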


@@ -0,0 +1,284 @@
syntax = "proto3";
package zitadel.user.v2;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v2;user";
import "google/api/field_behavior.proto";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/object/v2/object.proto";
import "zitadel/user/v2/email.proto";
import "zitadel/user/v2/phone.proto";
enum Gender {
GENDER_UNSPECIFIED = 0;
GENDER_FEMALE = 1;
GENDER_MALE = 2;
GENDER_DIVERSE = 3;
}
message SetHumanProfile {
string given_name = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Minnie\"";
}
];
string family_name = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Mouse\"";
}
];
optional string nick_name = 3 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"Mini\"";
}
];
optional string display_name = 4 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"Minnie Mouse\"";
}
];
optional string preferred_language = 5 [
(validate.rules).string = {max_len: 10},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 10;
example: "\"en\"";
}
];
optional Gender gender = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"GENDER_FEMALE\"";
}
];
}
message HumanProfile {
string given_name = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Minnie\"";
}
];
string family_name = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"Mouse\"";
}
];
optional string nick_name = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"Mini\"";
}
];
optional string display_name = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"Minnie Mouse\"";
}
];
optional string preferred_language = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 10;
example: "\"en\"";
}
];
optional Gender gender = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"GENDER_FEMALE\"";
}
];
string avatar_url = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "avatar URL of the user"
example: "\"https://api.zitadel.ch/assets/v1/avatar-32432jkh4kj32\"";
}
];
}
message SetMetadataEntry {
string key = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"my-key\"";
min_length: 1,
max_length: 200;
}
];
bytes value = 2 [
(validate.rules).bytes = {min_len: 1, max_len: 500000},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "The value has to be base64 encoded.";
example: "\"VGhpcyBpcyBteSB0ZXN0IHZhbHVl\"";
min_length: 1,
max_length: 500000;
}
];
}
message HumanUser {
// Unique identifier of the user.
string user_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"d654e6ba-70a3-48ef-a95d-37c8d8a7901a\"";
}
];
// State of the user, for example active, inactive, locked, deleted, initial.
UserState state = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "current state of the user";
}
];
// Username of the user, which can be globally unique or unique on organization level.
string username = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"minnie-mouse\"";
}
];
// Possible usable login names for the user.
repeated string login_names = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"gigi@zitadel.com\", \"gigi@zitadel.zitadel.ch\"]";
}
];
// Preferred login name of the user.
string preferred_login_name = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"gigi@zitadel.com\"";
}
];
// Profile information of the user.
HumanProfile profile = 6;
// Email of the user, if defined.
HumanEmail email = 7;
// Phone of the user, if defined.
HumanPhone phone = 8;
// User is required to change the used password on the next login.
bool password_change_required = 9;
// The time the user last changed their password.
google.protobuf.Timestamp password_changed = 10;
}
message User {
string user_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"d654e6ba-70a3-48ef-a95d-37c8d8a7901a\"";
}
];
zitadel.object.v2.Details details = 8;
UserState state = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "current state of the user";
}
];
string username = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"minnie-mouse\"";
}
];
repeated string login_names = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"gigi@zitadel.com\", \"gigi@zitadel.zitadel.ch\"]";
}
];
string preferred_login_name = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"gigi@zitadel.com\"";
}
];
oneof type {
HumanUser human = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "one of type use human or machine"
}
];
MachineUser machine = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "one of type use human or machine"
}
];
}
}
message MachineUser {
string name = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"zitadel\"";
}
];
string description = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"The one and only IAM\"";
}
];
bool has_secret = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"true\"";
}
];
AccessTokenType access_token_type = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Type of access token to receive";
}
];
}
enum AccessTokenType {
ACCESS_TOKEN_TYPE_BEARER = 0;
ACCESS_TOKEN_TYPE_JWT = 1;
}
enum UserState {
USER_STATE_UNSPECIFIED = 0;
USER_STATE_ACTIVE = 1;
USER_STATE_INACTIVE = 2;
USER_STATE_DELETED = 3;
USER_STATE_LOCKED = 4;
USER_STATE_INITIAL = 5;
}
message Passkey {
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
AuthFactorState state = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "current state of the passkey";
}
];
string name = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"fido key\""
}
];
}
enum AuthFactorState {
AUTH_FACTOR_STATE_UNSPECIFIED = 0;
AUTH_FACTOR_STATE_NOT_READY = 1;
AUTH_FACTOR_STATE_READY = 2;
AUTH_FACTOR_STATE_REMOVED = 3;
}
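Review bot: `AccessTokenType` has no `_UNSPECIFIED` member and gives the zero value business meaning (`ACCESS_TOKEN_TYPE_BEARER = 0`), so an unset or unknown `access_token_type` on a `MachineUser` is indistinguishable from an explicit bearer choice under proto3 implicit presence. If the v2 package is meant to keep the v2beta wire numbers this cannot change any more and should at least be documented with `// Defaults to BEARER when not set.` on the field; if not, an `ACCESS_TOKEN_TYPE_UNSPECIFIED = 0` value with `BEARER = 1` and `JWT = 2` would align it with `UserState` and `AuthFactorState` in the same file. `User`, `MachineUser` and `Passkey` also lack the per-field comments that `HumanUser` has, and `MachineUser.has_secret` uses a string example (`"\"true\""`) for a bool field where `example: "true";` is the correct form.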



@@ -32,20 +32,20 @@ message LDAPCredentials {
message RedirectURLs {
string success_url = 1 [
(validate.rules).string = {min_len: 1, max_len: 2048, uri_ref: true},
(validate.rules).string = {min_len: 1, max_len: 200, uri_ref: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "URL on which the user will be redirected after a successful login"
min_length: 1;
max_length: 2048;
max_length: 200;
example: "\"https://custom.com/login/idp/success\"";
}
];
string failure_url = 2 [
(validate.rules).string = {min_len: 1, max_len: 2048, uri_ref: true},
(validate.rules).string = {min_len: 1, max_len: 200, uri_ref: true},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "URL on which the user will be redirected after a failed login"
min_length: 1;
max_length: 2048;
max_length: 200;
example: "\"https://custom.com/login/idp/fail\"";
}
];
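Review bot: `max_len`/`max_length` on `RedirectURLs.success_url` and `failure_url` appear here with both 2048 and 200, and the rendered view does not show which side is old; if 200 is the new value, this tightens a limit on a published v2beta field and will reject redirect URLs that were accepted before, and the new v2 `RedirectURLs` earlier in this commit also carries 200. Either way the two packages should end up with the same limit, and 200 characters is tight for a redirect URL that carries query parameters, so 2048 looks like the value to keep in both. `RedirectURLs` continues outside the hunk.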


@@ -111,6 +111,10 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
service UserService {
// Create a new human user
//
// Create/import a new user with the type human. The newly created user will get a verification email if either the email address is not marked as verified and you did not request the verification to be returned.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA)
rpc AddHumanUser (AddHumanUserRequest) returns (AddHumanUserResponse) {
option (google.api.http) = {
post: "/v2beta/users/human"
@@ -128,8 +132,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create a user (Human)";
description: "Create/import a new user with the type human. The newly created user will get a verification email if either the email address is not marked as verified and you did not request the verification to be returned."
deprecated: true;
responses: {
key: "200"
value: {
@@ -139,7 +142,11 @@ service UserService {
};
}
// User by ID
//
// Returns the full user object (human or machine) including the profile, email, etc.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc GetUserByID(GetUserByIDRequest) returns (GetUserByIDResponse) {
option (google.api.http) = {
get: "/v2beta/users/{user_id}"
@@ -155,8 +162,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "User by ID";
description: "Returns the full user object (human or machine) including the profile, email, etc."
deprecated: true;
responses: {
key: "200"
value: {
@@ -166,6 +172,11 @@ service UserService {
};
}
// Search Users
//
// Search for users. By default, we will return users of your organization. Make sure to include a limit and sorting for pagination.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc ListUsers(ListUsersRequest) returns (ListUsersResponse) {
option (google.api.http) = {
post: "/v2beta/users"
@@ -182,8 +193,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Search Users";
description: "Search for users. By default, we will return users of your organization. Make sure to include a limit and sorting for pagination."
deprecated: true;
responses: {
key: "200";
value: {
@@ -204,7 +214,11 @@ service UserService {
};
}
// Change the email of a user
// Change the user email
//
// Change the email address of a user. If the state is set to not verified, a verification code will be generated, which can be either returned or sent to the user by email.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc SetEmail (SetEmailRequest) returns (SetEmailResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/email"
@@ -218,8 +232,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Change the user email";
description: "Change the email address of a user. If the state is set to not verified, a verification code will be generated, which can be either returned or sent to the user by email."
deprecated: true;
responses: {
key: "200"
value: {
@@ -229,8 +242,11 @@ service UserService {
};
}
// Resend code to verify user email
//
// Resend code to verify user email
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc ResendEmailCode (ResendEmailCodeRequest) returns (ResendEmailCodeResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/email/resend"
@@ -244,8 +260,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Resend code to verify user email";
description: "Resend code to verify user email."
deprecated: true;
responses: {
key: "200"
value: {
@@ -255,7 +270,11 @@ service UserService {
};
}
// Verify the email with the provided code
// Verify the email
//
// Verify the email with the generated code.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc VerifyEmail (VerifyEmailRequest) returns (VerifyEmailResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/email/verify"
@@ -269,8 +288,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Verify the email";
description: "Verify the email with the generated code."
deprecated: true;
responses: {
key: "200"
value: {
@@ -280,7 +298,11 @@ service UserService {
};
}
// Change the phone of a user
// Set the user phone
//
// Set the phone number of a user. If the state is set to not verified, a verification code will be generated, which can be either returned or sent to the user by sms.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc SetPhone(SetPhoneRequest) returns (SetPhoneResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/phone"
@@ -294,8 +316,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Set the user phone";
description: "Set the phone number of a user. If the state is set to not verified, a verification code will be generated, which can be either returned or sent to the user by sms."
deprecated: true;
responses: {
key: "200"
value: {
@@ -305,6 +326,11 @@ service UserService {
};
}
// Remove the user phone
//
// Remove the user phone
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc RemovePhone(RemovePhoneRequest) returns (RemovePhoneResponse) {
option (google.api.http) = {
delete: "/v2beta/users/{user_id}/phone"
@@ -318,6 +344,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
summary: "Delete the user phone";
description: "Delete the phone number of a user."
responses: {
@@ -329,6 +356,11 @@ service UserService {
};
}
// Resend code to verify user phone
//
// Resend code to verify user phone
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc ResendPhoneCode (ResendPhoneCodeRequest) returns (ResendPhoneCodeResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/phone/resend"
@@ -342,8 +374,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Resend code to verify user phone";
description: "Resend code to verify user phone."
deprecated: true;
responses: {
key: "200"
value: {
@@ -353,7 +384,11 @@ service UserService {
};
}
// Verify the phone with the provided code
// Verify the phone
//
// Verify the phone with the generated code.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc VerifyPhone (VerifyPhoneRequest) returns (VerifyPhoneResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/phone/verify"
@@ -367,8 +402,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Verify the phone";
description: "Verify the phone with the generated code."
deprecated: true;
responses: {
key: "200"
value: {
@@ -378,6 +412,11 @@ service UserService {
};
}
// Update User
//
// Update all information from a user.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc UpdateHumanUser(UpdateHumanUserRequest) returns (UpdateHumanUserResponse) {
option (google.api.http) = {
put: "/v2beta/users/{user_id}"
@@ -390,8 +429,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Update User";
description: "Update all information from a user."
deprecated: true;
responses: {
key: "200"
value: {
@@ -401,6 +439,11 @@ service UserService {
};
}
// Deactivate user
//
// The state of the user will be changed to 'deactivated'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'deactivated'. Use deactivate user when the user should not be able to use the account anymore, but you still need access to the user data.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc DeactivateUser(DeactivateUserRequest) returns (DeactivateUserResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/deactivate"
@@ -414,8 +457,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Deactivate user";
description: "The state of the user will be changed to 'deactivated'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'deactivated'. Use deactivate user when the user should not be able to use the account anymore, but you still need access to the user data."
deprecated: true;
responses: {
key: "200"
value: {
@@ -425,6 +467,11 @@ service UserService {
};
}
// Reactivate user
//
// Reactivate a user with the state 'deactivated'. The user will be able to log in again afterward. The endpoint returns an error if the user is not in the state 'deactivated'.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc ReactivateUser(ReactivateUserRequest) returns (ReactivateUserResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/reactivate"
@@ -438,8 +485,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Reactivate user";
description: "Reactivate a user with the state 'deactivated'. The user will be able to log in again afterward. The endpoint returns an error if the user is not in the state 'deactivated'."
deprecated: true;
responses: {
key: "200"
value: {
@@ -449,6 +495,11 @@ service UserService {
};
}
// Lock user
//
// The state of the user will be changed to 'locked'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'locked'. Use this endpoint if the user should not be able to log in temporarily because of an event that happened (wrong password, etc.).
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc LockUser(LockUserRequest) returns (LockUserResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/lock"
@@ -462,8 +513,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Lock user";
description: "The state of the user will be changed to 'locked'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'locked'. Use this endpoint if the user should not be able to log in temporarily because of an event that happened (wrong password, etc.)"
deprecated: true;
responses: {
key: "200"
value: {
@@ -473,6 +523,11 @@ service UserService {
};
}
// Unlock user
//
// The state of the user will be changed to 'locked'. The user will not be able to log in anymore. The endpoint returns an error if the user is already in the state 'locked'. Use this endpoint if the user should not be able to log in temporarily because of an event that happened (wrong password, etc.).
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc UnlockUser(UnlockUserRequest) returns (UnlockUserResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/unlock"
@@ -486,8 +541,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Unlock user";
description: "Unlock a user with the state 'locked'. The user will be able to log in again afterward. The endpoint returns an error if the user is not in the state 'locked'."
deprecated: true;
responses: {
key: "200"
value: {
@@ -497,6 +551,11 @@ service UserService {
};
}
// Delete user
//
// The state of the user will be changed to 'deleted'. The user will not be able to log in anymore. Endpoints requesting this user will return an error 'User not found.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc DeleteUser(DeleteUserRequest) returns (DeleteUserResponse) {
option (google.api.http) = {
delete: "/v2beta/users/{user_id}"
@@ -509,8 +568,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Delete user";
description: "The state of the user will be changed to 'deleted'. The user will not be able to log in anymore. Endpoints requesting this user will return an error 'User not found"
deprecated: true;
responses: {
key: "200"
value: {
@@ -520,6 +578,11 @@ service UserService {
};
}
// Start the registration of passkey for a user
//
// Start the registration of a passkey for a user, as a response the public key credential creation options are returned, which are used to verify the passkey.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc RegisterPasskey (RegisterPasskeyRequest) returns (RegisterPasskeyResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/passkeys"
@@ -532,8 +595,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Start the registration of passkey for a user";
description: "Start the registration of a passkey for a user, as a response the public key credential creation options are returned, which are used to verify the passkey."
deprecated: true;
responses: {
key: "200"
value: {
@@ -542,6 +604,12 @@ service UserService {
};
};
}
// Verify a passkey for a user
//
// Verify the passkey registration with the public key credential.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc VerifyPasskeyRegistration (VerifyPasskeyRegistrationRequest) returns (VerifyPasskeyRegistrationResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/passkeys/{passkey_id}"
@@ -554,8 +622,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Verify a passkey for a user";
description: "Verify the passkey registration with the public key credential."
deprecated: true;
responses: {
key: "200"
value: {
@@ -564,6 +631,12 @@ service UserService {
};
};
}
// Create a passkey registration link for a user
//
// Create a passkey registration link which includes a code and either return it or send it to the user.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc CreatePasskeyRegistrationLink (CreatePasskeyRegistrationLinkRequest) returns (CreatePasskeyRegistrationLinkResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/passkeys/registration_link"
@@ -576,8 +649,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Create a passkey registration link for a user";
description: "Create a passkey registration link which includes a code and either return it or send it to the user."
deprecated: true;
responses: {
key: "200"
value: {
@@ -587,6 +659,11 @@ service UserService {
};
}
// Start the registration of a u2f token for a user
//
// Start the registration of a u2f token for a user, as a response the public key credential creation options are returned, which are used to verify the u2f token.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc RegisterU2F (RegisterU2FRequest) returns (RegisterU2FResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/u2f"
@@ -599,8 +676,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Start the registration of a u2f token for a user";
description: "Start the registration of a u2f token for a user, as a response the public key credential creation options are returned, which are used to verify the u2f token."
deprecated: true;
responses: {
key: "200"
value: {
@@ -610,6 +686,11 @@ service UserService {
};
}
// Verify a u2f token for a user
//
// Verify the u2f token registration with the public key credential.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc VerifyU2FRegistration (VerifyU2FRegistrationRequest) returns (VerifyU2FRegistrationResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/u2f/{u2f_id}"
@@ -622,8 +703,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Verify a u2f token for a user";
description: "Verify the u2f token registration with the public key credential."
deprecated: true;
responses: {
key: "200"
value: {
@@ -633,6 +713,11 @@ service UserService {
};
}
// Start the registration of a TOTP generator for a user
//
// Start the registration of a TOTP generator for a user, as a response a secret returned, which is used to initialize a TOTP app or device.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc RegisterTOTP (RegisterTOTPRequest) returns (RegisterTOTPResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/totp"
@@ -645,8 +730,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Start the registration of a TOTP generator for a user";
description: "Start the registration of a TOTP generator for a user, as a response a secret returned, which is used to initialize a TOTP app or device."
deprecated: true;
responses: {
key: "200"
value: {
@@ -656,6 +740,11 @@ service UserService {
};
}
// Verify a TOTP generator for a user
//
// Verify the TOTP registration with a generated code.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc VerifyTOTPRegistration (VerifyTOTPRegistrationRequest) returns (VerifyTOTPRegistrationResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/totp/verify"
@@ -668,8 +757,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Verify a TOTP generator for a user";
description: "Verify the TOTP registration with a generated code."
deprecated: true;
responses: {
key: "200"
value: {
@@ -679,6 +767,11 @@ service UserService {
};
}
// Remove TOTP generator from a user
//
// Remove the configured TOTP generator of a user. As only one TOTP generator per user is allowed, the user will not have TOTP as a second-factor afterward.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc RemoveTOTP (RemoveTOTPRequest) returns (RemoveTOTPResponse) {
option (google.api.http) = {
delete: "/v2beta/users/{user_id}/totp"
@@ -690,8 +783,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Remove TOTP generator from a user";
description: "Remove the configured TOTP generator of a user. As only one TOTP generator per user is allowed, the user will not have TOTP as a second-factor afterward."
deprecated: true;
responses: {
key: "200"
value: {
@@ -701,6 +793,11 @@ service UserService {
};
}
// Add OTP SMS for a user
//
// Add a new One-Time-Password (OTP) SMS factor to the authenticated user. OTP SMS will enable the user to verify a OTP with the latest verified phone number. The phone number has to be verified to add the second factor.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc AddOTPSMS (AddOTPSMSRequest) returns (AddOTPSMSResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/otp_sms"
@@ -713,8 +810,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Add OTP SMS for a user";
description: "Add a new One-Time-Password (OTP) SMS factor to the authenticated user. OTP SMS will enable the user to verify a OTP with the latest verified phone number. The phone number has to be verified to add the second factor."
deprecated: true;
responses: {
key: "200"
value: {
@@ -724,6 +820,11 @@ service UserService {
};
}
// Remove One-Time-Password (OTP) SMS from a user
//
// Remove the configured One-Time-Password (OTP) SMS factor of a user. As only one OTP SMS per user is allowed, the user will not have OTP SMS as a second-factor afterward.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc RemoveOTPSMS (RemoveOTPSMSRequest) returns (RemoveOTPSMSResponse) {
option (google.api.http) = {
delete: "/v2beta/users/{user_id}/otp_sms"
@@ -735,8 +836,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Remove One-Time-Password (OTP) SMS from a user";
description: "Remove the configured One-Time-Password (OTP) SMS factor of a user. As only one OTP SMS per user is allowed, the user will not have OTP SMS as a second-factor afterward."
deprecated: true;
responses: {
key: "200"
value: {
@@ -746,6 +846,11 @@ service UserService {
};
}
// Add OTP Email for a user
//
// Add a new One-Time-Password (OTP) Email factor to the authenticated user. OTP Email will enable the user to verify a OTP with the latest verified email. The email has to be verified to add the second factor.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc AddOTPEmail (AddOTPEmailRequest) returns (AddOTPEmailResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/otp_email"
@@ -758,8 +863,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Add OTP Email for a user";
description: "Add a new One-Time-Password (OTP) Email factor to the authenticated user. OTP Email will enable the user to verify a OTP with the latest verified email. The email has to be verified to add the second factor."
deprecated: true;
responses: {
key: "200"
value: {
@@ -769,6 +873,11 @@ service UserService {
};
}
// Remove One-Time-Password (OTP) Email from a user
//
// Remove the configured One-Time-Password (OTP) Email factor of a user. As only one OTP Email per user is allowed, the user will not have OTP Email as a second-factor afterward.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc RemoveOTPEmail (RemoveOTPEmailRequest) returns (RemoveOTPEmailResponse) {
option (google.api.http) = {
delete: "/v2beta/users/{user_id}/otp_email"
@@ -780,8 +889,7 @@ service UserService {
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Remove One-Time-Password (OTP) Email from a user";
description: "Remove the configured One-Time-Password (OTP) Email factor of a user. As only one OTP Email per user is allowed, the user will not have OTP Email as a second-factor afterward."
deprecated: true;
responses: {
key: "200"
value: {
@@ -791,7 +899,11 @@ service UserService {
};
}
// Start an IDP authentication (for external login, registration or linking)
// Start flow with an identity provider
//
// Start a flow with an identity provider, for external login, registration or linking.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc StartIdentityProviderIntent (StartIdentityProviderIntentRequest) returns (StartIdentityProviderIntentResponse) {
option (google.api.http) = {
post: "/v2beta/idp_intents"
@@ -805,8 +917,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Start flow with an identity provider";
description: "Start a flow with an identity provider, for external login, registration or linking";
deprecated: true;
responses: {
key: "200"
value: {
@@ -816,6 +927,11 @@ service UserService {
};
}
// Retrieve the information returned by the identity provider
//
// Retrieve the information returned by the identity provider for registration or updating an existing user with new information.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc RetrieveIdentityProviderIntent (RetrieveIdentityProviderIntentRequest) returns (RetrieveIdentityProviderIntentResponse) {
option (google.api.http) = {
post: "/v2beta/idp_intents/{idp_intent_id}"
@@ -829,8 +945,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Retrieve the information returned by the identity provider";
description: "Retrieve the information returned by the identity provider for registration or updating an existing user with new information";
deprecated: true;
responses: {
key: "200"
value: {
@@ -840,7 +955,11 @@ service UserService {
};
}
// Link an IDP to an existing user
// Add link to an identity provider to an user
//
// Add link to an identity provider to an user.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc AddIDPLink (AddIDPLinkRequest) returns (AddIDPLinkResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/links"
@@ -854,8 +973,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Add link to an identity provider to an user";
description: "Add link to an identity provider to an user";
deprecated: true;
responses: {
key: "200"
value: {
@@ -865,7 +983,11 @@ service UserService {
};
}
// Request password reset
// Request a code to reset a password
//
// Request a code to reset a password.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc PasswordReset (PasswordResetRequest) returns (PasswordResetResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/password_reset"
@@ -879,8 +1001,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Request a code to reset a password";
description: "Request a code to reset a password";
deprecated: true;
responses: {
key: "200"
value: {
@@ -891,6 +1012,10 @@ service UserService {
}
// Change password
//
// Change the password of a user with either a verification code or the current password.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc SetPassword (SetPasswordRequest) returns (SetPasswordResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/password"
@@ -904,8 +1029,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Change password";
description: "Change the password of a user with either a verification code or the current password.";
deprecated: true;
responses: {
key: "200"
value: {
@@ -916,6 +1040,10 @@ service UserService {
}
// List all possible authentication methods of a user
//
// List all possible authentication methods of a user like password, passwordless, (T)OTP and more.
//
// Deprecated: please move to the corresponding endpoint under user service v2 (GA).
rpc ListAuthenticationMethodTypes (ListAuthenticationMethodTypesRequest) returns (ListAuthenticationMethodTypesResponse) {
option (google.api.http) = {
get: "/v2beta/users/{user_id}/authentication_methods"
@@ -928,8 +1056,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "List all possible authentication methods of a user";
description: "List all possible authentication methods of a user like password, passwordless, (T)OTP and more";
deprecated: true;
responses: {
key: "200"
value: {


@@ -7,7 +7,7 @@ import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/object/v2beta/object.proto";
import "zitadel/object/v2/object.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/user/v3alpha";
@@ -167,7 +167,7 @@ message AuthenticationKey {
example: "\"69629023906488334\"";
}
];
zitadel.object.v2beta.Details details = 2;
zitadel.object.v2.Details details = 2;
// the file type of the key
AuthNKeyType type = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -315,21 +315,21 @@ message ReturnWebAuthNRegistrationCode {}
message RedirectURLs {
// URL to which the user will be redirected after a successful login.
string success_url = 1 [
(validate.rules).string = {min_len: 1, max_len: 2048, uri_ref: true},
(validate.rules).string = {min_len: 1, max_len: 200, uri_ref: true},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 2048;
max_length: 200;
example: "\"https://custom.com/login/idp/success\"";
}
];
// URL to which the user will be redirected after a failed login.
string failure_url = 2 [
(validate.rules).string = {min_len: 1, max_len: 2048, uri_ref: true},
(validate.rules).string = {min_len: 1, max_len: 200, uri_ref: true},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 2048;
max_length: 200;
example: "\"https://custom.com/login/idp/fail\"";
}
];
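Review bot: The `max_len`/`max_length` change on `success_url` and `failure_url` in the `RedirectURLs` hunk alters a validation boundary (between 200 and 2048 characters; the rendered view does not preserve which side is old) and is unrelated to the v2beta-to-v2 rename this commit is about, so it should be named in the commit description and mirrored in the field comments rather than left implicit in the annotations. A tighter limit makes existing clients fail `validate.rules` on redirect URLs with long query strings, a wider one enlarges what the handler accepts, and either way the field comment is the only place generated docs tell callers the limit. I would extend both comments, e.g. `// URL to which the user will be redirected after a successful login. Must be a URI reference of at most <max_len> characters.` The `validate.rules` `max_len` and the openapiv2 `max_length` agree in both versions, which is good; note that `uri_ref: true` only checks syntax, so any scheme or host restriction on these redirect targets presumably lives in the handler and is worth confirming there.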


@@ -8,7 +8,7 @@ import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/user/v3alpha/user.proto";
import "zitadel/object/v2beta/object.proto";
import "zitadel/object/v2/object.proto";
message SearchQuery {
oneof query {
@@ -78,7 +78,7 @@ message UserIDQuery {
}
];
// Defines which text comparison method used for the id query.
zitadel.object.v2beta.TextQueryMethod method = 2 [
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}
@@ -95,7 +95,7 @@ message OrganizationIDQuery {
}
];
// Defines which text comparison method used for the id query.
zitadel.object.v2beta.TextQueryMethod method = 2 [
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}
@@ -112,7 +112,7 @@ message UsernameQuery {
}
];
// Defines which text comparison method used for the username query.
zitadel.object.v2beta.TextQueryMethod method = 2 [
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true
];
// Defines that the username must only be unique in the organisation.
@@ -131,7 +131,7 @@ message EmailQuery {
}
];
// Defines which text comparison method used for the email query.
zitadel.object.v2beta.TextQueryMethod method = 2 [
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}
@@ -148,7 +148,7 @@ message PhoneQuery {
}
];
// Defines which text comparison method used for the phone query.
zitadel.object.v2beta.TextQueryMethod method = 2 [
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}
@@ -189,7 +189,7 @@ message SchemaTypeQuery {
}
];
// Defines which text comparison method used for the type query.
zitadel.object.v2beta.TextQueryMethod method = 2 [
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}


@@ -7,7 +7,7 @@ import "google/protobuf/struct.proto";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/object/v2beta/object.proto";
import "zitadel/object/v2/object.proto";
import "zitadel/user/v3alpha/authenticator.proto";
import "zitadel/user/v3alpha/communication.proto";
@@ -22,7 +22,7 @@ message User {
}
];
// Details provide some base information (such as the last change date) of the user.
zitadel.object.v2beta.Details details = 2;
zitadel.object.v2.Details details = 2;
// The user's authenticators. They are used to identify and authenticate the user
// during the authentication process.
Authenticators authenticators = 3;


@@ -8,7 +8,7 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/object/v2beta/object.proto";
import "zitadel/object/v2/object.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/user/v3alpha/authenticator.proto";
import "zitadel/user/v3alpha/communication.proto";
@@ -573,7 +573,7 @@ service UserService {
// Add, update or reset a user's password with either a verification code or the current password.
rpc SetPassword (SetPasswordRequest) returns (SetPasswordResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/password"
post: "/v2/users/{user_id}/password"
body: "*"
};
@@ -598,7 +598,7 @@ service UserService {
// Request a code to be able to set a new password.
rpc RequestPasswordReset (RequestPasswordResetRequest) returns (RequestPasswordResetResponse) {
option (google.api.http) = {
post: "/v2beta/users/{user_id}/password/reset"
post: "/v2/users/{user_id}/password/reset"
body: "*"
};
@@ -1039,7 +1039,7 @@ service UserService {
message ListUsersRequest {
// list limitations and ordering.
zitadel.object.v2beta.ListQuery query = 1;
zitadel.object.v2.ListQuery query = 1;
// the field the result is sorted.
zitadel.user.v3alpha.FieldName sorting_column = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1052,7 +1052,7 @@ message ListUsersRequest {
message ListUsersResponse {
// Details provides information about the returned result including total amount found.
zitadel.object.v2beta.ListDetails details = 1;
zitadel.object.v2.ListDetails details = 1;
// States by which field the results are sorted.
zitadel.user.v3alpha.FieldName sorting_column = 2;
// The result contains the user schemas, which matched the queries.
@@ -1087,7 +1087,7 @@ message CreateUserRequest {
}
];
// Set the organization the user belongs to.
zitadel.object.v2beta.Organization organization = 2 [
zitadel.object.v2.Organization organization = 2 [
(validate.rules).message = {required: true},
(google.api.field_behavior) = REQUIRED
];
@@ -1115,7 +1115,7 @@ message CreateUserRequest {
message CreateUserResponse {
string user_id = 1;
zitadel.object.v2beta.Details details = 2;
zitadel.object.v2.Details details = 2;
// The email code will be set if a contact email was set with a return_code verification option.
optional string email_code = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1157,7 +1157,7 @@ message UpdateUserRequest {
}
message UpdateUserResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// The email code will be set if a contact email was set with a return_code verification option.
optional string email_code = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1186,7 +1186,7 @@ message DeactivateUserRequest {
}
message DeactivateUserResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
@@ -1204,7 +1204,7 @@ message ReactivateUserRequest {
}
message ReactivateUserResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message LockUserRequest {
@@ -1221,7 +1221,7 @@ message LockUserRequest {
}
message LockUserResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message UnlockUserRequest {
@@ -1238,7 +1238,7 @@ message UnlockUserRequest {
}
message UnlockUserResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message DeleteUserRequest {
@@ -1255,7 +1255,7 @@ message DeleteUserRequest {
}
message DeleteUserResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message SetContactEmailRequest {
@@ -1274,7 +1274,7 @@ message SetContactEmailRequest {
}
message SetContactEmailResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// The verification code will be set if a contact email was set with a return_code verification option.
optional string verification_code = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1307,7 +1307,7 @@ message VerifyContactEmailRequest {
}
message VerifyContactEmailResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message ResendContactEmailCodeRequest {
@@ -1331,7 +1331,7 @@ message ResendContactEmailCodeRequest {
}
message ResendContactEmailCodeResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// in case the verification was set to return_code, the code will be returned.
optional string verification_code = 2;
}
@@ -1352,7 +1352,7 @@ message SetContactPhoneRequest {
}
message SetContactPhoneResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// The phone verification code will be set if a contact phone was set with a return_code verification option.
optional string email_code = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1385,7 +1385,7 @@ message VerifyContactPhoneRequest {
}
message VerifyContactPhoneResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message ResendContactPhoneCodeRequest {
@@ -1409,7 +1409,7 @@ message ResendContactPhoneCodeRequest {
}
message ResendContactPhoneCodeResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// in case the verification was set to return_code, the code will be returned.
optional string verification_code = 2;
}
@@ -1430,7 +1430,7 @@ message AddUsernameRequest {
}
message AddUsernameResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// unique identifier of the username.
string username_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1463,7 +1463,7 @@ message RemoveUsernameRequest {
}
message RemoveUsernameResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message SetPasswordRequest {
@@ -1506,7 +1506,7 @@ message SetPasswordRequest {
}
message SetPasswordResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message RequestPasswordResetRequest {
@@ -1532,7 +1532,7 @@ message RequestPasswordResetRequest {
}
message RequestPasswordResetResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// In case the medium was set to return_code, the code will be returned.
optional string verification_code = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1571,7 +1571,7 @@ message StartWebAuthNRegistrationRequest {
}
message StartWebAuthNRegistrationResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// unique identifier of the WebAuthN registration.
string web_auth_n_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1634,7 +1634,7 @@ message VerifyWebAuthNRegistrationRequest {
}
message VerifyWebAuthNRegistrationResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message CreateWebAuthNRegistrationLinkRequest {
@@ -1658,7 +1658,7 @@ message CreateWebAuthNRegistrationLinkRequest {
}
message CreateWebAuthNRegistrationLinkResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// In case the medium was set to return_code, the code will be returned.
optional AuthenticatorRegistrationCode code = 2;
}
@@ -1687,7 +1687,7 @@ message RemoveWebAuthNAuthenticatorRequest {
}
message RemoveWebAuthNAuthenticatorResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message StartTOTPRegistrationRequest {
@@ -1704,7 +1704,7 @@ message StartTOTPRegistrationRequest {
}
message StartTOTPRegistrationResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// unique identifier of the TOTP registration.
string totp_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1759,7 +1759,7 @@ message VerifyTOTPRegistrationRequest {
}
message VerifyTOTPRegistrationResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message RemoveTOTPAuthenticatorRequest {
@@ -1786,7 +1786,7 @@ message RemoveTOTPAuthenticatorRequest {
}
message RemoveTOTPAuthenticatorResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message AddOTPSMSAuthenticatorRequest {
@@ -1805,7 +1805,7 @@ message AddOTPSMSAuthenticatorRequest {
}
message AddOTPSMSAuthenticatorResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// unique identifier of the OTP SMS registration.
string otp_sms_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1855,7 +1855,7 @@ message VerifyOTPSMSRegistrationRequest {
}
message VerifyOTPSMSRegistrationResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message RemoveOTPSMSAuthenticatorRequest {
@@ -1882,7 +1882,7 @@ message RemoveOTPSMSAuthenticatorRequest {
}
message RemoveOTPSMSAuthenticatorResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message AddOTPEmailAuthenticatorRequest {
@@ -1901,7 +1901,7 @@ message AddOTPEmailAuthenticatorRequest {
}
message AddOTPEmailAuthenticatorResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// unique identifier of the OTP Email registration.
string otp_email_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -1950,7 +1950,7 @@ message VerifyOTPEmailRegistrationRequest {
}
message VerifyOTPEmailRegistrationResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message RemoveOTPEmailAuthenticatorRequest {
@@ -1977,7 +1977,7 @@ message RemoveOTPEmailAuthenticatorRequest {
}
message RemoveOTPEmailAuthenticatorResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message StartIdentityProviderIntentRequest {
@@ -1999,7 +1999,7 @@ message StartIdentityProviderIntentRequest {
}
message StartIdentityProviderIntentResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// the next step to take in the idp intent flow.
oneof next_step {
// The authentication URL to which the client should redirect.
@@ -2040,7 +2040,7 @@ message RetrieveIdentityProviderIntentRequest {
}
message RetrieveIdentityProviderIntentResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
// Information returned by the identity provider (IDP) such as the identification of the user
// and detailed / profile information.
IDPInformation idp_information = 2;
@@ -2067,7 +2067,7 @@ message AddIDPAuthenticatorRequest {
}
message AddIDPAuthenticatorResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}
message RemoveIDPAuthenticatorRequest {
@@ -2094,6 +2094,6 @@ message RemoveIDPAuthenticatorRequest {
}
message RemoveIDPAuthenticatorResponse {
zitadel.object.v2beta.Details details = 1;
zitadel.object.v2.Details details = 1;
}