feat: Instance domains (#3444)

* feat: add domain list * feat: domain tests * feat: add redirect url on adding instance domain * Update internal/command/instance_domain.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * feat: remove unused code * fix Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-02-28 23:17:23 +00:00 · 2022-04-14 14:19:18 +02:00 · 2022-04-14 14:19:18 +02:00 · c25d853820
commit c25d853820
parent 820a21dce3
29 changed files with 858 additions and 145 deletions
--- a/docs/docs/apis/proto/admin.md
+++ b/docs/docs/apis/proto/admin.md
@ -56,6 +56,18 @@ Set the default language
    GET: /languages/default
 ### ListInstanceDomains
 > **rpc** ListInstanceDomains([ListInstanceDomainsRequest](#listinstancedomainsrequest))
 [ListInstanceDomainsResponse](#listinstancedomainsresponse)
 Returns the domains of an instance
    GET: /domains
 ### ListSecretGenerators
 > **rpc** ListSecretGenerators([ListSecretGeneratorsRequest](#listsecretgeneratorsrequest))
@ -2629,6 +2641,32 @@ This is an empty request
 ### ListInstanceDomainsRequest
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | query |  zitadel.v1.ListQuery | - |  |
 | sorting_column |  zitadel.instance.v1.DomainFieldName | the field the result is sorted |  |
 | queries | repeated zitadel.instance.v1.DomainSearchQuery | criterias the client is looking for |  |
 ### ListInstanceDomainsResponse
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | details |  zitadel.v1.ListDetails | - |  |
 | sorting_column |  zitadel.instance.v1.DomainFieldName | - |  |
 | result | repeated zitadel.instance.v1.Domain | - |  |
 ### ListLoginPolicyIDPsRequest
--- a/docs/docs/apis/proto/instance.md
+++ b/docs/docs/apis/proto/instance.md
@ -9,14 +9,63 @@ title: zitadel/instance.proto
 ## Messages
-### DomainsQuery
+### Domain
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
-| domains | repeated string | - | string.max_len: 200<br />  |
+| details |  zitadel.v1.ObjectDetails | - |  |
-| method |  zitadel.v1.ListQueryMethod | - | enum.defined_only: true<br />  |
+| domain |  string | - |  |
 | primary |  bool | - |  |
 | generated |  bool | - |  |
 ### DomainGeneratedQuery
 DomainGeneratedQuery is always equals
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | generated |  bool | - |  |
 ### DomainPrimaryQuery
 DomainPrimaryQuery is always equals
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | primary |  bool | - |  |
 ### DomainQuery
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | domain |  string | - | string.max_len: 200<br />  |
 | method |  zitadel.v1.TextQueryMethod | - | enum.defined_only: true<br />  |
 ### DomainSearchQuery
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) query.domain_query |  DomainQuery | - |  |
 | [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) query.generated_query |  DomainGeneratedQuery | - |  |
 | [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) query.primary_query |  DomainPrimaryQuery | - |  |
@ -41,8 +90,6 @@ IdQuery is always equals
 | id |  string | - |  |
 | details |  zitadel.v1.ObjectDetails | - |  |
 | state |  State | - |  |
 | generated_domain |  string | - |  |
 | custom_domains | repeated string | - |  |
 | name |  string | - |  |
 | version |  string | - |  |
@ -56,7 +103,6 @@ IdQuery is always equals
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) query.id_query |  IdQuery | - |  |
 | [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) query.domains_query |  DomainsQuery | - |  |
 | [**oneof**](https://developers.google.com/protocol-buffers/docs/proto3#oneof) query.state_query |  StateQuery | - |  |
@ -78,6 +124,20 @@ StateQuery is always equals
 ## Enums
 ### DomainFieldName {#domainfieldname}
 | Name | Number | Description |
 | ---- | ------ | ----------- |
 | DOMAIN_FIELD_NAME_UNSPECIFIED | 0 | - |
 | DOMAIN_FIELD_NAME_DOMAIN | 1 | - |
 | DOMAIN_FIELD_NAME_PRIMARY | 2 | - |
 | DOMAIN_FIELD_NAME_GENERATED | 3 | - |
 | DOMAIN_FIELD_NAME_CREATION_DATE | 4 | - |
 ### FieldName {#fieldname}
@ -85,9 +145,8 @@ StateQuery is always equals
 | ---- | ------ | ----------- |
 | FIELD_NAME_UNSPECIFIED | 0 | - |
 | FIELD_NAME_ID | 1 | - |
-| FIELD_NAME_GENERATED_DOMAIN | 2 | - |
+| FIELD_NAME_NAME | 2 | - |
-| FIELD_NAME_NAME | 3 | - |
+| FIELD_NAME_CREATION_DATE | 3 | - |
 | FIELD_NAME_CREATION_DATE | 4 | - |
--- a/docs/docs/apis/proto/system.md
+++ b/docs/docs/apis/proto/system.md
@ -82,40 +82,52 @@ Returns the usage metrics of an instance
    GET: /instances/{id}/usage
-### GetGeneratedDomain
+### ListDomains
-> **rpc** GetGeneratedDomain([GetGeneratedDomainRequest](#getgenerateddomainrequest))
+> **rpc** ListDomains([ListDomainsRequest](#listdomainsrequest))
-[GetGeneratedDomainResponse](#getgenerateddomainresponse)
+[ListDomainsResponse](#listdomainsresponse)
 Returns the domain of an instance
    GET: /instances/{id}/domains/generated
 ### GetCustomDomains
 > **rpc** GetCustomDomains([GetCustomDomainsRequest](#getcustomdomainsrequest))
 [GetCustomDomainsResponse](#getcustomdomainsresponse)
 Returns the custom domains of an instance
-    GET: /instances/{id}/domains/custom
+    GET: /instances/{id}/domains
-### AddCustomDomain
+### AddDomain
-> **rpc** AddCustomDomain([AddCustomDomainRequest](#addcustomdomainrequest))
+> **rpc** AddDomain([AddDomainRequest](#adddomainrequest))
-[AddCustomDomainResponse](#addcustomdomainresponse)
+[AddDomainResponse](#adddomainresponse)
 Returns the domain of an instance
-    POST: /instances/{id}/domains/custom
+    POST: /instances/{id}/domains
 ### RemoveDomain
 > **rpc** RemoveDomain([RemoveDomainRequest](#removedomainrequest))
 [RemoveDomainResponse](#removedomainresponse)
 Returns the domain of an instance
    DELETE: /instances/{id}/domains/{domain}
 ### SetPrimaryDomain
 > **rpc** SetPrimaryDomain([SetPrimaryDomainRequest](#setprimarydomainrequest))
 [SetPrimaryDomainResponse](#setprimarydomainresponse)
 Returns the domain of an instance
    POST: /instances/{id}/domains/_set_primary
 ### ListViews
@ -185,19 +197,19 @@ failed event. You can find out if it worked on the `failure_count`
 ## Messages
-### AddCustomDomainRequest
+### AddDomainRequest
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | id |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
-| custom_domain |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
+| domain |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
-### AddCustomDomainResponse
+### AddDomainResponse
@ -297,52 +309,6 @@ This is an empty response
 ### GetCustomDomainsRequest
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | id |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
 ### GetCustomDomainsResponse
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | details |  zitadel.v1.ObjectDetails | - |  |
 | domains | repeated string | - |  |
 ### GetGeneratedDomainRequest
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | id |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
 ### GetGeneratedDomainResponse
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | details |  zitadel.v1.ObjectDetails | - |  |
 | domain |  string | - |  |
 ### GetInstanceRequest
@ -401,6 +367,33 @@ This is an empty response
 ### ListDomainsRequest
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | id |  string | list limitations and ordering | string.min_len: 1<br /> string.max_len: 200<br />  |
 | query |  zitadel.v1.ListQuery | - |  |
 | sorting_column |  zitadel.instance.v1.DomainFieldName | the field the result is sorted |  |
 | queries | repeated zitadel.instance.v1.DomainSearchQuery | criterias the client is looking for |  |
 ### ListDomainsResponse
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | details |  zitadel.v1.ListDetails | - |  |
 | sorting_column |  zitadel.instance.v1.DomainFieldName | - |  |
 | result | repeated zitadel.instance.v1.Domain | - |  |
 ### ListFailedEventsRequest
 This is an empty request
@ -461,6 +454,29 @@ This is an empty request
 ### RemoveDomainRequest
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | id |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
 | domain |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
 ### RemoveDomainResponse
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | details |  zitadel.v1.ObjectDetails | - |  |
 ### RemoveFailedEventRequest
@ -502,6 +518,29 @@ This is an empty response
 ### SetPrimaryDomainRequest
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | id |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
 | domain |  string | - | string.min_len: 1<br /> string.max_len: 200<br />  |
 ### SetPrimaryDomainResponse
 | Field | Type | Description | Validation |
 | ----- | ---- | ----------- | ----------- |
 | details |  zitadel.v1.ObjectDetails | - |  |
 ### View
--- a/internal/api/authz/instance.go
+++ b/internal/api/authz/instance.go
@ -12,6 +12,7 @@ type Instance interface {
 	InstanceID() string
 	ProjectID() string
 	ConsoleClientID() string
 	ConsoleApplicationID() string
 	RequestedDomain() string
 }
@ -36,6 +37,10 @@ func (i *instance) ConsoleClientID() string {
 	return ""
 }
 func (i *instance) ConsoleApplicationID() string {
 	return ""
 }
 func (i *instance) RequestedDomain() string {
 	return i.Domain
 }
--- a/internal/api/authz/instance_test.go
+++ b/internal/api/authz/instance_test.go
@ -79,6 +79,10 @@ func (m *mockInstance) ConsoleClientID() string {
 	return "consoleID"
 }
 func (m *mockInstance) ConsoleApplicationID() string {
 	return "appID"
 }
 func (m *mockInstance) RequestedDomain() string {
 	return "zitadel.cloud"
 }
--- a/internal/api/grpc/admin/instance.go
+++ b/internal/api/grpc/admin/instance.go
@ -0,0 +1,29 @@
 package admin
 import (
 	"context"
 	instance_grpc "github.com/caos/zitadel/internal/api/grpc/instance"
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 )
 func (s *Server) GetInstanceDomains(ctx context.Context, req *admin_pb.ListInstanceDomainsRequest) (*admin_pb.ListInstanceDomainsResponse, error) {
 	queries, err := ListInstanceDomainsRequestToModel(req)
 	if err != nil {
 		return nil, err
 	}
 	domains, err := s.query.SearchInstanceDomains(ctx, queries)
 	if err != nil {
 		return nil, err
 	}
 	return &admin_pb.ListInstanceDomainsResponse{
 		Result: instance_grpc.DomainsToPb(domains.Domains),
 		Details: object.ToListDetails(
 			domains.Count,
 			domains.Sequence,
 			domains.Timestamp,
 		),
 	}, nil
 }
--- a/internal/api/grpc/admin/instance_converter.go
+++ b/internal/api/grpc/admin/instance_converter.go
@ -0,0 +1,25 @@
 package admin
 import (
 	instance_grpc "github.com/caos/zitadel/internal/api/grpc/instance"
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/query"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 )
 func ListInstanceDomainsRequestToModel(req *admin_pb.ListInstanceDomainsRequest) (*query.InstanceDomainSearchQueries, error) {
 	offset, limit, asc := object.ListQueryToModel(req.Query)
 	queries, err := instance_grpc.DomainQueriesToModel(req.Queries)
 	if err != nil {
 		return nil, err
 	}
 	return &query.InstanceDomainSearchQueries{
 		SearchRequest: query.SearchRequest{
 			Offset: offset,
 			Limit:  limit,
 			Asc:    asc,
 		},
 		//SortingColumn: //TODO: sorting
 		Queries: queries,
 	}, nil
 }
--- a/internal/api/grpc/instance/converter.go
+++ b/internal/api/grpc/instance/converter.go
@ -0,0 +1,54 @@
 package org
 import (
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/query"
 	instance_pb "github.com/caos/zitadel/pkg/grpc/instance"
 )
 func DomainQueriesToModel(queries []*instance_pb.DomainSearchQuery) (_ []query.SearchQuery, err error) {
 	q := make([]query.SearchQuery, len(queries))
 	for i, query := range queries {
 		q[i], err = DomainQueryToModel(query)
 		if err != nil {
 			return nil, err
 		}
 	}
 	return q, nil
 }
 func DomainQueryToModel(searchQuery *instance_pb.DomainSearchQuery) (query.SearchQuery, error) {
 	switch q := searchQuery.Query.(type) {
 	case *instance_pb.DomainSearchQuery_DomainQuery:
 		return query.NewInstanceDomainDomainSearchQuery(object.TextMethodToQuery(q.DomainQuery.Method), q.DomainQuery.Domain)
 	case *instance_pb.DomainSearchQuery_GeneratedQuery:
 		return query.NewInstanceDomainGeneratedSearchQuery(q.GeneratedQuery.Generated)
 	case *instance_pb.DomainSearchQuery_PrimaryQuery:
 		return query.NewInstanceDomainPrimarySearchQuery(q.PrimaryQuery.Primary)
 	default:
 		return nil, errors.ThrowInvalidArgument(nil, "ORG-Ags42", "List.Query.Invalid")
 	}
 }
 func DomainsToPb(domains []*query.InstanceDomain) []*instance_pb.Domain {
 	d := make([]*instance_pb.Domain, len(domains))
 	for i, domain := range domains {
 		d[i] = DomainToPb(domain)
 	}
 	return d
 }
 func DomainToPb(d *query.InstanceDomain) *instance_pb.Domain {
 	return &instance_pb.Domain{
 		Domain:    d.Domain,
 		Primary:   d.IsPrimary,
 		Generated: d.IsGenerated,
 		Details: object.ToViewDetailsPb(
 			d.Sequence,
 			d.CreationDate,
 			d.ChangeDate,
 			d.InstanceID,
 		),
 	}
 }
--- a/internal/api/grpc/server/middleware/instance_interceptor_test.go
+++ b/internal/api/grpc/server/middleware/instance_interceptor_test.go
@ -173,6 +173,10 @@ func (m *mockInstance) ConsoleClientID() string {
 	return "consoleClientID"
 }
 func (m *mockInstance) ConsoleApplicationID() string {
 	return "consoleApplicationID"
 }
 func (m *mockInstance) RequestedDomain() string {
 	return "localhost"
 }
--- a/internal/api/http/middleware/instance_interceptor_test.go
+++ b/internal/api/http/middleware/instance_interceptor_test.go
@ -257,6 +257,10 @@ func (m *mockInstance) ConsoleClientID() string {
 	return "consoleClientID"
 }
 func (m *mockInstance) ConsoleApplicationID() string {
 	return "consoleApplicationID"
 }
 func (m *mockInstance) RequestedDomain() string {
 	return "zitadel.cloud"
 }
--- a/internal/command/instance.go
+++ b/internal/command/instance.go
@ -356,7 +356,7 @@ func (c *commandNew) SetUpInstance(ctx context.Context, setup *InstanceSetup) (*
 		),
 		AddOIDCAppCommand(console, nil),
-		SetIAMConsoleID(instanceAgg, &console.ClientID),
+		SetIAMConsoleID(instanceAgg, &console.ClientID, &setup.Zitadel.consoleAppID),
 	)
 	cmds, err := preparation.PrepareCommands(ctx, c.es.Filter, validations...)
@ -387,11 +387,11 @@ func SetIAMProject(a *instance.Aggregate, projectID string) preparation.Validati
 }
 //SetIAMConsoleID defines the command to set the clientID of the Console App onto the instance
-func SetIAMConsoleID(a *instance.Aggregate, clientID *string) preparation.Validation {
+func SetIAMConsoleID(a *instance.Aggregate, clientID, appID *string) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 			return []eventstore.Command{
-				instance.NewIAMConsoleSetEvent(ctx, &a.Aggregate, clientID),
+				instance.NewIAMConsoleSetEvent(ctx, &a.Aggregate, clientID, appID),
 			}, nil
 		}, nil
 	}
--- a/internal/command/instance_domain.go
+++ b/internal/command/instance_domain.go
@ -10,6 +10,7 @@ import (
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/repository/instance"
 	"github.com/caos/zitadel/internal/repository/project"
 )
 func (c *Commands) AddInstanceDomain(ctx context.Context, instanceDomain string) (*domain.ObjectDetails, error) {
@ -30,6 +31,24 @@ func (c *Commands) AddInstanceDomain(ctx context.Context, instanceDomain string)
 	}, nil
 }
 func (c *Commands) SetPrimaryInstanceDomain(ctx context.Context, instanceDomain string) (*domain.ObjectDetails, error) {
 	instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
 	validation := c.setPrimaryInstanceDomain(instanceAgg, instanceDomain)
 	cmds, err := preparation.PrepareCommands(ctx, c.eventstore.Filter, validation)
 	if err != nil {
 		return nil, err
 	}
 	events, err := c.eventstore.Push(ctx, cmds...)
 	if err != nil {
 		return nil, err
 	}
 	return &domain.ObjectDetails{
 		Sequence:      events[len(events)-1].Sequence(),
 		EventDate:     events[len(events)-1].CreationDate(),
 		ResourceOwner: events[len(events)-1].Aggregate().InstanceID,
 	}, nil
 }
 func (c *Commands) RemoveInstanceDomain(ctx context.Context, instanceDomain string) (*domain.ObjectDetails, error) {
 	instanceAgg := instance.NewAggregate(authz.GetInstance(ctx).InstanceID())
 	validation := c.removeInstanceDomain(instanceAgg, instanceDomain)
@ -61,7 +80,46 @@ func (c *Commands) addInstanceDomain(a *instance.Aggregate, instanceDomain strin
 			if domainWriteModel.State == domain.InstanceDomainStateActive {
 				return nil, errors.ThrowAlreadyExists(nil, "INST-i2nl", "Errors.Instance.Domain.AlreadyExists")
 			}
-			return []eventstore.Command{instance.NewDomainAddedEvent(ctx, &a.Aggregate, instanceDomain, generated)}, nil
+			appWriteModel, err := c.getOIDCAppWriteModel(ctx, authz.GetInstance(ctx).ProjectID(), authz.GetInstance(ctx).ConsoleApplicationID(), "")
 			if err != nil {
 				return nil, err
 			}
 			redirectUrls := append(appWriteModel.RedirectUris, instanceDomain+consoleRedirectPath)
 			logoutUrls := append(appWriteModel.PostLogoutRedirectUris, instanceDomain+consolePostLogoutPath)
 			consoleChangeEvent, err := project.NewOIDCConfigChangedEvent(
 				ctx,
 				ProjectAggregateFromWriteModel(&appWriteModel.WriteModel),
 				appWriteModel.AppID,
 				[]project.OIDCConfigChanges{
 					project.ChangeRedirectURIs(redirectUrls),
 					project.ChangePostLogoutRedirectURIs(logoutUrls),
 				},
 			)
 			if err != nil {
 				return nil, err
 			}
 			return []eventstore.Command{
 				instance.NewDomainAddedEvent(ctx, &a.Aggregate, instanceDomain, generated),
 				consoleChangeEvent,
 			}, nil
 		}, nil
 	}
 }
 func (c *Commands) setPrimaryInstanceDomain(a *instance.Aggregate, instanceDomain string) preparation.Validation {
 	return func() (preparation.CreateCommands, error) {
 		if instanceDomain = strings.TrimSpace(instanceDomain); instanceDomain == "" {
 			return nil, errors.ThrowInvalidArgument(nil, "INST-9mWjf", "Errors.Invalid.Argument")
 		}
 		return func(ctx context.Context, filter preparation.FilterToQueryReducer) ([]eventstore.Command, error) {
 			domainWriteModel, err := c.getInstanceDomainWriteModel(ctx, instanceDomain)
 			if err != nil {
 				return nil, err
 			}
 			if !domainWriteModel.State.Exists() {
 				return nil, errors.ThrowNotFound(nil, "INSTANCE-9nkWf", "Errors.Instance.Domain.NotFound")
 			}
 			return []eventstore.Command{instance.NewDomainPrimarySetEvent(ctx, &a.Aggregate, instanceDomain)}, nil
 		}, nil
 	}
 }
--- a/internal/command/instance_domain_test.go
+++ b/internal/command/instance_domain_test.go
@ -3,8 +3,11 @@ package command
 import (
 	"context"
 	"testing"
 	"time"
 	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/repository/project"
 	"github.com/stretchr/testify/assert"
 	"github.com/caos/zitadel/internal/domain"
@ -77,6 +80,43 @@ func TestCommandSide_AddInstanceDomain(t *testing.T) {
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(),
 					expectFilter(
 						eventFromEventPusherWithInstanceID(
 							"INSTANCE",
 							project.NewApplicationAddedEvent(context.Background(),
 								&project.NewAggregate("project1", "org1").Aggregate,
 								"consoleApplicationID",
 								"app",
 							),
 						),
 						eventFromEventPusherWithInstanceID(
 							"INSTANCE",
 							project.NewOIDCConfigAddedEvent(context.Background(),
 								&project.NewAggregate("projectID", "org1").Aggregate,
 								domain.OIDCVersionV1,
 								"consoleApplicationID",
 								"client1@project",
 								&crypto.CryptoValue{
 									CryptoType: crypto.TypeEncryption,
 									Algorithm:  "enc",
 									KeyID:      "id",
 									Crypted:    []byte("a"),
 								},
 								[]string{"https://test.ch"},
 								[]domain.OIDCResponseType{domain.OIDCResponseTypeCode},
 								[]domain.OIDCGrantType{domain.OIDCGrantTypeAuthorizationCode},
 								domain.OIDCApplicationTypeWeb,
 								domain.OIDCAuthMethodTypePost,
 								[]string{"https://test.ch/logout"},
 								true,
 								domain.OIDCTokenTypeBearer,
 								true,
 								true,
 								true,
 								time.Second*1,
 								[]string{"https://sub.test.ch"}),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusherWithInstanceID(
@ -86,11 +126,121 @@ func TestCommandSide_AddInstanceDomain(t *testing.T) {
 									"domain.ch",
 									false,
 								)),
 							eventFromEventPusherWithInstanceID(
 								"INSTANCE",
 								newOIDCAppChangedEventInstanceDomain(context.Background(), "consoleApplicationID", "projectID", "org1"),
 							),
 						},
 						uniqueConstraintsFromEventConstraintWithInstanceID("INSTANCE", instance.NewAddInstanceDomainUniqueConstraint("domain.ch")),
 					),
 				),
 			},
 			args: args{
 				ctx:    authz.WithInstance(context.Background(), new(mockInstance)),
 				domain: "domain.ch",
 			},
 			res: res{
 				want: &domain.ObjectDetails{
 					ResourceOwner: "INSTANCE",
 				},
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			r := &Commands{
 				eventstore: tt.fields.eventstore,
 			}
 			got, err := r.AddInstanceDomain(tt.args.ctx, tt.args.domain)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
 			if tt.res.err != nil && !tt.res.err(err) {
 				t.Errorf("got wrong err: %v ", err)
 			}
 			if tt.res.err == nil {
 				assert.Equal(t, tt.res.want, got)
 			}
 		})
 	}
 }
 func TestCommandSide_SetPrimaryInstanceDomain(t *testing.T) {
 	type fields struct {
 		eventstore *eventstore.Eventstore
 	}
 	type args struct {
 		ctx    context.Context
 		domain string
 	}
 	type res struct {
 		want *domain.ObjectDetails
 		err  func(error) bool
 	}
 	tests := []struct {
 		name   string
 		fields fields
 		args   args
 		res    res
 	}{
 		{
 			name: "invalid domain, error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 				),
 			},
 			args: args{
 				ctx:    context.Background(),
 				domain: "",
 			},
 			res: res{
 				err: caos_errs.IsErrorInvalidArgument,
 			},
 		},
 		{
 			name: "domain not exists, precondition error",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(),
 				),
 			},
 			args: args{
 				ctx:    context.Background(),
 				domain: "domain.ch",
 			},
 			res: res{
 				err: caos_errs.IsNotFound,
 			},
 		},
 		{
 			name: "set primary domain, ok",
 			fields: fields{
 				eventstore: eventstoreExpect(
 					t,
 					expectFilter(
 						eventFromEventPusherWithInstanceID(
 							"INSTANCE",
 							instance.NewDomainAddedEvent(context.Background(),
 								&instance.NewAggregate("INSTANCE").Aggregate,
 								"domain.ch",
 								false,
 							),
 						),
 					),
 					expectPush(
 						[]*repository.Event{
 							eventFromEventPusherWithInstanceID(
 								"INSTANCE",
 								instance.NewDomainPrimarySetEvent(context.Background(),
 									&instance.NewAggregate("INSTANCE").Aggregate,
 									"domain.ch",
 								)),
 						},
 					),
 				),
 			},
 			args: args{
 				ctx:    authz.WithInstanceID(context.Background(), "INSTANCE"),
 				domain: "domain.ch",
@ -107,7 +257,7 @@ func TestCommandSide_AddInstanceDomain(t *testing.T) {
 			r := &Commands{
 				eventstore: tt.fields.eventstore,
 			}
-			got, err := r.AddInstanceDomain(tt.args.ctx, tt.args.domain)
+			got, err := r.SetPrimaryInstanceDomain(tt.args.ctx, tt.args.domain)
 			if tt.res.err == nil {
 				assert.NoError(t, err)
 			}
@ -251,3 +401,16 @@ func TestCommandSide_RemoveInstanceDomain(t *testing.T) {
 		})
 	}
 }
 func newOIDCAppChangedEventInstanceDomain(ctx context.Context, appID, projectID, resourceOwner string) *project.OIDCConfigChangedEvent {
 	changes := []project.OIDCConfigChanges{
 		project.ChangeRedirectURIs([]string{"https://test.ch", "domain.ch/ui/console/auth/callback"}),
 		project.ChangePostLogoutRedirectURIs([]string{"https://test.ch/logout", "domain.ch/ui/console/signedout"}),
 	}
 	event, _ := project.NewOIDCConfigChangedEvent(ctx,
 		&project.NewAggregate(projectID, resourceOwner).Aggregate,
 		appID,
 		changes,
 	)
 	return event
 }
--- a/internal/command/main_test.go
+++ b/internal/command/main_test.go
@ -256,3 +256,25 @@ func (v *testVerifier) CheckOrgFeatures(ctx context.Context, orgID string, requi
 	}
 	return nil
 }
 type mockInstance struct{}
 func (m *mockInstance) InstanceID() string {
 	return "INSTANCE"
 }
 func (m *mockInstance) ProjectID() string {
 	return "projectID"
 }
 func (m *mockInstance) ConsoleClientID() string {
 	return "consoleID"
 }
 func (m *mockInstance) ConsoleApplicationID() string {
 	return "consoleApplicationID"
 }
 func (m *mockInstance) RequestedDomain() string {
 	return "zitadel.cloud"
 }
--- a/internal/command/project_application_oidc.go
+++ b/internal/command/project_application_oidc.go
@ -309,7 +309,7 @@ func (c *Commands) VerifyOIDCClientSecret(ctx context.Context, projectID, appID,
 		return err
 	}
 	_, err = c.eventstore.Push(ctx, project_repo.NewOIDCConfigSecretCheckFailedEvent(ctx, projectAgg, app.AppID))
-	logging.Log("COMMAND-ADfhz").OnError(err).Error("could not push event OIDCClientSecretCheckFailed")
+	logging.New().OnError(err).Error("could not push event OIDCClientSecretCheckFailed")
 	return caos_errs.ThrowInvalidArgument(nil, "COMMAND-Bz542", "Errors.Project.App.ClientSecretInvalid")
 }
--- a/internal/domain/instance_domain.go
+++ b/internal/domain/instance_domain.go
@ -18,6 +18,10 @@ func (f InstanceDomainState) Valid() bool {
 	return f >= 0 && f < instanceDomainStateCount
 }
 func (f InstanceDomainState) Exists() bool {
 	return f == InstanceDomainStateActive
 }
 func NewGeneratedInstanceDomain(instanceName, iamDomain string) string {
 	return strings.ToLower(strings.ReplaceAll(instanceName, " ", "-") + "." + iamDomain)
 }
--- a/internal/query/instance.go
+++ b/internal/query/instance.go
@ -43,6 +43,10 @@ var (
 		name:  projection.InstanceColumnConsoleID,
 		table: instanceTable,
 	}
 	InstanceColumnConsoleAppID = Column{
 		name:  projection.InstanceColumnConsoleAppID,
 		table: instanceTable,
 	}
 	InstanceColumnSetupStarted = Column{
 		name:  projection.InstanceColumnSetUpStarted,
 		table: instanceTable,
@ -65,6 +69,7 @@ type Instance struct {
 	GlobalOrgID     string
 	IAMProjectID    string
 	ConsoleID       string
 	ConsoleAppID    string
 	DefaultLanguage language.Tag
 	SetupStarted    domain.Step
 	SetupDone       domain.Step
@ -83,6 +88,10 @@ func (i *Instance) ConsoleClientID() string {
 	return i.ConsoleID
 }
 func (i *Instance) ConsoleApplicationID() string {
 	return i.ConsoleAppID
 }
 func (i *Instance) RequestedDomain() string {
 	return i.Host
 }
@ -142,6 +151,7 @@ func prepareInstanceQuery(host string) (sq.SelectBuilder, func(*sql.Row) (*Insta
 			InstanceColumnGlobalOrgID.identifier(),
 			InstanceColumnProjectID.identifier(),
 			InstanceColumnConsoleID.identifier(),
 			InstanceColumnConsoleAppID.identifier(),
 			InstanceColumnSetupStarted.identifier(),
 			InstanceColumnSetupDone.identifier(),
 			InstanceColumnDefaultLanguage.identifier(),
@ -157,6 +167,7 @@ func prepareInstanceQuery(host string) (sq.SelectBuilder, func(*sql.Row) (*Insta
 				&instance.GlobalOrgID,
 				&instance.IAMProjectID,
 				&instance.ConsoleID,
 				&instance.ConsoleAppID,
 				&instance.SetupStarted,
 				&instance.SetupDone,
 				&lang,
--- a/internal/query/instance_domain.go
+++ b/internal/query/instance_domain.go
@ -19,6 +19,7 @@ type InstanceDomain struct {
 	Domain       string
 	InstanceID   string
 	IsGenerated  bool
 	IsPrimary    bool
 }
 type InstanceDomains struct {
@ -47,8 +48,12 @@ func NewInstanceDomainInstanceIDSearchQuery(value string) (SearchQuery, error) {
 	return NewTextQuery(InstanceDomainInstanceIDCol, value, TextEquals)
 }
-func NewInstanceDomainGeneratedSearchQuery(verified bool) (SearchQuery, error) {
+func NewInstanceDomainGeneratedSearchQuery(generated bool) (SearchQuery, error) {
-	return NewBoolQuery(InstanceDomainIsGeneratedCol, verified)
+	return NewBoolQuery(InstanceDomainIsGeneratedCol, generated)
 }
 func NewInstanceDomainPrimarySearchQuery(primary bool) (SearchQuery, error) {
 	return NewBoolQuery(InstanceDomainIsPrimaryCol, primary)
 }
 func (q *Queries) SearchInstanceDomains(ctx context.Context, queries *InstanceDomainSearchQueries) (domains *InstanceDomains, err error) {
@ -81,6 +86,7 @@ func prepareInstanceDomainsQuery() (sq.SelectBuilder, func(*sql.Rows) (*Instance
 			InstanceDomainDomainCol.identifier(),
 			InstanceDomainInstanceIDCol.identifier(),
 			InstanceDomainIsGeneratedCol.identifier(),
 			InstanceDomainIsPrimaryCol.identifier(),
 			countColumn.identifier(),
 		).From(instanceDomainsTable.identifier()).PlaceholderFormat(sq.Dollar),
 		func(rows *sql.Rows) (*InstanceDomains, error) {
@ -95,6 +101,7 @@ func prepareInstanceDomainsQuery() (sq.SelectBuilder, func(*sql.Rows) (*Instance
 					&domain.Domain,
 					&domain.InstanceID,
 					&domain.IsGenerated,
 					&domain.IsPrimary,
 					&count,
 				)
 				if err != nil {
@ -145,4 +152,8 @@ var (
 		name:  projection.InstanceDomainIsGeneratedCol,
 		table: instanceDomainsTable,
 	}
 	InstanceDomainIsPrimaryCol = Column{
 		name:  projection.InstanceDomainIsPrimaryCol,
 		table: instanceDomainsTable,
 	}
 )
--- a/internal/query/instance_domain_test.go
+++ b/internal/query/instance_domain_test.go
@ -31,6 +31,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 						` projections.instance_domains.domain,`+
 						` projections.instance_domains.instance_id,`+
 						` projections.instance_domains.is_generated,`+
 						` projections.instance_domains.is_primary,`+
 						` COUNT(*) OVER ()`+
 						` FROM projections.instance_domains`),
 					nil,
@ -50,6 +51,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 						` projections.instance_domains.domain,`+
 						` projections.instance_domains.instance_id,`+
 						` projections.instance_domains.is_generated,`+
 						` projections.instance_domains.is_primary,`+
 						` COUNT(*) OVER ()`+
 						` FROM projections.instance_domains`),
 					[]string{
@ -59,6 +61,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 						"domain",
 						"instance_id",
 						"is_generated",
 						"is_primary",
 						"count",
 					},
 					[][]driver.Value{
@ -69,6 +72,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 							"zitadel.ch",
 							"inst-id",
 							true,
 							true,
 						},
 					},
 				),
@ -85,6 +89,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 						Domain:       "zitadel.ch",
 						InstanceID:   "inst-id",
 						IsGenerated:  true,
 						IsPrimary:    true,
 					},
 				},
 			},
@ -100,6 +105,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 						` projections.instance_domains.domain,`+
 						` projections.instance_domains.instance_id,`+
 						` projections.instance_domains.is_generated,`+
 						` projections.instance_domains.is_primary,`+
 						` COUNT(*) OVER ()`+
 						` FROM projections.instance_domains`),
 					[]string{
@ -109,6 +115,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 						"domain",
 						"instance_id",
 						"is_generated",
 						"is_primary",
 						"count",
 					},
 					[][]driver.Value{
@ -119,6 +126,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 							"zitadel.ch",
 							"inst-id",
 							true,
 							true,
 						},
 						{
 							testNow,
@ -127,6 +135,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 							"zitadel.com",
 							"inst-id",
 							false,
 							false,
 						},
 					},
 				),
@ -143,6 +152,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 						Domain:       "zitadel.ch",
 						InstanceID:   "inst-id",
 						IsGenerated:  true,
 						IsPrimary:    true,
 					},
 					{
 						CreationDate: testNow,
@ -151,6 +161,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 						Domain:       "zitadel.com",
 						InstanceID:   "inst-id",
 						IsGenerated:  false,
 						IsPrimary:    false,
 					},
 				},
 			},
@ -166,6 +177,7 @@ func Test_InstanceDomainPrepares(t *testing.T) {
 						` projections.instance_domains.domain,`+
 						` projections.instance_domains.instance_id,`+
 						` projections.instance_domains.is_generated,`+
 						` projections.instance_domains.is_primary,`+
 						` COUNT(*) OVER ()`+
 						` FROM projections.instance_domains`),
 					sql.ErrConnDone,
--- a/internal/query/instance_test.go
+++ b/internal/query/instance_test.go
@ -39,6 +39,7 @@ func Test_InstancePrepares(t *testing.T) {
 						` projections.instances.global_org_id,`+
 						` projections.instances.iam_project_id,`+
 						` projections.instances.console_client_id,`+
 						` projections.instances.console_app_id,`+
 						` projections.instances.setup_started,`+
 						` projections.instances.setup_done,`+
 						` projections.instances.default_language`+
@ -68,6 +69,7 @@ func Test_InstancePrepares(t *testing.T) {
 						` projections.instances.global_org_id,`+
 						` projections.instances.iam_project_id,`+
 						` projections.instances.console_client_id,`+
 						` projections.instances.console_app_id,`+
 						` projections.instances.setup_started,`+
 						` projections.instances.setup_done,`+
 						` projections.instances.default_language`+
@ -79,6 +81,7 @@ func Test_InstancePrepares(t *testing.T) {
 						"global_org_id",
 						"iam_project_id",
 						"console_client_id",
 						"console_app_id",
 						"setup_started",
 						"setup_done",
 						"default_language",
@ -90,6 +93,7 @@ func Test_InstancePrepares(t *testing.T) {
 						"global-org-id",
 						"project-id",
 						"client-id",
 						"app-id",
 						domain.Step2,
 						domain.Step1,
 						"en",
@ -103,6 +107,7 @@ func Test_InstancePrepares(t *testing.T) {
 				GlobalOrgID:     "global-org-id",
 				IAMProjectID:    "project-id",
 				ConsoleID:       "client-id",
 				ConsoleAppID:    "app-id",
 				SetupStarted:    domain.Step2,
 				SetupDone:       domain.Step1,
 				DefaultLanguage: language.English,
@ -121,6 +126,7 @@ func Test_InstancePrepares(t *testing.T) {
 						` projections.instances.global_org_id,`+
 						` projections.instances.iam_project_id,`+
 						` projections.instances.console_client_id,`+
 						` projections.instances.console_app_id,`+
 						` projections.instances.setup_started,`+
 						` projections.instances.setup_done,`+
 						` projections.instances.default_language`+
--- a/internal/query/projection/instance.go
+++ b/internal/query/projection/instance.go
@ -18,6 +18,7 @@ const (
 	InstanceColumnGlobalOrgID     = "global_org_id"
 	InstanceColumnProjectID       = "iam_project_id"
 	InstanceColumnConsoleID       = "console_client_id"
 	InstanceColumnConsoleAppID    = "console_app_id"
 	InstanceColumnSequence        = "sequence"
 	InstanceColumnSetUpStarted    = "setup_started"
 	InstanceColumnSetUpDone       = "setup_done"
@ -129,6 +130,7 @@ func (p *InstanceProjection) reduceConsoleSet(event eventstore.Event) (*handler.
 			handler.NewCol(InstanceColumnChangeDate, e.CreationDate()),
 			handler.NewCol(InstanceColumnSequence, e.Sequence()),
 			handler.NewCol(InstanceColumnConsoleID, e.ClientID),
 			handler.NewCol(InstanceColumnConsoleAppID, e.AppID),
 		},
 	), nil
 }
--- a/internal/query/projection/instance_domain.go
+++ b/internal/query/projection/instance_domain.go
@ -19,6 +19,7 @@ const (
 	InstanceDomainSequenceCol     = "sequence"
 	InstanceDomainDomainCol       = "domain"
 	InstanceDomainIsGeneratedCol  = "is_generated"
 	InstanceDomainIsPrimaryCol    = "is_primary"
 )
 type InstanceDomainProjection struct {
@ -37,6 +38,7 @@ func NewInstanceDomainProjection(ctx context.Context, config crdb.StatementHandl
 			crdb.NewColumn(InstanceDomainSequenceCol, crdb.ColumnTypeInt64),
 			crdb.NewColumn(InstanceDomainDomainCol, crdb.ColumnTypeText),
 			crdb.NewColumn(InstanceDomainIsGeneratedCol, crdb.ColumnTypeBool),
 			crdb.NewColumn(InstanceDomainIsPrimaryCol, crdb.ColumnTypeBool),
 		},
 			crdb.NewPrimaryKey(InstanceDomainInstanceIDCol, InstanceDomainDomainCol),
 		),
@ -54,6 +56,10 @@ func (p *InstanceDomainProjection) reducers() []handler.AggregateReducer {
 					Event:  instance.InstanceDomainAddedEventType,
 					Reduce: p.reduceDomainAdded,
 				},
 				{
 					Event:  instance.InstanceDomainAddedEventType,
 					Reduce: p.reduceDomainPrimarySet,
 				},
 				{
 					Event:  instance.InstanceDomainRemovedEventType,
 					Reduce: p.reduceDomainRemoved,
@ -77,10 +83,43 @@ func (p *InstanceDomainProjection) reduceDomainAdded(event eventstore.Event) (*h
 			handler.NewCol(InstanceDomainDomainCol, e.Domain),
 			handler.NewCol(InstanceDomainInstanceIDCol, e.Aggregate().ID),
 			handler.NewCol(InstanceDomainIsGeneratedCol, e.Generated),
 			handler.NewCol(InstanceDomainIsPrimaryCol, false),
 		},
 	), nil
 }
 func (p *InstanceDomainProjection) reduceDomainPrimarySet(event eventstore.Event) (*handler.Statement, error) {
 	e, ok := event.(*instance.DomainPrimarySetEvent)
 	if !ok {
 		return nil, errors.ThrowInvalidArgumentf(nil, "PROJE-f8nlw", "reduce.wrong.event.type %s", instance.InstanceDomainPrimarySetEventType)
 	}
 	return crdb.NewMultiStatement(
 		e,
 		crdb.AddUpdateStatement(
 			[]handler.Column{
 				handler.NewCol(InstanceDomainChangeDateCol, e.CreationDate()),
 				handler.NewCol(InstanceDomainSequenceCol, e.Sequence()),
 				handler.NewCol(InstanceDomainIsPrimaryCol, false),
 			},
 			[]handler.Condition{
 				handler.NewCond(InstanceDomainInstanceIDCol, e.Aggregate().InstanceID),
 				handler.NewCond(InstanceDomainIsPrimaryCol, true),
 			},
 		),
 		crdb.AddUpdateStatement(
 			[]handler.Column{
 				handler.NewCol(InstanceDomainChangeDateCol, e.CreationDate()),
 				handler.NewCol(InstanceDomainSequenceCol, e.Sequence()),
 				handler.NewCol(InstanceDomainIsPrimaryCol, true),
 			},
 			[]handler.Condition{
 				handler.NewCond(InstanceDomainDomainCol, e.Domain),
 				handler.NewCond(InstanceDomainInstanceIDCol, e.Aggregate().ID),
 			},
 		),
 	), nil
 }
 func (p *InstanceDomainProjection) reduceDomainRemoved(event eventstore.Event) (*handler.Statement, error) {
 	e, ok := event.(*instance.DomainRemovedEvent)
 	if !ok {
--- a/internal/query/projection/instance_domain_test.go
+++ b/internal/query/projection/instance_domain_test.go
@ -38,7 +38,7 @@ func TestInstanceDomainProjection_reduces(t *testing.T) {
 				executer: &testExecuter{
 					executions: []execution{
 						{
-							expectedStmt: "INSERT INTO projections.instance_domains (creation_date, change_date, sequence, domain, instance_id, is_generated) VALUES ($1, $2, $3, $4, $5, $6)",
+							expectedStmt: "INSERT INTO projections.instance_domains (creation_date, change_date, sequence, domain, instance_id, is_generated, is_primary) VALUES ($1, $2, $3, $4, $5, $6, $7)",
 							expectedArgs: []interface{}{
 								anyArg{},
 								anyArg{},
@ -46,6 +46,7 @@ func TestInstanceDomainProjection_reduces(t *testing.T) {
 								"domain.new",
 								"agg-id",
 								true,
 								false,
 							},
 						},
 					},
--- a/internal/repository/instance/domain.go
+++ b/internal/repository/instance/domain.go
@ -11,10 +11,11 @@ import (
 )
 const (
-	UniqueInstanceDomain           = "instance_domain"
+	UniqueInstanceDomain              = "instance_domain"
-	domainEventPrefix              = instanceEventTypePrefix + "domain."
+	domainEventPrefix                 = instanceEventTypePrefix + "domain."
-	InstanceDomainAddedEventType   = domainEventPrefix + "added"
+	InstanceDomainAddedEventType      = domainEventPrefix + "added"
-	InstanceDomainRemovedEventType = domainEventPrefix + "removed"
+	InstanceDomainPrimarySetEventType = domainEventPrefix + "primary.set"
 	InstanceDomainRemovedEventType    = domainEventPrefix + "removed"
 )
 func NewAddInstanceDomainUniqueConstraint(orgDomain string) *eventstore.EventUniqueConstraint {
@ -69,6 +70,43 @@ func DomainAddedEventMapper(event *repository.Event) (eventstore.Event, error) {
 	return orgDomainAdded, nil
 }
 type DomainPrimarySetEvent struct {
 	eventstore.BaseEvent `json:"-"`
 	Domain string `json:"domain,omitempty"`
 }
 func (e *DomainPrimarySetEvent) Data() interface{} {
 	return e
 }
 func (e *DomainPrimarySetEvent) UniqueConstraints() []*eventstore.EventUniqueConstraint {
 	return nil
 }
 func NewDomainPrimarySetEvent(ctx context.Context, aggregate *eventstore.Aggregate, domain string) *DomainPrimarySetEvent {
 	return &DomainPrimarySetEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
 			ctx,
 			aggregate,
 			InstanceDomainPrimarySetEventType,
 		),
 		Domain: domain,
 	}
 }
 func DomainPrimarySetEventMapper(event *repository.Event) (eventstore.Event, error) {
 	orgDomainAdded := &DomainAddedEvent{
 		BaseEvent: *eventstore.BaseEventFromRepo(event),
 	}
 	err := json.Unmarshal(event.Data, orgDomainAdded)
 	if err != nil {
 		return nil, errors.ThrowInternal(err, "INSTANCE-29jöF", "unable to unmarshal instance domain added")
 	}
 	return orgDomainAdded, nil
 }
 type DomainRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`
--- a/internal/repository/instance/event_iam_project_set.go
+++ b/internal/repository/instance/event_iam_project_set.go
@ -60,6 +60,7 @@ type ConsoleSetEvent struct {
 	eventstore.BaseEvent `json:"-"`
 	ClientID string `json:"clientId"`
 	AppID    string `json:"appId"`
 }
 func (e *ConsoleSetEvent) Data() interface{} {
@ -73,7 +74,8 @@ func (e *ConsoleSetEvent) UniqueConstraints() []*eventstore.EventUniqueConstrain
 func NewIAMConsoleSetEvent(
 	ctx context.Context,
 	aggregate *eventstore.Aggregate,
-	clientID *string,
+	clientID,
 	appID *string,
 ) *ConsoleSetEvent {
 	return &ConsoleSetEvent{
 		BaseEvent: *eventstore.NewBaseEventForPush(
@ -82,6 +84,7 @@ func NewIAMConsoleSetEvent(
 			ConsoleSetEventType,
 		),
 		ClientID: *clientID,
 		AppID:    *appID,
 	}
 }
--- a/internal/repository/instance/eventstore.go
+++ b/internal/repository/instance/eventstore.go
@ -87,6 +87,7 @@ func RegisterEventMappers(es *eventstore.Eventstore) {
 		RegisterFilterEventMapper(CustomTextTemplateRemovedEventType, CustomTextTemplateRemovedEventMapper).
 		RegisterFilterEventMapper(FeaturesSetEventType, FeaturesSetEventMapper).
 		RegisterFilterEventMapper(InstanceDomainAddedEventType, DomainAddedEventMapper).
 		RegisterFilterEventMapper(InstanceDomainPrimarySetEventType, DomainPrimarySetEventMapper).
 		RegisterFilterEventMapper(InstanceDomainRemovedEventType, DomainRemovedEventMapper).
 		RegisterFilterEventMapper(InstanceAddedEventType, InstanceAddedEventMapper).
 		RegisterFilterEventMapper(InstanceChangedEventType, InstanceChangedEventMapper).
--- a/proto/zitadel/admin.proto
+++ b/proto/zitadel/admin.proto
@ -1,6 +1,7 @@
 syntax = "proto3";
 import "zitadel/idp.proto";
 import "zitadel/instance.proto";
 import "zitadel/user.proto";
 import "zitadel/object.proto";
 import "zitadel/options.proto";
@ -184,6 +185,13 @@ service AdminService {
        };
    }
    // Returns the domains of an instance
    rpc ListInstanceDomains(ListInstanceDomainsRequest) returns (ListInstanceDomainsResponse) {
        option (google.api.http) = {
            get: "/domains";
        };
    }
    // Set the default language
    rpc ListSecretGenerators(ListSecretGeneratorsRequest) returns (ListSecretGeneratorsResponse) {
        option (google.api.http) = {
@ -2642,6 +2650,20 @@ message GetDefaultLanguageResponse {
    string language = 1;
 }
 message ListInstanceDomainsRequest {
    zitadel.v1.ListQuery query = 1;
    // the field the result is sorted
    zitadel.instance.v1.DomainFieldName sorting_column = 2;
    //criterias the client is looking for
    repeated zitadel.instance.v1.DomainSearchQuery queries = 3;
 }
 message ListInstanceDomainsResponse {
    zitadel.v1.ListDetails details = 1;
    zitadel.instance.v1.DomainFieldName sorting_column = 2;
    repeated zitadel.instance.v1.Domain result = 3;
 }
 message ListSecretGeneratorsRequest {
    //list limitations and ordering
    zitadel.v1.ListQuery query = 1;
--- a/proto/zitadel/instance.proto
+++ b/proto/zitadel/instance.proto
@ -20,22 +20,12 @@ message Instance {
            description: "current state of the instance";
        }
    ];
-    string generated_domain = 4 [
+    string name = 4 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "\"organization.zitadel.com\"";
        }
    ];
    repeated string custom_domains = 5 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "[\"zitadel.com\", \"zitadel.cloud\", \"zitadel.ch\"]";
        }
    ];
    string name = 6 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "\"ZITADEL\"";
        }
    ];
-    string version = 7 [
+    string version = 5 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "\"v1.0.0\"";
        }
@ -55,8 +45,7 @@ message Query {
        option (validate.required) = true;
        IdQuery id_query = 1;
-        DomainsQuery domains_query = 2;
+        StateQuery state_query = 2;
        StateQuery state_query = 3;
    }
 }
@ -70,21 +59,6 @@ message IdQuery {
    ];
 }
 message DomainsQuery {
    repeated string domains = 1 [
        (validate.rules).string = {max_len: 200},
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "\"caos.ch\"";
        }
    ];
    zitadel.v1.ListQueryMethod method = 2 [
        (validate.rules).enum.defined_only = true,
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "defines which list equality method is used";
        }
    ];
 }
 //StateQuery is always equals
 message StateQuery {
    State state = 1 [
@ -98,7 +72,68 @@ message StateQuery {
 enum FieldName {
    FIELD_NAME_UNSPECIFIED = 0;
    FIELD_NAME_ID = 1;
-    FIELD_NAME_GENERATED_DOMAIN = 2;
+    FIELD_NAME_NAME = 2;
-    FIELD_NAME_NAME = 3;
+    FIELD_NAME_CREATION_DATE = 3;
-    FIELD_NAME_CREATION_DATE = 4;
+}
 message Domain {
    zitadel.v1.ObjectDetails details = 1;
    string domain = 2 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            example: "\"zitadel.com\""
        }
    ];
    bool primary = 3;
    bool generated = 4;
 }
 message DomainSearchQuery {
    oneof query {
        option (validate.required) = true;
        DomainQuery domain_query = 1;
        DomainGeneratedQuery generated_query = 2;
        DomainPrimaryQuery primary_query = 3;
    }
 }
 message DomainQuery {
    string domain = 1 [
        (validate.rules).string = {max_len: 200},
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "zitadel.com";
        }
    ];
    zitadel.v1.TextQueryMethod method = 2 [
        (validate.rules).enum.defined_only = true,
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "defines which text equality method is used";
        }
    ];
 }
 //DomainGeneratedQuery is always equals
 message DomainGeneratedQuery {
    bool generated = 1 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "generated domains";
        }
    ];
 }
 //DomainPrimaryQuery is always equals
 message DomainPrimaryQuery {
    bool primary = 1 [
        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
            description: "primary domains";
        }
    ];
 }
 enum DomainFieldName {
    DOMAIN_FIELD_NAME_UNSPECIFIED = 0;
    DOMAIN_FIELD_NAME_DOMAIN = 1;
    DOMAIN_FIELD_NAME_PRIMARY = 2;
    DOMAIN_FIELD_NAME_GENERATED = 3;
    DOMAIN_FIELD_NAME_CREATION_DATE = 4;
 }
--- a/proto/zitadel/system.proto
+++ b/proto/zitadel/system.proto
@ -141,28 +141,37 @@ service SystemService {
        };
    }
    // Returns the domain of an instance
    rpc GetGeneratedDomain(GetGeneratedDomainRequest) returns (GetGeneratedDomainResponse) {
        option (google.api.http) = {
            get: "/instances/{id}/domains/generated";
        };
    }
    // Returns the custom domains of an instance
-    rpc GetCustomDomains(GetCustomDomainsRequest) returns (GetCustomDomainsResponse) {
+    rpc ListDomains(ListDomainsRequest) returns (ListDomainsResponse) {
        option (google.api.http) = {
-            get: "/instances/{id}/domains/custom";
+            get: "/instances/{id}/domains";
        };
    }
    // Returns the domain of an instance
-    rpc AddCustomDomain(AddCustomDomainRequest) returns (AddCustomDomainResponse) {
+    rpc AddDomain(AddDomainRequest) returns (AddDomainResponse) {
        option (google.api.http) = {
-            post: "/instances/{id}/domains/custom";
+            post: "/instances/{id}/domains";
            body: "*"
        };
    }
    // Returns the domain of an instance
    rpc RemoveDomain(RemoveDomainRequest) returns (RemoveDomainResponse) {
        option (google.api.http) = {
            delete: "/instances/{id}/domains/{domain}";
        };
    }
    // Returns the domain of an instance
    rpc SetPrimaryDomain(SetPrimaryDomainRequest) returns (SetPrimaryDomainResponse) {
        option (google.api.http) = {
            post: "/instances/{id}/domains/_set_primary";
            body: "*"
        };
    }
    //Returns all stored read models of ZITADEL
    // views are used for search optimisation and optimise request latencies
    // they represent the delta of the event happend on the objects
@ -346,30 +355,45 @@ message GetUsageResponse {
    uint64 executed_action_mins = 3;
 }
-message GetGeneratedDomainRequest {
+message ListDomainsRequest {
-    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];//list limitations and ordering
    zitadel.v1.ListQuery query = 2;
    // the field the result is sorted
    zitadel.instance.v1.DomainFieldName sorting_column = 3;
    //criterias the client is looking for
    repeated zitadel.instance.v1.DomainSearchQuery queries = 4;
 }
-message GetGeneratedDomainResponse {
+message ListDomainsResponse {
    zitadel.v1.ListDetails details = 1;
    zitadel.instance.v1.DomainFieldName sorting_column = 2;
    repeated zitadel.instance.v1.Domain result = 3;
 }
 message AddDomainRequest {
    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string domain = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
 }
 message AddDomainResponse {
    zitadel.v1.ObjectDetails details = 1;
    string domain = 2;
 }
-message GetCustomDomainsRequest {
+message RemoveDomainRequest {
    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string domain = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
 }
-message GetCustomDomainsResponse {
+message RemoveDomainResponse {
    zitadel.v1.ObjectDetails details = 1;
    repeated string domains = 2;
 }
-message AddCustomDomainRequest {
+message SetPrimaryDomainRequest {
    string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
-    string custom_domain = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
+    string domain = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
 }
-message AddCustomDomainResponse {
+message SetPrimaryDomainResponse {
    zitadel.v1.ObjectDetails details = 1;
 }