feat: idps (#1188)

* add setup steps

* refactoring

* omitempty

* cleanup

* begin org

* create org

* setup org

* setup org

* merge

* fixes

* fixes

* fixes

* add project

* add oidc application

* fix app creation

* add resourceOwner to writemodels

* resource owner

* cleanup

* global org, iam project and iam member in setup

* logs

* logs

* logs

* cleanup

* Update internal/v2/command/project.go

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

* check project state

* add org domain commands

* add org status changes and member commands

* fixes

* policies

* login policy

* fix iam project event

* mapper

* label policy

* change to command

* fix

* fix

* handle change event differently and lot of fixes

* idps

* fixes

* fixes

* fixes

* changedEvent handling

* fix change events

* remove creation date

Co-authored-by: Fabi <38692350+fgerschwiler@users.noreply.github.com>

internal/admin/repository/iam.go

@@ -12,11 +12,9 @@ type IAMRepository interface {
 	GetIAMMemberRoles() []string
 
 	SearchIDPConfigs(ctx context.Context, request *iam_model.IDPConfigSearchRequest) (*iam_model.IDPConfigSearchResponse, error)
-	RemoveIDPConfig(ctx context.Context, idpConfigID string) error
 
 	GetDefaultLoginPolicy(ctx context.Context) (*iam_model.LoginPolicyView, error)
 	SearchDefaultIDPProviders(ctx context.Context, request *iam_model.IDPProviderSearchRequest) (*iam_model.IDPProviderSearchResponse, error)
-	RemoveIDPProviderFromLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) error
 	SearchDefaultSecondFactors(ctx context.Context) (*iam_model.SecondFactorsSearchResponse, error)
 	SearchDefaultMultiFactors(ctx context.Context) (*iam_model.MultiFactorsSearchResponse, error)
 

internal/admin/repository/org.go

@@ -14,5 +14,4 @@ type OrgRepository interface {
 	SearchOrgs(ctx context.Context, query *org_model.OrgSearchRequest) (*org_model.OrgSearchResult, error)
 
 	GetOrgIAMPolicyByID(ctx context.Context, id string) (*iam_model.OrgIAMPolicyView, error)
-	RemoveOrgIAMPolicy(ctx context.Context, id string) error
 }

internal/api/grpc/admin/iam_member_converter.go

@@ -4,6 +4,7 @@ import (
 	"github.com/caos/logging"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/model"
@@ -19,16 +20,9 @@ func changeIamMemberToDomain(member *admin.ChangeIamMemberRequest) *domain.Membe
 }
 
 func iamMemberFromDomain(member *domain.Member) *admin.IamMember {
-	creationDate, err := ptypes.TimestampProto(member.CreationDate)
-	logging.Log("GRPC-Lsp76").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(member.ChangeDate)
-	logging.Log("GRPC-3fG5s").OnError(err).Debug("date parse failed")
-
 	return &admin.IamMember{
 		UserId:     member.UserID,
-		CreationDate: creationDate,
+		ChangeDate: timestamppb.New(member.ChangeDate),
-		ChangeDate:   changeDate,
 		Roles:      member.Roles,
 		Sequence:   member.Sequence,
 	}

internal/api/grpc/admin/idp_config.go

@@ -31,20 +31,14 @@ func (s *Server) UpdateIdpConfig(ctx context.Context, idpConfig *admin.IdpUpdate
 	return idpFromDomain(config), nil
 }
 
-func (s *Server) DeactivateIdpConfig(ctx context.Context, id *admin.IdpID) (*admin.Idp, error) {
+func (s *Server) DeactivateIdpConfig(ctx context.Context, id *admin.IdpID) (*empty.Empty, error) {
-	config, err := s.command.DeactivateDefaultIDPConfig(ctx, id.Id)
+	err := s.command.DeactivateDefaultIDPConfig(ctx, id.Id)
-	if err != nil {
+	return &empty.Empty{}, err
-		return nil, err
-	}
-	return idpFromDomain(config), nil
 }
 
-func (s *Server) ReactivateIdpConfig(ctx context.Context, id *admin.IdpID) (*admin.Idp, error) {
+func (s *Server) ReactivateIdpConfig(ctx context.Context, id *admin.IdpID) (*empty.Empty, error) {
-	config, err := s.command.ReactivateDefaultIDPConfig(ctx, id.Id)
+	err := s.command.ReactivateDefaultIDPConfig(ctx, id.Id)
-	if err != nil {
+	return &empty.Empty{}, err
-		return nil, err
-	}
-	return idpFromDomain(config), nil
 }
 
 func (s *Server) RemoveIdpConfig(ctx context.Context, id *admin.IdpID) (*empty.Empty, error) {

internal/api/grpc/admin/idp_config_converter.go

@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func createOIDCIDPToDomain(idp *admin.OidcIdpConfigCreate) *domain.IDPConfig {
@@ -45,16 +46,9 @@ func updateOIDCIDPToDomain(idp *admin.OidcIdpConfigUpdate) *domain.OIDCIDPConfig
 }
 
 func idpFromDomain(idp *domain.IDPConfig) *admin.Idp {
-	creationDate, err := ptypes.TimestampProto(idp.CreationDate)
-	logging.Log("GRPC-8dju8").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(idp.ChangeDate)
-	logging.Log("GRPC-Dsj8i").OnError(err).Debug("date parse failed")
-
 	return &admin.Idp{
 		Id:          idp.IDPConfigID,
-		CreationDate: creationDate,
+		ChangeDate:  timestamppb.New(idp.ChangeDate),
-		ChangeDate:   changeDate,
 		Sequence:    idp.Sequence,
 		Name:        idp.Name,
 		StylingType: idpConfigStylingTypeFromDomain(idp.StylingType),

internal/api/grpc/admin/label_policy_converter.go

@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func labelPolicyToDomain(policy *admin.DefaultLabelPolicyUpdate) *domain.LabelPolicy {
@@ -16,17 +17,10 @@ func labelPolicyToDomain(policy *admin.DefaultLabelPolicyUpdate) *domain.LabelPo
 }
 
 func labelPolicyFromDomain(policy *domain.LabelPolicy) *admin.DefaultLabelPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("ADMIN-QwQG9").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("ADMIN-mAgcI").OnError(err).Debug("date parse failed")
-
 	return &admin.DefaultLabelPolicy{
 		PrimaryColor:   policy.PrimaryColor,
 		SecondaryColor: policy.SecondaryColor,
-		CreationDate:   creationDate,
+		ChangeDate:     timestamppb.New(policy.ChangeDate),
-		ChangeDate:     changeDate,
 	}
 }
 

internal/api/grpc/admin/login_policy_converter.go

@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func loginPolicyToDomain(policy *admin.DefaultLoginPolicyRequest) *domain.LoginPolicy {
@@ -19,20 +20,13 @@ func loginPolicyToDomain(policy *admin.DefaultLoginPolicyRequest) *domain.LoginP
 }
 
 func loginPolicyFromDomain(policy *domain.LoginPolicy) *admin.DefaultLoginPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-3Fsm9").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-5Gsko").OnError(err).Debug("date parse failed")
-
 	return &admin.DefaultLoginPolicy{
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
 		ForceMfa:              policy.ForceMFA,
 		PasswordlessType:      passwordlessTypeFromDomain(policy.PasswordlessType),
-		CreationDate:          creationDate,
+		ChangeDate:            timestamppb.New(policy.ChangeDate),
-		ChangeDate:            changeDate,
 	}
 }
 

internal/api/grpc/admin/org_converter.go

@@ -3,6 +3,7 @@ package admin
 import (
 	"github.com/caos/logging"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 
 	iam_model "github.com/caos/zitadel/internal/iam/model"
 	"github.com/caos/zitadel/internal/v2/domain"
@@ -57,15 +58,11 @@ func orgViewsFromModel(orgs []*org_model.OrgView) []*admin.Org {
 }
 
 func orgFromModel(org *org_model.Org) *admin.Org {
-	creationDate, err := ptypes.TimestampProto(org.CreationDate)
-	logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time")
-
 	changeDate, err := ptypes.TimestampProto(org.ChangeDate)
 	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")
 
 	return &admin.Org{
 		ChangeDate: changeDate,
-		CreationDate: creationDate,
 		Id:         org.AggregateID,
 		Name:       org.Name,
 		State:      orgStateFromModel(org.State),
@@ -73,15 +70,11 @@ func orgFromModel(org *org_model.Org) *admin.Org {
 }
 
 func orgViewFromModel(org *org_model.OrgView) *admin.Org {
-	creationDate, err := ptypes.TimestampProto(org.CreationDate)
-	logging.Log("GRPC-GTHsZ").OnError(err).Debug("unable to get timestamp from time")
-
 	changeDate, err := ptypes.TimestampProto(org.ChangeDate)
 	logging.Log("GRPC-dVnoj").OnError(err).Debug("unable to get timestamp from time")
 
 	return &admin.Org{
 		ChangeDate: changeDate,
-		CreationDate: creationDate,
 		Id:         org.ID,
 		Name:       org.Name,
 		State:      orgStateFromModel(org.State),
@@ -193,17 +186,10 @@ func orgQueryMethodToModel(method admin.OrgSearchMethod) model.SearchMethod {
 }
 
 func orgIAMPolicyFromDomain(policy *domain.OrgIAMPolicy) *admin.OrgIamPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-ush36").OnError(err).Debug("unable to get timestamp from time")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-Ps9fW").OnError(err).Debug("unable to get timestamp from time")
-
 	return &admin.OrgIamPolicy{
 		OrgId:                 policy.AggregateID,
 		UserLoginMustBeDomain: policy.UserLoginMustBeDomain,
-		CreationDate:          creationDate,
+		ChangeDate:            timestamppb.New(policy.ChangeDate),
-		ChangeDate:            changeDate,
 	}
 }
 

internal/api/grpc/admin/password_age_policy_converter.go

@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func passwordAgePolicyToDomain(policy *admin.DefaultPasswordAgePolicyRequest) *domain.PasswordAgePolicy {
@@ -16,17 +17,10 @@ func passwordAgePolicyToDomain(policy *admin.DefaultPasswordAgePolicyRequest) *d
 }
 
 func passwordAgePolicyFromDomain(policy *domain.PasswordAgePolicy) *admin.DefaultPasswordAgePolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-mH9os").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-3tGs9").OnError(err).Debug("date parse failed")
-
 	return &admin.DefaultPasswordAgePolicy{
 		MaxAgeDays:     policy.MaxAgeDays,
 		ExpireWarnDays: policy.ExpireWarnDays,
-		CreationDate:   creationDate,
+		ChangeDate:     timestamppb.New(policy.ChangeDate),
-		ChangeDate:     changeDate,
 	}
 }
 

internal/api/grpc/admin/password_complexity_policy_converter.go

@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func passwordComplexityPolicyToDomain(policy *admin.DefaultPasswordComplexityPolicyRequest) *domain.PasswordComplexityPolicy {
@@ -19,20 +20,13 @@ func passwordComplexityPolicyToDomain(policy *admin.DefaultPasswordComplexityPol
 }
 
 func passwordComplexityPolicyFromDomain(policy *domain.PasswordComplexityPolicy) *admin.DefaultPasswordComplexityPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-6Zhs9").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-bMso0").OnError(err).Debug("date parse failed")
-
 	return &admin.DefaultPasswordComplexityPolicy{
 		MinLength:    policy.MinLength,
 		HasUppercase: policy.HasUppercase,
 		HasLowercase: policy.HasLowercase,
 		HasNumber:    policy.HasNumber,
 		HasSymbol:    policy.HasSymbol,
-		CreationDate: creationDate,
+		ChangeDate:   timestamppb.New(policy.ChangeDate),
-		ChangeDate:   changeDate,
 	}
 }
 

internal/api/grpc/admin/password_lockout_policy_converter.go

@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/admin"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
 )
 
 func passwordLockoutPolicyToDomain(policy *admin.DefaultPasswordLockoutPolicyRequest) *domain.PasswordLockoutPolicy {
@@ -16,17 +17,10 @@ func passwordLockoutPolicyToDomain(policy *admin.DefaultPasswordLockoutPolicyReq
 }
 
 func passwordLockoutPolicyFromDomain(policy *domain.PasswordLockoutPolicy) *admin.DefaultPasswordLockoutPolicy {
-	creationDate, err := ptypes.TimestampProto(policy.CreationDate)
-	logging.Log("GRPC-4Gsm9f").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(policy.ChangeDate)
-	logging.Log("GRPC-3Gms9").OnError(err).Debug("date parse failed")
-
 	return &admin.DefaultPasswordLockoutPolicy{
 		MaxAttempts:        policy.MaxAttempts,
 		ShowLockoutFailure: policy.ShowLockOutFailures,
-		CreationDate:       creationDate,
+		ChangeDate:         timestamppb.New(policy.ChangeDate),
-		ChangeDate:         changeDate,
 	}
 }
 

internal/api/grpc/management/idp_config.go

@@ -2,8 +2,10 @@ package management
 
 import (
 	"context"
+
 	"github.com/golang/protobuf/ptypes/empty"
 
+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/pkg/grpc/management"
 )
 
@@ -16,48 +18,42 @@ func (s *Server) IdpByID(ctx context.Context, id *management.IdpID) (*management
 }
 
 func (s *Server) CreateOidcIdp(ctx context.Context, oidcIdpConfig *management.OidcIdpConfigCreate) (*management.Idp, error) {
-	config, err := s.org.AddOIDCIDPConfig(ctx, createOidcIdpToModel(oidcIdpConfig))
+	config, err := s.command.AddIDPConfig(ctx, createOidcIdpToDomain(oidcIdpConfig))
 	if err != nil {
 		return nil, err
 	}
-	return idpFromModel(config), nil
+	return idpFromDomain(config), nil
 }
 
 func (s *Server) UpdateIdpConfig(ctx context.Context, idpConfig *management.IdpUpdate) (*management.Idp, error) {
-	config, err := s.org.ChangeIDPConfig(ctx, updateIdpToModel(idpConfig))
+	config, err := s.command.ChangeIDPConfig(ctx, updateIdpToDomain(ctx, idpConfig))
 	if err != nil {
 		return nil, err
 	}
-	return idpFromModel(config), nil
+	return idpFromDomain(config), nil
 }
 
-func (s *Server) DeactivateIdpConfig(ctx context.Context, id *management.IdpID) (*management.Idp, error) {
+func (s *Server) DeactivateIdpConfig(ctx context.Context, id *management.IdpID) (*empty.Empty, error) {
-	config, err := s.org.DeactivateIDPConfig(ctx, id.Id)
+	err := s.command.DeactivateIDPConfig(ctx, id.Id, authz.GetCtxData(ctx).OrgID)
-	if err != nil {
+	return &empty.Empty{}, err
-		return nil, err
-	}
-	return idpFromModel(config), nil
 }
 
-func (s *Server) ReactivateIdpConfig(ctx context.Context, id *management.IdpID) (*management.Idp, error) {
+func (s *Server) ReactivateIdpConfig(ctx context.Context, id *management.IdpID) (*empty.Empty, error) {
-	config, err := s.org.ReactivateIDPConfig(ctx, id.Id)
+	err := s.command.ReactivateIDPConfig(ctx, id.Id, authz.GetCtxData(ctx).OrgID)
-	if err != nil {
+	return &empty.Empty{}, err
-		return nil, err
-	}
-	return idpFromModel(config), nil
 }
 
 func (s *Server) RemoveIdpConfig(ctx context.Context, id *management.IdpID) (*empty.Empty, error) {
-	err := s.org.RemoveIDPConfig(ctx, id.Id)
+	err := s.command.RemoveIDPConfig(ctx, id.Id, authz.GetCtxData(ctx).OrgID)
 	return &empty.Empty{}, err
 }
 
 func (s *Server) UpdateOidcIdpConfig(ctx context.Context, request *management.OidcIdpConfigUpdate) (*management.OidcIdpConfig, error) {
-	config, err := s.org.ChangeOIDCIDPConfig(ctx, updateOidcIdpToModel(request))
+	config, err := s.command.ChangeIDPOIDCConfig(ctx, updateOidcIdpToDomain(ctx, request))
 	if err != nil {
 		return nil, err
 	}
-	return oidcIdpConfigFromModel(config), nil
+	return oidcIdpConfigFromDomain(config), nil
 }
 
 func (s *Server) SearchIdps(ctx context.Context, request *management.IdpSearchRequest) (*management.IdpSearchResponse, error) {

internal/api/grpc/management/idp_config_converter.go

@@ -1,66 +1,72 @@
 package management
 
 import (
+	"context"
+
 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
 	caos_errors "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/eventstore/models"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
+	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/pkg/grpc/management"
 	"github.com/golang/protobuf/ptypes"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
 	"strconv"
 )
 
-func createOidcIdpToModel(idp *management.OidcIdpConfigCreate) *iam_model.IDPConfig {
+func createOidcIdpToDomain(idp *management.OidcIdpConfigCreate) *domain.IDPConfig {
-	return &iam_model.IDPConfig{
+	return &domain.IDPConfig{
 		Name:        idp.Name,
-		StylingType: idpConfigStylingTypeToModel(idp.StylingType),
+		StylingType: idpConfigStylingTypeToDomain(idp.StylingType),
-		Type:        iam_model.IDPConfigTypeOIDC,
+		Type:        domain.IDPConfigTypeOIDC,
-		OIDCConfig: &iam_model.OIDCIDPConfig{
+		OIDCConfig: &domain.OIDCIDPConfig{
 			ClientID:              idp.ClientId,
 			ClientSecretString:    idp.ClientSecret,
 			Issuer:                idp.Issuer,
 			Scopes:                idp.Scopes,
-			IDPDisplayNameMapping: oidcMappingFieldToModel(idp.IdpDisplayNameMapping),
+			IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping),
-			UsernameMapping:       oidcMappingFieldToModel(idp.UsernameMapping),
+			UsernameMapping:       oidcMappingFieldToDomain(idp.UsernameMapping),
 		},
 	}
 }
 
-func updateIdpToModel(idp *management.IdpUpdate) *iam_model.IDPConfig {
+func updateIdpToDomain(ctx context.Context, idp *management.IdpUpdate) *domain.IDPConfig {
-	return &iam_model.IDPConfig{
+	return &domain.IDPConfig{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		IDPConfigID: idp.Id,
 		Name:        idp.Name,
-		StylingType: idpConfigStylingTypeToModel(idp.StylingType),
+		StylingType: idpConfigStylingTypeToDomain(idp.StylingType),
 	}
 }
 
-func updateOidcIdpToModel(idp *management.OidcIdpConfigUpdate) *iam_model.OIDCIDPConfig {
+func updateOidcIdpToDomain(ctx context.Context, idp *management.OidcIdpConfigUpdate) *domain.OIDCIDPConfig {
-	return &iam_model.OIDCIDPConfig{
+	return &domain.OIDCIDPConfig{
+		ObjectRoot: models.ObjectRoot{
+			AggregateID: authz.GetCtxData(ctx).OrgID,
+		},
 		IDPConfigID:           idp.IdpId,
 		ClientID:              idp.ClientId,
 		ClientSecretString:    idp.ClientSecret,
 		Issuer:                idp.Issuer,
 		Scopes:                idp.Scopes,
-		IDPDisplayNameMapping: oidcMappingFieldToModel(idp.IdpDisplayNameMapping),
+		IDPDisplayNameMapping: oidcMappingFieldToDomain(idp.IdpDisplayNameMapping),
-		UsernameMapping:       oidcMappingFieldToModel(idp.UsernameMapping),
+		UsernameMapping:       oidcMappingFieldToDomain(idp.UsernameMapping),
 	}
 }
 
-func idpFromModel(idp *iam_model.IDPConfig) *management.Idp {
+func idpFromDomain(idp *domain.IDPConfig) *management.Idp {
-	creationDate, err := ptypes.TimestampProto(idp.CreationDate)
-	logging.Log("GRPC-8dju8").OnError(err).Debug("date parse failed")
-
-	changeDate, err := ptypes.TimestampProto(idp.ChangeDate)
-	logging.Log("GRPC-Dsj8i").OnError(err).Debug("date parse failed")
-
 	return &management.Idp{
 		Id:          idp.IDPConfigID,
-		CreationDate: creationDate,
+		ChangeDate:  timestamppb.New(idp.ChangeDate),
-		ChangeDate:   changeDate,
 		Sequence:    idp.Sequence,
 		Name:        idp.Name,
-		StylingType:  idpConfigStylingTypeFromModel(idp.StylingType),
+		StylingType: idpConfigStylingTypeFromDomain(idp.StylingType),
-		State:        idpConfigStateFromModel(idp.State),
+		State:       idpConfigStateFromDomain(idp.State),
-		IdpConfig:    idpConfigFromModel(idp),
+		IdpConfig:   idpConfigFromDomain(idp),
 	}
 }
 
@@ -84,6 +90,15 @@ func idpViewFromModel(idp *iam_model.IDPConfigView) *management.IdpView {
 	}
 }
 
+func idpConfigFromDomain(idp *domain.IDPConfig) *management.Idp_OidcConfig {
+	if idp.Type == domain.IDPConfigTypeOIDC {
+		return &management.Idp_OidcConfig{
+			OidcConfig: oidcIdpConfigFromDomain(idp.OIDCConfig),
+		}
+	}
+	return nil
+}
+
 func idpConfigFromModel(idp *iam_model.IDPConfig) *management.Idp_OidcConfig {
 	if idp.Type == iam_model.IDPConfigTypeOIDC {
 		return &management.Idp_OidcConfig{
@@ -93,6 +108,16 @@ func idpConfigFromModel(idp *iam_model.IDPConfig) *management.Idp_OidcConfig {
 	return nil
 }
 
+func oidcIdpConfigFromDomain(idp *domain.OIDCIDPConfig) *management.OidcIdpConfig {
+	return &management.OidcIdpConfig{
+		ClientId:              idp.ClientID,
+		Issuer:                idp.Issuer,
+		Scopes:                idp.Scopes,
+		IdpDisplayNameMapping: oidcMappingFieldFromDomain(idp.IDPDisplayNameMapping),
+		UsernameMapping:       oidcMappingFieldFromDomain(idp.UsernameMapping),
+	}
+}
+
 func oidcIdpConfigFromModel(idp *iam_model.OIDCIDPConfig) *management.OidcIdpConfig {
 	return &management.OidcIdpConfig{
 		ClientId:              idp.ClientID,
@@ -122,6 +147,17 @@ func oidcIdpConfigViewFromModel(idp *iam_model.IDPConfigView) *management.OidcId
 	}
 }
 
+func idpConfigStateFromDomain(state domain.IDPConfigState) management.IdpState {
+	switch state {
+	case domain.IDPConfigStateActive:
+		return management.IdpState_IDPCONFIGSTATE_ACTIVE
+	case domain.IDPConfigStateInactive:
+		return management.IdpState_IDPCONFIGSTATE_INACTIVE
+	default:
+		return management.IdpState_IDPCONFIGSTATE_UNSPECIFIED
+	}
+}
+
 func idpConfigStateFromModel(state iam_model.IDPConfigState) management.IdpState {
 	switch state {
 	case iam_model.IDPConfigStateActive:
@@ -210,6 +246,17 @@ func idpConfigsFromView(viewIdps []*iam_model.IDPConfigView) []*management.IdpVi
 	return idps
 }
 
+func oidcMappingFieldFromDomain(field domain.OIDCMappingField) management.OIDCMappingField {
+	switch field {
+	case domain.OIDCMappingFieldPreferredLoginName:
+		return management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME
+	case domain.OIDCMappingFieldEmail:
+		return management.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL
+	default:
+		return management.OIDCMappingField_OIDCMAPPINGFIELD_UNSPECIFIED
+	}
+}
+
 func oidcMappingFieldFromModel(field iam_model.OIDCMappingField) management.OIDCMappingField {
 	switch field {
 	case iam_model.OIDCMappingFieldPreferredLoginName:
@@ -221,6 +268,17 @@ func oidcMappingFieldFromModel(field iam_model.OIDCMappingField) management.OIDC
 	}
 }
 
+func oidcMappingFieldToDomain(field management.OIDCMappingField) domain.OIDCMappingField {
+	switch field {
+	case management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME:
+		return domain.OIDCMappingFieldPreferredLoginName
+	case management.OIDCMappingField_OIDCMAPPINGFIELD_EMAIL:
+		return domain.OIDCMappingFieldEmail
+	default:
+		return domain.OIDCMappingFieldUnspecified
+	}
+}
+
 func oidcMappingFieldToModel(field management.OIDCMappingField) iam_model.OIDCMappingField {
 	switch field {
 	case management.OIDCMappingField_OIDCMAPPINGFIELD_PREFERRED_USERNAME:
@@ -232,6 +290,15 @@ func oidcMappingFieldToModel(field management.OIDCMappingField) iam_model.OIDCMa
 	}
 }
 
+func idpConfigStylingTypeFromDomain(stylingType domain.IDPConfigStylingType) management.IdpStylingType {
+	switch stylingType {
+	case domain.IDPConfigStylingTypeGoogle:
+		return management.IdpStylingType_IDPSTYLINGTYPE_GOOGLE
+	default:
+		return management.IdpStylingType_IDPSTYLINGTYPE_UNSPECIFIED
+	}
+}
+
 func idpConfigStylingTypeFromModel(stylingType iam_model.IDPStylingType) management.IdpStylingType {
 	switch stylingType {
 	case iam_model.IDPStylingTypeGoogle:
@@ -241,12 +308,12 @@ func idpConfigStylingTypeFromModel(stylingType iam_model.IDPStylingType) managem
 	}
 }
 
-func idpConfigStylingTypeToModel(stylingType management.IdpStylingType) iam_model.IDPStylingType {
+func idpConfigStylingTypeToDomain(stylingType management.IdpStylingType) domain.IDPConfigStylingType {
 	switch stylingType {
 	case management.IdpStylingType_IDPSTYLINGTYPE_GOOGLE:
-		return iam_model.IDPStylingTypeGoogle
+		return domain.IDPConfigStylingTypeGoogle
 	default:
-		return iam_model.IDPStylingTypeUnspecified
+		return domain.IDPConfigStylingTypeUnspecified
 	}
 }
 

internal/api/grpc/management/login_policy_converter.go

@@ -32,7 +32,6 @@ func loginPolicyFromDomain(policy *domain.LoginPolicy) *management.LoginPolicy {
 		AllowUsernamePassword: policy.AllowUsernamePassword,
 		AllowExternalIdp:      policy.AllowExternalIdp,
 		AllowRegister:         policy.AllowRegister,
-		CreationDate:          timestamppb.New(policy.CreationDate),
 		ChangeDate:            timestamppb.New(policy.ChangeDate),
 		ForceMfa:              policy.ForceMFA,
 		PasswordlessType:      passwordlessTypeFromDomain(policy.PasswordlessType),

internal/api/grpc/management/org_converter.go

@@ -24,7 +24,6 @@ import (
 func orgFromDomain(org *domain.Org) *management.Org {
 	return &management.Org{
 		ChangeDate: timestamppb.New(org.ChangeDate),
-		CreationDate: timestamppb.New(org.CreationDate),
 		Id:         org.AggregateID,
 		Name:       org.Name,
 		State:      orgStateFromDomain(org.State),
@@ -140,7 +139,6 @@ func removeOrgDomainToDomain(ctx context.Context, ordDomain *management.RemoveOr
 func orgDomainFromDomain(orgDomain *domain.OrgDomain) *management.OrgDomain {
 	return &management.OrgDomain{
 		ChangeDate: timestamppb.New(orgDomain.ChangeDate),
-		CreationDate: timestamppb.New(orgDomain.CreationDate),
 		OrgId:      orgDomain.AggregateID,
 		Domain:     orgDomain.Domain,
 		Verified:   orgDomain.Verified,

internal/api/grpc/management/org_member_converter.go

@@ -25,7 +25,6 @@ func changeOrgMemberToModel(ctx context.Context, member *management.ChangeOrgMem
 func orgMemberFromDomain(member *domain.Member) *management.OrgMember {
 	return &management.OrgMember{
 		UserId:     member.UserID,
-		CreationDate: timestamppb.New(member.CreationDate),
 		ChangeDate: timestamppb.New(member.ChangeDate),
 		Roles:      member.Roles,
 		Sequence:   member.Sequence,

internal/api/grpc/management/password_age_policy_converter.go

@@ -27,7 +27,6 @@ func passwordAgePolicyFromDomain(policy *domain.PasswordAgePolicy) *management.P
 	return &management.PasswordAgePolicy{
 		MaxAgeDays:     policy.MaxAgeDays,
 		ExpireWarnDays: policy.ExpireWarnDays,
-		CreationDate:   timestamppb.New(policy.CreationDate),
 		ChangeDate:     timestamppb.New(policy.ChangeDate),
 	}
 }

internal/api/grpc/management/password_complexity_policy_converter.go

@@ -33,7 +33,6 @@ func passwordComplexityPolicyFromDomain(policy *domain.PasswordComplexityPolicy)
 		HasUppercase: policy.HasUppercase,
 		HasSymbol:    policy.HasSymbol,
 		HasNumber:    policy.HasNumber,
-		CreationDate: timestamppb.New(policy.CreationDate),
 		ChangeDate:   timestamppb.New(policy.ChangeDate),
 	}
 }

internal/api/grpc/management/password_lockout_policy_converter.go

@@ -27,7 +27,6 @@ func passwordLockoutPolicyFromDomain(policy *domain.PasswordLockoutPolicy) *mana
 	return &management.PasswordLockoutPolicy{
 		MaxAttempts:        policy.MaxAttempts,
 		ShowLockoutFailure: policy.ShowLockOutFailures,
-		CreationDate:       timestamppb.New(policy.CreationDate),
 		ChangeDate:         timestamppb.New(policy.ChangeDate),
 	}
 }

internal/management/repository/org.go

@@ -11,7 +11,6 @@ import (
 type OrgRepository interface {
 	OrgByID(ctx context.Context, id string) (*org_model.OrgView, error)
 	OrgByDomainGlobal(ctx context.Context, domain string) (*org_model.OrgView, error)
-	UpdateOrg(ctx context.Context, org *org_model.Org) (*org_model.Org, error)
 	OrgChanges(ctx context.Context, id string, lastSequence uint64, limit uint64, sortAscending bool) (*org_model.OrgChanges, error)
 
 	SearchMyOrgDomains(ctx context.Context, request *org_model.OrgDomainSearchRequest) (*org_model.OrgDomainSearchResponse, error)
@@ -22,29 +21,14 @@ type OrgRepository interface {
 
 	SearchIDPConfigs(ctx context.Context, request *iam_model.IDPConfigSearchRequest) (*iam_model.IDPConfigSearchResponse, error)
 	IDPConfigByID(ctx context.Context, id string) (*iam_model.IDPConfigView, error)
-	AddOIDCIDPConfig(ctx context.Context, idp *iam_model.IDPConfig) (*iam_model.IDPConfig, error)
-	ChangeIDPConfig(ctx context.Context, idp *iam_model.IDPConfig) (*iam_model.IDPConfig, error)
-	DeactivateIDPConfig(ctx context.Context, idpConfigID string) (*iam_model.IDPConfig, error)
-	ReactivateIDPConfig(ctx context.Context, idpConfigID string) (*iam_model.IDPConfig, error)
-	RemoveIDPConfig(ctx context.Context, idpConfigID string) error
-	ChangeOIDCIDPConfig(ctx context.Context, oidcConfig *iam_model.OIDCIDPConfig) (*iam_model.OIDCIDPConfig, error)
 
 	GetMyOrgIamPolicy(ctx context.Context) (*iam_model.OrgIAMPolicyView, error)
 
 	GetLoginPolicy(ctx context.Context) (*iam_model.LoginPolicyView, error)
 	GetDefaultLoginPolicy(ctx context.Context) (*iam_model.LoginPolicyView, error)
-	AddLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error)
-	ChangeLoginPolicy(ctx context.Context, policy *iam_model.LoginPolicy) (*iam_model.LoginPolicy, error)
-	RemoveLoginPolicy(ctx context.Context) error
 	SearchIDPProviders(ctx context.Context, request *iam_model.IDPProviderSearchRequest) (*iam_model.IDPProviderSearchResponse, error)
-	AddIDPProviderToLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) (*iam_model.IDPProvider, error)
-	RemoveIDPProviderFromLoginPolicy(ctx context.Context, provider *iam_model.IDPProvider) error
 	SearchSecondFactors(ctx context.Context) (*iam_model.SecondFactorsSearchResponse, error)
-	AddSecondFactorToLoginPolicy(ctx context.Context, mfa iam_model.SecondFactorType) (iam_model.SecondFactorType, error)
-	RemoveSecondFactorFromLoginPolicy(ctx context.Context, mfa iam_model.SecondFactorType) error
 	SearchMultiFactors(ctx context.Context) (*iam_model.MultiFactorsSearchResponse, error)
-	AddMultiFactorToLoginPolicy(ctx context.Context, mfa iam_model.MultiFactorType) (iam_model.MultiFactorType, error)
-	RemoveMultiFactorFromLoginPolicy(ctx context.Context, mfa iam_model.MultiFactorType) error
 
 	GetPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error)
 	GetDefaultPasswordComplexityPolicy(ctx context.Context) (*iam_model.PasswordComplexityPolicyView, error)

internal/v2/command/iam_converter.go

@@ -86,7 +86,7 @@ func writeModelToPasswordLockoutPolicy(wm *PasswordLockoutPolicyWriteModel) *dom
 	}
 }
 
-func writeModelToIDPConfig(wm *IAMIDPConfigWriteModel) *domain.IDPConfig {
+func writeModelToIDPConfig(wm *IDPConfigWriteModel) *domain.IDPConfig {
 	return &domain.IDPConfig{
 		ObjectRoot:  writeModelToObjectRoot(wm.WriteModel),
 		OIDCConfig:  writeModelToIDPOIDCConfig(wm.OIDCConfig),

internal/v2/command/iam_idp_config.go

@@ -55,7 +55,7 @@ func (r *CommandSide) AddDefaultIDPConfig(ctx context.Context, config *domain.ID
 	if err != nil {
 		return nil, err
 	}
-	return writeModelToIDPConfig(addedConfig), nil
+	return writeModelToIDPConfig(&addedConfig.IDPConfigWriteModel), nil
 }
 
 func (r *CommandSide) ChangeDefaultIDPConfig(ctx context.Context, config *domain.IDPConfig) (*domain.IDPConfig, error) {
@@ -78,44 +78,35 @@ func (r *CommandSide) ChangeDefaultIDPConfig(ctx context.Context, config *domain
 	if err != nil {
 		return nil, err
 	}
-	return writeModelToIDPConfig(existingIDP), nil
+	return writeModelToIDPConfig(&existingIDP.IDPConfigWriteModel), nil
 }
 
-func (r *CommandSide) DeactivateDefaultIDPConfig(ctx context.Context, idpID string) (*domain.IDPConfig, error) {
+func (r *CommandSide) DeactivateDefaultIDPConfig(ctx context.Context, idpID string) error {
 	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, idpID)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if existingIDP.State != domain.IDPConfigStateActive {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-4M9so", "Errors.IAM.IDPConfig.NotActive")
+		return caos_errs.ThrowPreconditionFailed(nil, "IAM-4M9so", "Errors.IAM.IDPConfig.NotActive")
 	}
 	iamAgg := IAMAggregateFromWriteModel(&existingIDP.WriteModel)
 	iamAgg.PushEvents(iam_repo.NewIDPConfigDeactivatedEvent(ctx, idpID))
 
-	err = r.eventstore.PushAggregate(ctx, existingIDP, iamAgg)
+	return r.eventstore.PushAggregate(ctx, existingIDP, iamAgg)
-	if err != nil {
-		return nil, err
-	}
-	return writeModelToIDPConfig(existingIDP), nil
 }
 
-func (r *CommandSide) ReactivateDefaultIDPConfig(ctx context.Context, idpID string) (*domain.IDPConfig, error) {
+func (r *CommandSide) ReactivateDefaultIDPConfig(ctx context.Context, idpID string) error {
 	existingIDP, err := r.iamIDPConfigWriteModelByID(ctx, idpID)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if existingIDP.State != domain.IDPConfigStateInactive {
-		return nil, caos_errs.ThrowPreconditionFailed(nil, "IAM-5Mo0d", "Errors.IAM.IDPConfig.NotInactive")
+		return caos_errs.ThrowPreconditionFailed(nil, "IAM-5Mo0d", "Errors.IAM.IDPConfig.NotInactive")
 	}
 	iamAgg := IAMAggregateFromWriteModel(&existingIDP.WriteModel)
 	iamAgg.PushEvents(iam_repo.NewIDPConfigReactivatedEvent(ctx, idpID))
 
-	err = r.eventstore.PushAggregate(ctx, existingIDP, iamAgg)
+	return r.eventstore.PushAggregate(ctx, existingIDP, iamAgg)
-	if err != nil {
-		return nil, err
-	}
-
-	return writeModelToIDPConfig(existingIDP), nil
 }
 
 func (r *CommandSide) RemoveDefaultIDPConfig(ctx context.Context, idpID string) error {

internal/v2/command/iam_idp_config_model.go

@@ -6,6 +6,7 @@ import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/v2/repository/idpconfig"
 )
 
 type IAMIDPConfigWriteModel struct {
@@ -88,16 +89,19 @@ func (wm *IAMIDPConfigWriteModel) NewChangedEvent(
 	stylingType domain.IDPConfigStylingType,
 ) (*iam.IDPConfigChangedEvent, bool) {
 
-	hasChanged := false
+	changes := make([]idpconfig.IDPConfigChanges, 0)
-	changedEvent := iam.NewIDPConfigChangedEvent(ctx)
-	changedEvent.ConfigID = configID
 	if wm.Name != name {
-		hasChanged = true
+		changes = append(changes, idpconfig.ChangeName(name))
-		changedEvent.Name = name
 	}
 	if stylingType.Valid() && wm.StylingType != stylingType {
-		hasChanged = true
+		changes = append(changes, idpconfig.ChangeStyleType(stylingType))
-		changedEvent.StylingType = stylingType
 	}
-	return changedEvent, hasChanged
+	if len(changes) == 0 {
+		return nil, false
+	}
+	changeEvent, err := iam.NewIDPConfigChangedEvent(ctx, configID, changes)
+	if err != nil {
+		return nil, false
+	}
+	return changeEvent, true
 }

internal/v2/command/iam_idp_oidc_config.go

@@ -19,6 +19,7 @@ func (r *CommandSide) ChangeDefaultIDPOIDCConfig(ctx context.Context, config *do
 
 	changedEvent, hasChanged, err := existingConfig.NewChangedEvent(
 		ctx,
+		config.IDPConfigID,
 		config.ClientID,
 		config.Issuer,
 		config.ClientSecretString,

internal/v2/command/iam_idp_oidc_config_model.go

@@ -8,14 +8,15 @@ import (
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/v2/domain"
 	"github.com/caos/zitadel/internal/v2/repository/iam"
+	"github.com/caos/zitadel/internal/v2/repository/idpconfig"
 )
 
-type IDPOIDCConfigWriteModel struct {
+type IAMIDPOIDCConfigWriteModel struct {
 	OIDCConfigWriteModel
 }
 
-func NewIAMIDPOIDCConfigWriteModel(idpConfigID string) *IDPOIDCConfigWriteModel {
+func NewIAMIDPOIDCConfigWriteModel(idpConfigID string) *IAMIDPOIDCConfigWriteModel {
-	return &IDPOIDCConfigWriteModel{
+	return &IAMIDPOIDCConfigWriteModel{
 		OIDCConfigWriteModel{
 			WriteModel: eventstore.WriteModel{
 				AggregateID:   domain.IAMID,
@@ -26,7 +27,7 @@ func NewIAMIDPOIDCConfigWriteModel(idpConfigID string) *IDPOIDCConfigWriteModel
 	}
 }
 
-func (wm *IDPOIDCConfigWriteModel) AppendEvents(events ...eventstore.EventReader) {
+func (wm *IAMIDPOIDCConfigWriteModel) AppendEvents(events ...eventstore.EventReader) {
 	for _, event := range events {
 		switch e := event.(type) {
 		case *iam.IDPOIDCConfigAddedEvent:
@@ -60,21 +61,22 @@ func (wm *IDPOIDCConfigWriteModel) AppendEvents(events ...eventstore.EventReader
 	}
 }
 
-func (wm *IDPOIDCConfigWriteModel) Reduce() error {
+func (wm *IAMIDPOIDCConfigWriteModel) Reduce() error {
 	if err := wm.OIDCConfigWriteModel.Reduce(); err != nil {
 		return err
 	}
 	return wm.WriteModel.Reduce()
 }
 
-func (wm *IDPOIDCConfigWriteModel) Query() *eventstore.SearchQueryBuilder {
+func (wm *IAMIDPOIDCConfigWriteModel) Query() *eventstore.SearchQueryBuilder {
 	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, iam.AggregateType).
 		AggregateIDs(wm.AggregateID).
 		ResourceOwner(wm.ResourceOwner)
 }
 
-func (wm *IDPOIDCConfigWriteModel) NewChangedEvent(
+func (wm *IAMIDPOIDCConfigWriteModel) NewChangedEvent(
 	ctx context.Context,
+	idpConfigID,
 	clientID,
 	issuer,
 	clientSecretString string,
@@ -83,8 +85,8 @@ func (wm *IDPOIDCConfigWriteModel) NewChangedEvent(
 	userNameMapping domain.OIDCMappingField,
 	scopes ...string,
 ) (*iam.IDPOIDCConfigChangedEvent, bool, error) {
-	hasChanged := false
+
-	changedEvent := iam.NewIDPOIDCConfigChangedEvent(ctx)
+	changes := make([]idpconfig.OIDCConfigChanges, 0)
 	var clientSecret *crypto.CryptoValue
 	var err error
 	if clientSecretString != "" {
@@ -92,27 +94,29 @@ func (wm *IDPOIDCConfigWriteModel) NewChangedEvent(
 		if err != nil {
 			return nil, false, err
 		}
-		changedEvent.ClientSecret = clientSecret
+		changes = append(changes, idpconfig.ChangeClientSecret(clientSecret))
 	}
 	if wm.ClientID != clientID {
-		hasChanged = true
+		changes = append(changes, idpconfig.ChangeClientID(clientID))
-		changedEvent.ClientID = clientID
 	}
 	if wm.Issuer != issuer {
-		hasChanged = true
+		changes = append(changes, idpconfig.ChangeIssuer(issuer))
-		changedEvent.Issuer = issuer
 	}
 	if idpDisplayNameMapping.Valid() && wm.IDPDisplayNameMapping != idpDisplayNameMapping {
-		hasChanged = true
+		changes = append(changes, idpconfig.ChangeIDPDisplayNameMapping(idpDisplayNameMapping))
-		changedEvent.IDPDisplayNameMapping = idpDisplayNameMapping
 	}
 	if userNameMapping.Valid() && wm.UserNameMapping != userNameMapping {
-		hasChanged = true
+		changes = append(changes, idpconfig.ChangeUserNameMapping(userNameMapping))
-		changedEvent.UserNameMapping = userNameMapping
 	}
 	if reflect.DeepEqual(wm.Scopes, scopes) {
-		hasChanged = true
+		changes = append(changes, idpconfig.ChangeScopes(scopes))
-		changedEvent.Scopes = scopes
 	}
-	return changedEvent, hasChanged, nil
+	if len(changes) == 0 {
+		return nil, false, nil
+	}
+	changeEvent, err := iam.NewIDPOIDCConfigChangedEvent(ctx, idpConfigID, changes)
+	if err != nil {
+		return nil, false, err
+	}
+	return changeEvent, true, nil
 }

internal/v2/command/idp_config_model.go

@@ -62,11 +62,11 @@ func (rm *IDPConfigWriteModel) reduceConfigAddedEvent(e *idpconfig.IDPConfigAdde
 }
 
 func (rm *IDPConfigWriteModel) reduceConfigChangedEvent(e *idpconfig.IDPConfigChangedEvent) {
-	if e.Name != "" {
+	if e.Name != nil {
-		rm.Name = e.Name
+		rm.Name = *e.Name
 	}
-	if e.StylingType.Valid() {
+	if e.StylingType != nil && e.StylingType.Valid() {
-		rm.StylingType = e.StylingType
+		rm.StylingType = *e.StylingType
 	}
 }
 

internal/v2/command/oidc_config_model.go

@@ -52,19 +52,19 @@ func (wm *OIDCConfigWriteModel) reduceConfigAddedEvent(e *idpconfig.OIDCConfigAd
 }
 
 func (wm *OIDCConfigWriteModel) reduceConfigChangedEvent(e *idpconfig.OIDCConfigChangedEvent) {
-	if e.ClientID != "" {
+	if e.ClientID != nil {
-		wm.ClientID = e.ClientID
+		wm.ClientID = *e.ClientID
 	}
-	if e.Issuer != "" {
+	if e.Issuer != nil {
-		wm.Issuer = e.Issuer
+		wm.Issuer = *e.Issuer
 	}
 	if len(e.Scopes) > 0 {
 		wm.Scopes = e.Scopes
 	}
-	if e.IDPDisplayNameMapping.Valid() {
+	if e.IDPDisplayNameMapping != nil && e.IDPDisplayNameMapping.Valid() {
-		wm.IDPDisplayNameMapping = e.IDPDisplayNameMapping
+		wm.IDPDisplayNameMapping = *e.IDPDisplayNameMapping
 	}
-	if e.UserNameMapping.Valid() {
+	if e.UserNameMapping != nil && e.UserNameMapping.Valid() {
-		wm.UserNameMapping = e.UserNameMapping
+		wm.UserNameMapping = *e.UserNameMapping
 	}
 }

internal/v2/command/org_idp_config.go

@@ -0,0 +1,146 @@
+package command
+
+import (
+	"context"
+
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/telemetry/tracing"
+	"github.com/caos/zitadel/internal/v2/domain"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/v2/repository/org"
+	org_repo "github.com/caos/zitadel/internal/v2/repository/org"
+)
+
+func (r *CommandSide) AddIDPConfig(ctx context.Context, config *domain.IDPConfig) (*domain.IDPConfig, error) {
+	if config.OIDCConfig == nil {
+		return nil, errors.ThrowInvalidArgument(nil, "Org-eUpQU", "Errors.idp.config.notset")
+	}
+
+	idpConfigID, err := r.idGenerator.Next()
+	if err != nil {
+		return nil, err
+	}
+	//TODO: check name unique on aggregate
+	addedConfig := NewOrgIDPConfigWriteModel(idpConfigID, config.AggregateID)
+
+	clientSecret, err := crypto.Crypt([]byte(config.OIDCConfig.ClientSecretString), r.idpConfigSecretCrypto)
+	if err != nil {
+		return nil, err
+	}
+
+	orgAgg := OrgAggregateFromWriteModel(&addedConfig.WriteModel)
+	orgAgg.PushEvents(
+		org_repo.NewIDPConfigAddedEvent(
+			ctx,
+			idpConfigID,
+			config.Name,
+			config.Type,
+			config.StylingType,
+		),
+	)
+	orgAgg.PushEvents(
+		org_repo.NewIDPOIDCConfigAddedEvent(
+			ctx, config.OIDCConfig.ClientID,
+			idpConfigID,
+			config.OIDCConfig.Issuer,
+			clientSecret,
+			config.OIDCConfig.IDPDisplayNameMapping,
+			config.OIDCConfig.UsernameMapping,
+			config.OIDCConfig.Scopes...,
+		),
+	)
+	err = r.eventstore.PushAggregate(ctx, addedConfig, orgAgg)
+	if err != nil {
+		return nil, err
+	}
+	return writeModelToIDPConfig(&addedConfig.IDPConfigWriteModel), nil
+}
+
+func (r *CommandSide) ChangeIDPConfig(ctx context.Context, config *domain.IDPConfig) (*domain.IDPConfig, error) {
+	existingIDP, err := r.orgIDPConfigWriteModelByID(ctx, config.IDPConfigID, config.AggregateID)
+	if err != nil {
+		return nil, err
+	}
+	if existingIDP.State == domain.IDPConfigStateRemoved || existingIDP.State == domain.IDPConfigStateUnspecified {
+		return nil, caos_errs.ThrowNotFound(nil, "Org-4M9so", "Errors.Org.IDPConfig.NotExisting")
+	}
+
+	changedEvent, hasChanged := existingIDP.NewChangedEvent(ctx, config.IDPConfigID, config.Name, config.StylingType)
+	if !hasChanged {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "Org-4M9vs", "Errors.Org.LabelPolicy.NotChanged")
+	}
+	orgAgg := OrgAggregateFromWriteModel(&existingIDP.WriteModel)
+	orgAgg.PushEvents(changedEvent)
+
+	err = r.eventstore.PushAggregate(ctx, existingIDP, orgAgg)
+	if err != nil {
+		return nil, err
+	}
+	return writeModelToIDPConfig(&existingIDP.IDPConfigWriteModel), nil
+}
+
+func (r *CommandSide) DeactivateIDPConfig(ctx context.Context, idpID, orgID string) error {
+	existingIDP, err := r.orgIDPConfigWriteModelByID(ctx, idpID, orgID)
+	if err != nil {
+		return err
+	}
+	if existingIDP.State != domain.IDPConfigStateActive {
+		return caos_errs.ThrowPreconditionFailed(nil, "Org-4M9so", "Errors.Org.IDPConfig.NotActive")
+	}
+	orgAgg := OrgAggregateFromWriteModel(&existingIDP.WriteModel)
+	orgAgg.PushEvents(org_repo.NewIDPConfigDeactivatedEvent(ctx, idpID))
+
+	return r.eventstore.PushAggregate(ctx, existingIDP, orgAgg)
+}
+
+func (r *CommandSide) ReactivateIDPConfig(ctx context.Context, idpID, orgID string) error {
+	existingIDP, err := r.orgIDPConfigWriteModelByID(ctx, idpID, orgID)
+	if err != nil {
+		return err
+	}
+	if existingIDP.State != domain.IDPConfigStateInactive {
+		return caos_errs.ThrowPreconditionFailed(nil, "Org-5Mo0d", "Errors.Org.IDPConfig.NotInactive")
+	}
+	orgAgg := OrgAggregateFromWriteModel(&existingIDP.WriteModel)
+	orgAgg.PushEvents(org_repo.NewIDPConfigReactivatedEvent(ctx, idpID))
+
+	return r.eventstore.PushAggregate(ctx, existingIDP, orgAgg)
+}
+
+func (r *CommandSide) RemoveIDPConfig(ctx context.Context, idpID, orgID string) error {
+	_, err := r.pushIDPWriteModel(ctx, idpID, orgID, func(a *org.Aggregate, _ *OrgIDPConfigWriteModel) *org.Aggregate {
+		a.Aggregate = *a.PushEvents(org_repo.NewIDPConfigRemovedEvent(ctx, idpID))
+		return a
+	})
+	return err
+}
+
+func (r *CommandSide) pushIDPWriteModel(ctx context.Context, idpID, orgID string, eventSetter func(*org.Aggregate, *OrgIDPConfigWriteModel) *org.Aggregate) (*OrgIDPConfigWriteModel, error) {
+	writeModel := NewOrgIDPConfigWriteModel(idpID, orgID)
+	err := r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+
+	aggregate := eventSetter(OrgAggregateFromWriteModel(&writeModel.WriteModel), writeModel)
+	err = r.eventstore.PushAggregate(ctx, writeModel, aggregate)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModel, nil
+}
+
+func (r *CommandSide) orgIDPConfigWriteModelByID(ctx context.Context, idpID, orgID string) (policy *OrgIDPConfigWriteModel, err error) {
+	ctx, span := tracing.NewSpan(ctx)
+	defer func() { span.EndWithError(err) }()
+
+	writeModel := NewOrgIDPConfigWriteModel(idpID, orgID)
+	err = r.eventstore.FilterToQueryReducer(ctx, writeModel)
+	if err != nil {
+		return nil, err
+	}
+	return writeModel, nil
+}

internal/v2/command/org_idp_config_model.go

@@ -0,0 +1,107 @@
+package command
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/idpconfig"
+	"github.com/caos/zitadel/internal/v2/repository/org"
+)
+
+type OrgIDPConfigWriteModel struct {
+	IDPConfigWriteModel
+}
+
+func NewOrgIDPConfigWriteModel(configID, orgID string) *OrgIDPConfigWriteModel {
+	return &OrgIDPConfigWriteModel{
+		IDPConfigWriteModel{
+			WriteModel: eventstore.WriteModel{
+				AggregateID:   orgID,
+				ResourceOwner: orgID,
+			},
+			ConfigID: configID,
+		},
+	}
+}
+
+func (wm *OrgIDPConfigWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, org.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
+}
+
+func (wm *OrgIDPConfigWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *org.IDPConfigAddedEvent:
+			if wm.ConfigID != e.ConfigID {
+				continue
+			}
+			wm.IDPConfigWriteModel.AppendEvents(&e.IDPConfigAddedEvent)
+		case *org.IDPConfigChangedEvent:
+			if wm.ConfigID != e.ConfigID {
+				continue
+			}
+			wm.IDPConfigWriteModel.AppendEvents(&e.IDPConfigChangedEvent)
+		case *org.IDPConfigDeactivatedEvent:
+			if wm.ConfigID != e.ConfigID {
+				continue
+			}
+			wm.IDPConfigWriteModel.AppendEvents(&e.IDPConfigDeactivatedEvent)
+		case *org.IDPConfigReactivatedEvent:
+			if wm.ConfigID != e.ConfigID {
+				continue
+			}
+			wm.IDPConfigWriteModel.AppendEvents(&e.IDPConfigReactivatedEvent)
+		case *org.IDPConfigRemovedEvent:
+			if wm.ConfigID != e.ConfigID {
+				continue
+			}
+			wm.IDPConfigWriteModel.AppendEvents(&e.IDPConfigRemovedEvent)
+		case *org.IDPOIDCConfigAddedEvent:
+			if wm.ConfigID != e.IDPConfigID {
+				continue
+			}
+			wm.IDPConfigWriteModel.AppendEvents(&e.OIDCConfigAddedEvent)
+		case *org.IDPOIDCConfigChangedEvent:
+			if wm.ConfigID != e.IDPConfigID {
+				continue
+			}
+			wm.IDPConfigWriteModel.AppendEvents(&e.OIDCConfigChangedEvent)
+		}
+	}
+}
+
+func (wm *OrgIDPConfigWriteModel) Reduce() error {
+	return wm.IDPConfigWriteModel.Reduce()
+}
+
+func (wm *OrgIDPConfigWriteModel) AppendAndReduce(events ...eventstore.EventReader) error {
+	wm.AppendEvents(events...)
+	return wm.Reduce()
+}
+
+func (wm *OrgIDPConfigWriteModel) NewChangedEvent(
+	ctx context.Context,
+	configID,
+	name string,
+	stylingType domain.IDPConfigStylingType,
+) (*org.IDPConfigChangedEvent, bool) {
+
+	changes := make([]idpconfig.IDPConfigChanges, 0)
+	if wm.Name != name {
+		changes = append(changes, idpconfig.ChangeName(name))
+	}
+	if stylingType.Valid() && wm.StylingType != stylingType {
+		changes = append(changes, idpconfig.ChangeStyleType(stylingType))
+	}
+	if len(changes) == 0 {
+		return nil, false
+	}
+	changeEvent, err := org.NewIDPConfigChangedEvent(ctx, configID, changes)
+	if err != nil {
+		return nil, false
+	}
+	return changeEvent, true
+}

internal/v2/command/org_idp_oidc_config.go

@@ -0,0 +1,46 @@
+package command
+
+import (
+	"context"
+	caos_errs "github.com/caos/zitadel/internal/errors"
+	"github.com/caos/zitadel/internal/v2/domain"
+)
+
+func (r *CommandSide) ChangeIDPOIDCConfig(ctx context.Context, config *domain.OIDCIDPConfig) (*domain.OIDCIDPConfig, error) {
+	existingConfig := NewOrgIDPOIDCConfigWriteModel(config.IDPConfigID, config.AggregateID)
+	err := r.eventstore.FilterToQueryReducer(ctx, existingConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	if existingConfig.State == domain.IDPConfigStateRemoved || existingConfig.State == domain.IDPConfigStateUnspecified {
+		return nil, caos_errs.ThrowAlreadyExists(nil, "Org-67J9d", "Errors.Org.IDPConfig.AlreadyExists")
+	}
+
+	changedEvent, hasChanged, err := existingConfig.NewChangedEvent(
+		ctx,
+		config.IDPConfigID,
+		config.ClientID,
+		config.Issuer,
+		config.ClientSecretString,
+		r.idpConfigSecretCrypto,
+		config.IDPDisplayNameMapping,
+		config.UsernameMapping,
+		config.Scopes...)
+	if err != nil {
+		return nil, err
+	}
+	if !hasChanged {
+		return nil, caos_errs.ThrowPreconditionFailed(nil, "Org-4M9vs", "Errors.Org.LabelPolicy.NotChanged")
+	}
+
+	orgAgg := OrgAggregateFromWriteModel(&existingConfig.WriteModel)
+	orgAgg.PushEvents(changedEvent)
+
+	err = r.eventstore.PushAggregate(ctx, existingConfig, orgAgg)
+	if err != nil {
+		return nil, err
+	}
+
+	return writeModelToIDPOIDCConfig(&existingConfig.OIDCConfigWriteModel), nil
+}

internal/v2/command/org_idp_oidc_config_model.go

@@ -0,0 +1,122 @@
+package command
+
+import (
+	"context"
+	"reflect"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/idpconfig"
+	"github.com/caos/zitadel/internal/v2/repository/org"
+)
+
+type IDPOIDCConfigWriteModel struct {
+	OIDCConfigWriteModel
+}
+
+func NewOrgIDPOIDCConfigWriteModel(idpConfigID, orgID string) *IDPOIDCConfigWriteModel {
+	return &IDPOIDCConfigWriteModel{
+		OIDCConfigWriteModel{
+			WriteModel: eventstore.WriteModel{
+				AggregateID:   orgID,
+				ResourceOwner: orgID,
+			},
+			IDPConfigID: idpConfigID,
+		},
+	}
+}
+
+func (wm *IDPOIDCConfigWriteModel) AppendEvents(events ...eventstore.EventReader) {
+	for _, event := range events {
+		switch e := event.(type) {
+		case *org.IDPOIDCConfigAddedEvent:
+			if wm.IDPConfigID != e.IDPConfigID {
+				continue
+			}
+			wm.OIDCConfigWriteModel.AppendEvents(&e.OIDCConfigAddedEvent)
+		case *org.IDPOIDCConfigChangedEvent:
+			if wm.IDPConfigID != e.IDPConfigID {
+				continue
+			}
+			wm.OIDCConfigWriteModel.AppendEvents(&e.OIDCConfigChangedEvent)
+		case *org.IDPConfigReactivatedEvent:
+			if wm.IDPConfigID != e.ConfigID {
+				continue
+			}
+			wm.OIDCConfigWriteModel.AppendEvents(&e.IDPConfigReactivatedEvent)
+		case *org.IDPConfigDeactivatedEvent:
+			if wm.IDPConfigID != e.ConfigID {
+				continue
+			}
+			wm.OIDCConfigWriteModel.AppendEvents(&e.IDPConfigDeactivatedEvent)
+		case *org.IDPConfigRemovedEvent:
+			if wm.IDPConfigID != e.ConfigID {
+				continue
+			}
+			wm.OIDCConfigWriteModel.AppendEvents(&e.IDPConfigRemovedEvent)
+		default:
+			wm.OIDCConfigWriteModel.AppendEvents(e)
+		}
+	}
+}
+
+func (wm *IDPOIDCConfigWriteModel) Reduce() error {
+	if err := wm.OIDCConfigWriteModel.Reduce(); err != nil {
+		return err
+	}
+	return wm.WriteModel.Reduce()
+}
+
+func (wm *IDPOIDCConfigWriteModel) Query() *eventstore.SearchQueryBuilder {
+	return eventstore.NewSearchQueryBuilder(eventstore.ColumnsEvent, org.AggregateType).
+		AggregateIDs(wm.AggregateID).
+		ResourceOwner(wm.ResourceOwner)
+}
+
+func (wm *IDPOIDCConfigWriteModel) NewChangedEvent(
+	ctx context.Context,
+	idpConfigID,
+	clientID,
+	issuer,
+	clientSecretString string,
+	secretCrypto crypto.Crypto,
+	idpDisplayNameMapping,
+	userNameMapping domain.OIDCMappingField,
+	scopes ...string,
+) (*org.IDPOIDCConfigChangedEvent, bool, error) {
+
+	changes := make([]idpconfig.OIDCConfigChanges, 0)
+	var clientSecret *crypto.CryptoValue
+	var err error
+	if clientSecretString != "" {
+		clientSecret, err = crypto.Crypt([]byte(clientSecretString), secretCrypto)
+		if err != nil {
+			return nil, false, err
+		}
+		changes = append(changes, idpconfig.ChangeClientSecret(clientSecret))
+	}
+	if wm.ClientID != clientID {
+		changes = append(changes, idpconfig.ChangeClientID(clientID))
+	}
+	if wm.Issuer != issuer {
+		changes = append(changes, idpconfig.ChangeIssuer(issuer))
+	}
+	if idpDisplayNameMapping.Valid() && wm.IDPDisplayNameMapping != idpDisplayNameMapping {
+		changes = append(changes, idpconfig.ChangeIDPDisplayNameMapping(idpDisplayNameMapping))
+	}
+	if userNameMapping.Valid() && wm.UserNameMapping != userNameMapping {
+		changes = append(changes, idpconfig.ChangeUserNameMapping(userNameMapping))
+	}
+	if reflect.DeepEqual(wm.Scopes, scopes) {
+		changes = append(changes, idpconfig.ChangeScopes(scopes))
+	}
+	if len(changes) == 0 {
+		return nil, false, nil
+	}
+	changeEvent, err := org.NewIDPOIDCConfigChangedEvent(ctx, idpConfigID, changes)
+	if err != nil {
+		return nil, false, err
+	}
+	return changeEvent, true, nil
+}

internal/v2/domain/oidc_mapping_field.go

@@ -3,7 +3,8 @@ package domain
 type OIDCMappingField int32
 
 const (
-	OIDCMappingFieldPreferredLoginName OIDCMappingField = iota + 1
+	OIDCMappingFieldUnspecified OIDCMappingField = iota
+	OIDCMappingFieldPreferredLoginName
 	OIDCMappingFieldEmail
 	// count is for validation purposes
 	oidcMappingFieldCount

internal/v2/query/idp_config_model.go

@@ -80,11 +80,11 @@ func (rm *IDPConfigReadModel) reduceConfigAddedEvent(e *idpconfig.IDPConfigAdded
 }
 
 func (rm *IDPConfigReadModel) reduceConfigChangedEvent(e *idpconfig.IDPConfigChangedEvent) {
-	if e.Name != "" {
+	if e.Name != nil {
-		rm.Name = e.Name
+		rm.Name = *e.Name
 	}
-	if e.StylingType.Valid() {
+	if e.StylingType != nil && e.StylingType.Valid() {
-		rm.StylingType = e.StylingType
+		rm.StylingType = *e.StylingType
 	}
 }
 

internal/v2/query/oidc_config_model.go

@@ -43,19 +43,19 @@ func (rm *OIDCConfigReadModel) reduceConfigAddedEvent(e *idpconfig.OIDCConfigAdd
 }
 
 func (rm *OIDCConfigReadModel) reduceConfigChangedEvent(e *idpconfig.OIDCConfigChangedEvent) {
-	if e.ClientID != "" {
+	if e.ClientID != nil {
-		rm.ClientID = e.ClientID
+		rm.ClientID = *e.ClientID
 	}
-	if e.Issuer != "" {
+	if e.Issuer != nil {
-		rm.Issuer = e.Issuer
+		rm.Issuer = *e.Issuer
 	}
 	if len(e.Scopes) > 0 {
 		rm.Scopes = e.Scopes
 	}
-	if e.IDPDisplayNameMapping.Valid() {
+	if e.IDPDisplayNameMapping != nil && e.IDPDisplayNameMapping.Valid() {
-		rm.IDPDisplayNameMapping = e.IDPDisplayNameMapping
+		rm.IDPDisplayNameMapping = *e.IDPDisplayNameMapping
 	}
-	if e.UserNameMapping.Valid() {
+	if e.UserNameMapping != nil && e.UserNameMapping.Valid() {
-		rm.UserNameMapping = e.UserNameMapping
+		rm.UserNameMapping = *e.UserNameMapping
 	}
 }

internal/v2/repository/iam/idp_config.go

@@ -2,6 +2,7 @@ package iam
 
 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/eventstore/v2/repository"
 	"github.com/caos/zitadel/internal/v2/domain"
@@ -57,12 +58,18 @@ type IDPConfigChangedEvent struct {
 
 func NewIDPConfigChangedEvent(
 	ctx context.Context,
-) *IDPConfigChangedEvent {
+	configID string,
-	return &IDPConfigChangedEvent{
+	changes []idpconfig.IDPConfigChanges,
-		IDPConfigChangedEvent: *idpconfig.NewIDPConfigChangedEvent(
+) (*IDPConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewIDPConfigChangedEvent(
 		eventstore.NewBaseEventForPush(ctx, IDPConfigChangedEventType),
-		),
+		configID,
+		changes,
+	)
+	if err != nil {
+		return nil, err
 	}
+	return &IDPConfigChangedEvent{IDPConfigChangedEvent: *changeEvent}, nil
 }
 
 func IDPConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {

internal/v2/repository/iam/idp_oidc_config.go

@@ -2,6 +2,7 @@ package iam
 
 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/eventstore/v2/repository"
@@ -61,12 +62,18 @@ type IDPOIDCConfigChangedEvent struct {
 
 func NewIDPOIDCConfigChangedEvent(
 	ctx context.Context,
-) *IDPOIDCConfigChangedEvent {
+	idpConfigID string,
-	return &IDPOIDCConfigChangedEvent{
+	changes []idpconfig.OIDCConfigChanges,
-		OIDCConfigChangedEvent: *idpconfig.NewOIDCConfigChangedEvent(
+) (*IDPOIDCConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewOIDCConfigChangedEvent(
 		eventstore.NewBaseEventForPush(ctx, IDPOIDCConfigChangedEventType),
-		),
+		idpConfigID,
+		changes,
+	)
+	if err != nil {
+		return nil, err
 	}
+	return &IDPOIDCConfigChangedEvent{OIDCConfigChangedEvent: *changeEvent}, nil
 }
 
 func IDPOIDCConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {

internal/v2/repository/idpconfig/idp_config.go

@@ -2,6 +2,7 @@ package idpconfig
 
 import (
 	"encoding/json"
+
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/v2"
 	"github.com/caos/zitadel/internal/eventstore/v2/repository"
@@ -55,8 +56,8 @@ type IDPConfigChangedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
 	ConfigID    string                       `json:"idpConfigId"`
-	Name        string                      `json:"name,omitempty"`
+	Name        *string                      `json:"name,omitempty"`
-	StylingType domain.IDPConfigStylingType `json:"stylingType,omitempty"`
+	StylingType *domain.IDPConfigStylingType `json:"stylingType,omitempty"`
 }
 
 func (e *IDPConfigChangedEvent) Data() interface{} {
@@ -65,9 +66,33 @@ func (e *IDPConfigChangedEvent) Data() interface{} {
 
 func NewIDPConfigChangedEvent(
 	base *eventstore.BaseEvent,
-) *IDPConfigChangedEvent {
+	configID string,
-	return &IDPConfigChangedEvent{
+	changes []IDPConfigChanges,
+) (*IDPConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IDPCONFIG-Dsg21", "Errors.NoChangesFound")
+	}
+	changeEvent := &IDPConfigChangedEvent{
 		BaseEvent: *base,
+		ConfigID:  configID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type IDPConfigChanges func(*IDPConfigChangedEvent)
+
+func ChangeName(name string) func(*IDPConfigChangedEvent) {
+	return func(e *IDPConfigChangedEvent) {
+		e.Name = &name
+	}
+}
+
+func ChangeStyleType(styleType domain.IDPConfigStylingType) func(*IDPConfigChangedEvent) {
+	return func(e *IDPConfigChangedEvent) {
+		e.StylingType = &styleType
 	}
 }
 
@@ -87,7 +112,7 @@ func IDPConfigChangedEventMapper(event *repository.Event) (eventstore.EventReade
 type IDPConfigDeactivatedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	ConfigID string `idpConfigId`
+	ConfigID string `json:"idpConfigId"`
 }
 
 func NewIDPConfigDeactivatedEvent(
@@ -121,7 +146,7 @@ func IDPConfigDeactivatedEventMapper(event *repository.Event) (eventstore.EventR
 type IDPConfigReactivatedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	ConfigID string `idpConfigId`
+	ConfigID string `json:"idpConfigId"`
 }
 
 func NewIDPConfigReactivatedEvent(
@@ -155,7 +180,7 @@ func IDPConfigReactivatedEventMapper(event *repository.Event) (eventstore.EventR
 type IDPConfigRemovedEvent struct {
 	eventstore.BaseEvent `json:"-"`
 
-	ConfigID string `idpConfigId`
+	ConfigID string `json:"idpConfigId"`
 }
 
 func NewIDPConfigRemovedEvent(

internal/v2/repository/idpconfig/oidc_config.go

@@ -2,6 +2,7 @@ package idpconfig
 
 import (
 	"encoding/json"
+
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore/v2"
@@ -72,13 +73,13 @@ type OIDCConfigChangedEvent struct {
 
 	IDPConfigID string `json:"idpConfigId"`
 
-	ClientID     string              `json:"clientId,omitempty"`
+	ClientID     *string             `json:"clientId,omitempty"`
 	ClientSecret *crypto.CryptoValue `json:"clientSecret,omitempty"`
-	Issuer       string              `json:"issuer,omitempty"`
+	Issuer       *string             `json:"issuer,omitempty"`
 	Scopes       []string            `json:"scpoes,omitempty"`
 
-	IDPDisplayNameMapping domain.OIDCMappingField `json:"idpDisplayNameMapping,omitempty"`
+	IDPDisplayNameMapping *domain.OIDCMappingField `json:"idpDisplayNameMapping,omitempty"`
-	UserNameMapping       domain.OIDCMappingField `json:"usernameMapping,omitempty"`
+	UserNameMapping       *domain.OIDCMappingField `json:"usernameMapping,omitempty"`
 }
 
 func (e *OIDCConfigChangedEvent) Data() interface{} {
@@ -87,9 +88,57 @@ func (e *OIDCConfigChangedEvent) Data() interface{} {
 
 func NewOIDCConfigChangedEvent(
 	base *eventstore.BaseEvent,
-) *OIDCConfigChangedEvent {
+	idpConfigID string,
-	return &OIDCConfigChangedEvent{
+	changes []OIDCConfigChanges,
+) (*OIDCConfigChangedEvent, error) {
+	if len(changes) == 0 {
+		return nil, errors.ThrowPreconditionFailed(nil, "IDPCONFIG-ADzr5", "Errors.NoChangesFound")
+	}
+	changeEvent := &OIDCConfigChangedEvent{
 		BaseEvent:   *base,
+		IDPConfigID: idpConfigID,
+	}
+	for _, change := range changes {
+		change(changeEvent)
+	}
+	return changeEvent, nil
+}
+
+type OIDCConfigChanges func(*OIDCConfigChangedEvent)
+
+func ChangeClientID(clientID string) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ClientID = &clientID
+	}
+}
+
+func ChangeClientSecret(secret *crypto.CryptoValue) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.ClientSecret = secret
+	}
+}
+
+func ChangeIssuer(issuer string) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.Issuer = &issuer
+	}
+}
+
+func ChangeIDPDisplayNameMapping(idpDisplayNameMapping domain.OIDCMappingField) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.IDPDisplayNameMapping = &idpDisplayNameMapping
+	}
+}
+
+func ChangeUserNameMapping(userNameMapping domain.OIDCMappingField) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.UserNameMapping = &userNameMapping
+	}
+}
+
+func ChangeScopes(scopes []string) func(*OIDCConfigChangedEvent) {
+	return func(e *OIDCConfigChangedEvent) {
+		e.Scopes = scopes
 	}
 }
 

internal/v2/repository/org/idp_config.go

@@ -0,0 +1,168 @@
+package org
+
+import (
+	"context"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/idpconfig"
+)
+
+const (
+	IDPConfigAddedEventType       eventstore.EventType = "org.idp.config.added"
+	IDPConfigChangedEventType     eventstore.EventType = "org.idp.config.changed"
+	IDPConfigRemovedEventType     eventstore.EventType = "org.idp.config.removed"
+	IDPConfigDeactivatedEventType eventstore.EventType = "org.idp.config.deactivated"
+	IDPConfigReactivatedEventType eventstore.EventType = "org.idp.config.reactivated"
+)
+
+type IDPConfigAddedEvent struct {
+	idpconfig.IDPConfigAddedEvent
+}
+
+func NewIDPConfigAddedEvent(
+	ctx context.Context,
+	configID string,
+	name string,
+	configType domain.IDPConfigType,
+	stylingType domain.IDPConfigStylingType,
+) *IDPConfigAddedEvent {
+
+	return &IDPConfigAddedEvent{
+		IDPConfigAddedEvent: *idpconfig.NewIDPConfigAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				IDPConfigAddedEventType,
+			),
+			configID,
+			name,
+			configType,
+			stylingType,
+		),
+	}
+}
+
+func IDPConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigAddedEvent{IDPConfigAddedEvent: *e.(*idpconfig.IDPConfigAddedEvent)}, nil
+}
+
+type IDPConfigChangedEvent struct {
+	idpconfig.IDPConfigChangedEvent
+}
+
+func NewIDPConfigChangedEvent(
+	ctx context.Context,
+	configID string,
+	changes []idpconfig.IDPConfigChanges,
+) (*IDPConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewIDPConfigChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, IDPConfigChangedEventType),
+		configID,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPConfigChangedEvent{IDPConfigChangedEvent: *changeEvent}, nil
+}
+
+func IDPConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigChangedEvent{IDPConfigChangedEvent: *e.(*idpconfig.IDPConfigChangedEvent)}, nil
+}
+
+type IDPConfigRemovedEvent struct {
+	idpconfig.IDPConfigRemovedEvent
+}
+
+func NewIDPConfigRemovedEvent(
+	ctx context.Context,
+	configID string,
+) *IDPConfigRemovedEvent {
+
+	return &IDPConfigRemovedEvent{
+		IDPConfigRemovedEvent: *idpconfig.NewIDPConfigRemovedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				IDPConfigRemovedEventType,
+			),
+			configID,
+		),
+	}
+}
+
+func IDPConfigRemovedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigRemovedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigRemovedEvent{IDPConfigRemovedEvent: *e.(*idpconfig.IDPConfigRemovedEvent)}, nil
+}
+
+type IDPConfigDeactivatedEvent struct {
+	idpconfig.IDPConfigDeactivatedEvent
+}
+
+func NewIDPConfigDeactivatedEvent(
+	ctx context.Context,
+	configID string,
+) *IDPConfigDeactivatedEvent {
+
+	return &IDPConfigDeactivatedEvent{
+		IDPConfigDeactivatedEvent: *idpconfig.NewIDPConfigDeactivatedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				IDPConfigDeactivatedEventType,
+			),
+			configID,
+		),
+	}
+}
+
+func IDPConfigDeactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigDeactivatedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigDeactivatedEvent{IDPConfigDeactivatedEvent: *e.(*idpconfig.IDPConfigDeactivatedEvent)}, nil
+}
+
+type IDPConfigReactivatedEvent struct {
+	idpconfig.IDPConfigReactivatedEvent
+}
+
+func NewIDPConfigReactivatedEvent(
+	ctx context.Context,
+	configID string,
+) *IDPConfigReactivatedEvent {
+
+	return &IDPConfigReactivatedEvent{
+		IDPConfigReactivatedEvent: *idpconfig.NewIDPConfigReactivatedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				IDPConfigReactivatedEventType,
+			),
+			configID,
+		),
+	}
+}
+
+func IDPConfigReactivatedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.IDPConfigReactivatedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPConfigReactivatedEvent{IDPConfigReactivatedEvent: *e.(*idpconfig.IDPConfigReactivatedEvent)}, nil
+}

internal/v2/repository/org/idp_oidc_config.go

@@ -0,0 +1,86 @@
+package org
+
+import (
+	"context"
+
+	"github.com/caos/zitadel/internal/crypto"
+	"github.com/caos/zitadel/internal/eventstore/v2"
+	"github.com/caos/zitadel/internal/eventstore/v2/repository"
+	"github.com/caos/zitadel/internal/v2/domain"
+	"github.com/caos/zitadel/internal/v2/repository/idpconfig"
+)
+
+const (
+	IDPOIDCConfigAddedEventType   eventstore.EventType = "org.idp." + idpconfig.OIDCConfigAddedEventType
+	IDPOIDCConfigChangedEventType eventstore.EventType = "org.idp." + idpconfig.ConfigChangedEventType
+)
+
+type IDPOIDCConfigAddedEvent struct {
+	idpconfig.OIDCConfigAddedEvent
+}
+
+func NewIDPOIDCConfigAddedEvent(
+	ctx context.Context,
+	clientID,
+	idpConfigID,
+	issuer string,
+	clientSecret *crypto.CryptoValue,
+	idpDisplayNameMapping,
+	userNameMapping domain.OIDCMappingField,
+	scopes ...string,
+) *IDPOIDCConfigAddedEvent {
+
+	return &IDPOIDCConfigAddedEvent{
+		OIDCConfigAddedEvent: *idpconfig.NewOIDCConfigAddedEvent(
+			eventstore.NewBaseEventForPush(
+				ctx,
+				IDPOIDCConfigAddedEventType,
+			),
+			clientID,
+			idpConfigID,
+			issuer,
+			clientSecret,
+			idpDisplayNameMapping,
+			userNameMapping,
+			scopes...,
+		),
+	}
+}
+
+func IDPOIDCConfigAddedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.OIDCConfigAddedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPOIDCConfigAddedEvent{OIDCConfigAddedEvent: *e.(*idpconfig.OIDCConfigAddedEvent)}, nil
+}
+
+type IDPOIDCConfigChangedEvent struct {
+	idpconfig.OIDCConfigChangedEvent
+}
+
+func NewIDPOIDCConfigChangedEvent(
+	ctx context.Context,
+	idpConfigID string,
+	changes []idpconfig.OIDCConfigChanges,
+) (*IDPOIDCConfigChangedEvent, error) {
+	changeEvent, err := idpconfig.NewOIDCConfigChangedEvent(
+		eventstore.NewBaseEventForPush(ctx, IDPOIDCConfigChangedEventType),
+		idpConfigID,
+		changes,
+	)
+	if err != nil {
+		return nil, err
+	}
+	return &IDPOIDCConfigChangedEvent{OIDCConfigChangedEvent: *changeEvent}, nil
+}
+
+func IDPOIDCConfigChangedEventMapper(event *repository.Event) (eventstore.EventReader, error) {
+	e, err := idpconfig.OIDCConfigChangedEventMapper(event)
+	if err != nil {
+		return nil, err
+	}
+
+	return &IDPOIDCConfigChangedEvent{OIDCConfigChangedEvent: *e.(*idpconfig.OIDCConfigChangedEvent)}, nil
+}

pkg/grpc/admin/proto/admin.proto

@@ -274,7 +274,7 @@ service AdminService {
         };
     }
 
-    rpc DeactivateIdpConfig(IdpID) returns (Idp) {
+    rpc DeactivateIdpConfig(IdpID) returns (google.protobuf.Empty) {
         option (google.api.http) = {
             put: "/idps/{id}/_deactivate"
             body: "*"
@@ -285,7 +285,7 @@ service AdminService {
         };
     }
 
-    rpc ReactivateIdpConfig(IdpID) returns (Idp) {
+    rpc ReactivateIdpConfig(IdpID) returns (google.protobuf.Empty) {
         option (google.api.http) = {
             put: "/idps/{id}/_reactivate"
             body: "*"
@@ -544,10 +544,9 @@ message UniqueOrgResponse {
 message Org {
     string id = 1;
     OrgState state = 2;
-    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp change_date = 3;
-    google.protobuf.Timestamp change_date = 4;
+    string name = 4;
-    string name = 5;
+    string domain = 5;
-    string domain = 6;
 }
 
 enum OrgState {
@@ -717,8 +716,7 @@ message OrgIamPolicy {
     bool user_login_must_be_domain = 2;
     bool default = 3;
     uint64 sequence = 4;
-    google.protobuf.Timestamp creation_date = 5;
+    google.protobuf.Timestamp change_date = 5;
-    google.protobuf.Timestamp change_date = 6;
 }
 
 message OrgIamPolicyView {
@@ -748,8 +746,7 @@ message IamMember {
     string user_id = 1;
     repeated string roles = 2;
     google.protobuf.Timestamp change_date = 3;
-    google.protobuf.Timestamp creation_date = 4;
+    uint64 sequence = 4;
-    uint64 sequence = 5;
 }
 
 message AddIamMemberRequest {
@@ -864,14 +861,13 @@ message IdpID {
 message Idp {
     string id = 1;
     IdpState state = 2;
-    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp change_date = 3;
-    google.protobuf.Timestamp change_date = 4;
+    string name = 4;
-    string name = 5;
+    IdpStylingType styling_type = 5;
-    IdpStylingType styling_type = 6;
     oneof idp_config {
-        OidcIdpConfig oidc_config = 7;
+        OidcIdpConfig oidc_config = 6;
     }
-    uint64 sequence = 8;
+    uint64 sequence = 7;
 }
 
 message IdpUpdate {
@@ -976,8 +972,7 @@ enum IdpSearchKey {
 message DefaultLabelPolicy {
     string primary_color = 1;
     string secondary_color = 2;
-    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp change_date = 3;
-    google.protobuf.Timestamp change_date = 4;
 }
 
 message DefaultLabelPolicyUpdate {
@@ -996,10 +991,9 @@ message DefaultLoginPolicy {
     bool allow_username_password = 1;
     bool allow_register = 2;
     bool allow_external_idp = 3;
-    google.protobuf.Timestamp creation_date = 4;
+    google.protobuf.Timestamp change_date = 4;
-    google.protobuf.Timestamp change_date = 5;
+    bool force_mfa = 5;
-    bool force_mfa = 6;
+    PasswordlessType passwordless_type = 6;
-    PasswordlessType passwordless_type = 7;
 }
 
 message DefaultLoginPolicyRequest {
@@ -1088,8 +1082,7 @@ message DefaultPasswordComplexityPolicy {
     bool has_lowercase = 3;
     bool has_number = 4;
     bool has_symbol = 5;
-    google.protobuf.Timestamp creation_date = 6;
+    google.protobuf.Timestamp change_date = 6;
-    google.protobuf.Timestamp change_date = 7;
 }
 
 message DefaultPasswordComplexityPolicyRequest {
@@ -1113,8 +1106,7 @@ message DefaultPasswordComplexityPolicyView {
 message DefaultPasswordAgePolicy {
     uint64 max_age_days = 1;
     uint64 expire_warn_days = 2;
-    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp change_date = 3;
-    google.protobuf.Timestamp change_date = 4;
 }
 
 message DefaultPasswordAgePolicyRequest {
@@ -1132,8 +1124,7 @@ message DefaultPasswordAgePolicyView {
 message DefaultPasswordLockoutPolicy {
     uint64 max_attempts = 1;
     bool show_lockout_failure = 2;
-    google.protobuf.Timestamp creation_date = 3;
+    google.protobuf.Timestamp change_date = 3;
-    google.protobuf.Timestamp change_date = 4;
 }
 
 message DefaultPasswordLockoutPolicyRequest {

pkg/grpc/management/proto/management.proto

@@ -1265,7 +1265,7 @@ service ManagementService {
     };
   }
 
-  rpc DeactivateIdpConfig(IdpID) returns (Idp) {
+  rpc DeactivateIdpConfig(IdpID) returns (google.protobuf.Empty) {
     option (google.api.http) = {
       put: "/orgs/me/idps/{id}/_deactivate"
       body: "*"
@@ -1276,7 +1276,7 @@ service ManagementService {
     };
   }
 
-  rpc ReactivateIdpConfig(IdpID) returns (Idp) {
+  rpc ReactivateIdpConfig(IdpID) returns (google.protobuf.Empty) {
     option (google.api.http) = {
       put: "/orgs/me/idps/{id}/_reactivate"
       body: "*"
@@ -2126,10 +2126,9 @@ message OrgCreateRequest {
 message Org {
   string id = 1;
   OrgState state = 2;
-  google.protobuf.Timestamp creation_date = 3;
+  google.protobuf.Timestamp change_date = 3;
-  google.protobuf.Timestamp change_date = 4;
+  string name = 4;
-  string name = 5;
+  uint64 sequence = 5;
-  uint64 sequence = 6;
 }
 
 message OrgView {
@@ -2153,12 +2152,11 @@ message Domain {
 
 message OrgDomain {
   string org_id = 1;
-  google.protobuf.Timestamp creation_date = 2;
+  google.protobuf.Timestamp change_date = 2;
-  google.protobuf.Timestamp change_date = 3;
+  string domain = 3;
-  string domain = 4;
+  bool verified = 4;
-  bool verified = 5;
+  bool primary = 5;
-  bool primary = 6;
+  uint64 sequence = 6;
-  uint64 sequence = 7;
 }
 
 message OrgDomainView {
@@ -2238,8 +2236,7 @@ message OrgMember {
   string user_id = 1;
   repeated string roles = 2;
   google.protobuf.Timestamp change_date = 3;
-  google.protobuf.Timestamp creation_date = 4;
+  uint64 sequence = 4;
-  uint64 sequence = 5;
 }
 
 message AddOrgMemberRequest {
@@ -2986,14 +2983,13 @@ message IdpID {
 message Idp {
   string id = 1;
   IdpState state = 2;
-  google.protobuf.Timestamp creation_date = 3;
+  google.protobuf.Timestamp change_date = 3;
-  google.protobuf.Timestamp change_date = 4;
+  string name = 4;
-  string name = 5;
+  IdpStylingType styling_type = 5;
-  IdpStylingType styling_type = 6;
   oneof idp_config {
-    OidcIdpConfig oidc_config = 7;
+    OidcIdpConfig oidc_config = 6;
   }
-  uint64 sequence = 8;
+  uint64 sequence = 7;
 }
 
 message IdpUpdate {
@@ -3103,10 +3099,9 @@ message LoginPolicy {
   bool allow_username_password = 1;
   bool allow_register = 2;
   bool allow_external_idp = 3;
-  google.protobuf.Timestamp creation_date = 4;
+  google.protobuf.Timestamp change_date = 4;
-  google.protobuf.Timestamp change_date = 5;
+  bool force_mfa = 5;
-  bool force_mfa = 6;
+  PasswordlessType passwordless_type = 6;
-  PasswordlessType passwordless_type = 7;
 }
 
 message LoginPolicyRequest {
@@ -3252,8 +3247,7 @@ message PasswordComplexityPolicy {
   bool has_number = 4;
   bool has_symbol = 5;
   uint64 sequence = 6;
-  google.protobuf.Timestamp creation_date = 7;
+  google.protobuf.Timestamp change_date = 7;
-  google.protobuf.Timestamp change_date = 8;
 }
 
 message PasswordComplexityPolicyRequest {
@@ -3280,8 +3274,7 @@ message PasswordAgePolicy {
   uint64 max_age_days = 1;
   uint64 expire_warn_days = 2;
   uint64 sequence = 3;
-  google.protobuf.Timestamp creation_date = 4;
+  google.protobuf.Timestamp change_date = 4;
-  google.protobuf.Timestamp change_date = 5;
 }
 
 message PasswordAgePolicyRequest {
@@ -3302,8 +3295,7 @@ message PasswordLockoutPolicy {
   uint64 max_attempts = 1;
   bool show_lockout_failure = 2;
   uint64 sequence = 3;
-  google.protobuf.Timestamp creation_date = 4;
+  google.protobuf.Timestamp change_date = 4;
-  google.protobuf.Timestamp change_date = 5;
 }
 
 message PasswordLockoutPolicyRequest {