chore(ux): Change wording for project / application settings (#10775)

<!--
Please inform yourself about the contribution guidelines on submitting a
PR here:
https://github.com/zitadel/zitadel/blob/main/CONTRIBUTING.md#submit-a-pull-request-pr.
Take note of how PR/commit titles should be written and replace the
template texts in the sections below. Don't remove any of the sections.
It is important that the commit history clearly shows what is changed
and why.
Important: By submitting a contribution you agree to the terms from our
Licensing Policy as described here:
https://github.com/zitadel/zitadel/blob/main/LICENSING.md#community-contributions.
-->

# Which Problems Are Solved

Close #10623: The terms, language, and spelling used on the project and
application settings for receiving roles are unnecessarily complicated or
wrong.

# How the Problems Are Solved

Update Settings in English. Translations are currently not considered.

# Additional Changes

Align proto documentation

# Additional Context

(cherry picked from commit 7e11f7a032)
Maximilian
2025-10-17 07:50:13 +02:00
committed by Livio Spring
parent 366fe3fd5b
commit c318194b66
3 changed files with 15 additions and 15 deletions


@@ -2131,17 +2131,17 @@
"CHANGEDATE": "Last Modified",
"SELECTGROUPTOOLTIP": "Select all Roles of the group {{group}}.",
"OPTIONS": "Options",
"ASSERTION": "Assert Roles on Authentication",
"ASSERTION_DESCRIPTION": "Role information is sent from Userinfo endpoint and depending on your application settings in tokens and other types.",
"CHECK": "Check authorization on Authentication",
"CHECK_DESCRIPTION": "If set, users are only allowed to authenticate if any role is assigned to their account.",
"ASSERTION": "Return user roles during authentication",
"ASSERTION_DESCRIPTION": "When a user authenticates, their role information is provided to your application. For OpenID Connect, the roles can be requested from the UserInfo endpoint or sent in the ID or Access Token, based on your application's configuration.",
"CHECK": "Only authorized users can authenticate",
"CHECK_DESCRIPTION": "Deny authentication if the user has no authorization assigned to this project. Authorizations to the project without assigned a specific role to the user are allowed.",
"DIALOG": {
"DELETE_TITLE": "Delete role",
"DELETE_DESCRIPTION": "You are about to delete a project role. Are you sure?"
}
},
"HAS_PROJECT": "Check for Project on Authentication",
"HAS_PROJECT_DESCRIPTION": "It is checked whether the user's organization has this project. If not, the user cannot be authenticated.",
"HAS_PROJECT": "Authentication is restricted to users from organizations that have been granted access to this project",
"HAS_PROJECT_DESCRIPTION": "Before a user can be authenticated, it is verified that their affiliated organization has been granted access to this project. Authentication is not permitted for users from unauthorized organizations.",
"TABLE": {
"TOTAL": "Entries total:",
"SELECTION": "Selected Elements",
@@ -2647,8 +2647,8 @@
"ACCESSTOKENROLEASSERTION": "Add user roles to the access token",
"ACCESSTOKENROLEASSERTION_DESCRIPTION": "If selected, the requested roles of the authenticated user are added to the access token.",
"IDTOKENROLEASSERTION": "User roles inside ID Token",
"IDTOKENROLEASSERTION_DESCRIPTION": "If selected, the requested roles of the authenticated user are added to the ID token.",
"IDTOKENUSERINFOASSERTION": "User Info inside ID Token",
"IDTOKENROLEASSERTION_DESCRIPTION": "When this option is enabled, the authenticated user's assigned roles will be added directly to their ID token. Ensure to enable the Project setting 'Assign user roles during authentication' or request via custom scope.",
"IDTOKENUSERINFOASSERTION": "Include user's roles in the ID Token",
"IDTOKENUSERINFOASSERTION_DESCRIPTION": "Enables clients to retrieve profile, email, phone and address claims from ID token.",
"CLOCKSKEW": "Enables clients to handle clock skew of OP and client. The duration (0-5s) will be added to exp claim and subtracted from iats, auth_time and nbf.",
"RECOMMENDED": "recommended",
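Review bot: The new label for `IDTOKENUSERINFOASSERTION`, "Include user's roles in the ID Token", does not match its unchanged description ("Enables clients to retrieve profile, email, phone and address claims from ID token") and now reads almost the same as `IDTOKENROLEASSERTION` directly above it. An administrator deciding which claims are placed in the ID token could enable the wrong option, so the label should keep naming user info, for example `"IDTOKENUSERINFOASSERTION": "Include user info in the ID Token"`. The new `IDTOKENROLEASSERTION_DESCRIPTION` also points to a project setting called 'Assign user roles during authentication', while the first hunk labels that setting "Return user roles during authentication"; the quoted name should match the label the user actually sees.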


@@ -9867,17 +9867,17 @@ message AddProjectRequest {
];
bool project_role_assertion = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.";
description: "Enable this setting to provide role information to your application. For OpenID Connect, the roles can be requested from the UserInfo endpoint or sent in the ID or Access Token, based on your application's configuration.";
}
];
bool project_role_check = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "When enabled ZITADEL will check if a user has a role of this project assigned when login into an application of this project.";
description: "Deny authentication if the user has no authorization assigned to this project. Authorizations to the project without assigned a specific role to the user are allowed.";
}
];
bool has_project_check = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "When enabled ZITADEL will check if the organization of the user, that is trying to log in, has a grant to this project.";
description: "Before a user can be authenticated, it is verified that their affiliated organization has been granted access to this project. Authentication is not permitted for users from unauthorized organizations.";
}
];
zitadel.project.v1.PrivateLabelingSetting private_labeling_setting = 5 [
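Review bot: The second sentence of the new `project_role_check` description, "Authorizations to the project without assigned a specific role to the user are allowed", is hard to parse, and it is the sentence that tells an integrator how strict this access check is. If the intended meaning is that an authorization alone passes the check, a wording such as `Deny authentication if the user has no authorization for this project. An authorization without any role assigned is sufficient.` states it directly. Because the field is still named `project_role_check`, it helps to say explicitly that no role is required. The same sentence appears in `CHECK_DESCRIPTION` in the console strings and in the `authorization_required` comment of CreateProjectRequest. AddProjectRequest starts and ends outside this hunk.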


@@ -705,11 +705,11 @@ message CreateProjectRequest {
example: "\"MyProject\"";
}
];
// Enable this setting to have role information included in the user info endpoint. It is also dependent on your application settings to include it in tokens and other types.
// Enable this setting to provide role information to your application. For OpenID Connect, the roles can be requested from the UserInfo endpoint or sent in the ID or Access Token, based on your application's configuration.
bool project_role_assertion = 4;
// When enabled ZITADEL will check if a user has an authorization to use this project assigned when login into an application of this project.
//Deny authentication if the user has no authorization assigned to this project. Authorizations to the project without assigned a specific role to the user are allowed.
bool authorization_required = 5;
// When enabled ZITADEL will check if the organization of the user, that is trying to log in, has access to this project (either owns the project or is granted).
// Before a user can be authenticated, it is verified that their affiliated organization has been granted access to this project. Authentication is not permitted for users from unauthorized organizations.
bool project_access_required = 6;
// Define which private labeling/branding should trigger when getting to a login of this project.
PrivateLabelingSetting private_labeling_setting = 7 [
@@ -1244,4 +1244,4 @@ message ListProjectGrantsRequest {
message ListProjectGrantsResponse {
zitadel.filter.v2beta.PaginationResponse pagination = 1;
repeated ProjectGrant project_grants = 2;
}
}
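Review bot: The new comment on `project_access_required` in the first hunk drops the "(either owns the project or is granted)" qualifier that the replaced comment carried, so it now reads as if users of the organization that owns the project are rejected unless a grant exists. If owning organizations still pass this check, the comment should keep saying so, for example by ending the first sentence with `their organization owns this project or has been granted access to it.` The `authorization_required` comment just above it starts with `//Deny` and should have a space after `//` like the neighbouring comments. CreateProjectRequest starts and ends outside the hunk.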