feat: Instance commands (#3385)

* fix: add events for domain * fix: add/remove domain command side * fix: add/remove domain command side * fix: add/remove domain query side * fix: create instance * fix: merge v2 * fix: instance domain * fix: instance domain * fix: instance domain * fix: instance domain * fix: remove domain.IAMID from writemodels * fix: remove domain.IAMID from writemodels * fix: remove domain.IAMID from writemodels * fix: remove domain.IAMID from writemodels * fix: remove domain.IAMID from writemodels * fix: remove domain.IAMID from writemodels * fix: remove domain.IAMID from writemodels * fix: remove domain.IAMID from writemodels * fix: remove domain.IAMID from writemodels * fix: remove domain.IAMID from api * fix: remove domain.IAMID * fix: remove domain.IAMID * fix: add instance domain queries * fix: fix after merge * Update auth_request.go * fix keypair * remove unused code * feat: read instance id from context * feat: remove unused code * feat: use instance id from context * some fixes Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 03:47:33 +00:00 · 2022-04-05 07:58:09 +02:00
parent 7d6a10015a
commit c740ee5d81
156 changed files with 6360 additions and 3951 deletions
--- a/internal/api/grpc/admin/custom_text.go
+++ b/internal/api/grpc/admin/custom_text.go
@@ -3,6 +3,7 @@ package admin
 import (
 	"context"

+	"github.com/caos/zitadel/internal/api/authz"
 	"golang.org/x/text/language"

 	"github.com/caos/zitadel/internal/api/grpc/object"
@@ -22,7 +23,7 @@ func (s *Server) GetDefaultInitMessageText(ctx context.Context, req *admin_pb.Ge
 }

 func (s *Server) GetCustomInitMessageText(ctx context.Context, req *admin_pb.GetCustomInitMessageTextRequest) (*admin_pb.GetCustomInitMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, domain.IAMID, domain.InitCodeMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.InitCodeMessageType, req.Language)
 	if err != nil {
 		return nil, err
 	}
@@ -32,7 +33,7 @@ func (s *Server) GetCustomInitMessageText(ctx context.Context, req *admin_pb.Get
 }

 func (s *Server) SetDefaultInitMessageText(ctx context.Context, req *admin_pb.SetDefaultInitMessageTextRequest) (*admin_pb.SetDefaultInitMessageTextResponse, error) {
-	result, err := s.command.SetDefaultMessageText(ctx, SetInitCustomTextToDomain(req))
+	result, err := s.command.SetDefaultMessageText(ctx, authz.GetInstance(ctx).InstanceID(), SetInitCustomTextToDomain(req))
 	if err != nil {
 		return nil, err
 	}
@@ -70,7 +71,7 @@ func (s *Server) GetDefaultPasswordResetMessageText(ctx context.Context, req *ad
 }

 func (s *Server) GetCustomPasswordResetMessageText(ctx context.Context, req *admin_pb.GetCustomPasswordResetMessageTextRequest) (*admin_pb.GetCustomPasswordResetMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, domain.IAMID, domain.PasswordResetMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.PasswordResetMessageType, req.Language)
 	if err != nil {
 		return nil, err
 	}
@@ -80,7 +81,7 @@ func (s *Server) GetCustomPasswordResetMessageText(ctx context.Context, req *adm
 }

 func (s *Server) SetDefaultPasswordResetMessageText(ctx context.Context, req *admin_pb.SetDefaultPasswordResetMessageTextRequest) (*admin_pb.SetDefaultPasswordResetMessageTextResponse, error) {
-	result, err := s.command.SetDefaultMessageText(ctx, SetPasswordResetCustomTextToDomain(req))
+	result, err := s.command.SetDefaultMessageText(ctx, authz.GetInstance(ctx).InstanceID(), SetPasswordResetCustomTextToDomain(req))
 	if err != nil {
 		return nil, err
 	}
@@ -118,7 +119,7 @@ func (s *Server) GetDefaultVerifyEmailMessageText(ctx context.Context, req *admi
 }

 func (s *Server) GetCustomVerifyEmailMessageText(ctx context.Context, req *admin_pb.GetCustomVerifyEmailMessageTextRequest) (*admin_pb.GetCustomVerifyEmailMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, domain.IAMID, domain.VerifyEmailMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.VerifyEmailMessageType, req.Language)
 	if err != nil {
 		return nil, err
 	}
@@ -128,7 +129,7 @@ func (s *Server) GetCustomVerifyEmailMessageText(ctx context.Context, req *admin
 }

 func (s *Server) SetDefaultVerifyEmailMessageText(ctx context.Context, req *admin_pb.SetDefaultVerifyEmailMessageTextRequest) (*admin_pb.SetDefaultVerifyEmailMessageTextResponse, error) {
-	result, err := s.command.SetDefaultMessageText(ctx, SetVerifyEmailCustomTextToDomain(req))
+	result, err := s.command.SetDefaultMessageText(ctx, authz.GetInstance(ctx).InstanceID(), SetVerifyEmailCustomTextToDomain(req))
 	if err != nil {
 		return nil, err
 	}
@@ -166,7 +167,7 @@ func (s *Server) GetDefaultVerifyPhoneMessageText(ctx context.Context, req *admi
 }

 func (s *Server) GetCustomVerifyPhoneMessageText(ctx context.Context, req *admin_pb.GetCustomVerifyPhoneMessageTextRequest) (*admin_pb.GetCustomVerifyPhoneMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, domain.IAMID, domain.VerifyPhoneMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.VerifyPhoneMessageType, req.Language)
 	if err != nil {
 		return nil, err
 	}
@@ -176,7 +177,7 @@ func (s *Server) GetCustomVerifyPhoneMessageText(ctx context.Context, req *admin
 }

 func (s *Server) SetDefaultVerifyPhoneMessageText(ctx context.Context, req *admin_pb.SetDefaultVerifyPhoneMessageTextRequest) (*admin_pb.SetDefaultVerifyPhoneMessageTextResponse, error) {
-	result, err := s.command.SetDefaultMessageText(ctx, SetVerifyPhoneCustomTextToDomain(req))
+	result, err := s.command.SetDefaultMessageText(ctx, authz.GetInstance(ctx).InstanceID(), SetVerifyPhoneCustomTextToDomain(req))
 	if err != nil {
 		return nil, err
 	}
@@ -214,7 +215,7 @@ func (s *Server) GetDefaultDomainClaimedMessageText(ctx context.Context, req *ad
 }

 func (s *Server) GetCustomDomainClaimedMessageText(ctx context.Context, req *admin_pb.GetCustomDomainClaimedMessageTextRequest) (*admin_pb.GetCustomDomainClaimedMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, domain.IAMID, domain.DomainClaimedMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.DomainClaimedMessageType, req.Language)
 	if err != nil {
 		return nil, err
 	}
@@ -224,7 +225,7 @@ func (s *Server) GetCustomDomainClaimedMessageText(ctx context.Context, req *adm
 }

 func (s *Server) SetDefaultDomainClaimedMessageText(ctx context.Context, req *admin_pb.SetDefaultDomainClaimedMessageTextRequest) (*admin_pb.SetDefaultDomainClaimedMessageTextResponse, error) {
-	result, err := s.command.SetDefaultMessageText(ctx, SetDomainClaimedCustomTextToDomain(req))
+	result, err := s.command.SetDefaultMessageText(ctx, authz.GetInstance(ctx).InstanceID(), SetDomainClaimedCustomTextToDomain(req))
 	if err != nil {
 		return nil, err
 	}
@@ -262,7 +263,7 @@ func (s *Server) GetDefaultPasswordlessRegistrationMessageText(ctx context.Conte
 }

 func (s *Server) GetCustomPasswordlessRegistrationMessageText(ctx context.Context, req *admin_pb.GetCustomPasswordlessRegistrationMessageTextRequest) (*admin_pb.GetCustomPasswordlessRegistrationMessageTextResponse, error) {
-	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, domain.IAMID, domain.PasswordlessRegistrationMessageType, req.Language)
+	msg, err := s.query.CustomMessageTextByTypeAndLanguage(ctx, authz.GetInstance(ctx).InstanceID(), domain.PasswordlessRegistrationMessageType, req.Language)
 	if err != nil {
 		return nil, err
 	}
@@ -272,7 +273,7 @@ func (s *Server) GetCustomPasswordlessRegistrationMessageText(ctx context.Contex
 }

 func (s *Server) SetDefaultPasswordlessRegistrationMessageText(ctx context.Context, req *admin_pb.SetDefaultPasswordlessRegistrationMessageTextRequest) (*admin_pb.SetDefaultPasswordlessRegistrationMessageTextResponse, error) {
-	result, err := s.command.SetDefaultMessageText(ctx, SetPasswordlessRegistrationCustomTextToDomain(req))
+	result, err := s.command.SetDefaultMessageText(ctx, authz.GetInstance(ctx).InstanceID(), SetPasswordlessRegistrationCustomTextToDomain(req))
 	if err != nil {
 		return nil, err
 	}
@@ -309,7 +310,7 @@ func (s *Server) GetDefaultLoginTexts(ctx context.Context, req *admin_pb.GetDefa
 	}, nil
 }
 func (s *Server) GetCustomLoginTexts(ctx context.Context, req *admin_pb.GetCustomLoginTextsRequest) (*admin_pb.GetCustomLoginTextsResponse, error) {
-	msg, err := s.query.GetCustomLoginTexts(ctx, domain.IAMID, req.Language)
+	msg, err := s.query.GetCustomLoginTexts(ctx, authz.GetInstance(ctx).InstanceID(), req.Language)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/iam_settings.go
+++ b/internal/api/grpc/admin/iam_settings.go
@@ -3,8 +3,8 @@ package admin
 import (
 	"context"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/object"
-	"github.com/caos/zitadel/internal/domain"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 )

@@ -46,7 +46,7 @@ func (s *Server) UpdateSecretGenerator(ctx context.Context, req *admin_pb.Update
 }

 func (s *Server) GetSMTPConfig(ctx context.Context, req *admin_pb.GetSMTPConfigRequest) (*admin_pb.GetSMTPConfigResponse, error) {
-	smtp, err := s.query.SMTPConfigByAggregateID(ctx, domain.IAMID)
+	smtp, err := s.query.SMTPConfigByAggregateID(ctx, authz.GetInstance(ctx).InstanceID())
 	if err != nil {
 		return nil, err
 	}
@@ -56,7 +56,7 @@ func (s *Server) GetSMTPConfig(ctx context.Context, req *admin_pb.GetSMTPConfigR
 }

 func (s *Server) UpdateSMTPConfig(ctx context.Context, req *admin_pb.UpdateSMTPConfigRequest) (*admin_pb.UpdateSMTPConfigResponse, error) {
-	details, err := s.command.ChangeSMTPConfig(ctx, UpdateSMTPToConfig(req))
+	details, err := s.command.ChangeSMTPConfig(ctx, authz.GetInstance(ctx).InstanceID(), UpdateSMTPToConfig(req))
 	if err != nil {
 		return nil, err
 	}
@@ -69,7 +69,7 @@ func (s *Server) UpdateSMTPConfig(ctx context.Context, req *admin_pb.UpdateSMTPC
 }

 func (s *Server) UpdateSMTPConfigPassword(ctx context.Context, req *admin_pb.UpdateSMTPConfigPasswordRequest) (*admin_pb.UpdateSMTPConfigPasswordResponse, error) {
-	details, err := s.command.ChangeSMTPConfigPassword(ctx, req.Password)
+	details, err := s.command.ChangeSMTPConfigPassword(ctx, authz.GetInstance(ctx).InstanceID(), req.Password)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/idp.go
+++ b/internal/api/grpc/admin/idp.go
@@ -3,15 +3,15 @@ package admin
 import (
 	"context"

+	"github.com/caos/zitadel/internal/api/authz"
 	idp_grpc "github.com/caos/zitadel/internal/api/grpc/idp"
 	object_pb "github.com/caos/zitadel/internal/api/grpc/object"
-	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/query"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 )

 func (s *Server) GetIDPByID(ctx context.Context, req *admin_pb.GetIDPByIDRequest) (*admin_pb.GetIDPByIDResponse, error) {
-	idp, err := s.query.IDPByIDAndResourceOwner(ctx, req.Id, domain.IAMID)
+	idp, err := s.query.IDPByIDAndResourceOwner(ctx, req.Id, authz.GetInstance(ctx).InstanceID())
 	if err != nil {
 		return nil, err
 	}
@@ -19,7 +19,7 @@ func (s *Server) GetIDPByID(ctx context.Context, req *admin_pb.GetIDPByIDRequest
 }

 func (s *Server) ListIDPs(ctx context.Context, req *admin_pb.ListIDPsRequest) (*admin_pb.ListIDPsResponse, error) {
-	queries, err := listIDPsToModel(req)
+	queries, err := listIDPsToModel(authz.GetInstance(ctx).InstanceID(), req)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/idp_converter.go
+++ b/internal/api/grpc/admin/idp_converter.go
@@ -81,13 +81,13 @@ func updateJWTConfigToDomain(req *admin_pb.UpdateIDPJWTConfigRequest) *domain.JW
 	}
 }

-func listIDPsToModel(req *admin_pb.ListIDPsRequest) (*query.IDPSearchQueries, error) {
+func listIDPsToModel(instanceID string, req *admin_pb.ListIDPsRequest) (*query.IDPSearchQueries, error) {
 	offset, limit, asc := object.ListQueryToModel(req.Query)
 	queries, err := idpQueriesToModel(req.Queries)
 	if err != nil {
 		return nil, err
 	}
-	iamQuery, err := query.NewIDPResourceOwnerSearchQuery(domain.IAMID)
+	iamQuery, err := query.NewIDPResourceOwnerSearchQuery(instanceID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/language.go
+++ b/internal/api/grpc/admin/language.go
@@ -5,7 +5,6 @@ import (

 	"golang.org/x/text/language"

-	"github.com/caos/zitadel/internal/api/grpc/object"
 	"github.com/caos/zitadel/internal/api/grpc/text"
 	caos_errors "github.com/caos/zitadel/internal/errors"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
@@ -20,17 +19,19 @@ func (s *Server) GetSupportedLanguages(ctx context.Context, req *admin_pb.GetSup
 }

 func (s *Server) SetDefaultLanguage(ctx context.Context, req *admin_pb.SetDefaultLanguageRequest) (*admin_pb.SetDefaultLanguageResponse, error) {
-	lang, err := language.Parse(req.Language)
+	_, err := language.Parse(req.Language)
 	if err != nil {
 		return nil, caos_errors.ThrowInvalidArgument(err, "API-39nnf", "Errors.Language.Parse")
 	}
-	details, err := s.command.SetDefaultLanguage(ctx, lang)
-	if err != nil {
-		return nil, err
-	}
-	return &admin_pb.SetDefaultLanguageResponse{
-		Details: object.DomainToChangeDetailsPb(details),
-	}, nil
+	//TODO: Will be added by silvan
+	//details, err := s.command.SetDefaultLanguage(ctx, lang)
+	//if err != nil {
+	//	return nil, err
+	//}
+	//return &admin_pb.SetDefaultLanguageResponse{
+	//	Details: object.DomainToChangeDetailsPb(details),
+	//}, nil
+	return nil, nil
 }

 func (s *Server) GetDefaultLanguage(ctx context.Context, req *admin_pb.GetDefaultLanguageRequest) (*admin_pb.GetDefaultLanguageResponse, error) {
--- a/internal/api/grpc/admin/login_policy.go
+++ b/internal/api/grpc/admin/login_policy.go
@@ -3,6 +3,7 @@ package admin
 import (
 	"context"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/user"
 	"github.com/caos/zitadel/internal/query"

@@ -36,7 +37,7 @@ func (s *Server) UpdateLoginPolicy(ctx context.Context, p *admin_pb.UpdateLoginP
 }

 func (s *Server) ListLoginPolicyIDPs(ctx context.Context, req *admin_pb.ListLoginPolicyIDPsRequest) (*admin_pb.ListLoginPolicyIDPsResponse, error) {
-	res, err := s.query.IDPLoginPolicyLinks(ctx, domain.IAMID, ListLoginPolicyIDPsRequestToQuery(req))
+	res, err := s.query.IDPLoginPolicyLinks(ctx, authz.GetInstance(ctx).InstanceID(), ListLoginPolicyIDPsRequestToQuery(req))
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/notification_provider.go
+++ b/internal/api/grpc/admin/notification_provider.go
@@ -3,13 +3,14 @@ package admin
 import (
 	"context"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/settings"
 	"github.com/caos/zitadel/internal/domain"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 )

 func (s *Server) GetFileSystemNotificationProvider(ctx context.Context, req *admin_pb.GetFileSystemNotificationProviderRequest) (*admin_pb.GetFileSystemNotificationProviderResponse, error) {
-	result, err := s.query.NotificationProviderByIDAndType(ctx, domain.IAMID, domain.NotificationProviderTypeFile)
+	result, err := s.query.NotificationProviderByIDAndType(ctx, authz.GetInstance(ctx).InstanceID(), domain.NotificationProviderTypeFile)
 	if err != nil {
 		return nil, err

@@ -20,7 +21,7 @@ func (s *Server) GetFileSystemNotificationProvider(ctx context.Context, req *adm
 }

 func (s *Server) GetLogNotificationProvider(ctx context.Context, req *admin_pb.GetLogNotificationProviderRequest) (*admin_pb.GetLogNotificationProviderResponse, error) {
-	result, err := s.query.NotificationProviderByIDAndType(ctx, domain.IAMID, domain.NotificationProviderTypeLog)
+	result, err := s.query.NotificationProviderByIDAndType(ctx, authz.GetInstance(ctx).InstanceID(), domain.NotificationProviderTypeLog)
 	if err != nil {
 		return nil, err

--- a/internal/api/grpc/admin/oidc_settings.go
+++ b/internal/api/grpc/admin/oidc_settings.go
@@ -3,13 +3,13 @@ package admin
 import (
 	"context"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/object"
-	"github.com/caos/zitadel/internal/domain"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 )

 func (s *Server) GetOIDCSettings(ctx context.Context, _ *admin_pb.GetOIDCSettingsRequest) (*admin_pb.GetOIDCSettingsResponse, error) {
-	result, err := s.query.OIDCSettingsByAggID(ctx, domain.IAMID)
+	result, err := s.query.OIDCSettingsByAggID(ctx, authz.GetInstance(ctx).InstanceID())
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/grpc/admin/sms.go
+++ b/internal/api/grpc/admin/sms.go
@@ -3,6 +3,7 @@ package admin
 import (
 	"context"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/api/grpc/object"
 	admin_pb "github.com/caos/zitadel/pkg/grpc/admin"
 	settings_pb "github.com/caos/zitadel/pkg/grpc/settings"
@@ -40,7 +41,7 @@ func (s *Server) GetSMSProvider(ctx context.Context, req *admin_pb.GetSMSProvide
 }

 func (s *Server) AddSMSProviderTwilio(ctx context.Context, req *admin_pb.AddSMSProviderTwilioRequest) (*admin_pb.AddSMSProviderTwilioResponse, error) {
-	id, result, err := s.command.AddSMSConfigTwilio(ctx, AddSMSConfigTwilioToConfig(req))
+	id, result, err := s.command.AddSMSConfigTwilio(ctx, authz.GetInstance(ctx).InstanceID(), AddSMSConfigTwilioToConfig(req))
 	if err != nil {
 		return nil, err

@@ -52,7 +53,7 @@ func (s *Server) AddSMSProviderTwilio(ctx context.Context, req *admin_pb.AddSMSP
 }

 func (s *Server) UpdateSMSProviderTwilio(ctx context.Context, req *admin_pb.UpdateSMSProviderTwilioRequest) (*admin_pb.UpdateSMSProviderTwilioResponse, error) {
-	result, err := s.command.ChangeSMSConfigTwilio(ctx, req.Id, UpdateSMSConfigTwilioToConfig(req))
+	result, err := s.command.ChangeSMSConfigTwilio(ctx, authz.GetInstance(ctx).InstanceID(), req.Id, UpdateSMSConfigTwilioToConfig(req))
 	if err != nil {
 		return nil, err

@@ -63,7 +64,7 @@ func (s *Server) UpdateSMSProviderTwilio(ctx context.Context, req *admin_pb.Upda
 }

 func (s *Server) UpdateSMSProviderTwilioToken(ctx context.Context, req *admin_pb.UpdateSMSProviderTwilioTokenRequest) (*admin_pb.UpdateSMSProviderTwilioTokenResponse, error) {
-	result, err := s.command.ChangeSMSConfigTwilioToken(ctx, req.Id, req.Token)
+	result, err := s.command.ChangeSMSConfigTwilioToken(ctx, authz.GetInstance(ctx).InstanceID(), req.Id, req.Token)
 	if err != nil {
 		return nil, err

--- a/internal/api/grpc/auth/password.go
+++ b/internal/api/grpc/auth/password.go
@@ -2,6 +2,7 @@ package auth

 import (
 	"context"
+
 	"github.com/caos/zitadel/internal/api/grpc/object"

 	"github.com/caos/zitadel/internal/api/authz"
--- a/internal/api/grpc/management/idp_converter.go
+++ b/internal/api/grpc/management/idp_converter.go
@@ -91,7 +91,7 @@ func listIDPsToModel(ctx context.Context, req *mgmt_pb.ListOrgIDPsRequest) (quer
 	if err != nil {
 		return nil, err
 	}
-	resourceOwnerQuery, err := query.NewIDPResourceOwnerListSearchQuery(domain.IAMID, authz.GetCtxData(ctx).OrgID)
+	resourceOwnerQuery, err := query.NewIDPResourceOwnerListSearchQuery(authz.GetInstance(ctx).InstanceID(), authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -44,8 +44,7 @@ func (o *OPStorage) AuthRequestByID(ctx context.Context, id string) (_ op.AuthRe
 	if !ok {
 		return nil, errors.ThrowPreconditionFailed(nil, "OIDC-D3g21", "no user agent id")
 	}
-	instanceID := authz.GetInstance(ctx).InstanceID()
-	resp, err := o.repo.AuthRequestByIDCheckLoggedIn(ctx, id, userAgentID, instanceID)
+	resp, err := o.repo.AuthRequestByIDCheckLoggedIn(ctx, id, userAgentID)
 	if err != nil {
 		return nil, err
 	}
@@ -56,8 +55,7 @@ func (o *OPStorage) AuthRequestByCode(ctx context.Context, code string) (_ op.Au
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	instanceID := authz.GetInstance(ctx).InstanceID()
-	resp, err := o.repo.AuthRequestByCode(ctx, code, instanceID)
+	resp, err := o.repo.AuthRequestByCode(ctx, code)
 	if err != nil {
 		return nil, err
 	}
@@ -71,16 +69,14 @@ func (o *OPStorage) SaveAuthCode(ctx context.Context, id, code string) (err erro
 	if !ok {
 		return errors.ThrowPreconditionFailed(nil, "OIDC-Dgus2", "no user agent id")
 	}
-	instanceID := authz.GetInstance(ctx).InstanceID()
-	return o.repo.SaveAuthCode(ctx, id, code, userAgentID, instanceID)
+	return o.repo.SaveAuthCode(ctx, id, code, userAgentID)
 }

 func (o *OPStorage) DeleteAuthRequest(ctx context.Context, id string) (err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()

-	instanceID := authz.GetInstance(ctx).InstanceID()
-	return o.repo.DeleteAuthRequest(ctx, id, instanceID)
+	return o.repo.DeleteAuthRequest(ctx, id)
 }

 func (o *OPStorage) CreateAccessToken(ctx context.Context, req op.TokenRequest) (_ string, _ time.Time, err error) {
--- a/internal/api/oidc/key.go
+++ b/internal/api/oidc/key.go
@@ -11,7 +11,6 @@ import (
 	"github.com/caos/zitadel/internal/telemetry/tracing"

 	"github.com/caos/zitadel/internal/crypto"
-	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
 	"github.com/caos/zitadel/internal/eventstore"
 	"github.com/caos/zitadel/internal/query"
@@ -54,7 +53,7 @@ func (o *OPStorage) GetSigningKey(ctx context.Context, keyCh chan<- jose.Signing
 					<-renewTimer.C
 				}
 				checkAfter := o.resetTimer(renewTimer, true)
-				logging.Log("OIDC-dK432").Infof("requested next signing key check in %s", checkAfter)
+				logging.Infof("requested next signing key check in %s", checkAfter)
 			case <-renewTimer.C:
 				o.getSigningKey(ctx, renewTimer, keyCh)
 			}
@@ -66,7 +65,7 @@ func (o *OPStorage) getSigningKey(ctx context.Context, renewTimer *time.Timer, k
 	keys, err := o.query.ActivePrivateSigningKey(ctx, time.Now().Add(o.signingKeyGracefulPeriod))
 	if err != nil {
 		checkAfter := o.resetTimer(renewTimer, true)
-		logging.Log("OIDC-ASff").Infof("next signing key check in %s", checkAfter)
+		logging.Infof("next signing key check in %s", checkAfter)
 		return
 	}
 	if len(keys.Keys) == 0 {
@@ -76,13 +75,13 @@ func (o *OPStorage) getSigningKey(ctx context.Context, renewTimer *time.Timer, k
 		}
 		o.refreshSigningKey(ctx, keyCh, o.signingKeyAlgorithm, sequence)
 		checkAfter := o.resetTimer(renewTimer, true)
-		logging.Log("OIDC-ASDf3").Infof("next signing key check in %s", checkAfter)
+		logging.Infof("next signing key check in %s", checkAfter)
 		return
 	}
 	err = o.exchangeSigningKey(selectSigningKey(keys.Keys), keyCh)
-	logging.Log("OIDC-aDfg3").OnError(err).Error("could not exchange signing key")
+	logging.OnError(err).Error("could not exchange signing key")
 	checkAfter := o.resetTimer(renewTimer, err != nil)
-	logging.Log("OIDC-dK432").Infof("next signing key check in %s", checkAfter)
+	logging.Infof("next signing key check in %s", checkAfter)
 }

 func (o *OPStorage) resetTimer(timer *time.Timer, shortRefresh bool) (nextCheck time.Duration) {
@@ -100,20 +99,20 @@ func (o *OPStorage) resetTimer(timer *time.Timer, shortRefresh bool) (nextCheck

 func (o *OPStorage) refreshSigningKey(ctx context.Context, keyCh chan<- jose.SigningKey, algorithm string, sequence uint64) {
 	if o.currentKey != nil && o.currentKey.Expiry().Before(time.Now().UTC()) {
-		logging.Log("OIDC-ADg26").Info("unset current signing key")
+		logging.Info("unset current signing key")
 		keyCh <- jose.SigningKey{}
 	}
 	ok, err := o.ensureIsLatestKey(ctx, sequence)
 	if err != nil {
-		logging.Log("OIDC-sdz53").WithError(err).Error("could not ensure latest key")
+		logging.New().WithError(err).Error("could not ensure latest key")
 		return
 	}
 	if !ok {
-		logging.Log("EVENT-GBD23").Warn("view not up to date, retrying later")
+		logging.Warn("view not up to date, retrying later")
 		return
 	}
 	err = o.lockAndGenerateSigningKeyPair(ctx, algorithm)
-	logging.Log("EVENT-B4d21").OnError(err).Warn("could not create signing key")
+	logging.OnError(err).Warn("could not create signing key")
 }

 func (o *OPStorage) ensureIsLatestKey(ctx context.Context, sequence uint64) (bool, error) {
@@ -126,7 +125,7 @@ func (o *OPStorage) ensureIsLatestKey(ctx context.Context, sequence uint64) (boo

 func (o *OPStorage) exchangeSigningKey(key query.PrivateKey, keyCh chan<- jose.SigningKey) (err error) {
 	if o.currentKey != nil && o.currentKey.ID() == key.ID() {
-		logging.Log("OIDC-Abb3e").Info("no new signing key")
+		logging.Info("no new signing key")
 		return nil
 	}
 	keyData, err := crypto.Decrypt(key.Key(), o.encAlg)
@@ -145,12 +144,12 @@ func (o *OPStorage) exchangeSigningKey(key query.PrivateKey, keyCh chan<- jose.S
 		},
 	}
 	o.currentKey = key
-	logging.LogWithFields("OIDC-dsg54", "keyID", key.ID()).Info("exchanged signing key")
+	logging.WithFields("keyID", key.ID()).Info("exchanged signing key")
 	return nil
 }

 func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm string) error {
-	logging.Log("OIDC-sdz53").Info("lock and generate signing key pair")
+	logging.Info("lock and generate signing key pair")

 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
@@ -161,7 +160,7 @@ func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm
 		if errors.IsErrorAlreadyExists(err) {
 			return nil
 		}
-		logging.Log("OIDC-Dfg32").OnError(err).Warn("initial lock failed")
+		logging.OnError(err).Warn("initial lock failed")
 		return err
 	}

@@ -171,7 +170,7 @@ func (o *OPStorage) lockAndGenerateSigningKeyPair(ctx context.Context, algorithm
 func (o *OPStorage) getMaxKeySequence(ctx context.Context) (uint64, error) {
 	return o.eventstore.LatestSequence(ctx,
 		eventstore.NewSearchQueryBuilder(eventstore.ColumnsMaxSequence).
-			ResourceOwner(domain.IAMID).
+			ResourceOwner("system"). //TODO: change with multi issuer
 			AddQuery().
 			AggregateTypes(keypair.AggregateType).
 			Builder(),
--- a/internal/api/ui/login/auth_request.go
+++ b/internal/api/ui/login/auth_request.go
@@ -5,7 +5,6 @@ import (

 	"github.com/caos/zitadel/internal/domain"

-	"github.com/caos/zitadel/internal/api/authz"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 )

@@ -20,8 +19,7 @@ func (l *Login) getAuthRequest(r *http.Request) (*domain.AuthRequest, error) {
 		return nil, nil
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	return l.authRepo.AuthRequestByID(r.Context(), authRequestID, userAgentID, instanceID)
+	return l.authRepo.AuthRequestByID(r.Context(), authRequestID, userAgentID)
 }

 func (l *Login) getAuthRequestAndParseData(r *http.Request, data interface{}) (*domain.AuthRequest, error) {
--- a/internal/api/ui/login/custom_action.go
+++ b/internal/api/ui/login/custom_action.go
@@ -4,6 +4,7 @@ import (
 	"context"

 	"github.com/caos/oidc/pkg/oidc"
+	"github.com/caos/zitadel/internal/api/authz"

 	"github.com/caos/zitadel/internal/actions"
 	"github.com/caos/zitadel/internal/domain"
@@ -15,7 +16,7 @@ func (l *Login) customExternalUserMapping(ctx context.Context, user *domain.Exte
 	if resourceOwner == "" {
 		resourceOwner = config.AggregateID
 	}
-	if resourceOwner == domain.IAMID {
+	if resourceOwner == authz.GetInstance(ctx).InstanceID() {
 		iam, err := l.query.Instance(ctx)
 		if err != nil {
 			return nil, err
--- a/internal/api/ui/login/external_login_handler.go
+++ b/internal/api/ui/login/external_login_handler.go
@@ -11,8 +11,6 @@ import (
 	"github.com/caos/oidc/pkg/oidc"
 	"golang.org/x/oauth2"

-	"github.com/caos/zitadel/internal/api/authz"
-
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/crypto"
 	"github.com/caos/zitadel/internal/domain"
@@ -89,8 +87,7 @@ func (l *Login) handleIDP(w http.ResponseWriter, r *http.Request, authReq *domai
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	err = l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, idpConfig.IDPConfigID, userAgentID, instanceID)
+	err = l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, idpConfig.IDPConfigID, userAgentID)
 	if err != nil {
 		l.renderLogin(w, r, authReq, err)
 		return
@@ -142,8 +139,7 @@ func (l *Login) handleExternalLoginCallback(w http.ResponseWriter, r *http.Reque
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.State, userAgentID, instanceID)
+	authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.State, userAgentID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
@@ -202,8 +198,7 @@ func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.R
 		return
 	}

-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	err = l.authRepo.CheckExternalUserLogin(setContext(r.Context(), ""), authReq.ID, userAgentID, instanceID, externalUser, domain.BrowserInfoFromRequest(r))
+	err = l.authRepo.CheckExternalUserLogin(setContext(r.Context(), ""), authReq.ID, userAgentID, externalUser, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		if errors.IsNotFound(err) {
 			err = nil
@@ -231,7 +226,7 @@ func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.R
 			l.renderExternalNotFoundOption(w, r, authReq, iam, orgIAMPolicy, human, idpLinking, err)
 			return
 		}
-		authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID, instanceID)
+		authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID)
 		if err != nil {
 			l.renderExternalNotFoundOption(w, r, authReq, iam, orgIAMPolicy, human, idpLinking, err)
 			return
@@ -240,7 +235,7 @@ func (l *Login) handleExternalUserAuthenticated(w http.ResponseWriter, r *http.R
 		return
 	}
 	if len(externalUser.Metadatas) > 0 {
-		authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID, instanceID)
+		authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, userAgentID)
 		if err != nil {
 			return
 		}
@@ -329,8 +324,7 @@ func (l *Login) handleExternalNotFoundOptionCheck(w http.ResponseWriter, r *http
 		return
 	} else if data.ResetLinking {
 		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-		instanceID := authz.GetInstance(r.Context()).InstanceID()
-		err = l.authRepo.ResetLinkingUsers(r.Context(), authReq.ID, userAgentID, instanceID)
+		err = l.authRepo.ResetLinkingUsers(r.Context(), authReq.ID, userAgentID)
 		if err != nil {
 			l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
 		}
@@ -368,7 +362,6 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR
 	}

 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
 	if len(authReq.LinkingUsers) == 0 {
 		l.renderError(w, r, authReq, caos_errors.ThrowPreconditionFailed(nil, "LOGIN-asfg3", "Errors.ExternalIDP.NoExternalUserData"))
 		return
@@ -380,12 +373,12 @@ func (l *Login) handleAutoRegister(w http.ResponseWriter, r *http.Request, authR
 		l.renderExternalNotFoundOption(w, r, authReq, iam, orgIamPolicy, nil, nil, err)
 		return
 	}
-	err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, memberRoles, authReq.ID, userAgentID, resourceOwner, instanceID, metadata, domain.BrowserInfoFromRequest(r))
+	err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, memberRoles, authReq.ID, userAgentID, resourceOwner, metadata, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderExternalNotFoundOption(w, r, authReq, iam, orgIamPolicy, user, externalIDP, err)
 		return
 	}
-	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID, instanceID)
+	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
--- a/internal/api/ui/login/external_register_handler.go
+++ b/internal/api/ui/login/external_register_handler.go
@@ -8,7 +8,6 @@ import (
 	"github.com/caos/oidc/pkg/oidc"
 	"golang.org/x/text/language"

-	"github.com/caos/zitadel/internal/api/authz"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/domain"
 	iam_model "github.com/caos/zitadel/internal/iam/model"
@@ -68,8 +67,7 @@ func (l *Login) handleExternalRegister(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	err = l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, idpConfig.IDPConfigID, userAgentID, instanceID)
+	err = l.authRepo.SelectExternalIDP(r.Context(), authReq.ID, idpConfig.IDPConfigID, userAgentID)
 	if err != nil {
 		l.renderLogin(w, r, authReq, err)
 		return
@@ -89,8 +87,7 @@ func (l *Login) handleExternalRegisterCallback(w http.ResponseWriter, r *http.Re
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.State, userAgentID, instanceID)
+	authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.State, userAgentID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
--- a/internal/api/ui/login/jwt_handler.go
+++ b/internal/api/ui/login/jwt_handler.go
@@ -12,7 +12,6 @@ import (
 	"github.com/caos/oidc/pkg/client/rp"
 	"github.com/caos/oidc/pkg/oidc"

-	"github.com/caos/zitadel/internal/api/authz"
 	http_util "github.com/caos/zitadel/internal/api/http"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
@@ -45,8 +44,7 @@ func (l *Login) handleJWTRequest(w http.ResponseWriter, r *http.Request) {
 		l.renderError(w, r, nil, err)
 		return
 	}
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.AuthRequestID, userAgentID, instanceID)
+	authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.AuthRequestID, userAgentID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
@@ -84,13 +82,13 @@ func (l *Login) handleJWTExtraction(w http.ResponseWriter, r *http.Request, auth
 		return
 	}
 	metadata := externalUser.Metadatas
-	err = l.authRepo.CheckExternalUserLogin(setContext(r.Context(), ""), authReq.ID, authReq.AgentID, authReq.InstanceID, externalUser, domain.BrowserInfoFromRequest(r))
+	err = l.authRepo.CheckExternalUserLogin(setContext(r.Context(), ""), authReq.ID, authReq.AgentID, externalUser, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.jwtExtractionUserNotFound(w, r, authReq, idpConfig, tokens, err)
 		return
 	}
 	if len(metadata) > 0 {
-		authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID, authReq.InstanceID)
+		authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
 		if err != nil {
 			l.renderError(w, r, authReq, err)
 			return
@@ -117,7 +115,7 @@ func (l *Login) jwtExtractionUserNotFound(w http.ResponseWriter, r *http.Request
 		l.renderExternalNotFoundOption(w, r, authReq, nil, nil, nil, nil, err)
 		return
 	}
-	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID, authReq.InstanceID)
+	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
@@ -135,12 +133,12 @@ func (l *Login) jwtExtractionUserNotFound(w http.ResponseWriter, r *http.Request
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, nil, authReq.ID, authReq.AgentID, resourceOwner, authReq.InstanceID, metadata, domain.BrowserInfoFromRequest(r))
+	err = l.authRepo.AutoRegisterExternalUser(setContext(r.Context(), resourceOwner), user, externalIDP, nil, authReq.ID, authReq.AgentID, resourceOwner, metadata, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID, authReq.InstanceID)
+	authReq, err = l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
@@ -209,8 +207,7 @@ func (l *Login) handleJWTCallback(w http.ResponseWriter, r *http.Request) {
 		l.renderError(w, r, nil, err)
 		return
 	}
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.AuthRequestID, userAgentID, instanceID)
+	authReq, err := l.authRepo.AuthRequestByID(r.Context(), data.AuthRequestID, userAgentID)
 	if err != nil {
 		l.renderError(w, r, authReq, err)
 		return
--- a/internal/api/ui/login/link_users_handler.go
+++ b/internal/api/ui/login/link_users_handler.go
@@ -3,7 +3,6 @@ package login
 import (
 	"net/http"

-	"github.com/caos/zitadel/internal/api/authz"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/domain"
 )
@@ -14,8 +13,7 @@ const (

 func (l *Login) linkUsers(w http.ResponseWriter, r *http.Request, authReq *domain.AuthRequest, err error) {
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	err = l.authRepo.LinkExternalUsers(setContext(r.Context(), authReq.UserOrgID), authReq.ID, userAgentID, instanceID, domain.BrowserInfoFromRequest(r))
+	err = l.authRepo.LinkExternalUsers(setContext(r.Context(), authReq.UserOrgID), authReq.ID, userAgentID, domain.BrowserInfoFromRequest(r))
 	l.renderLinkUsersDone(w, r, authReq, err)
 }

--- a/internal/api/ui/login/login_handler.go
+++ b/internal/api/ui/login/login_handler.go
@@ -3,7 +3,6 @@ package login
 import (
 	"net/http"

-	"github.com/caos/zitadel/internal/api/authz"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/errors"
@@ -60,9 +59,8 @@ func (l *Login) handleLoginNameCheck(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
 	loginName := data.LoginName
-	err = l.authRepo.CheckLoginName(r.Context(), authReq.ID, loginName, userAgentID, instanceID)
+	err = l.authRepo.CheckLoginName(r.Context(), authReq.ID, loginName, userAgentID)
 	if err != nil {
 		l.renderLogin(w, r, authReq, err)
 		return
--- a/internal/api/ui/login/mfa_verify_handler.go
+++ b/internal/api/ui/login/mfa_verify_handler.go
@@ -3,7 +3,6 @@ package login
 import (
 	"net/http"

-	"github.com/caos/zitadel/internal/api/authz"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/domain"
 )
@@ -36,8 +35,7 @@ func (l *Login) handleMFAVerify(w http.ResponseWriter, r *http.Request) {
 	}
 	if data.MFAType == domain.MFATypeOTP {
 		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-		instanceID := authz.GetInstance(r.Context()).InstanceID()
-		err = l.authRepo.VerifyMFAOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, authReq.UserOrgID, data.Code, userAgentID, instanceID, domain.BrowserInfoFromRequest(r))
+		err = l.authRepo.VerifyMFAOTP(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, authReq.UserOrgID, data.Code, userAgentID, domain.BrowserInfoFromRequest(r))
 		if err != nil {
 			l.renderMFAVerifySelected(w, r, authReq, step, domain.MFATypeOTP, err)
 			return
--- a/internal/api/ui/login/mfa_verify_u2f_handler.go
+++ b/internal/api/ui/login/mfa_verify_u2f_handler.go
@@ -6,7 +6,6 @@ import (

 	"github.com/caos/zitadel/internal/domain"

-	"github.com/caos/zitadel/internal/api/authz"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 )

@@ -30,8 +29,7 @@ func (l *Login) renderU2FVerification(w http.ResponseWriter, r *http.Request, au
 	var webAuthNLogin *domain.WebAuthNLogin
 	if err == nil {
 		userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-		instanceID := authz.GetInstance(r.Context()).InstanceID()
-		webAuthNLogin, err = l.authRepo.BeginMFAU2FLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID, instanceID)
+		webAuthNLogin, err = l.authRepo.BeginMFAU2FLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID)
 	}
 	if err != nil {
 		errID, errMessage = l.getErrorMessage(r, err)
@@ -72,8 +70,7 @@ func (l *Login) handleU2FVerification(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	err = l.authRepo.VerifyMFAU2F(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID, instanceID, credData, domain.BrowserInfoFromRequest(r))
+	err = l.authRepo.VerifyMFAU2F(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, userAgentID, credData, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderU2FVerification(w, r, authReq, step.MFAProviders, err)
 		return
--- a/internal/api/ui/login/password_handler.go
+++ b/internal/api/ui/login/password_handler.go
@@ -38,7 +38,7 @@ func (l *Login) handlePasswordCheck(w http.ResponseWriter, r *http.Request) {
 		l.renderError(w, r, authReq, err)
 		return
 	}
-	err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, authReq.UserOrgID, data.Password, authReq.AgentID, authReq.InstanceID, domain.BrowserInfoFromRequest(r))
+	err = l.authRepo.VerifyPassword(setContext(r.Context(), authReq.UserOrgID), authReq.ID, authReq.UserID, authReq.UserOrgID, data.Password, authReq.AgentID, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderPassword(w, r, authReq, err)
 		return
--- a/internal/api/ui/login/passwordless_login_handler.go
+++ b/internal/api/ui/login/passwordless_login_handler.go
@@ -25,7 +25,7 @@ func (l *Login) renderPasswordlessVerification(w http.ResponseWriter, r *http.Re
 	var errID, errMessage, credentialData string
 	var webAuthNLogin *domain.WebAuthNLogin
 	if err == nil {
-		webAuthNLogin, err = l.authRepo.BeginPasswordlessLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, authReq.AgentID, authReq.InstanceID)
+		webAuthNLogin, err = l.authRepo.BeginPasswordlessLogin(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, authReq.AgentID)
 	}
 	if err != nil {
 		errID, errMessage = l.getErrorMessage(r, err)
@@ -62,7 +62,7 @@ func (l *Login) handlePasswordlessVerification(w http.ResponseWriter, r *http.Re
 		l.renderPasswordlessVerification(w, r, authReq, formData.PasswordLogin, err)
 		return
 	}
-	err = l.authRepo.VerifyPasswordless(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, authReq.AgentID, authReq.InstanceID, credData, domain.BrowserInfoFromRequest(r))
+	err = l.authRepo.VerifyPasswordless(setContext(r.Context(), authReq.UserOrgID), authReq.UserID, authReq.UserOrgID, authReq.ID, authReq.AgentID, credData, domain.BrowserInfoFromRequest(r))
 	if err != nil {
 		l.renderPasswordlessVerification(w, r, authReq, formData.PasswordLogin, err)
 		return
--- a/internal/api/ui/login/passwordless_registration_handler.go
+++ b/internal/api/ui/login/passwordless_registration_handler.go
@@ -5,7 +5,6 @@ import (
 	"net/http"

 	"github.com/caos/logging"
-
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/domain"
 	"github.com/caos/zitadel/internal/eventstore/v1/models"
--- a/internal/api/ui/login/register_handler.go
+++ b/internal/api/ui/login/register_handler.go
@@ -5,7 +5,6 @@ import (

 	"golang.org/x/text/language"

-	"github.com/caos/zitadel/internal/api/authz"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 	"github.com/caos/zitadel/internal/domain"
 	caos_errs "github.com/caos/zitadel/internal/errors"
@@ -95,8 +94,7 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	err = l.authRepo.SelectUser(r.Context(), authRequest.ID, user.AggregateID, userAgentID, instanceID)
+	err = l.authRepo.SelectUser(r.Context(), authRequest.ID, user.AggregateID, userAgentID)
 	if err != nil {
 		l.renderRegister(w, r, authRequest, data, err)
 		return
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@@ -9,6 +9,7 @@ import (
 	"strings"

 	"github.com/caos/logging"
+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/gorilla/csrf"
 	"golang.org/x/text/language"

@@ -220,7 +221,7 @@ func CreateRenderer(pathPrefix string, staticDir http.FileSystem, staticStorage
 		tmplMapping, funcs,
 		i18n.TranslatorConfig{DefaultLanguage: defaultLanguage, CookieName: cookieName},
 	)
-	logging.Log("APP-40tSoJ").OnError(err).WithError(err).Panic("error creating renderer")
+	logging.New().OnError(err).WithError(err).Panic("error creating renderer")
 	return r
 }

@@ -229,7 +230,7 @@ func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *
 		l.renderInternalError(w, r, nil, caos_errs.ThrowInvalidArgument(nil, "LOGIN-Df3f2", "Errors.AuthRequest.NotFound"))
 		return
 	}
-	authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID, authReq.InstanceID)
+	authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID, authReq.AgentID)
 	if err != nil {
 		l.renderInternalError(w, r, authReq, err)
 		return
@@ -341,7 +342,7 @@ func (l *Login) getBaseData(r *http.Request, authReq *domain.AuthRequest, title
 		Theme:                  l.getTheme(r),
 		ThemeMode:              l.getThemeMode(r),
 		DarkMode:               l.isDarkMode(r),
-		PrivateLabelingOrgID:   l.getPrivateLabelingID(authReq),
+		PrivateLabelingOrgID:   l.getPrivateLabelingID(authz.GetInstance(r.Context()).InstanceID(), authReq),
 		OrgID:                  l.getOrgID(authReq),
 		OrgName:                l.getOrgName(authReq),
 		PrimaryDomain:          l.getOrgPrimaryDomain(authReq),
@@ -455,8 +456,8 @@ func (l *Login) getOrgID(authReq *domain.AuthRequest) string {
 	return authReq.UserOrgID
 }

-func (l *Login) getPrivateLabelingID(authReq *domain.AuthRequest) string {
-	privateLabelingOrgID := domain.IAMID
+func (l *Login) getPrivateLabelingID(instanceID string, authReq *domain.AuthRequest) string {
+	privateLabelingOrgID := instanceID
 	if authReq == nil {
 		return privateLabelingOrgID
 	}
--- a/internal/api/ui/login/resources_handler.go
+++ b/internal/api/ui/login/resources_handler.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"net/http"

+	"github.com/caos/zitadel/internal/api/authz"
 	"github.com/caos/zitadel/internal/domain"
 )

@@ -24,7 +25,7 @@ func (l *Login) handleDynamicResources(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	bucketName := domain.IAMID
+	bucketName := authz.GetInstance(r.Context()).InstanceID()
 	if data.OrgID != "" && !data.DefaultPolicy {
 		bucketName = data.OrgID
 	}
--- a/internal/api/ui/login/select_user_handler.go
+++ b/internal/api/ui/login/select_user_handler.go
@@ -5,7 +5,6 @@ import (

 	"github.com/caos/zitadel/internal/domain"

-	"github.com/caos/zitadel/internal/api/authz"
 	http_mw "github.com/caos/zitadel/internal/api/http/middleware"
 )

@@ -39,8 +38,7 @@ func (l *Login) handleSelectUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	userAgentID, _ := http_mw.UserAgentIDFromCtx(r.Context())
-	instanceID := authz.GetInstance(r.Context()).InstanceID()
-	err = l.authRepo.SelectUser(r.Context(), authSession.ID, data.UserID, userAgentID, instanceID)
+	err = l.authRepo.SelectUser(r.Context(), authSession.ID, data.UserID, userAgentID)
 	if err != nil {
 		l.renderError(w, r, authSession, err)
 		return