diff --git a/console/src/assets/i18n/de.json b/console/src/assets/i18n/de.json
index 5eb01ed24b..11759e3830 100644
--- a/console/src/assets/i18n/de.json
+++ b/console/src/assets/i18n/de.json
@@ -1699,7 +1699,7 @@
 "AZUREADTENANTTYPES": {
 "0": "Common",
 "1": "Organizations",
- "2": "Customers"
+ "2": "Consumers"
 },
 "ADD": "Identitätsanbieter hinzufügen",
 "AZUREADTENANTTYPE": "Tenant Typ",
diff --git a/console/src/assets/i18n/en.json b/console/src/assets/i18n/en.json
index c9864c9222..758b8ffed6 100644
--- a/console/src/assets/i18n/en.json
+++ b/console/src/assets/i18n/en.json
@@ -1695,7 +1695,7 @@
 "AZUREADTENANTTYPES": {
 "0": "Common",
 "1": "Organizations",
- "2": "Customers"
+ "2": "Consumers"
 },
 "AZUREADTENANTTYPE": "Tenant Type",
 "AZUREADTENANTID": "Tenant ID",
diff --git a/console/src/assets/i18n/fr.json b/console/src/assets/i18n/fr.json
index 2cd44a1b67..25a521b55d 100644
--- a/console/src/assets/i18n/fr.json
+++ b/console/src/assets/i18n/fr.json
@@ -1703,7 +1703,7 @@
 "AZUREADTENANTTYPES": {
 "0": "Common",
 "1": "Organizations",
- "2": "Customers"
+ "2": "Consumers"
 },
 "AZUREADTENANTTYPE": "Type de locataire",
 "AZUREADTENANTID": "ID du locataire",
diff --git a/console/src/assets/i18n/it.json b/console/src/assets/i18n/it.json
index 0e42e01a64..4776e30904 100644
--- a/console/src/assets/i18n/it.json
+++ b/console/src/assets/i18n/it.json
@@ -1704,7 +1704,7 @@
 "AZUREADTENANTTYPES": {
 "0": "Common",
 "1": "Organizations",
- "2": "Customers"
+ "2": "Consumers"
 },
 "ADD": "Aggiungi fornitore di identità",
 "AZUREADTENANTTYPE": "Tipo tenant",
diff --git a/console/src/assets/i18n/pl.json b/console/src/assets/i18n/pl.json
index 4b5bedde76..9c93e1688f 100644
--- a/console/src/assets/i18n/pl.json
+++ b/console/src/assets/i18n/pl.json
@@ -1703,7 +1703,7 @@
 "AZUREADTENANTTYPES": {
 "0": "Common",
 "1": "Organizations",
- "2": "Customers"
+ "2": "Consumers"
 },
 "AZUREADTENANTTYPE": "Rodzaj najemcy",
 "AZUREADTENANTID": "Identyfikator najemcy",
diff --git a/console/src/assets/i18n/zh.json b/console/src/assets/i18n/zh.json index 9fed206931..b40de11ce1 100644 --- a/console/src/assets/i18n/zh.json +++ b/console/src/assets/i18n/zh.json @@ -1702,7 +1702,7 @@ "AZUREADTENANTTYPES": { "0": "Common", "1": "Organizations", - "2": "Customers" + "2": "Consumers" }, "AZUREADTENANTTYPE": "租户类型", "AZUREADTENANTID": "租户编号", diff --git a/docs/README.md b/docs/README.md index b3a1dfdd28..89e080a31d 100644 --- a/docs/README.md +++ b/docs/README.md @@ -12,6 +12,13 @@ To add a new site to the already existing structure simply save the `md` file in yarn install ``` +## Generate + +``` +yarn generate +``` + + ## Local Development ``` @@ -29,4 +36,4 @@ docker build -f docs/Dockerfile . -t zitadel-docs ```shell docker run -p 8080:8080 zitadel-docs -``` \ No newline at end of file +``` diff --git a/docs/docs/guides/integrate/identity-providers/_activate.mdx b/docs/docs/guides/integrate/identity-providers/_activate.mdx new file mode 100644 index 0000000000..1ddfeab8eb --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/_activate.mdx @@ -0,0 +1 @@ +Once you created the IdP, you need to activate it. \ No newline at end of file diff --git a/docs/docs/guides/integrate/identity-providers/_custom_login_policy.mdx b/docs/docs/guides/integrate/identity-providers/_custom_login_policy.mdx new file mode 100644 index 0000000000..fe7b882a61 --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/_custom_login_policy.mdx 
@@ -0,0 +1,10 @@ +The login policy can be configured on two levels. Once as default on the instance and this can be overwritten for each organization. +The only difference is where you configure it. Go either to the settings page of a specific organization or to the settings page of your instance. +Instance: $YOUR-DOMAIN/ui/console/settings?id=general +Organization: Choose the organization in the menu and go to $YOUR-DOMAIN/ui/console/org-settings?id=login + +1. Go to the Settings +2. Modify your login policy in the menu "Login Behavior and Security" +3. Enable the attribute "External IDP allowed" + +![Allow External IDP](/img/guides/zitadel_allow_external_idp.png) diff --git a/docs/docs/guides/integrate/identity-providers/_general_config_description.mdx b/docs/docs/guides/integrate/identity-providers/_general_config_description.mdx new file mode 100644 index 0000000000..975695bc91 --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/_general_config_description.mdx @@ -0,0 +1,8 @@ +

Automatic creation: If this setting is enabled the user will be created automatically within ZITADEL, if it doesn't exist.

+

Automatic update: If this setting is enabled, the user will be updated within ZITADEL, if some user data is changed withing the provider. E.g if the lastname changes on the {props.provider_account}, the information will be changed on the ZITADEL account on the next login.

+

Account creation allowed: This setting determines if account creation within ZITADEL is allowed or not.

+

Account linking allowed: This setting determines if account linking is allowed. When logging in with a {props.provider_account}, a linkable ZITADEL account has to exist already.

+ +:::info +Either account creation or account linking have to be enabled. Otherwise, the provider can't be used. +::: \ No newline at end of file diff --git a/docs/docs/guides/integrate/identity-providers/_intro.mdx b/docs/docs/guides/integrate/identity-providers/_intro.mdx new file mode 100644 index 0000000000..01e386ca1d --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/_intro.mdx @@ -0,0 +1,9 @@ +

This guides shows you how to connect {props.provider} as an identity provider in ZITADEL.

+ +:::info +

+In ZITADEL you can connect an Identity Provider (IdP) like {props.provider} to your instance and provide it as default to all organizations. +Also, you can register the IdP to a specific organization only. +If you allow so, your organizations members can do the same in self-service. +

+::: diff --git a/docs/docs/guides/integrate/identity-providers/_prefill_action.mdx b/docs/docs/guides/integrate/identity-providers/_prefill_action.mdx new file mode 100644 index 0000000000..a63a3fcb48 --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/_prefill_action.mdx @@ -0,0 +1,7 @@ +import CodeBlock from '@theme/CodeBlock'; + +

You can use a ZITADEL action if you want to prefill the fields {props.fields} with {props.provider} data.

+ +1. Go to the users target organizations settings page. +2. Add a new action with the body below. Make sure the action name equals the scripts function name. Also change the id in the script to match your provider configurations id. +3. Add the action to the flow "External Authentication" and trigger it on "Post Authentication" diff --git a/docs/docs/guides/integrate/identity-providers/_test_setup.mdx b/docs/docs/guides/integrate/identity-providers/_test_setup.mdx new file mode 100644 index 0000000000..10f742b341 --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/_test_setup.mdx @@ -0,0 +1,11 @@ +

+To test the setup, use incognito mode and browse to your login page. +You see a new button which redirects you to {props.loginscreen} screen. +

+ +By default, ZITADEL shows what you define in the instance settings. +If you overwrite the instance settings for an organization, you need to send the organization scope in your auth request. + +The organization scope looks like this: ```urn:zitadel:iam:org:id:{id}```. +You can [read more about the reserved scopes](/apis/openidoauth/scopes#reserved-scopes) +or [use the ZITADEL OIDC Playground](/apis/openidoauth/authrequest) to see what happens with the login when you send different scopes. diff --git a/docs/docs/guides/integrate/identity-providers/_unlinked_oauth.mdx b/docs/docs/guides/integrate/identity-providers/_unlinked_oauth.mdx new file mode 100644 index 0000000000..56b506829a --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/_unlinked_oauth.mdx @@ -0,0 +1,5 @@ +

+New unlinked users are presented with the screen below. + {props.provider} is an OAuth provider and does not provide a standardized way to get the user data. +This means that ZITADEL has no way to prefill the first and lastname fields. +

\ No newline at end of file diff --git a/docs/docs/guides/integrate/identity-providers/azure-ad.mdx b/docs/docs/guides/integrate/identity-providers/azure-ad.mdx new file mode 100644 index 0000000000..c61773540f --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/azure-ad.mdx 
@@ -0,0 +1,108 @@ +--- +title: Configure Azure AD as Identity Provider +sidebar_label: Azure AD +--- + +import GeneralConfigDescription from './_general_config_description.mdx'; +import Intro from './_intro.mdx'; +import CustomLoginPolicy from './_custom_login_policy.mdx'; +import TestSetup from './_test_setup.mdx'; +import Activate from './_activate.mdx'; + + + +## Azure AD Configuration + +You need to have access to an AzureAD Tenant. If you do not yet have one follow [this guide from Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant) to create one for free. + +### Register a new client + +1. Browse to the [App registration menus create dialog](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false) to create a new app. +2. Give the application a name and choose who should be able to login (Single-Tenant, Multi-Tenant, Personal Accounts, etc.) This setting will also have an impact on how to configure the provider later on in ZITADEL. +3. Choose "Web" in the redirect uri field and add the URL: + - {your-domain}/ui/login/login/externalidp/callback + - Example redirect url for the domain `https://acme-gzoe4x.zitadel.cloud` would look like this: `https://acme-gzoe4x.zitadel.cloud/ui/login/login/externalidp/callback` +5. Save the Application (client) ID and the Directory (tenant) ID from the detail page + +![Azure App Registration](/img/guides/azure_app_registration.png) + +![Azure Client ID and Tenant ID](/img/guides/azure_client_tenant_id.png) + +### Add client secret + +Generate a new client secret to authenticate your user. + +1. Click on client credentials on the detail page of the application or use the menu "Certificates & secrets" +2. Click on "+ New client secret" and enter a description and an expiry date, add the secret afterwards +3. Copy the value of the secret. 
You will not be able to see the value again after some time + +![Azure Client Secret](/img/guides/azure_client_secret.png) + +### Token configuration + +To allow ZITADEL to get the information from the authenticating user you have to configure what kind of optional claims should be returned in the token. + +1. Click on Token configuration in the side menu +2. Click on "+ Add optional claim" +3. Add email, family_name, given_name and preferred_username to the id token + +![Azure Token configuration](/img/guides/azure_token_configuration.png) + +### API permissions + +To be able to get all the information that ZITADEL needs, you have to configure the correct permissions. + +1. Go to "API permissions" in the side menu +2. Make sure the permissions include "Microsoft Graph": email, profile and User.Read +3. The "Other permissions granted" should include "Microsoft Graph: openid" + +![Azure API permissions](/img/guides/azure_api_permissions.png) + +## ZITADEL Configuration + +### Add custom login policy + + + +### Create new Azure AD Provider + +Go to the settings of your ZITADEL instance or the organization where you like to add a new **Azure AD** provider. +Choose the **Microsoft** provider template. +This template has everything you need preconfigured. +You only have to add the client ID and secret, you have created in the step before. + +You can configure the following settings if you like, a useful default will be filled if you don't change anything: + +**Scopes**: The scopes define which scopes will be sent to the provider, `openid`, `profile`, and `email` are prefilled. +This information will be taken to create/update the user within ZITADEL. Make sure to also add `User.Read` + +**Email Verified**: Azure AD doesn't send the email verified claim in the users token, if you don't enable this setting. +The user is then created with an unverified email, which results in an email verification message. +If you want to avoid that, make sure to enable "Email verified". 
+In that case, the user is created with a verified email address. + +**Tenant Type**: Configure the tenant type according to what you have chosen in the settings of your Azure AD application previously. +- Common: Choose common if you want all Microsoft accounts being able to login. +In this case, configure "Accounts in any organizational directory and personal Microsoft accounts" in your Azure AD App. +- Organizations: Choose organization if you have Azure AD Tenants and no personal accounts. (You have configured either "Accounts in this organization" or "Accounts in any organizational directory" on your Azure APP) +- Consumers: Choose this if you want to allow public accounts. (In your Azure AD App you have configured "Personal Microsoft accounts only") + +**Tenant ID**: If you have selected either the *Organizations* or *Customers* as the *Tenant Type*, you have to enter the *Directory (Tenant) ID*, copied previously in the Azure App configuration, here. + + + +![Azure Provider](/img/guides/zitadel_azure_provider.png) + +### Activate IdP + + + +![Activate Azure AD](/img/guides/zitadel_activate_azure.png) + +## Test the setup + + + +![Azure AD Button](/img/guides/zitadel_login_azure.png) + +![Azure AD Login](/img/guides/microsoft_login.png) diff --git a/docs/docs/guides/integrate/identity-providers/azuread-oidc.md b/docs/docs/guides/integrate/identity-providers/azuread-oidc.md index b0d2e793e2..9b7b1c899a 100644 --- a/docs/docs/guides/integrate/identity-providers/azuread-oidc.md +++ b/docs/docs/guides/integrate/identity-providers/azuread-oidc.md @@ -1,8 +1,14 @@ --- title: Configure AzureAD as Identity Provider -sidebar_label: AzureAD +sidebar_label: AzureAD OIDC (Deprecated) --- +:::caution deprecated + +This configuration is based on the generic OIDC configuration. You can use the [Azure AD Template](./azure-ad) instead. + +::: + ## AzureAD Tenant as Identity Provider for ZITADEL This guides shows you how to connect an AzureAD Tenant to ZITADEL. 
@@ -35,7 +41,6 @@ You can leave the second field empty since we will change this in the next step. For this to work you need to whitelist the redirect URIs from your ZITADEL Instance. In this example our test instance has the domain `test-qcon0h.zitadel.cloud`. In this case we need to whitelist these two entries: -- `https://test-qcon0h.zitadel.cloud/ui/login/register/externalidp/callback` - `https://test-qcon0h.zitadel.cloud/ui/login/login/externalidp/callback` :::info diff --git a/docs/docs/guides/integrate/identity-providers/github.mdx b/docs/docs/guides/integrate/identity-providers/github.mdx new file mode 100644 index 0000000000..aa58ee6ddd --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/github.mdx 
@@ -0,0 +1,90 @@ +--- +title: Configure GitHub as Identity Provider +sidebar_label: GitHub +--- + +import GeneralConfigDescription from './_general_config_description.mdx'; +import Intro from './_intro.mdx'; +import CustomLoginPolicy from './_custom_login_policy.mdx'; +import Activate from './_activate.mdx'; +import TestSetup from './_test_setup.mdx'; +import UnlinkedOAuth from './_unlinked_oauth.mdx'; +import PrefillAction from './_prefill_action.mdx'; + + + +## GitHub Configuration + +### Register a new application + +For **GitHub** browse to the [Register a new OAuth application](https://github.com/settings/applications/new). You can find this link withing [Settings](https://github.com/settings/profile) - [Developer Settings](https://github.com/settings/apps) - - [OAuth Apps](https://github.com/settings/developers). + +For **GitHub Enterprise** go to your GitHub Enterprise home page and then to Settings - Developer Settings - OAuth Apps - Register a new application/New OAuth App + +Fill in the application name and homepage URL. + +You have to add the authorization callback URL, where GitHub should redirect, after the user has authenticated himself. +In this example our test instance has the domain `https://acme-gzoe4x.zitadel.cloud`. +This results in the following authorization callback URL: + `https://acme-gzoe4x.zitadel.cloud/ui/login/login/externalidp/callback` + +:::info +To adapt this for you setup just replace the domain +::: + +![Register an OAuth application](/img/guides/github_oauth_app_registration.png) + +### Client ID and Secret + +After clicking "Register application", you see the detail page of the application you have just created. +Copy the client ID directly from the detail page. +Generate a new secret by clicking "Generate new client secret". +Make sure to save the secret, as you will not be able to show it again. 
+ +![Client ID and Secret](/img/guides/github_oauth_client_id_secret.png) + +## ZITADEL Configuration + +### Add custom login policy + + + +### Create new GitHub Provider + +Go to the settings of your ZITADEL instance or the organization where you like to add a new GitHub provider. +Choose the GitHub provider template. This template has everything you need preconfigured. You only have to add the client ID and secret, you have created in the step before. + +You can configure the following settings if you like, a useful default will be filled if you don't change anything: + +**Scopes**: The scopes define which scopes will be sent to the provider, `openid`, `profile`, and `email` are prefilled. +This information is used to create and/or update the user within ZITADEL. + + + +![GitHub Provider](/img/guides/zitadel_github_create_provider.png) + +### Activate IdP + + + +![Activate the GitHub](/img/guides/zitadel_activate_github.png) + +## Test the setup + + + +![GitHub Button](/img/guides/zitadel_login_github.png) + +![GitHub Login](/img/guides/github_login.png) + + + +![GitHub Login](/img/guides/zitadel_login_external_not_found_registration.png) + +## Optional: Add ZITADEL action to autofill userdata + + + +```js reference +https://github.com/zitadel/actions/blob/main/examples/github_identity_provider.js +``` diff --git a/docs/docs/guides/integrate/identity-providers/gitlab.mdx b/docs/docs/guides/integrate/identity-providers/gitlab.mdx new file mode 100644 index 0000000000..25e8e19a50 --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/gitlab.mdx 
@@ -0,0 +1,92 @@ +--- +title: Configure GitLab as Identity Provider +sidebar_label: GitLab +--- + +import GeneralConfigDescription from './_general_config_description.mdx'; +import Intro from './_intro.mdx'; +import CustomLoginPolicy from './_custom_login_policy.mdx'; +import Activate from './_activate.mdx'; +import TestSetup from './_test_setup.mdx'; +import UnlinkedOAuth from './_unlinked_oauth.mdx'; +import PrefillAction from './_prefill_action.mdx'; + + + +## GitLab Configuration + +### Register a new application + +1. Login to [gitlab.com](https://gitlab.com) +2. Select [Edit Profile](https://gitlab.com/-/profile) +3. Click on [Applications](https://gitlab.com/-/profile/applications) in the side navigation + +For **GitLab Self-Hosted** go to your GitLab self-hosted instance and follow the same steps as for GitLab. + +Fill in the application name. + +You have to add the redirect URI, where GitLab should redirect, after the user has authenticated himself. +In this example our test instance has the domain `https://acme-gzoe4x.zitadel.cloud`. +This results in the following redirect URI: + `https://acme-gzoe4x.zitadel.cloud/ui/login/login/externalidp/callback` + +:::info +To adapt this for you setup just replace the domain +::: + +![Register an OAuth application](/img/guides/gitlab_app_registration.png) + +### Client ID and Secret + +After clicking "Save application", you will see the detail page of the application you have just created. +To be able to connect GitLab to ZITADEL you will need a client ID and a client secret. +Save the ID and the Secret, you will not be able to copy the secret again, if you lose it you have to generate a new one. + +![Client ID and Secret](/img/guides/gitlab_app_id_secret.png) + +## ZITADEL Configuration + +### Add custom login policy + + + +### Create new GitLab Provider + +Go to the settings of your ZITADEL instance or the organization where you like to add a new Gitlab provider. +Choose the GitLab provider template. 
+This template has everything you need preconfigured. +Add the client ID and secret you have created in the Gitlab Application. + +You can configure the following settings if you like, a useful default will be filled if you don't change anything: + +**Scopes**: The scopes define which scopes will be sent to the provider, `openid`, `profile`, and `email` are prefilled. This informations will be taken to create/update the user within ZITADEL. + + + +![GitLab Provider](/img/guides/zitadel_gitlab_create_provider.png) + +### Activate IdP + + + +![Activate the GitLab](/img/guides/zitadel_activate_gitlab.png) + +## Test the setup + + + +![GitLab Button](/img/guides/zitadel_login_gitlab.png) + +![GitLab Login](/img/guides/gitlab_login.png) + + + +![GitLab Login](/img/guides/zitadel_login_external_not_found_registration.png) + +## Optional: Add ZITADEL action to autofill userdata + + + +```js reference +https://github.com/zitadel/actions/blob/main/examples/gitlab_identity_provider.js +``` diff --git a/docs/docs/guides/integrate/identity-providers/google-oidc.mdx b/docs/docs/guides/integrate/identity-providers/google-oidc.mdx index 640eced4a2..d4ac3ccde4 100644 --- a/docs/docs/guides/integrate/identity-providers/google-oidc.mdx +++ b/docs/docs/guides/integrate/identity-providers/google-oidc.mdx @@ -1,8 +1,14 @@ --- title: Configure Google as Identity Provider -sidebar_label: Google +sidebar_label: Google OIDC (Deprecated) --- +:::caution deprecated + +This configuration is based on the generic OIDC configuration. You can use the [Google Template](./google) instead. + +::: + ## Register an external identity provider In this step we will add a new Google identity provider to federate identities with ZITADEL. 
@@ -11,7 +17,6 @@ In this step we will add a new Google identity provider to federate identities w 1. Register an OIDC Client in your preferred provider 2. Make sure you add the ZITADEL callback redirect uris - - {your-domain}/ui/login/register/externalidp/callback - {your-domain}/ui/login/login/externalidp/callback > **Information:** Make sure the provider is OIDC 1.0 compliant with a proper Discovery Endpoint diff --git a/docs/docs/guides/integrate/identity-providers/google.mdx b/docs/docs/guides/integrate/identity-providers/google.mdx new file mode 100644 index 0000000000..ad8ba06258 --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/google.mdx 
@@ -0,0 +1,64 @@ +--- +title: Configure Google as Identity Provider +sidebar_label: Google +--- + +import GeneralConfigDescription from './_general_config_description.mdx'; +import Intro from './_intro.mdx'; +import CustomLoginPolicy from './_custom_login_policy.mdx'; +import Activate from './_activate.mdx'; +import TestSetup from './_test_setup.mdx'; + + + +## Google Configuration + +### Register a new client + +1. Go to the Google Cloud Platform and choose your project: [https://console.cloud.google.com/apis/credentials](https://console.cloud.google.com/apis/credentials) +2. Click on "+ CREATE CREDENTIALS" and choose "OAuth client ID" +3. Choose "Web application" as application type and give a name +4. Add the redirect uri + - {your-domain}/ui/login/login/externalidp/callback + - Example redirect url for the domain `https://acme-gzoe4x.zitadel.cloud` would look like this: `https://acme-gzoe4x.zitadel.cloud/ui/login/login/externalidp/callback` +5. Save the Client ID and Client secret + +![Google OAuth App Registration](/img/guides/google_oauth_app_registration.png) + +![Google Client ID and Secret](/img/guides/google_client_id_secret.png) + +## ZITADEL Configuration + +### Add custom login policy + + + +### Create new Google Provider + +Go to the settings of your ZITADEL instance or the organization where you want to add a new Google provider. +Choose the Google provider template. This template has everything you need preconfigured. +Add the client ID and secret created before on your Google App. + +You can configure the following settings if you like, a useful default will be filled if you don't change anything: + +**Scopes**: The scopes define which scopes will be sent to the provider, `openid`, `profile`, and `email` are prefilled. This information will be taken to create/update the user within ZITADEL. 
+ + + + +![Google Provider](/img/guides/zitadel_google_create_provider.png) + +### Activate IdP + + + +![Activate the Google Provider](/img/guides/zitadel_activate_google.png) + +## Test the setup + + + + +![Google Button](/img/guides/zitadel_login_google.png) + +![Google Login](/img/guides/google_login.png) diff --git a/docs/docs/guides/integrate/identity-providers/ldap.mdx b/docs/docs/guides/integrate/identity-providers/ldap.mdx new file mode 100644 index 0000000000..632752aab5 --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/ldap.mdx 
@@ -0,0 +1,74 @@ +--- +title: Configure LDAP as Identity Provider +sidebar_label: LDAP +--- + +import GeneralConfigDescription from './_general_config_description.mdx'; +import Intro from './_intro.mdx'; +import CustomLoginPolicy from './_custom_login_policy.mdx'; +import Activate from './_activate.mdx'; +import TestSetup from './_test_setup.mdx'; + + + +## ZITADEL Configuration + +### Add custom login policy + + + +### Resulting process to connect LDAP + +When you wnat to use a LDAP provider in ZITADEL, the following process is followed to login: + +1. ZITADEL tries to connect to the LDAP server with or without TLS depending on the configuration +2. If the connection fails, the next server in the list will be used to try again. +3. ZITADEL tries a bind with the BindDN and BindPassword to check if it's possible to proceed +4. ZITADEL does a SearchQuery to find the UserDN with the provided configuration of base, filters and objectClasses +5. ZITADEL tries a bind with the provided loginname and password +6. LDAP attributes get mapped to ZITADEL attributes as provided by the configuration + +### Create new LDAP Provider + +Go to the settings of your ZITADEL instance or the organization where you like to add a new LDAP provider. +Choose the LDAP provider template. + +To configure the LDAP template please fill out the following fields: + +**Name**: Name of the identity provider + +**Servers**: List of servers in a format of "schema://host:port", as example "ldap://localhost:389", if TLS should be used then replace "ldap" with "ldaps" with the corresponding port. + +**BaseDN**: BaseDN which will be used with each request to the LDAP server + +**BindDn** and **BindPassword**: BindDN and password used to connect to the LDAP for the SearchQuery, should be an admin or user with enough permissions to search for the users to login. + +**Userbase**: Base used for the user, normally "dn" but can also be configured. 
+ +**User filters**: Attributes of the user which are "or"-joined in the query for the user, used value is the input of the loginname, for example if you try to login with user@example.com and filters "uid" and "email" the resulting SearchQuery contains "(|(uid=user@example.com)(email=user@example.com))" + +**User Object Classes**: ObjectClasses which are "and"-joined in the SearchQuery and the user has to have in the LDAP. + +**LDAP Attributes**: Mapping of LDAP attributes to ZITADEL attributes, the ID attributes is required, the rest depends on usage of the identity provider + +**StartTLS**: If this setting is enabled after the initial connection ZITADEL tries to build a TLS connection. + +**Timeout**: If this setting is set all connection run with a set timeout, if it is 0s the default timeout of 60s is used. + + + +![LDAP Provider](/img/guides/zitadel_ldap_create_provider.png) + +### Activate IdP + + + +![Activate the LDAP Provider](/img/guides/zitadel_activate_ldap.png) + +## Test the setup + + + +![LDAP Button](/img/guides/zitadel_login_ldap.png) + +![LDAP Login](/img/guides/zitadel_login_ldap_input.png) diff --git a/docs/docs/guides/integrate/identity-providers/openldap.mdx b/docs/docs/guides/integrate/identity-providers/openldap.mdx new file mode 100644 index 0000000000..95b7a7b673 --- /dev/null +++ b/docs/docs/guides/integrate/identity-providers/openldap.mdx 
@@ -0,0 +1,185 @@ +--- +title: Configure local OpenLDAP as Identity Provider +sidebar_label: Local OpenLDAP +--- + +import GeneralConfigDescription from './_general_config_description.mdx'; +import Intro from './_intro.mdx'; +import CustomLoginPolicy from './_custom_login_policy.mdx'; +import Activate from './_activate.mdx'; +import TestSetup from './_test_setup.mdx'; + + + +## OpenLDAP Configuration + +### Basic configuration + +To run LDAP locally to test it with ZITADEL please refer to [OpenLDAP](https://www.openldap.org/) with [slapd](https://www.openldap.org/software/man.cgi?query=slapd). + +For a quickstart guide please refer to their [official documentation](https://www.openldap.org/doc/admin22/quickstart.html). + +A basic configuration would be like this +``` +# +# See slapd.conf(5) for details on configuration options. +# This file should NOT be world readable. +# +include /usr/local/etc/openldap/schema/core.schema +include /usr/local/etc/openldap/schema/cosine.schema +include /usr/local/etc/openldap/schema/inetorgperson.schema +include /usr/local/etc/openldap/schema/nis.schema +include /usr/local/etc/openldap/schema/misc.schema + +# Define global ACLs to disable default read access. + +# Do not enable referrals until AFTER you have a working directory +# service AND an understanding of referrals. 
+#referral ldap://root.openldap.org + +pidfile /usr/local/var/run/slapd.pid +argsfile /usr/local/var/run/slapd.args + +# Load dynamic backend modules: +modulepath /usr/local/Cellar/openldap/2.4.53/libexec/openldap +moduleload back_mdb.la +moduleload back_ldap.la + +# Sample security restrictions +# Require integrity protection (prevent hijacking) +# Require 112-bit (3DES or better) encryption for updates +# Require 63-bit encryption for simple bind +# security ssf=1 update_ssf=112 simple_bind=64 + +# Sample access control policy: +# Root DSE: allow anyone to read it +# Subschema (sub)entry DSE: allow anyone to read it +# Other DSEs: +# Allow self write access +# Allow authenticated users read access +# Allow anonymous users to authenticate +# Directives needed to implement policy: +# access to dn.base="" by * read +# access to dn.base="cn=Subschema" by * read +# access to * +# by self write +# by users read +# by anonymous auth +# +# if no access controls are present, the default policy +# allows anyone and everyone to read anything but restricts +# updates to rootdn. (e.g., "access to * by * read") +# +# rootdn can always read and write EVERYTHING! + +####################################################################### +# MDB database definitions +####################################################################### + +database ldif +#maxsize 1073741824 +suffix "dc=example,dc=com" +rootdn "cn=admin,dc=example,dc=com" +# Cleartext passwords, especially for the rootdn, should +# be avoid. See slappasswd(8) and slapd.conf(5) for details. +# Use of strong authentication encouraged. +rootpw {SSHA}6FTOTIITpkP9IAf22VjHqu4JisyBmW5A +# The database directory MUST exist prior to running slapd AND +# should only be accessible by the slapd and slap tools. +# Mode 700 recommended. 
+directory /usr/local/var/openldap-data +# Indices to maintain +#index objectClass eq +``` + +Which is the default configuration with an admin user under the DN `cn=admin,dc=example,dc=com` and password `Password1!`, BaseDN `"dc=example,dc=com` and database set to `ldif`. +In addition, there are some schemas included which can be used to create the users. + +### Example users + +For a basic structure and an example user you can use this structure in a `.ldif` file: +``` +dn: dc=example,dc=com +dc: example +description: Company +objectClass: dcObject +objectClass: organization +o: Example, Inc. + +dn: ou=people, dc=example,dc=com +ou: people +description: All people in organisation +objectclass: organizationalunit + +dn: cn=test,ou=people,dc=example,dc=com +objectclass: inetOrgPerson +cn: testuser +sn: test +uid: test +userpassword: {SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M= +mail: test@example.com +description: Person +ou: Human Resources +``` + +Which in essence creates a user with DN `cn=test,ou=people,dc=example,dc=com`, uid `test` and password `test`. + +The user can be applied after OpenLDAP is running with +```bash +ldapadd -x -h localhost -D "cn=admin,dc=example,dc=com" -f example.ldif -w 'Password1!' +``` + +## ZITADEL Configuration + +### Add custom login policy + + + +### Create new LDAP Provider + +Go to the settings of your ZITADEL instance or the organization where you like to add a new LDAP provider. +Choose the LDAP provider template. + +To get basic information on what is possible to configure, please refer to the [LDAP guide](./ldap). +To configure the LDAP template to work with the before configured OpenLDAP, please fill out the following fields: + +**Name**: OpenLDAP + +**Servers**: "ldap://localhost:389" + +**BaseDN**: "dc=example,dc=com" + +**BindDn**: "cn=admin,dc=example,dc=com" + +**BindPassword**: "Password1!" 
+ +**Userbase**: "dn" + +**User filters**: "uid" + +**User Object Classes**: "inetOrgPerson" + +**LDAP Attributes**: id attributes = "uid" + +**StartTLS**: For this example should be left untouched, if this setting is enabled after the initial connection ZITADEL tries to build a TLS connection. + +**Timeout**: Can be left empty, if this setting is set all connection run with a set timeout, if it is 0s the default timeout of 60s is used. + + + + +![LDAP Provider](/img/guides/zitadel_ldap_create_provider.png) + +### Activate IdP + + + +![Activate the LDAP Provider](/img/guides/zitadel_activate_ldap.png) + +## Test the setup + + + +![LDAP Button](/img/guides/zitadel_login_ldap.png) + +![LDAP Login](/img/guides/zitadel_login_ldap_input.png) diff --git a/docs/sidebars.js b/docs/sidebars.js index 48c2d2f257..b967f0183f 100644 --- a/docs/sidebars.js +++ b/docs/sidebars.js @@ -22,8 +22,8 @@ module.exports = { type: "category", label: "Backend", items: [ - "examples/secure-api/go", - "examples/secure-api/python-flask", + "examples/secure-api/go", + "examples/secure-api/python-flask", "examples/secure-api/dot-net" ], collapsed: true, @@ -126,14 +126,8 @@ module.exports = { { type: "category", label: "Integrate", - collapsed: true, - link: { - type: 'generated-index', - title: 'Overview', - slug: 'guides/integrate', - }, items: [ - + { type: "category", label: "Authenticate Users", @@ -150,6 +144,12 @@ module.exports = { collapsed: true, items: [ "guides/integrate/identity-providers/introduction", + "guides/integrate/identity-providers/google", + "guides/integrate/identity-providers/azure-ad", + "guides/integrate/identity-providers/github", + "guides/integrate/identity-providers/gitlab", + "guides/integrate/identity-providers/ldap", + "guides/integrate/identity-providers/openldap", "guides/integrate/identity-providers/google-oidc", "guides/integrate/identity-providers/azuread-oidc", ], 
@@ -294,8 +294,8 @@ module.exports = { title: "Auth API", slug: "/apis/auth", description: - "The authentication API (aka Auth API) is used for all operations on the currently logged in user. The user id is taken from the sub claim in the token.", - + "The authentication API (aka Auth API) is used for all operations on the currently logged in user. The user id is taken from the sub claim in the token.", + }, items: require("./docs/apis/auth/sidebar.js"), }, @@ -307,7 +307,7 @@ module.exports = { title: "Management API", slug: "/apis/mgmt", description: - "The management API is as the name states the interface where systems can mutate IAM objects like, organizations, projects, clients, users and so on if they have the necessary access rights. To identify the current organization you can send a header x-zitadel-orgid or if no header is set, the organization of the authenticated user is set.", + "The management API is as the name states the interface where systems can mutate IAM objects like, organizations, projects, clients, users and so on if they have the necessary access rights. To identify the current organization you can send a header x-zitadel-orgid or if no header is set, the organization of the authenticated user is set.", }, items: require("./docs/apis/mgmt/sidebar.js"), }, @@ -319,7 +319,7 @@ module.exports = { title: "Admin API", slug: "/apis/admin", description: - "This API is intended to configure and manage one ZITADEL instance itself.", + "This API is intended to configure and manage one ZITADEL instance itself.", }, items: require("./docs/apis/admin/sidebar.js"), }, 
@@ -331,9 +331,9 @@ module.exports = { title: "System API", slug: "/apis/system", description: - "This API is intended to manage the different ZITADEL instances within the system.\n" + - "\n" + - "Checkout the guide how to access the ZITADEL System API.", + "This API is intended to manage the different ZITADEL instances within the system.\n" + + "\n" + + "Checkout the guide how to access the ZITADEL System API.", }, items: require("./docs/apis/system/sidebar.js"), }, diff --git a/docs/static/img/guides/azure_api_permissions.png b/docs/static/img/guides/azure_api_permissions.png new file mode 100644 index 0000000000..a3826fb09b Binary files /dev/null and b/docs/static/img/guides/azure_api_permissions.png differ diff --git a/docs/static/img/guides/azure_app_registration.png b/docs/static/img/guides/azure_app_registration.png new file mode 100644 index 0000000000..578666492b Binary files /dev/null and b/docs/static/img/guides/azure_app_registration.png differ diff --git a/docs/static/img/guides/azure_client_secret.png b/docs/static/img/guides/azure_client_secret.png new file mode 100644 index 0000000000..715bdeb898 Binary files /dev/null and b/docs/static/img/guides/azure_client_secret.png differ diff --git a/docs/static/img/guides/azure_client_tenant_id.png b/docs/static/img/guides/azure_client_tenant_id.png new file mode 100644 index 0000000000..28976b2c8e Binary files /dev/null and b/docs/static/img/guides/azure_client_tenant_id.png differ diff --git a/docs/static/img/guides/azure_token_configuration.png b/docs/static/img/guides/azure_token_configuration.png new file mode 100644 index 0000000000..9b20ea619e Binary files /dev/null and b/docs/static/img/guides/azure_token_configuration.png differ diff --git a/docs/static/img/guides/github_login.png b/docs/static/img/guides/github_login.png new file mode 100644 index 0000000000..e71d0e30e1 Binary files /dev/null and b/docs/static/img/guides/github_login.png differ 
diff --git a/docs/static/img/guides/github_oauth_app_registration.png b/docs/static/img/guides/github_oauth_app_registration.png new file mode 100644 index 0000000000..4350ea5e2a Binary files /dev/null and b/docs/static/img/guides/github_oauth_app_registration.png differ diff --git a/docs/static/img/guides/github_oauth_client_id_secret.png b/docs/static/img/guides/github_oauth_client_id_secret.png new file mode 100644 index 0000000000..79ab4e849e Binary files /dev/null and b/docs/static/img/guides/github_oauth_client_id_secret.png differ diff --git a/docs/static/img/guides/gitlab_app_id_secret.png b/docs/static/img/guides/gitlab_app_id_secret.png new file mode 100644 index 0000000000..c5495e1027 Binary files /dev/null and b/docs/static/img/guides/gitlab_app_id_secret.png differ diff --git a/docs/static/img/guides/gitlab_app_registration.png b/docs/static/img/guides/gitlab_app_registration.png new file mode 100644 index 0000000000..3cec036e71 Binary files /dev/null and b/docs/static/img/guides/gitlab_app_registration.png differ diff --git a/docs/static/img/guides/gitlab_login.png b/docs/static/img/guides/gitlab_login.png new file mode 100644 index 0000000000..9589abf322 Binary files /dev/null and b/docs/static/img/guides/gitlab_login.png differ diff --git a/docs/static/img/guides/google_client_id_secret.png b/docs/static/img/guides/google_client_id_secret.png new file mode 100644 index 0000000000..6a6917271e Binary files /dev/null and b/docs/static/img/guides/google_client_id_secret.png differ diff --git a/docs/static/img/guides/google_login.png b/docs/static/img/guides/google_login.png new file mode 100644 index 0000000000..769b34edf0 Binary files /dev/null and b/docs/static/img/guides/google_login.png differ 
diff --git a/docs/static/img/guides/google_oauth_app_registration.png b/docs/static/img/guides/google_oauth_app_registration.png new file mode 100644 index 0000000000..1008388ba9 Binary files /dev/null and b/docs/static/img/guides/google_oauth_app_registration.png differ diff --git a/docs/static/img/guides/microsoft_login.png b/docs/static/img/guides/microsoft_login.png new file mode 100644 index 0000000000..8c3347f4db Binary files /dev/null and b/docs/static/img/guides/microsoft_login.png differ diff --git a/docs/static/img/guides/zitadel_activate_azure.png b/docs/static/img/guides/zitadel_activate_azure.png new file mode 100644 index 0000000000..226b615748 Binary files /dev/null and b/docs/static/img/guides/zitadel_activate_azure.png differ diff --git a/docs/static/img/guides/zitadel_activate_github.png b/docs/static/img/guides/zitadel_activate_github.png new file mode 100644 index 0000000000..c490766f63 Binary files /dev/null and b/docs/static/img/guides/zitadel_activate_github.png differ diff --git a/docs/static/img/guides/zitadel_activate_gitlab.png b/docs/static/img/guides/zitadel_activate_gitlab.png new file mode 100644 index 0000000000..2d15dca4ac Binary files /dev/null and b/docs/static/img/guides/zitadel_activate_gitlab.png differ diff --git a/docs/static/img/guides/zitadel_activate_google.png b/docs/static/img/guides/zitadel_activate_google.png new file mode 100644 index 0000000000..cd0a69d305 Binary files /dev/null and b/docs/static/img/guides/zitadel_activate_google.png differ diff --git a/docs/static/img/guides/zitadel_activate_ldap.png b/docs/static/img/guides/zitadel_activate_ldap.png new file mode 100644 index 0000000000..98c3499737 Binary files /dev/null and b/docs/static/img/guides/zitadel_activate_ldap.png differ 
diff --git a/docs/static/img/guides/zitadel_allow_external_idp.png b/docs/static/img/guides/zitadel_allow_external_idp.png new file mode 100644 index 0000000000..22ec28dad7 Binary files /dev/null and b/docs/static/img/guides/zitadel_allow_external_idp.png differ diff --git a/docs/static/img/guides/zitadel_azure_provider.png b/docs/static/img/guides/zitadel_azure_provider.png new file mode 100644 index 0000000000..371148b6a7 Binary files /dev/null and b/docs/static/img/guides/zitadel_azure_provider.png differ diff --git a/docs/static/img/guides/zitadel_github_create_provider.png b/docs/static/img/guides/zitadel_github_create_provider.png new file mode 100644 index 0000000000..84431c609a Binary files /dev/null and b/docs/static/img/guides/zitadel_github_create_provider.png differ diff --git a/docs/static/img/guides/zitadel_gitlab_create_provider.png b/docs/static/img/guides/zitadel_gitlab_create_provider.png new file mode 100644 index 0000000000..20650e4174 Binary files /dev/null and b/docs/static/img/guides/zitadel_gitlab_create_provider.png differ diff --git a/docs/static/img/guides/zitadel_google_create_provider.png b/docs/static/img/guides/zitadel_google_create_provider.png new file mode 100644 index 0000000000..d6ec6a9d34 Binary files /dev/null and b/docs/static/img/guides/zitadel_google_create_provider.png differ diff --git a/docs/static/img/guides/zitadel_identity_provider_overview.png b/docs/static/img/guides/zitadel_identity_provider_overview.png new file mode 100644 index 0000000000..055917aee4 Binary files /dev/null and b/docs/static/img/guides/zitadel_identity_provider_overview.png differ diff --git a/docs/static/img/guides/zitadel_ldap_create_provider.png b/docs/static/img/guides/zitadel_ldap_create_provider.png new file mode 100644 index 0000000000..4286d93ad2 Binary files /dev/null and b/docs/static/img/guides/zitadel_ldap_create_provider.png differ 
diff --git a/docs/static/img/guides/zitadel_login_azure.png b/docs/static/img/guides/zitadel_login_azure.png new file mode 100644 index 0000000000..32b6ba45e1 Binary files /dev/null and b/docs/static/img/guides/zitadel_login_azure.png differ diff --git a/docs/static/img/guides/zitadel_login_external_not_found_registration.png b/docs/static/img/guides/zitadel_login_external_not_found_registration.png new file mode 100644 index 0000000000..41f95e7916 Binary files /dev/null and b/docs/static/img/guides/zitadel_login_external_not_found_registration.png differ diff --git a/docs/static/img/guides/zitadel_login_github.png b/docs/static/img/guides/zitadel_login_github.png new file mode 100644 index 0000000000..efd79e28a8 Binary files /dev/null and b/docs/static/img/guides/zitadel_login_github.png differ diff --git a/docs/static/img/guides/zitadel_login_gitlab.png b/docs/static/img/guides/zitadel_login_gitlab.png new file mode 100644 index 0000000000..d4daedb11e Binary files /dev/null and b/docs/static/img/guides/zitadel_login_gitlab.png differ diff --git a/docs/static/img/guides/zitadel_login_google.png b/docs/static/img/guides/zitadel_login_google.png new file mode 100644 index 0000000000..7890809102 Binary files /dev/null and b/docs/static/img/guides/zitadel_login_google.png differ diff --git a/docs/static/img/guides/zitadel_login_ldap.png b/docs/static/img/guides/zitadel_login_ldap.png new file mode 100644 index 0000000000..751b5de25d Binary files /dev/null and b/docs/static/img/guides/zitadel_login_ldap.png differ diff --git a/docs/static/img/guides/zitadel_login_ldap_input.png b/docs/static/img/guides/zitadel_login_ldap_input.png new file mode 100644 index 0000000000..e176fbe6db Binary files /dev/null and b/docs/static/img/guides/zitadel_login_ldap_input.png differ diff --git a/proto/zitadel/admin.proto b/proto/zitadel/admin.proto index 5bcc5284ad..da7ccb4e48 100644 --- a/proto/zitadel/admin.proto +++ b/proto/zitadel/admin.proto 
@@ -877,8 +877,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Get Identity Provider (IDP) by ID"; - description: "Returns an identity provider (social/enterprise login) by its ID e.g Google, AzureAD, etc." + summary: "Deprecated: Get Identity Provider (IDP) by ID"; + description: "Returns an identity provider (social/enterprise login) by its ID e.g Google, AzureAD, etc."; + deprecated: true; responses: { key: "200"; value: { @@ -911,8 +912,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Search Identity Providers (IDP)"; - description: "Returns a list of identity providers (social/enterprise login) configured on an instance level. e.g Google, AzureAD, etc." + summary: "Deprecated: Search Identity Providers (IDP)"; + description: "Returns a list of identity providers (social/enterprise login) configured on an instance level. e.g Google, AzureAD, etc."; + deprecated: true; responses: { key: "200"; value: { @@ -945,8 +947,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Add OIDC Identity Provider (IDP)"; - description: "Create a new identity provider configuration to enable your users to log in with social/enterprise login. The provider has to be OIDC compliant." + summary: "Deprecated: Add OIDC Identity Provider (IDP)"; + description: "Create a new identity provider configuration to enable your users to log in with social/enterprise login. The provider has to be OIDC compliant."; + deprecated: true; responses: { key: "200"; value: { 
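Review bot: The three operations marked deprecated here ("Get Identity Provider (IDP) by ID", "Search Identity Providers (IDP)", "Add OIDC Identity Provider (IDP)") get `deprecated: true` and a "Deprecated:" summary, but their descriptions do not say what to call instead, so consumers of the generated OpenAPI spec are told to migrate with no target. Later hunks in this same file add documented successors (summaries "List Identity Providers", "Get Identity Provider By ID", "Add Generic OIDC Identity Provider"), so each description could end with a pointer, e.g. `description: "Returns an identity provider (social/enterprise login) by its ID e.g Google, AzureAD, etc. Deprecated: use GetProviderByID instead.";` — the exact successor rpc name should be checked against the service definition, which starts before and ends after each of these hunks.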
@@ -979,8 +982,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Add JWT Identity Provider (IDP)"; - description: "Create a new identity provider configuration to enable your users to log in with social/enterprise login. JSON Web Token Identity Provider (JWT IDP) gives you the possibility to use an (existing) JWT as a federated identity. You have to provide an endpoint where ZITADEL can get the existing JWT token." + summary: "Deprecated: Add JWT Identity Provider (IDP)"; + description: "Create a new identity provider configuration to enable your users to log in with social/enterprise login. JSON Web Token Identity Provider (JWT IDP) gives you the possibility to use an (existing) JWT as a federated identity. You have to provide an endpoint where ZITADEL can get the existing JWT token."; + deprecated: true; responses: { key: "200"; value: { @@ -1013,8 +1017,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Update Identity Provider (IDP)"; - description: "Update an existing IDP. All fields are updated. If you do not send a value in a field, it will be empty afterward." + summary: "Deprecated: Update Identity Provider (IDP)"; + description: "Update an existing IDP. All fields are updated. If you do not send a value in a field, it will be empty afterward."; + deprecated: true; responses: { key: "200"; value: { 
@@ -1046,8 +1051,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Deactivate Identity Provider (IDP)"; - description: "Sets the state of the provider to inactive. It can only be called for the provider with the state active. Users will not be able to log in with the given provider afterward. It might cause troubles if it is the only authentication method of the user." + summary: "Deprecated: Deactivate Identity Provider (IDP)"; + description: "Sets the state of the provider to inactive. It can only be called for the provider with the state active. Users will not be able to log in with the given provider afterward. It might cause troubles if it is the only authentication method of the user."; + deprecated: true; responses: { key: "200"; value: { @@ -1079,8 +1085,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Reactivate Identity Provider (IDP)"; - description: "Sets the state of the provider to active. It can only be called for providers with the state inactive. Users will not be able to log in again with the given provider." + summary: "Deprecated: Reactivate Identity Provider (IDP)"; + description: "Sets the state of the provider to active. It can only be called for providers with the state inactive. Users will not be able to log in again with the given provider."; + deprecated: true; responses: { key: "200"; value: { 
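Review bot: The re-emitted description of the reactivate operation still says `Users will not be able to log in again with the given provider.`, which contradicts the preceding sentence (the state is set to active) and looks copied from the deactivate wording directly above it. Since this string is the text that lands in the generated OpenAPI documentation, the new line should read `description: "Sets the state of the provider to active. It can only be called for providers with the state inactive. Users will be able to log in again with the given provider.";`. The rpc definitions these options belong to begin before and end after the hunks.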
@@ -1112,8 +1119,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Remove Identity Provider (IDP)"; - description: "Removes the identity provider permanently. All links to the given IDP on users will be deleted as well. They will not be able to log in with the provider afterward. If it is their only authentication possibility it might cause problems." + summary: "Deprecated: Remove Identity Provider (IDP)"; + description: "Removes the identity provider permanently. All links to the given IDP on users will be deleted as well. They will not be able to log in with the provider afterward. If it is their only authentication possibility it might cause problems."; + deprecated: true; responses: { key: "200"; value: { @@ -1146,8 +1154,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Update OIDC Identity Provider (IDP)"; - description: "Update the OIDC-specific configuration of an identity provider. All fields will be updated. If a field has no value it will be empty afterward." + summary: "Deprecated: Update OIDC Identity Provider (IDP)"; + description: "Update the OIDC-specific configuration of an identity provider. All fields will be updated. If a field has no value it will be empty afterward."; + deprecated: true; responses: { key: "200"; value: { 
@@ -1191,8 +1200,9 @@ service AdminService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Update JWT Identity Provider (IDP)"; - description: "Update the JWT-specific configuration of an identity provider. All fields will be updated. If a field has no value it will be empty afterward." + summary: "Deprecated: Update JWT Identity Provider (IDP)"; + description: "Update the JWT-specific configuration of an identity provider. All fields will be updated. If a field has no value it will be empty afterward."; + deprecated: true; responses: { key: "200"; value: { @@ -1235,6 +1245,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "org.idp.read" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "List Identity Providers"; + description: "Returns a list of identity providers (social/enterprise login) configured on an instance level. e.g Google, AzureAD, etc."; + }; } // Returns an identity provider of the instance @@ -1246,6 +1262,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "org.idp.read" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Get Identity Provider By ID"; + description: ""; + }; } // Add a new OAuth2 identity provider on the instance @@ -1258,6 +1280,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add Generic OAuth Identity Provider"; + description: ""; + }; } // Change an existing OAuth2 identity provider on the instance 
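Review bot: The two new instance-level read operations ("List Identity Providers", "Get Identity Provider By ID") are guarded by `permission: "org.idp.read"`, while the provider-writing rpcs in the following hunks use the `iam.*` prefix (`iam.idp.write`); if the `org.` scope is not intentional, an organization-level IDP reader can enumerate instance-wide providers through AdminService. Where instance scope is meant, the line would become `permission: "iam.idp.read"`, but this should be confirmed against the role-to-permission mapping rather than assumed from the naming. Those permission lines are context lines, not introduced by this change. Separately, the added operation options carry `description: "";`, so the generated docs show nothing beyond the summary; the leading comment (`// Returns an identity provider of the instance`) could simply be reused as the description text.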
@@ -1270,6 +1298,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update Generic OAuth Identity Provider"; + description: ""; + }; } // Add a new OIDC identity provider on the instance @@ -1282,6 +1316,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add Generic OIDC Identity Provider"; + description: ""; + }; } // Change an existing OIDC identity provider on the instance @@ -1294,6 +1334,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update Generic OIDC Identity Provider"; + description: ""; + }; } // Add a new JWT identity provider on the instance @@ -1306,6 +1352,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add JWT Identity Provider"; + description: ""; + }; } // Change an existing JWT identity provider on the instance @@ -1318,6 +1370,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update JWT Identity Provider"; + description: ""; + }; } // Add a new Azure AD identity provider on the instance 
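Review bot: Every openapiv2_operation option added in these hunks ships with `description: "";`, which renders as an empty description in the generated spec and is the one place API consumers look for behaviour beyond the summary. The `//` comments directly above each rpc already state the intent and could be promoted, e.g. for the OIDC add rpc `description: "Add a new OIDC identity provider on the instance so that users can log in with it.";` and for the update rpcs a note that all fields are replaced, if that matches the command behaviour (the "Update ..." descriptions of the deprecated v1 endpoints earlier in this file say so, but it should be verified for the new ones). The rpc bodies start before each hunk.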
@@ -1330,6 +1388,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add AzureAD Identity Provider"; + description: ""; + }; } // Change an existing Azure AD identity provider on the instance @@ -1342,6 +1406,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update AzureAD Identity Provider"; + description: ""; + }; } // Add a new GitHub identity provider on the instance @@ -1354,6 +1424,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add GitHub Identity Provider"; + description: ""; + }; } // Change an existing GitHub identity provider on the instance @@ -1366,6 +1442,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update GitHub Identity Provider"; + description: ""; + }; } // Add a new GitHub Enterprise Server identity provider on the instance @@ -1378,6 +1460,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add GitHub Enterprise Identity Provider"; + description: ""; + }; } // Change an existing GitHub Enterprise Server identity provider on the instance 
@@ -1390,6 +1478,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update GitHub Enterprise Identity Provider"; + description: ""; + }; } // Add a new GitLab identity provider on the instance @@ -1402,6 +1496,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add GitLab Identity Provider"; + description: ""; + }; } // Change an existing GitLab identity provider on the instance @@ -1414,6 +1514,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update GitLab Identity Provider"; + description: ""; + }; } // Add a new self hosted GitLab identity provider on the instance @@ -1426,6 +1532,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add GitLab Selfhost Identity Provider"; + description: ""; + }; } // Change an existing self hosted GitLab identity provider on the instance @@ -1438,6 +1550,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update GitLab Selfhost Identity Provider"; + description: ""; + }; } // Add a new Google identity provider on the instance 
@@ -1450,6 +1568,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add Google Identity Provider"; + description: ""; + }; } // Change an existing Google identity provider on the instance @@ -1462,6 +1586,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "iam.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update Google Identity Provider"; + description: ""; + }; } // Add a new LDAP identity provider on the instance @@ -1474,6 +1604,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add LDAP Identity Provider"; + description: ""; + }; } // Change an existing LDAP identity provider on the instance @@ -1486,6 +1622,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update LDAP Identity Provider"; + description: ""; + }; } // Remove an identity provider @@ -1498,6 +1640,12 @@ service AdminService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Delete Identity Provider"; + description: ""; + }; } rpc GetOrgIAMPolicy(GetOrgIAMPolicyRequest) returns (GetOrgIAMPolicyResponse) { 
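Review bot: The LDAP add and update rpcs and the "Delete Identity Provider" rpc in this line are checked against `permission: "org.idp.write"`, whereas the Google add/update rpcs right above them, and all other provider rpcs in this service, use `permission: "iam.idp.write"`. All of them live in AdminService and act on instance-level providers, so unless the difference is deliberate, a holder of an organization-scoped IDP permission could create, change or remove instance-wide providers; the fix would be `permission: "iam.idp.write"` on those three rpcs, after confirming the role mapping. These permission lines are context, not part of the diff, and each rpc begins before its hunk.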
@@ -4456,15 +4604,62 @@ message GetProviderByIDResponse { } message AddGenericOAuthProviderRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string authorization_endpoint = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string token_endpoint = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string user_endpoint = 6 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 7 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"My Provider\""; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id generated by the identity provider"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-secret\""; + description: "Client secret generated by the identity provider"; + } + ]; + string authorization_endpoint = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/o/oauth2/v2/auth\""; + description: "The endpoint where ZITADEL send the user to authenticate"; + } + ]; + string token_endpoint = 5 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://oauth2.googleapis.com/token\""; + description: "The endpoint where ZITADEL can get the token"; + } + ]; + string 
user_endpoint = 6 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://openidconnect.googleapis.com/v1/userinfo\""; + description: "The endpoint where ZITADEL can get the user information"; + } + ]; + repeated string scopes = 7 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request on the identity provider"; + } + ]; // identifying attribute of the user in the response of the user_endpoint - string id_attribute = 8 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string id_attribute = 8 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"user_id\""; + description: "Identifying attribute of the user in the response of the user_endpoint"; + } + ]; zitadel.idp.v1.Options provider_options = 9; } 
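Review bot: `authorization_endpoint`, `token_endpoint` and `user_endpoint` in AddGenericOAuthProviderRequest are only length-checked (`{min_len: 1, max_len: 200}`), so any 1–200 byte string is accepted for the URLs ZITADEL will later redirect users to and exchange codes against. If the protoc-gen-validate version in use supports it, and the command layer does not already validate the scheme, the rules could become `(validate.rules).string = {min_len: 1, max_len: 200, uri: true}` on all three fields so malformed values are rejected at the API boundary. The new descriptions also have a grammar slip, `The endpoint where ZITADEL send the user to authenticate` should read `sends`. The message definition is complete within this hunk.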
@@ -4475,16 +4670,63 @@ message AddGenericOAuthProviderResponse { message UpdateGenericOAuthProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"My Provider\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by the identity provider"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; - string authorization_endpoint = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string token_endpoint = 6 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string user_endpoint = 7 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 8 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-secret\""; + description: "Client secret will only be updated if provided"; + } + ]; + string authorization_endpoint = 5 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/o/oauth2/v2/auth\""; + description: "The endpoint where ZITADEL send the user to authenticate"; + } + ]; + string token_endpoint = 6 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: 
"\"https://oauth2.googleapis.com/token\""; + description: "The endpoint where ZITADEL can get the token"; + } + ]; + string user_endpoint = 7 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://openidconnect.googleapis.com/v1/userinfo\""; + description: "The endpoint where ZITADEL can get the user information"; + } + ]; + repeated string scopes = 8 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request on the identity provider"; + } + ]; // identifying attribute of the user in the response of the user_endpoint - string id_attribute = 9 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string id_attribute = 9 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"user_id\""; + description: "Identifying attribute of the user in the response of the user_endpoint"; + } + ]; zitadel.idp.v1.Options provider_options = 10; } 
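Review bot: `string id = 1` in UpdateGenericOAuthProviderRequest keeps only its validation rule while every other field in the message gains an openapiv2_field example, and the parallel UpdateGenericOIDCProviderRequest further down gives its `id` an example (`"\"69629023906488334\""`); for consistent generated docs this field should carry the same example annotation, formatted like the other fields in the message. The copied descriptions repeat the grammar slip `The endpoint where ZITADEL send the user to authenticate` (should be `sends`). The whole message is visible in this hunk.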
@@ -4493,11 +4735,40 @@ message UpdateGenericOAuthProviderResponse { } message AddGenericOIDCProviderRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Google\""; + } + ]; + string issuer = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/\""; + description: "the OIDC issuer of the identity provider"; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id generated by the identity provider"; + } + ]; + string client_secret = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "secret generated by the identity provider" + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "the scopes requested by ZITADEL during the request on the identity provider"; + } + ]; zitadel.idp.v1.Options provider_options = 6; bool is_id_token_mapping = 7; } 
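Review bot: The `issuer` example `"\"https://accounts.google.com/\""` carries a trailing slash, whereas Google's discovery document advertises its issuer as `https://accounts.google.com`; if discovery compares the configured issuer strictly against the advertised one, an operator copying this example gets a provider that fails discovery. I would change the example to `example: "\"https://accounts.google.com\"";` and extend the description to "the OIDC issuer of the identity provider; must match the `issuer` value of its discovery document exactly". The same example is repeated on UpdateGenericOIDCProviderRequest in the next hunk and on GenericOIDCConfig in idp.proto, so all three should be aligned.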
@@ -4508,13 +4779,47 @@ message AddGenericOIDCProviderResponse { } message UpdateGenericOIDCProviderRequest { - string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string issuer = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string id = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"69629023906488334\""; + } + ]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Google\""; + } + ]; + string issuer = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/\""; + description: "the OIDC issuer of the identity provider"; + } + ]; + string client_id = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id generated by the identity provider"; + } + ]; // client_secret will only be updated if provided - string client_secret = 5 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 6 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 5 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "client secret will only be updated if provided"; + } + ]; + repeated string scopes = 6 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + 
description: "the scopes requested by ZITADEL during the request on the identity provider"; + } + ]; zitadel.idp.v1.Options provider_options = 7; bool is_id_token_mapping = 8; } @@ -4524,7 +4829,12 @@ message UpdateGenericOIDCProviderResponse { } message AddJWTProviderRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"My Provider\""; + } + ]; string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string jwt_endpoint = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string keys_endpoint = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; @@ -4539,7 +4849,12 @@ message AddJWTProviderResponse { message UpdateJWTProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"My Provider\""; + } + ]; string issuer = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string jwt_endpoint = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; string keys_endpoint = 5 [(validate.rules).string = {max_len: 200}]; 
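Review bot: In AddJWTProviderRequest only `name` gains an OpenAPI description, while `issuer`, `jwt_endpoint` and `keys_endpoint` — the fields that decide which tokens are accepted and where their signing keys come from — remain undocumented, unlike the endpoint fields of the generic OAuth messages in this PR. I would add a description to each stating what ZITADEL does with the value (for `keys_endpoint`, presumably the JWKS URL the token signature is verified against — please confirm before wording it) and consider `(validate.rules).string = {min_len: 1, max_len: 200, uri: true}` on the two endpoint fields, since a key-fetch URL that is merely a non-empty string is a weak contract. The same applies to UpdateJWTProviderRequest, whose `keys_endpoint` rule additionally has no `min_len` (pre-existing, but worth noting while documenting it).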
@@ -4552,13 +4867,44 @@ message UpdateJWTProviderResponse { } message AddAzureADProviderRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Azure AD\""; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id generated by the Azure AD"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "client secret generated by the Azure AD"; + } + ]; // if not provided the `common` tenant will be used - zitadel.idp.v1.AzureADTenant tenant = 4; - bool email_verified = 5; - repeated string scopes = 6 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + zitadel.idp.v1.AzureADTenant tenant = 4 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Defines what kind of accounts are allowed to authenticate (Personal, Organizational, All). If not provided the `common` tenant will be used (All accounts)"; + } + ]; + bool email_verified = 5 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Azure AD doesn't send if the email has been verified. 
Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)"; + } + ]; + repeated string scopes = 6 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\", \"User.Read\"]"; + description: "the scopes requested by ZITADEL during the request to Azure AD"; + } + ]; zitadel.idp.v1.Options provider_options = 7; } 
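Review bot: The `email_verified` description tells the operator what the flag does but not what it trusts: with it enabled, the email attribute delivered by Azure AD is stored as verified without any check on ZITADEL's side, and the `tenant` description just above says the default `common` tenant admits "All accounts", i.e. users from any Azure AD tenant, whose administrators generally control the email attribute of their users. A practitioner needs that caveat next to the flag. I would extend the description to: "Azure AD doesn't send if the email has been verified. Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent). Only enable it if you trust the email attribute of every tenant allowed by `tenant`; with the `common` tenant, any Azure AD tenant can authenticate and its administrators control their users' email attribute." The same text is repeated on UpdateAzureADProviderRequest and AzureADConfig.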
@@ -4569,14 +4915,45 @@ message AddAzureADProviderResponse { message UpdateAzureADProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Azure AD\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by the Azure AD"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client_secret will only be updated if provided"; + } + ]; // if not provided the `common` tenant will be used - zitadel.idp.v1.AzureADTenant tenant = 5; - bool email_verified = 6; - repeated string scopes = 7 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + zitadel.idp.v1.AzureADTenant tenant = 5 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Defines what kind of accounts are allowed to authenticate (Personal, Organizational, All). If not provided the `common` tenant will be used (All accounts)"; + } + ]; + bool email_verified = 6 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Azure AD doesn't send if the email has been verified. 
Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)"; + } + ]; + repeated string scopes = 7 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\", \"User.Read\"]"; + description: "the scopes requested by ZITADEL during the request to Azure AD"; + } + ]; zitadel.idp.v1.Options provider_options = 8; } 
@@ -4586,10 +4963,34 @@ message UpdateAzureADProviderResponse { message AddGitHubProviderRequest { // GitHub will be used as default, if no name is provided - string name = 1 [(validate.rules).string = {max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 4 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitHub\""; + description: "GitHub will be used as default, if no name is provided"; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitHub"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by the GitHub"; + } + ]; + repeated string scopes = 4 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitHub"; + } + ]; zitadel.idp.v1.Options provider_options = 5; } 
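Review bot: The `scopes` example `["openid", "profile", "email"]` is not valid for GitHub: GitHub's OAuth authorization is not OIDC and its scope names are of the form `read:user` / `user:email`, so an operator copying the example requests scopes GitHub does not know. I would use a GitHub scope in the example, e.g. `example: "[\"user:email\"]";`, and have the description say these are GitHub OAuth scopes rather than OIDC scopes. The same example is repeated for UpdateGitHubProviderRequest, both GitHub Enterprise Server messages and GitHubConfig/GitHubEnterpriseServerConfig in idp.proto, while the GitLab examples are fine since GitLab does support the OIDC scopes.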
@@ -4600,11 +5001,34 @@ message AddGitHubProviderResponse { message UpdateGitHubProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitHub\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitHub"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client_secret will only be updated if provided"; + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitHub"; + } + ]; zitadel.idp.v1.Options provider_options = 6; } 
@@ -4613,13 +5037,36 @@ message UpdateGitHubProviderResponse { } message AddGitHubEnterpriseServerProviderRequest { - string client_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string client_id = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitHub"; + } + ]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitHub\""; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by GitHub"; + } + ]; string authorization_endpoint = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; string token_endpoint = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; string user_endpoint = 6 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 7 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + repeated string scopes = 7 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitHub"; + } + ]; zitadel.idp.v1.Options provider_options = 8; } 
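Review bot: `authorization_endpoint`, `token_endpoint` and `user_endpoint` of AddGitHubEnterpriseServerProviderRequest are still validated only as `{min_len: 1, max_len: 200}` and receive no description or example in this hunk, although `token_endpoint` and `user_endpoint` are URLs ZITADEL itself presumably calls server-side once the provider is used (the generic OAuth descriptions in this PR say as much). A non-empty string is a weak contract for an outbound URL; protoc-gen-validate can at least require a well-formed absolute URI, e.g. `(validate.rules).string = {min_len: 1, max_len: 200, uri: true},` (a `prefix: "https://"` rule would be stricter still). Giving the three fields the same descriptions as in the generic OAuth messages would also make the GHES documentation consistent; the same gap exists in UpdateGitHubEnterpriseServerProviderRequest and in the generic OAuth messages earlier in this file.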
@@ -4630,14 +5077,37 @@ message AddGitHubEnterpriseServerProviderResponse { message UpdateGitHubEnterpriseServerProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitHub\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitHub"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret will only be updated if provided"; + } + ]; string authorization_endpoint = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; string token_endpoint = 6 [(validate.rules).string = {min_len: 1, max_len: 200}]; string user_endpoint = 7 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 8 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + repeated string scopes = 8 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitHub"; + } + ]; zitadel.idp.v1.Options provider_options = 9; } 
@@ -4647,10 +5117,34 @@ message UpdateGitHubEnterpriseServerProviderResponse { message AddGitLabProviderRequest { // GitLab will be used as default, if no name is provided - string name = 1 [(validate.rules).string = {max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 4 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitLab\""; + description: "GitLab will be used as default, if no name is provided"; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitLab"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by GitLab"; + } + ]; + repeated string scopes = 4 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitLab"; + } + ]; zitadel.idp.v1.Options provider_options = 5; } 
@@ -4661,11 +5155,35 @@ message AddGitLabProviderResponse { message UpdateGitLabProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitLab\""; + description: "GitLab will be used as default, if no name is provided"; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitLab"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret will only be updated if provided"; + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitLab"; + } + ]; zitadel.idp.v1.Options provider_options = 6; } 
@@ -4675,10 +5193,33 @@ message UpdateGitLabProviderResponse { message AddGitLabSelfHostedProviderRequest { string issuer = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitLab\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitLab"; + } + ]; + string client_secret = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by GitLab"; + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitLab"; + } + ]; zitadel.idp.v1.Options provider_options = 6; } 
@@ -4690,11 +5231,34 @@ message AddGitLabSelfHostedProviderResponse { message UpdateGitLabSelfHostedProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitLab\""; + } + ]; + string client_id = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitLab"; + } + ]; // client_secret will only be updated if provided - string client_secret = 5 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 6 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 5 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret will only be updated if provided"; + } + ]; + repeated string scopes = 6 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitLab"; + } + ]; zitadel.idp.v1.Options provider_options = 7; } 
@@ -4704,10 +5268,34 @@ message UpdateGitLabSelfHostedProviderResponse { message AddGoogleProviderRequest { // Google will be used as default, if no name is provided - string name = 1 [(validate.rules).string = {max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 4 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Google\""; + description: "Google will be used as default, if no name is provided"; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by Google"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by Google"; + } + ]; + repeated string scopes = 4 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to Google"; + } + ]; zitadel.idp.v1.Options provider_options = 5; } 
@@ -4718,11 +5306,34 @@ message AddGoogleProviderResponse { message UpdateGoogleProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Google\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by Google"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret will only be updated if provided"; + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to Google"; + } + ]; zitadel.idp.v1.Options provider_options = 6; } diff --git a/proto/zitadel/idp.proto b/proto/zitadel/idp.proto index fb9c154391..645642f30c 100644 --- a/proto/zitadel/idp.proto +++ b/proto/zitadel/idp.proto 
@@ -237,10 +237,18 @@ enum IDPFieldName { } message Provider { - string id = 1; + string id = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"69629023906488334\""; + } + ]; zitadel.v1.ObjectDetails details = 2; IDPState state = 3; - string name = 4; + string name = 4 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Google\""; + } + ]; IDPOwnerType owner = 5; ProviderType type = 6; ProviderConfig config = 7; 
@@ -277,48 +285,143 @@ message ProviderConfig { } message OAuthConfig { - string client_id = 1; - string authorization_endpoint = 2; - string token_endpoint = 3; - string user_endpoint = 4; - repeated string scopes = 5; - string id_attribute = 6; + string client_id = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id generated by the identity provider"; + } + ]; + string authorization_endpoint = 2 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/o/oauth2/v2/auth\""; + description: "the endpoint where ZITADEL send the user to authenticate"; + } + ]; + string token_endpoint = 3 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://oauth2.googleapis.com/token\""; + description: "the endpoint where ZITADEL can get the token"; + } + ]; + string user_endpoint = 4 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://openidconnect.googleapis.com/v1/userinfo\""; + description: "the endpoint where ZITADEL can get the user information"; + } + ]; + repeated string scopes = 5 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "the scopes requested by ZITADEL during the request on the identity provider"; + } + ]; + string id_attribute = 6 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"user_id\""; + description: "defines how the attribute is called where ZITADEL can get the id of the user"; + } + ]; } message GenericOIDCConfig { - string issuer = 1; - string client_id = 2; - repeated string scopes = 3; + string issuer = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/\""; + description: "the OIDC issuer of the identity provider"; + } + ]; + string client_id = 2 [ + 
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id generated by the identity provider"; + } + ]; + repeated string scopes = 3 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "the scopes requested by ZITADEL during the request on the identity provider"; + } + ]; bool is_id_token_mapping = 4; } message GitHubConfig { - string client_id = 1; - repeated string scopes = 2; + string client_id = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "the client ID of the GitHub App"; + } + ]; + repeated string scopes = 2 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "the scopes requested by ZITADEL during the request to GitHub"; + } + ]; } message GitHubEnterpriseServerConfig { - string client_id = 1; + string client_id = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "the client ID of the GitHub App"; + } + ]; string authorization_endpoint = 2; string token_endpoint = 3; string user_endpoint = 4; - repeated string scopes = 5; + repeated string scopes = 5 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "the scopes requested by ZITADEL during the request to GitHub"; + } + ]; } message GoogleConfig { - string client_id = 1; - repeated string scopes = 2; + string client_id = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id of the Google application"; + } + ]; + repeated string scopes = 2 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "the scopes requested by ZITADEL during 
the request to Google"; + } + ]; } message GitLabConfig { - string client_id = 1; - repeated string scopes = 2; + string client_id = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id of the GitLab application"; + } + ]; + repeated string scopes = 2 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "the scopes requested by ZITADEL during the request to GitLab"; + } + ]; } message GitLabSelfHostedConfig { string issuer = 1; - string client_id = 2; - repeated string scopes = 3; + string client_id = 2 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id of the GitLab application"; + } + ]; + repeated string scopes = 3 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "the scopes requested by ZITADEL during the request to GitLab"; + } + ]; } message LDAPConfig { 
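Review bot: The documentation in this hunk is uneven: OAuthConfig gets descriptions for all three endpoints and for `id_attribute`, while the structurally identical `authorization_endpoint`/`token_endpoint`/`user_endpoint` of GitHubEnterpriseServerConfig and the `issuer` of GitLabSelfHostedConfig stay bare, which will show up as undocumented properties in the generated OpenAPI next to documented ones. I would copy the OAuthConfig endpoint descriptions onto GitHubEnterpriseServerConfig and give GitLabSelfHostedConfig.issuer the same text as GenericOIDCConfig.issuer, `description: "the OIDC issuer of the GitLab instance";`. Also note that `id_attribute` is described as "defines how the attribute is called where ZITADEL can get the id of the user" here but as "identifying attribute of the user in the response of the user_endpoint" on the request messages; one wording should be used for both.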
@@ -334,17 +437,51 @@ message LDAPConfig { } message AzureADConfig { - string client_id = 1; - AzureADTenant tenant = 2; - bool email_verified = 3; - repeated string scopes = 4; + string client_id = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id of the Azure AD application"; + } + ]; + AzureADTenant tenant = 2 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Defines what user accounts should be able to login (Personal, Organizational, All)"; + } + ]; + bool email_verified = 3 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Azure AD doesn't send if the email has been verified. Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)"; + } + ]; + repeated string scopes = 4 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\", \"User.Read\"]"; + description: "the scopes requested by ZITADEL during the request to Azure AD"; + } + ]; } message Options { - bool is_linking_allowed = 1; - bool is_creation_allowed = 2; - bool is_auto_creation = 3; - bool is_auto_update = 4; + bool is_linking_allowed = 1 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Enable if users should be able to link an existing ZITADEL user with an external account."; + } + ]; + bool is_creation_allowed = 2 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Enable if users should be able to create a new account in ZITADEL when using an external account."; + } + ]; + bool is_auto_creation = 3 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Enable if a new account in ZITADEL should be created automatically when login with an external account."; + } + ]; + bool is_auto_update = 4 [ + 
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Enable if a the ZITADEL account fields should be updated automatically on each login."; + } + ]; } message LDAPAttributes { diff --git a/proto/zitadel/management.proto b/proto/zitadel/management.proto index e410d839ae..1c92cffd83 100644 --- a/proto/zitadel/management.proto +++ b/proto/zitadel/management.proto @@ -6203,8 +6203,9 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Get Identity Provider (IDP) by ID"; - description: "Returns an identity provider (social/enterprise login) by its ID e.g Google, AzureAD, etc that is configured on the organization." + summary: "Deprecated: Get Identity Provider (IDP) by ID"; + description: "Returns an identity provider (social/enterprise login) by its ID e.g Google, AzureAD, etc that is configured on the organization."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; @@ -6228,8 +6229,9 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Search Identity Providers (IDPs)"; - description: "Returns a list of identity providers (social/enterprise login) configured on the organization. e.g Google, AzureAD, etc." + summary: "Deprecated: Search Identity Providers (IDPs)"; + description: "Returns a list of identity providers (social/enterprise login) configured on the organization. e.g Google, AzureAD, etc."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; 
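Review bot: The `is_auto_update` description at the end of the `Options` hunk reads `Enable if a the ZITADEL account fields ...`; drop the stray article: `description: "Enable if the ZITADEL account fields should be updated automatically on each login.";`. The `is_auto_creation` text two fields up has a similar slip, `when login with an external account` should be `when logging in with an external account`. These strings are copied verbatim into the generated OpenAPI document, so they are exactly the text integrators will read.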
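Review bot: The operation summarised `Deprecated: Get Identity Provider (IDP) by ID` gains `deprecated: true;`, but neither its summary nor its description says what to call instead, and the same holds for the `Search Identity Providers (IDPs)` operation in the following hunk and the other deprecated operations in this file. Readers of the generated OpenAPI document only see these strings, so a pointer to the successor is the one thing a deprecation notice needs. The new operations summarised `List Identity Providers` and `Get Identity Provider By ID` later in this diff look like the intended replacements, though I am inferring that from the summaries alone. Something like `description: "Deprecated: use 'Get Identity Provider By ID' instead. Returns an identity provider (social/enterprise login) by its ID ...";` would close the gap.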
@@ -6253,8 +6255,9 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Add OIDC Identity Provider (IDP)"; - description: "Create a new identity provider configuration on the organization to enable your users to log in with social/enterprise login. The provider has to be OIDC-compliant. This configuration can only be used by the organization itself." + summary: "Deprecated: Add OIDC Identity Provider (IDP)"; + description: "Create a new identity provider configuration on the organization to enable your users to log in with social/enterprise login. The provider has to be OIDC-compliant. This configuration can only be used by the organization itself."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; @@ -6278,8 +6281,9 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Add JWT Identity Provider (IDP)"; - description: "Create a new identity provider configuration on the organization to enable your users to log in with social/enterprise login. JSON Web Token Identity Provider (JWT IDP) gives you the possibility to use an (existing) JWT as a federated identity. You have to provide an endpoint where ZITADEL can get the existing JWT token." + summary: "Deprecated: Add JWT Identity Provider (IDP)"; + description: "Create a new identity provider configuration on the organization to enable your users to log in with social/enterprise login. JSON Web Token Identity Provider (JWT IDP) gives you the possibility to use an (existing) JWT as a federated identity. You have to provide an endpoint where ZITADEL can get the existing JWT token."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; 
@@ -6303,8 +6307,9 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Deactivate Identity Provider (IDP)"; - description: "Sets the state of the provider to inactive. It can only be called for the provider with the state active. Users will not be able to log in with the given provider afterward. It might cause troubles if it is the only authentication method of the user." + summary: "Deprecated: Deactivate Identity Provider (IDP)"; + description: "Sets the state of the provider to inactive. It can only be called for the provider with the state active. Users will not be able to log in with the given provider afterward. It might cause troubles if it is the only authentication method of the user."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; @@ -6329,7 +6334,8 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; summary: "Reactivate Identity Provider (IDP)"; - description: "Sets the state of the provider to active. It can only be called for providers with the state inactive. Users will not be able to log in again with the given provider." + description: "Deprecated: Sets the state of the provider to active. It can only be called for providers with the state inactive. Users will not be able to log in again with the given provider."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; 
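Review bot: In the Reactivate hunk the `Deprecated:` marker is placed at the front of the description rather than the summary, unlike every other operation in this file, and the description keeps the sentence `Users will not be able to log in again with the given provider.`, which states the opposite of what reactivation does. Suggest `summary: "Deprecated: Reactivate Identity Provider (IDP)";` and `description: "Sets the state of the provider to active. It can only be called for providers with the state inactive. Users will be able to log in again with the given provider.";`. The Remove Identity Provider hunk that follows has the same inconsistency: `deprecated: true;` is added but its summary carries no `Deprecated:` prefix.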
@@ -6353,7 +6359,8 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; summary: "Remove Identity Provider (IDP)"; - description: "Removes the identity provider permanently. All links to the given IDP on users will be deleted as well. They will not be able to log in with the provider afterward. If it is their only authentication possibility it might cause problems." + description: "Removes the identity provider permanently. All links to the given IDP on users will be deleted as well. They will not be able to log in with the provider afterward. If it is their only authentication possibility it might cause problems."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; @@ -6377,8 +6384,9 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Update Identity Provider (IDP)"; - description: "Update an existing IDP. All fields are updated. If you do not send a value in a field, it will be empty afterward." + summary: "Deprecated: Update Identity Provider (IDP)"; + description: "Update an existing IDP. All fields are updated. If you do not send a value in a field, it will be empty afterward."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; 
@@ -6402,8 +6410,9 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Update OIDC Identity Provider (IDP)"; - description: "Update the OIDC-specific configuration of an identity provider. All fields will be updated. If a field has no value it will be empty afterward." + summary: "Deprecated: Update OIDC Identity Provider (IDP)"; + description: "Update the OIDC-specific configuration of an identity provider. All fields will be updated. If a field has no value it will be empty afterward."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; @@ -6427,8 +6436,9 @@ service ManagementService { option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { tags: "Identity Providers"; - summary: "Update JWT Identity Provider (IDP)"; - description: "Update the JWT-specific configuration of an identity provider. All fields will be updated. If a field has no value it will be empty afterward." + summary: "Deprecated: Update JWT Identity Provider (IDP)"; + description: "Update the JWT-specific configuration of an identity provider. All fields will be updated. If a field has no value it will be empty afterward."; + deprecated: true; parameters: { headers: { name: "x-zitadel-orgid"; @@ -6451,6 +6461,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.read" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "List Identity Providers"; + description: ""; + }; } // Returns an identity provider of the organization 
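Review bot: The operation annotation added at the end of this hunk (summary `List Identity Providers`) ships `description: "";`, and the same empty description is repeated for every new Identity Providers operation through the `Delete Identity Provider` hunk further down. The deprecated operations these replace document both the behaviour and the `x-zitadel-orgid` header under `parameters: { headers: ... }`; the new annotations carry neither, so a consumer of the generated OpenAPI document loses the note that these calls are scoped to the organisation named in that header (I am reading that scoping from the old annotations, the new ones do not restate it). Either fill in the descriptions, for which the existing `//` comments on the RPCs such as `// Returns an identity provider of the organization` are a ready source, or drop the empty `description` key rather than publishing blank text.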
@@ -6462,6 +6478,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.read" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Get Identity Provider By ID"; + description: ""; + }; } // Add a new OAuth2 identity provider in the organization @@ -6474,6 +6496,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add Generic OAuth Identity Provider"; + description: ""; + }; } // Change an existing OAuth2 identity provider in the organization @@ -6486,6 +6514,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update Generic OAuth Identity Provider"; + description: ""; + }; } // Add a new OIDC identity provider in the organization @@ -6498,6 +6532,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add Generic OIDC Identity Provider"; + description: ""; + }; } // Change an existing OIDC identity provider in the organization @@ -6510,6 +6550,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update Generic OIDC Identity Provider"; + description: ""; + }; } // Add a new JWT identity provider in the organization 
@@ -6522,6 +6568,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add JWT Identity Provider"; + description: ""; + }; } // Change an existing JWT identity provider in the organization @@ -6534,6 +6586,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update JWT Identity Provider"; + description: ""; + }; } // Add a new Azure AD identity provider in the organisation @@ -6546,6 +6604,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add Azure AD Identity Provider"; + description: ""; + }; } // Change an existing Azure AD identity provider in the organisation @@ -6558,6 +6622,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update Azure AD Identity Provider"; + description: ""; + }; } // Add a new GitHub identity provider in the organization @@ -6570,6 +6640,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add GitHub Identity Provider"; + description: ""; + }; } // Change an existing GitHub identity provider in the organization 
@@ -6582,6 +6658,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update GitHub Identity Provider"; + description: ""; + }; } // Add a new GitHub Enterprise Server identity provider in the organization @@ -6594,6 +6676,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add GitHub Enterprise Identity Provider"; + description: ""; + }; } // Change an existing GitHub Enterprise Server identity provider in the organization @@ -6606,6 +6694,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update GitHub Enterprise Identity Provider"; + description: ""; + }; } // Add a new GitLab identity provider in the organization @@ -6618,6 +6712,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add GitLab Identity Provider"; + description: ""; + }; } // Change an existing GitLab identity provider in the organization @@ -6630,6 +6730,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update GitLab Identity Provider"; + description: ""; + }; } // Add a new self hosted GitLab identity provider in the organization 
@@ -6642,6 +6748,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add GitLab Selfhosted Identity Provider"; + description: ""; + }; } // Change an existing self hosted GitLab identity provider in the organization @@ -6654,6 +6766,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update GitLab Selfhosted Identity Provider"; + description: ""; + }; } // Add a new Google identity provider in the organization @@ -6666,6 +6784,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add Google Identity Provider"; + description: ""; + }; } // Change an existing Google identity provider in the organization @@ -6678,6 +6802,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update Google Identity Provider"; + description: ""; + }; } // Add a new LDAP identity provider in the organization @@ -6690,6 +6820,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Add LDAP Identity Provider"; + description: ""; + }; } // Change an existing LDAP identity provider in the organization 
@@ -6702,6 +6838,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Update LDAP Identity Provider"; + description: ""; + }; } // Remove an identity provider @@ -6714,6 +6856,12 @@ service ManagementService { option (zitadel.v1.auth_option) = { permission: "org.idp.write" }; + + option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = { + tags: "Identity Providers"; + summary: "Delete Identity Provider"; + description: ""; + }; } rpc ListActions(ListActionsRequest) returns (ListActionsResponse) { 
@@ -11154,15 +11302,62 @@ message GetProviderByIDResponse { } message AddGenericOAuthProviderRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string authorization_endpoint = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string token_endpoint = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string user_endpoint = 6 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 7 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"My Provider\""; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by the identity provider"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-secret\""; + description: "Client secret generated by the identity provider"; + } + ]; + string authorization_endpoint = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/o/oauth2/v2/auth\""; + description: "The endpoint where ZITADEL send the user to authenticate"; + } + ]; + string token_endpoint = 5 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://oauth2.googleapis.com/token\""; + description: "The endpoint where ZITADEL can get the token"; + } + ]; + string 
user_endpoint = 6 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://openidconnect.googleapis.com/v1/userinfo\""; + description: "The endpoint where ZITADEL can get the user information"; + } + ]; + repeated string scopes = 7 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request on the identity provider"; + } + ]; // identifying attribute of the user in the response of the user_endpoint - string id_attribute = 8 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string id_attribute = 8 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"user_id\""; + description: "Identifying attribute of the user in the response of the user_endpoint"; + } + ]; zitadel.idp.v1.Options provider_options = 9; } 
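Review bot: The `authorization_endpoint` description in this hunk reads `The endpoint where ZITADEL send the user to authenticate`; it should be `sends`, and the identical string recurs in the `UpdateGenericOAuthProviderRequest` hunk that follows. The `id_attribute` field now carries both the `//` comment and an identical `description`, so one of the two can go. Since the three endpoint examples are Google URLs while `name` is `My Provider`, it is worth saying in the `token_endpoint` description that the value must be the endpoint published by the chosen provider, because that is where the configured client secret is presented.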
@@ -11173,16 +11368,63 @@ message AddGenericOAuthProviderResponse { message UpdateGenericOAuthProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"My Provider\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by the identity provider"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; - string authorization_endpoint = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string token_endpoint = 6 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string user_endpoint = 7 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 8 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-secret\""; + description: "Client secret will only be updated if provided"; + } + ]; + string authorization_endpoint = 5 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/o/oauth2/v2/auth\""; + description: "The endpoint where ZITADEL send the user to authenticate"; + } + ]; + string token_endpoint = 6 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: 
"\"https://oauth2.googleapis.com/token\""; + description: "The endpoint where ZITADEL can get the token"; + } + ]; + string user_endpoint = 7 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://openidconnect.googleapis.com/v1/userinfo\""; + description: "The endpoint where ZITADEL can get the user information"; + } + ]; + repeated string scopes = 8 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request on the identity provider"; + } + ]; // identifying attribute of the user in the response of the user_endpoint - string id_attribute = 9 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string id_attribute = 9 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"user_id\""; + description: "Identifying attribute of the user in the response of the user_endpoint"; + } + ]; zitadel.idp.v1.Options provider_options = 10; } 
@@ -11191,11 +11433,40 @@ message UpdateGenericOAuthProviderResponse { } message AddGenericOIDCProviderRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Google\""; + } + ]; + string issuer = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/\""; + description: "the OIDC issuer of the identity provider"; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id generated by the identity provider"; + } + ]; + string client_secret = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "secret generated by the identity provider" + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "the scopes requested by ZITADEL during the request on the identity provider"; + } + ]; zitadel.idp.v1.Options provider_options = 6; bool is_id_token_mapping = 7; } 
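Review bot: The `client_secret` option in this hunk ends with `description: "secret generated by the identity provider"` without the trailing `;` that every other `description` in the file carries; the aggregate option syntax accepts it, but it stands out and invites a copy-paste of the irregular form. Fix: `description: "secret generated by the identity provider";`. The secret examples are also inconsistent, `"\"secret\""` here versus `"\"client-secret\""` in the OAuth request messages above; pick one for the whole file.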
@@ -11206,13 +11477,47 @@ message AddGenericOIDCProviderResponse { } message UpdateGenericOIDCProviderRequest { - string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string issuer = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string id = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"69629023906488334\""; + } + ]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Google\""; + } + ]; + string issuer = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"https://accounts.google.com/\""; + description: "the OIDC issuer of the identity provider"; + } + ]; + string client_id = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id generated by the identity provider"; + } + ]; // client_secret will only be updated if provided - string client_secret = 5 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 6 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 5 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "client secret will only be updated if provided"; + } + ]; + repeated string scopes = 6 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; 
+ description: "the scopes requested by ZITADEL during the request on the identity provider"; + } + ]; zitadel.idp.v1.Options provider_options = 7; bool is_id_token_mapping = 8; } @@ -11223,7 +11528,12 @@ message UpdateGenericOIDCProviderResponse { message AddJWTProviderRequest { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string issuer = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"My Provider\""; + } + ]; string jwt_endpoint = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string keys_endpoint = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; string header_name = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; @@ -11237,7 +11547,12 @@ message AddJWTProviderResponse { message UpdateJWTProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"My Provider\""; + } + ]; string issuer = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string jwt_endpoint = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; string keys_endpoint = 5 [(validate.rules).string = {max_len: 200}]; 
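Review bot: In the `AddJWTProviderRequest` hunk the new example `"\"My Provider\""` is attached to `issuer`, whose value is an issuer URL rather than a display name, while `name` on the line above stays unannotated; the sibling `UpdateJWTProviderRequest` hunk attaches the same example to `name`, which looks like what was intended here. Move the option to `name = 1` and give `issuer` a URL-shaped example, e.g. `example: "\"https://accounts.google.com/\"";`, the value the OIDC request messages already use. As written, the generated API document tells integrators to put a free-text label into the field that presumably token validation is matched against.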
@@ -11250,13 +11565,44 @@ message UpdateJWTProviderResponse { } message AddAzureADProviderRequest { - string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Azure AD\""; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "client id generated by the Azure AD"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "client secret generated by the Azure AD"; + } + ]; // if not provided the `common` tenant will be used - zitadel.idp.v1.AzureADTenant tenant = 4; - bool email_verified = 5; - repeated string scopes = 6 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + zitadel.idp.v1.AzureADTenant tenant = 4 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Defines what kind of accounts are allowed to authenticate (Personal, Organizational, All). If not provided the `common` tenant will be used (All accounts)"; + } + ]; + bool email_verified = 5 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Azure AD doesn't send if the email has been verified. 
Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)"; + } + ]; + repeated string scopes = 6 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\", \"User.Read\"]"; + description: "the scopes requested by ZITADEL during the request to Azure AD"; + } + ]; zitadel.idp.v1.Options provider_options = 7; } 
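Review bot: The `email_verified` description in this hunk says what the flag does to the stored user but not what it trusts: once enabled, the e-mail delivered by Azure AD is marked verified without ZITADEL checking it, and the `tenant` description just above shows that setting decides which account populations (Personal, Organizational, All) can supply it. Suggest appending to the description: `Only enable this if the configured tenant can be trusted to assert verified e-mail addresses, since ZITADEL will not verify them itself.` The `UpdateAzureADProviderRequest` hunk that follows carries the same description and should get the same wording; `client id generated by the Azure AD` in both hunks also reads better as `client id generated by Azure AD`.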
@@ -11267,14 +11613,45 @@ message AddAzureADProviderResponse { message UpdateAzureADProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Azure AD\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by the Azure AD"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client_secret will only be updated if provided"; + } + ]; // if not provided the `common` tenant will be used - zitadel.idp.v1.AzureADTenant tenant = 5; - bool email_verified = 6; - repeated string scopes = 7 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + zitadel.idp.v1.AzureADTenant tenant = 5 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Defines what kind of accounts are allowed to authenticate (Personal, Organizational, All). If not provided the `common` tenant will be used (All accounts)"; + } + ]; + bool email_verified = 6 [ + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + description: "Azure AD doesn't send if the email has been verified. 
Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent)"; + } + ]; + repeated string scopes = 7 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\", \"User.Read\"]"; + description: "the scopes requested by ZITADEL during the request to Azure AD"; + } + ]; zitadel.idp.v1.Options provider_options = 8; } 
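Review bot: `client_secret` on the update request now carries `example: "\"secret\""` while the comment and description in the same hunk say the stored secret is replaced whenever the field is non-empty; any tool that prefills request bodies from OpenAPI examples (Swagger UI "Try it out", generated SDK samples) would therefore rotate the real secret to the literal `secret` during an otherwise unrelated edit. I would drop the example on the update variant and mark the field `format: "password";` so tooling masks it. The `email_verified` description inherits the same caveat as on the add request: it should state that the flag is only appropriate when the configured tenant is trusted to assert email ownership, since ZITADEL will store the address as verified without confirming it.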
@@ -11284,10 +11661,34 @@ message UpdateAzureADProviderResponse { message AddGitHubProviderRequest { // GitHub will be used as default, if no name is provided - string name = 1 [(validate.rules).string = {max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 4 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitHub\""; + description: "GitHub will be used as default, if no name is provided"; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitHub"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by the GitHub"; + } + ]; + repeated string scopes = 4 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitHub"; + } + ]; zitadel.idp.v1.Options provider_options = 5; } 
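Review bot: The scopes example `["openid", "profile", "email"]` uses OpenID Connect scope names, but GitHub's OAuth app authorization is not OIDC and documents its own scope names (such as `user:email`), so the example likely does not match what the GitHub provider actually requests; confirm against the provider's default scopes and use those in the example, since it is what operators will copy. `Client secret generated by the GitHub` should read `Client secret generated by GitHub`. The `// GitHub will be used as default, if no name is provided` comment above `name` now duplicates the field description and can be dropped, and `client_secret` would benefit from `format: "password";` so generated docs treat it as sensitive.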
@@ -11298,11 +11699,34 @@ message AddGitHubProviderResponse { message UpdateGitHubProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitHub\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitHub"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client_secret will only be updated if provided"; + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitHub"; + } + ]; zitadel.idp.v1.Options provider_options = 6; } 
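Review bot: `name` on this update request allows an empty string (`max_len: 200`, no `min_len`), but unlike the add request nothing says what an empty name means on update — reset to `GitHub` or keep the stored name — and the two have different consequences for operators; once confirmed against the update command, add a description such as `description: "If not provided, the current name is kept"` (or the reset wording). The `client_secret` example `secret` on a field whose non-empty value replaces the stored secret is a footgun for tools that prefill from examples; drop the example here and add `format: "password";`. The scopes example repeats OIDC scope names, which GitHub's OAuth flow does not define.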
@@ -11311,13 +11735,36 @@ message UpdateGitHubProviderResponse { } message AddGitHubEnterpriseServerProviderRequest { - string client_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string client_id = 1 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitHub"; + } + ]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitHub\""; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by GitHub"; + } + ]; string authorization_endpoint = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; string token_endpoint = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; string user_endpoint = 6 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 7 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + repeated string scopes = 7 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitHub"; + } + ]; zitadel.idp.v1.Options provider_options = 8; } 
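Review bot: `authorization_endpoint`, `token_endpoint` and `user_endpoint` are the only fields in this message left without a description or example, yet they are the ones an operator most needs guidance on — full URLs of the GitHub Enterprise Server instance, e.g. `example: "\"https://github.example.com/login/oauth/authorize\""`. They are presumably URLs ZITADEL calls server-side during login, so beyond documenting them I would tighten the validate rule from a bare length check to `(validate.rules).string = {min_len: 1, max_len: 200, uri: true}` and state in the description that only HTTPS endpoints of the trusted instance should be configured. The scopes example lists OIDC scope names, which GitHub's OAuth flow does not define, and `client_secret` should carry `format: "password";`.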
@@ -11328,14 +11775,37 @@ message AddGitHubEnterpriseServerProviderResponse { message UpdateGitHubEnterpriseServerProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitHub\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitHub"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret will only be updated if provided"; + } + ]; string authorization_endpoint = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; string token_endpoint = 6 [(validate.rules).string = {min_len: 1, max_len: 200}]; string user_endpoint = 7 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 8 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + repeated string scopes = 8 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitHub"; + } + ]; zitadel.idp.v1.Options provider_options = 9; } 
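Review bot: The three endpoint fields (`authorization_endpoint`, `token_endpoint`, `user_endpoint`) again receive neither description nor example while every other field in this hunk does, and their `min_len: 1` means an update must always resend all three URLs even when unchanged — an asymmetry with `client_secret`, which is kept when empty, that should be documented, e.g. `description: "Authorization endpoint of the GitHub Enterprise Server instance. Required on update."`. Since these URLs presumably determine which host ZITADEL talks to at login, a `uri: true` validate rule would reject malformed values at the API boundary. The `secret` example on the update-only `client_secret` risks being prefilled and written by tooling; drop it and add `format: "password";`.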
@@ -11345,10 +11815,34 @@ message UpdateGitHubEnterpriseServerProviderResponse { message AddGitLabProviderRequest { // GitLab will be used as default, if no name is provided - string name = 1 [(validate.rules).string = {max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 4 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitLab\""; + description: "GitLab will be used as default, if no name is provided"; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitLab"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by GitLab"; + } + ]; + repeated string scopes = 4 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitLab"; + } + ]; zitadel.idp.v1.Options provider_options = 5; } 
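Review bot: `client_secret` gets an example but no `format`; adding `format: "password";` inside the same `openapiv2_field` option tells generated docs and UIs to treat the value as sensitive (masked input, not echoed), which matters for a long-lived credential. The `// GitLab will be used as default, if no name is provided` comment above `name` now duplicates the description on the field and can be removed. The scopes example is consistent with GitLab's OIDC scopes.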
@@ -11359,11 +11853,35 @@ message AddGitLabProviderResponse { message UpdateGitLabProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitLab\""; + description: "GitLab will be used as default, if no name is provided"; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitLab"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret will only be updated if provided"; + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitLab"; + } + ]; zitadel.idp.v1.Options provider_options = 6; } 
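Review bot: The `name` description `GitLab will be used as default, if no name is provided` is copied from the add request, but on an update an empty name (allowed by `max_len: 200` without `min_len`) may instead mean "keep the current name" — the two behaviours differ, and the update hunks for GitHub and Google in the same change carry no such description, so this wording should be confirmed against the update command before it is published. The `client_secret` example `secret` on a field whose non-empty value replaces the stored secret is risky for tools that prefill from examples; drop the example on the update path and add `format: "password";`.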
@@ -11373,10 +11891,33 @@ message UpdateGitLabProviderResponse { message AddGitLabSelfHostedProviderRequest { string issuer = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitLab\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitLab"; + } + ]; + string client_secret = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by GitLab"; + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitLab"; + } + ]; zitadel.idp.v1.Options provider_options = 6; } 
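Review bot: `issuer` is the one field in this message that received neither description nor example, yet it is the value that points the whole integration at a server (presumably used for OIDC discovery); add `description: "Issuer URL of the self-hosted GitLab instance"` with `example: "\"https://gitlab.example.com\""`, and consider `uri: true` in its validate rule so a non-URL is rejected at the API boundary rather than surfacing at login time. `client_secret` should also carry `format: "password";` so generated docs mark it as sensitive.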
@@ -11388,11 +11929,34 @@ message AddGitLabSelfHostedProviderResponse { message UpdateGitLabSelfHostedProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string issuer = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_id = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"GitLab\""; + } + ]; + string client_id = 4 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by GitLab"; + } + ]; // client_secret will only be updated if provided - string client_secret = 5 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 6 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 5 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret will only be updated if provided"; + } + ]; + repeated string scopes = 6 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to GitLab"; + } + ]; zitadel.idp.v1.Options provider_options = 7; } 
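Review bot: `issuer` has `min_len: 1` here, so an update must always resend it, unlike `client_secret` which is kept when empty; that asymmetry is undocumented, and the field has no description or example at all even though every other field in the hunk now does. Suggest `description: "Issuer URL of the self-hosted GitLab instance. Required on update."` with an `https://gitlab.example.com` example, and a `uri: true` validate rule since the value determines which server ZITADEL trusts. On `client_secret`, drop the `secret` example on this update path and add `format: "password";`, because a non-empty value replaces the stored secret and prefilled examples would silently rotate it.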
@@ -11402,10 +11966,34 @@ message UpdateGitLabSelfHostedProviderResponse { message AddGoogleProviderRequest { // Google will be used as default, if no name is provided - string name = 1 [(validate.rules).string = {max_len: 200}]; - string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string client_secret = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; - repeated string scopes = 4 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string name = 1 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Google\""; + description: "Google will be used as default, if no name is provided"; + } + ]; + string client_id = 2 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by Google"; + } + ]; + string client_secret = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret generated by Google"; + } + ]; + repeated string scopes = 4 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to Google"; + } + ]; zitadel.idp.v1.Options provider_options = 5; } 
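Review bot: `client_secret` carries an example `secret` but no `format`; `format: "password";` in the same `openapiv2_field` option lets generated docs and UIs mask the value, which is the appropriate treatment for a long-lived credential. The `// Google will be used as default, if no name is provided` comment above `name` now duplicates the field description and can go.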
@@ -11416,11 +12004,34 @@ message AddGoogleProviderResponse { message UpdateGoogleProviderRequest { string id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; - string name = 2 [(validate.rules).string = {max_len: 200}]; - string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; + string name = 2 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"Google\""; + } + ]; + string client_id = 3 [ + (validate.rules).string = {min_len: 1, max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"client-id\""; + description: "Client id generated by Google"; + } + ]; // client_secret will only be updated if provided - string client_secret = 4 [(validate.rules).string = {max_len: 200}]; - repeated string scopes = 5 [(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}]; + string client_secret = 4 [ + (validate.rules).string = {max_len: 200}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "\"secret\""; + description: "Client secret will only be updated if provided"; + } + ]; + repeated string scopes = 5 [ + (validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}}, + (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = { + example: "[\"openid\", \"profile\", \"email\"]"; + description: "The scopes requested by ZITADEL during the request to Google"; + } + ]; zitadel.idp.v1.Options provider_options = 6; }