TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-08-14 10:37:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into api-user-profile-requests

Browse Source
This commit is contained in:
Elio Bischof
2025-05-27 10:24:42 +02:00
parent 88728b00ae 833f6279e1
commit dbe00ee2a6
1270 changed files with 70321 additions and 25026 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
proto/buf.yaml
View File

@@ -7,6 +7,10 @@ deps:
breaking:
use:
- FILE
- FIELD_NO_DELETE_UNLESS_NAME_RESERVED
- FIELD_NO_DELETE_UNLESS_NUMBER_RESERVED
except:
- FIELD_NO_DELETE
ignore_unstable_packages: true
lint:
use:

725
proto/zitadel/action/v2beta/action_service.proto Normal file
View File

@@ -0,0 +1,725 @@
syntax = "proto3";
package zitadel.action.v2beta;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/action/v2beta/target.proto";
import "zitadel/action/v2beta/execution.proto";
import "zitadel/action/v2beta/query.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/filter/v2beta/filter.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/action/v2beta;action";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Action Service";
version: "2.0-beta";
description: "This API is intended to manage custom executions (previously known as actions) in a ZITADEL instance. This service is in beta state. It can AND will continue breaking until a stable version is released.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
// Service to manage custom executions.
// The service provides methods to create, update, delete and list targets and executions.
service ActionService {
// Create Target
//
// Create a new target to your endpoint, which can be used in executions.
//
// Required permission:
// - `action.target.write`
//
// Required feature flag:
// - `actions`
rpc CreateTarget (CreateTargetRequest) returns (CreateTargetResponse) {
option (google.api.http) = {
post: "/v2beta/actions/targets"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.write"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Target created successfully";
};
};
responses: {
key: "409"
value: {
description: "The target to create already exists.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `actions` is not enabled.";
}
};
};
}
// Update Target
//
// Update an existing target.
// To generate a new signing key set the optional expirationSigningKey.
//
// Required permission:
// - `action.target.write`
//
// Required feature flag:
// - `actions`
rpc UpdateTarget (UpdateTargetRequest) returns (UpdateTargetResponse) {
option (google.api.http) = {
post: "/v2beta/actions/targets/{id}"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.write"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Target successfully updated or left unchanged";
};
};
responses: {
key: "404"
value: {
description: "The target to update does not exist.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `actions` is not enabled.";
}
};
};
}
// Delete Target
//
// Delete an existing target. This will remove it from any configured execution as well.
// In case the target is not found, the request will return a successful response as
// the desired state is already achieved.
//
// Required permission:
// - `action.target.delete`
//
// Required feature flag:
// - `actions`
rpc DeleteTarget (DeleteTargetRequest) returns (DeleteTargetResponse) {
option (google.api.http) = {
delete: "/v2beta/actions/targets/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.delete"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Target deleted successfully";
};
};
responses: {
key: "400"
value: {
description: "The feature flag `actions` is not enabled.";
}
};
};
}
// Get Target
//
// Returns the target identified by the requested ID.
//
// Required permission:
// - `action.target.read`
//
// Required feature flag:
// - `actions`
rpc GetTarget (GetTargetRequest) returns (GetTargetResponse) {
option (google.api.http) = {
get: "/v2beta/actions/targets/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "Target retrieved successfully";
}
};
responses: {
key: "404"
value: {
description: "The target to update does not exist.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `actions` is not enabled.";
}
};
};
}
// List targets
//
// List all matching targets. By default all targets of the instance are returned.
// Make sure to include a limit and sorting for pagination.
//
// Required permission:
// - `action.target.read`
//
// Required feature flag:
// - `actions`
rpc ListTargets (ListTargetsRequest) returns (ListTargetsResponse) {
option (google.api.http) = {
post: "/v2beta/actions/targets/_search",
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "A list of all targets matching the query";
};
};
responses: {
key: "400";
value: {
description: "invalid list query";
};
};
responses: {
key: "400"
value: {
description: "The feature flag `actions` is not enabled.";
}
};
};
}
// Set Execution
//
// Sets an execution to call a target or include the targets of another execution.
// Setting an empty list of targets will remove all targets from the execution, making it a noop.
//
// Required permission:
// - `action.execution.write`
//
// Required feature flag:
// - `actions`
rpc SetExecution (SetExecutionRequest) returns (SetExecutionResponse) {
option (google.api.http) = {
put: "/v2beta/actions/executions"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.execution.write"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Execution successfully updated or left unchanged";
};
};
responses: {
key: "400"
value: {
description: "Condition to set execution does not exist or the feature flag `actions` is not enabled.";
}
};
};
}
// List Executions
//
// List all matching executions. By default all executions of the instance are returned that have at least one execution target.
// Make sure to include a limit and sorting for pagination.
//
// Required permission:
// - `action.execution.read`
//
// Required feature flag:
// - `actions`
rpc ListExecutions (ListExecutionsRequest) returns (ListExecutionsResponse) {
option (google.api.http) = {
post: "/v2beta/actions/executions/_search"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.execution.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "A list of all non noop executions matching the query";
};
};
responses: {
key: "400";
value: {
description: "Invalid list query or the feature flag `actions` is not enabled.";
};
};
};
}
// List Execution Functions
//
// List all available functions which can be used as condition for executions.
rpc ListExecutionFunctions (ListExecutionFunctionsRequest) returns (ListExecutionFunctionsResponse) {
option (google.api.http) = {
get: "/v2beta/actions/executions/functions"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "List all functions successfully";
};
};
};
}
// List Execution Methods
//
// List all available methods which can be used as condition for executions.
rpc ListExecutionMethods (ListExecutionMethodsRequest) returns (ListExecutionMethodsResponse) {
option (google.api.http) = {
get: "/v2beta/actions/executions/methods"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "List all methods successfully";
};
};
};
}
// List Execution Services
//
// List all available services which can be used as condition for executions.
rpc ListExecutionServices (ListExecutionServicesRequest) returns (ListExecutionServicesResponse) {
option (google.api.http) = {
get: "/v2beta/actions/executions/services"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "List all services successfully";
};
};
};
}
}
message CreateTargetRequest {
string name = 1 [
(validate.rules).string = {min_len: 1, max_len: 1000},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"ip_allow_list\"";
min_length: 1
max_length: 1000
}
];
// Defines the target type and how the response of the target is treated.
oneof target_type {
option (validate.required) = true;
// Wait for response but response body is ignored, status is checked, call is sent as post.
RESTWebhook rest_webhook = 2;
// Wait for response and response body is used, status is checked, call is sent as post.
RESTCall rest_call = 3;
// Call is executed in parallel to others, ZITADEL does not wait until the call is finished. The state is ignored, call is sent as post.
RESTAsync rest_async = 4;
}
// Timeout defines the duration until ZITADEL cancels the execution.
// If the target doesn't respond before this timeout expires, then the connection is closed and the action fails. Depending on the target type and possible setting on `interrupt_on_error` following targets will not be called. In case of a `rest_async` target only this specific target will fail, without any influence on other targets of the same execution.
google.protobuf.Duration timeout = 5 [
(validate.rules).duration = {gte: {}, lte: {seconds: 270}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"10s\"";
}
];
string endpoint = 6 [
(validate.rules).string = {min_len: 1, max_len: 1000},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://example.com/hooks/ip_check\""
min_length: 1
max_length: 1000
}
];
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
example: "{\"name\": \"ip_allow_list\",\"restWebhook\":{\"interruptOnError\":true},\"timeout\":\"10s\",\"endpoint\":\"https://example.com/hooks/ip_check\"}";
};
}
message CreateTargetResponse {
// The unique identifier of the newly created target.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The timestamp of the target creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// Key used to sign and check payload sent to the target.
string signing_key = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"98KmsU67\""
}
];
}
message UpdateTargetRequest {
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
optional string name = 2 [
(validate.rules).string = {min_len: 1, max_len: 1000},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"ip_allow_list\""
min_length: 1
max_length: 1000
}
];
// Defines the target type and how the response of the target is treated.
oneof target_type {
// Wait for response but response body is ignored, status is checked, call is sent as post.
RESTWebhook rest_webhook = 3;
// Wait for response and response body is used, status is checked, call is sent as post.
RESTCall rest_call = 4;
// Call is executed in parallel to others, ZITADEL does not wait until the call is finished. The state is ignored, call is sent as post.
RESTAsync rest_async = 5;
}
// Timeout defines the duration until ZITADEL cancels the execution.
// If the target doesn't respond before this timeout expires, then the connection is closed and the action fails. Depending on the target type and possible setting on `interrupt_on_error` following targets will not be called. In case of a `rest_async` target only this specific target will fail, without any influence on other targets of the same execution.
optional google.protobuf.Duration timeout = 6 [
(validate.rules).duration = {gte: {}, lte: {seconds: 270}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"10s\"";
}
];
optional string endpoint = 7 [
(validate.rules).string = {min_len: 1, max_len: 1000},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://example.com/hooks/ip_check\""
min_length: 1
max_length: 1000
}
];
// Regenerate the key used for signing and checking the payload sent to the target.
// Set the graceful period for the existing key. During that time, the previous
// signing key and the new one will be used to sign the request to allow you a smooth
// transition onf your API.
//
// Note that we currently only allow an immediate rotation ("0s") and will support
// longer expirations in the future.
optional google.protobuf.Duration expiration_signing_key = 8 [
(validate.rules).duration = {const: {seconds: 0, nanos: 0}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"0s\""
minimum: 0
maximum: 0
}
];
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
example: "{\"name\": \"ip_allow_list\",\"restCall\":{\"interruptOnError\":true},\"timeout\":\"10s\",\"endpoint\":\"https://example.com/hooks/ip_check\",\"expirationSigningKey\":\"0s\"}";
};
}
message UpdateTargetResponse {
// The timestamp of the change of the target.
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
// Key used to sign and check payload sent to the target.
optional string signing_key = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"98KmsU67\""
}
];
}
message DeleteTargetRequest {
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message DeleteTargetResponse {
// The timestamp of the deletion of the target.
// Note that the deletion date is only guaranteed to be set if the deletion was successful during the request.
// In case the deletion occurred in a previous request, the deletion date might be empty.
google.protobuf.Timestamp deletion_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message GetTargetRequest {
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message GetTargetResponse {
Target target = 1;
}
message ListTargetsRequest {
// List limitations and ordering.
optional zitadel.filter.v2beta.PaginationRequest pagination = 1;
// The field the result is sorted by. The default is the creation date. Beware that if you change this, your result pagination might be inconsistent.
optional TargetFieldName sorting_column = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"TARGET_FIELD_NAME_CREATION_DATE\""
}
];
// Define the criteria to query for.
repeated TargetSearchFilter filters = 3;
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
example: "{\"pagination\":{\"offset\":0,\"limit\":0,\"asc\":true},\"sortingColumn\":\"TARGET_FIELD_NAME_CREATION_DATE\",\"filters\":[{\"targetNameFilter\":{\"targetName\":\"ip_allow_list\",\"method\":\"TEXT_FILTER_METHOD_EQUALS\"}},{\"inTargetIdsFilter\":{\"targetIds\":[\"69629023906488334\",\"69622366012355662\"]}}]}";
};
}
message ListTargetsResponse {
zitadel.filter.v2beta.PaginationResponse pagination = 1;
repeated Target result = 2;
}
message SetExecutionRequest {
// Condition defining when the execution should be used.
Condition condition = 1;
// Ordered list of targets called during the execution.
repeated string targets = 2;
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
example: "{\"condition\":{\"request\":{\"method\":\"zitadel.session.v2.SessionService/ListSessions\"}},\"targets\":[{\"target\":\"69629026806489455\"}]}";
};
}
message SetExecutionResponse {
// The timestamp of the execution set.
google.protobuf.Timestamp set_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message ListExecutionsRequest {
// List limitations and ordering.
optional zitadel.filter.v2beta.PaginationRequest pagination = 1;
// The field the result is sorted by. The default is the creation date. Beware that if you change this, your result pagination might be inconsistent.
optional ExecutionFieldName sorting_column = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"EXECUTION_FIELD_NAME_CREATION_DATE\""
}
];
// Define the criteria to query for.
repeated ExecutionSearchFilter filters = 3;
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
example: "{\"pagination\":{\"offset\":0,\"limit\":0,\"asc\":true},\"sortingColumn\":\"EXECUTION_FIELD_NAME_ID\",\"filters\":[{\"targetFilter\":{\"targetId\":\"69629023906488334\"}}]}";
};
}
message ListExecutionsResponse {
zitadel.filter.v2beta.PaginationResponse pagination = 1;
repeated Execution result = 2;
}
message ListExecutionFunctionsRequest{}
message ListExecutionFunctionsResponse{
// All available methods
repeated string functions = 1;
}
message ListExecutionMethodsRequest{}
message ListExecutionMethodsResponse{
// All available methods
repeated string methods = 1;
}
message ListExecutionServicesRequest{}
message ListExecutionServicesResponse{
// All available methods
repeated string services = 1;
}

38
proto/zitadel/resources/action/v3alpha/execution.proto → proto/zitadel/action/v2beta/execution.proto
View File

@@ -1,6 +1,6 @@
syntax = "proto3";
package zitadel.resources.action.v3alpha;
package zitadel.action.v2beta;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
@@ -10,31 +10,27 @@ import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/resources/object/v3alpha/object.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/object/v3alpha/object.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/resources/action/v3alpha;action";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/action/v2beta;action";
message Execution {
// Ordered list of targets/includes called during the execution.
repeated ExecutionTargetType targets = 1;
}
message GetExecution {
zitadel.resources.object.v3alpha.Details details = 1;
Condition condition = 2;
Execution execution = 3;
}
message ExecutionTargetType {
oneof type {
option (validate.required) = true;
// Unique identifier of existing target to call.
string target = 1;
// Unique identifier of existing execution to include targets of.
Condition include = 2;
}
Condition condition = 1;
// The timestamp of the execution creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the last change to the execution.
google.protobuf.Timestamp change_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
// Ordered list of targets called during the execution.
repeated string targets = 4;
}
message Condition {

43
proto/zitadel/resources/action/v3alpha/query.proto → proto/zitadel/action/v2beta/query.proto
View File

@@ -1,15 +1,16 @@
syntax = "proto3";
package zitadel.resources.action.v3alpha;
package zitadel.action.v2beta;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/resources/action/v3alpha;action";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/action/v2beta;action";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/resources/object/v3alpha/object.proto";
import "zitadel/resources/action/v3alpha/execution.proto";
import "zitadel/action/v2beta/execution.proto";
import "zitadel/filter/v2beta/filter.proto";
message ExecutionSearchFilter {
oneof filter {
@@ -18,7 +19,6 @@ message ExecutionSearchFilter {
InConditionsFilter in_conditions_filter = 1;
ExecutionTypeFilter execution_type_filter = 2;
TargetFilter target_filter = 3;
IncludeFilter include_filter = 4;
}
}
@@ -42,14 +42,16 @@ message TargetFilter {
];
}
message IncludeFilter {
// Defines the include to query for.
Condition include = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the id of the include"
example: "\"request.zitadel.session.v2.SessionService\"";
}
];
enum TargetFieldName {
TARGET_FIELD_NAME_UNSPECIFIED = 0;
TARGET_FIELD_NAME_ID = 1;
TARGET_FIELD_NAME_CREATED_DATE = 2;
TARGET_FIELD_NAME_CHANGED_DATE = 3;
TARGET_FIELD_NAME_NAME = 4;
TARGET_FIELD_NAME_TARGET_TYPE = 5;
TARGET_FIELD_NAME_URL = 6;
TARGET_FIELD_NAME_TIMEOUT = 7;
TARGET_FIELD_NAME_INTERRUPT_ON_ERROR = 8;
}
message TargetSearchFilter {
@@ -71,7 +73,7 @@ message TargetNameFilter {
}
];
// Defines which text comparison method used for the name query.
zitadel.resources.object.v3alpha.TextFilterMethod method = 2 [
zitadel.filter.v2beta.TextFilterMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
@@ -97,21 +99,10 @@ enum ExecutionType {
EXECUTION_TYPE_FUNCTION = 4;
}
enum TargetFieldName {
TARGET_FIELD_NAME_UNSPECIFIED = 0;
TARGET_FIELD_NAME_ID = 1;
TARGET_FIELD_NAME_CREATED_DATE = 2;
TARGET_FIELD_NAME_CHANGED_DATE = 3;
TARGET_FIELD_NAME_NAME = 4;
TARGET_FIELD_NAME_TARGET_TYPE = 5;
TARGET_FIELD_NAME_URL = 6;
TARGET_FIELD_NAME_TIMEOUT = 7;
TARGET_FIELD_NAME_INTERRUPT_ON_ERROR = 8;
}
enum ExecutionFieldName {
EXECUTION_FIELD_NAME_UNSPECIFIED = 0;
EXECUTION_FIELD_NAME_ID = 1;
EXECUTION_FIELD_NAME_CREATED_DATE = 2;
EXECUTION_FIELD_NAME_CHANGED_DATE = 3;
}
}

75
proto/zitadel/action/v2beta/target.proto Normal file
View File

@@ -0,0 +1,75 @@
syntax = "proto3";
package zitadel.action.v2beta;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "google/protobuf/timestamp.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/action/v2beta;action";
message Target {
// The unique identifier of the target.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The timestamp of the target creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the last change to the target (e.g. creation, activation, deactivation).
google.protobuf.Timestamp change_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
string name = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"ip_allow_list\"";
}
];
// Defines the target type and how the response of the target is treated.
oneof target_type {
RESTWebhook rest_webhook = 5;
RESTCall rest_call = 6;
RESTAsync rest_async = 7;
}
// Timeout defines the duration until ZITADEL cancels the execution.
// If the target doesn't respond before this timeout expires, the the connection is closed and the action fails. Depending on the target type and possible setting on `interrupt_on_error` following targets will not be called. In case of a `rest_async` target only this specific target will fail, without any influence on other targets of the same execution.
google.protobuf.Duration timeout = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"10s\"";
}
];
string endpoint = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://example.com/hooks/ip_check\""
}
];
string signing_key = 10 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"98KmsU67\""
}
];
}
message RESTWebhook {
// Define if any error stops the whole execution. By default the process continues as normal.
bool interrupt_on_error = 1;
}
message RESTCall {
// Define if any error stops the whole execution. By default the process continues as normal.
bool interrupt_on_error = 1;
}
message RESTAsync {}

61
proto/zitadel/admin.proto
View File

@@ -41,7 +41,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
tags: [
@@ -307,6 +307,7 @@ service AdminService {
};
}
// Deprecated: Use [ListCustomDomains](apis/resources/instance_service_v2/instance-service-list-custom-domains.api.mdx) instead to list custom domains
rpc ListInstanceDomains(ListInstanceDomainsRequest) returns (ListInstanceDomainsResponse) {
option (google.api.http) = {
post: "/domains/_search";
@@ -319,10 +320,12 @@ service AdminService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Instance";
summary: "List Instance Domains";
description: "Returns a list of domains that are configured for this ZITADEL instance. These domains are the URLs where ZITADEL is running."
description: "Returns a list of domains that are configured for this ZITADEL instance. These domains are the URLs where ZITADEL is running.";
deprecated: true;
};
}
// Deprecated: Use [ListTrustedDomains](apis/resources/instance_service_v2/instance-service-list-trusted-domains.api.mdx) instead to list trusted domains
rpc ListInstanceTrustedDomains(ListInstanceTrustedDomainsRequest) returns (ListInstanceTrustedDomainsResponse) {
option (google.api.http) = {
post: "/trusted_domains/_search";
@@ -335,10 +338,12 @@ service AdminService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Instance";
summary: "List Instance Trusted Domains";
description: "Returns a list of domains that are configured for this ZITADEL instance. These domains are trusted to be used as public hosts."
description: "Returns a list of domains that are configured for this ZITADEL instance. These domains are trusted to be used as public hosts.";
deprecated: true;
};
}
// Deprecated: Use [AddTrustedDomain](apis/resources/instance_service_v2/instance-service-add-trusted-domain.api.mdx) instead to add a trusted domain
rpc AddInstanceTrustedDomain(AddInstanceTrustedDomainRequest) returns (AddInstanceTrustedDomainResponse) {
option (google.api.http) = {
post: "/trusted_domains";
@@ -352,10 +357,12 @@ service AdminService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Instance";
summary: "Add an Instance Trusted Domain";
description: "Returns a list of domains that are configured for this ZITADEL instance. These domains are trusted to be used as public hosts."
description: "Returns a list of domains that are configured for this ZITADEL instance. These domains are trusted to be used as public hosts.";
deprecated: true;
};
}
// Deprecated: Use [RemoveTrustedDomain](apis/resources/instance_service_v2/instance-service-remove-trusted-domain.api.mdx) instead to remove a trusted domain
rpc RemoveInstanceTrustedDomain(RemoveInstanceTrustedDomainRequest) returns (RemoveInstanceTrustedDomainResponse) {
option (google.api.http) = {
delete: "/trusted_domains/{domain}";
@@ -368,7 +375,8 @@ service AdminService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Instance";
summary: "Remove an Instance Trusted Domain";
description: "Returns a list of domains that are configured for this ZITADEL instance. These domains are trusted to be used as public hosts."
description: "Returns a list of domains that are configured for this ZITADEL instance. These domains are trusted to be used as public hosts.";
deprecated: true;
};
}
@@ -1715,7 +1723,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.read"
permission: "iam.idp.read"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -1732,7 +1740,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.read"
permission: "iam.idp.read"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -2092,7 +2100,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.write"
permission: "iam.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -2110,7 +2118,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "org.idp.write"
permission: "iam.idp.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -2561,7 +2569,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -2578,7 +2586,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -2595,7 +2603,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -2612,7 +2620,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -2629,7 +2637,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -2646,7 +2654,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.write"
permission: "iam.policy.write"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -3777,7 +3785,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.delete"
permission: "iam.policy.delete"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -3972,7 +3980,7 @@ service AdminService {
};
option (zitadel.v1.auth_option) = {
permission: "policy.delete"
permission: "iam.policy.delete"
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
@@ -6124,6 +6132,8 @@ message AddGenericOAuthProviderRequest {
}
];
zitadel.idp.v1.Options provider_options = 9;
// Enable the use of Proof Key for Code Exchange (PKCE) for the OAuth2 flow.
bool use_pkce = 10;
}
message AddGenericOAuthProviderResponse {
@@ -6191,6 +6201,8 @@ message UpdateGenericOAuthProviderRequest {
}
];
zitadel.idp.v1.Options provider_options = 10;
// Enable the use of Proof Key for Code Exchange (PKCE) for the OAuth2 flow.
bool use_pkce = 11;
}
message UpdateGenericOAuthProviderResponse {
@@ -6234,6 +6246,8 @@ message AddGenericOIDCProviderRequest {
];
zitadel.idp.v1.Options provider_options = 6;
bool is_id_token_mapping = 7;
// Enable the use of Proof Key for Code Exchange (PKCE) for the OIDC flow.
bool use_pkce = 8;
}
message AddGenericOIDCProviderResponse {
@@ -6285,6 +6299,8 @@ message UpdateGenericOIDCProviderRequest {
];
zitadel.idp.v1.Options provider_options = 7;
bool is_id_token_mapping = 8;
// Enable the use of Proof Key for Code Exchange (PKCE) for the OIDC flow.
bool use_pkce = 9;
}
message UpdateGenericOIDCProviderResponse {
@@ -6834,6 +6850,8 @@ message AddLDAPProviderRequest {
google.protobuf.Duration timeout = 10;
zitadel.idp.v1.LDAPAttributes attributes = 11;
zitadel.idp.v1.Options provider_options = 12;
// Root_ca is for self signing certificates for TLS connections to LDAP servers it is intended to be filled with a .pem file.
bytes root_ca = 13 [(validate.rules).bytes.max_len = 12000];
}
message AddLDAPProviderResponse {
@@ -6855,6 +6873,8 @@ message UpdateLDAPProviderRequest {
google.protobuf.Duration timeout = 11;
zitadel.idp.v1.LDAPAttributes attributes = 12;
zitadel.idp.v1.Options provider_options = 13;
// Root_ca is for self signing certificates for TLS connections to LDAP servers it is intended to be filled with a .pem file.
bytes root_ca = 14 [(validate.rules).bytes.max_len = 12000];
}
message UpdateLDAPProviderResponse {
@@ -7015,6 +7035,9 @@ message AddSAMLProviderRequest {
// Optionally specify the name of the attribute, which will be used to map the user
// in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
optional string transient_mapping_attribute_name = 8;
// Optionally enable federated logout. If enabled, ZITADEL will send a logout request to the identity provider,
// if the user terminates the session in ZITADEL. Be sure to provide a SLO endpoint as part of the metadata.
optional bool federated_logout_enabled = 9;
}
message AddSAMLProviderResponse {
@@ -7049,6 +7072,9 @@ message UpdateSAMLProviderRequest {
// Optionally specify the name of the attribute, which will be used to map the user
// in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
optional string transient_mapping_attribute_name = 9;
// Optionally enable federated logout. If enabled, ZITADEL will send a logout request to the identity provider,
// if the user terminates the session in ZITADEL. Be sure to provide a SLO endpoint as part of the metadata.
optional bool federated_logout_enabled = 10;
}
message UpdateSAMLProviderResponse {
@@ -8778,6 +8804,7 @@ message ListIAMMembersRequest {
zitadel.v1.ListQuery query = 1;
//criteria the client is looking for
repeated zitadel.member.v1.SearchQuery queries = 2;
zitadel.member.v1.MemberFieldColumnName sorting_column = 3;
}
message ListIAMMembersResponse {

5
proto/zitadel/app.proto
View File

@@ -222,6 +222,11 @@ message SAMLConfig {
bytes metadata_xml = 1;
string metadata_url = 2;
}
LoginVersion login_version = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
enum APIAuthMethodType {

112
proto/zitadel/feature/v2/feature_service.proto
View File

@@ -25,7 +25,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
@@ -113,6 +113,12 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
// reserving the proto field number. Such removal is not considered a breaking change.
// Setting a removed field will effectively result in a no-op.
service FeatureService {
// Set System Features
//
// Configure and set features that apply to the complete system. Only fields present in the request are set or unset.
//
// Required permissions:
// - system.feature.write
rpc SetSystemFeatures (SetSystemFeaturesRequest) returns (SetSystemFeaturesResponse) {
option (google.api.http) = {
put: "/v2/features/system"
@@ -126,8 +132,6 @@ service FeatureService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Set system level features";
description: "Configure and set features that apply to the complete system. Only fields present in the request are set or unset."
responses: {
key: "200"
value: {
@@ -137,6 +141,12 @@ service FeatureService {
};
}
// Reset System Features
//
// Deletes ALL configured features for the system, reverting the behaviors to system defaults.
//
// Required permissions:
// - system.feature.delete
rpc ResetSystemFeatures (ResetSystemFeaturesRequest) returns (ResetSystemFeaturesResponse) {
option (google.api.http) = {
delete: "/v2/features/system"
@@ -149,8 +159,6 @@ service FeatureService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Reset system level features";
description: "Deletes ALL configured features for the system, reverting the behaviors to system defaults."
responses: {
key: "200"
value: {
@@ -160,6 +168,12 @@ service FeatureService {
};
}
// Get System Features
//
// Returns all configured features for the system. Unset fields mean the feature is the current system default.
//
// Required permissions:
// - none
rpc GetSystemFeatures (GetSystemFeaturesRequest) returns (GetSystemFeaturesResponse) {
option (google.api.http) = {
get: "/v2/features/system"
@@ -167,13 +181,11 @@ service FeatureService {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "system.feature.read"
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get system level features";
description: "Returns all configured features for the system. Unset fields mean the feature is the current system default."
responses: {
key: "200"
value: {
@@ -183,6 +195,12 @@ service FeatureService {
};
}
// Set Instance Features
//
// Configure and set features that apply to a complete instance. Only fields present in the request are set or unset.
//
// Required permissions:
// - iam.feature.write
rpc SetInstanceFeatures (SetInstanceFeaturesRequest) returns (SetInstanceFeaturesResponse) {
option (google.api.http) = {
put: "/v2/features/instance"
@@ -196,8 +214,6 @@ service FeatureService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Set instance level features";
description: "Configure and set features that apply to a complete instance. Only fields present in the request are set or unset."
responses: {
key: "200"
value: {
@@ -207,6 +223,12 @@ service FeatureService {
};
}
// Reset Instance Features
//
// Deletes ALL configured features for an instance, reverting the behaviors to system defaults.
//
// Required permissions:
// - iam.feature.delete
rpc ResetInstanceFeatures (ResetInstanceFeaturesRequest) returns (ResetInstanceFeaturesResponse) {
option (google.api.http) = {
delete: "/v2/features/instance"
@@ -219,8 +241,6 @@ service FeatureService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Reset instance level features";
description: "Deletes ALL configured features for an instance, reverting the behaviors to system defaults."
responses: {
key: "200"
value: {
@@ -230,6 +250,12 @@ service FeatureService {
};
}
// Get Instance Features
//
// Returns all configured features for an instance. Unset fields mean the feature is the current system default.
//
// Required permissions:
// - none
rpc GetInstanceFeatures (GetInstanceFeaturesRequest) returns (GetInstanceFeaturesResponse) {
option (google.api.http) = {
get: "/v2/features/instance"
@@ -237,13 +263,11 @@ service FeatureService {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.feature.read"
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get instance level features";
description: "Returns all configured features for an instance. Unset fields mean the feature is the current system default."
responses: {
key: "200"
value: {
@@ -253,6 +277,12 @@ service FeatureService {
};
}
// Set Organization Features
//
// Configure and set features that apply to a complete instance. Only fields present in the request are set or unset.
//
// Required permissions:
// - org.feature.write
rpc SetOrganizationFeatures (SetOrganizationFeaturesRequest) returns (SetOrganizationFeaturesResponse) {
option (google.api.http) = {
put: "/v2/features/organization/{organization_id}"
@@ -266,8 +296,6 @@ service FeatureService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Set organization level features";
description: "Configure and set features that apply to a complete instance. Only fields present in the request are set or unset."
responses: {
key: "200"
value: {
@@ -277,6 +305,12 @@ service FeatureService {
};
}
// Reset Organization Features
//
// Deletes ALL configured features for an organization, reverting the behaviors to instance defaults.
//
// Required permissions:
// - org.feature.delete
rpc ResetOrganizationFeatures (ResetOrganizationFeaturesRequest) returns (ResetOrganizationFeaturesResponse) {
option (google.api.http) = {
delete: "/v2/features/organization/{organization_id}"
@@ -284,13 +318,11 @@ service FeatureService {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "org.feature.write"
permission: "org.feature.delete"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Reset organization level features";
description: "Deletes ALL configured features for an organization, reverting the behaviors to instance defaults."
responses: {
key: "200"
value: {
@@ -300,6 +332,13 @@ service FeatureService {
};
}
// Get Organization Features
//
// Returns all configured features for an organization. Unset fields mean the feature is the current instance default.
//
// Required permissions:
// - org.feature.read
// - no permission required for the organization the user belongs to
rpc GetOrganizationFeatures(GetOrganizationFeaturesRequest) returns (GetOrganizationFeaturesResponse) {
option (google.api.http) = {
get: "/v2/features/organization/{organization_id}"
@@ -307,13 +346,11 @@ service FeatureService {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "org.feature.read"
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get organization level features";
description: "Returns all configured features for an organization. Unset fields mean the feature is the current instance default."
responses: {
key: "200"
value: {
@@ -323,6 +360,12 @@ service FeatureService {
};
}
// Set User Features
//
// Configure and set features that apply to an user. Only fields present in the request are set or unset.
//
// Required permissions:
// - user.feature.write
rpc SetUserFeatures(SetUserFeatureRequest) returns (SetUserFeaturesResponse) {
option (google.api.http) = {
put: "/v2/features/user/{user_id}"
@@ -336,8 +379,6 @@ service FeatureService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Set user level features";
description: "Configure and set features that apply to an user. Only fields present in the request are set or unset."
responses: {
key: "200"
value: {
@@ -347,6 +388,12 @@ service FeatureService {
};
}
// Reset User Features
//
// Deletes ALL configured features for a user, reverting the behaviors to organization defaults.
//
// Required permissions:
// - user.feature.delete
rpc ResetUserFeatures(ResetUserFeaturesRequest) returns (ResetUserFeaturesResponse) {
option (google.api.http) = {
delete: "/v2/features/user/{user_id}"
@@ -354,13 +401,11 @@ service FeatureService {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "user.feature.write"
permission: "user.feature.delete"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Reset user level features";
description: "Deletes ALL configured features for a user, reverting the behaviors to organization defaults."
responses: {
key: "200"
value: {
@@ -370,6 +415,13 @@ service FeatureService {
};
}
// Get User Features
//
// Returns all configured features for a user. Unset fields mean the feature is the current organization default.
//
// Required permissions:
// - user.feature.read
// - no permission required for the own user
rpc GetUserFeatures(GetUserFeaturesRequest) returns (GetUserFeaturesResponse) {
option (google.api.http) = {
get: "/v2/features/user/{user_id}"
@@ -377,13 +429,11 @@ service FeatureService {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "user.feature.read"
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Get organization level features";
description: "Returns all configured features for an organization. Unset fields mean the feature is the current instance default."
responses: {
key: "200"
value: {

31
proto/zitadel/feature/v2/instance.proto
View File

@@ -11,6 +11,8 @@ import "zitadel/feature/v2/feature.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
message SetInstanceFeaturesRequest{
reserved 6;
reserved "actions";
optional bool login_default_org = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -43,12 +45,6 @@ message SetInstanceFeaturesRequest{
description: "Enable the experimental `urn:ietf:params:oauth:grant-type:token-exchange` grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.";
}
];
optional bool actions = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
}
];
repeated ImprovedPerformance improved_performance = 7 [
(validate.rules).repeated.unique = true,
@@ -106,6 +102,13 @@ message SetInstanceFeaturesRequest{
description: "Enable a newer, more performant, permission check used for v2 and v3 resource based APIs.";
}
];
optional bool console_use_v2_user_api = 15 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "If this is enabled the console web client will use the new User v2 API for certain calls";
}
];
}
message SetInstanceFeaturesResponse {
@@ -128,6 +131,8 @@ message GetInstanceFeaturesRequest {
}
message GetInstanceFeaturesResponse {
reserved 7;
reserved "actions";
zitadel.object.v2.Details details = 1;
FeatureFlag login_default_org = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -164,13 +169,6 @@ message GetInstanceFeaturesResponse {
}
];
FeatureFlag actions = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Actions v2 allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
}
];
ImprovedPerformanceFeatureFlag improved_performance = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[1]";
@@ -225,4 +223,11 @@ message GetInstanceFeaturesResponse {
description: "Enable a newer, more performant, permission check used for v2 and v3 resource based APIs.";
}
];
FeatureFlag console_use_v2_user_api = 16 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "If this is enabled the console web client will use the new User v2 API for certain calls";
}
];
}

18
proto/zitadel/feature/v2/system.proto
View File

@@ -11,6 +11,8 @@ import "zitadel/feature/v2/feature.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2;feature";
message SetSystemFeaturesRequest{
reserved 6;
reserved "actions";
optional bool login_default_org = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -46,13 +48,6 @@ message SetSystemFeaturesRequest{
}
];
optional bool actions = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
}
];
repeated ImprovedPerformance improved_performance = 7 [
(validate.rules).repeated.unique = true,
(validate.rules).repeated.items.enum = {defined_only: true, not_in: [0]},
@@ -110,6 +105,8 @@ message ResetSystemFeaturesResponse {
message GetSystemFeaturesRequest {}
message GetSystemFeaturesResponse {
reserved 7;
reserved "actions";
zitadel.object.v2.Details details = 1;
FeatureFlag login_default_org = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -146,13 +143,6 @@ message GetSystemFeaturesResponse {
}
];
FeatureFlag actions = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Actions v2 allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
}
];
ImprovedPerformanceFeatureFlag improved_performance = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[1]";

2
proto/zitadel/feature/v2beta/feature_service.proto
View File

@@ -25,7 +25,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

17
proto/zitadel/feature/v2beta/instance.proto
View File

@@ -11,6 +11,8 @@ import "zitadel/feature/v2beta/feature.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta;feature";
message SetInstanceFeaturesRequest{
reserved 6;
reserved "actions";
optional bool login_default_org = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -43,12 +45,6 @@ message SetInstanceFeaturesRequest{
description: "Enable the experimental `urn:ietf:params:oauth:grant-type:token-exchange` grant type for the OIDC token endpoint. Token exchange can be used to request tokens with a lesser scope or impersonate other users. See the security policy to allow impersonation on an instance.";
}
];
optional bool actions = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
}
];
repeated ImprovedPerformance improved_performance = 7 [
(validate.rules).repeated.unique = true,
@@ -101,6 +97,8 @@ message GetInstanceFeaturesRequest {
}
message GetInstanceFeaturesResponse {
reserved 7;
reserved "actions";
zitadel.object.v2beta.Details details = 1;
FeatureFlag login_default_org = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -137,13 +135,6 @@ message GetInstanceFeaturesResponse {
}
];
FeatureFlag actions = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Actions v2 allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
}
];
ImprovedPerformanceFeatureFlag improved_performance = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[1]";

18
proto/zitadel/feature/v2beta/system.proto
View File

@@ -11,6 +11,8 @@ import "zitadel/feature/v2beta/feature.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/feature/v2beta;feature";
message SetSystemFeaturesRequest{
reserved 6;
reserved "actions";
optional bool login_default_org = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
@@ -46,13 +48,6 @@ message SetSystemFeaturesRequest{
}
];
optional bool actions = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Actions allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
}
];
repeated ImprovedPerformance improved_performance = 7 [
(validate.rules).repeated.unique = true,
(validate.rules).repeated.items.enum = {defined_only: true, not_in: [0]},
@@ -83,6 +78,8 @@ message ResetSystemFeaturesResponse {
message GetSystemFeaturesRequest {}
message GetSystemFeaturesResponse {
reserved 7;
reserved "actions";
zitadel.object.v2beta.Details details = 1;
FeatureFlag login_default_org = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
@@ -119,13 +116,6 @@ message GetSystemFeaturesResponse {
}
];
FeatureFlag actions = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
description: "Actions v2 allow to manage data executions and targets. If the flag is enabled, you'll be able to use the new API and its features. Note that it is still in an early stage.";
}
];
ImprovedPerformanceFeatureFlag improved_performance = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[1]";

59
proto/zitadel/filter/v2beta/filter.proto Normal file
View File

@@ -0,0 +1,59 @@
syntax = "proto3";
package zitadel.filter.v2beta;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/filter/v2beta;filter";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
enum TextFilterMethod {
TEXT_FILTER_METHOD_EQUALS = 0;
TEXT_FILTER_METHOD_EQUALS_IGNORE_CASE = 1;
TEXT_FILTER_METHOD_STARTS_WITH = 2;
TEXT_FILTER_METHOD_STARTS_WITH_IGNORE_CASE = 3;
TEXT_FILTER_METHOD_CONTAINS = 4;
TEXT_FILTER_METHOD_CONTAINS_IGNORE_CASE = 5;
TEXT_FILTER_METHOD_ENDS_WITH = 6;
TEXT_FILTER_METHOD_ENDS_WITH_IGNORE_CASE = 7;
}
enum ListFilterMethod {
LIST_FILTER_METHOD_IN = 0;
}
enum TimestampFilterMethod {
TIMESTAMP_FILTER_METHOD_EQUALS = 0;
TIMESTAMP_FILTER_METHOD_GREATER = 1;
TIMESTAMP_FILTER_METHOD_GREATER_OR_EQUALS = 2;
TIMESTAMP_FILTER_METHOD_LESS = 3;
TIMESTAMP_FILTER_METHOD_LESS_OR_EQUALS = 4;
}
message PaginationRequest {
// Starting point for retrieval, in combination of offset used to query a set list of objects.
uint64 offset = 1;
// limit is the maximum amount of objects returned. The default is set to 100
// with a maximum of 1000 in the runtime configuration.
// If the limit exceeds the maximum configured ZITADEL will throw an error.
// If no limit is present the default is taken.
uint32 limit = 2;
// Asc is the sorting order. If true the list is sorted ascending, if false
// the list is sorted descending. The default is descending.
bool asc = 3;
}
message PaginationResponse {
// Absolute number of objects matching the query, regardless of applied limit.
uint64 total_result = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"100\"";
}
];
// Applied limit from query, defines maximum amount of objects per request, to compare if all objects are returned.
uint64 applied_limit = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"100\"";
}
];
}

12
proto/zitadel/idp.proto
View File

@@ -338,6 +338,8 @@ message OAuthConfig {
description: "defines how the attribute is called where ZITADEL can get the id of the user";
}
];
// Defines if the Proof Key for Code Exchange (PKCE) is used for the authorization code flow.
bool use_pkce = 7;
}
message GenericOIDCConfig {
@@ -365,6 +367,12 @@ message GenericOIDCConfig {
description: "if true, provider information get mapped from the id token, not from the userinfo endpoint";
}
];
// Defines if the Proof Key for Code Exchange (PKCE) is used for the authorization code flow.
bool use_pkce = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
}
];
}
message GitHubConfig {
@@ -456,6 +464,7 @@ message LDAPConfig {
repeated string user_filters = 7;
google.protobuf.Duration timeout = 8;
LDAPAttributes attributes = 9;
bytes root_ca = 10;
}
message SAMLConfig {
@@ -470,6 +479,9 @@ message SAMLConfig {
// Optional name of the attribute, which will be used to map the user
// in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
optional string transient_mapping_attribute_name = 5;
// Boolean weather federated logout is enabled. If enabled, ZITADEL will send a logout request to the identity provider,
// if the user terminates the session in ZITADEL. Be sure to provide a SLO endpoint as part of the metadata.
optional bool federated_logout_enabled = 6;
}
message AzureADConfig {

399
proto/zitadel/idp/v2/idp.proto
View File

@@ -10,24 +10,23 @@ import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "google/protobuf/duration.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/idp/v2;idp";
message IDP {
// Unique identifier for the identity provider.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\"";
}
];
string id = 1
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"69629023906488334\"";
} ];
zitadel.object.v2.Details details = 2;
// Current state of the identity provider.
IDPState state = 3;
string name = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"Google\"";
}
];
string name = 4
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"Google\"";
} ];
// Type of the identity provider, for example OIDC, JWT, LDAP and SAML.
IDPType type = 5;
// Configuration for the type of the identity provider.
@@ -93,177 +92,189 @@ message IDPConfig {
message JWTConfig {
// The endpoint where the JWT can be extracted.
string jwt_endpoint = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com\"";
(validate.rules).string = {min_len : 1, max_len : 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) =
{
example:
"\"https://accounts.google.com\"";
}
];
// The issuer of the JWT (for validation).
string issuer = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com\"";
(validate.rules).string = {min_len : 1, max_len : 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) =
{
example:
"\"https://accounts.google.com\"";
}
];
// The endpoint to the key (JWK) which is used to sign the JWT with.
string keys_endpoint = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com/keys\"";
(validate.rules).string = {min_len : 1, max_len : 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) =
{
example:
"\"https://accounts.google.com/keys\"";
}
];
// The name of the header where the JWT is sent in, default is authorization.
string header_name = 4 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"x-auth-token\"";
(validate.rules).string = {min_len : 1, max_len : 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) =
{
example:
"\"x-auth-token\"";
}
];
}
message OAuthConfig {
// Client id generated by the identity provider.
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"client-id\"";
}
];
string client_id = 1
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"client-id\"";
} ];
// The endpoint where ZITADEL send the user to authenticate.
string authorization_endpoint = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com/o/oauth2/v2/auth\"";
}
];
string authorization_endpoint = 2
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"https://accounts.google.com/o/oauth2/v2/auth\"";
} ];
// The endpoint where ZITADEL can get the token.
string token_endpoint = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://oauth2.googleapis.com/token\"";
}
];
string token_endpoint = 3
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"https://oauth2.googleapis.com/token\"";
} ];
// The endpoint where ZITADEL can get the user information.
string user_endpoint = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://openidconnect.googleapis.com/v1/userinfo\"";
}
];
// The scopes requested by ZITADEL during the request on the identity provider.
repeated string scopes = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"openid\", \"profile\", \"email\"]";
}
];
// Defines how the attribute is called where ZITADEL can get the id of the user.
string id_attribute = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"user_id\"";
}
];
string user_endpoint = 4
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"https://openidconnect.googleapis.com/v1/userinfo\"";
} ];
// The scopes requested by ZITADEL during the request on the identity
// provider.
repeated string scopes = 5
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"[\"openid\", \"profile\", \"email\"]";
} ];
// Defines how the attribute is called where ZITADEL can get the id of the
// user.
string id_attribute = 6
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"user_id\"";
} ];
}
message GenericOIDCConfig {
// The OIDC issuer of the identity provider.
string issuer = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://accounts.google.com/\"";
}
];
string issuer = 1
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"https://accounts.google.com/\"";
} ];
// Client id generated by the identity provider.
string client_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"client-id\"";
}
];
// The scopes requested by ZITADEL during the request on the identity provider.
repeated string scopes = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"openid\", \"profile\", \"email\"]";
}
];
// If true, provider information get mapped from the id token, not from the userinfo endpoint.
bool is_id_token_mapping = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "true";
}
];
string client_id = 2
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"client-id\"";
} ];
// The scopes requested by ZITADEL during the request on the identity
// provider.
repeated string scopes = 3
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"[\"openid\", \"profile\", \"email\"]";
} ];
// If true, provider information get mapped from the id token, not from the
// userinfo endpoint.
bool is_id_token_mapping = 4
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"true";
} ];
}
message GitHubConfig {
// The client ID of the GitHub App.
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"client-id\"";
}
];
string client_id = 1
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"client-id\"";
} ];
// The scopes requested by ZITADEL during the request to GitHub.
repeated string scopes = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"openid\", \"profile\", \"email\"]";
}
];
repeated string scopes = 2
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"[\"openid\", \"profile\", \"email\"]";
} ];
}
message GitHubEnterpriseServerConfig {
// The client ID of the GitHub App.
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"client-id\"";
}
];
string client_id = 1
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"client-id\"";
} ];
string authorization_endpoint = 2;
string token_endpoint = 3;
string user_endpoint = 4;
// The scopes requested by ZITADEL during the request to GitHub.
repeated string scopes = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"openid\", \"profile\", \"email\"]";
}
];
repeated string scopes = 5
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"[\"openid\", \"profile\", \"email\"]";
} ];
}
message GoogleConfig {
// Client id of the Google application.
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"client-id\"";
}
];
string client_id = 1
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"client-id\"";
} ];
// The scopes requested by ZITADEL during the request to Google.
repeated string scopes = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"openid\", \"profile\", \"email\"]";
}
];
repeated string scopes = 2
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"[\"openid\", \"profile\", \"email\"]";
} ];
}
message GitLabConfig {
// Client id of the GitLab application.
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"client-id\"";
}
];
string client_id = 1
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"client-id\"";
} ];
// The scopes requested by ZITADEL during the request to GitLab.
repeated string scopes = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"openid\", \"profile\", \"email\"]";
}
];
repeated string scopes = 2
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"[\"openid\", \"profile\", \"email\"]";
} ];
}
message GitLabSelfHostedConfig {
string issuer = 1;
// Client id of the GitLab application.
string client_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"client-id\"";
}
];
string client_id = 2
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"client-id\"";
} ];
// The scopes requested by ZITADEL during the request to GitLab.
repeated string scopes = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"openid\", \"profile\", \"email\"]";
}
];
repeated string scopes = 3
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"[\"openid\", \"profile\", \"email\"]";
} ];
}
message LDAPConfig {
@@ -276,6 +287,7 @@ message LDAPConfig {
repeated string user_filters = 7;
google.protobuf.Duration timeout = 8;
LDAPAttributes attributes = 9;
bytes root_ca = 10;
}
message SAMLConfig {
@@ -288,66 +300,87 @@ message SAMLConfig {
// `nameid-format` for the SAML Request.
SAMLNameIDFormat name_id_format = 4;
// Optional name of the attribute, which will be used to map the user
// in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
// in case the nameid-format returned is
// `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
optional string transient_mapping_attribute_name = 5;
// Boolean weather federated logout is enabled. If enabled, ZITADEL will send a logout request to the identity provider,
// if the user terminates the session in ZITADEL. Be sure to provide a SLO endpoint as part of the metadata.
optional bool federated_logout_enabled = 6;
}
message AzureADConfig {
// Client id of the Azure AD application
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"client-id\"";
}
];
// Defines what user accounts should be able to login (Personal, Organizational, All).
string client_id = 1
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"client-id\"";
} ];
// Defines what user accounts should be able to login (Personal,
// Organizational, All).
AzureADTenant tenant = 2;
// Azure AD doesn't send if the email has been verified. Enable this if the user email should always be added verified in ZITADEL (no verification emails will be sent).
// Azure AD doesn't send if the email has been verified. Enable this if the
// user email should always be added verified in ZITADEL (no verification
// emails will be sent).
bool email_verified = 3;
// The scopes requested by ZITADEL during the request to Azure AD.
repeated string scopes = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"openid\", \"profile\", \"email\", \"User.Read\"]";
}
];
repeated string scopes = 4
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"[\"openid\", \"profile\", \"email\", \"User.Read\"]";
} ];
}
message Options {
// Enable if users should be able to link an existing ZITADEL user with an external account.
// Enable if users should be able to link an existing ZITADEL user with an
// external account.
bool is_linking_allowed = 1;
// Enable if users should be able to create a new account in ZITADEL when using an external account.
// Enable if users should be able to create a new account in ZITADEL when
// using an external account.
bool is_creation_allowed = 2;
// Enable if a new account in ZITADEL should be created automatically when login with an external account.
// Enable if a new account in ZITADEL should be created automatically when
// login with an external account.
bool is_auto_creation = 3;
// Enable if a the ZITADEL account fields should be updated automatically on each login.
// Enable if a the ZITADEL account fields should be updated automatically on
// each login.
bool is_auto_update = 4;
// Enable if users should get prompted to link an existing ZITADEL user to an external account if the selected attribute matches.
AutoLinkingOption auto_linking = 5 ;
// Enable if users should get prompted to link an existing ZITADEL user to an
// external account if the selected attribute matches.
AutoLinkingOption auto_linking = 5;
}
enum AutoLinkingOption {
// AUTO_LINKING_OPTION_UNSPECIFIED disables the auto linking prompt.
AUTO_LINKING_OPTION_UNSPECIFIED = 0;
// AUTO_LINKING_OPTION_USERNAME will use the username of the external user to check for a corresponding ZITADEL user.
// AUTO_LINKING_OPTION_USERNAME will use the username of the external user to
// check for a corresponding ZITADEL user.
AUTO_LINKING_OPTION_USERNAME = 1;
// AUTO_LINKING_OPTION_EMAIL will use the email of the external user to check for a corresponding ZITADEL user with the same verified email
// Note that in case multiple users match, no prompt will be shown.
// AUTO_LINKING_OPTION_EMAIL will use the email of the external user to check
// for a corresponding ZITADEL user with the same verified email Note that in
// case multiple users match, no prompt will be shown.
AUTO_LINKING_OPTION_EMAIL = 2;
}
message LDAPAttributes {
string id_attribute = 1 [(validate.rules).string = {max_len: 200}];
string first_name_attribute = 2 [(validate.rules).string = {max_len: 200}];
string last_name_attribute = 3 [(validate.rules).string = {max_len: 200}];
string display_name_attribute = 4 [(validate.rules).string = {max_len: 200}];
string nick_name_attribute = 5 [(validate.rules).string = {max_len: 200}];
string preferred_username_attribute = 6 [(validate.rules).string = {max_len: 200}];
string email_attribute = 7 [(validate.rules).string = {max_len: 200}];
string email_verified_attribute = 8 [(validate.rules).string = {max_len: 200}];
string phone_attribute = 9 [(validate.rules).string = {max_len: 200}];
string phone_verified_attribute = 10 [(validate.rules).string = {max_len: 200}];
string preferred_language_attribute = 11 [(validate.rules).string = {max_len: 200}];
string avatar_url_attribute = 12 [(validate.rules).string = {max_len: 200}];
string profile_attribute = 13 [(validate.rules).string = {max_len: 200}];
string id_attribute = 1 [ (validate.rules).string = {max_len : 200} ];
string first_name_attribute = 2 [ (validate.rules).string = {max_len : 200} ];
string last_name_attribute = 3 [ (validate.rules).string = {max_len : 200} ];
string display_name_attribute = 4
[ (validate.rules).string = {max_len : 200} ];
string nick_name_attribute = 5 [ (validate.rules).string = {max_len : 200} ];
string preferred_username_attribute = 6
[ (validate.rules).string = {max_len : 200} ];
string email_attribute = 7 [ (validate.rules).string = {max_len : 200} ];
string email_verified_attribute = 8
[ (validate.rules).string = {max_len : 200} ];
string phone_attribute = 9 [ (validate.rules).string = {max_len : 200} ];
string phone_verified_attribute = 10
[ (validate.rules).string = {max_len : 200} ];
string preferred_language_attribute = 11
[ (validate.rules).string = {max_len : 200} ];
string avatar_url_attribute = 12
[ (validate.rules).string = {max_len : 200} ];
string profile_attribute = 13 [ (validate.rules).string = {max_len : 200} ];
string root_ca= 14;
}
enum AzureADTenantType {
@@ -365,27 +398,27 @@ message AzureADTenant {
message AppleConfig {
// Client id (App ID or Service ID) provided by Apple.
string client_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"com.client.id\"";
}
];
string client_id = 1
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"com.client.id\"";
} ];
// Team ID provided by Apple.
string team_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"ALT03JV3OS\"";
}
];
string team_id = 2
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"ALT03JV3OS\"";
} ];
// ID of the private key generated by Apple.
string key_id = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"OGKDK25KD\"";
}
];
string key_id = 3
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"\"OGKDK25KD\"";
} ];
// The scopes requested by ZITADEL during the request to Apple.
repeated string scopes = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"name\", \"email\"]";
}
];
}
repeated string scopes = 4
[ (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example:
"[\"name\", \"email\"]";
} ];
}

2
proto/zitadel/idp/v2/idp_service.proto
View File

@@ -24,7 +24,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

192
proto/zitadel/instance/v2beta/instance.proto Normal file
View File

@@ -0,0 +1,192 @@
syntax = "proto3";
import "protoc-gen-openapiv2/options/annotations.proto";
import "zitadel/object/v2/object.proto";
import "validate/validate.proto";
import "google/protobuf/timestamp.proto";
package zitadel.instance.v2beta;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/instance/v2beta;instance";
message Instance {
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
// change_date is the timestamp when the object was changed
//
// on read: the timestamp of the last event reduced by the projection
//
// on manipulation: the timestamp of the event(s) added by the manipulation
google.protobuf.Timestamp change_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
google.protobuf.Timestamp creation_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
State state = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "current state of the instance";
}
];
string name = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"ZITADEL\"";
}
];
string version = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"1.0.0\"";
}
];
repeated Domain domains = 7;
}
enum State {
STATE_UNSPECIFIED = 0;
STATE_CREATING = 1;
STATE_RUNNING = 2;
STATE_STOPPING = 3;
STATE_STOPPED = 4;
}
message Domain {
string instance_id = 1;
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
string domain = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"zitadel.com\""
}
];
bool primary = 4;
bool generated = 5;
}
enum FieldName {
FIELD_NAME_UNSPECIFIED = 0;
FIELD_NAME_ID = 1;
FIELD_NAME_NAME = 2;
FIELD_NAME_CREATION_DATE = 3;
}
message Query {
oneof query {
option (validate.required) = true;
IdsQuery id_query = 1;
DomainsQuery domain_query = 2;
}
}
message IdsQuery {
repeated string ids = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Instance ID";
example: "[\"4820840938402429\",\"4820840938402422\"]"
}
];
}
message DomainsQuery {
repeated string domains = 1 [
(validate.rules).repeated = {max_items: 20, items: {string: {min_len: 1, max_len: 100}}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_items: 20;
example: "[\"my-instace.zitadel.cloud\", \"auth.custom.com\"]";
description: "Return the instances that have the requested domains";
}
];
}
message DomainSearchQuery {
oneof query {
option (validate.required) = true;
DomainQuery domain_query = 1;
DomainGeneratedQuery generated_query = 2;
DomainPrimaryQuery primary_query = 3;
}
}
message DomainQuery {
string domain = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"zitadel.com\"";
}
];
zitadel.object.v2.TextQueryMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Defines which text equality method is used";
}
];
}
message DomainGeneratedQuery {
bool generated = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Generated domains";
}
];
}
message DomainPrimaryQuery {
bool primary = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Primary domains";
}
];
}
enum DomainFieldName {
DOMAIN_FIELD_NAME_UNSPECIFIED = 0;
DOMAIN_FIELD_NAME_DOMAIN = 1;
DOMAIN_FIELD_NAME_PRIMARY = 2;
DOMAIN_FIELD_NAME_GENERATED = 3;
DOMAIN_FIELD_NAME_CREATION_DATE = 4;
}
message TrustedDomain {
string instance_id = 1;
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
string domain = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"zitadel.com\""
}
];
}
message TrustedDomainSearchQuery {
oneof query {
option (validate.required) = true;
DomainQuery domain_query = 1;
}
}
enum TrustedDomainFieldName {
TRUSTED_DOMAIN_FIELD_NAME_UNSPECIFIED = 0;
TRUSTED_DOMAIN_FIELD_NAME_DOMAIN = 1;
TRUSTED_DOMAIN_FIELD_NAME_CREATION_DATE = 2;
}

648
proto/zitadel/instance/v2beta/instance_service.proto Normal file
View File

@@ -0,0 +1,648 @@
syntax = "proto3";
package zitadel.instance.v2beta;
import "validate/validate.proto";
import "zitadel/object/v2/object.proto";
import "zitadel/instance/v2beta/instance.proto";
import "zitadel/filter/v2beta/filter.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "google/protobuf/empty.proto";
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/instance/v2beta;instance";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Instance Service";
version: "2.0-beta";
description: "This API is intended to manage instances in ZITADEL.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "AGPL-3.0-only",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
// Service to manage instances and their domains.
// The service provides methods to create, update, delete and list instances and their domains.
service InstanceService {
// Delete Instance
//
// Deletes an instance with the given ID.
//
// Required permissions:
// - `system.instance.delete`
rpc DeleteInstance(DeleteInstanceRequest) returns (DeleteInstanceResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The deleted instance.";
}
};
};
option (google.api.http) = {
delete: "/v2beta/instances/{instance_id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "system.instance.delete"
}
};
}
// Get Instance
//
// Returns the instance in the current context.
//
// The instace_id in the input message will be used in the future.
//
// Required permissions:
// - `iam.read`
rpc GetInstance(GetInstanceRequest) returns (GetInstanceResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The instance of the context.";
}
};
};
option (google.api.http) = {
get: "/v2beta/instances/{instance_id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.read"
}
};
}
// Update Instance
//
// Updates instance in context with the given name.
//
// The instance_id in the input message will be used in the future.
//
// Required permissions:
// - `iam.write`
rpc UpdateInstance(UpdateInstanceRequest) returns (UpdateInstanceResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The instance was successfully updated.";
}
};
};
option (google.api.http) = {
put: "/v2beta/instances/{instance_id}"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.write"
}
};
}
// List Instances
//
// Lists instances matching the given query.
// The query can be used to filter either by instance ID or domain.
// The request is paginated and returns 100 results by default.
//
// Required permissions:
// - `system.instance.read`
rpc ListInstances(ListInstancesRequest) returns (ListInstancesResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The list of instances.";
}
};
};
option (google.api.http) = {
post: "/v2beta/instances/search"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "system.instance.read"
}
};
}
// Add Custom Domain
//
// Adds a custom domain to the instance in context.
//
// The instance_id in the input message will be used in the future
//
// Required permissions:
// - `system.domain.write`
rpc AddCustomDomain(AddCustomDomainRequest) returns (AddCustomDomainResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The added custom domain.";
}
};
};
option (google.api.http) = {
post: "/v2beta/instances/{instance_id}/custom-domains"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "system.domain.write"
}
};
}
// Remove Custom Domain
//
// Removes a custom domain from the instance.
//
// The instance_id in the input message will be used in the future.
//
// Required permissions:
// - `system.domain.write`
rpc RemoveCustomDomain(RemoveCustomDomainRequest) returns (RemoveCustomDomainResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The removed custom domain.";
}
};
};
option (google.api.http) = {
delete: "/v2beta/instances/{instance_id}/custom-domains/{domain}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "system.domain.write"
}
};
}
// List Custom Domains
//
// Lists custom domains of the instance.
//
// The instance_id in the input message will be used in the future.
//
// Required permissions:
// - `iam.read`
rpc ListCustomDomains(ListCustomDomainsRequest) returns (ListCustomDomainsResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The list of custom domains.";
}
};
};
option (google.api.http) = {
post: "/v2beta/instances/{instance_id}/custom-domains/search"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.read"
}
};
}
// Add Trusted Domain
//
// Adds a trusted domain to the instance.
//
// The instance_id in the input message will be used in the future.
//
// Required permissions:
// - `iam.write`
rpc AddTrustedDomain(AddTrustedDomainRequest) returns (AddTrustedDomainResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The added trusted domain.";
}
};
};
option (google.api.http) = {
post: "/v2beta/instances/{instance_id}/trusted-domains"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.write"
}
};
}
// Remove Trusted Domain
//
// Removes a trusted domain from the instance.
//
// The instance_id in the input message will be used in the future.
//
// Required permissions:
// - `iam.write`
rpc RemoveTrustedDomain(RemoveTrustedDomainRequest) returns (RemoveTrustedDomainResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The removed trusted domain.";
}
};
};
option (google.api.http) = {
delete: "/v2beta/instances/{instance_id}/trusted-domains/{domain}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.write"
}
};
}
// List Trusted Domains
//
// Lists trusted domains of the instance.
//
// The instance_id in the input message will be used in the future.
//
// Required permissions:
// - `iam.read`
rpc ListTrustedDomains(ListTrustedDomainsRequest) returns (ListTrustedDomainsResponse) {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "The list of trusted domains.";
}
};
};
option (google.api.http) = {
post: "/v2beta/instances/{instance_id}/trusted-domains/search"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.read"
}
};
}
}
message DeleteInstanceRequest {
string instance_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"222430354126975533\"";
}
];
}
message DeleteInstanceResponse {
google.protobuf.Timestamp deletion_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message GetInstanceRequest {
string instance_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"222430354126975533\"";
}
];
}
message GetInstanceResponse {
zitadel.instance.v2beta.Instance instance = 1;
}
message UpdateInstanceRequest {
// used only to identify the instance to change.
string instance_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"222430354126975533\"";
}
];
string instance_name = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
description: "\"name of the instance to update\"";
example: "\"my instance\"";
}
];
}
message UpdateInstanceResponse {
google.protobuf.Timestamp change_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ListInstancesRequest {
// Criterias the client is looking for.
repeated Query queries = 1;
// Pagination and sorting.
zitadel.filter.v2beta.PaginationRequest pagination = 2;
// The field the result is sorted by.
optional FieldName sorting_column = 3;
}
message ListInstancesResponse {
// The list of instances.
repeated Instance instances = 1;
// Contains the total number of instances matching the query and the applied limit.
zitadel.filter.v2beta.PaginationResponse pagination = 2;
}
message AddCustomDomainRequest {
string instance_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"222430354126975533\"";
}
];
string domain = 2 [
(validate.rules).string = {min_len: 1, max_len: 253},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 253;
}
];
}
message AddCustomDomainResponse {
google.protobuf.Timestamp creation_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message RemoveCustomDomainRequest {
string instance_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"222430354126975533\"";
}
];
string domain = 2 [
(validate.rules).string = {min_len: 1, max_len: 253},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 253;
}
];
}
message RemoveCustomDomainResponse {
google.protobuf.Timestamp deletion_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ListCustomDomainsRequest {
string instance_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"222430354126975533\"";
}
];
// Pagination and sorting.
zitadel.filter.v2beta.PaginationRequest pagination = 2;
// The field the result is sorted by.
DomainFieldName sorting_column = 3;
// Criterias the client is looking for.
repeated DomainSearchQuery queries = 4;
}
message ListCustomDomainsResponse {
repeated Domain domains = 1;
// Contains the total number of domains matching the query and the applied limit.
zitadel.filter.v2beta.PaginationResponse pagination = 2;
}
message AddTrustedDomainRequest {
string instance_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"222430354126975533\"";
}
];
string domain = 2 [
(validate.rules).string = {min_len: 1, max_len: 253},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"login.example.com\"";
min_length: 1;
max_length: 253;
}
];
}
message AddTrustedDomainResponse {
google.protobuf.Timestamp creation_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message RemoveTrustedDomainRequest {
string instance_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"222430354126975533\"";
}
];
string domain = 2 [
(validate.rules).string = {min_len: 1, max_len: 253},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"login.example.com\"";
min_length: 1;
max_length: 253;
}
];
}
message RemoveTrustedDomainResponse {
google.protobuf.Timestamp deletion_date = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ListTrustedDomainsRequest {
string instance_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
example: "\"222430354126975533\"";
}
];
// Pagination and sorting.
zitadel.filter.v2beta.PaginationRequest pagination = 2;
// The field the result is sorted by.
TrustedDomainFieldName sorting_column = 3;
// Criterias the client is looking for.
repeated TrustedDomainSearchQuery queries = 4;
}
message ListTrustedDomainsResponse {
repeated TrustedDomain trusted_domain = 1;
// Contains the total number of domains matching the query and the applied limit.
zitadel.filter.v2beta.PaginationResponse pagination = 2;
}

222
proto/zitadel/management.proto
View File

@@ -2678,6 +2678,11 @@ service ManagementService {
};
}
// Get Project By ID
//
// Deprecated: [Get Project](apis/resources/project_service_v2/project-service-get-project.api.mdx) to get project by ID.
//
// Returns a project owned by the organization (no granted projects). A Project is a vessel for different applications sharing the same role context.
rpc GetProjectByID(GetProjectByIDRequest) returns (GetProjectByIDResponse) {
option (google.api.http) = {
get: "/projects/{id}"
@@ -2690,8 +2695,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Get Project By ID";
description: "Returns a project owned by the organization (no granted projects). A Project is a vessel for different applications sharing the same role context."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2703,6 +2707,11 @@ service ManagementService {
};
}
// Get Granted Project By ID
//
// Deprecated: [List Projects](apis/resources/project_service_v2/project-service-list-projects.api.mdx) to get granted projects.
//
// Returns a project owned by another organization and granted to my organization. A Project is a vessel for different applications sharing the same role context.
rpc GetGrantedProjectByID(GetGrantedProjectByIDRequest) returns (GetGrantedProjectByIDResponse) {
option (google.api.http) = {
get: "/granted_projects/{project_id}/grants/{grant_id}"
@@ -2715,8 +2724,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Get Granted Project By ID";
description: "Returns a project owned by another organization and granted to my organization. A Project is a vessel for different applications sharing the same role context."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2728,6 +2736,11 @@ service ManagementService {
};
}
// List Projects
//
// Deprecated: [List Projects](apis/resources/project_service_v2/project-service-list-projects.api.mdx) to list all projects and granted projects.
//
// Lists projects my organization is the owner of (no granted projects). A Project is a vessel for different applications sharing the same role context.
rpc ListProjects(ListProjectsRequest) returns (ListProjectsResponse) {
option (google.api.http) = {
post: "/projects/_search"
@@ -2740,8 +2753,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Search Project";
description: "Lists projects my organization is the owner of (no granted projects). A Project is a vessel for different applications sharing the same role context."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2753,6 +2765,11 @@ service ManagementService {
};
}
// List Granted Projects
//
// Deprecated: [List Projects](apis/resources/project_service_v2/project-service-list-projects.api.mdx) to list all projects and granted projects.
//
// Lists projects my organization got granted from another organization. A Project is a vessel for different applications sharing the same role context.
rpc ListGrantedProjects(ListGrantedProjectsRequest) returns (ListGrantedProjectsResponse) {
option (google.api.http) = {
post: "/granted_projects/_search"
@@ -2765,8 +2782,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Search Granted Project";
description: "Lists projects my organization got granted from another organization. A Project is a vessel for different applications sharing the same role context."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2828,6 +2844,11 @@ service ManagementService {
};
}
// Create Project
//
// Deprecated: [Create Project](apis/resources/project_service_v2/project-service-create-project.api.mdx) to create a project.
//
// Create a new project. A Project is a vessel for different applications sharing the same role context.
rpc AddProject(AddProjectRequest) returns (AddProjectResponse) {
option (google.api.http) = {
post: "/projects"
@@ -2840,8 +2861,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Create Project";
description: "Create a new project. A Project is a vessel for different applications sharing the same role context."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2853,6 +2873,11 @@ service ManagementService {
};
}
// Update Project
//
// Deprecated: [Update Project](apis/resources/project_service_v2/project-service-update-project.api.mdx) to update a project.
//
// Update a project and its settings. A Project is a vessel for different applications sharing the same role context.
rpc UpdateProject(UpdateProjectRequest) returns (UpdateProjectResponse) {
option (google.api.http) = {
put: "/projects/{id}"
@@ -2866,8 +2891,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Update Project";
description: "Update a project and its settings. A Project is a vessel for different applications sharing the same role context."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2879,6 +2903,11 @@ service ManagementService {
};
}
// Deactivate Project
//
// Deprecated: [Deactivate Project](apis/resources/project_service_v2/project-service-deactivate-project.api.mdx) to deactivate a project.
//
// Set the state of a project to deactivated. Request returns an error if the project is already deactivated.
rpc DeactivateProject(DeactivateProjectRequest) returns (DeactivateProjectResponse) {
option (google.api.http) = {
post: "/projects/{id}/_deactivate"
@@ -2892,8 +2921,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Deactivate Project";
description: "Set the state of a project to deactivated. Request returns an error if the project is already deactivated."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2905,6 +2933,11 @@ service ManagementService {
};
}
// Activate Project
//
// Deprecated: [Activate Project](apis/resources/project_service_v2/project-service-activate-project.api.mdx) to activate a project.
//
// Set the state of a project to active. Request returns an error if the project is not deactivated.
rpc ReactivateProject(ReactivateProjectRequest) returns (ReactivateProjectResponse) {
option (google.api.http) = {
post: "/projects/{id}/_reactivate"
@@ -2918,8 +2951,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Reactivate Project";
description: "Set the state of a project to active. Request returns an error if the project is not deactivated."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2931,6 +2963,11 @@ service ManagementService {
};
}
// Remove Project
//
// Deprecated: [Delete Project](apis/resources/project_service_v2/project-service-delete-project.api.mdx) to remove a project.
//
// Project and all its sub-resources like project grants, applications, roles and user grants will be removed.
rpc RemoveProject(RemoveProjectRequest) returns (RemoveProjectResponse) {
option (google.api.http) = {
delete: "/projects/{id}"
@@ -2943,8 +2980,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Remove Project";
description: "Project and all its sub-resources like project grants, applications, roles and user grants will be removed."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2956,6 +2992,11 @@ service ManagementService {
};
}
// Search Project Roles
//
// Deprecated: [List Project Roles](apis/resources/project_service_v2/project-service-list-project-roles.api.mdx) to get project roles.
//
// Returns all roles of a project matching the search query.
rpc ListProjectRoles(ListProjectRolesRequest) returns (ListProjectRolesResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/roles/_search"
@@ -2969,8 +3010,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Roles";
summary: "Search Project Roles";
description: "Returns all roles of a project matching the search query."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -2982,6 +3022,11 @@ service ManagementService {
};
}
// Add Project Role
//
// Deprecated: [Add Project Role](apis/resources/project_service_v2/project-service-add-project-role.api.mdx) to add a project role.
//
// Add a new project role to a project. The key must be unique within the project.\n\nDeprecated: please use user service v2 AddProjectRole.
rpc AddProjectRole(AddProjectRoleRequest) returns (AddProjectRoleResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/roles"
@@ -2995,8 +3040,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Roles";
summary: "Add Project Role";
description: "Add a new project role to a project. The key must be unique within the project."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3008,6 +3052,11 @@ service ManagementService {
};
}
// Bulk add Project Role
//
// Deprecated: [Add Project Role](apis/resources/project_service_v2/project-service-add-project-role.api.mdx) to add a project role.
//
// Add a list of roles to a project. The keys must be unique within the project.
rpc BulkAddProjectRoles(BulkAddProjectRolesRequest) returns (BulkAddProjectRolesResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/roles/_bulk"
@@ -3021,8 +3070,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Roles";
summary: "Bulk Add Project Role";
description: "Add a list of roles to a project. The keys must be unique within the project."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3034,6 +3082,11 @@ service ManagementService {
};
}
// Update Project Role
//
// Deprecated: [Update Project Role](apis/resources/project_service_v2/project-service-update-project-role.api.mdx) to update a project role.
//
// Change a project role. The key is not editable. If a key should change, remove the role and create a new one.
rpc UpdateProjectRole(UpdateProjectRoleRequest) returns (UpdateProjectRoleResponse) {
option (google.api.http) = {
put: "/projects/{project_id}/roles/{role_key}"
@@ -3047,8 +3100,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Roles";
summary: "Change Project Role";
description: "Change a project role. The key is not editable. If a key should change, remove the role and create a new one."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3060,6 +3112,11 @@ service ManagementService {
};
}
// Remove Project Role
//
// Deprecated: [Delete Project Role](apis/resources/project_service_v2/project-service-update-project-role.api.mdx) to remove a project role.
//
// Removes the role from the project and on every resource it has a dependency. This includes project grants and user grants.
rpc RemoveProjectRole(RemoveProjectRoleRequest) returns (RemoveProjectRoleResponse) {
option (google.api.http) = {
delete: "/projects/{project_id}/roles/{role_key}"
@@ -3072,8 +3129,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Roles";
summary: "Remove Project Role";
description: "Removes the role from the project and on every resource it has a dependency. This includes project grants and user grants."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3737,6 +3793,11 @@ service ManagementService {
};
}
// Get Project Grant By ID
//
// Deprecated: [List Project Grants](apis/resources/project_service_v2/project-service-list-project-grants.api.mdx) to get a project grant.
//
// Returns a project grant. A project grant is when the organization grants its project to another organization.
rpc GetProjectGrantByID(GetProjectGrantByIDRequest) returns (GetProjectGrantByIDResponse) {
option (google.api.http) = {
get: "/projects/{project_id}/grants/{grant_id}"
@@ -3748,8 +3809,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Projects";
summary: "Project Grant By ID";
description: "Returns a project grant. A project grant is when the organization grants its project to another organization."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3761,6 +3821,11 @@ service ManagementService {
};
}
// List Project Grants
//
// Deprecated: [List Project Grants](apis/resources/project_service_v2/project-service-list-project-grants.api.mdx) to list project grants.
//
// Returns a list of project grants for a specific project. A project grant is when the organization grants its project to another organization.
rpc ListProjectGrants(ListProjectGrantsRequest) returns (ListProjectGrantsResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/grants/_search"
@@ -3774,8 +3839,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Grants";
summary: "Search Project Grants from Project";
description: "Returns a list of project grants for a specific project. A project grant is when the organization grants its project to another organization."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3787,6 +3851,11 @@ service ManagementService {
};
}
// Search Project Grants
//
// Deprecated: [List Project Grants](apis/resources/project_service_v2/project-service-list-project-grants.api.mdx) to list project grants.
//
// Returns a list of project grants. A project grant is when the organization grants its project to another organization.
rpc ListAllProjectGrants(ListAllProjectGrantsRequest) returns (ListAllProjectGrantsResponse) {
option (google.api.http) = {
post: "/projectgrants/_search"
@@ -3799,8 +3868,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Grants";
summary: "Search Project Grants";
description: "Returns a list of project grants. A project grant is when the organization grants its project to another organization."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3812,6 +3880,11 @@ service ManagementService {
};
}
// Add Project Grant
//
// Deprecated: [Create Project Grant](apis/resources/project_service_v2/project-service-create-project-grant.api.mdx) to add a project grant.
//
// Grant a project to another organization. The project grant will allow the granted organization to access the project and manage the authorizations for its users. Project Grant will be listed in the granted project of the granted organization.
rpc AddProjectGrant(AddProjectGrantRequest) returns (AddProjectGrantResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/grants"
@@ -3824,8 +3897,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Grants";
summary: "Add Project Grant";
description: "Grant a project to another organization. The project grant will allow the granted organization to access the project and manage the authorizations for its users. Project Grant will be listed in the granted project of the granted organization"
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3837,6 +3909,11 @@ service ManagementService {
};
}
// Update Project Grant
//
// Deprecated: [Update Project Grant](apis/resources/project_service_v2/project-service-update-project-grant.api.mdx) to update a project grant.
//
// Change the roles of the project that is granted to another organization. The project grant will allow the granted organization to access the project and manage the authorizations for its users. Project Grant will be listed in the granted project of the granted organization.
rpc UpdateProjectGrant(UpdateProjectGrantRequest) returns (UpdateProjectGrantResponse) {
option (google.api.http) = {
put: "/projects/{project_id}/grants/{grant_id}"
@@ -3849,8 +3926,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Grants";
summary: "Change Project Grant";
description: "Change the roles of the project that is granted to another organization. The project grant will allow the granted organization to access the project and manage the authorizations for its users. Project Grant will be listed in the granted project of the granted organization"
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3862,6 +3938,11 @@ service ManagementService {
};
}
// Deactivate Project Grant
//
// Deprecated: [Deactivate Project Grant](apis/resources/project_service_v2/project-service-deactivate-project-grant.api.mdx) to deactivate a project grant.
//
// Set the state of the project grant to deactivated. The grant has to be active to be able to deactivate.
rpc DeactivateProjectGrant(DeactivateProjectGrantRequest) returns (DeactivateProjectGrantResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/grants/{grant_id}/_deactivate"
@@ -3874,8 +3955,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Grants";
summary: "Deactivate Project Grant";
description: "Set the state of the project grant to deactivated. The grant has to be active to be able to deactivate."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3887,6 +3967,11 @@ service ManagementService {
};
}
// Reactivate Project Grant
//
// Deprecated: [Activate Project Grant](apis/resources/project_service_v2/project-service-activate-project-grant.api.mdx) to activate a project grant.
//
// Set the state of the project grant to active. The grant has to be deactivated to be able to reactivate.
rpc ReactivateProjectGrant(ReactivateProjectGrantRequest) returns (ReactivateProjectGrantResponse) {
option (google.api.http) = {
post: "/projects/{project_id}/grants/{grant_id}/_reactivate"
@@ -3899,8 +3984,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Grants";
summary: "Reactivate Project Grant";
description: "Set the state of the project grant to active. The grant has to be deactivated to be able to reactivate."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -3912,6 +3996,11 @@ service ManagementService {
};
}
// Remove Project Grant
//
// Deprecated: [Delete Project Grant](apis/resources/project_service_v2/project-service-delete-project-grant.api.mdx) to remove a project grant.
//
// Remove a project grant. All user grants for this project grant will also be removed. A user will not have access to the project afterward (if permissions are checked).
rpc RemoveProjectGrant(RemoveProjectGrantRequest) returns (RemoveProjectGrantResponse) {
option (google.api.http) = {
delete: "/projects/{project_id}/grants/{grant_id}"
@@ -3923,8 +4012,7 @@ service ManagementService {
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
tags: "Project Grants";
summary: "Remove Project Grant";
description: "Remove a project grant. All user grants for this project grant will also be removed. A user will not have access to the project afterward (if permissions are checked)."
deprecated: true;
parameters: {
headers: {
name: "x-zitadel-orgid";
@@ -9209,7 +9297,7 @@ message AddOrgMemberRequest {
repeated string roles = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"ORG_OWNER\"]";
description: "If no roles are provided the user won't have any rights"
description: "If no roles are provided the user won't have any rights, so the member definition will be regarded as invalid."
}
];
}
@@ -9222,7 +9310,7 @@ message UpdateOrgMemberRequest {
repeated string roles = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"IAM_OWNER\"]";
description: "If no roles are provided the user won't have any rights"
description: "If no roles are provided the user won't have any rights, so the member definition will be regarded as invalid."
}
];
}
@@ -9643,7 +9731,7 @@ message AddProjectMemberRequest {
repeated string roles = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"PROJECT_OWNER\"]";
description: "If no roles are provided the user won't have any rights"
description: "If no roles are provided the user won't have any rights, so the member definition will be regarded as invalid."
}
];
}
@@ -9658,7 +9746,7 @@ message UpdateProjectMemberRequest {
repeated string roles = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"PROJECT_OWNER\"]";
description: "If no roles are provided the user won't have any rights"
description: "If no roles are provided the user won't have any rights, so the member definition will be regarded as invalid."
}
];
}
@@ -9850,6 +9938,11 @@ message AddSAMLAppRequest {
bytes metadata_xml = 3 [(validate.rules).bytes.max_len = 500000];
string metadata_url = 4 [(validate.rules).string.max_len = 200];
}
zitadel.app.v1.LoginVersion login_version = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
message AddSAMLAppResponse {
@@ -10014,6 +10107,11 @@ message UpdateSAMLAppConfigRequest {
bytes metadata_xml = 3 [(validate.rules).bytes.max_len = 500000];
string metadata_url = 4 [(validate.rules).string.max_len = 200];
}
zitadel.app.v1.LoginVersion login_version = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
}
];
}
message UpdateSAMLAppConfigResponse {
@@ -10303,7 +10401,7 @@ message AddProjectGrantMemberRequest {
repeated string roles = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"PROJECT_GRANT_OWNER\"]";
description: "If no roles are provided the user won't have any rights"
description: "If no roles are provided the user won't have any rights, so the member definition will be regarded as invalid."
}
];
}
@@ -10327,7 +10425,7 @@ message UpdateProjectGrantMemberRequest {
repeated string roles = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"PROJECT_GRANT_OWNER\"]";
description: "If no roles are provided the user won't have any rights"
description: "If no roles are provided the user won't have any rights, so the member definition will be regarded as invalid."
}
];
}
@@ -12535,6 +12633,8 @@ message AddGenericOAuthProviderRequest {
}
];
zitadel.idp.v1.Options provider_options = 9;
// Enable the use of Proof Key for Code Exchange (PKCE) for the OAuth2 flow.
bool use_pkce = 10;
}
message AddGenericOAuthProviderResponse {
@@ -12602,6 +12702,8 @@ message UpdateGenericOAuthProviderRequest {
}
];
zitadel.idp.v1.Options provider_options = 10;
// Enable the use of Proof Key for Code Exchange (PKCE) for the OAuth2 flow.
bool use_pkce = 11;
}
message UpdateGenericOAuthProviderResponse {
@@ -12645,6 +12747,8 @@ message AddGenericOIDCProviderRequest {
];
zitadel.idp.v1.Options provider_options = 6;
bool is_id_token_mapping = 7;
// Enable the use of Proof Key for Code Exchange (PKCE) for the OIDC flow.
bool use_pkce = 8;
}
message AddGenericOIDCProviderResponse {
@@ -12696,6 +12800,8 @@ message UpdateGenericOIDCProviderRequest {
];
zitadel.idp.v1.Options provider_options = 7;
bool is_id_token_mapping = 8;
// Enable the use of Proof Key for Code Exchange (PKCE) for the OIDC flow.
bool use_pkce = 9;
}
message UpdateGenericOIDCProviderResponse {
@@ -13245,6 +13351,8 @@ message AddLDAPProviderRequest {
google.protobuf.Duration timeout = 10;
zitadel.idp.v1.LDAPAttributes attributes = 11;
zitadel.idp.v1.Options provider_options = 12;
// Root_ca is for self signing certificates for TLS connections to LDAP servers it is intended to be filled with a .pem file.
bytes root_ca = 13 [(validate.rules).bytes.max_len = 12000];
}
message AddLDAPProviderResponse {
@@ -13266,6 +13374,8 @@ message UpdateLDAPProviderRequest {
google.protobuf.Duration timeout = 11;
zitadel.idp.v1.LDAPAttributes attributes = 12;
zitadel.idp.v1.Options provider_options = 13;
// Root_ca is for self signing certificates for TLS connections to LDAP servers it is intended to be filled with a .pem file.
bytes root_ca = 14 [(validate.rules).bytes.max_len = 12000];
}
message UpdateLDAPProviderResponse {
@@ -13298,6 +13408,9 @@ message AddSAMLProviderRequest {
// Optionally specify the name of the attribute, which will be used to map the user
// in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
optional string transient_mapping_attribute_name = 8;
// Optionally enable federated logout. If enabled, ZITADEL will send a logout request to the identity provider,
// if the user terminates the session in ZITADEL. Be sure to provide a SLO endpoint as part of the metadata.
optional bool federated_logout_enabled = 9;
}
message AddSAMLProviderResponse {
@@ -13332,6 +13445,9 @@ message UpdateSAMLProviderRequest {
// Optionally specify the name of the attribute, which will be used to map the user
// in case the nameid-format returned is `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
optional string transient_mapping_attribute_name = 9;
// Optionally enable federated logout. If enabled, ZITADEL will send a logout request to the identity provider,
// if the user terminates the session in ZITADEL. Be sure to provide a SLO endpoint as part of the metadata.
optional bool federated_logout_enabled = 10;
}
message UpdateSAMLProviderResponse {
@@ -13653,7 +13769,7 @@ message SetTriggerActionsRequest {
* - Internal Authentication: 3
* - Complement Token: 2
* - Complement SAML Response: 4
*/
*/
string flow_type = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"1\"";
@@ -13664,11 +13780,11 @@ message SetTriggerActionsRequest {
* - External Authentication:
* - Post Authentication: TRIGGER_TYPE_POST_AUTHENTICATION or 1
* - Pre Creation: TRIGGER_TYPE_PRE_CREATION or 2
* - Post Creation: TRIGGER_TYPE_POST_CREATION or 3
* - Post Creation: TRIGGER_TYPE_POST_CREATION or 3
* - Internal Authentication:
* - Post Authentication: TRIGGER_TYPE_POST_AUTHENTICATION or 1
* - Pre Creation: TRIGGER_TYPE_PRE_CREATION or 2
* - Post Creation: TRIGGER_TYPE_POST_CREATION or 3
* - Post Creation: TRIGGER_TYPE_POST_CREATION or 3
* - Complement Token:
* - Pre Userinfo Creation: 4
* - Pre Access Token Creation: 5

8
proto/zitadel/member.proto
View File

@@ -143,3 +143,11 @@ message UserIDQuery {
}
];
}
enum MemberFieldColumnName {
MEMBER_FIELD_NAME_UNSPECIFIED = 0;
MEMBER_FIELD_NAME_USER_ID=1;
MEMBER_FIELD_NAME_CREATION_DATE = 2;
MEMBER_FIELD_NAME_CHANGE_DATE=3;
MEMBER_FIELD_NAME_USER_RESOURCE_OWNER=4;
}

2
proto/zitadel/object/v2/object.proto
View File

@@ -74,6 +74,8 @@ message Details {
example: "\"69629023906488334\"";
}
];
//creation_date is the timestamp where the first operation on the object was made
google.protobuf.Timestamp creation_date = 4;
}
message ListDetails {

2
proto/zitadel/object/v2beta/object.proto
View File

@@ -78,6 +78,8 @@ message Details {
example: "\"69629023906488334\"";
}
];
//creation_date is the timestamp where the first operation on the object was made
google.protobuf.Timestamp creation_date = 4;
}
message ListDetails {

13
proto/zitadel/oidc/v2/authorization.proto
View File

@@ -114,4 +114,17 @@ enum ErrorReason {
ERROR_REASON_REQUEST_NOT_SUPPORTED = 14;
ERROR_REASON_REQUEST_URI_NOT_SUPPORTED = 15;
ERROR_REASON_REGISTRATION_NOT_SUPPORTED = 16;
}
message DeviceAuthorizationRequest {
// The unique identifier of the device authorization request to be used for authorizing or denying the request.
string id = 1;
// The client_id of the application that initiated the device authorization request.
string client_id = 2;
// The scopes requested by the application.
repeated string scope = 3;
// Name of the client application.
string app_name = 4;
// Name of the project the client application is part of.
string project_name = 5;
}

93
proto/zitadel/oidc/v2/oidc_service.proto
View File

@@ -24,7 +24,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
@@ -147,6 +147,58 @@ service OIDCService {
};
};
}
// Get device authorization request
//
// Get the device authorization based on the provided "user code".
// This will return the device authorization request, which contains the device authorization id
// that is required to authorize the request once the user signed in or to deny it.
rpc GetDeviceAuthorizationRequest(GetDeviceAuthorizationRequestRequest) returns (GetDeviceAuthorizationRequestResponse) {
option (google.api.http) = {
get: "/v2/oidc/device_authorization/{user_code}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
// Authorize or deny device authorization
//
// Authorize or deny the device authorization request based on the provided device authorization id.
rpc AuthorizeOrDenyDeviceAuthorization(AuthorizeOrDenyDeviceAuthorizationRequest) returns (AuthorizeOrDenyDeviceAuthorizationResponse) {
option (google.api.http) = {
post: "/v2/oidc/device_authorization/{device_authorization_id}"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
}
message GetAuthRequestRequest {
@@ -217,3 +269,42 @@ message CreateCallbackResponse {
];
}
message GetDeviceAuthorizationRequestRequest {
// The user_code returned by the device authorization request and provided to the user by the device.
string user_code = 1 [
(validate.rules).string = {len: 9},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 9;
max_length: 9;
example: "\"K9LV-3DMQ\"";
}
];
}
message GetDeviceAuthorizationRequestResponse {
DeviceAuthorizationRequest device_authorization_request = 1;
}
message AuthorizeOrDenyDeviceAuthorizationRequest {
// The device authorization id returned when submitting the user code.
string device_authorization_id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1;
max_length: 200;
}
];
// The decision of the user to authorize or deny the device authorization request.
oneof decision {
option (validate.required) = true;
// To authorize the device authorization request, the user's session must be provided.
Session session = 2;
// Deny the device authorization request.
Deny deny = 3;
}
}
message Deny{}
message AuthorizeOrDenyDeviceAuthorizationResponse {}

2
proto/zitadel/oidc/v2beta/oidc_service.proto
View File

@@ -24,7 +24,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

10
proto/zitadel/org/v2/org_service.proto
View File

@@ -34,7 +34,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
@@ -197,6 +197,14 @@ message AddOrganizationRequest{
}
];
repeated Admin admins = 2;
// optionally set your own id unique for the organization.
optional string org_id = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"d654e6ba-70a3-48ef-a95d-37c8d8a7901a\"";
}
];
}
message AddOrganizationResponse{

10
proto/zitadel/org/v2beta/org_service.proto
View File

@@ -33,7 +33,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
@@ -160,6 +160,14 @@ message AddOrganizationRequest{
}
];
repeated Admin admins = 2;
// optionally set your own id unique for the organization.
optional string org_id = 3 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"d654e6ba-70a3-48ef-a95d-37c8d8a7901a\"";
}
];
}
message AddOrganizationResponse{

1237
proto/zitadel/project/v2beta/project_service.proto Normal file
View File

File diff suppressed because it is too large Load Diff

347
proto/zitadel/project/v2beta/query.proto Normal file
View File

@@ -0,0 +1,347 @@
syntax = "proto3";
package zitadel.project.v2beta;
option go_package = "github.com/zitadel/zitadel/pkg/grpc/project/v2beta;project";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/filter/v2beta/filter.proto";
message ProjectGrant {
// The unique identifier of the organization which granted the project to the granted_organization_id.
string organization_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The timestamp of the granted project creation.
google.protobuf.Timestamp creation_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the last change to the granted project (e.g. creation, activation, deactivation).
google.protobuf.Timestamp change_date = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
// The ID of the organization the project is granted to.
string granted_organization_id = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
// The name of the organization the project is granted to.
string granted_organization_name = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"Some Organization\""
}
];
// The roles of the granted project.
repeated string granted_role_keys = 7 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[\"role.super.man\"]"
}
];
// The ID of the granted project.
string project_id = 8 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
// The name of the granted project.
string project_name = 9 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"ZITADEL\""
}
];
// Describes the current state of the granted project.
ProjectGrantState state = 10 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "current state of the project";
}
];
}
enum ProjectGrantState {
PROJECT_GRANT_STATE_UNSPECIFIED = 0;
PROJECT_GRANT_STATE_ACTIVE = 1;
PROJECT_GRANT_STATE_INACTIVE = 2;
}
message Project {
// The unique identifier of the project.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The unique identifier of the organization the project belongs to.
string organization_id = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The timestamp of the project creation.
google.protobuf.Timestamp creation_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the last change to the project (e.g. creation, activation, deactivation).
google.protobuf.Timestamp change_date = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
// The name of the project.
string name = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"ip_allow_list\"";
}
];
// Describes the current state of the project.
ProjectState state = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "current state of the project";
}
];
// Describes if the roles of the user should be added to the token.
bool project_role_assertion = 7;
// When enabled ZITADEL will check if a user has an authorization to use this project assigned when login into an application of this project.
bool authorization_required = 8;
// When enabled ZITADEL will check if the organization of the user, that is trying to log in, has access to this project (either owns the project or is granted).
bool project_access_required = 9;
// Defines from where the private labeling should be triggered.
PrivateLabelingSetting private_labeling_setting = 10;
// The ID of the organization the project is granted to.
optional string granted_organization_id = 12 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
// The name of the organization the project is granted to.
optional string granted_organization_name = 13 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"Some Organization\""
}
];
// Describes the current state of the granted project.
GrantedProjectState granted_state = 14 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "current state of the granted project";
}
];
}
enum ProjectState {
PROJECT_STATE_UNSPECIFIED = 0;
PROJECT_STATE_ACTIVE = 1;
PROJECT_STATE_INACTIVE = 2;
}
enum GrantedProjectState {
GRANTED_PROJECT_STATE_UNSPECIFIED = 0;
GRANTED_PROJECT_STATE_ACTIVE = 1;
GRANTED_PROJECT_STATE_INACTIVE = 2;
}
enum PrivateLabelingSetting {
PRIVATE_LABELING_SETTING_UNSPECIFIED = 0;
PRIVATE_LABELING_SETTING_ENFORCE_PROJECT_RESOURCE_OWNER_POLICY = 1;
PRIVATE_LABELING_SETTING_ALLOW_LOGIN_USER_RESOURCE_OWNER_POLICY = 2;
}
enum ProjectFieldName {
PROJECT_FIELD_NAME_UNSPECIFIED = 0;
PROJECT_FIELD_NAME_ID = 1;
PROJECT_FIELD_NAME_CREATION_DATE = 2;
PROJECT_FIELD_NAME_CHANGE_DATE = 3;
PROJECT_FIELD_NAME_NAME = 4;
}
enum ProjectGrantFieldName {
PROJECT_GRANT_FIELD_NAME_UNSPECIFIED = 0;
PROJECT_GRANT_FIELD_NAME_PROJECT_ID = 1;
PROJECT_GRANT_FIELD_NAME_CREATION_DATE = 2;
PROJECT_GRANT_FIELD_NAME_CHANGE_DATE = 3;
}
enum ProjectRoleFieldName {
PROJECT_ROLE_FIELD_NAME_UNSPECIFIED = 0;
PROJECT_ROLE_FIELD_NAME_KEY = 1;
PROJECT_ROLE_FIELD_NAME_CREATION_DATE = 2;
PROJECT_ROLE_FIELD_NAME_CHANGE_DATE = 3;
}
message ProjectSearchFilter {
oneof filter {
option (validate.required) = true;
ProjectNameFilter project_name_filter = 1;
InProjectIDsFilter in_project_ids_filter = 2;
ProjectResourceOwnerFilter project_resource_owner_filter = 3;
ProjectGrantResourceOwnerFilter project_grant_resource_owner_filter = 4;
ProjectOrganizationIDFilter project_organization_id_filter = 5;
}
}
message ProjectNameFilter {
// Defines the name of the project to query for.
string project_name = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
max_length: 200;
example: "\"ip_allow_list\"";
}
];
// Defines which text comparison method used for the name query.
zitadel.filter.v2beta.TextFilterMethod method = 2 [
(validate.rules).enum.defined_only = true,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "defines which text equality method is used";
}
];
}
message InProjectIDsFilter {
// Defines the ids to query for.
repeated string project_ids = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "the ids of the projects to include"
example: "[\"69629023906488334\",\"69622366012355662\"]";
}
];
}
message ProjectResourceOwnerFilter {
// Defines the ID of organization the project belongs to query for.
string project_resource_owner = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
}
message ProjectGrantResourceOwnerFilter {
// Defines the ID of organization the project grant belongs to query for.
string project_grant_resource_owner = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
}
message ProjectOrganizationIDFilter {
// Defines the ID of organization the project and granted project belong to query for.
string project_organization_id = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
}
message ProjectGrantSearchFilter {
oneof filter {
option (validate.required) = true;
ProjectNameFilter project_name_filter = 1;
ProjectRoleKeyFilter role_key_filter = 2;
InProjectIDsFilter in_project_ids_filter = 3;
ProjectResourceOwnerFilter project_resource_owner_filter = 4;
ProjectGrantResourceOwnerFilter project_grant_resource_owner_filter = 5;
}
}
message GrantedOrganizationIDFilter {
// Defines the ID of organization the project is granted to query for.
string granted_organization_id = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629023906488334\""
}
];
}
message ProjectRole {
// ID of the project.
string project_id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629026806489455\"";
}
];
// Key of the project role.
string key = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"role.super.man\""
}
];
// The timestamp of the project role creation.
google.protobuf.Timestamp creation_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the last change to the project role.
google.protobuf.Timestamp change_date = 4 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
// Display name of the project role.
string display_name = 5 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"Super man\""
}
];
// Group of the project role.
string group = 6 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"people\""
}
];
}
message ProjectRoleSearchFilter {
oneof filter {
option (validate.required) = true;
ProjectRoleKeyFilter role_key_filter = 1;
ProjectRoleDisplayNameFilter display_name_filter = 2;
}
}
message ProjectRoleKeyFilter {
string key = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"role.super.man\""
}
];
// Defines which text comparison method used for the name query.
zitadel.filter.v2beta.TextFilterMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}
message ProjectRoleDisplayNameFilter {
string display_name = 1 [
(validate.rules).string = {max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"SUPER\""
}
];
// Defines which text comparison method used for the name query.
zitadel.filter.v2beta.TextFilterMethod method = 2 [
(validate.rules).enum.defined_only = true
];
}

565
proto/zitadel/resources/action/v3alpha/action_service.proto
View File

@@ -1,565 +0,0 @@
syntax = "proto3";
package zitadel.resources.action.v3alpha;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/resources/action/v3alpha/target.proto";
import "zitadel/resources/action/v3alpha/execution.proto";
import "zitadel/resources/action/v3alpha/query.proto";
import "zitadel/resources/object/v3alpha/object.proto";
import "zitadel/object/v3alpha/object.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/resources/action/v3alpha;action";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Action Service";
version: "3.0-alpha";
description: "This API is intended to manage custom executions (previously known as actions) in a ZITADEL instance. It will continue breaking as long as it is in alpha state.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
consumes: "application/grpc";
produces: "application/json";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
service ZITADELActions {
// Create a target
//
// Create a new target, which can be used in executions.
rpc CreateTarget (CreateTargetRequest) returns (CreateTargetResponse) {
option (google.api.http) = {
post: "/resources/v3alpha/actions/targets"
body: "target"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.write"
}
http_response: {
success_code: 201
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "201";
value: {
description: "Target successfully created";
schema: {
json_schema: {
ref: "#/definitions/v3alphaCreateTargetResponse";
}
}
};
};
};
}
// Patch a target
//
// Patch an existing target.
rpc PatchTarget (PatchTargetRequest) returns (PatchTargetResponse) {
option (google.api.http) = {
patch: "/resources/v3alpha/actions/targets/{id}"
body: "target"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.write"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Target successfully updated or left unchanged";
};
};
};
}
// Delete a target
//
// Delete an existing target. This will remove it from any configured execution as well.
rpc DeleteTarget (DeleteTargetRequest) returns (DeleteTargetResponse) {
option (google.api.http) = {
delete: "/resources/v3alpha/actions/targets/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.delete"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Target successfully deleted";
};
};
};
}
// Target by ID
//
// Returns the target identified by the requested ID.
rpc GetTarget (GetTargetRequest) returns (GetTargetResponse) {
option (google.api.http) = {
get: "/resources/v3alpha/actions/targets/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "Target successfully retrieved";
}
};
};
}
// Search targets
//
// Search all matching targets. By default all targets of the instance are returned.
// Make sure to include a limit and sorting for pagination.
rpc SearchTargets (SearchTargetsRequest) returns (SearchTargetsResponse) {
option (google.api.http) = {
post: "/resources/v3alpha/actions/targets/_search",
body: "filters"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.target.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "A list of all targets matching the query";
};
};
responses: {
key: "400";
value: {
description: "invalid list query";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
};
};
};
};
};
}
// Sets an execution to call a target or include the targets of another execution.
//
// Setting an empty list of targets will remove all targets from the execution, making it a noop.
rpc SetExecution (SetExecutionRequest) returns (SetExecutionResponse) {
option (google.api.http) = {
put: "/resources/v3alpha/actions/executions"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.execution.write"
}
http_response: {
success_code: 201
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "Execution successfully updated or left unchanged";
schema: {
json_schema: {
ref: "#/definitions/v3alphaSetExecutionResponse";
}
}
};
};
};
}
// Search executions
//
// Search all matching executions. By default all executions of the instance are returned that have at least one execution target.
// Make sure to include a limit and sorting for pagination.
rpc SearchExecutions (SearchExecutionsRequest) returns (SearchExecutionsResponse) {
option (google.api.http) = {
post: "/resources/v3alpha/actions/executions/_search"
body: "filters"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "action.execution.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "A list of all non noop executions matching the query";
};
};
responses: {
key: "400";
value: {
description: "invalid list query";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
};
};
};
};
};
}
// List all available functions
//
// List all available functions which can be used as condition for executions.
rpc ListExecutionFunctions (ListExecutionFunctionsRequest) returns (ListExecutionFunctionsResponse) {
option (google.api.http) = {
get: "/resources/v3alpha/actions/executions/functions"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "List all functions successfully";
};
};
};
}
// List all available methods
//
// List all available methods which can be used as condition for executions.
rpc ListExecutionMethods (ListExecutionMethodsRequest) returns (ListExecutionMethodsResponse) {
option (google.api.http) = {
get: "/resources/v3alpha/actions/executions/methods"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "List all methods successfully";
};
};
};
}
// List all available service
//
// List all available services which can be used as condition for executions.
rpc ListExecutionServices (ListExecutionServicesRequest) returns (ListExecutionServicesResponse) {
option (google.api.http) = {
get: "/resources/v3alpha/actions/executions/services"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "authenticated"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200";
value: {
description: "List all services successfully";
};
};
};
}
}
message CreateTargetRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
Target target = 2 [
(validate.rules).message = {
required: true
}
];
}
message CreateTargetResponse {
zitadel.resources.object.v3alpha.Details details = 1;
// Key used to sign and check payload sent to the target.
string signing_key = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"98KmsU67\""
}
];
}
message PatchTargetRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
string id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
PatchTarget target = 3 [
(validate.rules).message = {
required: true
}
];
}
message PatchTargetResponse {
zitadel.resources.object.v3alpha.Details details = 1;
// Key used to sign and check payload sent to the target.
optional string signing_key = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"98KmsU67\""
}
];
}
message DeleteTargetRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
string id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message DeleteTargetResponse {
zitadel.resources.object.v3alpha.Details details = 1;
}
message GetTargetRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
string id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message GetTargetResponse {
GetTarget target = 1;
}
message SearchTargetsRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
// list limitations and ordering.
optional zitadel.resources.object.v3alpha.SearchQuery query = 2;
// The field the result is sorted by. The default is the creation date. Beware that if you change this, your result pagination might be inconsistent.
optional TargetFieldName sorting_column = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"TARGET_FIELD_NAME_CREATION_DATE\""
}
];
// Define the criteria to query for.
repeated TargetSearchFilter filters = 4;
}
message SearchTargetsResponse {
zitadel.resources.object.v3alpha.ListDetails details = 1;
repeated GetTarget result = 2;
}
message SetExecutionRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
Condition condition = 2;
Execution execution = 3;
}
message SetExecutionResponse {
zitadel.resources.object.v3alpha.Details details = 1;
}
message SearchExecutionsRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
// list limitations and ordering.
optional zitadel.resources.object.v3alpha.SearchQuery query = 2;
// The field the result is sorted by. The default is the creation date. Beware that if you change this, your result pagination might be inconsistent.
optional ExecutionFieldName sorting_column = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"EXECUTION_FIELD_NAME_CREATION_DATE\""
}
];
// Define the criteria to query for.
repeated ExecutionSearchFilter filters = 4;
}
message SearchExecutionsResponse {
zitadel.resources.object.v3alpha.ListDetails details = 1;
repeated GetExecution result = 2;
}
message ListExecutionFunctionsRequest{}
message ListExecutionFunctionsResponse{
// All available methods
repeated string functions = 1;
}
message ListExecutionMethodsRequest{}
message ListExecutionMethodsResponse{
// All available methods
repeated string methods = 1;
}
message ListExecutionServicesRequest{}
message ListExecutionServicesResponse{
// All available methods
repeated string services = 1;
}

124
proto/zitadel/resources/action/v3alpha/target.proto
View File

@@ -1,124 +0,0 @@
syntax = "proto3";
package zitadel.resources.action.v3alpha;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "google/protobuf/timestamp.proto";
import "zitadel/resources/object/v3alpha/object.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/resources/action/v3alpha;action";
message Target {
string name = 1 [
(validate.rules).string = {min_len: 1, max_len: 1000},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"ip_allow_list\"";
min_length: 1
max_length: 1000
}
];
// Defines the target type and how the response of the target is treated.
oneof target_type {
option (validate.required) = true;
SetRESTWebhook rest_webhook = 2;
SetRESTCall rest_call = 3;
SetRESTAsync rest_async = 4;
}
// Timeout defines the duration until ZITADEL cancels the execution.
google.protobuf.Duration timeout = 5 [
(validate.rules).duration = {gte: {}, lte: {seconds: 270}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "if the target doesn't respond before this timeout expires, the the connection is closed and the action fails";
example: "\"10s\"";
}
];
string endpoint = 6 [
(validate.rules).string = {min_len: 1, max_len: 1000},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://example.com/hooks/ip_check\""
min_length: 1
max_length: 1000
}
];
}
message GetTarget {
zitadel.resources.object.v3alpha.Details details = 1;
Target config = 2;
string signing_key = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"98KmsU67\""
}
];
}
message PatchTarget {
optional string name = 1 [
(validate.rules).string = {min_len: 1, max_len: 1000},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"ip_allow_list\""
min_length: 1
max_length: 1000
}
];
// Defines the target type and how the response of the target is treated.
oneof target_type {
SetRESTWebhook rest_webhook = 2;
SetRESTCall rest_call = 3;
SetRESTAsync rest_async = 4;
}
// Timeout defines the duration until ZITADEL cancels the execution.
optional google.protobuf.Duration timeout = 5 [
(validate.rules).duration = {gte: {}, lte: {seconds: 270}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
description: "if the target doesn't respond before this timeout expires, the the connection is closed and the action fails";
example: "\"10s\"";
}
];
optional string endpoint = 6 [
(validate.rules).string = {min_len: 1, max_len: 1000},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"https://example.com/hooks/ip_check\""
min_length: 1
max_length: 1000
}
];
// Regenerate the key used for signing and checking the payload sent to the target.
// Set the graceful period for the existing key. During that time, the previous
// signing key and the new one will be used to sign the request to allow you a smooth
// transition onf your API.
//
// Note that we currently only allow an immediate rotation ("0s") and will support
// longer expirations in the future.
optional google.protobuf.Duration expiration_signing_key = 7 [
(validate.rules).duration = {const: {seconds: 0, nanos: 0}},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"0s\""
minimum: 0
maximum: 0
}
];
}
// Wait for response but response body is ignored, status is checked, call is sent as post.
message SetRESTWebhook {
// Define if any error stops the whole execution. By default the process continues as normal.
bool interrupt_on_error = 1;
}
// Wait for response and response body is used, status is checked, call is sent as post.
message SetRESTCall {
// Define if any error stops the whole execution. By default the process continues as normal.
bool interrupt_on_error = 1;
}
// Call is executed in parallel to others, ZITADEL does not wait until the call is finished. The state is ignored, call is sent as post.
message SetRESTAsync {}

2
proto/zitadel/resources/debug_events/v3alpha/debug_events_service.proto
View File

@@ -27,7 +27,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

2
proto/zitadel/resources/user/v3alpha/user_service.proto
View File

@@ -30,7 +30,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

2
proto/zitadel/resources/userschema/v3alpha/user_schema_service.proto
View File

@@ -27,7 +27,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

41
proto/zitadel/resources/webkey/v3alpha/config.proto
View File

@@ -1,41 +0,0 @@
syntax = "proto3";
package zitadel.resources.webkey.v3alpha;
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/resources/webkey/v3alpha;webkey";
message WebKeyRSAConfig {
enum RSABits {
RSA_BITS_UNSPECIFIED = 0;
RSA_BITS_2048 = 1;
RSA_BITS_3072 = 2;
RSA_BITS_4096 = 3;
}
enum RSAHasher {
RSA_HASHER_UNSPECIFIED = 0;
RSA_HASHER_SHA256 = 1;
RSA_HASHER_SHA384 = 2;
RSA_HASHER_SHA512 = 3;
}
// bit size of the RSA key
RSABits bits = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
// signing algrithm used
RSAHasher hasher = 2 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
}
message WebKeyECDSAConfig {
enum ECDSACurve {
ECDSA_CURVE_UNSPECIFIED = 0;
ECDSA_CURVE_P256 = 1;
ECDSA_CURVE_P384 = 2;
ECDSA_CURVE_P512 = 3;
}
ECDSACurve curve = 1 [(validate.rules).enum = {defined_only: true, not_in: [0]}];
}
message WebKeyED25519Config {}

31
proto/zitadel/resources/webkey/v3alpha/key.proto
View File

@@ -1,31 +0,0 @@
syntax = "proto3";
package zitadel.resources.webkey.v3alpha;
import "google/protobuf/timestamp.proto";
import "zitadel/resources/webkey/v3alpha/config.proto";
import "zitadel/resources/object/v3alpha/object.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/resources/webkey/v3alpha;webkey";
enum WebKeyState {
STATE_UNSPECIFIED = 0;
STATE_INITIAL = 1;
STATE_ACTIVE = 2;
STATE_INACTIVE = 3;
STATE_REMOVED = 4;
}
message GetWebKey {
zitadel.resources.object.v3alpha.Details details = 1;
WebKey config = 2;
WebKeyState state = 3;
}
message WebKey {
oneof config {
WebKeyRSAConfig rsa = 6;
WebKeyECDSAConfig ecdsa = 7;
WebKeyED25519Config ed25519 = 8;
}
}

278
proto/zitadel/resources/webkey/v3alpha/webkey_service.proto
View File

@@ -1,278 +0,0 @@
syntax = "proto3";
package zitadel.resources.webkey.v3alpha;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/resources/webkey/v3alpha/key.proto";
import "zitadel/resources/object/v3alpha/object.proto";
import "zitadel/object/v3alpha/object.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/resources/webkey/v3alpha;webkey";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Web key Service";
version: "3.0-preview";
description: "This API is intended to manage web keys for a ZITADEL instance, used to sign and validate OIDC tokens. This project is in preview state. It can AND will continue breaking until a stable version is released.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
produces: "application/json";
consumes: "application/grpc";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
service ZITADELWebKeys {
rpc CreateWebKey(CreateWebKeyRequest) returns (CreateWebKeyResponse) {
option (google.api.http) = {
post: "/resources/v3alpha/web_keys"
body: "key"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.write"
}
http_response: {
success_code: 201
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Generate a web key pair for the instance";
description: "Generate a private and public key pair. The private key can be used to sign OIDC tokens after activation. The public key can be used to valite OIDC tokens."
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
rpc ActivateWebKey(ActivateWebKeyRequest) returns (ActivateWebKeyResponse) {
option (google.api.http) = {
post: "/resources/v3alpha/web_keys/{id}/_activate"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.write"
}
http_response: {
success_code: 200
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Activate a signing key for the instance";
description: "Switch the active signing web key. The previously active key will be deactivated. Note that the JWKs OIDC endpoint returns a cacheable response. Therefore it is not advised to activate a key that has been created within the cache duration (default is 5min), as the public key may not have been propagated to caches and clients yet."
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
rpc DeleteWebKey(DeleteWebKeyRequest) returns (DeleteWebKeyResponse) {
option (google.api.http) = {
delete: "/resources/v3alpha/web_keys/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.delete"
}
http_response: {
success_code: 200
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "Delete a web key pair for the instance";
description: "Delete a web key pair. Only inactive keys can be deleted. Once a key is deleted, any tokens signed by this key will be invalid."
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
rpc ListWebKeys(ListWebKeysRequest) returns (ListWebKeysResponse) {
option (google.api.http) = {
get: "/resources/v3alpha/web_keys"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.read"
}
http_response: {
success_code: 200
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
summary: "List web key details for the instance";
description: "List web key details for the instance"
responses: {
key: "200"
value: {
description: "OK";
}
};
};
}
}
message CreateWebKeyRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
WebKey key = 2;
}
message CreateWebKeyResponse {
zitadel.resources.object.v3alpha.Details details = 1;
}
message ActivateWebKeyRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
string id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message ActivateWebKeyResponse {
zitadel.resources.object.v3alpha.Details details = 1;
}
message DeleteWebKeyRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
string id = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message DeleteWebKeyResponse {
zitadel.resources.object.v3alpha.Details details = 1;
}
message ListWebKeysRequest {
optional zitadel.object.v3alpha.Instance instance = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "\"domain from HOST or :authority header\""
}
];
}
message ListWebKeysResponse {
repeated GetWebKey web_keys = 1;
}

2
proto/zitadel/saml/v2/saml_service.proto
View File

@@ -24,7 +24,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

2
proto/zitadel/session/v2/session_service.proto
View File

@@ -28,7 +28,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

2
proto/zitadel/session/v2beta/session_service.proto
View File

@@ -28,7 +28,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

2
proto/zitadel/settings/v2/settings_service.proto
View File

@@ -30,7 +30,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

2
proto/zitadel/settings/v2beta/settings_service.proto
View File

@@ -30,7 +30,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;

57
proto/zitadel/system.proto
View File

@@ -30,7 +30,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
tags: [
@@ -117,6 +117,8 @@ service SystemService {
}
// Returns a list of ZITADEL instances
//
// Deprecated: Use [ListInstances](apis/resources/instance_service_v2/instance-service-list-instances.api.mdx) instead to list instances
rpc ListInstances(ListInstancesRequest) returns (ListInstancesResponse) {
option (google.api.http) = {
post: "/instances/_search"
@@ -126,9 +128,15 @@ service SystemService {
option (zitadel.v1.auth_option) = {
permission: "system.instance.read";
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
};
}
// Returns the detail of an instance
//
// Deprecated: Use [GetInstance](apis/resources/instance_service_v2/instance-service-get-instance.api.mdx) instead to get the details of the instance in context
rpc GetInstance(GetInstanceRequest) returns (GetInstanceResponse) {
option (google.api.http) = {
get: "/instances/{instance_id}";
@@ -137,6 +145,10 @@ service SystemService {
option (zitadel.v1.auth_option) = {
permission: "system.instance.read";
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
};
}
// Deprecated: Use CreateInstance instead
@@ -151,9 +163,15 @@ service SystemService {
option (zitadel.v1.auth_option) = {
permission: "system.instance.write";
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
};
}
// Updates name of an existing instance
//
// Deprecated: Use [UpdateInstance](apis/resources/instance_service_v2/instance-service-update-instance.api.mdx) instead to update the name of the instance in context
rpc UpdateInstance(UpdateInstanceRequest) returns (UpdateInstanceResponse) {
option (google.api.http) = {
put: "/instances/{instance_id}"
@@ -163,6 +181,10 @@ service SystemService {
option (zitadel.v1.auth_option) = {
permission: "system.instance.write";
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
};
}
// Creates a new instance with all needed setup data
@@ -180,6 +202,8 @@ service SystemService {
// Removes an instance
// This might take some time
//
// Deprecated: Use [DeleteInstance](apis/resources/instance_service_v2/instance-service-delete-instance.api.mdx) instead to delete an instance
rpc RemoveInstance(RemoveInstanceRequest) returns (RemoveInstanceResponse) {
option (google.api.http) = {
delete: "/instances/{instance_id}"
@@ -188,6 +212,10 @@ service SystemService {
option (zitadel.v1.auth_option) = {
permission: "system.instance.delete";
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
};
}
//Returns all instance members matching the request
@@ -204,7 +232,9 @@ service SystemService {
};
}
//Checks if a domain exists
// Checks if a domain exists
//
// Deprecated: Use [ListCustomDomains](apis/resources/instance_service_v2/instance-service-list-custom-domains.api.mdx) instead to check existence of an instance
rpc ExistsDomain(ExistsDomainRequest) returns (ExistsDomainResponse) {
option (google.api.http) = {
post: "/domains/{domain}/_exists";
@@ -214,10 +244,14 @@ service SystemService {
option (zitadel.v1.auth_option) = {
permission: "system.domain.read";
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
};
}
// Returns the custom domains of an instance
//Checks if a domain exists
// Checks if a domain exists
// Deprecated: Use the Admin APIs ListInstanceDomains on the admin API instead
rpc ListDomains(ListDomainsRequest) returns (ListDomainsResponse) {
option (google.api.http) = {
@@ -228,9 +262,15 @@ service SystemService {
option (zitadel.v1.auth_option) = {
permission: "system.domain.read";
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
};
}
// Adds a domain to an instance
//
// Deprecated: Use [AddCustomDomain](apis/resources/instance_service_v2/instance-service-add-custom-domain.api.mdx) instead to add a custom domain to the instance in context
rpc AddDomain(AddDomainRequest) returns (AddDomainResponse) {
option (google.api.http) = {
post: "/instances/{instance_id}/domains";
@@ -240,9 +280,15 @@ service SystemService {
option (zitadel.v1.auth_option) = {
permission: "system.domain.write";
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
};
}
// Removes the domain of an instance
//
// Deprecated: Use [RemoveDomain](apis/resources/instance_service_v2/instance-service-remove-custom-domain.api.mdx) instead to remove a custom domain from the instance in context
rpc RemoveDomain(RemoveDomainRequest) returns (RemoveDomainResponse) {
option (google.api.http) = {
delete: "/instances/{instance_id}/domains/{domain}";
@@ -251,6 +297,10 @@ service SystemService {
option (zitadel.v1.auth_option) = {
permission: "system.domain.delete";
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
};
}
// Sets the primary domain of an instance
@@ -689,6 +739,7 @@ message ListIAMMembersRequest {
zitadel.v1.ListQuery query = 1;
string instance_id = 2;
repeated zitadel.member.v1.SearchQuery queries = 3;
zitadel.member.v1.MemberFieldColumnName sorting_column = 4;
}
message ListIAMMembersResponse {

4
proto/zitadel/user/v2/user.proto
View File

@@ -334,7 +334,7 @@ message AuthFactorU2F {
message SendInviteCode {
// Optionally set a url_template, which will be used in the invite mail sent by ZITADEL to guide the user to your invitation page.
// If no template is set, the default ZITADEL url will be used.
// If no template is set and no previous code was created, the default ZITADEL url will be used.
//
// The following placeholders can be used: UserID, OrgID, Code
optional string url_template = 1 [
@@ -346,7 +346,7 @@ message SendInviteCode {
}
];
// Optionally set an application name, which will be used in the invite mail sent by ZITADEL.
// If no application name is set, ZITADEL will be used as default.
// If no application name is set and no previous code was created, ZITADEL will be used as default.
optional string application_name = 2 [
(validate.rules).string = {min_len: 1, max_len: 200},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {

10
proto/zitadel/user/v2/user_service.proto
View File

@@ -34,7 +34,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
@@ -541,7 +541,7 @@ service UserService {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "user.delete"
permission: "authenticated"
}
};
@@ -1137,6 +1137,8 @@ service UserService {
// Create an invite code for a user
//
// Create an invite code for a user to initialize their first authentication method (password, passkeys, IdP) depending on the organization's available methods.
// If an invite code has been created previously, it's url template and application name will be used as defaults for the new code.
// The new code will overwrite the previous one and make it invalid.
rpc CreateInviteCode (CreateInviteCodeRequest) returns (CreateInviteCodeResponse) {
option (google.api.http) = {
post: "/v2/users/{user_id}/invite_code"
@@ -1160,6 +1162,8 @@ service UserService {
// Resend an invite code for a user
//
// Deprecated: Use [CreateInviteCode](apis/resources/user_service_v2/user-service-create-invite-code.api.mdx) instead.
//
// Resend an invite code for a user to initialize their first authentication method (password, passkeys, IdP) depending on the organization's available methods.
// A resend is only possible if a code has been created previously and sent to the user. If there is no code or it was directly returned, an error will be returned.
rpc ResendInviteCode (ResendInviteCodeRequest) returns (ResendInviteCodeResponse) {
@@ -1174,6 +1178,7 @@ service UserService {
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
deprecated: true;
responses: {
key: "200"
value: {
@@ -2131,6 +2136,7 @@ message RetrieveIdentityProviderIntentResponse{
example: "\"163840776835432345\"";
}
];
AddHumanUserRequest add_human_user = 4;
}
message AddIDPLinkRequest{

4
proto/zitadel/user/v2beta/user_service.proto
View File

@@ -32,7 +32,7 @@ option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSE";
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
@@ -563,7 +563,7 @@ service UserService {
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "user.delete"
permission: "authenticated"
}
};

109
proto/zitadel/webkey/v2beta/key.proto Normal file
View File

@@ -0,0 +1,109 @@
syntax = "proto3";
package zitadel.webkey.v2beta;
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/webkey/v2beta;webkey";
enum State {
STATE_UNSPECIFIED = 0;
// A newly created key is in the initial state and published to the public key endpoint.
STATE_INITIAL = 1;
// The active key is used to sign tokens. Only one key can be active at a time.
STATE_ACTIVE = 2;
// The inactive key is not used to sign tokens anymore, but still published to the public key endpoint.
STATE_INACTIVE = 3;
// The removed key is not used to sign tokens anymore and not published to the public key endpoint.
STATE_REMOVED = 4;
}
message WebKey {
// The unique identifier of the key.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The timestamp of the key creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
// The timestamp of the last change to the key (e.g. creation, activation, deactivation).
google.protobuf.Timestamp change_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
// State of the key
State state = 4;
// Configured type of the key (either RSA, ECDSA or ED25519)
oneof key {
RSA rsa = 5;
ECDSA ecdsa = 6;
ED25519 ed25519 = 7;
}
}
message RSA {
// Bit size of the RSA key. Default is 2048 bits.
RSABits bits = 1 [
(validate.rules).enum = {defined_only: true, not_in: [0]},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "RSA_BITS_2048";
}
];
// Signing algrithm used. Default is SHA256.
RSAHasher hasher = 2 [
(validate.rules).enum = {defined_only: true, not_in: [0]},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "RSA_HASHER_SHA256";
}
];
}
enum RSABits {
RSA_BITS_UNSPECIFIED = 0;
// 2048 bit RSA key
RSA_BITS_2048 = 1;
// 3072 bit RSA key
RSA_BITS_3072 = 2;
// 4096 bit RSA key
RSA_BITS_4096 = 3;
}
enum RSAHasher {
RSA_HASHER_UNSPECIFIED = 0;
// SHA256 hashing algorithm resulting in the RS256 algorithm header
RSA_HASHER_SHA256 = 1;
// SHA384 hashing algorithm resulting in the RS384 algorithm header
RSA_HASHER_SHA384 = 2;
// SHA512 hashing algorithm resulting in the RS512 algorithm header
RSA_HASHER_SHA512 = 3;
}
message ECDSA {
// Curve of the ECDSA key. Default is P-256.
ECDSACurve curve = 1 [
(validate.rules).enum = {defined_only: true, not_in: [0]},
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
default: "ECDSA_CURVE_P256";
}
];
}
enum ECDSACurve {
ECDSA_CURVE_UNSPECIFIED = 0;
// NIST P-256 curve resulting in the ES256 algorithm header
ECDSA_CURVE_P256 = 1;
// NIST P-384 curve resulting in the ES384 algorithm header
ECDSA_CURVE_P384 = 2;
// NIST P-512 curve resulting in the ES512 algorithm header
ECDSA_CURVE_P512 = 3;
}
message ED25519 {}

359
proto/zitadel/webkey/v2beta/webkey_service.proto Normal file
View File

@@ -0,0 +1,359 @@
syntax = "proto3";
package zitadel.webkey.v2beta;
import "google/api/annotations.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/timestamp.proto";
import "protoc-gen-openapiv2/options/annotations.proto";
import "validate/validate.proto";
import "zitadel/protoc_gen_zitadel/v2/options.proto";
import "zitadel/webkey/v2beta/key.proto";
option go_package = "github.com/zitadel/zitadel/pkg/grpc/webkey/v2beta;webkey";
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_swagger) = {
info: {
title: "Web key Service";
version: "2.0-beta";
description: "This API is intended to manage web keys for a ZITADEL instance, used to sign and validate OIDC tokens. This service is in beta state. It can AND will continue breaking until a stable version is released.\n\nThe public key endpoint (outside of this service) is used to retrieve the public keys of the active and inactive keys.\n\nPlease make sure to enable the `web_key` feature flag on your instance to use this service.";
contact:{
name: "ZITADEL"
url: "https://zitadel.com"
email: "hi@zitadel.com"
}
license: {
name: "Apache 2.0",
url: "https://github.com/zitadel/zitadel/blob/main/LICENSING.md";
};
};
schemes: HTTPS;
schemes: HTTP;
consumes: "application/json";
produces: "application/json";
consumes: "application/grpc";
produces: "application/grpc";
consumes: "application/grpc-web+proto";
produces: "application/grpc-web+proto";
host: "$CUSTOM-DOMAIN";
base_path: "/";
external_docs: {
description: "Detailed information about ZITADEL",
url: "https://zitadel.com/docs"
}
security_definitions: {
security: {
key: "OAuth2";
value: {
type: TYPE_OAUTH2;
flow: FLOW_ACCESS_CODE;
authorization_url: "$CUSTOM-DOMAIN/oauth/v2/authorize";
token_url: "$CUSTOM-DOMAIN/oauth/v2/token";
scopes: {
scope: {
key: "openid";
value: "openid";
}
scope: {
key: "urn:zitadel:iam:org:project:id:zitadel:aud";
value: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
}
}
security: {
security_requirement: {
key: "OAuth2";
value: {
scope: "openid";
scope: "urn:zitadel:iam:org:project:id:zitadel:aud";
}
}
}
responses: {
key: "403";
value: {
description: "Returned when the user does not have permission to access the resource.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
responses: {
key: "404";
value: {
description: "Returned when the resource does not exist.";
schema: {
json_schema: {
ref: "#/definitions/rpcStatus";
}
}
}
}
};
// Service to manage web keys for OIDC token signing and validation.
// The service provides methods to create, activate, delete and list web keys.
// The public key endpoint (outside of this service) is used to retrieve the public keys of the active and inactive keys.
//
// Please make sure to enable the `web_key` feature flag on your instance to use this service.
service WebKeyService {
// Create Web Key
//
// Generate a private and public key pair. The private key can be used to sign OIDC tokens after activation.
// The public key can be used to validate OIDC tokens.
// The newly created key will have the state `STATE_INITIAL` and is published to the public key endpoint.
// Note that the JWKs OIDC endpoint returns a cacheable response.
//
// If no key type is provided, a RSA key pair with 2048 bits and SHA256 hashing will be created.
//
// Required permission:
// - `iam.web_key.write`
//
// Required feature flag:
// - `web_key`
rpc CreateWebKey(CreateWebKeyRequest) returns (CreateWebKeyResponse) {
option (google.api.http) = {
post: "/v2beta/web_keys"
body: "*"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.write"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "Web key created successfully.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `web_key` is not enabled.";
}
};
};
}
// Activate Web Key
//
// Switch the active signing web key. The previously active key will be deactivated.
// Note that the JWKs OIDC endpoint returns a cacheable response.
// Therefore it is not advised to activate a key that has been created within the cache duration (default is 5min),
// as the public key may not have been propagated to caches and clients yet.
//
// Required permission:
// - `iam.web_key.write`
//
// Required feature flag:
// - `web_key`
rpc ActivateWebKey(ActivateWebKeyRequest) returns (ActivateWebKeyResponse) {
option (google.api.http) = {
post: "/v2beta/web_keys/{id}/activate"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.write"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "Web key activated successfully.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `web_key` is not enabled.";
}
};
responses: {
key: "404"
value: {
description: "The web key to active does not exist.";
}
};
};
}
// Delete Web Key
//
// Delete a web key pair. Only inactive keys can be deleted. Once a key is deleted,
// any tokens signed by this key will be invalid.
// Note that the JWKs OIDC endpoint returns a cacheable response.
// In case the web key is not found, the request will return a successful response as
// the desired state is already achieved.
// You can check the change date in the response to verify if the web key was deleted during the request.
//
// Required permission:
// - `iam.web_key.delete`
//
// Required feature flag:
// - `web_key`
rpc DeleteWebKey(DeleteWebKeyRequest) returns (DeleteWebKeyResponse) {
option (google.api.http) = {
delete: "/v2beta/web_keys/{id}"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.delete"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "Web key deleted successfully.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `web_key` is not enabled or the web key is currently active.";
}
};
};
}
// List Web Keys
//
// List all web keys and their states.
//
// Required permission:
// - `iam.web_key.read`
//
// Required feature flag:
// - `web_key`
rpc ListWebKeys(ListWebKeysRequest) returns (ListWebKeysResponse) {
option (google.api.http) = {
get: "/v2beta/web_keys"
};
option (zitadel.protoc_gen_zitadel.v2.options) = {
auth_option: {
permission: "iam.web_key.read"
}
};
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_operation) = {
responses: {
key: "200"
value: {
description: "List of all web keys.";
}
};
responses: {
key: "400"
value: {
description: "The feature flag `web_key` is not enabled.";
}
};
};
}
}
message CreateWebKeyRequest {
// The key type to create (RSA, ECDSA, ED25519).
// If no key type is provided, a RSA key pair with 2048 bits and SHA256 hashing will be created.
oneof key {
// Create a RSA key pair and specify the bit size and hashing algorithm.
// If no bits and hasher are provided, a RSA key pair with 2048 bits and SHA256 hashing will be created.
RSA rsa = 1;
// Create a ECDSA key pair and specify the curve.
// If no curve is provided, a ECDSA key pair with P-256 curve will be created.
ECDSA ecdsa = 2;
// Create a ED25519 key pair.
ED25519 ed25519 = 3;
}
option (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_schema) = {
example: "{\"rsa\":{\"bits\":\"RSA_BITS_2048\",\"hasher\":\"RSA_HASHER_SHA256\"}}";
};
}
message CreateWebKeyResponse {
// The unique identifier of the newly created key.
string id = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"69629012906488334\"";
}
];
// The timestamp of the key creation.
google.protobuf.Timestamp creation_date = 2 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2024-12-18T07:50:47.492Z\"";
}
];
}
message ActivateWebKeyRequest {
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message ActivateWebKeyResponse {
// The timestamp of the activation of the key.
google.protobuf.Timestamp change_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message DeleteWebKeyRequest {
string id = 1 [
(validate.rules).string = {min_len: 1, max_len: 200},
(google.api.field_behavior) = REQUIRED,
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
min_length: 1,
max_length: 200,
example: "\"69629026806489455\"";
}
];
}
message DeleteWebKeyResponse {
// The timestamp of the deletion of the key.
// Note that the deletion date is only guaranteed to be set if the deletion was successful during the request.
// In case the deletion occurred in a previous request, the deletion date might be empty.
google.protobuf.Timestamp deletion_date = 3 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "\"2025-01-23T10:34:18.051Z\"";
}
];
}
message ListWebKeysRequest {}
message ListWebKeysResponse {
repeated WebKey web_keys = 1 [
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
example: "[{\"id\":\"69629012906488334\",\"creationDate\":\"2024-12-18T07:50:47.492Z\",\"changeDate\":\"2024-12-18T08:04:47.492Z\",\"state\":\"STATE_ACTIVE\",\"rsa\":{\"bits\":\"RSA_BITS_2048\",\"hasher\":\"RSA_HASHER_SHA256\"}},{\"id\":\"69629012909346200\",\"creationDate\":\"2025-01-18T12:05:47.492Z\",\"state\":\"STATE_INITIAL\",\"ecdsa\":{\"curve\":\"ECDSA_CURVE_P256\"}}]";
}
];
}