feat: support client_credentials for service users (#5134)

Request an access_token for service users with OAuth 2.0 Client Credentials Grant. Added functionality to generate and remove a secret on service users.
2025-08-12 01:37:31 +00:00 · 2023-01-31 20:52:47 +01:00
parent 7c7c93117b
commit e2fdd3f077
48 changed files with 2113 additions and 311 deletions
--- a/proto/zitadel/management.proto
+++ b/proto/zitadel/management.proto
@@ -625,6 +625,29 @@ service ManagementService {
        };
    }

+    // Generates and sets a new machine secret
+    rpc GenerateMachineSecret(GenerateMachineSecretRequest) returns (GenerateMachineSecretResponse) {
+        option (google.api.http) = {
+            put: "/users/{user_id}/secret"
+            body: "*"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "user.write"
+        };
+    }
+
+    // Removes the machine secret
+    rpc RemoveMachineSecret(RemoveMachineSecretRequest) returns (RemoveMachineSecretResponse) {
+        option (google.api.http) = {
+            delete: "/users/{user_id}/secret"
+        };
+
+        option (zitadel.v1.auth_option) = {
+            permission: "user.write"
+        };
+    }
+
    // Returns a machine key of a (machine) user
    rpc GetMachineKeyByIDs(GetMachineKeyByIDsRequest) returns (GetMachineKeyByIDsResponse) {
        option (google.api.http) = {
@@ -3616,6 +3639,24 @@ message UpdateMachineResponse {
    zitadel.v1.ObjectDetails details = 1;
 }

+message GenerateMachineSecretRequest {
+    string user_id = 1 [(validate.rules).string.min_len = 1];
+}
+
+message GenerateMachineSecretResponse {
+    string client_id = 1;
+    string client_secret = 2;
+    zitadel.v1.ObjectDetails details = 3;
+}
+
+message RemoveMachineSecretRequest {
+    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
+}
+
+message RemoveMachineSecretResponse {
+    zitadel.v1.ObjectDetails details = 1;
+}
+
 message GetMachineKeyByIDsRequest {
    string user_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}];
    string key_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}];
--- a/proto/zitadel/user.proto
+++ b/proto/zitadel/user.proto
@@ -78,6 +78,11 @@ message Machine {
            example: "\"The one and only IAM\"";
        }
    ];
+    bool has_secret = 3 [
+        (grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+            example: "\"true\"";
+        }
+    ];
 }

 message Profile {