Merge branch 'next' into next-rc

.github/workflows/e2e.yml

@@ -5,6 +5,7 @@ on:
 
 jobs:
   test:
+    timeout-minutes: 10
     strategy:
       fail-fast: false
       matrix:

.github/workflows/ready_for_review.yml

@@ -9,7 +9,7 @@ jobs:
       - uses: actions/github-script@v7
         with:
           script: |
-            const content = `### Thanks for your contribution! 🎉
+            const content = `### Thanks for your contribution @${{ github.event.pull_request.user.login }}! 🎉
 
             Please make sure you tick the following checkboxes before marking this Pull Request (PR) as ready for review:
             

MEETING_SCHEDULE.md

@@ -0,0 +1,29 @@
+# ZITADEL Office Hours
+
+Dear community!
+We're excited to announce bi-weekly office hours.
+
+## #1 Dive Deep into Actions v2
+
+The first office hour is dedicated to exploring the [new Actions v2 feature](https://zitadel.com/docs/concepts/features/actions_v2).
+
+What to expect:
+
+* **Deep Dive**: @adlerhurst will walk you through the functionalities and benefits of Actions v2.
+* **Live Q&A**: Get your questions answered directly by the ZITADEL team during the dedicated Q&A session.
+
+Details:
+
+* **Target Audience**: Developers and IT Ops personnel using ZITADEL
+* **Topic**: Actions v2 deep dive and Q&A
+* **When**: Wednesday 29th of May 12 pm PST / 3 pm EST / 9 pm CEST
+* **Duration**: about 1 hour
+* **Platform**: Zitadel Discord Server (Join us here:  https://zitadel.com/office-hours?event=1243282884677341275 )
+
+In the meantime:
+
+Feel free to share any questions you already have about Actions v2 in the chat of the [office hours channel](https://zitadel.com/office-hours) on our Discord server.
+
+We look forward to seeing you there!
+
+P.S. Spread the word! Share this announcement with your fellow ZITADEL users who might be interested.

README.md

@@ -30,6 +30,9 @@
         <img src="./docs/static/logos/oidc-cert.png" /></a>
 </p>
 
+|Community Meeting|
+|------------------|
+|ZITADEL holds bi-weekly community calls. To join the community calls or to watch previous meeting notes and recordings, please visit the [meeting schedule](https://github.com/zitadel/zitadel/blob/main/MEETING_SCHEDULE.md).|
 
 Are you searching for a user management tool that is quickly set up like Auth0 and open source like Keycloak?
 

cmd/initialise/init.go

@@ -19,6 +19,7 @@ var (
 
 	createUserStmt           string
 	grantStmt                string
+	settingsStmt             string
 	databaseStmt             string
 	createEventstoreStmt     string
 	createProjectionsStmt    string
@@ -39,7 +40,7 @@ func New() *cobra.Command {
 		Long: `Sets up the minimum requirements to start ZITADEL.
 
 Prerequisites:
-- cockroachDB
+- database (PostgreSql or cockroachdb)
 
 The user provided by flags needs privileges to
 - create the database if it does not exist
@@ -53,7 +54,7 @@ The user provided by flags needs privileges to
 		},
 	}
 
-	cmd.AddCommand(newZitadel(), newDatabase(), newUser(), newGrant())
+	cmd.AddCommand(newZitadel(), newDatabase(), newUser(), newGrant(), newSettings())
 	return cmd
 }
 
@@ -62,6 +63,7 @@ func InitAll(ctx context.Context, config *Config) {
 		VerifyUser(config.Database.Username(), config.Database.Password()),
 		VerifyDatabase(config.Database.DatabaseName()),
 		VerifyGrant(config.Database.DatabaseName(), config.Database.Username()),
+		VerifySettings(config.Database.DatabaseName(), config.Database.Username()),
 	)
 	logging.OnError(err).Fatal("unable to initialize the database")
 
@@ -147,6 +149,11 @@ func ReadStmts(typ string) (err error) {
 		return err
 	}
 
+	settingsStmt, err = readStmt(typ, "11_settings")
+	if err != nil {
+		return err
+	}
+
 	return nil
 }
 

cmd/initialise/sql/cockroach/11_settings.sql

@@ -0,0 +1,4 @@
+-- replace the first %[1]q with the database in double quotes
+-- replace the second \%[2]q with the user in double quotes$
+-- For more information see technical advisory 10009 (https://zitadel.com/docs/support/advisory/a10009)
+ALTER ROLE %[2]q IN DATABASE %[1]q SET enable_durable_locking_for_serializable = on;

cmd/initialise/verify_settings.go

@@ -0,0 +1,44 @@
+package initialise
+
+import (
+	_ "embed"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+)
+
+func newSettings() *cobra.Command {
+	return &cobra.Command{
+		Use:   "settings",
+		Short: "Ensures proper settings on the database",
+		Long: `Ensures proper settings on the database.
+
+Prerequisites:
+- cockroachDB or postgreSQL
+
+Cockroach
+- Sets enable_durable_locking_for_serializable to on for the zitadel user and database
+`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := MustNewConfig(viper.GetViper())
+
+			err := initialise(config.Database, VerifySettings(config.Database.DatabaseName(), config.Database.Username()))
+			logging.OnError(err).Fatal("unable to set settings")
+		},
+	}
+}
+
+func VerifySettings(databaseName, username string) func(*database.DB) error {
+	return func(db *database.DB) error {
+		if db.Type() == "postgres" {
+			return nil
+		}
+		logging.WithFields("user", username, "database", databaseName).Info("verify settings")
+
+		return exec(db, fmt.Sprintf(settingsStmt, databaseName, username), nil)
+	}
+}

cmd/mirror/auth.go

@@ -0,0 +1,91 @@
+package mirror
+
+import (
+	"context"
+	_ "embed"
+	"io"
+	"time"
+
+	"github.com/jackc/pgx/v5/stdlib"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/database/dialect"
+)
+
+func authCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "auth",
+		Short: "mirrors the auth requests table from one database to another",
+		Long: `mirrors the auth requests table from one database to another
+ZITADEL needs to be initialized and set up with the --for-mirror flag
+Only auth requests are mirrored`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := mustNewMigrationConfig(viper.GetViper())
+			copyAuth(cmd.Context(), config)
+		},
+	}
+
+	cmd.Flags().BoolVar(&shouldReplace, "replace", false, "allow delete auth requests of defined instances before copy")
+
+	return cmd
+}
+
+func copyAuth(ctx context.Context, config *Migration) {
+	sourceClient, err := database.Connect(config.Source, false, dialect.DBPurposeQuery)
+	logging.OnError(err).Fatal("unable to connect to source database")
+	defer sourceClient.Close()
+
+	destClient, err := database.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+	logging.OnError(err).Fatal("unable to connect to destination database")
+	defer destClient.Close()
+
+	copyAuthRequests(ctx, sourceClient, destClient)
+}
+
+func copyAuthRequests(ctx context.Context, source, dest *database.DB) {
+	start := time.Now()
+
+	sourceConn, err := source.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire connection")
+	defer sourceConn.Close()
+
+	r, w := io.Pipe()
+	errs := make(chan error, 1)
+
+	go func() {
+		err = sourceConn.Raw(func(driverConn interface{}) error {
+			conn := driverConn.(*stdlib.Conn).Conn()
+			_, err := conn.PgConn().CopyTo(ctx, w, "COPY (SELECT id, regexp_replace(request::TEXT, '\\\\u0000', '', 'g')::JSON request, code, request_type, creation_date, change_date, instance_id FROM auth.auth_requests "+instanceClause()+") TO STDOUT")
+			w.Close()
+			return err
+		})
+		errs <- err
+	}()
+
+	destConn, err := dest.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire connection")
+	defer destConn.Close()
+
+	var affected int64
+	err = destConn.Raw(func(driverConn interface{}) error {
+		conn := driverConn.(*stdlib.Conn).Conn()
+
+		if shouldReplace {
+			_, err := conn.Exec(ctx, "DELETE FROM auth.auth_requests "+instanceClause())
+			if err != nil {
+				return err
+			}
+		}
+
+		tag, err := conn.PgConn().CopyFrom(ctx, r, "COPY auth.auth_requests FROM STDIN")
+		affected = tag.RowsAffected()
+
+		return err
+	})
+	logging.OnError(err).Fatal("unable to copy auth requests to destination")
+	logging.OnError(<-errs).Fatal("unable to copy auth requests from source")
+	logging.WithFields("took", time.Since(start), "count", affected).Info("auth requests migrated")
+}

cmd/mirror/config.go

@@ -0,0 +1,80 @@
+package mirror
+
+import (
+	_ "embed"
+	"time"
+
+	"github.com/mitchellh/mapstructure"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/cmd/hooks"
+	"github.com/zitadel/zitadel/internal/actions"
+	internal_authz "github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/config/hook"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/id"
+)
+
+type Migration struct {
+	Source      database.Config
+	Destination database.Config
+
+	EventBulkSize uint32
+
+	Log     *logging.Config
+	Machine *id.Config
+}
+
+var (
+	//go:embed defaults.yaml
+	defaultConfig []byte
+)
+
+func mustNewMigrationConfig(v *viper.Viper) *Migration {
+	config := new(Migration)
+	mustNewConfig(v, config)
+
+	err := config.Log.SetLogger()
+	logging.OnError(err).Fatal("unable to set logger")
+
+	id.Configure(config.Machine)
+
+	return config
+}
+
+func mustNewProjectionsConfig(v *viper.Viper) *ProjectionsConfig {
+	config := new(ProjectionsConfig)
+	mustNewConfig(v, config)
+
+	err := config.Log.SetLogger()
+	logging.OnError(err).Fatal("unable to set logger")
+
+	id.Configure(config.Machine)
+
+	return config
+}
+
+func mustNewConfig(v *viper.Viper, config any) {
+	err := v.Unmarshal(config,
+		viper.DecodeHook(mapstructure.ComposeDecodeHookFunc(
+			hooks.SliceTypeStringDecode[*domain.CustomMessageText],
+			hooks.SliceTypeStringDecode[*command.SetQuota],
+			hooks.SliceTypeStringDecode[internal_authz.RoleMapping],
+			hooks.MapTypeStringDecode[string, *internal_authz.SystemAPIUser],
+			hooks.MapTypeStringDecode[domain.Feature, any],
+			hooks.MapHTTPHeaderStringDecode,
+			hook.Base64ToBytesHookFunc(),
+			hook.TagToLanguageHookFunc(),
+			mapstructure.StringToTimeDurationHookFunc(),
+			mapstructure.StringToTimeHookFunc(time.RFC3339),
+			mapstructure.StringToSliceHookFunc(","),
+			database.DecodeHook,
+			actions.HTTPConfigDecodeHook,
+			hook.EnumHookFunc(internal_authz.MemberTypeString),
+		)),
+	)
+	logging.OnError(err).Fatal("unable to read default config")
+}

cmd/mirror/defaults.yaml

@@ -0,0 +1,114 @@
+Source:
+  cockroach:
+    Host: localhost # ZITADEL_DATABASE_COCKROACH_HOST
+    Port: 26257 # ZITADEL_DATABASE_COCKROACH_PORT
+    Database: zitadel # ZITADEL_DATABASE_COCKROACH_DATABASE
+    MaxOpenConns: 6 # ZITADEL_DATABASE_COCKROACH_MAXOPENCONNS
+    MaxIdleConns: 6 # ZITADEL_DATABASE_COCKROACH_MAXIDLECONNS
+    EventPushConnRatio: 0.33 # ZITADEL_DATABASE_COCKROACH_EVENTPUSHCONNRATIO
+    ProjectionSpoolerConnRatio: 0.33 # ZITADEL_DATABASE_COCKROACH_PROJECTIONSPOOLERCONNRATIO
+    MaxConnLifetime: 30m # ZITADEL_DATABASE_COCKROACH_MAXCONNLIFETIME
+    MaxConnIdleTime: 5m # ZITADEL_DATABASE_COCKROACH_MAXCONNIDLETIME
+    Options: "" # ZITADEL_DATABASE_COCKROACH_OPTIONS
+    User:
+      Username: zitadel # ZITADEL_DATABASE_COCKROACH_USER_USERNAME
+      Password: "" # ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
+      SSL:
+        Mode: disable # ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE
+        RootCert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT
+        Cert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT
+        Key: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY
+  # Postgres is used as soon as a value is set
+  # The values describe the possible fields to set values
+  postgres:
+    Host: # ZITADEL_DATABASE_POSTGRES_HOST
+    Port: # ZITADEL_DATABASE_POSTGRES_PORT
+    Database: # ZITADEL_DATABASE_POSTGRES_DATABASE
+    MaxOpenConns: # ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS
+    MaxIdleConns: # ZITADEL_DATABASE_POSTGRES_MAXIDLECONNS
+    MaxConnLifetime: # ZITADEL_DATABASE_POSTGRES_MAXCONNLIFETIME
+    MaxConnIdleTime: # ZITADEL_DATABASE_POSTGRES_MAXCONNIDLETIME
+    Options: # ZITADEL_DATABASE_POSTGRES_OPTIONS
+    User:
+      Username: # ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+      Password: # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
+      SSL:
+        Mode: # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+        RootCert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
+        Cert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
+        Key: # ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
+
+Destination:
+  cockroach:
+    Host: localhost # ZITADEL_DATABASE_COCKROACH_HOST
+    Port: 26257 # ZITADEL_DATABASE_COCKROACH_PORT
+    Database: zitadel # ZITADEL_DATABASE_COCKROACH_DATABASE
+    MaxOpenConns: 0 # ZITADEL_DATABASE_COCKROACH_MAXOPENCONNS
+    MaxIdleConns: 0 # ZITADEL_DATABASE_COCKROACH_MAXIDLECONNS
+    MaxConnLifetime: 30m # ZITADEL_DATABASE_COCKROACH_MAXCONNLIFETIME
+    MaxConnIdleTime: 5m # ZITADEL_DATABASE_COCKROACH_MAXCONNIDLETIME
+    EventPushConnRatio: 0.01 # ZITADEL_DATABASE_COCKROACH_EVENTPUSHCONNRATIO
+    ProjectionSpoolerConnRatio: 0.5 # ZITADEL_DATABASE_COCKROACH_PROJECTIONSPOOLERCONNRATIO
+    Options: "" # ZITADEL_DATABASE_COCKROACH_OPTIONS
+    User:
+      Username: zitadel # ZITADEL_DATABASE_COCKROACH_USER_USERNAME
+      Password: "" # ZITADEL_DATABASE_COCKROACH_USER_PASSWORD
+      SSL:
+        Mode: disable # ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE
+        RootCert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT
+        Cert: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT
+        Key: "" # ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY
+  # Postgres is used as soon as a value is set
+  # The values describe the possible fields to set values
+  postgres:
+    Host: # ZITADEL_DATABASE_POSTGRES_HOST
+    Port: # ZITADEL_DATABASE_POSTGRES_PORT
+    Database: # ZITADEL_DATABASE_POSTGRES_DATABASE
+    MaxOpenConns: # ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS
+    MaxIdleConns: # ZITADEL_DATABASE_POSTGRES_MAXIDLECONNS
+    MaxConnLifetime: # ZITADEL_DATABASE_POSTGRES_MAXCONNLIFETIME
+    MaxConnIdleTime: # ZITADEL_DATABASE_POSTGRES_MAXCONNIDLETIME
+    Options: # ZITADEL_DATABASE_POSTGRES_OPTIONS
+    User:
+      Username: # ZITADEL_DATABASE_POSTGRES_USER_USERNAME
+      Password: # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD
+      SSL:
+        Mode: # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE
+        RootCert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT
+        Cert: # ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT
+        Key: # ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY
+
+EventBulkSize: 10000
+
+Projections:
+  # The maximum duration a transaction remains open 
+  # before it spots left folding additional events
+  # and updates the table.
+  TransactionDuration: 0s # ZITADEL_PROJECTIONS_TRANSACTIONDURATION
+  # turn off scheduler during operation
+  RequeueEvery: 0s
+  ConcurrentInstances: 7
+  EventBulkLimit: 1000
+  Customizations:
+    notifications:
+      MaxFailureCount: 1
+
+Eventstore:
+  MaxRetries: 3
+
+Auth:
+  Spooler:
+    TransactionDuration: 0s #ZITADEL_AUTH_SPOOLER_TRANSACTIONDURATION
+    BulkLimit: 1000 #ZITADEL_AUTH_SPOOLER_BULKLIMIT
+
+Admin:
+  Spooler:
+    TransactionDuration: 0s #ZITADEL_AUTH_SPOOLER_TRANSACTIONDURATION
+    BulkLimit: 10 #ZITADEL_AUTH_SPOOLER_BULKLIMIT
+
+FirstInstance:
+  # We only need to create an empty zitadel database so this step must be skipped
+  Skip: true
+
+Log:
+  Level: info

cmd/mirror/event.go

@@ -0,0 +1,96 @@
+package mirror
+
+import (
+	"context"
+
+	"github.com/zitadel/zitadel/internal/v2/eventstore"
+	"github.com/zitadel/zitadel/internal/v2/projection"
+	"github.com/zitadel/zitadel/internal/v2/readmodel"
+	"github.com/zitadel/zitadel/internal/v2/system"
+	mirror_event "github.com/zitadel/zitadel/internal/v2/system/mirror"
+)
+
+func queryLastSuccessfulMigration(ctx context.Context, destinationES *eventstore.EventStore, source string) (*readmodel.LastSuccessfulMirror, error) {
+	lastSuccess := readmodel.NewLastSuccessfulMirror(source)
+	if shouldIgnorePrevious {
+		return lastSuccess, nil
+	}
+	_, err := destinationES.Query(
+		ctx,
+		eventstore.NewQuery(
+			system.AggregateInstance,
+			lastSuccess,
+			eventstore.SetFilters(lastSuccess.Filter()),
+		),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return lastSuccess, nil
+}
+
+func writeMigrationStart(ctx context.Context, sourceES *eventstore.EventStore, id string, destination string) (_ float64, err error) {
+	var cmd *eventstore.Command
+	if len(instanceIDs) > 0 {
+		cmd, err = mirror_event.NewStartedInstancesCommand(destination, instanceIDs)
+		if err != nil {
+			return 0, err
+		}
+	} else {
+		cmd = mirror_event.NewStartedSystemCommand(destination)
+	}
+
+	var position projection.HighestPosition
+
+	err = sourceES.Push(
+		ctx,
+		eventstore.NewPushIntent(
+			system.AggregateInstance,
+			eventstore.AppendAggregate(
+				system.AggregateOwner,
+				system.AggregateType,
+				id,
+				eventstore.CurrentSequenceMatches(0),
+				eventstore.AppendCommands(cmd),
+			),
+			eventstore.PushReducer(&position),
+		),
+	)
+	if err != nil {
+		return 0, err
+	}
+	return position.Position, nil
+}
+
+func writeMigrationSucceeded(ctx context.Context, destinationES *eventstore.EventStore, id, source string, position float64) error {
+	return destinationES.Push(
+		ctx,
+		eventstore.NewPushIntent(
+			system.AggregateInstance,
+			eventstore.AppendAggregate(
+				system.AggregateOwner,
+				system.AggregateType,
+				id,
+				eventstore.CurrentSequenceMatches(0),
+				eventstore.AppendCommands(mirror_event.NewSucceededCommand(source, position)),
+			),
+		),
+	)
+}
+
+func writeMigrationFailed(ctx context.Context, destinationES *eventstore.EventStore, id, source string, err error) error {
+	return destinationES.Push(
+		ctx,
+		eventstore.NewPushIntent(
+			system.AggregateInstance,
+			eventstore.AppendAggregate(
+				system.AggregateOwner,
+				system.AggregateType,
+				id,
+				eventstore.CurrentSequenceMatches(0),
+				eventstore.AppendCommands(mirror_event.NewFailedCommand(source, err)),
+			),
+		),
+	)
+}

cmd/mirror/event_store.go

@@ -0,0 +1,250 @@
+package mirror
+
+import (
+	"context"
+	"database/sql"
+	_ "embed"
+	"errors"
+	"io"
+	"time"
+
+	"github.com/jackc/pgx/v5/stdlib"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	db "github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/database/dialect"
+	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/v2/database"
+	"github.com/zitadel/zitadel/internal/v2/eventstore"
+	"github.com/zitadel/zitadel/internal/v2/eventstore/postgres"
+	"github.com/zitadel/zitadel/internal/zerrors"
+)
+
+var shouldIgnorePrevious bool
+
+func eventstoreCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "eventstore",
+		Short: "mirrors the eventstore of an instance from one database to another",
+		Long: `mirrors the eventstore of an instance from one database to another
+ZITADEL needs to be initialized and set up with the --for-mirror flag
+Migrate only copies events2 and unique constraints`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := mustNewMigrationConfig(viper.GetViper())
+			copyEventstore(cmd.Context(), config)
+		},
+	}
+
+	cmd.Flags().BoolVar(&shouldReplace, "replace", false, "allow delete unique constraints of defined instances before copy")
+	cmd.Flags().BoolVar(&shouldIgnorePrevious, "ignore-previous", false, "ignores previous migrations of the events table")
+
+	return cmd
+}
+
+func copyEventstore(ctx context.Context, config *Migration) {
+	sourceClient, err := db.Connect(config.Source, false, dialect.DBPurposeQuery)
+	logging.OnError(err).Fatal("unable to connect to source database")
+	defer sourceClient.Close()
+
+	destClient, err := db.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+	logging.OnError(err).Fatal("unable to connect to destination database")
+	defer destClient.Close()
+
+	copyEvents(ctx, sourceClient, destClient, config.EventBulkSize)
+	copyUniqueConstraints(ctx, sourceClient, destClient)
+}
+
+func positionQuery(db *db.DB) string {
+	switch db.Type() {
+	case "postgres":
+		return "SELECT EXTRACT(EPOCH FROM clock_timestamp())"
+	case "cockroach":
+		return "SELECT cluster_logical_timestamp()"
+	default:
+		logging.WithFields("db_type", db.Type()).Fatal("database type not recognized")
+		return ""
+	}
+}
+
+func copyEvents(ctx context.Context, source, dest *db.DB, bulkSize uint32) {
+	start := time.Now()
+	reader, writer := io.Pipe()
+
+	migrationID, err := id.SonyFlakeGenerator().Next()
+	logging.OnError(err).Fatal("unable to generate migration id")
+
+	sourceConn, err := source.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire source connection")
+
+	destConn, err := dest.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire dest connection")
+
+	sourceES := eventstore.NewEventstoreFromOne(postgres.New(source, &postgres.Config{
+		MaxRetries: 3,
+	}))
+	destinationES := eventstore.NewEventstoreFromOne(postgres.New(dest, &postgres.Config{
+		MaxRetries: 3,
+	}))
+
+	previousMigration, err := queryLastSuccessfulMigration(ctx, destinationES, source.DatabaseName())
+	logging.OnError(err).Fatal("unable to query latest successful migration")
+
+	maxPosition, err := writeMigrationStart(ctx, sourceES, migrationID, dest.DatabaseName())
+	logging.OnError(err).Fatal("unable to write migration started event")
+
+	logging.WithFields("from", previousMigration.Position, "to", maxPosition).Info("start event migration")
+
+	nextPos := make(chan bool, 1)
+	pos := make(chan float64, 1)
+	errs := make(chan error, 3)
+
+	go func() {
+		err := sourceConn.Raw(func(driverConn interface{}) error {
+			conn := driverConn.(*stdlib.Conn).Conn()
+			nextPos <- true
+			var i uint32
+			for position := range pos {
+				var stmt database.Statement
+				stmt.WriteString("COPY (SELECT instance_id, aggregate_type, aggregate_id, event_type, sequence, revision, created_at, regexp_replace(payload::TEXT, '\\\\u0000', '', 'g')::JSON payload, creator, owner, ")
+				stmt.WriteArg(position)
+				stmt.WriteString(" position, row_number() OVER (PARTITION BY instance_id ORDER BY position, in_tx_order) AS in_tx_order FROM eventstore.events2 ")
+				stmt.WriteString(instanceClause())
+				stmt.WriteString(" AND ")
+				database.NewNumberAtMost(maxPosition).Write(&stmt, "position")
+				stmt.WriteString(" AND ")
+				database.NewNumberGreater(previousMigration.Position).Write(&stmt, "position")
+				stmt.WriteString(" ORDER BY instance_id, position, in_tx_order")
+				stmt.WriteString(" LIMIT ")
+				stmt.WriteArg(bulkSize)
+				stmt.WriteString(" OFFSET ")
+				stmt.WriteArg(bulkSize * i)
+				stmt.WriteString(") TO STDOUT")
+
+				// Copy does not allow args so we use we replace the args in the statement
+				tag, err := conn.PgConn().CopyTo(ctx, writer, stmt.Debug())
+				if err != nil {
+					return zerrors.ThrowUnknownf(err, "MIGRA-KTuSq", "unable to copy events from source during iteration %d", i)
+				}
+				if tag.RowsAffected() < int64(bulkSize) {
+					return nil
+				}
+
+				nextPos <- true
+				i++
+			}
+			return nil
+		})
+		writer.Close()
+		close(nextPos)
+		errs <- err
+	}()
+
+	// generate next position for
+	go func() {
+		defer close(pos)
+		for range nextPos {
+			var position float64
+			err := dest.QueryRowContext(
+				ctx,
+				func(row *sql.Row) error {
+					return row.Scan(&position)
+				},
+				positionQuery(dest),
+			)
+			if err != nil {
+				errs <- zerrors.ThrowUnknown(err, "MIGRA-kMyPH", "unable to query next position")
+				return
+			}
+			pos <- position
+		}
+	}()
+
+	var eventCount int64
+	errs <- destConn.Raw(func(driverConn interface{}) error {
+		conn := driverConn.(*stdlib.Conn).Conn()
+
+		tag, err := conn.PgConn().CopyFrom(ctx, reader, "COPY eventstore.events2 FROM STDIN")
+		eventCount = tag.RowsAffected()
+		if err != nil {
+			return zerrors.ThrowUnknown(err, "MIGRA-DTHi7", "unable to copy events into destination")
+		}
+
+		return nil
+	})
+
+	close(errs)
+	writeCopyEventsDone(ctx, destinationES, migrationID, source.DatabaseName(), maxPosition, errs)
+
+	logging.WithFields("took", time.Since(start), "count", eventCount).Info("events migrated")
+}
+
+func writeCopyEventsDone(ctx context.Context, es *eventstore.EventStore, id, source string, position float64, errs <-chan error) {
+	joinedErrs := make([]error, 0, len(errs))
+	for err := range errs {
+		joinedErrs = append(joinedErrs, err)
+	}
+	err := errors.Join(joinedErrs...)
+
+	if err != nil {
+		logging.WithError(err).Error("unable to mirror events")
+		err := writeMigrationFailed(ctx, es, id, source, err)
+		logging.OnError(err).Fatal("unable to write failed event")
+		return
+	}
+
+	err = writeMigrationSucceeded(ctx, es, id, source, position)
+	logging.OnError(err).Fatal("unable to write failed event")
+}
+
+func copyUniqueConstraints(ctx context.Context, source, dest *db.DB) {
+	start := time.Now()
+	reader, writer := io.Pipe()
+	errs := make(chan error, 1)
+
+	sourceConn, err := source.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire source connection")
+
+	go func() {
+		err := sourceConn.Raw(func(driverConn interface{}) error {
+			conn := driverConn.(*stdlib.Conn).Conn()
+			var stmt database.Statement
+			stmt.WriteString("COPY (SELECT instance_id, unique_type, unique_field FROM eventstore.unique_constraints ")
+			stmt.WriteString(instanceClause())
+			stmt.WriteString(") TO stdout")
+
+			_, err := conn.PgConn().CopyTo(ctx, writer, stmt.String())
+			writer.Close()
+			return err
+		})
+		errs <- err
+	}()
+
+	destConn, err := dest.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire dest connection")
+
+	var eventCount int64
+	err = destConn.Raw(func(driverConn interface{}) error {
+		conn := driverConn.(*stdlib.Conn).Conn()
+
+		if shouldReplace {
+			var stmt database.Statement
+			stmt.WriteString("DELETE FROM eventstore.unique_constraints ")
+			stmt.WriteString(instanceClause())
+
+			_, err := conn.Exec(ctx, stmt.String())
+			if err != nil {
+				return err
+			}
+		}
+
+		tag, err := conn.PgConn().CopyFrom(ctx, reader, "COPY eventstore.unique_constraints FROM stdin")
+		eventCount = tag.RowsAffected()
+
+		return err
+	})
+	logging.OnError(err).Fatal("unable to copy unique constraints to destination")
+	logging.OnError(<-errs).Fatal("unable to copy unique constraints from source")
+	logging.WithFields("took", time.Since(start), "count", eventCount).Info("unique constraints migrated")
+}

cmd/mirror/mirror.go

@@ -0,0 +1,94 @@
+package mirror
+
+import (
+	"bytes"
+	_ "embed"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/cmd/key"
+)
+
+var (
+	instanceIDs   []string
+	isSystem      bool
+	shouldReplace bool
+)
+
+func New() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "mirror",
+		Short: "mirrors all data of ZITADEL from one database to another",
+		Long: `mirrors all data of ZITADEL from one database to another
+ZITADEL needs to be initialized and set up with --for-mirror
+
+The command does mirror all data needed and recomputes the projections.
+For more details call the help functions of the sub commands.
+
+Order of execution:
+1. mirror system tables
+2. mirror auth tables
+3. mirror event store tables
+4. recompute projections
+5. verify`,
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			err := viper.MergeConfig(bytes.NewBuffer(defaultConfig))
+			logging.OnError(err).Fatal("unable to read default config")
+		},
+		Run: func(cmd *cobra.Command, args []string) {
+			config := mustNewMigrationConfig(viper.GetViper())
+			projectionConfig := mustNewProjectionsConfig(viper.GetViper())
+
+			masterKey, err := key.MasterKey(cmd)
+			logging.OnError(err).Fatal("unable to read master key")
+
+			copySystem(cmd.Context(), config)
+			copyAuth(cmd.Context(), config)
+			copyEventstore(cmd.Context(), config)
+
+			projections(cmd.Context(), projectionConfig, masterKey)
+			verifyMigration(cmd.Context(), config)
+		},
+	}
+
+	mirrorFlags(cmd)
+	cmd.Flags().BoolVar(&shouldIgnorePrevious, "ignore-previous", false, "ignores previous migrations of the events table")
+	cmd.Flags().BoolVar(&shouldReplace, "replace", false, `replaces all data of the following tables for the provided instances or all if the "--system"-flag is set:
+* system.assets
+* auth.auth_requests
+* eventstore.unique_constraints
+The flag should be provided if you want to execute the mirror command multiple times so that the static data are also mirrored to prevent inconsistent states.`)
+	migrateProjectionsFlags(cmd)
+
+	cmd.AddCommand(
+		eventstoreCmd(),
+		systemCmd(),
+		projectionsCmd(),
+		authCmd(),
+		verifyCmd(),
+	)
+
+	return cmd
+}
+
+func mirrorFlags(cmd *cobra.Command) {
+	cmd.PersistentFlags().StringSliceVar(&instanceIDs, "instance", nil, "id or comma separated ids of the instance(s) to migrate. Either this or the `--system`-flag must be set. Make sure to always use the same flag if you execute the command multiple times.")
+	cmd.PersistentFlags().BoolVar(&isSystem, "system", false, "migrates the whole system. Either this or the `--instance`-flag must be set. Make sure to always use the same flag if you execute the command multiple times.")
+	cmd.MarkFlagsOneRequired("system", "instance")
+	cmd.MarkFlagsMutuallyExclusive("system", "instance")
+}
+
+func instanceClause() string {
+	if isSystem {
+		return "WHERE instance_id <> ''"
+	}
+	for i := range instanceIDs {
+		instanceIDs[i] = "'" + instanceIDs[i] + "'"
+	}
+
+	// COPY does not allow parameters so we need to set them directly
+	return "WHERE instance_id IN (" + strings.Join(instanceIDs, ", ") + ")"
+}

cmd/mirror/projections.go

@@ -0,0 +1,316 @@
+package mirror
+
+import (
+	"context"
+	"database/sql"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/cmd/encryption"
+	"github.com/zitadel/zitadel/cmd/key"
+	"github.com/zitadel/zitadel/cmd/tls"
+	admin_es "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing"
+	admin_handler "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing/handler"
+	admin_view "github.com/zitadel/zitadel/internal/admin/repository/eventsourcing/view"
+	internal_authz "github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/api/oidc"
+	"github.com/zitadel/zitadel/internal/api/ui/login"
+	auth_es "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing"
+	auth_handler "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/handler"
+	auth_view "github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/view"
+	"github.com/zitadel/zitadel/internal/authz"
+	authz_es "github.com/zitadel/zitadel/internal/authz/repository/eventsourcing/eventstore"
+	"github.com/zitadel/zitadel/internal/command"
+	"github.com/zitadel/zitadel/internal/config/systemdefaults"
+	crypto_db "github.com/zitadel/zitadel/internal/crypto/database"
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/database/dialect"
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/eventstore"
+	old_es "github.com/zitadel/zitadel/internal/eventstore/repository/sql"
+	new_es "github.com/zitadel/zitadel/internal/eventstore/v3"
+	"github.com/zitadel/zitadel/internal/i18n"
+	"github.com/zitadel/zitadel/internal/id"
+	"github.com/zitadel/zitadel/internal/notification"
+	"github.com/zitadel/zitadel/internal/notification/handlers"
+	"github.com/zitadel/zitadel/internal/query"
+	"github.com/zitadel/zitadel/internal/query/projection"
+	static_config "github.com/zitadel/zitadel/internal/static/config"
+	es_v4 "github.com/zitadel/zitadel/internal/v2/eventstore"
+	es_v4_pg "github.com/zitadel/zitadel/internal/v2/eventstore/postgres"
+	"github.com/zitadel/zitadel/internal/webauthn"
+)
+
+func projectionsCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "projections",
+		Short: "calls the projections synchronously",
+		Run: func(cmd *cobra.Command, args []string) {
+			config := mustNewProjectionsConfig(viper.GetViper())
+
+			masterKey, err := key.MasterKey(cmd)
+			logging.OnError(err).Fatal("unable to read master key")
+
+			projections(cmd.Context(), config, masterKey)
+		},
+	}
+
+	migrateProjectionsFlags(cmd)
+
+	return cmd
+}
+
+type ProjectionsConfig struct {
+	Destination    database.Config
+	Projections    projection.Config
+	EncryptionKeys *encryption.EncryptionKeyConfig
+	SystemAPIUsers map[string]*internal_authz.SystemAPIUser
+	Eventstore     *eventstore.Config
+
+	Admin admin_es.Config
+	Auth  auth_es.Config
+
+	Log     *logging.Config
+	Machine *id.Config
+
+	ExternalPort    uint16
+	ExternalDomain  string
+	ExternalSecure  bool
+	InternalAuthZ   internal_authz.Config
+	SystemDefaults  systemdefaults.SystemDefaults
+	Telemetry       *handlers.TelemetryPusherConfig
+	Login           login.Config
+	OIDC            oidc.Config
+	WebAuthNName    string
+	DefaultInstance command.InstanceSetup
+	AssetStorage    static_config.AssetStorageConfig
+}
+
+func migrateProjectionsFlags(cmd *cobra.Command) {
+	key.AddMasterKeyFlag(cmd)
+	tls.AddTLSModeFlag(cmd)
+}
+
+func projections(
+	ctx context.Context,
+	config *ProjectionsConfig,
+	masterKey string,
+) {
+	start := time.Now()
+
+	client, err := database.Connect(config.Destination, false, dialect.DBPurposeQuery)
+	logging.OnError(err).Fatal("unable to connect to database")
+
+	keyStorage, err := crypto_db.NewKeyStorage(client, masterKey)
+	logging.OnError(err).Fatal("cannot start key storage")
+
+	keys, err := encryption.EnsureEncryptionKeys(ctx, config.EncryptionKeys, keyStorage)
+	logging.OnError(err).Fatal("unable to read encryption keys")
+
+	staticStorage, err := config.AssetStorage.NewStorage(client.DB)
+	logging.OnError(err).Fatal("unable create static storage")
+
+	config.Eventstore.Querier = old_es.NewCRDB(client)
+	esPusherDBClient, err := database.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+	logging.OnError(err).Fatal("unable to connect eventstore push client")
+	config.Eventstore.Pusher = new_es.NewEventstore(esPusherDBClient)
+	es := eventstore.NewEventstore(config.Eventstore)
+	esV4 := es_v4.NewEventstoreFromOne(es_v4_pg.New(client, &es_v4_pg.Config{
+		MaxRetries: config.Eventstore.MaxRetries,
+	}))
+
+	sessionTokenVerifier := internal_authz.SessionTokenVerifier(keys.OIDC)
+
+	queries, err := query.StartQueries(
+		ctx,
+		es,
+		esV4.Querier,
+		client,
+		client,
+		config.Projections,
+		config.SystemDefaults,
+		keys.IDPConfig,
+		keys.OTP,
+		keys.OIDC,
+		keys.SAML,
+		config.InternalAuthZ.RolePermissionMappings,
+		sessionTokenVerifier,
+		func(q *query.Queries) domain.PermissionCheck {
+			return func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+				return internal_authz.CheckPermission(ctx, &authz_es.UserMembershipRepo{Queries: q}, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
+			}
+		},
+		0,
+		config.SystemAPIUsers,
+		false,
+	)
+	logging.OnError(err).Fatal("unable to start queries")
+
+	authZRepo, err := authz.Start(queries, es, client, keys.OIDC, config.ExternalSecure)
+	logging.OnError(err).Fatal("unable to start authz repo")
+
+	webAuthNConfig := &webauthn.Config{
+		DisplayName:    config.WebAuthNName,
+		ExternalSecure: config.ExternalSecure,
+	}
+	commands, err := command.StartCommands(
+		es,
+		config.SystemDefaults,
+		config.InternalAuthZ.RolePermissionMappings,
+		staticStorage,
+		webAuthNConfig,
+		config.ExternalDomain,
+		config.ExternalSecure,
+		config.ExternalPort,
+		keys.IDPConfig,
+		keys.OTP,
+		keys.SMTP,
+		keys.SMS,
+		keys.User,
+		keys.DomainVerification,
+		keys.OIDC,
+		keys.SAML,
+		&http.Client{},
+		func(ctx context.Context, permission, orgID, resourceID string) (err error) {
+			return internal_authz.CheckPermission(ctx, authZRepo, config.InternalAuthZ.RolePermissionMappings, permission, orgID, resourceID)
+		},
+		sessionTokenVerifier,
+		config.OIDC.DefaultAccessTokenLifetime,
+		config.OIDC.DefaultRefreshTokenExpiration,
+		config.OIDC.DefaultRefreshTokenIdleExpiration,
+		config.DefaultInstance.SecretGenerators,
+	)
+	logging.OnError(err).Fatal("unable to start commands")
+
+	err = projection.Create(ctx, client, es, config.Projections, keys.OIDC, keys.SAML, config.SystemAPIUsers)
+	logging.OnError(err).Fatal("unable to start projections")
+
+	i18n.MustLoadSupportedLanguagesFromDir()
+
+	notification.Register(
+		ctx,
+		config.Projections.Customizations["notifications"],
+		config.Projections.Customizations["notificationsquotas"],
+		config.Projections.Customizations["telemetry"],
+		*config.Telemetry,
+		config.ExternalDomain,
+		config.ExternalPort,
+		config.ExternalSecure,
+		commands,
+		queries,
+		es,
+		config.Login.DefaultOTPEmailURLV2,
+		config.SystemDefaults.Notifications.FileSystemPath,
+		keys.User,
+		keys.SMTP,
+		keys.SMS,
+	)
+
+	config.Auth.Spooler.Client = client
+	config.Auth.Spooler.Eventstore = es
+	authView, err := auth_view.StartView(config.Auth.Spooler.Client, keys.OIDC, queries, config.Auth.Spooler.Eventstore)
+	logging.OnError(err).Fatal("unable to start auth view")
+	auth_handler.Register(ctx, config.Auth.Spooler, authView, queries)
+
+	config.Admin.Spooler.Client = client
+	config.Admin.Spooler.Eventstore = es
+	adminView, err := admin_view.StartView(config.Admin.Spooler.Client)
+	logging.OnError(err).Fatal("unable to start admin view")
+
+	admin_handler.Register(ctx, config.Admin.Spooler, adminView, staticStorage)
+
+	instances := make(chan string, config.Projections.ConcurrentInstances)
+	failedInstances := make(chan string)
+	wg := sync.WaitGroup{}
+	wg.Add(int(config.Projections.ConcurrentInstances))
+
+	go func() {
+		for instance := range failedInstances {
+			logging.WithFields("instance", instance).Error("projection failed")
+		}
+	}()
+
+	for i := 0; i < int(config.Projections.ConcurrentInstances); i++ {
+		go execProjections(ctx, instances, failedInstances, &wg)
+	}
+
+	for _, instance := range queryInstanceIDs(ctx, client) {
+		instances <- instance
+	}
+	close(instances)
+	wg.Wait()
+
+	close(failedInstances)
+
+	logging.WithFields("took", time.Since(start)).Info("projections executed")
+}
+
+func execProjections(ctx context.Context, instances <-chan string, failedInstances chan<- string, wg *sync.WaitGroup) {
+	for instance := range instances {
+		logging.WithFields("instance", instance).Info("start projections")
+		ctx = internal_authz.WithInstanceID(ctx, instance)
+
+		err := projection.ProjectInstance(ctx)
+		if err != nil {
+			logging.WithFields("instance", instance).OnError(err).Info("trigger failed")
+			failedInstances <- instance
+			continue
+		}
+
+		err = admin_handler.ProjectInstance(ctx)
+		if err != nil {
+			logging.WithFields("instance", instance).OnError(err).Info("trigger admin handler failed")
+			failedInstances <- instance
+			continue
+		}
+
+		err = auth_handler.ProjectInstance(ctx)
+		if err != nil {
+			logging.WithFields("instance", instance).OnError(err).Info("trigger auth handler failed")
+			failedInstances <- instance
+			continue
+		}
+
+		err = notification.ProjectInstance(ctx)
+		if err != nil {
+			logging.WithFields("instance", instance).OnError(err).Info("trigger notification failed")
+			failedInstances <- instance
+			continue
+		}
+		logging.WithFields("instance", instance).Info("projections done")
+	}
+	wg.Done()
+}
+
+// returns the instance configured by flag
+// or all instances which are not removed
+func queryInstanceIDs(ctx context.Context, source *database.DB) []string {
+	if len(instanceIDs) > 0 {
+		return instanceIDs
+	}
+
+	instances := []string{}
+	err := source.QueryContext(
+		ctx,
+		func(r *sql.Rows) error {
+			for r.Next() {
+				var instance string
+
+				if err := r.Scan(&instance); err != nil {
+					return err
+				}
+				instances = append(instances, instance)
+			}
+			return r.Err()
+		},
+		"SELECT DISTINCT instance_id FROM eventstore.events2 WHERE instance_id <> '' AND aggregate_type = 'instance' AND event_type = 'instance.added' AND instance_id NOT IN (SELECT instance_id FROM eventstore.events2 WHERE instance_id <> '' AND aggregate_type = 'instance' AND event_type = 'instance.removed')",
+	)
+	logging.OnError(err).Fatal("unable to query instances")
+
+	return instances
+}

cmd/mirror/system.go

@@ -0,0 +1,139 @@
+package mirror
+
+import (
+	"context"
+	_ "embed"
+	"io"
+	"time"
+
+	"github.com/jackc/pgx/v5/stdlib"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/database/dialect"
+)
+
+func systemCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "system",
+		Short: "mirrors the system tables of ZITADEL from one database to another",
+		Long: `mirrors the system tables of ZITADEL from one database to another
+ZITADEL needs to be initialized
+Only keys and assets are mirrored`,
+		Run: func(cmd *cobra.Command, args []string) {
+			config := mustNewMigrationConfig(viper.GetViper())
+			copySystem(cmd.Context(), config)
+		},
+	}
+
+	cmd.Flags().BoolVar(&shouldReplace, "replace", false, "allow delete ALL keys and assets of defined instances before copy")
+
+	return cmd
+}
+
+func copySystem(ctx context.Context, config *Migration) {
+	sourceClient, err := database.Connect(config.Source, false, dialect.DBPurposeQuery)
+	logging.OnError(err).Fatal("unable to connect to source database")
+	defer sourceClient.Close()
+
+	destClient, err := database.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+	logging.OnError(err).Fatal("unable to connect to destination database")
+	defer destClient.Close()
+
+	copyAssets(ctx, sourceClient, destClient)
+	copyEncryptionKeys(ctx, sourceClient, destClient)
+}
+
+func copyAssets(ctx context.Context, source, dest *database.DB) {
+	start := time.Now()
+
+	sourceConn, err := source.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire source connection")
+	defer sourceConn.Close()
+
+	r, w := io.Pipe()
+	errs := make(chan error, 1)
+
+	go func() {
+		err = sourceConn.Raw(func(driverConn interface{}) error {
+			conn := driverConn.(*stdlib.Conn).Conn()
+			// ignore hash column because it's computed
+			_, err := conn.PgConn().CopyTo(ctx, w, "COPY (SELECT instance_id, asset_type, resource_owner, name, content_type, data, updated_at FROM system.assets "+instanceClause()+") TO stdout")
+			w.Close()
+			return err
+		})
+		errs <- err
+	}()
+
+	destConn, err := dest.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire dest connection")
+	defer destConn.Close()
+
+	var eventCount int64
+	err = destConn.Raw(func(driverConn interface{}) error {
+		conn := driverConn.(*stdlib.Conn).Conn()
+
+		if shouldReplace {
+			_, err := conn.Exec(ctx, "DELETE FROM system.assets "+instanceClause())
+			if err != nil {
+				return err
+			}
+		}
+
+		tag, err := conn.PgConn().CopyFrom(ctx, r, "COPY system.assets (instance_id, asset_type, resource_owner, name, content_type, data, updated_at) FROM stdin")
+		eventCount = tag.RowsAffected()
+
+		return err
+	})
+	logging.OnError(err).Fatal("unable to copy assets to destination")
+	logging.OnError(<-errs).Fatal("unable to copy assets from source")
+	logging.WithFields("took", time.Since(start), "count", eventCount).Info("assets migrated")
+}
+
+func copyEncryptionKeys(ctx context.Context, source, dest *database.DB) {
+	start := time.Now()
+
+	sourceConn, err := source.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire source connection")
+	defer sourceConn.Close()
+
+	r, w := io.Pipe()
+	errs := make(chan error, 1)
+
+	go func() {
+		err = sourceConn.Raw(func(driverConn interface{}) error {
+			conn := driverConn.(*stdlib.Conn).Conn()
+			// ignore hash column because it's computed
+			_, err := conn.PgConn().CopyTo(ctx, w, "COPY system.encryption_keys TO stdout")
+			w.Close()
+			return err
+		})
+		errs <- err
+	}()
+
+	destConn, err := dest.Conn(ctx)
+	logging.OnError(err).Fatal("unable to acquire dest connection")
+	defer destConn.Close()
+
+	var eventCount int64
+	err = destConn.Raw(func(driverConn interface{}) error {
+		conn := driverConn.(*stdlib.Conn).Conn()
+
+		if shouldReplace {
+			_, err := conn.Exec(ctx, "TRUNCATE system.encryption_keys")
+			if err != nil {
+				return err
+			}
+		}
+
+		tag, err := conn.PgConn().CopyFrom(ctx, r, "COPY system.encryption_keys FROM stdin")
+		eventCount = tag.RowsAffected()
+
+		return err
+	})
+	logging.OnError(err).Fatal("unable to copy encryption keys to destination")
+	logging.OnError(<-errs).Fatal("unable to copy encryption keys from source")
+	logging.WithFields("took", time.Since(start), "count", eventCount).Info("encryption keys migrated")
+}

cmd/mirror/verify.go

@@ -0,0 +1,111 @@
+package mirror
+
+import (
+	"context"
+	"database/sql"
+	_ "embed"
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	"github.com/zitadel/logging"
+
+	"github.com/zitadel/zitadel/internal/database"
+	"github.com/zitadel/zitadel/internal/database/dialect"
+)
+
+func verifyCmd() *cobra.Command {
+	return &cobra.Command{
+		Use:   "verify",
+		Short: "counts if source and dest have the same amount of entries",
+		Run: func(cmd *cobra.Command, args []string) {
+			config := mustNewMigrationConfig(viper.GetViper())
+			verifyMigration(cmd.Context(), config)
+		},
+	}
+}
+
+var schemas = []string{
+	"adminapi",
+	"auth",
+	"eventstore",
+	"projections",
+	"system",
+}
+
+func verifyMigration(ctx context.Context, config *Migration) {
+	sourceClient, err := database.Connect(config.Source, false, dialect.DBPurposeQuery)
+	logging.OnError(err).Fatal("unable to connect to source database")
+	defer sourceClient.Close()
+
+	destClient, err := database.Connect(config.Destination, false, dialect.DBPurposeEventPusher)
+	logging.OnError(err).Fatal("unable to connect to destination database")
+	defer destClient.Close()
+
+	for _, schema := range schemas {
+		for _, table := range append(getTables(ctx, destClient, schema), getViews(ctx, destClient, schema)...) {
+			sourceCount := countEntries(ctx, sourceClient, table)
+			destCount := countEntries(ctx, destClient, table)
+
+			entry := logging.WithFields("table", table, "dest", destCount, "source", sourceCount)
+			if sourceCount == destCount {
+				entry.Debug("equal count")
+				continue
+			}
+			entry.WithField("diff", destCount-sourceCount).Info("unequal count")
+		}
+	}
+}
+
+func getTables(ctx context.Context, dest *database.DB, schema string) (tables []string) {
+	err := dest.QueryContext(
+		ctx,
+		func(r *sql.Rows) error {
+			for r.Next() {
+				var table string
+				if err := r.Scan(&table); err != nil {
+					return err
+				}
+				tables = append(tables, table)
+			}
+			return r.Err()
+		},
+		"SELECT CONCAT(schemaname, '.', tablename) FROM pg_tables WHERE schemaname = $1",
+		schema,
+	)
+	logging.WithFields("schema", schema).OnError(err).Fatal("unable to query tables")
+	return tables
+}
+
+func getViews(ctx context.Context, dest *database.DB, schema string) (tables []string) {
+	err := dest.QueryContext(
+		ctx,
+		func(r *sql.Rows) error {
+			for r.Next() {
+				var table string
+				if err := r.Scan(&table); err != nil {
+					return err
+				}
+				tables = append(tables, table)
+			}
+			return r.Err()
+		},
+		"SELECT CONCAT(schemaname, '.', viewname) FROM pg_views WHERE schemaname = $1",
+		schema,
+	)
+	logging.WithFields("schema", schema).OnError(err).Fatal("unable to query views")
+	return tables
+}
+
+func countEntries(ctx context.Context, client *database.DB, table string) (count int) {
+	err := client.QueryRowContext(
+		ctx,
+		func(r *sql.Row) error {
+			return r.Scan(&count)
+		},
+		fmt.Sprintf("SELECT COUNT(*) FROM %s %s", table, instanceClause()),
+	)
+	logging.WithFields("table", table, "db", client.DatabaseName()).OnError(err).Error("unable to count")
+
+	return count
+}

cmd/setup/03.go

@@ -26,6 +26,8 @@ type FirstInstance struct {
 	PatPath         string
 	Features        *command.InstanceFeatures
 
+	Skip bool
+
 	instanceSetup     command.InstanceSetup
 	userEncryptionKey *crypto.KeyConfig
 	smtpEncryptionKey *crypto.KeyConfig
@@ -42,6 +44,9 @@ type FirstInstance struct {
 }
 
 func (mig *FirstInstance) Execute(ctx context.Context, _ eventstore.Event) error {
+	if mig.Skip {
+		return nil
+	}
 	keyStorage, err := mig.verifyEncryptionKeys(ctx)
 	if err != nil {
 		return err

cmd/setup/config.go

@@ -28,6 +28,7 @@ import (
 )
 
 type Config struct {
+	ForMirror       bool
 	Database        database.Config
 	SystemDefaults  systemdefaults.SystemDefaults
 	InternalAuthZ   internal_authz.Config

cmd/setup/setup.go

@@ -34,6 +34,8 @@ import (
 	notify_handler "github.com/zitadel/zitadel/internal/notification"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/query/projection"
+	es_v4 "github.com/zitadel/zitadel/internal/v2/eventstore"
+	es_v4_pg "github.com/zitadel/zitadel/internal/v2/eventstore/postgres"
 	"github.com/zitadel/zitadel/internal/webauthn"
 )
 
@@ -57,13 +59,16 @@ Requirements:
 			err = BindInitProjections(cmd)
 			logging.OnError(err).Fatal("unable to bind \"init-projections\" flag")
 
+			err = bindForMirror(cmd)
+			logging.OnError(err).Fatal("unable to bind \"for-mirror\" flag")
+
 			config := MustNewConfig(viper.GetViper())
 			steps := MustNewSteps(viper.New())
 
 			masterKey, err := key.MasterKey(cmd)
 			logging.OnError(err).Panic("No master key provided")
 
-			Setup(config, steps, masterKey)
+			Setup(cmd.Context(), config, steps, masterKey)
 		},
 	}
 
@@ -77,6 +82,7 @@ Requirements:
 func Flags(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringArrayVar(&stepFiles, "steps", nil, "paths to step files to overwrite default steps")
 	cmd.Flags().Bool("init-projections", viper.GetBool("InitProjections"), "beta feature: initializes projections after they are created, allows smooth start as projections are up to date")
+	cmd.Flags().Bool("for-mirror", viper.GetBool("ForMirror"), "use this flag if you want to mirror your existing data")
 	key.AddMasterKeyFlag(cmd)
 	tls.AddTLSModeFlag(cmd)
 }
@@ -85,8 +91,11 @@ func BindInitProjections(cmd *cobra.Command) error {
 	return viper.BindPFlag("InitProjections.Enabled", cmd.Flags().Lookup("init-projections"))
 }
 
-func Setup(config *Config, steps *Steps, masterKey string) {
-	ctx := context.Background()
+func bindForMirror(cmd *cobra.Command) error {
+	return viper.BindPFlag("ForMirror", cmd.Flags().Lookup("for-mirror"))
+}
+
+func Setup(ctx context.Context, config *Config, steps *Steps, masterKey string) {
 	logging.Info("setup started")
 
 	i18n.MustLoadSupportedLanguagesFromDir()
@@ -102,10 +111,14 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	config.Eventstore.Pusher = new_es.NewEventstore(esPusherDBClient)
 	eventstoreClient := eventstore.NewEventstore(config.Eventstore)
 	logging.OnError(err).Fatal("unable to start eventstore")
+	eventstoreV4 := es_v4.NewEventstoreFromOne(es_v4_pg.New(queryDBClient, &es_v4_pg.Config{
+		MaxRetries: config.Eventstore.MaxRetries,
+	}))
 
 	steps.s1ProjectionTable = &ProjectionTable{dbClient: queryDBClient.DB}
 	steps.s2AssetsTable = &AssetTable{dbClient: queryDBClient.DB}
 
+	steps.FirstInstance.Skip = config.ForMirror || steps.FirstInstance.Skip
 	steps.FirstInstance.instanceSetup = config.DefaultInstance
 	steps.FirstInstance.userEncryptionKey = config.EncryptionKeys.User
 	steps.FirstInstance.smtpEncryptionKey = config.EncryptionKeys.SMTP
@@ -197,10 +210,11 @@ func Setup(config *Config, steps *Steps, masterKey string) {
 	}
 
 	// projection initialization must be done last, since the steps above might add required columns to the projections
-	if config.InitProjections.Enabled {
+	if !config.ForMirror && config.InitProjections.Enabled {
 		initProjections(
 			ctx,
 			eventstoreClient,
+			eventstoreV4,
 			queryDBClient,
 			projectionDBClient,
 			masterKey,
@@ -222,6 +236,7 @@ func readStmt(fs embed.FS, folder, typ, filename string) (string, error) {
 func initProjections(
 	ctx context.Context,
 	eventstoreClient *eventstore.Eventstore,
+	eventstoreV4 *es_v4.EventStore,
 	queryDBClient,
 	projectionDBClient *database.DB,
 	masterKey string,
@@ -278,6 +293,7 @@ func initProjections(
 	queries, err := query.StartQueries(
 		ctx,
 		eventstoreClient,
+		eventstoreV4.Querier,
 		queryDBClient,
 		projectionDBClient,
 		config.Projections,

cmd/setup/steps.yaml

@@ -1,5 +1,7 @@
 # By using the FirstInstance section, you can overwrite the DefaultInstance configuration for the first instance created by zitadel setup.
 FirstInstance:
+  # If set to true zitadel is setup without initial data
+  Skip: false
   # The machine key from the section FirstInstance.Org.Machine.MachineKey is written to the MachineKeyPath.
   MachineKeyPath: # ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH
   # The personal access token from the section FirstInstance.Org.Machine.Pat is written to the PatPath.

cmd/start/start.go

@@ -78,6 +78,8 @@ import (
 	"github.com/zitadel/zitadel/internal/notification"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/static"
+	es_v4 "github.com/zitadel/zitadel/internal/v2/eventstore"
+	es_v4_pg "github.com/zitadel/zitadel/internal/v2/eventstore/postgres"
 	"github.com/zitadel/zitadel/internal/webauthn"
 	"github.com/zitadel/zitadel/openapi"
 )
@@ -153,12 +155,16 @@ func startZitadel(ctx context.Context, config *Config, masterKey string, server
 	config.Eventstore.Pusher = new_es.NewEventstore(esPusherDBClient)
 	config.Eventstore.Querier = old_es.NewCRDB(queryDBClient)
 	eventstoreClient := eventstore.NewEventstore(config.Eventstore)
+	eventstoreV4 := es_v4.NewEventstoreFromOne(es_v4_pg.New(queryDBClient, &es_v4_pg.Config{
+		MaxRetries: config.Eventstore.MaxRetries,
+	}))
 
 	sessionTokenVerifier := internal_authz.SessionTokenVerifier(keys.OIDC)
 
 	queries, err := query.StartQueries(
 		ctx,
 		eventstoreClient,
+		eventstoreV4.Querier,
 		queryDBClient,
 		projectionDBClient,
 		config.Projections,

cmd/start/start_from_init.go

@@ -36,7 +36,7 @@ Requirements:
 
 			setupConfig := setup.MustNewConfig(viper.GetViper())
 			setupSteps := setup.MustNewSteps(viper.New())
-			setup.Setup(setupConfig, setupSteps, masterKey)
+			setup.Setup(cmd.Context(), setupConfig, setupSteps, masterKey)
 
 			startConfig := MustNewConfig(viper.GetViper())
 

cmd/start/start_from_setup.go

@@ -34,7 +34,7 @@ Requirements:
 
 			setupConfig := setup.MustNewConfig(viper.GetViper())
 			setupSteps := setup.MustNewSteps(viper.New())
-			setup.Setup(setupConfig, setupSteps, masterKey)
+			setup.Setup(cmd.Context(), setupConfig, setupSteps, masterKey)
 
 			startConfig := MustNewConfig(viper.GetViper())
 

cmd/zitadel.go

@@ -15,6 +15,7 @@ import (
 	"github.com/zitadel/zitadel/cmd/build"
 	"github.com/zitadel/zitadel/cmd/initialise"
 	"github.com/zitadel/zitadel/cmd/key"
+	"github.com/zitadel/zitadel/cmd/mirror"
 	"github.com/zitadel/zitadel/cmd/ready"
 	"github.com/zitadel/zitadel/cmd/setup"
 	"github.com/zitadel/zitadel/cmd/start"
@@ -55,6 +56,7 @@ func New(out io.Writer, in io.Reader, args []string, server chan<- *start.Server
 		start.New(server),
 		start.NewStartFromInit(server),
 		start.NewStartFromSetup(server),
+		mirror.New(),
 		key.New(),
 		ready.New(),
 	)

console/src/app/modules/password-complexity-view/password-complexity-view.component.html

@@ -50,4 +50,12 @@
     <i *ngIf="password?.dirty && !password?.errors?.['errorslowercasemissing']" class="las la-check green"></i>
     <span class="cnsl-secondary-text">{{ 'ERRORS.LOWERCASEMISSING' | translate }}</span>
   </div>
+  <div class="val">
+    <i *ngIf="password?.value?.length === 0 || password?.value?.length <= 70" class="las la-check green"></i>
+    <i *ngIf="password?.value?.length > 70" class="las la-times red"></i>
+
+    <span class="cnsl-secondary-text"
+      >{{ 'USER.PASSWORD.MAXLENGTHERROR' | translate: { value: 70 } }} ({{ password?.value?.length }}/{{ 70 }})
+    </span>
+  </div>
 </div>

console/src/app/pages/projects/projects.component.html

@@ -6,9 +6,11 @@
         <mat-icon class="icon">info_outline</mat-icon>
       </a>
     </div>
-    <p class="sub cnsl-secondary-text max-width-description">
-      {{ 'DESCRIPTIONS.PROJECTS.DESCRIPTION' | translate }}
-    </p>
+    <p
+      class="sub cnsl-secondary-text max-width-description"
+      [innerHTML]="'DESCRIPTIONS.PROJECTS.DESCRIPTION' | translate"
+    ></p>
+
     <div class="projects-controls">
       <div class="project-toggle-group">
         <cnsl-nav-toggle

console/src/app/services/authentication.service.ts

@@ -35,6 +35,10 @@ export class AuthenticationService {
     return from(this.oauthService.loadUserProfile());
   }
 
+  public getIdToken(): string {
+    return this.oauthService.getIdToken();
+  }
+
   public async authenticate(partialConfig?: Partial<AuthConfig>, force: boolean = false): Promise<boolean> {
     if (partialConfig) {
       Object.assign(this.authConfig, partialConfig);

console/src/app/services/grpc.service.ts

@@ -18,6 +18,7 @@ import { I18nInterceptor } from './interceptors/i18n.interceptor';
 import { OrgInterceptor } from './interceptors/org.interceptor';
 import { StorageService } from './storage.service';
 import { FeatureServiceClient } from '../proto/generated/zitadel/feature/v2beta/Feature_serviceServiceClientPb';
+import { GrpcAuthService } from './grpc-auth.service';
 
 @Injectable({
   providedIn: 'root',

console/src/app/services/interceptors/auth.interceptor.ts

@@ -2,11 +2,13 @@ import { Injectable } from '@angular/core';
 import { MatDialog } from '@angular/material/dialog';
 import { Request, UnaryInterceptor, UnaryResponse } from 'grpc-web';
 import { Subject } from 'rxjs';
-import { debounceTime, filter, first, take } from 'rxjs/operators';
+import { debounceTime, filter, first, map, take, tap } from 'rxjs/operators';
 import { WarnDialogComponent } from 'src/app/modules/warn-dialog/warn-dialog.component';
 
 import { AuthenticationService } from '../authentication.service';
 import { StorageService } from '../storage.service';
+import { AuthConfig } from 'angular-oauth2-oidc';
+import { GrpcAuthService } from '../grpc-auth.service';
 
 const authorizationKey = 'Authorization';
 const bearerPrefix = 'Bearer';
@@ -44,7 +46,7 @@ export class AuthInterceptor<TReq = unknown, TResp = unknown> implements UnaryIn
         return response;
       })
       .catch(async (error: any) => {
-        if (error.code === 16) {
+        if (error.code === 16 || (error.code === 7 && error.message === 'mfa required (AUTHZ-Kl3p0)')) {
           this.triggerDialog.next(true);
         }
         return Promise.reject(error);
@@ -67,7 +69,13 @@ export class AuthInterceptor<TReq = unknown, TResp = unknown> implements UnaryIn
       .pipe(take(1))
       .subscribe((resp) => {
         if (resp) {
-          this.authenticationService.authenticate(undefined, true);
+          const idToken = this.authenticationService.getIdToken();
+          const configWithPrompt: Partial<AuthConfig> = {
+            customQueryParams: {
+              id_token_hint: idToken,
+            },
+          };
+          this.authenticationService.authenticate(configWithPrompt, true);
         }
       });
   }

console/src/assets/i18n/bg.json

@@ -588,6 +588,7 @@
     "INVALID_FORMAT": "Форматирането е невалидно.",
     "NOTANEMAIL": "Дадената стойност не е имейл адрес.",
     "MINLENGTH": "Трябва да е поне {{requiredLength}} знака дълги.",
+    "MAXLENGTH": "Трябва да е по-малко от {{requiredLength}} символа",
     "UPPERCASEMISSING": "Трябва да включва главна буква.",
     "LOWERCASEMISSING": "Трябва да включва малка буква.",
     "SYMBOLERROR": "Трябва да включва символ или препинателен знак.",
@@ -873,7 +874,8 @@
       "SET": "Задайте нова парола",
       "RESENDNOTIFICATION": "Изпратете връзка за повторно задаване на парола",
       "REQUIRED": "Някои задължителни полета липсват.",
-      "MINLENGTHERROR": "Трябва да бъде поне {{value}} знака дълги."
+      "MINLENGTHERROR": "Трябва да бъде поне {{value}} знака дълги.",
+      "MAXLENGTHERROR": "Трябва да съдържа по-малко от {{value}} знака."
     },
     "ID": "документ за самоличност",
     "EMAIL": "Електронна поща",

console/src/assets/i18n/cs.json

@@ -595,6 +595,7 @@
     "INVALID_FORMAT": "Formát je neplatný.",
     "NOTANEMAIL": "Zadaná hodnota není e-mailová adresa.",
     "MINLENGTH": "Musí být dlouhé alespoň {{requiredLength}} znaků.",
+    "MAXLENGTH": "Musí být kratší než {{requiredLength}} znaků",
     "UPPERCASEMISSING": "Musí obsahovat velké písmeno.",
     "LOWERCASEMISSING": "Musí obsahovat malé písmeno.",
     "SYMBOLERROR": "Musí obsahovat symbol nebo interpunkční znaménko.",
@@ -880,7 +881,8 @@
       "SET": "Nastavit nové heslo",
       "RESENDNOTIFICATION": "Odeslat odkaz pro reset hesla",
       "REQUIRED": "Některá povinná pole nejsou vyplněna.",
-      "MINLENGTHERROR": "Musí být alespoň {{value}} znaků dlouhé."
+      "MINLENGTHERROR": "Musí být alespoň {{value}} znaků dlouhé.",
+      "MAXLENGTHERROR": "Musí být kratší než {{value}} znaků."
     },
     "ID": "ID",
     "EMAIL": "E-mail",

console/src/assets/i18n/de.json

@@ -594,6 +594,7 @@
     "INVALID_FORMAT": "Das Format is ungültig.",
     "NOTANEMAIL": "Der eingegebene Wert ist keine E-Mail Adresse.",
     "MINLENGTH": "Muss mindestens {{requiredLength}} Zeichen lang sein.",
+    "MAXLENGTH": "Muss weniger als {{requiredLength}} Zeichen enthalten",
     "UPPERCASEMISSING": "Muss einen Grossbuchstaben beinhalten.",
     "LOWERCASEMISSING": "Muss einen Kleinbuchstaben beinhalten.",
     "SYMBOLERROR": "Muss ein Symbol/Satzzeichen beinhalten.",
@@ -879,7 +880,8 @@
       "SET": "Passwort neu setzen",
       "RESENDNOTIFICATION": "Email zum Zurücksetzen senden",
       "REQUIRED": "Bitte prüfe, dass alle notwendigen Felder ausgefüllt sind.",
-      "MINLENGTHERROR": "Muss mindestens {{value}} Zeichen lang sein."
+      "MINLENGTHERROR": "Muss mindestens {{value}} Zeichen lang sein.",
+      "MAXLENGTHERROR": "Muss weniger als {{value}} Zeichen umfassen."
     },
     "ID": "ID",
     "EMAIL": "E-Mail",

console/src/assets/i18n/en.json

@@ -54,7 +54,7 @@
       },
       "MACHINES": {
         "TITLE": "Service Users",
-        "DESCRIPTION": "Les utilisateurs du service s'authentifient de manière non interactive à l'aide d'un jeton de porteur JWT signé avec une clé privée. Ils peuvent également utiliser un jeton d'accès personnel.",
+        "DESCRIPTION": "Service Users authenticate non-interactively using a JWT bearer token signed with a private key. They can also use a personal access token.",
         "METADATA": "Add custom attributes to the user like the authenticating system. You can use this information in your actions."
       },
       "SELF": {
@@ -595,8 +595,9 @@
     "INVALID_FORMAT": "The formatting is invalid.",
     "NOTANEMAIL": "The given value is not an e-mail address.",
     "MINLENGTH": "Must be at least {{requiredLength}} characters long.",
-    "UPPERCASEMISSING": "Must include an uppercase character.",
-    "LOWERCASEMISSING": "Must include a lowercase character.",
+    "MAXLENGTH": "Must be less than {{requiredLength}} characters.",
+    "UPPERCASEMISSING": "Must include an uppercase letter.",
+    "LOWERCASEMISSING": "Must include a lowercase letter.",
     "SYMBOLERROR": "Must include a symbol or punctuation mark.",
     "NUMBERERROR": "Must include a digit.",
     "PWNOTEQUAL": "The passwords provided do not match.",
@@ -880,7 +881,8 @@
       "SET": "Set New Password",
       "RESENDNOTIFICATION": "Send Password Reset Link",
       "REQUIRED": "Some required fields are missing.",
-      "MINLENGTHERROR": "Has to be at least {{value}} characters long."
+      "MINLENGTHERROR": "Must be at least {{value}} characters long.",
+      "MAXLENGTHERROR": "Must be less than {{value}} characters."
     },
     "ID": "ID",
     "EMAIL": "E-mail",

console/src/assets/i18n/es.json

@@ -595,6 +595,7 @@
     "INVALID_FORMAT": "El formato no es valido.",
     "NOTANEMAIL": "El valor proporcionado no es una dirección de email.",
     "MINLENGTH": "Debe tener al menos {{requiredLength}} caracteres de longitud.",
+    "MAXLENGTH": "Debe tener menos de {{requiredLength}} caracteres.",
     "UPPERCASEMISSING": "Debe incluir un carácter en mayúscula.",
     "LOWERCASEMISSING": "Debe incluir un carácter en minúscula.",
     "SYMBOLERROR": "Debe incluir un símbolo o un signo de puntuación.",
@@ -880,7 +881,8 @@
       "SET": "Establecer nueva contraseña",
       "RESENDNOTIFICATION": "Enviar enlace para restablecer la contraseña",
       "REQUIRED": "Faltan algunos campos requeridos.",
-      "MINLENGTHERROR": "Debe tener al menos {{value}} caracteres de longitud."
+      "MINLENGTHERROR": "Debe tener al menos {{value}} caracteres de longitud.",
+      "MAXLENGTHERROR": "Debe tener menos de {{value}} caracteres"
     },
     "ID": "ID",
     "EMAIL": "Email",

console/src/assets/i18n/fr.json

@@ -594,6 +594,7 @@
     "INVALID_FORMAT": "Le format n'est pas valide.",
     "NOTANEMAIL": "La valeur donnée n'est pas une adresse e-mail.",
     "MINLENGTH": "Doit comporter au moins {{length}} caractères.",
+    "MAXLENGTH": "Doit contenir moins de {{requiredLength}} caractères.",
     "UPPERCASEMISSING": "Doit inclure un caractère majuscule.",
     "LOWERCASEMISSING": "Doit inclure un caractère minuscule.",
     "SYMBOLERROR": "Doit inclure un symbole ou un signe de ponctuation.",
@@ -879,7 +880,8 @@
       "SET": "Définir un nouveau mot de passe",
       "RESENDNOTIFICATION": "Envoyer le lien de réinitialisation du mot de passe",
       "REQUIRED": "Certains champs obligatoires sont manquants.",
-      "MINLENGTHERROR": "Doit comporter au moins {{value}} caractères."
+      "MINLENGTHERROR": "Doit comporter au moins {{value}} caractères.",
+      "MAXLENGTHERROR": "Doit contenir moins de {{value}} caractères"
     },
     "ID": "ID",
     "EMAIL": "E-mail",

console/src/assets/i18n/it.json

@@ -593,6 +593,7 @@
     "INVALID_FORMAT": "Il formato non è valido.",
     "NOTANEMAIL": "Il valore dato non è un indirizzo e-mail.",
     "MINLENGTH": "Deve essere lunga almeno {{requiredLength}} caratteri.",
+    "MAXLENGTH": "Deve contenere meno di {{requiredLength}} caratteri.",
     "UPPERCASEMISSING": "Deve includere un carattere maiuscolo.",
     "LOWERCASEMISSING": "Deve includere un carattere minuscolo.",
     "SYMBOLERROR": "Deve includere un simbolo o un segno di punteggiatura.",
@@ -878,7 +879,8 @@
       "SET": "Imposta nuova password",
       "RESENDNOTIFICATION": "Invia email per la reimpostazione",
       "REQUIRED": "Mancano alcuni campi obbligatori.",
-      "MINLENGTHERROR": "Deve essere lunga almeno {{valore}} caratteri."
+      "MINLENGTHERROR": "Deve essere lunga almeno {{valore}} caratteri.",
+      "MAXLENGTHERROR": "Deve contenere meno di {{value}} caratteri"
     },
     "ID": "ID",
     "EMAIL": "E-mail",

console/src/assets/i18n/ja.json

@@ -595,6 +595,7 @@
     "INVALID_FORMAT": "不正なフォーマットです",
     "NOTANEMAIL": "入力された値がメールアドレスではありません。",
     "MINLENGTH": "{{requiredLength}} 文字以上の文字列が必要です。",
+    "MAXLENGTH": "{{requiredLength}}文字以下でなければなりません.",
     "UPPERCASEMISSING": "大文字を含める必要があります。",
     "LOWERCASEMISSING": "小文字を含める必要があります。",
     "SYMBOLERROR": "記号を含める必要があります。",
@@ -880,7 +881,8 @@
       "SET": "新しいパスワードを設定する",
       "RESENDNOTIFICATION": "パスワードリセットのリンクを送信する",
       "REQUIRED": "一部の必須項目が不足しています。",
-      "MINLENGTHERROR": "最小で{{value}}文字の長さが必要です。"
+      "MINLENGTHERROR": "最小で{{value}}文字の長さが必要です。",
+      "MAXLENGTHERROR": "{{value}}文字以下でなければなりません"
     },
     "ID": "id",
     "EMAIL": "Eメール",

console/src/assets/i18n/mk.json

@@ -595,6 +595,7 @@
     "INVALID_FORMAT": "Невалиден формат.",
     "NOTANEMAIL": "Внесената вредност не е е-пошта.",
     "MINLENGTH": "Мора да биде најмалку {{requiredLength}} карактери долга.",
+    "MAXLENGTH": "Мора да биде помалку од {{requiredLength}} карактери.",
     "UPPERCASEMISSING": "Мора да содржи голема буква.",
     "LOWERCASEMISSING": "Мора да содржи мала буква.",
     "SYMBOLERROR": "Мора да содржи симбол или знак за интерпункција.",
@@ -880,7 +881,8 @@
       "SET": "Постави нова лозинка",
       "RESENDNOTIFICATION": "Испрати линк за ресетирање на лозинката",
       "REQUIRED": "Некои задолжителни полиња не се пополнети.",
-      "MINLENGTHERROR": "Мора да биде најмалку {{value}} карактери долга."
+      "MINLENGTHERROR": "Мора да биде најмалку {{value}} карактери долга.",
+      "MAXLENGTHERROR": "Мора да биде помалку од {{value}} карактери"
     },
     "ID": "ID",
     "EMAIL": "E-пошта",

console/src/assets/i18n/nl.json

@@ -595,6 +595,7 @@
     "INVALID_FORMAT": "De opmaak is ongeldig.",
     "NOTANEMAIL": "De opgegeven waarde is geen e-mailadres.",
     "MINLENGTH": "Moet minimaal {{requiredLength}} tekens lang zijn.",
+    "MAXLENGTH": "Moet minder dan {{requiredLength}} tekens bevatten.",
     "UPPERCASEMISSING": "Moet een hoofdletter bevatten.",
     "LOWERCASEMISSING": "Moet een kleine letter bevatten.",
     "SYMBOLERROR": "Moet een symbool of leesteken bevatten.",
@@ -880,7 +881,8 @@
       "SET": "Stel nieuw wachtwoord in",
       "RESENDNOTIFICATION": "Stuur wachtwoord reset link",
       "REQUIRED": "Sommige verplichte velden ontbreken.",
-      "MINLENGTHERROR": "Moet minstens {{value}} tekens lang zijn."
+      "MINLENGTHERROR": "Moet minstens {{value}} tekens lang zijn.",
+      "MAXLENGTHERROR": "Moet minder dan {{value}} tekens bevatten"
     },
     "ID": "ID",
     "EMAIL": "E-mail",

console/src/assets/i18n/pl.json

@@ -594,6 +594,7 @@
     "INVALID_FORMAT": "Format jest nieprawidłowy.",
     "NOTANEMAIL": "Podana wartość nie jest adresem e-mail.",
     "MINLENGTH": "Musi mieć co najmniej {{requiredLength}} znaków.",
+    "MAXLENGTH": "Musi zawierać mniej niż {{requiredLength}} znaków.",
     "UPPERCASEMISSING": "Musi zawierać wielką literę.",
     "LOWERCASEMISSING": "Musi zawierać małą literę.",
     "SYMBOLERROR": "Musi zawierać symbol lub znak interpunkcyjny.",
@@ -879,7 +880,8 @@
       "SET": "Ustaw nowe hasło",
       "RESENDNOTIFICATION": "Wyślij link resetowania hasła",
       "REQUIRED": "Brakuje niektórych wymaganych pól.",
-      "MINLENGTHERROR": "Musi mieć co najmniej {{value}} znaków."
+      "MINLENGTHERROR": "Musi mieć co najmniej {{value}} znaków.",
+      "MAXLENGTHERROR": "Musi zawierać mniej niż {{value}} znaków"
     },
     "ID": "ID",
     "EMAIL": "E-mail",

console/src/assets/i18n/pt.json

@@ -595,6 +595,7 @@
     "INVALID_FORMAT": "O formato é inválido.",
     "NOTANEMAIL": "O valor fornecido não é um endereço de e-mail.",
     "MINLENGTH": "Deve ter pelo menos {{requiredLength}} caracteres.",
+    "MAXLENGTH": "Deve ter menos de {{requiredLength}} caracteres.",
     "UPPERCASEMISSING": "Deve incluir uma letra maiúscula.",
     "LOWERCASEMISSING": "Deve incluir uma letra minúscula.",
     "SYMBOLERROR": "Deve incluir um símbolo ou caractere de pontuação.",
@@ -880,7 +881,8 @@
       "SET": "Definir Nova Senha",
       "RESENDNOTIFICATION": "Enviar Link de Redefinição de Senha",
       "REQUIRED": "Algumas informações obrigatórias estão faltando.",
-      "MINLENGTHERROR": "Deve ter pelo menos {{value}} caracteres."
+      "MINLENGTHERROR": "Deve ter pelo menos {{value}} caracteres.",
+      "MAXLENGTHERROR": "Deve ter menos de {{value}} caracteres"
     },
     "ID": "ID",
     "EMAIL": "E-mail",

console/src/assets/i18n/ru.json

@@ -594,6 +594,7 @@
     "INVALID_FORMAT": "Форматирование неверно.",
     "NOTANEMAIL": "Данное значение не является адресом электронной почты.",
     "MINLENGTH": "Должно быть не менее {{requiredLength}} символов.",
+    "MAXLENGTH": "Должно быть меньше {{requiredLength}} символов.",
     "UPPERCASEMISSING": "Должен содержать символ верхнего регистра.",
     "LOWERCASEMISSING": "Должен включать строчные буквы.",
     "SYMBOLERROR": "Должен содержать символ или знак препинания.",
@@ -887,7 +888,8 @@
       "RESENDNOTIFICATION": "Отправить ссылку для сброса пароля",
       "REQUIRED": "Отсутствуют некоторые обязательные поля.",
       "MINLENGTHERROR": "Должно быть не менее {{value}} символов.",
-      "NOTEQUAL": "Указанные пароли не совпадают."
+      "NOTEQUAL": "Указанные пароли не совпадают.",
+      "MAXLENGTHERROR": "Должно быть меньше {{value}} символов"
     },
     "ID": "Идентификатор",
     "EMAIL": "Электронная почта",

console/src/assets/i18n/zh.json

@@ -594,6 +594,7 @@
     "INVALID_FORMAT": "格式是无效的。",
     "NOTANEMAIL": "给定的值不是合法电子邮件地址。",
     "MINLENGTH": "长度必须至少是{{requiredLength}}字符。",
+    "MAXLENGTH": "必须少于{{requiredLength}}个字符.",
     "UPPERCASEMISSING": "密码必须包含大写字符。",
     "LOWERCASEMISSING": "密码必须包含小写字符。",
     "SYMBOLERROR": "密码必须包含符号或标点符号。",
@@ -879,7 +880,8 @@
       "SET": "设置新密码",
       "RESENDNOTIFICATION": "发送重置密码链接",
       "REQUIRED": "缺少必填字段。",
-      "MINLENGTHERROR": "密码长度必须至少为 {{value}} 个字符。"
+      "MINLENGTHERROR": "密码长度必须至少为 {{value}} 个字符。",
+      "MAXLENGTHERROR": "必须少于{{value}}个字符"
     },
     "ID": "ID",
     "EMAIL": "电子邮件",

docs/docs/apis/introduction.mdx

@@ -281,7 +281,7 @@ ZITADEL hosts everything under a single domain: `{instance}.zitadel.cloud` or yo
 
 The domain is used as the OIDC issuer and as the base url for the gRPC and REST APIs, the Login and Console UI, which you'll find under `{your_domain}/ui/console/`.
 
-Are you self-hosting and having troubles with *Instance not found* errors? [Check out this page](https://zitadel.com/docs/self-hosting/manage/custom-domain).
+Are you self-hosting and having troubles with *Instance not found* errors? [Check out this page](/docs/self-hosting/manage/custom-domain).
 
 ## API path prefixes
 

docs/docs/concepts/features/audit-trail.md

@@ -14,6 +14,15 @@ This form of audit log has several benefits over storing classic audit logs.
 You can view past data in-context of the whole system at a single point in time.
 Reviewing a past state of the application can be important when tracing an incident that happened months back. Moreover the eventstore provides a truly complete and clean audit log.
 
+:::info Future Plans
+There will be three major areas for future development on the audit data
+
+- [Metrics](https://github.com/zitadel/zitadel/issues/4458) and [standard reports](https://github.com/zitadel/zitadel/discussions/2162#discussioncomment-1153259)
+- [Feedback loop](https://github.com/zitadel/zitadel/issues/5102) and threat detection
+- Forensics and replay of events
+
+:::
+
 ## Accessing the Audit Log
 
 ### Last changes of an object
@@ -42,24 +51,6 @@ Access to the API is possible with a [Service User](/docs/guides/integrate/servi
 
 ## Using logs in external systems
 
-You can use the [Event API](#event-api) to pull data and ingest it in an external system.
+You can use the events from the audit log in external systems such as a SOC/SIEM solution.
 
-[Actions](actions.md) can be used to write events to the stdout and [process the events as logs](../../self-hosting/manage/production#logging).
-Please refer to the zitadel/actions repository for a [code sample](https://github.com/zitadel/actions/blob/main/examples/post_auth_log.js).
-You can use your log processing pipeline to parse and ingest the events in your favorite analytics tool.
-
-It is possible to send events directly with an http request to an external tool.
-We don't recommend this approach since this would create back-pressure and increase the overall processing time for requests.
-
-:::info Scope of Actions
-At this moment Actions can be invoked on certain events, but not generally on every event.  
-This is not a technical limitation, but a [feature on our backlog](https://github.com/zitadel/zitadel/issues/5101).  
-:::
-
-## Future plans
-
-There will be three major areas for future development on the audit data
-
-- [Metrics](https://github.com/zitadel/zitadel/issues/4458) and [standard reports](https://github.com/zitadel/zitadel/discussions/2162#discussioncomment-1153259)
-- [Feedback loop](https://github.com/zitadel/zitadel/issues/5102) and threat detection
-- Forensics and replay of events
+Follow our guide on how to [integrate ZITADEL with external systems for streaming events and audit logs](/docs/guides/integrate/external-audit-log).

docs/docs/examples/login/symfony.md

@@ -102,7 +102,7 @@ composer require drenso/symfony-oidc-bundle
 
 First, we need to create a User class for the database, so we can persist user info between requests. In this case you don't need password authentication.
 Email addresses are not unique for ZITADEL users. There can be multiple user accounts with the same email address.
-See [User Constraints](https://zitadel.com/docs/concepts/structure/users#constraints) for more details.
+See [User Constraints](/docs/concepts/structure/users#constraints) for more details.
 We will use the User Info `sub` claim as unique "display" name for the user. `sub` equals the unique User ID from ZITADEL.
 This creates a User Repository and Entity that implements the `UserInterface`:
 

docs/docs/examples/secure-api/nodejs-nestjs.md

@@ -9,9 +9,9 @@ This documentation section guides you through the process of integrating ZITADEL
 
 ## Overview
 
-The NestJS API includes a single secured route that prints "Hello World!" when authenticated. The API expects an authorization header with a valid JWT, serving as a bearer token to authenticate the user when calling the API. The API will validate the access token on the [introspect endpoint](https://zitadel.com/docs/apis/openidoauth/endpoints#introspection_endpoint) and receive the user from ZITADEL.
+The NestJS API includes a single secured route that prints "Hello World!" when authenticated. The API expects an authorization header with a valid JWT, serving as a bearer token to authenticate the user when calling the API. The API will validate the access token on the [introspect endpoint](/docs/apis/openidoauth/endpoints#introspection_endpoint) and receive the user from ZITADEL.
 
-The API application utilizes [JWT with Private Key](https://zitadel.com/docs/apis/openidoauth/authn-methods#jwt-with-private-key) for authentication against ZITADEL and accessing the introspection endpoint. Make sure to create an API Application within Zitadel and download the JSON. In this instance, we use this service account, so make sure to provide the secrets in the example application via environmental variables.
+The API application utilizes [JWT with Private Key](/docs/apis/openidoauth/authn-methods#jwt-with-private-key) for authentication against ZITADEL and accessing the introspection endpoint. Make sure to create an API Application within Zitadel and download the JSON. In this instance, we use this service account, so make sure to provide the secrets in the example application via environmental variables.
 
 ## Overview
 
@@ -25,7 +25,7 @@ Make sure you have Node.js and npm installed on your machine.
 
 ### ZITADEL Configuration for the API
 
-1. Create a ZITADEL instance and a project by following the steps [here](https://zitadel.com/docs/guides/start/quickstart#2-create-your-first-instance).
+1. Create a ZITADEL instance and a project by following the steps [here](/docs/guides/start/quickstart#2-create-your-first-instance).
 
 2. Set up an API application within your project:
    - Create a new application of type "API" with authentication method "Private Key".

docs/docs/examples/secure-api/python-django.mdx

@@ -145,7 +145,7 @@ python manage.py runserver
 ### Call the API
 
 To call the API you need an access token, which is then verified by ZITADEL.
-Please follow [this guide here](https://zitadel.com/docs/guides/integrate/private-key-jwt#get-an-access-token), ignoring the first step as we already have the `.json`-key-file from the serviceaccount.
+Please follow [this guide here](/docs/guides/integrate/token-introspection/private-key-jwt#get-an-access-token), ignoring the first step as we already have the `.json`-key-file from the serviceaccount.
 
 Optionally set the token as an environment variable:
 ```

docs/docs/examples/secure-api/python-flask.mdx

@@ -12,11 +12,11 @@ This example shows you how to secure a Python3 Flask API with both authenticatio
 
 The Python API will have public, private, and private-scoped routes and check if a user is authenticated and authorized to access the routes.
 The private routes expect an authorization header with a valid access token in the request. The access token is used as a bearer token to authenticate the user when calling the API.
-The API will validate the access token on the [introspect endpoint](https://zitadel.com/docs/apis/openidoauth/endpoints#introspection_endpoint) and will receive the user's roles from ZITADEL.
+The API will validate the access token on the [introspect endpoint](/docs/apis/openidoauth/endpoints#introspection_endpoint) and will receive the user's roles from ZITADEL.
 
-The API application uses [Client Secret Basic](https://zitadel.com/docs/apis/openidoauth/authn-methods#client-secret-basic) to authenticate against ZITADEL and access the introspection endpoint.
+The API application uses [Client Secret Basic](/docs/apis/openidoauth/authn-methods#client-secret-basic) to authenticate against ZITADEL and access the introspection endpoint.
 You can use any valid access_token from a user or service account to send requests to the example API.
-In this example we will use a service account with a [personal access token](https://zitadel.com/docs/guides/integrate/service-users/personal-access-token) which can be used directly to access the example API.
+In this example we will use a service account with a [personal access token](/docs/guides/integrate/service-users/personal-access-token) which can be used directly to access the example API.
 
 
 ## Running the example
@@ -31,9 +31,9 @@ In order to run the example you need to have `python3` and `pip3` installed.
 
 You need to setup a couple of things in ZITADEL. 
 
-1. If you don't have an instance yet, please go ahead and create an instance as explained [here](https://zitadel.com/docs/guides/start/quickstart#2-create-your-first-instance). Also, create a new project by following the steps [here](https://zitadel.com/docs/guides/start/quickstart#2-create-your-first-instance).
+1. If you don't have an instance yet, please go ahead and create an instance as explained [here](/docs/guides/start/quickstart#2-create-your-first-instance). Also, create a new project by following the steps [here](/docs/guides/start/quickstart#2-create-your-first-instance).
 
-2. You must create an API application in your project. Follow [this guide](https://zitadel.com/docs/guides/manage/console/applications) to create a new application of type "API" with authentication method "Basic". Save both the ClientID and ClientSecret after you create the application. 
+2. You must create an API application in your project. Follow [this guide](/docs/guides/manage/console/applications) to create a new application of type "API" with authentication method "Basic". Save both the ClientID and ClientSecret after you create the application. 
 
 ### Create the API
 
@@ -179,7 +179,7 @@ class ZitadelIntrospectTokenValidator(IntrospectTokenValidator):
         res = self.introspect_token(*args, **kwargs)
         return res
 ```
-3. Create a new file named ".env" in the directory. Copy the configuration in the [".env.example"](https://github.com/zitadel/example-api-python3-flask/blob/main/.env.example) file to the newly created .env file. Set the values with your Instance Domain/Issuer URL, Client ID, and Client Secret from the previous steps. Obtain your Issuer URL by following [these steps](https://zitadel.com/docs/guides/start/quickstart#referred1).
+3. Create a new file named ".env" in the directory. Copy the configuration in the [".env.example"](https://github.com/zitadel/example-api-python3-flask/blob/main/.env.example) file to the newly created .env file. Set the values with your Instance Domain/Issuer URL, Client ID, and Client Secret from the previous steps. Obtain your Issuer URL by following [these steps](/docs/guides/start/quickstart#referred1).
 
 ```python
 ZITADEL_DOMAIN = "https://your-domain-abcdef.zitadel.cloud"
@@ -191,9 +191,9 @@ CLIENT_SECRET = "NVAp70IqiGmJldbS...."
 
 ![Create a service user](/img/python-flask/3.png)
 
-1. Create a service user and a Personal Access Token (PAT) for that user by following [this guide](https://zitadel.com/docs/guides/integrate/service-users/personal-access-token#create-a-service-user-with-a-pat). 
-2. To enable authorization, follow [this guide](https://zitadel.com/docs/guides/manage/console/roles) to create a role `read:messages` on your project. 
-3. Next, create an authorization for the service user you created by adding the role `read:messages` to the user. Follow this [guide](https://zitadel.com/docs/guides/manage/console/roles#authorizations) for more information on creating an authorization. 
+1. Create a service user and a Personal Access Token (PAT) for that user by following [this guide](/docs/guides/integrate/service-users/personal-access-token#create-a-service-user-with-a-pat). 
+2. To enable authorization, follow [this guide](/docs/guides/manage/console/roles) to create a role `read:messages` on your project. 
+3. Next, create an authorization for the service user you created by adding the role `read:messages` to the user. Follow this [guide](/docs/guides/manage/console/roles#authorizations) for more information on creating an authorization. 
 
 
 ### Run the API

docs/docs/guides/integrate/identity-providers/introduction.md

@@ -131,9 +131,9 @@ In the guides below, some of which utilize the Generic OIDC or SAML templates fo
 
 If ZITADEL doesn't offer a specific template for your Identity Provider (IdP) and your IdP is fully compliant with OpenID Connect (OIDC), you have the option to use the generic OIDC provider configuration.
 
-For those utilizing a SAML Service Provider, the SAML Service Provider option is available. You can learn how to set up a SAML Service Provider with our [MockSAML example](https://zitadel.com/docs/guides/integrate/identity-providers/mocksaml).
+For those utilizing a SAML Service Provider, the SAML Service Provider option is available. You can learn how to set up a SAML Service Provider with our [MockSAML example](/docs/guides/integrate/identity-providers/mocksaml).
 
-Should you wish to transition from a generic OIDC provider to Entra ID (formerly Azure Active Directory) or Google, consider following this [guide](https://zitadel.com/docs/guides/integrate/identity-providers/migrate).
+Should you wish to transition from a generic OIDC provider to Entra ID (formerly Azure Active Directory) or Google, consider following this [guide](/docs/guides/integrate/identity-providers/migrate).
 
 
 
@@ -176,6 +176,6 @@ Deciding whether to configure an external Identity Provider (IdP) at the organiz
 
 ## References
 
-- [Identity brokering in ZITADEL](https://zitadel.com/docs/concepts/features/identity-brokering)
-- [The ZITADEL API reference for managing external IdPs](https://zitadel.com/docs/category/apis/resources/admin/identity-providers)
-- [Handle external logins in a custom login UI](https://zitadel.com/docs/guides/integrate/login-ui/external-login)
+- [Identity brokering in ZITADEL](/docs/concepts/features/identity-brokering)
+- [The ZITADEL API reference for managing external IdPs](/docs/category/apis/resources/admin/identity-providers)
+- [Handle external logins in a custom login UI](/docs/guides/integrate/login-ui/external-login)

docs/docs/guides/integrate/login-ui/_logout.mdx

@@ -1,5 +1,5 @@
 When your user is done using your application and clicks on the logout button, you have to send a request to the terminate session endpoint.
-[Terminate Session Documentation](https://zitadel.com/docs/apis/resources/session_service/session-service-delete-session)
+[Terminate Session Documentation](/docs/apis/resources/session_service/session-service-delete-session)
 
 Sessions can be terminated by either:
 - the authenticated user

docs/docs/guides/integrate/login-ui/_select-account.mdx

@@ -3,7 +3,7 @@ If you want to build your own select account/account picker, you have to cache t
 We recommend storing a list of the session Ids with the corresponding session token in a cookie.
 The list of session IDs can be sent in the “search sessions” request to get a detailed list of sessions for the account selection.
 
-[Search Sessions Documentation](https://zitadel.com/docs/apis/resources/session_service/session-service-list-sessions)
+[Search Sessions Documentation](/docs/apis/resources/session_service/session-service-list-sessions)
 
 ### Request
 

docs/docs/guides/integrate/onboarding/end-users.mdx

@@ -115,7 +115,7 @@ We do have a guide series on how to build your own login ui, which also includes
 - Passkeys
 - External Login Providers
 
-You can find all the guides here: [Build your own login UI](https://zitadel.com/docs/guides/integrate/login-ui)
+You can find all the guides here: [Build your own login UI](/docs/guides/integrate/login-ui)
 
 The create user request also allows you to add metadata (key, value) to the user.
 This gives you the possibility to collect additional data from your users during the registration process and store it directly to the user in ZITADEL.

docs/docs/guides/integrate/service-users/client-credentials.md

@@ -26,7 +26,7 @@ If you lose it, you will have to generate a new one.
 
 ![Create new service user](/img/console_serviceusers_secret.gif)
 
-## 2. Authenticating a service user and request a token
+### 2. Authenticating a service user and request a token
 
 In this step, we will authenticate a service user and receive an access_token to use against the ZITADEL API.
 
@@ -36,13 +36,15 @@ You will need to craft a POST request to ZITADEL's token endpoint:
 curl --request POST \
   --url https://$CUSTOM-DOMAIN/oauth/v2/token \
   --header 'Content-Type: application/x-www-form-urlencoded' \
-  --header 'Authorization: Basic ${BASIC_AUTH}' \
   --data grant_type=client_credentials \
-  --data scope='openid profile'
+  --data scope='openid profile' \
+  --user "$CLIENT_ID:$CLIENT_SECRET"
 ```
 
+* `CUSTOM_DOMAIN` should be set to your [custom domain](/docs/concepts/features/custom-domain)
 * `grant_type` should be set to `client_credentials`
 * `scope` should contain any [Scopes](/apis/openidoauth/scopes) you want to include, but must include `openid`. For this example, please include `profile`
+* `CLIENT_ID` and `CLIENT_SECRET` should be set with the values shown in Console when generating a new secret to enable [basic authentication](/docs/apis/openidoauth/authn-methods)
 
 If you want to access ZITADEL APIs, make sure to include the required scopes `urn:zitadel:iam:org:project:id:zitadel:aud`.
 Read our guide [how to access ZITADEL APIs](../zitadel-apis/access-zitadel-apis) to learn more.

docs/docs/guides/integrate/token-introspection/basic-auth.mdx

@@ -5,7 +5,7 @@ sidebar_label: Basic Authentication
 
 import IntrospectionResponse from './_introspection-response.mdx';
 
-This is a guide on how to secure your API using [Basic Authentication](https://zitadel.com/docs/apis/openidoauth/authn-methods#client-secret-basic).
+This is a guide on how to secure your API using [Basic Authentication](/docs/apis/openidoauth/authn-methods#client-secret-basic).
 
 ## Register the API in ZITADEL
 

docs/docs/guides/integrate/zitadel-apis/event-api.md

@@ -7,7 +7,7 @@ ZITADEL leverages the power of eventsourcing, meaning every action and change wi
 To provide you with greater flexibility and access to these events, ZITADEL has introduced an Event API. 
 This API allows you to easily retrieve and utilize the events generated within the system, enabling you to integrate them into your own system and respond to specific events as they occur.
 
-You need to give a user the [manager role](https://zitadel.com/docs/guides/manage/console/managers) IAM_OWNER_VIEWER or IAM_OWNER to access the Event API.
+You need to give a user the [manager role](/docs/guides/manage/console/managers) IAM_OWNER_VIEWER or IAM_OWNER to access the Event API.
 
 If you like to know more about eventsourcing/eventstore and how this works in ZITADEL, head over to our [concepts](/docs/concepts/eventstore/overview).
 ## Request Events

docs/docs/guides/manage/cloud/settings.md

@@ -19,7 +19,7 @@ You can subscribe and unsubscribe to notifications and newsletters:
 - Security: Receive notifications related to security issues
 
 :::info Technical Advisories
-If you want to stay up to date on our technical advisories, we recommend [subscribing here to the mailing list](https://zitadel.com/docs/support/technical_advisory#subscribe-to-our-mailing-list).
+If you want to stay up to date on our technical advisories, we recommend [subscribing here to the mailing list](/docs/support/technical_advisory#subscribe-to-our-mailing-list).
 
 Technical advisories are notices that report major issues with ZITADEL Self-Hosted or the ZITADEL Cloud platform that could potentially impact security or stability in production environments.
 :::

docs/docs/guides/migrate/sources/keycloak.md

@@ -5,7 +5,7 @@ sidebar_label: From Keycloak
 
 ## Migrating from Keycloak to ZITADEL
 
-This guide will use [Docker installation](https://www.docker.com/) to run Keycloak and ZITADEL. However, both Keycloak and ZITADEL offer different installation methods. As a result, this guide won't include any required production tuning or security hardening for either system. However, it's advised you follow [recommended guidelines](https://zitadel.com/docs/guides/manage/self-hosted/production) before putting those systems into production. You can skip setting up Keycloak and ZITADEL if you already have running instances.  
+This guide will use [Docker installation](https://www.docker.com/) to run Keycloak and ZITADEL. However, both Keycloak and ZITADEL offer different installation methods. As a result, this guide won't include any required production tuning or security hardening for either system. However, it's advised you follow [recommended guidelines](/docs/self-hosting/manage/production) before putting those systems into production. You can skip setting up Keycloak and ZITADEL if you already have running instances.  
 
 ## Set up Keycloak
 ### Run Keycloak
@@ -77,7 +77,7 @@ docker cp <keycloak container ID>:/tmp/my-realm-users-0.json .
 
 ## Set up ZITADEL
 
-After creating a sample application that connects to Keycloak, you need to set up ZITADEL in order to migrate the application and users from Keycloak to ZITADEL. For this, ZITADEL offers a [Docker Compose](https://zitadel.com/docs/self-hosting/deploy/compose) installation guide. Follow the instructions under the [Docker compose](https://zitadel.com/docs/self-hosting/deploy/compose#docker-compose) section to run a ZITADEL instance locally. 
+After creating a sample application that connects to Keycloak, you need to set up ZITADEL in order to migrate the application and users from Keycloak to ZITADEL. For this, ZITADEL offers a [Docker Compose](/docs/self-hosting/deploy/compose) installation guide. Follow the instructions under the [Docker compose](/docs/self-hosting/deploy/compose#docker-compose) section to run a ZITADEL instance locally. 
 
 Next, the application will be available at [http://localhost:8080/ui/console/](http://localhost:8080/ui/console/).
 
@@ -91,13 +91,13 @@ Now you can access the console with the following default credentials:
 
 ## Import Keycloak users into ZITADEL
 
-As explained in this [ZITADEL user migration guide](https://zitadel.com/docs/guides/migrate/users), you can import users individually or in bulk. Since we are looking at importing a single user from Keycloak, migrating that individual user to ZITADEL can be done with the [ImportHumanUser](https://zitadel.com/docs/apis/resources/mgmt/management-service-import-human-user) endpoint. 
+As explained in this [ZITADEL user migration guide](/docs/guides/migrate/users), you can import users individually or in bulk. Since we are looking at importing a single user from Keycloak, migrating that individual user to ZITADEL can be done with the [ImportHumanUser](/docs/apis/resources/mgmt/management-service-import-human-user) endpoint. 
 
 > With this endpoint, an email will only be sent to the user if the email is marked as not verified or if there's no password set.
 
 ### Create a service user to consume ZITADEL API
 
-But first of all, in order to use this ZITADEL API, you need to create a [service user](https://zitadel.com/docs/guides/integrate/service-users/authenticate-service-users#exercise-create-a-service-user). 
+But first of all, in order to use this ZITADEL API, you need to create a [service user](/docs/guides/integrate/service-users/authenticate-service-users#exercise-create-a-service-user). 
 
 Go to the **Users** menu and select the **Service Users** tab. And click the **+ New** button. 
 
@@ -167,7 +167,7 @@ if your Keycloak Realm has a single user, your `my-realm-users-0.json` file, int
 }
 ```
 
-Now, you need to transform the JSON to the ZITADEL data format by adhering to the ZITADEL API [specification](https://zitadel.com/docs/apis/resources/mgmt/management-service-import-human-user) to import a user. The minimal format would be as shown below: 
+Now, you need to transform the JSON to the ZITADEL data format by adhering to the ZITADEL API [specification](/docs/apis/resources/mgmt/management-service-import-human-user) to import a user. The minimal format would be as shown below: 
 
 ```js 
 {

docs/docs/guides/migrate/users.md

@@ -42,7 +42,7 @@ Please also consult our [guide](/docs/guides/manage/user/reg-create-user) on how
 
 ## Bulk import
 
-For bulk import use the [import endpoint](https://zitadel.com/docs/apis/resources/admin/admin-service-import-data) on the admin API:
+For bulk import use the [import endpoint](/docs/apis/resources/admin/admin-service-import-data) on the admin API:
 
 ```json
 {
@@ -191,7 +191,7 @@ Currently it is not possible to migrate passkeys directly from another system.
 
 ## Users linked to an external IDP
 
-A users `sub` is bound to the external [IDP's Client ID](https://zitadel.com/docs/guides/manage/console/default-settings#identity-providers).
+A users `sub` is bound to the external [IDP's Client ID](/docs/guides/manage/console/default-settings#identity-providers).
 This means that the IDP Client ID configured in ZITADEL must be the same ID as in the legacy system.
 
 Users should be imported with their `externalUserId`.
@@ -211,7 +211,7 @@ _snippet from [bulk-import](#bulk-import) example:_
 }
 ```
 
-You can use an Action with [post-creation flow](https://zitadel.com/docs/apis/actions/external-authentication#post-creation) to pull information such as roles from the old system and apply them to the user in ZITADEL.
+You can use an Action with [post-creation flow](/docs/apis/actions/external-authentication#post-creation) to pull information such as roles from the old system and apply them to the user in ZITADEL.
 
 ## Metadata
 
@@ -220,7 +220,7 @@ Use metadata to store additional attributes of the users, such as organizational
 
 :::info
 Metadata must be added to users after the users were created. Currently metadata can't be added during user creation.  
-[API reference: User Metadata](https://zitadel.com/docs/category/apis/resources/mgmt/user-metadata)
+[API reference: User Metadata](/docs/category/apis/resources/mgmt/user-metadata)
 :::
 
 Request metadata from the userinfo endpoint by passing the required [reserved scope](/docs/apis/openidoauth/scopes#reserved-scopes) in your auth request.
@@ -232,5 +232,5 @@ You can assign roles from owned or granted projects to a user.
 
 :::info
 Authorizations must be added to users after the users were created. Currently metadata can't be added during user creation.  
-[API reference: User Authorization / Grants](https://zitadel.com/docs/category/apis/resources/auth/user-authorizations-grants)
+[API reference: User Authorization / Grants](/docs/category/apis/resources/auth/user-authorizations-grants)
 :::

docs/docs/guides/overview.mdx

@@ -39,6 +39,10 @@ Join our [Discord chat](https://zitadel.com/chat) or open a [discussion](https:/
 
 Cloud and enterprise customers can additionally reach us privately via our [support communication channels](/legal/service-description/support-services).
 
+## Office Hours
+
+ZITADEL holds bi-weekly community calls. To join the community calls use [this link](https://zitadel.com/office-hours), or find further information [here](https://github.com/zitadel/zitadel/blob/main/MEETING_SCHEDULE.md).
+
 ## Contribute
 
 ZITADEL is open source — and so is the documentation.

docs/docs/guides/start/quickstart.mdx

@@ -353,7 +353,7 @@ The provided config extends the `UserManagerSettings` of the `oidc-client-ts` li
 - redirect_uri (the URL to redirect to after the authorization flow is complete)
 - post_logout_redirect_uri (the URL to redirect to after the user logs out)
 - scope (the permissions requested from the user)
-- project_resource_id (To add a ZITADEL project scope. `urn:zitadel:iam:org:project:id:[projectId]:aud` and `urn:zitadel:iam:org:projects:roles` [scopes](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes).)
+- project_resource_id (To add a ZITADEL project scope. `urn:zitadel:iam:org:project:id:[projectId]:aud` and `urn:zitadel:iam:org:projects:roles` [scopes](/docs/apis/openidoauth/scopes#reserved-scopes).)
 - prompt ([the OIDC prompt parameter](/apis/openidoauth/endpoints#additional-parameters))
 
 2. Create a folder named components in the src directory. Create two files named Login.js and Callback.js.
@@ -412,4 +412,4 @@ And this brings us to the end of this quick start guide!
 
 This tutorial covered how to configure ZITADEL and how to use React to build an app that communicates with ZITADEL to access secured resources.
 
-We hope you enjoyed the tutorial and encourage you to check out the ZITADEL [documentation](https://zitadel.com/docs) for more information on how to use the ZITADEL platform to its full potential. Thanks for joining us!
+We hope you enjoyed the tutorial and encourage you to check out the ZITADEL [documentation](/docs) for more information on how to use the ZITADEL platform to its full potential. Thanks for joining us!

docs/docs/legal/policies/brand-trademark-policy.md

@@ -34,7 +34,7 @@ To ensure the logo is used as intended, we provide specific examples below and r
 
 - Use in architecture diagrams without implying affiliation or partnership
 - Editorial and informational purposes such as blog posts or news articles
-- Linking back to our [website](https://zitadel.com), official [repositories](https://github.com/zitadel), or [documentation](https://zitadel.com/docs)
+- Linking back to our [website](https://zitadel.com), official [repositories](https://github.com/zitadel), or [documentation](/docs)
 - Indicating that the software is available for use or installation without implying any affiliation or endorsement
 
 ### Not acceptable

docs/docs/legal/policies/rate-limit-policy.md

@@ -3,7 +3,7 @@ title: Rate Limit Policy
 custom_edit_url: null
 ---
 
-Last updated on April 20, 2023
+Last updated on April 24, 2024
 
 This policy is an annex to the [Terms of Service](../terms-of-service) and clarifies your obligations while using our Services, specifically how we will use rate limiting to enforce certain aspects of our [Acceptable Use Policy](acceptable-use-policy).
 
@@ -35,10 +35,12 @@ For ZITADEL Cloud, we have a rate limiting rule for login paths (login, register
 
 Rate limits are implemented with the following rules:
 
-| Path                     | Description                            | Rate Limiting                        | One Minute Banning                     |
-|--------------------------|----------------------------------------|--------------------------------------|----------------------------------------|
-| /ui/login*               | Global Login, Register and Reset Limit | 10 requests per second over a minute | 15 requests per second over 3 minutes |
-| All other paths | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute       | 10 requests per second over 3 minutes   |
+| Path                 | Description                                                    | Rate Limiting                        | One Minute Banning                    |
+| -------------------- | -------------------------------------------------------------- | ------------------------------------ | ------------------------------------- |
+| /ui/login\*          | Global Login, Register and Reset Limit                         | 10 requests per second over a minute | 15 requests per second over 3 minutes |
+| /oauth/v2/keys       | OAuth/OpenID Public Keys Endpoint                              | 20 requests per second over a minute | 15 requests per second over 3 minutes |
+| /oauth/v2/introspect | OAuth Introspection Endpoint                                   | 20 requests per second over a minute | 15 requests per second over 3 minutes |
+| All other paths      | All gRPC- and REST APIs as well as the ZITADEL Customer Portal | 10 requests per second over a minute | 10 requests per second over 3 minutes |
 
 ## Load Testing
 

docs/docs/legal/policies/vulnerability-disclosure-policy.mdx

@@ -57,7 +57,7 @@ We will not publish this information by default to protect your privacy.
 ### What not to report
 
 - Disclosure of known public files or directories, e.g. robots.txt, files under .well-known, or files that are included in our public repositories (eg, go.mod)
-- DoS of users when [Lockout Policy is enabled](https://zitadel.com/docs/guides/manage/console/default-settings#lockout)
+- DoS of users when [Lockout Policy is enabled](/docs/guides/manage/console/default-settings#lockout)
 - Suggestions on Certificate Authority Authorization (CAA) rules
 - Suggestions on DMARC/DKIM/SPF settings
 - Suggestions on DNSSEC settings

docs/docs/self-hosting/deploy/troubleshooting/_instance_not_found.mdx

@@ -1,5 +1,5 @@
 `ID=QUERY-n0wng Message=Instance not found`
 
 If you're self hosting with a custom domain, you need to instruct ZITADEL to use the `ExternalDomain`.
-You can find further instructions in our guide about [custom domains](https://zitadel.com/docs/self-hosting/manage/custom-domain).
-We also provide a guide on how to [configure](https://zitadel.com/docs/self-hosting/manage/configure) ZITADEL with variables from files or environment variables.
+You can find further instructions in our guide about [custom domains](/docs/self-hosting/manage/custom-domain).
+We also provide a guide on how to [configure](/docs/self-hosting/manage/configure) ZITADEL with variables from files or environment variables.

docs/docs/self-hosting/manage/cli/mirror.mdx

@@ -0,0 +1,232 @@
+---
+title: Mirror data to another database
+sidebar_label: Mirror command
+---
+
+The `mirror` command allows you to do database to database migrations. This functionality is useful to copy data from one database to another.
+
+The data can be mirrored to multiple database without influencing each other.
+
+## Use cases
+
+Migrate from cockroachdb to postgres or vice versa.
+
+Replicate data to a secondary environment for testing.
+
+## Prerequisites
+
+You need an existing source database, most probably the database ZITADEL currently serves traffic from.
+
+To mirror the data the destination database needs to be initialized and setup without an instance.
+
+### Start the destination database 
+
+Follow one of the following guides to start the database:
+
+* [Linux](/docs/self-hosting/deploy/linux#run-postgresql)
+* [MacOS](/docs/self-hosting/deploy/macos#install-postgresql)
+
+Or use the following commands for [Docker Compose](/docs/self-hosting/deploy/compose)
+
+```bash
+# Download the docker compose example configuration.
+wget https://raw.githubusercontent.com/zitadel/zitadel/main/docs/docs/self-hosting/deploy/docker-compose.yaml
+
+# Run the database and application containers.
+docker compose up db --detach
+```
+
+## Example
+
+The following commands setup the database as described above. See [configuration](#configuration) for more details about the configuration options.
+
+```bash
+zitadel init --config /path/to/your/new/config.yaml
+zitadel setup --for-init --config /path/to/your/new/config.yaml # make sure to set --tlsMode and masterkey analog to your current deployment
+zitadel mirror --system --config /path/to/your/mirror/config.yaml # make sure to set --tlsMode and masterkey analog to your current deployment
+```
+
+## Usage
+
+The general syntax for the mirror command is:
+
+```bash
+zitadel mirror [flags]
+
+Flags:
+  -h, --help                     help for mirror
+
+      --config stringArray       path to config file to overwrite system defaults
+
+      --ignore-previous          ignores previous migrations of the events table. This flag should be used if you manually dropped previously mirrored events.
+      --replace                  replaces all data of the following tables for the provided instances or all if the `--system`-flag is set:
+                                 * system.assets
+                                 * auth.auth_requests
+                                 * eventstore.unique_constraints
+                                 The should be provided if you want to execute the mirror command multiple times so that the static data are also mirrored to prevent inconsistent states.
+
+      --instance strings         id or comma separated ids of the instance(s) to migrate. Either this or the `--system`-flag must be set. Make sure to always use the same flag if you execute the command multiple times.
+      --system                   migrates the whole system. Either this or the `--instance`-flag must be set. Make sure to always use the same flag if you execute the command multiple times.
+
+# For the flags below use the same configuration you also use in the current deployment
+
+      --masterkey string         masterkey as argument for en/decryption keys
+  -m, --masterkeyFile string     path to the masterkey for en/decryption keys
+      --masterkeyFromEnv         read masterkey for en/decryption keys from environment variable (ZITADEL_MASTERKEY)
+      --tlsMode externalSecure   start ZITADEL with (enabled), without (disabled) TLS or external component e.g. reverse proxy (external) terminating TLS, this flag will overwrite externalSecure and `tls.enabled` in configs files
+```
+
+## Configuration
+
+```yaml
+# The source database the data are copied from. Use either cockroach or postgres, by default cockroach is used
+Source:
+  cockroach:
+    Host: localhost # ZITADEL_SOURCE_COCKROACH_HOST
+    Port: 26257 # ZITADEL_SOURCE_COCKROACH_PORT
+    Database: zitadel # ZITADEL_SOURCE_COCKROACH_DATABASE
+    MaxOpenConns: 6 # ZITADEL_SOURCE_COCKROACH_MAXOPENCONNS
+    MaxIdleConns: 6 # ZITADEL_SOURCE_COCKROACH_MAXIDLECONNS
+    EventPushConnRatio: 0.33 # ZITADEL_SOURCE_COCKROACH_EVENTPUSHCONNRATIO
+    ProjectionSpoolerConnRatio: 0.33 # ZITADEL_SOURCE_COCKROACH_PROJECTIONSPOOLERCONNRATIO
+    MaxConnLifetime: 30m # ZITADEL_SOURCE_COCKROACH_MAXCONNLIFETIME
+    MaxConnIdleTime: 5m # ZITADEL_SOURCE_COCKROACH_MAXCONNIDLETIME
+    Options: "" # ZITADEL_SOURCE_COCKROACH_OPTIONS
+    User:
+      Username: zitadel # ZITADEL_SOURCE_COCKROACH_USER_USERNAME
+      Password: "" # ZITADEL_SOURCE_COCKROACH_USER_PASSWORD
+      SSL:
+        Mode: disable # ZITADEL_SOURCE_COCKROACH_USER_SSL_MODE
+        RootCert: "" # ZITADEL_SOURCE_COCKROACH_USER_SSL_ROOTCERT
+        Cert: "" # ZITADEL_SOURCE_COCKROACH_USER_SSL_CERT
+        Key: "" # ZITADEL_SOURCE_COCKROACH_USER_SSL_KEY
+  # Postgres is used as soon as a value is set
+  # The values describe the possible fields to set values
+  postgres:
+    Host: # ZITADEL_SOURCE_POSTGRES_HOST
+    Port: # ZITADEL_SOURCE_POSTGRES_PORT
+    Database: # ZITADEL_SOURCE_POSTGRES_DATABASE
+    MaxOpenConns: # ZITADEL_SOURCE_POSTGRES_MAXOPENCONNS
+    MaxIdleConns: # ZITADEL_SOURCE_POSTGRES_MAXIDLECONNS
+    MaxConnLifetime: # ZITADEL_SOURCE_POSTGRES_MAXCONNLIFETIME
+    MaxConnIdleTime: # ZITADEL_SOURCE_POSTGRES_MAXCONNIDLETIME
+    Options: # ZITADEL_SOURCE_POSTGRES_OPTIONS
+    User:
+      Username: # ZITADEL_SOURCE_POSTGRES_USER_USERNAME
+      Password: # ZITADEL_SOURCE_POSTGRES_USER_PASSWORD
+      SSL:
+        Mode: # ZITADEL_SOURCE_POSTGRES_USER_SSL_MODE
+        RootCert: # ZITADEL_SOURCE_POSTGRES_USER_SSL_ROOTCERT
+        Cert: # ZITADEL_SOURCE_POSTGRES_USER_SSL_CERT
+        Key: # ZITADEL_SOURCE_POSTGRES_USER_SSL_KEY
+
+# The destination database the data are copied to. Use either cockroach or postgres, by default cockroach is used
+Destination:
+  cockroach:
+    Host: localhost # ZITADEL_DESTINATION_COCKROACH_HOST
+    Port: 26257 # ZITADEL_DESTINATION_COCKROACH_PORT
+    Database: zitadel # ZITADEL_DESTINATION_COCKROACH_DATABASE
+    MaxOpenConns: 0 # ZITADEL_DESTINATION_COCKROACH_MAXOPENCONNS
+    MaxIdleConns: 0 # ZITADEL_DESTINATION_COCKROACH_MAXIDLECONNS
+    MaxConnLifetime: 30m # ZITADEL_DESTINATION_COCKROACH_MAXCONNLIFETIME
+    MaxConnIdleTime: 5m # ZITADEL_DESTINATION_COCKROACH_MAXCONNIDLETIME
+    EventPushConnRatio: 0.01 # ZITADEL_DESTINATION_COCKROACH_EVENTPUSHCONNRATIO
+    ProjectionSpoolerConnRatio: 0.5 # ZITADEL_DESTINATION_COCKROACH_PROJECTIONSPOOLERCONNRATIO
+    Options: "" # ZITADEL_DESTINATION_COCKROACH_OPTIONS
+    User:
+      Username: zitadel # ZITADEL_DESTINATION_COCKROACH_USER_USERNAME
+      Password: "" # ZITADEL_DESTINATION_COCKROACH_USER_PASSWORD
+      SSL:
+        Mode: disable # ZITADEL_DESTINATION_COCKROACH_USER_SSL_MODE
+        RootCert: "" # ZITADEL_DESTINATION_COCKROACH_USER_SSL_ROOTCERT
+        Cert: "" # ZITADEL_DESTINATION_COCKROACH_USER_SSL_CERT
+        Key: "" # ZITADEL_DESTINATION_COCKROACH_USER_SSL_KEY
+  # Postgres is used as soon as a value is set
+  # The values describe the possible fields to set values
+  postgres:
+    Host: # ZITADEL_DESTINATION_POSTGRES_HOST
+    Port: # ZITADEL_DESTINATION_POSTGRES_PORT
+    Database: # ZITADEL_DESTINATION_POSTGRES_DATABASE
+    MaxOpenConns: # ZITADEL_DESTINATION_POSTGRES_MAXOPENCONNS
+    MaxIdleConns: # ZITADEL_DESTINATION_POSTGRES_MAXIDLECONNS
+    MaxConnLifetime: # ZITADEL_DESTINATION_POSTGRES_MAXCONNLIFETIME
+    MaxConnIdleTime: # ZITADEL_DESTINATION_POSTGRES_MAXCONNIDLETIME
+    Options: # ZITADEL_DESTINATION_POSTGRES_OPTIONS
+    User:
+      Username: # ZITADEL_DESTINATION_POSTGRES_USER_USERNAME
+      Password: # ZITADEL_DESTINATION_POSTGRES_USER_PASSWORD
+      SSL:
+        Mode: # ZITADEL_DESTINATION_POSTGRES_USER_SSL_MODE
+        RootCert: # ZITADEL_DESTINATION_POSTGRES_USER_SSL_ROOTCERT
+        Cert: # ZITADEL_DESTINATION_POSTGRES_USER_SSL_CERT
+        Key: # ZITADEL_DESTINATION_POSTGRES_USER_SSL_KEY
+
+# As cockroachdb first copies the data into memory this parameter is used to iterate through the events table and fetch only the given amount of events per iteration
+EventBulkSize: 10000 # ZITADEL_EVENTBULKSIZE
+
+Projections:
+  # Defines how many projections are allowed to run in parallel
+  ConcurrentInstances: 7 # ZITADEL_PROJECTIONS_CONCURRENTINSTANCES
+  # Limits the amount of events projected by each iteration
+  EventBulkLimit: 1000 # ZITADEL_PROJECTIONS_EVENTBULKLIMIT
+
+Auth:
+  Spooler:
+    # Limits the amount of events projected by each iteration
+    BulkLimit: 1000 #ZITADEL_AUTH_SPOOLER_BULKLIMIT
+
+Admin:
+  Spooler:
+    # Limits the amount of events projected by each iteration
+    BulkLimit: 10 #ZITADEL_ADMIN_SPOOLER_BULKLIMIT
+
+Log:
+  Level: info
+```
+
+## Sub commands
+
+The provided sub commands allow more fine grained execution of copying the data.
+
+The following commands are safe to execute multiple times by adding the `--replace`-flag which replaces the data not provided by the events in the destination database.
+
+### `zitadel mirror auth`
+
+Copies the auth requests to the destination database.
+
+### `zitadel mirror eventstore`
+
+Copies the events since the last migration and unique constraints to the destination database.
+
+### `zitadel mirror projections`
+
+Executes all projections in the destination database.
+
+It is NOOP if the projections are already up-to-date. 
+
+### `zitadel mirror system`
+
+Copies encryption keys and assets to the destination database.
+
+### `zitadel mirror verify`
+
+Prints the amount of rows of the source and destination database and the diff. Positive numbers indicate more rows in the destination table that in the source, negative numbers the opposite.
+
+The following tables will likely have an unequal count:
+
+* **projections.current_states**: If your deployment was upgraded several times, the number of entries in the destination will be lower
+* **projections.locks**: If your deployment was upgraded several times, the number of entries in the destination will be lower
+* **projections.keys4\***: Only not expired keys are inserted, the number of entries in the destination will be lower
+* **projections.failed_events**: Should be lower or equal.
+* **auth.users2**: Was replaced with auth.users3, the number of entries in the destination will be 0
+* **auth.users3**: Is the replacement of auth.users2, the number of entries in the destination will be equal or higher
+
+## Limitations
+
+It is not possible to use files as source or destination. See github issue [here](https://github.com/zitadel/zitadel/issues/7966)
+
+Currently the encryption keys of the source database must be copied to the destination database. See github issue [here](https://github.com/zitadel/zitadel/issues/7964)
+
+It is not possible to change the domain of the ZITADEL deployment.
+
+Once you mirrored an instance using the `--instance` flag, you have to make sure you don't mirror other preexisting instances. This means for example, you cannot mirror a few instances and then pass the `--system` flag. You have to pass all remaining instances explicitly, once you used the `--instance` flag 

docs/docs/self-hosting/manage/cli/overview.mdx

@@ -0,0 +1,34 @@
+---
+title: ZITADEL Command Line Interface
+sidebar_label: Overview
+---
+
+This documentation serves as your guide to interacting with Zitadel through the command line interface (CLI). The Zitadel CLI empowers you to manage various aspects of your Zitadel system efficiently from your terminal.
+
+This introductory section provides a brief overview of what the Zitadel CLI offers and who can benefit from using it.
+
+Let's dive in!
+
+## Download the CLI
+
+Download the CLI for [Linux](/docs/self-hosting/deploy/linux#install-zitadel) or [MacOS](/docs/self-hosting/deploy/macos#install-zitadel).
+
+## Quick start
+
+The easiest way to start ZITADEL is by following the [docker compose example](/docs/self-hosting/deploy/compose) which executes the commands for you.
+
+## Initialize the database
+
+The `zitadel init`-command sets up the zitadel database. The statements executed need a user with `ADMIN`-privilege. See [init phase](/docs/self-hosting/manage/updating_scaling#the-init-phase) for more information.
+
+## Setup ZITADEL
+
+The `zitadel setup`-command further sets up the database created using `zitadel init`. This command only requires the user created in the previous step.  See [setup phase](/docs/self-hosting/manage/updating_scaling#the-setup-phase) for more information.
+
+## Start ZITADEL
+
+The `zitadel start`-command runs the ZITADEL server.  See [runtime phase](/docs/self-hosting/manage/updating_scaling#the-runtime-phase) for more information.
+
+The `zitadel start-from-setup`-command first executes [the setup phase](#setup-zitadel) and afterwards runs the ZITADEL server.
+
+The `zitadel start-from-init`-command first executes [the init phase](#Initialize-the-database), afterwards [the setup phase](#setup-zitadel) and lastly runs the ZITADEL server.

docs/docs/self-hosting/manage/database/_cockroachdb.mdx

@@ -2,6 +2,8 @@
 
 The default database of ZITADEL is [CockroachDB](https://www.cockroachlabs.com). The SQL database provides a bunch of features like horizontal scalability, data regionality and many more.
 
+Currently versions >= 23.2 are supported.
+
 The default configuration of the database looks like this:
 
 ```yaml

docs/docs/self-hosting/manage/productionchecklist.md

@@ -25,7 +25,7 @@ To apply best practices to your production setup we created a step by step check
   - [ ] Secure database connections from outside your network and/or use an internal subnet for database connectivity
 - [ ] High Availability for critical infrastructure components (depending on your setup)
   - [ ] Loadbalancer
-  - [ ] [Reverse Proxies](https://zitadel.com/docs/self-hosting/manage/reverseproxy/reverse_proxy)
+  - [ ] [Reverse Proxies](/docs/self-hosting/manage/reverseproxy/reverse_proxy)
   - [ ] Web Application Firewall
 
 #### Networking
@@ -41,7 +41,7 @@ To apply best practices to your production setup we created a step by step check
 - [ ] Add [Custom Branding](/docs/guides/manage/customize/branding) if required
 - [ ] Configure a valid [SMS Service](/docs/guides/manage/console/default-settings#sms) such as Twilio if needed
 - [ ] Configure your privacy policy, terms of service and a help Link if needed
-- [ ] Keep your [masterkey](https://zitadel.com/docs/self-hosting/manage/configure) in a secure storage
+- [ ] Keep your [masterkey](/docs/self-hosting/manage/configure) in a secure storage
 - [ ] Declare and apply zitadel configuration using the zitadel terraform [provider](https://github.com/zitadel/terraform-provider-zitadel) 
 
 ### Security

docs/docs/support/advisory/a10003.md

@@ -21,7 +21,7 @@ If users are redirected to the Login-UI without any organizational context, they
 
 :::note
 If the registration (and also authentication) needs to occur on a specified organization, apps can already
-specify this by providing [an organization scope](https://zitadel.com/docs/apis/openidoauth/scopes#reserved-scopes).
+specify this by providing [an organization scope](/docs/apis/openidoauth/scopes#reserved-scopes).
 :::
 
 ## Statement
@@ -37,7 +37,7 @@ There's no action needed on your side currently as existing instances are not af
 
 Once this update has been released and deployed, newly created instances will always use the default organization and its settings as default context for the login.
 
-Already existing instances will still use the instance settings by default and can switch to the new default by ["Activating the 'LoginDefaultOrg' feature"](https://zitadel.com/docs/apis/resources/admin/admin-service-activate-feature-login-default-org) through the Admin API.
+Already existing instances will still use the instance settings by default and can switch to the new default by ["Activating the 'LoginDefaultOrg' feature"](/docs/apis/resources/admin/admin-service-activate-feature-login-default-org) through the Admin API.
 **This change is irreversible!**
 
 :::note

docs/docs/support/advisory/a10009.md

@@ -0,0 +1,27 @@
+---
+title: Technical Advisory 10009
+---
+
+## Date and Version
+
+Version: 2.53.0
+
+Date: 2024-05-28
+
+## Description
+
+There were rare cases where Cockroachdb got blocked during runtime of ZITADEL and returned `WRITE_TOO_OLD`-errors to ZITADEL. The root cause of the problem is described in [this github issue of the database](https://github.com/cockroachdb/cockroach/issues/77119). The workaround provided by the database is enabling the `enable_durable_locking_for_serializable`-flag as described [here](https://github.com/cockroachdb/cockroach/issues/75456#issuecomment-1936277716).
+
+Because enabling flags requires admin privileges the statement must be executed manually or by executing `zitadel init` command.
+
+## Statement
+
+Ensure lock distribution for `FOR UPDATE`-statements on Cockroachdb.
+
+## Mitigation
+
+Cockroachdb version >= 23.2.
+
+## Impact
+
+Adding additional raft queries to `FOR UPDATE`-statements can impact performance slightly but ensures availability of the system.

docs/docs/support/advisory/a10010.md

@@ -0,0 +1,30 @@
+---
+title: Technical Advisory 10010
+---
+
+## Date and Version
+
+Version: 2.53.0
+
+Date: 2024-05-28
+
+## Description
+
+Version 2.53.0 optimizes the way tokens are created and migrates them to the v2 implementation already used by OAuth / OIDC tokens created through the session API.
+
+Because of this tokens events are no longer created on the user itself. To be as backwards compatible as possible a separate event is created on the user for the audit log.
+
+## Statement
+
+This change was tracked in the following PR:
+[perf(oidc): optimize token creation](https://github.com/zitadel/zitadel/pull/7822), which was released in Version [2.53.0](https://github.com/zitadel/zitadel/releases/tag/v2.53.0)
+
+## Mitigation
+
+If you use the ListEvents API to check the audit trail of a user or being able to compute Daily or Monthly Active Users, be sure to also include the `user.token.v2.added` event type in your search
+if you already query for the `user.token.added` event type.
+
+## Impact
+
+Once this update has been released and deployed, the `user.token.added` event will no longer be created when a user access token is created, but instead a `user.token.v2.added`.
+Existing `user.token.added` events will be untouched.

docs/docs/support/software-release-cycles-support.md

@@ -74,7 +74,7 @@ During this phase, support is limited as we focus on testing and bug fixing.
 ### General available
 
 Generally available features are available to everyone and have the appropriate test coverage to be used for critical tasks.
-The software will be backwards-compatible with previous versions, for exceptions we will publish a [technical advisory](https://zitadel.com/docs/support/technical_advisory).
+The software will be backwards-compatible with previous versions, for exceptions we will publish a [technical advisory](/docs/support/technical_advisory).
 Features in General Availability are not marked explicitly.
 
 ## Release types

docs/docs/support/technical_advisory.mdx

@@ -149,11 +149,35 @@ We understand that these advisories may include breaking changes, and we aim to
     <td>New flag to prefill projections during setup instead of after start</td>
     <td>Feature description</td>
     <td>
-      new flag `--init-projections` introduced to `zitadel setup` commands (`setup`, `start-from-setup`, `start-from-init`)
+      New flag `--init-projections` introduced to `zitadel setup` commands (`setup`, `start-from-setup`, `start-from-init`)
     </td>
     <td>2.44.0, 2.43.6, 2.42.12</td>
     <td>2024-01-25</td>
   </tr>
+  <tr>
+    <td>
+      <a href="./advisory/a10009">A-10009</a>
+    </td>
+    <td>Ensure lock distribution for `FOR UPDATE`-statements on Cockroachdb</td>
+    <td>Feature description</td>
+    <td>
+      Fixes rare cases where updating projections was blocked by a `WRITE_TOO_OLD`-error when using cockroachdb.
+    </td>
+    <td>2.53.0</td>
+    <td>2024-05-28</td>
+  </tr>
+  <tr>
+    <td>
+      <a href="./advisory/a10010">A-10010</a>
+    </td>
+    <td>Event type of token added event changed</td>
+    <td>Breaking Behavior Change</td>
+    <td>
+      Version 2.53.0 improves the token issuance. Due to this there are changes to the event types created on token creation.
+    </td>
+    <td>2.53.0</td>
+    <td>2024-05-28</td>
+  </tr>
 </table>
 
 ## Subscribe to our Mailing List

docs/sidebars.js

@@ -881,6 +881,18 @@ module.exports = {
         "self-hosting/manage/database/database",
         "self-hosting/manage/updating_scaling",
         "self-hosting/manage/usage_control",
+        {
+          type: "category",
+          label: "Command Line Interface",
+          collapsed: false,
+          link: {
+            type: "doc",
+            id: "self-hosting/manage/cli/overview"
+          },
+          items: [
+            "self-hosting/manage/cli/mirror"
+          ],
+        },
       ],
     },
   ],

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/envoyproxy/protoc-gen-validate v1.0.4
 	github.com/fatih/color v1.16.0
 	github.com/gabriel-vasile/mimetype v1.4.3
-	github.com/go-jose/go-jose/v4 v4.0.1
+	github.com/go-jose/go-jose/v4 v4.0.2
 	github.com/go-ldap/ldap/v3 v3.4.7
 	github.com/go-webauthn/webauthn v0.10.2
 	github.com/gorilla/csrf v1.7.2
@@ -31,7 +31,7 @@ require (
 	github.com/gorilla/securecookie v1.1.2
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/grpc-gateway v1.16.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0
 	github.com/h2non/gock v1.2.0
 	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/improbable-eng/grpc-web v0.15.0
@@ -58,31 +58,31 @@ require (
 	github.com/superseriousbusiness/exifremove v0.0.0-20210330092427-6acd27eac203
 	github.com/ttacon/libphonenumber v1.2.1
 	github.com/zitadel/logging v0.6.0
-	github.com/zitadel/oidc/v3 v3.23.2
+	github.com/zitadel/oidc/v3 v3.25.0
 	github.com/zitadel/passwap v0.5.0
 	github.com/zitadel/saml v0.1.3
 	github.com/zitadel/schema v1.3.0
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0
-	go.opentelemetry.io/otel v1.26.0
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0
-	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
-	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0
-	go.opentelemetry.io/otel/metric v1.26.0
-	go.opentelemetry.io/otel/sdk v1.26.0
-	go.opentelemetry.io/otel/sdk/metric v1.26.0
-	go.opentelemetry.io/otel/trace v1.26.0
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0
+	go.opentelemetry.io/otel v1.27.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0
+	go.opentelemetry.io/otel/exporters/prometheus v0.49.0
+	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.27.0
+	go.opentelemetry.io/otel/metric v1.27.0
+	go.opentelemetry.io/otel/sdk v1.27.0
+	go.opentelemetry.io/otel/sdk/metric v1.27.0
+	go.opentelemetry.io/otel/trace v1.27.0
 	go.uber.org/mock v0.4.0
-	golang.org/x/crypto v0.22.0
+	golang.org/x/crypto v0.24.0
 	golang.org/x/exp v0.0.0-20240409090435-93d18d7e34b8
-	golang.org/x/net v0.24.0
-	golang.org/x/oauth2 v0.19.0
+	golang.org/x/net v0.26.0
+	golang.org/x/oauth2 v0.21.0
 	golang.org/x/sync v0.7.0
-	golang.org/x/text v0.14.0
+	golang.org/x/text v0.16.0
 	google.golang.org/api v0.172.0
-	google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6
-	google.golang.org/grpc v1.63.2
-	google.golang.org/protobuf v1.34.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20240610135401-a8a62080eff3
+	google.golang.org/grpc v1.64.0
+	google.golang.org/protobuf v1.34.2
 	sigs.k8s.io/yaml v1.4.0
 )
 
@@ -91,7 +91,7 @@ require (
 	github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
 	github.com/crewjam/httperr v0.2.0 // indirect
 	github.com/go-chi/chi/v5 v5.0.12 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-sql-driver/mysql v1.7.1 // indirect
 	github.com/go-webauthn/x v0.1.9 // indirect
@@ -116,13 +116,12 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
 	google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240610135401-a8a62080eff3 // indirect
 )
 
 require (
 	cloud.google.com/go v0.112.2 // indirect
-	cloud.google.com/go/compute v1.25.1 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	cloud.google.com/go/iam v1.1.7 // indirect
 	cloud.google.com/go/trace v1.10.6 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
@@ -181,10 +180,10 @@ require (
 	github.com/muesli/clusters v0.0.0-20200529215643-2700303c1762 // indirect
 	github.com/muesli/kmeans v0.3.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.19.0
+	github.com/prometheus/client_golang v1.19.1
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.53.0 // indirect
-	github.com/prometheus/procfs v0.14.0 // indirect
+	github.com/prometheus/common v0.54.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rs/xid v1.5.0 // indirect
 	github.com/russellhaering/goxmldsig v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3
@@ -196,9 +195,9 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.2.0 // indirect
-	golang.org/x/sys v0.19.0
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
+	golang.org/x/sys v0.21.0
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -2,10 +2,8 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.112.2 h1:ZaGT6LiG7dBzi6zNOvVZwacaXlmf3lRqnC4DQzqyRQw=
 cloud.google.com/go v0.112.2/go.mod h1:iEqjp//KquGIJV/m+Pk3xecgKNhV+ry+vVTsy4TbDms=
-cloud.google.com/go/compute v1.25.1 h1:ZRpHJedLtTpKgr3RV1Fx23NuaAEN1Zfx9hw1u4aJdjU=
-cloud.google.com/go/compute v1.25.1/go.mod h1:oopOIR53ly6viBYxaDhBfJwzUAxf1zE//uf3IB011ls=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/iam v1.1.7 h1:z4VHOhwKLF/+UYXAJDFwGtNF0b6gjsW1Pk9Ml0U/IoM=
 cloud.google.com/go/iam v1.1.7/go.mod h1:J4PMPg8TtyurAUvSmPj8FF3EDgY1SPRZxcUGrn7WXGA=
 cloud.google.com/go/logging v1.9.0 h1:iEIOXFO9EmSiTjDmfpbRjOxECO7R8C7b8IXUGOj7xZw=
@@ -214,8 +212,8 @@ github.com/go-errors/errors v1.1.1/go.mod h1:psDX2osz5VnTOnFWbDeWwS7yejl+uV3FEWE
 github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
-github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
-github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
+github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.10.0/go.mod h1:xUsJbQ/Fp4kEt7AFgCuvyX4a71u8h9jB8tj/ORgOZ7o=
@@ -226,8 +224,8 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
@@ -357,8 +355,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0 h1:gmcG1KaJ57LophUzW0Hy8NmPhnMZb4M0+kPpLofRdBo=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 h1:/c3QmbOGMGTOumP2iT/rCwB7b0QDGLKzqOmktBjT+Is=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1/go.mod h1:5SN9VR2LTsRFsrEC6FHgRbTWrTHu6tqPeKxEQv15giM=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
 github.com/h2non/filetype v1.1.1/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
 github.com/h2non/filetype v1.1.3 h1:FKkx9QbD7HR/zjK1Ia5XiBsq9zdLi5Kf3zGyFTAFkGg=
 github.com/h2non/filetype v1.1.3/go.mod h1:319b3zT68BvV+WRj7cwy856M2ehB3HqNOt6sy1HndBY=
@@ -603,8 +601,8 @@ github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829/go.mod
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.3.0/go.mod h1:hJaj2vgQTGQmVCsAACORcieXFeDPbaTKGT+JTgUa3og=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
-github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
-github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -618,16 +616,16 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/common v0.7.0/go.mod h1:DjGbpBbp5NYNiECxcL/VnbXCCaQpKd3tt26CguLLsqA=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.15.0/go.mod h1:U+gB1OBLb1lF3O42bTCL+FK18tX9Oar16Clt/msog/s=
-github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE=
-github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
+github.com/prometheus/common v0.54.0 h1:ZlZy0BgJhTwVZUn7dLOkwCZHUkrAqd3WYtcFCWnM1D8=
+github.com/prometheus/common v0.54.0/go.mod h1:/TQgMJP5CuVYveyT7n/0Ix8yLNNXy9yRSkhnLTHPDIQ=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20190117184657-bf6a532e95b1/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.8/go.mod h1:7Qr8sr6344vo1JqZ6HhLceV9o3AJ1Ff+GxbHq6oeK9A=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.3.0/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
-github.com/prometheus/procfs v0.14.0 h1:Lw4VdGGoKEZilJsayHf0B+9YgLGREba2C6xr+Fdfq6s=
-github.com/prometheus/procfs v0.14.0/go.mod h1:XL+Iwz8k8ZabyZfMFHPiilCniixqQarAy5Mu67pHlNQ=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/rakyll/statik v0.1.7 h1:OF3QCZUuyPxuGEP7B4ypUa7sB/iHtqOTDYZXGM8KOdQ=
 github.com/rakyll/statik v0.1.7/go.mod h1:AlZONWzMtEnMs7W4e/1LURLiI49pIMmp6V9Unghqrcc=
 github.com/rcrowley/go-metrics v0.0.0-20181016184325-3113b8401b8a/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
@@ -636,8 +634,8 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.0/go.mod h1:WmiCO8CzOY8rg0OYDC4/i/2WRWAB6poM+XZ2dLUbcbE=
-github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
-github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/cors v1.7.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
 github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po=
 github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
@@ -731,8 +729,8 @@ github.com/zenazn/goji v1.0.1 h1:4lbD8Mx2h7IvloP7r2C0D6ltZP6Ufip8Hn0wmSK5LR8=
 github.com/zenazn/goji v1.0.1/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
 github.com/zitadel/logging v0.6.0 h1:t5Nnt//r+m2ZhhoTmoPX+c96pbMarqJvW1Vq6xFTank=
 github.com/zitadel/logging v0.6.0/go.mod h1:Y4CyAXHpl3Mig6JOszcV5Rqqsojj+3n7y2F591Mp/ow=
-github.com/zitadel/oidc/v3 v3.23.2 h1:vRUM6SKudr6WR/lqxue4cvCbgR+IdEJGVBklucKKXgk=
-github.com/zitadel/oidc/v3 v3.23.2/go.mod h1:9snlhm3W/GNURqxtchjL1AAuClWRZ2NTkn9sLs1WYfM=
+github.com/zitadel/oidc/v3 v3.25.0 h1:DosOUc31IPM9ZtKaT58+0iNicwDFTFk5Ctt7mgYtsA8=
+github.com/zitadel/oidc/v3 v3.25.0/go.mod h1:UDwD+PRFbUBzabyPd9JORrakty3/wec7VpKZYi9Ahh0=
 github.com/zitadel/passwap v0.5.0 h1:kFMoRyo0GnxtOz7j9+r/CsRwSCjHGRaAKoUe69NwPvs=
 github.com/zitadel/passwap v0.5.0/go.mod h1:uqY7D3jqdTFcKsW0Q3Pcv5qDMmSHpVTzUZewUKC1KZA=
 github.com/zitadel/saml v0.1.3 h1:LI4DOCVyyU1qKPkzs3vrGcA5J3H4pH3+CL9zr9ShkpM=
@@ -746,30 +744,30 @@ go.opencensus.io v0.20.2/go.mod h1:6WKK9ahsWS3RSO+PY9ZHZUfv2irvY6gN279GOPZjmmk=
 go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0 h1:A3SayB3rNyt+1S6qpI9mHPkeHTZbD7XILEqWnYZb2l0=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0/go.mod h1:27iA5uvhuRNmalO+iEUdVn5ZMj2qy10Mm+XRIpRmyuU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc=
-go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs=
-go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0 h1:1u/AyyOqAWzy+SkPxDpahCNZParHV8Vid1RnI2clyDE=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.26.0/go.mod h1:z46paqbJ9l7c9fIPCXTqTGwhQZ5XoTIsfeFYWboizjs=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0 h1:Waw9Wfpo/IXzOI8bCB7DIk+0JZcqqsyn1JFnAc+iam8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.26.0/go.mod h1:wnJIG4fOqyynOnnQF/eQb4/16VlX2EJAHhHgqIqWfAo=
-go.opentelemetry.io/otel/exporters/prometheus v0.48.0 h1:sBQe3VNGUjY9IKWQC6z2lNqa5iGbDSxhs60ABwK4y0s=
-go.opentelemetry.io/otel/exporters/prometheus v0.48.0/go.mod h1:DtrbMzoZWwQHyrQmCfLam5DZbnmorsGbOtTbYHycU5o=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0 h1:0W5o9SzoR15ocYHEQfvfipzcNog1lBxOLfnex91Hk6s=
-go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.26.0/go.mod h1:zVZ8nz+VSggWmnh6tTsJqXQ7rU4xLwRtna1M4x5jq58=
-go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30=
-go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4=
-go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8=
-go.opentelemetry.io/otel/sdk v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs=
-go.opentelemetry.io/otel/sdk/metric v1.26.0 h1:cWSks5tfriHPdWFnl+qpX3P681aAYqlZHcAyHw5aU9Y=
-go.opentelemetry.io/otel/sdk/metric v1.26.0/go.mod h1:ClMFFknnThJCksebJwz7KIyEDHO+nTB6gK8obLy8RyE=
-go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA=
-go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0=
-go.opentelemetry.io/proto/otlp v1.2.0 h1:pVeZGk7nXDC9O2hncA6nHldxEjm6LByfA2aN8IOkz94=
-go.opentelemetry.io/proto/otlp v1.2.0/go.mod h1:gGpR8txAl5M03pDhMC79G6SdqNV26naRm/KDsgaHD8A=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0 h1:9l89oX4ba9kHbBol3Xin3leYJ+252h0zszDtBwyKe2A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.52.0/go.mod h1:XLZfZboOJWHNKUv7eH0inh0E9VV6eWDFB/9yJyTLPp0=
+go.opentelemetry.io/otel v1.27.0 h1:9BZoF3yMK/O1AafMiQTVu0YDj5Ea4hPhxCs7sGva+cg=
+go.opentelemetry.io/otel v1.27.0/go.mod h1:DMpAK8fzYRzs+bi3rS5REupisuqTheUlSZJ1WnZaPAQ=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0 h1:R9DE4kQ4k+YtfLI2ULwX82VtNQ2J8yZmA7ZIF/D+7Mc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.27.0/go.mod h1:OQFyQVrDlbe+R7xrEyDr/2Wr67Ol0hRUgsfA+V5A95s=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
+go.opentelemetry.io/otel/exporters/prometheus v0.49.0 h1:Er5I1g/YhfYv9Affk9nJLfH/+qCCVVg1f2R9AbJfqDQ=
+go.opentelemetry.io/otel/exporters/prometheus v0.49.0/go.mod h1:KfQ1wpjf3zsHjzP149P4LyAwWRupc6c7t1ZJ9eXpKQM=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.27.0 h1:/0YaXu3755A/cFbtXp+21lkXgI0QE5avTWA2HjU9/WE=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.27.0/go.mod h1:m7SFxp0/7IxmJPLIY3JhOcU9CoFzDaCPL6xxQIxhA+o=
+go.opentelemetry.io/otel/metric v1.27.0 h1:hvj3vdEKyeCi4YaYfNjv2NUje8FqKqUY8IlF0FxV/ik=
+go.opentelemetry.io/otel/metric v1.27.0/go.mod h1:mVFgmRlhljgBiuk/MP/oKylr4hs85GZAylncepAX/ak=
+go.opentelemetry.io/otel/sdk v1.27.0 h1:mlk+/Y1gLPLn84U4tI8d3GNJmGT/eXe3ZuOXN9kTWmI=
+go.opentelemetry.io/otel/sdk v1.27.0/go.mod h1:Ha9vbLwJE6W86YstIywK2xFfPjbWlCuwPtMkKdz/Y4A=
+go.opentelemetry.io/otel/sdk/metric v1.27.0 h1:5uGNOlpXi+Hbo/DRoI31BSb1v+OGcpv2NemcCrOL8gI=
+go.opentelemetry.io/otel/sdk/metric v1.27.0/go.mod h1:we7jJVrYN2kh3mVBlswtPU22K0SA+769l93J6bsyvqw=
+go.opentelemetry.io/otel/trace v1.27.0 h1:IqYb813p7cmbHk0a5y6pD5JPakbVfftRXABGt5/Rscw=
+go.opentelemetry.io/otel/trace v1.27.0/go.mod h1:6RiD1hkAprV4/q+yd2ln1HG9GoPx39SuvvstaLBl+l4=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
 go.uber.org/atomic v1.5.0/go.mod h1:sABNBOSYdrvTF6hTgEIbc7YasKWGhgEQZyfxyTvoXHQ=
@@ -801,8 +799,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
+golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
+golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20200331195152-e8c3332aa8e5/go.mod h1:4M0jN8W1tt0AVLNr8HDosyJCDCDuyL9N9+3m7wDWgKw=
@@ -863,13 +861,13 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.26.0 h1:soB7SVo0PWrY4vPW/+ay0jKDNScG2X9wFeYlXIvJsOQ=
+golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
-golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg=
-golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8=
+golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
+golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -924,8 +922,8 @@ golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
+golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -941,8 +939,9 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
@@ -991,10 +990,10 @@ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEY
 google.golang.org/genproto v0.0.0-20210126160654-44e461bb6506/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56 h1:LlcUFJ4BLmJVS4Kly+WCK7LQqcevmycHj88EPgyhNx8=
 google.golang.org/genproto v0.0.0-20240412170617-26222e5d3d56/go.mod h1:n1CaIKYMIlxFt1zJE/1kU40YpSL0drGMbl0Idum1VSs=
-google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6 h1:DTJM0R8LECCgFeUwApvcEJHz85HLagW8uRENYxHh1ww=
-google.golang.org/genproto/googleapis/api v0.0.0-20240429193739-8cf5692501f6/go.mod h1:10yRODfgim2/T8csjQsMPgZOMvtytXKTDRzH6HRGzRw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6 h1:DujSIu+2tC9Ht0aPNA7jgj23Iq8Ewi5sgkQ++wdvonE=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240429193739-8cf5692501f6/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
+google.golang.org/genproto/googleapis/api v0.0.0-20240610135401-a8a62080eff3 h1:QW9+G6Fir4VcRXVH8x3LilNAb6cxBGLa6+GM4hRwexE=
+google.golang.org/genproto/googleapis/api v0.0.0-20240610135401-a8a62080eff3/go.mod h1:kdrSS/OiLkPrNUpzD4aHgCq2rVuC/YRxok32HXZ4vRE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240610135401-a8a62080eff3 h1:9Xyg6I9IWQZhRVfCWjKK+l6kI0jHcPesVlMnT//aHNo=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240610135401-a8a62080eff3/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM=
@@ -1010,8 +1009,8 @@ google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3Iji
 google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
-google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
+google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
+google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1022,8 +1021,8 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.34.0 h1:Qo/qEd2RZPCf2nKuorzksSknv0d3ERwp1vFG38gSmH4=
-google.golang.org/protobuf v1.34.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
+google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

internal/admin/repository/eventsourcing/handler/handler.go

@@ -41,14 +41,24 @@ func Register(ctx context.Context, config Config, view *view.View, static static
 	))
 }
 
+func Projections() []*handler2.Handler {
+	return projections
+}
+
 func Start(ctx context.Context) {
 	for _, projection := range projections {
 		projection.Start(ctx)
 	}
 }
 
-func Projections() []*handler2.Handler {
-	return projections
+func ProjectInstance(ctx context.Context) error {
+	for _, projection := range projections {
+		_, err := projection.Trigger(ctx)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
 }
 
 func (config Config) overwrite(viewModel string) handler2.Config {

internal/api/grpc/admin/restrictions_integration_allow_public_org_registrations_test.go

@@ -22,7 +22,7 @@ import (
 func TestServer_Restrictions_DisallowPublicOrgRegistration(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	domain, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, ctx, SystemCTX)
+	domain, _, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, ctx, SystemCTX)
 	regOrgUrl, err := url.Parse("http://" + domain + ":8080/ui/login/register/org")
 	require.NoError(t, err)
 	// The CSRF cookie must be sent with every request.

internal/api/grpc/admin/restrictions_integration_allowed_languages_test.go

@@ -33,7 +33,7 @@ func TestServer_Restrictions_AllowedLanguages(t *testing.T) {
 		unsupportedLanguage       = language.Afrikaans
 	)
 
-	domain, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, ctx, SystemCTX)
+	domain, _, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, ctx, SystemCTX)
 	t.Run("assumed defaults are correct", func(tt *testing.T) {
 		tt.Run("languages are not restricted by default", func(ttt *testing.T) {
 			restrictions, err := Tester.Client.Admin.GetRestrictions(iamOwnerCtx, &admin.GetRestrictionsRequest{})

internal/api/grpc/feature/v2/converter.go

@@ -16,6 +16,7 @@ func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) *command.
 		UserSchema:                      req.UserSchema,
 		Actions:                         req.Actions,
 		TokenExchange:                   req.OidcTokenExchange,
+		ImprovedPerformance:             improvedPerformanceListToDomain(req.ImprovedPerformance),
 	}
 }
 
@@ -28,6 +29,7 @@ func systemFeaturesToPb(f *query.SystemFeatures) *feature_pb.GetSystemFeaturesRe
 		UserSchema:                          featureSourceToFlagPb(&f.UserSchema),
 		OidcTokenExchange:                   featureSourceToFlagPb(&f.TokenExchange),
 		Actions:                             featureSourceToFlagPb(&f.Actions),
+		ImprovedPerformance:                 featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance),
 	}
 }
 
@@ -39,6 +41,7 @@ func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) *comm
 		UserSchema:                      req.UserSchema,
 		TokenExchange:                   req.OidcTokenExchange,
 		Actions:                         req.Actions,
+		ImprovedPerformance:             improvedPerformanceListToDomain(req.ImprovedPerformance),
 	}
 }
 
@@ -51,6 +54,14 @@ func instanceFeaturesToPb(f *query.InstanceFeatures) *feature_pb.GetInstanceFeat
 		UserSchema:                          featureSourceToFlagPb(&f.UserSchema),
 		OidcTokenExchange:                   featureSourceToFlagPb(&f.TokenExchange),
 		Actions:                             featureSourceToFlagPb(&f.Actions),
+		ImprovedPerformance:                 featureSourceToImprovedPerformanceFlagPb(&f.ImprovedPerformance),
+	}
+}
+
+func featureSourceToImprovedPerformanceFlagPb(fs *query.FeatureSource[[]feature.ImprovedPerformanceType]) *feature_pb.ImprovedPerformanceFeatureFlag {
+	return &feature_pb.ImprovedPerformanceFeatureFlag{
+		ExecutionPaths: improvedPerformanceTypesToPb(fs.Value),
+		Source:         featureLevelToSourcePb(fs.Level),
 	}
 }
 
@@ -81,3 +92,48 @@ func featureLevelToSourcePb(level feature.Level) feature_pb.Source {
 		return feature_pb.Source(level)
 	}
 }
+
+func improvedPerformanceTypesToPb(types []feature.ImprovedPerformanceType) []feature_pb.ImprovedPerformance {
+	res := make([]feature_pb.ImprovedPerformance, len(types))
+
+	for i, typ := range types {
+		res[i] = improvedPerformanceTypeToPb(typ)
+	}
+
+	return res
+}
+
+func improvedPerformanceTypeToPb(typ feature.ImprovedPerformanceType) feature_pb.ImprovedPerformance {
+	switch typ {
+	case feature.ImprovedPerformanceTypeUnknown:
+		return feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_UNSPECIFIED
+	case feature.ImprovedPerformanceTypeOrgByID:
+		return feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID
+	default:
+		return feature_pb.ImprovedPerformance(typ)
+	}
+}
+
+func improvedPerformanceListToDomain(list []feature_pb.ImprovedPerformance) []feature.ImprovedPerformanceType {
+	if list == nil {
+		return nil
+	}
+	res := make([]feature.ImprovedPerformanceType, len(list))
+
+	for i, typ := range list {
+		res[i] = improvedPerformanceToDomain(typ)
+	}
+
+	return res
+}
+
+func improvedPerformanceToDomain(typ feature_pb.ImprovedPerformance) feature.ImprovedPerformanceType {
+	switch typ {
+	case feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_UNSPECIFIED:
+		return feature.ImprovedPerformanceTypeUnknown
+	case feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID:
+		return feature.ImprovedPerformanceTypeOrgByID
+	default:
+		return feature.ImprovedPerformanceTypeUnknown
+	}
+}

internal/api/grpc/feature/v2/converter_test.go

@@ -24,6 +24,7 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		UserSchema:                          gu.Ptr(true),
 		Actions:                             gu.Ptr(true),
 		OidcTokenExchange:                   gu.Ptr(true),
+		ImprovedPerformance:                 nil,
 	}
 	want := &command.SystemFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -32,6 +33,7 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		UserSchema:                      gu.Ptr(true),
 		Actions:                         gu.Ptr(true),
 		TokenExchange:                   gu.Ptr(true),
+		ImprovedPerformance:             nil,
 	}
 	got := systemFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
@@ -68,6 +70,10 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			Level: feature.LevelSystem,
 			Value: false,
 		},
+		ImprovedPerformance: query.FeatureSource[[]feature.ImprovedPerformanceType]{
+			Level: feature.LevelSystem,
+			Value: []feature.ImprovedPerformanceType{feature.ImprovedPerformanceTypeOrgByID},
+		},
 	}
 	want := &feature_pb.GetSystemFeaturesResponse{
 		Details: &object.Details{
@@ -99,6 +105,10 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			Enabled: true,
 			Source:  feature_pb.Source_SOURCE_SYSTEM,
 		},
+		ImprovedPerformance: &feature_pb.ImprovedPerformanceFeatureFlag{
+			ExecutionPaths: []feature_pb.ImprovedPerformance{feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID},
+			Source:         feature_pb.Source_SOURCE_SYSTEM,
+		},
 	}
 	got := systemFeaturesToPb(arg)
 	assert.Equal(t, want, got)
@@ -112,6 +122,7 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		UserSchema:                          gu.Ptr(true),
 		OidcTokenExchange:                   gu.Ptr(true),
 		Actions:                             gu.Ptr(true),
+		ImprovedPerformance:                 nil,
 	}
 	want := &command.InstanceFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -120,6 +131,7 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		UserSchema:                      gu.Ptr(true),
 		TokenExchange:                   gu.Ptr(true),
 		Actions:                         gu.Ptr(true),
+		ImprovedPerformance:             nil,
 	}
 	got := instanceFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
@@ -156,6 +168,10 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Level: feature.LevelSystem,
 			Value: false,
 		},
+		ImprovedPerformance: query.FeatureSource[[]feature.ImprovedPerformanceType]{
+			Level: feature.LevelSystem,
+			Value: []feature.ImprovedPerformanceType{feature.ImprovedPerformanceTypeOrgByID},
+		},
 	}
 	want := &feature_pb.GetInstanceFeaturesResponse{
 		Details: &object.Details{
@@ -187,6 +203,10 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Enabled: false,
 			Source:  feature_pb.Source_SOURCE_SYSTEM,
 		},
+		ImprovedPerformance: &feature_pb.ImprovedPerformanceFeatureFlag{
+			ExecutionPaths: []feature_pb.ImprovedPerformance{feature_pb.ImprovedPerformance_IMPROVED_PERFORMANCE_ORG_BY_ID},
+			Source:         feature_pb.Source_SOURCE_SYSTEM,
+		},
 	}
 	got := instanceFeaturesToPb(arg)
 	assert.Equal(t, want, got)

internal/api/grpc/server/gateway.go

@@ -10,9 +10,11 @@ import (
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"github.com/zitadel/logging"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	healthpb "google.golang.org/grpc/health/grpc_health_v1"
+	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/proto"
 
@@ -36,6 +38,23 @@ var (
 		},
 	}
 
+	httpErrorHandler = runtime.RoutingErrorHandlerFunc(
+		func(ctx context.Context, mux *runtime.ServeMux, marshaler runtime.Marshaler, w http.ResponseWriter, r *http.Request, httpStatus int) {
+			if httpStatus != http.StatusMethodNotAllowed {
+				runtime.DefaultRoutingErrorHandler(ctx, mux, marshaler, w, r, httpStatus)
+				return
+			}
+
+			// Use HTTPStatusError to customize the DefaultHTTPErrorHandler status code
+			err := &runtime.HTTPStatusError{
+				HTTPStatus: httpStatus,
+				Err:        status.Error(codes.Unimplemented, http.StatusText(httpStatus)),
+			}
+
+			runtime.DefaultHTTPErrorHandler(ctx, mux, marshaler, w, r, err)
+		},
+	)
+
 	serveMuxOptions = []runtime.ServeMuxOption{
 		runtime.WithMarshalerOption(jsonMarshaler.ContentType(nil), jsonMarshaler),
 		runtime.WithMarshalerOption(mimeWildcard, jsonMarshaler),
@@ -43,6 +62,7 @@ var (
 		runtime.WithIncomingHeaderMatcher(headerMatcher),
 		runtime.WithOutgoingHeaderMatcher(runtime.DefaultHeaderMatcher),
 		runtime.WithForwardResponseOption(responseForwarder),
+		runtime.WithRoutingErrorHandler(httpErrorHandler),
 	}
 
 	headerMatcher = runtime.HeaderMatcherFunc(

internal/api/grpc/session/v2/session_integration_test.go

@@ -14,12 +14,15 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/zitadel/logging"
+	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/zitadel/zitadel/internal/integration"
+	mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
 	object "github.com/zitadel/zitadel/pkg/grpc/object/v2beta"
 	session "github.com/zitadel/zitadel/pkg/grpc/session/v2beta"
 	user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
@@ -27,6 +30,7 @@ import (
 
 var (
 	CTX             context.Context
+	IAMOwnerCTX     context.Context
 	Tester          *integration.Tester
 	Client          session.SessionServiceClient
 	User            *user.AddHumanUserResponse
@@ -44,6 +48,7 @@ func TestMain(m *testing.M) {
 		Client = Tester.Client.SessionV2
 
 		CTX, _ = Tester.WithAuthorization(ctx, integration.OrgOwner), errCtx
+		IAMOwnerCTX = Tester.WithAuthorization(ctx, integration.IAMOwner)
 		User = createFullUser(CTX)
 		DeactivatedUser = createDeactivatedUser(CTX)
 		LockedUser = createLockedUser(CTX)
@@ -341,6 +346,48 @@ func TestServer_CreateSession(t *testing.T) {
 	}
 }
 
+func TestServer_CreateSession_lock_user(t *testing.T) {
+	// create a separate org so we don't interfere with any other test
+	org := Tester.CreateOrganization(IAMOwnerCTX,
+		fmt.Sprintf("TestServer_CreateSession_lock_user_%d", time.Now().UnixNano()),
+		fmt.Sprintf("%d@mouse.com", time.Now().UnixNano()),
+	)
+	userID := org.CreatedAdmins[0].GetUserId()
+	Tester.SetUserPassword(IAMOwnerCTX, userID, integration.UserPassword, false)
+
+	// enable password lockout
+	maxAttempts := 2
+	ctxOrg := metadata.AppendToOutgoingContext(IAMOwnerCTX, "x-zitadel-orgid", org.GetOrganizationId())
+	_, err := Tester.Client.Mgmt.AddCustomLockoutPolicy(ctxOrg, &mgmt.AddCustomLockoutPolicyRequest{
+		MaxPasswordAttempts: uint32(maxAttempts),
+	})
+	require.NoError(t, err)
+
+	for i := 0; i <= maxAttempts; i++ {
+		_, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
+			Checks: &session.Checks{
+				User: &session.CheckUser{
+					Search: &session.CheckUser_UserId{
+						UserId: userID,
+					},
+				},
+				Password: &session.CheckPassword{
+					Password: "invalid",
+				},
+			},
+		})
+		assert.Error(t, err)
+		statusCode := status.Code(err)
+		expectedCode := codes.InvalidArgument
+		// as soon as we hit the limit the user is locked and following request will
+		// already deny any check with a precondition failed since the user is locked
+		if i >= maxAttempts {
+			expectedCode = codes.FailedPrecondition
+		}
+		assert.Equal(t, expectedCode, statusCode)
+	}
+}
+
 func TestServer_CreateSession_webauthn(t *testing.T) {
 	// create new session with user and request the webauthn challenge
 	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
@@ -429,6 +476,14 @@ func TestServer_CreateSession_successfulIntent_instant(t *testing.T) {
 func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
 	idpID := Tester.AddGenericOAuthProvider(t, CTX)
 
+	// successful intent without known / linked user
+	idpUserID := "id"
+	intentID, token, _, _ := Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, "", idpUserID)
+
+	// link the user (with info from intent)
+	Tester.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
+
+	// session with intent check must now succeed
 	createResp, err := Client.CreateSession(CTX, &session.CreateSessionRequest{
 		Checks: &session.Checks{
 			User: &session.CheckUser{
@@ -436,28 +491,6 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
 					UserId: User.GetUserId(),
 				},
 			},
-		},
-	})
-	require.NoError(t, err)
-	verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId())
-
-	idpUserID := "id"
-	intentID, token, _, _ := Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, "", idpUserID)
-	updateResp, err := Client.SetSession(CTX, &session.SetSessionRequest{
-		SessionId: createResp.GetSessionId(),
-		Checks: &session.Checks{
-			IdpIntent: &session.CheckIDPIntent{
-				IdpIntentId:    intentID,
-				IdpIntentToken: token,
-			},
-		},
-	})
-	require.Error(t, err)
-	Tester.CreateUserIDPlink(CTX, User.GetUserId(), idpUserID, idpID, User.GetUserId())
-	intentID, token, _, _ = Tester.CreateSuccessfulOAuthIntent(t, CTX, idpID, User.GetUserId(), idpUserID)
-	updateResp, err = Client.SetSession(CTX, &session.SetSessionRequest{
-		SessionId: createResp.GetSessionId(),
-		Checks: &session.Checks{
 			IdpIntent: &session.CheckIDPIntent{
 				IdpIntentId:    intentID,
 				IdpIntentToken: token,
@@ -465,7 +498,7 @@ func TestServer_CreateSession_successfulIntentUnknownUserID(t *testing.T) {
 		},
 	})
 	require.NoError(t, err)
-	verifyCurrentSession(t, createResp.GetSessionId(), updateResp.GetSessionToken(), updateResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantIntentFactor)
+	verifyCurrentSession(t, createResp.GetSessionId(), createResp.GetSessionToken(), createResp.GetDetails().GetSequence(), time.Minute, nil, nil, 0, User.GetUserId(), wantUserFactor, wantIntentFactor)
 }
 
 func TestServer_CreateSession_startedIntentFalseToken(t *testing.T) {
@@ -916,15 +949,6 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 	require.Nil(t, sessionResp)
 }
 
-func Test_ZITADEL_API_missing_mfa(t *testing.T) {
-	id, token, _, _ := Tester.CreatePasswordSession(t, CTX, User.GetUserId(), integration.UserPassword)
-
-	ctx := Tester.WithAuthorizationToken(context.Background(), token)
-	sessionResp, err := Tester.Client.SessionV2.GetSession(ctx, &session.GetSessionRequest{SessionId: id})
-	require.Error(t, err)
-	require.Nil(t, sessionResp)
-}
-
 func Test_ZITADEL_API_success(t *testing.T) {
 	id, token, _, _ := Tester.CreateVerifiedWebAuthNSession(t, CTX, User.GetUserId())
 

internal/api/grpc/system/instance_integration_test.go

@@ -14,7 +14,7 @@ import (
 )
 
 func TestServer_ListInstances(t *testing.T) {
-	domain, instanceID, _ := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+	domain, instanceID, _, _ := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
 
 	tests := []struct {
 		name    string

internal/api/grpc/system/limits_integration_auditlogretention_test.go

@@ -21,7 +21,7 @@ import (
 )
 
 func TestServer_Limits_AuditLogRetention(t *testing.T) {
-	_, instanceID, iamOwnerCtx := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+	_, instanceID, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
 	userID, projectID, appID, projectGrantID := seedObjects(iamOwnerCtx, t)
 	beforeTime := time.Now()
 	farPast := timestamppb.New(beforeTime.Add(-10 * time.Hour).UTC())

internal/api/grpc/system/limits_integration_block_test.go

@@ -27,7 +27,7 @@ import (
 )
 
 func TestServer_Limits_Block(t *testing.T) {
-	domain, instanceID, iamOwnerCtx := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+	domain, instanceID, _, iamOwnerCtx := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
 	tests := []*test{
 		publicAPIBlockingTest(domain),
 		{

internal/api/grpc/system/quotas_enabled/quota_integration_test.go

@@ -66,7 +66,7 @@ func TestServer_QuotaNotification_Limit(t *testing.T) {
 }
 
 func TestServer_QuotaNotification_NoLimit(t *testing.T) {
-	_, instanceID, IAMOwnerCTX := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+	_, instanceID, _, IAMOwnerCTX := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
 	amount := 10
 	percent := 50
 	percentAmount := amount * percent / 100
@@ -148,7 +148,7 @@ func awaitNotification(t *testing.T, bodies chan []byte, unit quota.Unit, percen
 }
 
 func TestServer_AddAndRemoveQuota(t *testing.T) {
-	_, instanceID, _ := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
+	_, instanceID, _, _ := Tester.UseIsolatedInstance(t, CTX, SystemCTX)
 
 	got, err := Tester.Client.System.SetQuota(SystemCTX, &system.SetQuotaRequest{
 		InstanceId:    instanceID,

internal/api/oidc/auth_request.go

@@ -471,7 +471,7 @@ func (s *Server) CreateTokenCallbackURL(ctx context.Context, req op.AuthRequest)
 	if err != nil {
 		return "", err
 	}
-	resp, err := s.accessTokenResponseFromSession(ctx, client, session, state, client.client.ProjectID, client.client.ProjectRoleAssertion)
+	resp, err := s.accessTokenResponseFromSession(ctx, client, session, state, client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion)
 	if err != nil {
 		return "", err
 	}
@@ -563,7 +563,7 @@ func (s *Server) authResponseToken(authReq *AuthRequest, authorizer op.Authorize
 		op.AuthRequestError(w, r, authReq, err, authorizer)
 		return err
 	}
-	resp, err := s.accessTokenResponseFromSession(ctx, client, session, authReq.GetState(), client.client.ProjectID, client.client.ProjectRoleAssertion)
+	resp, err := s.accessTokenResponseFromSession(ctx, client, session, authReq.GetState(), client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion)
 	if err != nil {
 		op.AuthRequestError(w, r, authReq, err, authorizer)
 		return err

internal/api/oidc/auth_request_integration_test.go

@@ -54,7 +54,7 @@ func TestOPStorage_CreateAccessToken_code(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, false)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// callback on a succeeded request must fail
 	linkResp, err = Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
@@ -108,7 +108,7 @@ func TestOPStorage_CreateAccessToken_implicit(t *testing.T) {
 	require.NoError(t, err)
 	claims, err := rp.VerifyTokens[*oidc.IDTokenClaims](context.Background(), accessToken, idToken, provider.IDTokenVerifier())
 	require.NoError(t, err)
-	assertIDTokenClaims(t, claims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, claims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// callback on a succeeded request must fail
 	linkResp, err = Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
@@ -143,7 +143,7 @@ func TestOPStorage_CreateAccessAndRefreshTokens_code(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 }
 
 func TestOPStorage_CreateAccessAndRefreshTokens_refresh(t *testing.T) {
@@ -168,14 +168,14 @@ func TestOPStorage_CreateAccessAndRefreshTokens_refresh(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// test actual refresh grant
 	newTokens, err := refreshTokens(t, clientID, tokens.RefreshToken)
 	require.NoError(t, err)
 	assertTokens(t, newTokens, true)
 	// auth time must still be the initial
-	assertIDTokenClaims(t, newTokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, newTokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// refresh with an old refresh_token must fail
 	_, err = rp.RefreshTokens[*oidc.IDTokenClaims](CTX, provider, tokens.RefreshToken, "", "")
@@ -204,7 +204,7 @@ func TestOPStorage_RevokeToken_access_token(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// revoke access token
 	err = rp.RevokeToken(CTX, provider, tokens.AccessToken, "access_token")
@@ -247,7 +247,7 @@ func TestOPStorage_RevokeToken_access_token_invalid_token_hint_type(t *testing.T
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// revoke access token
 	err = rp.RevokeToken(CTX, provider, tokens.AccessToken, "refresh_token")
@@ -284,7 +284,7 @@ func TestOPStorage_RevokeToken_refresh_token(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// revoke refresh token -> invalidates also access token
 	err = rp.RevokeToken(CTX, provider, tokens.RefreshToken, "refresh_token")
@@ -327,7 +327,7 @@ func TestOPStorage_RevokeToken_refresh_token_invalid_token_type_hint(t *testing.
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// revoke refresh token even with a wrong hint
 	err = rp.RevokeToken(CTX, provider, tokens.RefreshToken, "access_token")
@@ -362,7 +362,7 @@ func TestOPStorage_RevokeToken_invalid_client(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// simulate second client (not part of the audience) trying to revoke the token
 	otherClientID, _ := createClient(t)
@@ -394,7 +394,7 @@ func TestOPStorage_TerminateSession(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, false)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// userinfo must not fail
 	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
@@ -431,7 +431,7 @@ func TestOPStorage_TerminateSession_refresh_grant(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// userinfo must not fail
 	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
@@ -475,7 +475,7 @@ func TestOPStorage_TerminateSession_empty_id_token_hint(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, false)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	postLogoutRedirect, err := rp.EndSession(CTX, provider, "", logoutRedirectURI, "state")
 	require.NoError(t, err)
@@ -528,10 +528,18 @@ func assertTokens(t *testing.T, tokens *oidc.Tokens[*oidc.IDTokenClaims], requir
 	} else {
 		assert.Empty(t, tokens.RefreshToken)
 	}
+	// since we test implicit flow directly, we can check that any token response must not
+	// return a `state` in the response
+	assert.Empty(t, tokens.Extra("state"))
 }
 
-func assertIDTokenClaims(t *testing.T, claims *oidc.IDTokenClaims, userID string, arm []string, sessionStart, sessionChange time.Time) {
+func assertIDTokenClaims(t *testing.T, claims *oidc.IDTokenClaims, userID string, arm []string, sessionStart, sessionChange time.Time, sessionID string) {
 	assert.Equal(t, userID, claims.Subject)
 	assert.Equal(t, arm, claims.AuthenticationMethodsReferences)
 	assertOIDCTimeRange(t, claims.AuthTime, sessionStart, sessionChange)
+	assert.Equal(t, sessionID, claims.SessionID)
+	assert.Empty(t, claims.Name)
+	assert.Empty(t, claims.GivenName)
+	assert.Empty(t, claims.FamilyName)
+	assert.Empty(t, claims.PreferredUsername)
 }

internal/api/oidc/client_integration_test.go

@@ -122,7 +122,7 @@ func TestServer_Introspect(t *testing.T) {
 			tokens, err := exchangeTokens(t, app.GetClientId(), code, redirectURI)
 			require.NoError(t, err)
 			assertTokens(t, tokens, true)
-			assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+			assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 			// test actual introspection
 			introspection, err := rs.Introspect[*oidc.IntrospectionResponse](context.Background(), resourceServer, tokens.AccessToken)
@@ -317,7 +317,7 @@ func TestServer_VerifyClient(t *testing.T) {
 			}
 			require.NoError(t, err)
 			assertTokens(t, tokens, false)
-			assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+			assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 		})
 	}
 }

internal/api/oidc/introspect.go

@@ -11,6 +11,7 @@ import (
 	"github.com/zitadel/oidc/v3/pkg/op"
 
 	"github.com/zitadel/zitadel/internal/api/authz"
+	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/query"
 	"github.com/zitadel/zitadel/internal/telemetry/tracing"
 	"github.com/zitadel/zitadel/internal/zerrors"
@@ -80,7 +81,11 @@ func (s *Server) Introspect(ctx context.Context, r *op.Request[op.IntrospectionR
 	// with active: false
 	defer func() {
 		if err != nil {
-			s.getLogger(ctx).ErrorContext(ctx, "oidc introspection", "err", err)
+			if zerrors.IsInternal(err) {
+				s.getLogger(ctx).ErrorContext(ctx, "oidc introspection", "err", err)
+			} else {
+				s.getLogger(ctx).InfoContext(ctx, "oidc introspection", "err", err)
+			}
 			resp, err = op.NewResponse(new(oidc.IntrospectionResponse)), nil
 		}
 	}()
@@ -99,7 +104,14 @@ func (s *Server) Introspect(ctx context.Context, r *op.Request[op.IntrospectionR
 	if err = validateIntrospectionAudience(token.audience, client.clientID, client.projectID); err != nil {
 		return nil, err
 	}
-	userInfo, err := s.userInfo(ctx, token.userID, token.scope, client.projectID, client.projectRoleAssertion, true)
+	userInfo, err := s.userInfo(
+		token.userID,
+		token.scope,
+		client.projectID,
+		client.projectRoleAssertion,
+		true,
+		true,
+	)(ctx, true, domain.TriggerTypePreUserinfoCreation)
 	if err != nil {
 		return nil, err
 	}

internal/api/oidc/oidc_integration_test.go

@@ -18,6 +18,7 @@ import (
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/integration"
 	"github.com/zitadel/zitadel/pkg/grpc/auth"
+	mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2beta"
 	session "github.com/zitadel/zitadel/pkg/grpc/session/v2beta"
 	user "github.com/zitadel/zitadel/pkg/grpc/user/v2beta"
@@ -26,6 +27,7 @@ import (
 var (
 	CTX      context.Context
 	CTXLOGIN context.Context
+	CTXIAM   context.Context
 	Tester   *integration.Tester
 	User     *user.AddHumanUserResponse
 )
@@ -50,6 +52,7 @@ func TestMain(m *testing.M) {
 		Tester.SetUserPassword(CTX, User.GetUserId(), integration.UserPassword, false)
 		Tester.RegisterUserPasskey(CTX, User.GetUserId())
 		CTXLOGIN = Tester.WithAuthorization(ctx, integration.Login)
+		CTXIAM = Tester.WithAuthorization(ctx, integration.IAMOwner)
 		return m.Run()
 	}())
 }
@@ -74,7 +77,7 @@ func Test_ZITADEL_API_missing_audience_scope(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, false)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
 
@@ -117,10 +120,13 @@ func Test_ZITADEL_API_missing_authentication(t *testing.T) {
 	require.Nil(t, myUserResp)
 }
 
-func Test_ZITADEL_API_missing_mfa(t *testing.T) {
+func Test_ZITADEL_API_missing_mfa_policy(t *testing.T) {
 	clientID, _ := createClient(t)
+	org := Tester.CreateOrganization(CTXIAM, fmt.Sprintf("ZITADEL_API_MISSING_MFA_%d", time.Now().UnixNano()), fmt.Sprintf("%d@mouse.com", time.Now().UnixNano()))
+	userID := org.CreatedAdmins[0].GetUserId()
+	Tester.SetUserPassword(CTXIAM, userID, integration.UserPassword, false)
 	authRequestID := createAuthRequest(t, clientID, redirectURI, oidc.ScopeOpenID, zitadelAudienceScope)
-	sessionID, sessionToken, startTime, changeTime := Tester.CreatePasswordSession(t, CTX, User.GetUserId(), integration.UserPassword)
+	sessionID, sessionToken, startTime, changeTime := Tester.CreatePasswordSession(t, CTXLOGIN, userID, integration.UserPassword)
 	linkResp, err := Tester.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
 		AuthRequestId: authRequestID,
 		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
@@ -136,11 +142,36 @@ func Test_ZITADEL_API_missing_mfa(t *testing.T) {
 	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPassword, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, userID, armPassword, startTime, changeTime, sessionID)
 
 	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
 
+	// pre check if request would succeed
 	myUserResp, err := Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
+	require.NoError(t, err)
+	require.Equal(t, userID, myUserResp.GetUser().GetId())
+
+	// require MFA
+	ctxOrg := metadata.AppendToOutgoingContext(CTXIAM, "x-zitadel-orgid", org.GetOrganizationId())
+	_, err = Tester.Client.Mgmt.AddCustomLoginPolicy(ctxOrg, &mgmt.AddCustomLoginPolicyRequest{
+		ForceMfa: true,
+	})
+	require.NoError(t, err)
+
+	// make sure policy is projected
+	retryDuration := 5 * time.Second
+	if ctxDeadline, ok := CTX.Deadline(); ok {
+		retryDuration = time.Until(ctxDeadline)
+	}
+	require.EventuallyWithT(t, func(ttt *assert.CollectT) {
+		got, getErr := Tester.Client.Mgmt.GetLoginPolicy(ctxOrg, &mgmt.GetLoginPolicyRequest{})
+		assert.NoError(ttt, getErr)
+		assert.False(ttt, got.GetPolicy().IsDefault)
+
+	}, retryDuration, time.Millisecond*100, "timeout waiting for login policy")
+
+	// now it must fail
+	myUserResp, err = Tester.Client.Auth.GetMyUser(ctx, &auth.GetMyUserRequest{})
 	require.Error(t, err)
 	require.Nil(t, myUserResp)
 }
@@ -165,7 +196,7 @@ func Test_ZITADEL_API_success(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, false)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
 
@@ -199,7 +230,7 @@ func Test_ZITADEL_API_glob_redirects(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, false)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
 
@@ -228,7 +259,7 @@ func Test_ZITADEL_API_inactive_access_token(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// make sure token works
 	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
@@ -270,7 +301,7 @@ func Test_ZITADEL_API_terminated_session(t *testing.T) {
 	tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 	require.NoError(t, err)
 	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime)
+	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
 	// make sure token works
 	ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))
@@ -340,7 +371,7 @@ func Test_ZITADEL_API_terminated_session_user_disabled(t *testing.T) {
 			tokens, err := exchangeTokens(t, clientID, code, redirectURI)
 			require.NoError(t, err)
 			assertTokens(t, tokens, true)
-			assertIDTokenClaims(t, tokens.IDTokenClaims, disabledUser.GetUserId(), armPassword, startTime, changeTime)
+			assertIDTokenClaims(t, tokens.IDTokenClaims, disabledUser.GetUserId(), armPassword, startTime, changeTime, sessionID)
 
 			// make sure token works
 			ctx := metadata.AppendToOutgoingContext(context.Background(), "Authorization", fmt.Sprintf("%s %s", tokens.TokenType, tokens.AccessToken))

internal/api/oidc/token.go

@@ -29,8 +29,8 @@ In some cases step 1 till 3 are completely implemented in the command package,
 for example the v2 code exchange and refresh token.
 */
 
-func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.Client, session *command.OIDCSession, state, projectID string, projectRoleAssertion bool) (_ *oidc.AccessTokenResponse, err error) {
-	getUserInfo := s.getUserInfoOnce(session.UserID, projectID, projectRoleAssertion, session.Scope)
+func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.Client, session *command.OIDCSession, state, projectID string, projectRoleAssertion, accessTokenRoleAssertion, idTokenRoleAssertion, userInfoAssertion bool) (_ *oidc.AccessTokenResponse, err error) {
+	getUserInfo := s.getUserInfo(session.UserID, projectID, projectRoleAssertion, userInfoAssertion, session.Scope)
 	getSigner := s.getSignerOnce()
 
 	resp := &oidc.AccessTokenResponse{
@@ -43,7 +43,7 @@ func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.C
 	// If the session does not have a token ID, it is an implicit ID-Token only response.
 	if session.TokenID != "" {
 		if client.AccessTokenType() == op.AccessTokenTypeJWT {
-			resp.AccessToken, err = s.createJWT(ctx, client, session, getUserInfo, getSigner)
+			resp.AccessToken, err = s.createJWT(ctx, client, session, getUserInfo, accessTokenRoleAssertion, getSigner)
 		} else {
 			resp.AccessToken, err = op.CreateBearerToken(session.TokenID, session.UserID, s.opCrypto)
 		}
@@ -53,7 +53,7 @@ func (s *Server) accessTokenResponseFromSession(ctx context.Context, client op.C
 	}
 
 	if slices.Contains(session.Scope, oidc.ScopeOpenID) {
-		resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, getSigner, session.SessionID, resp.AccessToken, session.Audience, session.AuthMethods, session.AuthTime, session.Nonce, session.Actor)
+		resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, idTokenRoleAssertion, getSigner, session.SessionID, resp.AccessToken, session.Audience, session.AuthMethods, session.AuthTime, session.Nonce, session.Actor)
 	}
 	return resp, err
 }
@@ -92,31 +92,22 @@ func (s *Server) getSignerOnce() signerFunc {
 }
 
 // userInfoFunc is a getter function that allows add-hoc retrieval of a user.
-type userInfoFunc func(ctx context.Context) (*oidc.UserInfo, error)
+type userInfoFunc func(ctx context.Context, roleAssertion bool, triggerType domain.TriggerType) (*oidc.UserInfo, error)
 
-// getUserInfoOnce returns a function which retrieves userinfo from the database once.
-// Repeated calls of the returned function return the same results.
-func (s *Server) getUserInfoOnce(userID, projectID string, projectRoleAssertion bool, scope []string) userInfoFunc {
-	var (
-		once     sync.Once
-		userInfo *oidc.UserInfo
-		err      error
-	)
-	return func(ctx context.Context) (*oidc.UserInfo, error) {
-		once.Do(func() {
-			ctx, span := tracing.NewSpan(ctx)
-			defer func() { span.EndWithError(err) }()
-			userInfo, err = s.userInfo(ctx, userID, scope, projectID, projectRoleAssertion, false)
-		})
-		return userInfo, err
+// getUserInfo returns a function which retrieves userinfo from the database once.
+// However, each time, role claims are asserted and also action flows will trigger.
+func (s *Server) getUserInfo(userID, projectID string, projectRoleAssertion, userInfoAssertion bool, scope []string) userInfoFunc {
+	userInfo := s.userInfo(userID, scope, projectID, projectRoleAssertion, userInfoAssertion, false)
+	return func(ctx context.Context, roleAssertion bool, triggerType domain.TriggerType) (*oidc.UserInfo, error) {
+		return userInfo(ctx, roleAssertion, triggerType)
 	}
 }
 
-func (*Server) createIDToken(ctx context.Context, client op.Client, getUserInfo userInfoFunc, getSigningKey signerFunc, sessionID, accessToken string, audience []string, authMethods []domain.UserAuthMethodType, authTime time.Time, nonce string, actor *domain.TokenActor) (idToken string, exp uint64, err error) {
+func (*Server) createIDToken(ctx context.Context, client op.Client, getUserInfo userInfoFunc, roleAssertion bool, getSigningKey signerFunc, sessionID, accessToken string, audience []string, authMethods []domain.UserAuthMethodType, authTime time.Time, nonce string, actor *domain.TokenActor) (idToken string, exp uint64, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	userInfo, err := getUserInfo(ctx)
+	userInfo, err := getUserInfo(ctx, roleAssertion, domain.TriggerTypePreUserinfoCreation)
 	if err != nil {
 		return "", 0, err
 	}
@@ -156,11 +147,11 @@ func timeToOIDCExpiresIn(exp time.Time) uint64 {
 	return uint64(time.Until(exp) / time.Second)
 }
 
-func (*Server) createJWT(ctx context.Context, client op.Client, session *command.OIDCSession, getUserInfo userInfoFunc, getSigner signerFunc) (_ string, err error) {
+func (s *Server) createJWT(ctx context.Context, client op.Client, session *command.OIDCSession, getUserInfo userInfoFunc, assertRoles bool, getSigner signerFunc) (_ string, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
-	userInfo, err := getUserInfo(ctx)
+	userInfo, err := getUserInfo(ctx, assertRoles, domain.TriggerTypePreAccessTokenCreation)
 	if err != nil {
 		return "", err
 	}

internal/api/oidc/token_client_credentials.go

@@ -46,6 +46,9 @@ func (s *Server) ClientCredentialsExchange(ctx context.Context, r *op.ClientRequ
 		nil,
 		false,
 	)
+	if err != nil {
+		return nil, err
+	}
 
-	return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false))
+	return response(s.accessTokenResponseFromSession(ctx, client, session, "", "", false, true, false, false))
 }

internal/api/oidc/token_client_credentials_integration_test.go

@@ -4,6 +4,7 @@ package oidc_test
 
 import (
 	"testing"
+	"time"
 
 	"github.com/brianvoe/gofakeit/v6"
 	"github.com/stretchr/testify/assert"
@@ -18,10 +19,13 @@ import (
 )
 
 func TestServer_ClientCredentialsExchange(t *testing.T) {
-	userID, clientID, clientSecret, err := Tester.CreateOIDCCredentialsClient(CTX)
+	machine, name, clientID, clientSecret, err := Tester.CreateOIDCCredentialsClient(CTX)
 	require.NoError(t, err)
 
 	type claims struct {
+		name                       string
+		username                   string
+		updated                    time.Time
 		resourceOwnerID            any
 		resourceOwnerName          any
 		resourceOwnerPrimaryDomain any
@@ -78,6 +82,17 @@ func TestServer_ClientCredentialsExchange(t *testing.T) {
 			clientSecret: clientSecret,
 			scope:        []string{oidc.ScopeOpenID},
 		},
+		{
+			name:         "openid, profile, email",
+			clientID:     clientID,
+			clientSecret: clientSecret,
+			scope:        []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail},
+			wantClaims: claims{
+				name:     name,
+				username: name,
+				updated:  machine.GetDetails().GetChangeDate().AsTime(),
+			},
+		},
 		{
 			name:         "org id and domain scope",
 			clientID:     clientID,
@@ -132,12 +147,20 @@ func TestServer_ClientCredentialsExchange(t *testing.T) {
 			}
 			require.NoError(t, err)
 			require.NotNil(t, tokens)
-			userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, oidc.BearerToken, userID, provider)
+			userinfo, err := rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, oidc.BearerToken, machine.GetUserId(), provider)
 			require.NoError(t, err)
 			assert.Equal(t, tt.wantClaims.resourceOwnerID, userinfo.Claims[oidc_api.ClaimResourceOwnerID])
 			assert.Equal(t, tt.wantClaims.resourceOwnerName, userinfo.Claims[oidc_api.ClaimResourceOwnerName])
 			assert.Equal(t, tt.wantClaims.resourceOwnerPrimaryDomain, userinfo.Claims[oidc_api.ClaimResourceOwnerPrimaryDomain])
 			assert.Equal(t, tt.wantClaims.orgDomain, userinfo.Claims[domain.OrgDomainPrimaryClaim])
+			assert.Equal(t, tt.wantClaims.name, userinfo.Name)
+			assert.Equal(t, tt.wantClaims.username, userinfo.PreferredUsername)
+			assertOIDCTime(t, userinfo.UpdatedAt, tt.wantClaims.updated)
+			assert.Empty(t, userinfo.UserInfoProfile.FamilyName)
+			assert.Empty(t, userinfo.UserInfoProfile.GivenName)
+			assert.Empty(t, userinfo.UserInfoEmail)
+			assert.Empty(t, userinfo.UserInfoPhone)
+			assert.Empty(t, userinfo.Address)
 		})
 	}
 }

internal/api/oidc/token_code.go

@@ -34,41 +34,40 @@ func (s *Server) CodeExchange(ctx context.Context, r *op.ClientRequest[oidc.Acce
 
 	var (
 		session *command.OIDCSession
-		state   string
 	)
 	if strings.HasPrefix(plainCode, command.IDPrefixV2) {
-		session, state, err = s.command.CreateOIDCSessionFromAuthRequest(
+		session, _, err = s.command.CreateOIDCSessionFromAuthRequest(
 			setContextUserSystem(ctx),
 			plainCode,
 			codeExchangeComplianceChecker(client, r.Data),
 			slices.Contains(client.GrantTypes(), oidc.GrantTypeRefreshToken),
 		)
 	} else {
-		session, state, err = s.codeExchangeV1(ctx, client, r.Data, r.Data.Code)
+		session, err = s.codeExchangeV1(ctx, client, r.Data, r.Data.Code)
 	}
 	if err != nil {
 		return nil, err
 	}
-	return response(s.accessTokenResponseFromSession(ctx, client, session, state, client.client.ProjectID, client.client.ProjectRoleAssertion))
+	return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
 }
 
 // codeExchangeV1 creates a v2 token from a v1 auth request.
-func (s *Server) codeExchangeV1(ctx context.Context, client *Client, req *oidc.AccessTokenRequest, code string) (session *command.OIDCSession, state string, err error) {
+func (s *Server) codeExchangeV1(ctx context.Context, client *Client, req *oidc.AccessTokenRequest, code string) (session *command.OIDCSession, err error) {
 	ctx, span := tracing.NewSpan(ctx)
 	defer func() { span.EndWithError(err) }()
 
 	authReq, err := s.getAuthRequestV1ByCode(ctx, code)
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
 
 	if challenge := authReq.GetCodeChallenge(); challenge != nil || client.AuthMethod() == oidc.AuthMethodNone {
 		if err = op.AuthorizeCodeChallenge(req.CodeVerifier, challenge); err != nil {
-			return nil, "", err
+			return nil, err
 		}
 	}
 	if req.RedirectURI != authReq.GetRedirectURI() {
-		return nil, "", oidc.ErrInvalidGrant().WithDescription("redirect_uri does not correspond")
+		return nil, oidc.ErrInvalidGrant().WithDescription("redirect_uri does not correspond")
 	}
 
 	scope := authReq.GetScopes()
@@ -88,9 +87,9 @@ func (s *Server) codeExchangeV1(ctx context.Context, client *Client, req *oidc.A
 		slices.Contains(scope, oidc.ScopeOfflineAccess),
 	)
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
-	return session, authReq.TransferState, s.repo.DeleteAuthRequest(ctx, authReq.ID)
+	return session, s.repo.DeleteAuthRequest(ctx, authReq.ID)
 }
 
 // getAuthRequestV1ByCode finds the v1 auth request by code.

internal/api/oidc/token_device.go

@@ -26,7 +26,7 @@ func (s *Server) DeviceToken(ctx context.Context, r *op.ClientRequest[oidc.Devic
 	}
 	session, err := s.command.CreateOIDCSessionFromDeviceAuth(ctx, r.Data.DeviceCode)
 	if err == nil {
-		return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion))
+		return response(s.accessTokenResponseFromSession(ctx, client, session, "", client.client.ProjectID, client.client.ProjectRoleAssertion, client.client.AccessTokenRoleAssertion, client.client.IDTokenRoleAssertion, client.client.IDTokenUserinfoAssertion))
 	}
 	if errors.Is(err, context.DeadlineExceeded) {
 		return nil, oidc.ErrSlowDown().WithParent(err)

internal/api/oidc/token_exchange.go

@@ -176,7 +176,7 @@ func (s *Server) jwtProfileUserCheck(ctx context.Context, resourceOwner *string,
 }
 
 func validateTokenExchangeScopes(client *Client, requestedScopes, subjectScopes, actorScopes []string) ([]string, error) {
-	// Scope always has 1 empty string is the space delimited array was an empty string.
+	// Scope always has 1 empty string if the space delimited array was an empty string.
 	scopes := slices.DeleteFunc(requestedScopes, func(s string) bool {
 		return s == ""
 	})
@@ -218,7 +218,7 @@ func validateTokenExchangeAudience(requestedAudience, subjectAudience, actorAudi
 // Both tokens may point to the same object (subjectToken) in case of a regular Token Exchange.
 // When the subject and actor Tokens point to different objects, the new tokens will be for impersonation / delegation.
 func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenType, client *Client, subjectToken, actorToken *exchangeToken, audience, scopes []string) (_ *oidc.TokenExchangeResponse, err error) {
-	getUserInfo := s.getUserInfoOnce(subjectToken.userID, client.client.ProjectID, client.client.ProjectRoleAssertion, scopes)
+	getUserInfo := s.getUserInfo(subjectToken.userID, client.client.ProjectID, client.client.ProjectRoleAssertion, client.IDTokenUserinfoClaimsAssertion(), scopes)
 	getSigner := s.getSignerOnce()
 
 	resp := &oidc.TokenExchangeResponse{
@@ -240,12 +240,12 @@ func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenT
 		resp.IssuedTokenType = oidc.AccessTokenType
 
 	case oidc.JWTTokenType:
-		resp.AccessToken, resp.RefreshToken, resp.ExpiresIn, err = s.createExchangeJWT(ctx, client, getUserInfo, getSigner, subjectToken.userID, subjectToken.resourceOwner, audience, scopes, actorToken.authMethods, actorToken.authTime, subjectToken.preferredLanguage, reason, actor)
+		resp.AccessToken, resp.RefreshToken, resp.ExpiresIn, err = s.createExchangeJWT(ctx, client, getUserInfo, client.client.AccessTokenRoleAssertion, getSigner, subjectToken.userID, subjectToken.resourceOwner, audience, scopes, actorToken.authMethods, actorToken.authTime, subjectToken.preferredLanguage, reason, actor)
 		resp.TokenType = oidc.BearerToken
 		resp.IssuedTokenType = oidc.JWTTokenType
 
 	case oidc.IDTokenType:
-		resp.AccessToken, resp.ExpiresIn, err = s.createIDToken(ctx, client, getUserInfo, getSigner, "", resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor)
+		resp.AccessToken, resp.ExpiresIn, err = s.createIDToken(ctx, client, getUserInfo, client.client.IDTokenRoleAssertion, getSigner, "", resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor)
 		resp.TokenType = TokenTypeNA
 		resp.IssuedTokenType = oidc.IDTokenType
 
@@ -259,7 +259,7 @@ func (s *Server) createExchangeTokens(ctx context.Context, tokenType oidc.TokenT
 	}
 
 	if slices.Contains(scopes, oidc.ScopeOpenID) && tokenType != oidc.IDTokenType {
-		resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, getSigner, sessionID, resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor)
+		resp.IDToken, _, err = s.createIDToken(ctx, client, getUserInfo, client.client.IDTokenRoleAssertion, getSigner, sessionID, resp.AccessToken, audience, actorToken.authMethods, actorToken.authTime, "", actor)
 		if err != nil {
 			return nil, err
 		}
@@ -313,6 +313,7 @@ func (s *Server) createExchangeJWT(
 	ctx context.Context,
 	client *Client,
 	getUserInfo userInfoFunc,
+	roleAssertion bool,
 	getSigner signerFunc,
 	userID,
 	resourceOwner string,
@@ -342,7 +343,7 @@ func (s *Server) createExchangeJWT(
 		actor,
 		slices.Contains(scope, oidc.ScopeOfflineAccess),
 	)
-	accessToken, err = s.createJWT(ctx, client, session, getUserInfo, getSigner)
+	accessToken, err = s.createJWT(ctx, client, session, getUserInfo, roleAssertion, getSigner)
 	if err != nil {
 		return "", "", 0, err
 	}