syntax = "proto3"; import "google/api/annotations.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; import "google/protobuf/duration.proto"; import "protoc-gen-swagger/options/annotations.proto"; import "validate/validate.proto"; import "authoption/options.proto"; import "proto/message.proto"; package caos.zitadel.management.api.v1; option go_package = "github.com/caos/zitadel/pkg/grpc/management"; option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { info: { title: "Management API"; version: "0.1"; contact:{ url: "https://github.com/caos/zitadel/pkg/management" }; }; schemes: HTTPS; consumes: "application/json"; consumes: "application/grpc"; produces: "application/json"; produces: "application/grpc"; }; // All requests are based on your context if nothing other is specified // Requests which have /me in the url get the parameter from the context service ManagementService { //READINESS rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { get: "/healthz" }; } rpc GetZitadelDocs(google.protobuf.Empty) returns (ZitadelDocs) { option (google.api.http) = { get: "/zitadel/docs" }; } // GetIam returns some needed settings of the iam (Global Organisation ID, Zitadel Project ID) rpc GetIam(google.protobuf.Empty) returns (Iam) { option (google.api.http) = { get: "/iam" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc IsUserUnique(UniqueUserRequest) returns (UniqueUserResponse) { option (google.api.http) = { get: "/users/_isunique" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc GetUserByID(UserID) returns (UserView) { option (google.api.http) = { get: "/users/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } // GetUserByLoginNameGlobal returns User, global search is overall organisations rpc GetUserByLoginNameGlobal(LoginName) returns (UserView) { option (google.api.http) = { get: "/global/users/_byloginname" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.global.read" }; } // Limit should always be set, there is a default limit set by the service rpc SearchUsers(UserSearchRequest) returns (UserSearchResponse) { option (google.api.http) = { post: "/users/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc CreateUser(CreateUserRequest) returns (UserResponse) { option (google.api.http) = { post: "/users" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc DeactivateUser(UserID) returns (UserResponse) { option (google.api.http) = { put: "/users/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc ReactivateUser(UserID) returns (UserResponse) { option (google.api.http) = { put: "/users/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc LockUser(UserID) returns (UserResponse) { option (google.api.http) = { put: "/users/{id}/_lock" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc UnlockUser(UserID) returns (UserResponse) { option (google.api.http) = { put: "/users/{id}/_unlock" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc DeleteUser(UserID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.delete" }; } // UserChanges returns the event stream of the user object rpc UserChanges(ChangeRequest) returns (Changes) { option (google.api.http) = { get: "/users/{id}/changes" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc AddMachineKey(AddMachineKeyRequest) returns (AddMachineKeyResponse) { option (google.api.http) = { post: "/users/{user_id}/keys" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc DeleteMachineKey(MachineKeyIDRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/{user_id}/keys/{key_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc SearchMachineKeys(MachineKeySearchRequest) returns (MachineKeySearchResponse) { option (google.api.http) = { post: "/users/{user_id}/keys/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc GetMachineKey(MachineKeyIDRequest) returns (MachineKeyView) { option (google.api.http) = { get: "/users/{user_id}/keys/{key_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc GetUserProfile(UserID) returns (UserProfileView) { option (google.api.http) = { get: "/users/{id}/profile" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc UpdateUserProfile(UpdateUserProfileRequest) returns (UserProfile) { option (google.api.http) = { put: "/users/{id}/profile" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc GetUserEmail(UserID) returns (UserEmailView) { option (google.api.http) = { get: "/users/{id}/email" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc ChangeUserUserName(UpdateUserUserNameRequest) returns (google.protobuf.Empty) { option (google.api.http) = { get: "/users/{id}/username" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc ChangeUserEmail(UpdateUserEmailRequest) returns (UserEmail) { option (google.api.http) = { put: "/users/{id}/email" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc ResendEmailVerificationMail(UserID) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/{id}/email/_resendverification" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc GetUserPhone(UserID) returns (UserPhoneView) { option (google.api.http) = { get: "/users/{id}/phone" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc ChangeUserPhone(UpdateUserPhoneRequest) returns (UserPhone) { option (google.api.http) = { put: "/users/{id}/phone" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc RemoveUserPhone(UserID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/{id}/phone" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc ResendPhoneVerificationCode(UserID) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/{id}/phone/_resendverification" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc GetUserAddress(UserID) returns (UserAddressView) { option (google.api.http) = { get: "/users/{id}/address" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc UpdateUserAddress(UpdateUserAddressRequest) returns (UserAddress) { option (google.api.http) = { put: "/users/{id}/address" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc UpdateUserMachine(UpdateMachineRequest) returns (MachineResponse) { option (google.api.http) = { put: "/users/{id}/machine" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc SearchUserExternalIDPs(ExternalIDPSearchRequest) returns (ExternalIDPSearchResponse) { option (google.api.http) = { post: "/users/{user_id}/externalidps/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc RemoveExternalIDP(ExternalIDPRemoveRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/{user_id}/externalidps/{idp_config_id}/{external_user_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc GetUserMfas(UserID) returns (UserMultiFactors) { option (google.api.http) = { get: "/users/{id}/mfas" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.read" }; } rpc RemoveMfaOTP(UserID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/{id}/mfas/otp" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } // Sends an Notification (Email/SMS) with a password reset Link rpc SendSetPasswordNotification(SetPasswordNotificationRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/{id}/password/_sendsetnotification" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } // A Manager is only allowed to set an initial password, on the next login the user has to change his password rpc SetInitialPassword(PasswordRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/{id}/password/_initialize" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc ResendInitialMail(InitialMailRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/{id}/_resendinitialisation" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.write" }; } rpc SearchUserMemberships(UserMembershipSearchRequest) returns (UserMembershipSearchResponse) { option (google.api.http) = { post: "/users/{user_id}/memberships/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.membership.read" }; } rpc CreateOrg(OrgCreateRequest) returns (Org) { option (google.api.http) = { post: "/orgs" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.create" }; } // OrgChanges returns the event stream of the org object rpc OrgChanges(ChangeRequest) returns (Changes) { option (google.api.http) = { get: "/orgs/{id}/changes" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.read" }; } rpc GetMyOrg(google.protobuf.Empty) returns (OrgView) { option (google.api.http) = { get: "/orgs/me" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.read" }; } // search a organisation by its domain overall organisations rpc GetOrgByDomainGlobal(Domain) returns (OrgView) { option (google.api.http) = { get: "/global/orgs/_bydomain" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.global.read" }; } rpc DeactivateMyOrg(google.protobuf.Empty) returns (Org) { option (google.api.http) = { put: "/orgs/me/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc ReactivateMyOrg(google.protobuf.Empty) returns (Org) { option (google.api.http) = { put: "/orgs/me/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc SearchMyOrgDomains(OrgDomainSearchRequest) returns (OrgDomainSearchResponse) { option (google.api.http) = { post: "/orgs/me/domains/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.read" }; } rpc AddMyOrgDomain(AddOrgDomainRequest) returns (OrgDomain) { option (google.api.http) = { post: "/orgs/me/domains" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc GenerateMyOrgDomainValidation(OrgDomainValidationRequest) returns (OrgDomainValidationResponse) { option (google.api.http) = { post: "/orgs/me/domains/{domain}/validation/create" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc ValidateMyOrgDomain(ValidateOrgDomainRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/orgs/me/domains/{domain}/validation/check" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc SetMyPrimaryOrgDomain(PrimaryOrgDomainRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/orgs/me/domains/{domain}/_primary" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc RemoveMyOrgDomain(RemoveOrgDomainRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/domains/{domain}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.write" }; } rpc GetMyOrgIamPolicy(google.protobuf.Empty) returns (OrgIamPolicyView) { option (google.api.http) = { get: "/orgs/me/iampolicy" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetOrgMemberRoles(google.protobuf.Empty) returns (OrgMemberRoles) { option (google.api.http) = { get: "/orgs/members/roles" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.read" }; } rpc AddMyOrgMember(AddOrgMemberRequest) returns (OrgMember) { option (google.api.http) = { post: "/orgs/me/members" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.write" }; } rpc ChangeMyOrgMember(ChangeOrgMemberRequest) returns (OrgMember) { option (google.api.http) = { put: "/orgs/me/members/{user_id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.write" }; } rpc RemoveMyOrgMember(RemoveOrgMemberRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/members/{user_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.delete" }; } rpc SearchMyOrgMembers(OrgMemberSearchRequest) returns (OrgMemberSearchResponse) { option (google.api.http) = { post: "/orgs/me/members/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.member.read" }; } // ProjectChanges returns the event stream of the project object rpc ProjectChanges(ChangeRequest) returns (Changes) { option (google.api.http) = { get: "/projects/{id}/changes" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" }; } rpc SearchProjects(ProjectSearchRequest) returns (ProjectSearchResponse) { option (google.api.http) = { post: "/projects/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" }; } rpc ProjectByID(ProjectID) returns (ProjectView) { option (google.api.http) = { get: "/projects/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" check_field_name: "Id" }; } rpc CreateProject(ProjectCreateRequest) returns (Project) { option (google.api.http) = { post: "/projects" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.create" }; } rpc UpdateProject(ProjectUpdateRequest) returns (Project) { option (google.api.http) = { put: "/projects/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.write" check_field_name: "Id" }; } rpc DeactivateProject(ProjectID) returns (Project) { option (google.api.http) = { put: "/projects/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.write" check_field_name: "Id" }; } rpc ReactivateProject(ProjectID) returns (Project) { option (google.api.http) = { put: "/projects/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.write" check_field_name: "Id" }; } rpc RemoveProject(ProjectID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.delete" check_field_name: "Id" }; } // returns all projects my organisation got granted from another organisation rpc SearchGrantedProjects(GrantedProjectSearchRequest) returns (ProjectGrantSearchResponse) { option (google.api.http) = { post: "/grantedprojects/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" }; } // returns a project my organisation got granted from another organisation rpc GetGrantedProjectByID(ProjectGrantID) returns (ProjectGrantView) { option (google.api.http) = { get: "/grantedprojects/{project_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.read" }; } rpc GetProjectMemberRoles(google.protobuf.Empty) returns (ProjectMemberRoles) { option (google.api.http) = { get: "/projects/members/roles" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.read" }; } rpc SearchProjectMembers(ProjectMemberSearchRequest) returns (ProjectMemberSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/members/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.read" check_field_name: "ProjectId" }; } rpc AddProjectMember(ProjectMemberAdd) returns (ProjectMember) { option (google.api.http) = { post: "/projects/{id}/members" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.write" check_field_name: "Id" }; } rpc ChangeProjectMember(ProjectMemberChange) returns (ProjectMember) { option (google.api.http) = { put: "/projects/{id}/members/{user_id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.write" check_field_name: "Id" }; } rpc RemoveProjectMember(ProjectMemberRemove) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{id}/members/{user_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.member.delete" check_field_name: "Id" }; } rpc SearchProjectRoles(ProjectRoleSearchRequest) returns (ProjectRoleSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/roles/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.read" check_field_name: "ProjectId" }; } rpc AddProjectRole(ProjectRoleAdd) returns (ProjectRole) { option (google.api.http) = { post: "/projects/{id}/roles" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.write" check_field_name: "Id" }; } // add a list of project roles in one request rpc BulkAddProjectRole(ProjectRoleAddBulk) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/projects/{id}/roles/_bulk" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.write" check_field_name: "Id" }; } rpc ChangeProjectRole(ProjectRoleChange) returns (ProjectRole) { option (google.api.http) = { put: "/projects/{id}/roles/{key}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.write" check_field_name: "Id" }; } // RemoveProjectRole removes role from UserGrants, ProjectGrants and from Project rpc RemoveProjectRole(ProjectRoleRemove) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{id}/roles/{key}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.role.delete" check_field_name: "Id" }; } rpc SearchApplications(ApplicationSearchRequest) returns (ApplicationSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/applications/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.read" check_field_name: "ProjectId" }; } rpc ApplicationByID(ApplicationID) returns (ApplicationView) { option (google.api.http) = { get: "/projects/{project_id}/applications/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.read" check_field_name: "ProjectId" }; } // ApplicationChanges returns the event stream of the application object rpc ApplicationChanges(ChangeRequest) returns (Changes) { option (google.api.http) = { get: "/projects/{id}/applications/{sec_id}/changes" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.read" }; } rpc CreateOIDCApplication(OIDCApplicationCreate) returns (Application) { option (google.api.http) = { post: "/projects/{project_id}/applications/oidc" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc UpdateApplication(ApplicationUpdate) returns (Application) { option (google.api.http) = { put: "/projects/{project_id}/applications/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc DeactivateApplication(ApplicationID) returns (Application) { option (google.api.http) = { put: "/projects/{project_id}/applications/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc ReactivateApplication(ApplicationID) returns (Application) { option (google.api.http) = { put: "/projects/{project_id}/applications/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc RemoveApplication(ApplicationID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{project_id}/applications/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.delete" check_field_name: "ProjectId" }; } rpc UpdateApplicationOIDCConfig(OIDCConfigUpdate) returns (OIDCConfig) { option (google.api.http) = { put: "/projects/{project_id}/applications/{application_id}/oidcconfig" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc RegenerateOIDCClientSecret(ApplicationID) returns (ClientSecret) { option (google.api.http) = { put: "/projects/{project_id}/applications/{id}/oidcconfig/_changeclientsecret" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.app.write" check_field_name: "ProjectId" }; } rpc SearchProjectGrants(ProjectGrantSearchRequest) returns (ProjectGrantSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/grants/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.read" check_field_name: "ProjectId" }; } rpc ProjectGrantByID(ProjectGrantID) returns (ProjectGrantView) { option (google.api.http) = { get: "/projects/{project_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.read" }; } rpc CreateProjectGrant(ProjectGrantCreate) returns (ProjectGrant) { option (google.api.http) = { post: "/projects/{project_id}/grants" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.write" }; } rpc UpdateProjectGrant(ProjectGrantUpdate) returns (ProjectGrant) { option (google.api.http) = { put: "/projects/{project_id}/grants/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.write" }; } rpc DeactivateProjectGrant(ProjectGrantID) returns (ProjectGrant) { option (google.api.http) = { put: "/projects/{project_id}/grants/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.write" }; } rpc ReactivateProjectGrant(ProjectGrantID) returns (ProjectGrant) { option (google.api.http) = { put: "/projects/{project_id}/grants/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.write" }; } // RemoveProjectGrant removes project grant and all user grants for this project grant rpc RemoveProjectGrant(ProjectGrantID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{project_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.delete" }; } rpc GetProjectGrantMemberRoles(google.protobuf.Empty) returns (ProjectGrantMemberRoles) { option (google.api.http) = { get: "/projects/grants/members/roles" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.read" }; } rpc SearchProjectGrantMembers(ProjectGrantMemberSearchRequest) returns (ProjectGrantMemberSearchResponse) { option (google.api.http) = { post: "/projects/{project_id}/grants/{grant_id}/members/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.read" }; } rpc AddProjectGrantMember(ProjectGrantMemberAdd) returns (ProjectGrantMember) { option (google.api.http) = { post: "/projects/{project_id}/grants/{grant_id}/members" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.write" }; } rpc ChangeProjectGrantMember(ProjectGrantMemberChange) returns (ProjectGrantMember) { option (google.api.http) = { put: "/projects/{project_id}/grants/{grant_id}/members/{user_id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.write" }; } rpc RemoveProjectGrantMember(ProjectGrantMemberRemove) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/projects/{project_id}/grants/{grant_id}/members/{user_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "project.grant.member.delete" }; } rpc SearchUserGrants(UserGrantSearchRequest) returns (UserGrantSearchResponse) { option (google.api.http) = { post: "/users/grants/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.read" }; } rpc UserGrantByID(UserGrantID) returns (UserGrantView) { option (google.api.http) = { get: "/users/{user_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.read" }; } rpc CreateUserGrant(UserGrantCreate) returns (UserGrant) { option (google.api.http) = { post: "/users/{user_id}/grants" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.write" }; } rpc UpdateUserGrant(UserGrantUpdate) returns (UserGrant) { option (google.api.http) = { put: "/users/{user_id}/grants/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.write" }; } rpc DeactivateUserGrant(UserGrantID) returns (UserGrant) { option (google.api.http) = { put: "/users/{user_id}/grants/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.write" }; } rpc ReactivateUserGrant(UserGrantID) returns (UserGrant) { option (google.api.http) = { put: "/users/{user_id}/grants/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.write" }; } rpc RemoveUserGrant(UserGrantID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/{user_id}/grants/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.delete" }; } // remove a list of user grants in one request rpc BulkRemoveUserGrant(UserGrantRemoveBulk) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/usersgrants/_bulk" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "user.grant.delete" }; } rpc IdpByID(IdpID) returns (IdpView) { option (google.api.http) = { get: "/orgs/me/idps/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.idp.read" }; } rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) { option (google.api.http) = { post: "/orgs/me/idps/oidc" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.idp.write" }; } rpc UpdateIdpConfig(IdpUpdate) returns (Idp) { option (google.api.http) = { put: "/orgs/me/idps/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.idp.write" }; } rpc DeactivateIdpConfig(IdpID) returns (Idp) { option (google.api.http) = { put: "/orgs/me/idps/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.idp.write" }; } rpc ReactivateIdpConfig(IdpID) returns (Idp) { option (google.api.http) = { put: "/orgs/me/idps/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.idp.write" }; } rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/idps/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.idp.write" }; } rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) { option (google.api.http) = { put: "/orgs/me/idps/{idp_id}/oidcconfig" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.idp.write" }; } rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) { option (google.api.http) = { post: "/orgs/me/idps/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "org.idp.read" }; } rpc GetLoginPolicy(google.protobuf.Empty) returns (LoginPolicyView) { option (google.api.http) = { get: "/orgs/me/policies/login" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc GetDefaultLoginPolicy(google.protobuf.Empty) returns (LoginPolicyView) { option (google.api.http) = { get: "/orgs/default/policies/login" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc CreateLoginPolicy(LoginPolicyRequest) returns (LoginPolicy) { option (google.api.http) = { post: "/orgs/me/policies/login" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc UpdateLoginPolicy(LoginPolicyRequest) returns (LoginPolicy) { option (google.api.http) = { put: "/orgs/me/policies/login" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc RemoveLoginPolicy(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/policies/login" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.delete" }; } rpc GetLoginPolicyIdpProviders(IdpProviderSearchRequest) returns (IdpProviderSearchResponse) { option (google.api.http) = { post: "/orgs/me/policies/login/idpproviders/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc AddIdpProviderToLoginPolicy(IdpProviderAdd) returns (IdpProvider) { option (google.api.http) = { post: "/orgs/me/policies/login/idpproviders" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc RemoveIdpProviderFromLoginPolicy(IdpProviderID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/policies/login/idpproviders/{idp_config_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc GetLoginPolicySecondFactors(google.protobuf.Empty) returns (SecondFactorsResult) { option (google.api.http) = { get: "/orgs/me/policies/login/secondfactors/_search" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.read" }; } rpc AddSecondFactorToLoginPolicy(SecondFactor) returns (SecondFactor) { option (google.api.http) = { post: "/orgs/me/policies/login/secondfactors" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.write" }; } rpc RemoveSecondFactorFromLoginPolicy(SecondFactor) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/policies/login/secondfactors/{second_factor}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.write" }; } rpc GetLoginPolicyMultiFactors(google.protobuf.Empty) returns (MultiFactorsResult) { option (google.api.http) = { get: "/orgs/me/policies/login/multifactors/_search" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.read" }; } rpc AddMultiFactorToLoginPolicy(MultiFactor) returns (MultiFactor) { option (google.api.http) = { post: "/orgs/me/policies/login/multifactors" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.write" }; } rpc RemoveMultiFactorFromLoginPolicy(MultiFactor) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/policies/login/multifactors/{multi_factor}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.write" }; } rpc GetPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) { option (google.api.http) = { get: "/orgs/me/policies/password/complexity" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc GetDefaultPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicyView) { option (google.api.http) = { get: "/orgs/default/policies/password/complexity" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc CreatePasswordComplexityPolicy(PasswordComplexityPolicyRequest) returns (PasswordComplexityPolicy) { option (google.api.http) = { post: "/orgs/me/policies/password/complexity" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc UpdatePasswordComplexityPolicy(PasswordComplexityPolicyRequest) returns (PasswordComplexityPolicy) { option (google.api.http) = { put: "/orgs/me/policies/password/complexity" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc RemovePasswordComplexityPolicy(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/policies/password/complexity" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.delete" }; } rpc GetPasswordAgePolicy(google.protobuf.Empty) returns (PasswordAgePolicyView) { option (google.api.http) = { get: "/orgs/me/policies/password/age" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc GetDefaultPasswordAgePolicy(google.protobuf.Empty) returns (PasswordAgePolicyView) { option (google.api.http) = { get: "/orgs/default/policies/password/age" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc CreatePasswordAgePolicy(PasswordAgePolicyRequest) returns (PasswordAgePolicy) { option (google.api.http) = { post: "/orgs/me/policies/password/age" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc UpdatePasswordAgePolicy(PasswordAgePolicyRequest) returns (PasswordAgePolicy) { option (google.api.http) = { put: "/orgs/me/policies/password/age" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc RemovePasswordAgePolicy(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/policies/password/age" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.delete" }; } rpc GetPasswordLockoutPolicy(google.protobuf.Empty) returns (PasswordLockoutPolicyView) { option (google.api.http) = { get: "/orgs/me/policies/password/lockout" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc GetDefaultPasswordLockoutPolicy(google.protobuf.Empty) returns (PasswordLockoutPolicyView) { option (google.api.http) = { get: "/orgs/default/policies/password/lockout" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.read" }; } rpc CreatePasswordLockoutPolicy(PasswordLockoutPolicyRequest) returns (PasswordLockoutPolicy) { option (google.api.http) = { post: "/orgs/me/policies/password/lockout" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc UpdatePasswordLockoutPolicy(PasswordLockoutPolicyRequest) returns (PasswordLockoutPolicy) { option (google.api.http) = { put: "/orgs/me/policies/password/lockout" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.write" }; } rpc RemovePasswordLockoutPolicy(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/me/policies/password/lockout" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "policy.delete" }; } } message ZitadelDocs { string issuer = 1; string discovery_endpoint = 2; } message Iam { string global_org_id = 1; string iam_project_id = 2; IamSetupStep set_up_done = 3; IamSetupStep set_up_started = 4; } enum IamSetupStep { iam_setup_step_UNDEFINED = 0; iam_setup_step_1 = 1; iam_setup_step_2 = 2; } message ChangeRequest { string id = 1; string sec_id = 2; uint64 limit = 3; uint64 sequence_offset = 4; bool asc = 5; } message Changes { repeated Change changes = 1; uint64 offset = 2; uint64 limit = 3; } message Change { google.protobuf.Timestamp change_date = 1; caos.zitadel.api.v1.LocalizedMessage event_type = 2; uint64 sequence = 3; string editor_id = 4; string editor = 5; google.protobuf.Struct data = 6; } message ApplicationID { string id = 1 [(validate.rules).string.min_len = 1]; string project_id = 2 [(validate.rules).string.min_len = 1]; } message ProjectID { string id = 1 [(validate.rules).string.min_len = 1]; } message UserID { string id = 1 [(validate.rules).string.min_len = 1]; } message LoginName { string login_name = 1 [(validate.rules).string.min_len = 1]; } message UniqueUserRequest { string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; string email = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message UniqueUserResponse { bool is_unique = 1; } message CreateUserRequest { string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; oneof user { option (validate.required) = true; CreateHumanRequest human = 2; CreateMachineRequest machine = 3; } } message CreateHumanRequest { string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string nick_name = 3 [(validate.rules).string = {max_len: 200}]; string preferred_language = 4 [(validate.rules).string = {max_len: 200}]; Gender gender = 5; string email = 6 [(validate.rules).string = {min_len: 1, max_len: 200, email: true}]; bool is_email_verified = 7; string phone = 8 [(validate.rules).string = {max_len: 20}]; bool is_phone_verified = 9; string country = 10 [(validate.rules).string = {max_len: 200}]; string locality = 11 [(validate.rules).string = {max_len: 200}]; string postal_code = 12 [(validate.rules).string = {max_len: 200}]; string region = 13 [(validate.rules).string = {max_len: 200}]; string street_address = 14 [(validate.rules).string = {max_len: 200}]; string password = 15 [(validate.rules).string = {max_len: 72}]; } message CreateMachineRequest { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string description = 2 [(validate.rules).string.max_len = 500]; } message UserResponse { string id = 1; UserState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; uint64 sequence = 5; string user_name = 6; oneof user { option (validate.required) = true; HumanResponse human = 7; MachineResponse machine = 8; } } enum UserState { USERSTATE_UNSPECIFIED = 0; USERSTATE_ACTIVE = 1; USERSTATE_INACTIVE = 2; USERSTATE_DELETED = 3; USERSTATE_LOCKED = 4; USERSTATE_SUSPEND = 5; USERSTATE_INITIAL = 6; } enum Gender { GENDER_UNSPECIFIED = 0; GENDER_FEMALE = 1; GENDER_MALE = 2; GENDER_DIVERSE = 3; } message UserView { string id = 1; UserState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; uint64 sequence = 5; repeated string login_names = 6; string preferred_login_name = 7; google.protobuf.Timestamp last_login = 8; string resource_owner = 9; string user_name = 10; oneof user { option (validate.required) = true; HumanView human = 11; MachineView machine = 12; } } message HumanResponse { string first_name = 1; string last_name = 2; string display_name = 3; string nick_name = 4; string preferred_language = 5; Gender gender = 6; string email = 7; bool is_email_verified = 8; string phone = 9; bool is_phone_verified = 10; string country = 11; string locality = 12; string postal_code = 13; string region = 14; string street_address = 15; } message HumanView { google.protobuf.Timestamp password_changed = 1; string first_name = 2; string last_name = 3; string display_name = 4; string nick_name = 5; string preferred_language = 6; Gender gender = 7; string email = 8; bool is_email_verified = 9; string phone = 10; bool is_phone_verified = 11; string country = 12; string locality = 13; string postal_code = 14; string region = 15; string street_address = 16; } message MachineResponse { string name = 1; string description = 2; } message MachineView { google.protobuf.Timestamp last_key_added = 1; string name = 2; string description = 3; } message UpdateMachineRequest { string id = 1 [(validate.rules).string.min_len = 1]; string description = 2 [(validate.rules).string.max_len = 500]; } message AddMachineKeyRequest { string user_id = 1 [(validate.rules).string.min_len = 1]; MachineKeyType type = 2 [(validate.rules).enum = {not_in: [0]}]; google.protobuf.Timestamp expiration_date = 3; } message AddMachineKeyResponse { string id = 1; google.protobuf.Timestamp creation_date = 2; uint64 sequence = 3; MachineKeyType type = 4; google.protobuf.Timestamp expiration_date = 5; bytes key_details = 6; } message MachineKeyIDRequest { string user_id = 1 [(validate.rules).string.min_len = 1]; string key_id = 2 [(validate.rules).string.min_len = 1]; } message MachineKeyView { string id = 1; MachineKeyType type = 2; uint64 sequence = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp expiration_date = 5; } enum MachineKeyType { MACHINEKEY_UNSPECIFIED = 0; MACHINEKEY_JSON = 1; } message MachineKeySearchRequest { uint64 offset = 1; uint64 limit = 2; bool asc = 3; string user_id = 4 [(validate.rules).string.min_len = 1]; } message MachineKeySearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated MachineKeyView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message UserSearchRequest { uint64 offset = 1; uint64 limit = 2; UserSearchKey sorting_column = 3; bool asc = 4; repeated UserSearchQuery queries = 5; } message UserSearchQuery { UserSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum UserSearchKey { USERSEARCHKEY_UNSPECIFIED = 0; USERSEARCHKEY_USER_NAME = 1; USERSEARCHKEY_FIRST_NAME = 2; USERSEARCHKEY_LAST_NAME = 3; USERSEARCHKEY_NICK_NAME = 4; USERSEARCHKEY_DISPLAY_NAME = 5; USERSEARCHKEY_EMAIL = 6; USERSEARCHKEY_STATE = 7; USERSEARCHKEY_TYPE = 8; } message UserSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated UserView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } enum SearchMethod { SEARCHMETHOD_EQUALS = 0; SEARCHMETHOD_STARTS_WITH = 1; SEARCHMETHOD_CONTAINS = 2; SEARCHMETHOD_EQUALS_IGNORE_CASE = 3; SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4; SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5; SEARCHMETHOD_NOT_EQUALS = 6; SEARCHMETHOD_GREATER_THAN = 7; SEARCHMETHOD_LESS_THAN = 8; SEARCHMETHOD_IS_ONE_OF = 9; SEARCHMETHOD_LIST_CONTAINS = 10; } message UserProfile { string id = 1; string first_name = 2; string last_name = 3; string nick_name = 4; string display_name = 5; string preferred_language = 6; Gender gender = 7; uint64 sequence = 8; google.protobuf.Timestamp creation_date = 9; google.protobuf.Timestamp change_date = 10; } message UserProfileView { string id = 1; string first_name = 2; string last_name = 3; string nick_name = 4; string display_name = 5; string preferred_language = 6; Gender gender = 7; uint64 sequence = 8; google.protobuf.Timestamp creation_date = 9; google.protobuf.Timestamp change_date = 10; repeated string login_names = 11; string preferred_login_name = 12; } message UpdateUserProfileRequest { string id = 1; string first_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string last_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string nick_name = 4 [(validate.rules).string = {max_len: 200}]; string preferred_language = 5 [(validate.rules).string = {max_len: 200}]; Gender gender = 6; } message UpdateUserUserNameRequest { string id = 1; string user_name = 2 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; } message UserEmail { string id = 1; string email = 2; bool is_email_verified = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; } message UserEmailView { string id = 1; string email = 2; bool is_email_verified = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; } message UpdateUserEmailRequest { string id = 1; string email = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; bool is_email_verified = 3; } message UserPhone { string id = 1; string phone = 2; bool is_phone_verified = 3; uint64 sequence = 5; google.protobuf.Timestamp creation_date = 6; google.protobuf.Timestamp change_date = 7; } message UserPhoneView { string id = 1; string phone = 2; bool is_phone_verified = 3; uint64 sequence = 5; google.protobuf.Timestamp creation_date = 6; google.protobuf.Timestamp change_date = 7; } message UpdateUserPhoneRequest { string id = 1 [(validate.rules).string.min_len = 1]; string phone = 2 [(validate.rules).string = {min_len: 1, max_len: 20}]; bool is_phone_verified = 3; } message UserAddress { string id = 1; string country = 2; string locality = 3; string postal_code = 4; string region = 5; string street_address = 6; uint64 sequence = 7; google.protobuf.Timestamp creation_date = 8; google.protobuf.Timestamp change_date = 9; } message UserAddressView { string id = 1; string country = 2; string locality = 3; string postal_code = 4; string region = 5; string street_address = 6; uint64 sequence = 7; google.protobuf.Timestamp creation_date = 8; google.protobuf.Timestamp change_date = 9; } message UpdateUserAddressRequest { string id = 1 [(validate.rules).string.min_len = 1]; string country = 2 [(validate.rules).string = {max_len: 200}]; string locality = 3 [(validate.rules).string = {max_len: 200}]; string postal_code = 4 [(validate.rules).string = {max_len: 200}]; string region = 5 [(validate.rules).string = {max_len: 200}]; string street_address = 6 [(validate.rules).string = {max_len: 200}]; } message UserMultiFactors { repeated UserMultiFactor mfas = 1; } message UserMultiFactor { MfaType type = 1; MFAState state = 2; } enum MfaType { MFATYPE_UNSPECIFIED = 0; MFATYPE_SMS = 1; MFATYPE_OTP = 2; } enum MFAState { MFASTATE_UNSPECIFIED = 0; MFASTATE_NOT_READY = 1; MFASTATE_READY = 2; MFASTATE_REMOVED = 3; } message PasswordRequest { string id = 1 [(validate.rules).string.min_len = 1]; string password = 2 [(validate.rules).string = {min_len: 1, max_len: 72}]; } message SetPasswordNotificationRequest { string id = 1 [(validate.rules).string.min_len = 1]; NotificationType type = 2; } enum NotificationType { NOTIFICATIONTYPE_EMAIL = 0; NOTIFICATIONTYPE_SMS = 1; } message InitialMailRequest { string id = 1 [(validate.rules).string.min_len = 1]; string email = 2; } enum PolicyState { POLICYSTATE_UNSPECIFIED = 0; POLICYSTATE_ACTIVE = 1; POLICYSTATE_INACTIVE = 2; POLICYSTATE_DELETED = 3; } message OrgIamPolicyView { bool user_login_must_be_domain = 1; bool default = 2; } message OrgCreateRequest { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message Org { string id = 1; OrgState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; uint64 sequence = 6; } message OrgView { string id = 1; OrgState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; uint64 sequence = 6; } enum OrgState { ORGSTATE_UNSPECIFIED = 0; ORGSTATE_ACTIVE = 1; ORGSTATE_INACTIVE = 2; } message Domain { string domain = 1 [(validate.rules).string = {min_len: 1}]; } message OrgDomain { string org_id = 1; google.protobuf.Timestamp creation_date = 2; google.protobuf.Timestamp change_date = 3; string domain = 4; bool verified = 5; bool primary = 6; uint64 sequence = 7; } message OrgDomainView { string org_id = 1; google.protobuf.Timestamp creation_date = 2; google.protobuf.Timestamp change_date = 3; string domain = 4; bool verified = 5; bool primary = 6; uint64 sequence = 7; OrgDomainValidationType validation_type = 8; } message AddOrgDomainRequest { string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message OrgDomainValidationRequest { string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; OrgDomainValidationType type = 2 [(validate.rules).enum = {not_in: [0]}]; } enum OrgDomainValidationType { ORGDOMAINVALIDATIONTYPE_UNSPECIFIED = 0; ORGDOMAINVALIDATIONTYPE_HTTP = 1; ORGDOMAINVALIDATIONTYPE_DNS = 2; } message OrgDomainValidationResponse { string token = 1; string url = 2; } message ValidateOrgDomainRequest { string domain = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message PrimaryOrgDomainRequest { string domain = 1 [(validate.rules).string = {min_len: 1}]; } message RemoveOrgDomainRequest { string domain = 1 [(validate.rules).string = {min_len: 1}]; } message OrgDomainSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated OrgDomainView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message OrgDomainSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated OrgDomainSearchQuery queries = 3; } message OrgDomainSearchQuery { OrgDomainSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum OrgDomainSearchKey { ORGDOMAINSEARCHKEY_UNSPECIFIED = 0; ORGDOMAINSEARCHKEY_DOMAIN = 1; } message OrgMemberRoles { repeated string roles = 1; } message OrgMember { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; } message AddOrgMemberRequest { string user_id = 1 [(validate.rules).string = {min_len: 1}]; repeated string roles = 2; } message ChangeOrgMemberRequest { string user_id = 1 [(validate.rules).string = {min_len: 1}]; repeated string roles = 2; } message RemoveOrgMemberRequest { string user_id = 1 [(validate.rules).string = {min_len: 1}]; } message OrgMemberSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated OrgMemberView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message OrgMemberView { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; string user_name = 6; string email = 7; string first_name = 8; string last_name = 9; string display_name = 10; } message OrgMemberSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated OrgMemberSearchQuery queries = 3; } message OrgMemberSearchQuery { OrgMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum OrgMemberSearchKey { ORGMEMBERSEARCHKEY_UNSPECIFIED = 0; ORGMEMBERSEARCHKEY_FIRST_NAME = 1; ORGMEMBERSEARCHKEY_LAST_NAME = 2; ORGMEMBERSEARCHKEY_EMAIL = 3; ORGMEMBERSEARCHKEY_USER_ID = 4; } message ProjectCreateRequest { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; bool project_role_assertion = 2; bool project_role_check = 3; } message ProjectUpdateRequest { string id = 1 [(validate.rules).string = {min_len: 1}]; string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; bool project_role_assertion = 3; bool project_role_check = 4; } message ProjectSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ProjectView { string project_id = 1; string name = 2; ProjectState state = 3; google.protobuf.Timestamp change_date = 4; google.protobuf.Timestamp creation_date = 5; string resource_owner = 6; uint64 sequence = 7; bool project_role_assertion = 8; bool project_role_check = 9; } message ProjectSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated ProjectSearchQuery queries = 3; } message ProjectSearchQuery { ProjectSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectSearchKey { PROJECTSEARCHKEY_UNSPECIFIED = 0; PROJECTSEARCHKEY_PROJECT_NAME = 1; } message Projects { repeated Project projects = 1; } message Project { string id = 1; string name = 2; ProjectState state = 3; google.protobuf.Timestamp change_date = 4; google.protobuf.Timestamp creation_date = 5; uint64 sequence = 6; bool project_role_assertion = 7; bool project_role_check = 8; } enum ProjectState { PROJECTSTATE_UNSPECIFIED = 0; PROJECTSTATE_ACTIVE = 1; PROJECTSTATE_INACTIVE = 2; } message ProjectMemberRoles { repeated string roles = 1; } message ProjectMember { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; } message ProjectMemberAdd { string id = 1 [(validate.rules).string = {min_len: 1}]; string user_id = 2 [(validate.rules).string = {min_len: 1}]; repeated string roles = 3; } message ProjectMemberChange { string id = 1 [(validate.rules).string = {min_len: 1}]; string user_id = 2 [(validate.rules).string = {min_len: 1}]; repeated string roles = 3; } message ProjectMemberRemove { string id = 1 [(validate.rules).string = {min_len: 1}]; string user_id = 2 [(validate.rules).string = {min_len: 1}]; } message ProjectRoleAdd { string id = 1 [(validate.rules).string = {min_len: 1}]; string key = 2; string display_name = 3; string group = 4; } message ProjectRoleAddBulk { string id = 1 [(validate.rules).string = {min_len: 1}]; repeated ProjectRoleAdd project_roles = 2; } message ProjectRoleChange { string id = 1 [(validate.rules).string = {min_len: 1}]; string key = 2 [(validate.rules).string = {min_len: 1}]; string display_name = 3; string group = 4; } message ProjectRole { string project_id = 1; string key = 2; string display_name = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp change_date = 5; string group = 6; uint64 sequence = 7; } message ProjectRoleView { string project_id = 1; string key = 2; string display_name = 3; google.protobuf.Timestamp creation_date = 4; string group = 6; uint64 sequence = 7; } message ProjectRoleRemove { string id = 1 [(validate.rules).string = {min_len: 1}]; string key = 2 [(validate.rules).string = {min_len: 1}]; } message ProjectRoleSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectRoleView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ProjectRoleSearchRequest { string project_id = 1 [(validate.rules).string = {min_len: 1}]; uint64 offset = 2; uint64 limit = 3; repeated ProjectRoleSearchQuery queries = 4; } message ProjectRoleSearchQuery { ProjectRoleSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectRoleSearchKey { PROJECTROLESEARCHKEY_UNSPECIFIED = 0; PROJECTROLESEARCHKEY_KEY = 1; PROJECTROLESEARCHKEY_DISPLAY_NAME = 2; } message ProjectMemberView { string user_id = 1; string user_name = 2; string email = 3; string first_name = 4; string last_name = 5; repeated string roles = 6; google.protobuf.Timestamp change_date = 7; google.protobuf.Timestamp creation_date = 8; uint64 sequence = 10; string display_name = 11; } message ProjectMemberSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectMemberView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ProjectMemberSearchRequest { string project_id = 1 [(validate.rules).string = {min_len: 1}]; uint64 offset = 2; uint64 limit = 3; repeated ProjectMemberSearchQuery queries = 4; } message ProjectMemberSearchQuery { ProjectMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectMemberSearchKey { PROJECTMEMBERSEARCHKEY_UNSPECIFIED = 0; PROJECTMEMBERSEARCHKEY_FIRST_NAME = 1; PROJECTMEMBERSEARCHKEY_LAST_NAME = 2; PROJECTMEMBERSEARCHKEY_EMAIL = 3; PROJECTMEMBERSEARCHKEY_USER_ID = 4; PROJECTMEMBERSEARCHKEY_USER_NAME = 5; } enum AppState { APPSTATE_UNSPECIFIED = 0; APPSTATE_ACTIVE = 1; APPSTATE_INACTIVE = 2; } message Application { string id = 1; AppState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; oneof app_config { OIDCConfig oidc_config = 8; } uint64 sequence = 9; } message ApplicationUpdate { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string id = 2 [(validate.rules).string = {min_len: 1}]; string name = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message OIDCConfig { repeated string redirect_uris = 1; repeated OIDCResponseType response_types = 2; repeated OIDCGrantType grant_types = 3; OIDCApplicationType application_type = 4; string client_id = 5; string client_secret = 6; OIDCAuthMethodType auth_method_type = 7; repeated string post_logout_redirect_uris = 8; OIDCVersion version = 9; bool none_compliant = 10; repeated caos.zitadel.api.v1.LocalizedMessage compliance_problems = 11; bool dev_mode = 12; OIDCTokenType access_token_type = 13; bool access_token_role_assertion = 14; bool id_token_role_assertion = 15; bool id_token_userinfo_assertion = 16; google.protobuf.Duration clock_skew = 17; } message OIDCApplicationCreate { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; repeated string redirect_uris = 3; repeated OIDCResponseType response_types = 4; repeated OIDCGrantType grant_types = 5; OIDCApplicationType application_type = 6; OIDCAuthMethodType auth_method_type = 7; repeated string post_logout_redirect_uris = 8; OIDCVersion version = 9; bool dev_mode = 10; OIDCTokenType access_token_type = 11; bool access_token_role_assertion = 12; bool id_token_role_assertion = 13; bool id_token_userinfo_assertion = 14; google.protobuf.Duration clock_skew = 15 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}]; } enum OIDCVersion { OIDCV1_0 = 0; } enum OIDCTokenType { OIDCTokenType_Bearer = 0; OIDCTokenType_JWT = 1; } message OIDCConfigUpdate { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string application_id = 2 [(validate.rules).string = {min_len: 1}]; repeated string redirect_uris = 3; repeated OIDCResponseType response_types = 4; repeated OIDCGrantType grant_types = 5; OIDCApplicationType application_type = 6; OIDCAuthMethodType auth_method_type = 7; repeated string post_logout_redirect_uris = 8; bool dev_mode = 9; OIDCTokenType access_token_type = 10; bool access_token_role_assertion = 11; bool id_token_role_assertion = 12; bool id_token_userinfo_assertion = 13; google.protobuf.Duration clock_skew = 14 [(validate.rules).duration = {gte: {}, lte: {seconds: 5}}]; } enum OIDCResponseType { OIDCRESPONSETYPE_CODE = 0; OIDCRESPONSETYPE_ID_TOKEN = 1; OIDCRESPONSETYPE_ID_TOKEN_TOKEN = 2; } enum OIDCGrantType { OIDCGRANTTYPE_AUTHORIZATION_CODE = 0; OIDCGRANTTYPE_IMPLICIT = 1; OIDCGRANTTYPE_REFRESH_TOKEN = 2; } enum OIDCApplicationType { OIDCAPPLICATIONTYPE_WEB = 0; OIDCAPPLICATIONTYPE_USER_AGENT = 1; OIDCAPPLICATIONTYPE_NATIVE = 2; } enum OIDCAuthMethodType { OIDCAUTHMETHODTYPE_BASIC = 0; OIDCAUTHMETHODTYPE_POST = 1; OIDCAUTHMETHODTYPE_NONE = 2; } message ClientSecret { string client_secret = 1; } message ApplicationView { string id = 1; AppState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; oneof app_config { OIDCConfig oidc_config = 8; } uint64 sequence = 9; } message ApplicationSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ApplicationView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ApplicationSearchRequest { string project_id = 1 [(validate.rules).string = {min_len: 1}]; uint64 offset = 2; uint64 limit = 3; repeated ApplicationSearchQuery queries = 4; } message ApplicationSearchQuery { ApplicationSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ApplicationSearchKey { APPLICATIONSERACHKEY_UNSPECIFIED = 0; APPLICATIONSEARCHKEY_APP_NAME = 1; } message ProjectGrant { string id = 1; string project_id = 2; string granted_org_id = 3; repeated string role_keys = 4; ProjectGrantState state = 5; google.protobuf.Timestamp creation_date = 6; google.protobuf.Timestamp change_date = 7; uint64 sequence = 9; } message ProjectGrantCreate { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string granted_org_id = 2 [(validate.rules).string = {min_len: 1}]; repeated string role_keys = 3; } message ProjectGrantUpdate { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string id = 2 [(validate.rules).string = {min_len: 1}]; repeated string role_keys = 3; } message ProjectGrantID { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string id = 2 [(validate.rules).string = {min_len: 1}]; } enum ProjectGrantState { PROJECTGRANTSTATE_UNSPECIFIED = 0; PROJECTGRANTSTATE_ACTIVE = 1; PROJECTGRANTSTATE_INACTIVE = 2; } message ProjectGrantView { string id = 1; string project_id = 2; string granted_org_id = 3; string granted_org_name = 4; repeated string role_keys = 5; ProjectGrantState state = 6; google.protobuf.Timestamp creation_date = 7; google.protobuf.Timestamp change_date = 8; string project_name = 9; uint64 sequence = 10; string resource_owner = 11; string resource_owner_name = 12; } message ProjectGrantSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectGrantView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message GrantedProjectSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated ProjectSearchQuery queries = 3; } message ProjectGrantSearchRequest { string project_id = 1 [(validate.rules).string = {min_len: 1}]; uint64 offset = 2; uint64 limit = 3; repeated ProjectGrantSearchQuery queries = 4; } message ProjectGrantSearchQuery { ProjectGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectGrantSearchKey { PROJECTGRANTSEARCHKEY_UNSPECIFIED = 0; PROJECTGRANTSEARCHKEY_PROJECT_NAME = 1; PROJECTGRANTSEARCHKEY_ROLE_KEY = 2; } message ProjectGrantMemberRoles { repeated string roles = 1; } message ProjectGrantMember { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; } message ProjectGrantMemberAdd { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string grant_id = 2 [(validate.rules).string = {min_len: 1}]; string user_id = 3 [(validate.rules).string = {min_len: 1}]; repeated string roles = 4; } message ProjectGrantMemberChange { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string grant_id = 2 [(validate.rules).string = {min_len: 1}]; string user_id = 3 [(validate.rules).string = {min_len: 1}]; repeated string roles = 4; } message ProjectGrantMemberRemove { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string grant_id = 2 [(validate.rules).string = {min_len: 1}]; string user_id = 3 [(validate.rules).string = {min_len: 1}]; } message ProjectGrantMemberView { string user_id = 1; string user_name = 2; string email = 3; string first_name = 4; string last_name = 5; repeated string roles = 6; google.protobuf.Timestamp change_date = 7; google.protobuf.Timestamp creation_date = 8; uint64 sequence = 9; string display_name = 10; } message ProjectGrantMemberSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ProjectGrantMemberView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ProjectGrantMemberSearchRequest { string project_id = 1 [(validate.rules).string = {min_len: 1}]; string grant_id = 2 [(validate.rules).string = {min_len: 1}]; uint64 offset = 3; uint64 limit = 4; repeated ProjectGrantMemberSearchQuery queries = 5; } message ProjectGrantMemberSearchQuery { ProjectGrantMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum ProjectGrantMemberSearchKey { PROJECTGRANTMEMBERSEARCHKEY_UNSPECIFIED = 0; PROJECTGRANTMEMBERSEARCHKEY_FIRST_NAME = 1; PROJECTGRANTMEMBERSEARCHKEY_LAST_NAME = 2; PROJECTGRANTMEMBERSEARCHKEY_EMAIL = 3; PROJECTGRANTMEMBERSEARCHKEY_USER_ID = 4; PROJECTGRANTMEMBERSEARCHKEY_USER_NAME = 5; } message UserGrant { string id = 1; string user_id = 2; string org_id = 3; string project_id = 4; repeated string role_keys = 5; UserGrantState state = 6; google.protobuf.Timestamp creation_date = 7; google.protobuf.Timestamp change_date = 8; uint64 sequence = 9; string grant_id = 10; } message UserGrantCreate { string user_id = 1 [(validate.rules).string = {min_len: 1}]; string project_id = 2 [(validate.rules).string = {min_len: 1}]; repeated string role_keys = 3; string grant_id = 4; } message UserGrantUpdate { string user_id = 1 [(validate.rules).string = {min_len: 1}]; string id = 2 [(validate.rules).string = {min_len: 1}]; repeated string role_keys = 3; } message UserGrantRemoveBulk { repeated string ids = 1 [(validate.rules).repeated.min_items = 1]; } message UserGrantID { string user_id = 1 [(validate.rules).string = {min_len: 1}]; string id = 2 [(validate.rules).string = {min_len: 1}]; } enum UserGrantState { USERGRANTSTATE_UNSPECIFIED = 0; USERGRANTSTATE_ACTIVE = 1; USERGRANTSTATE_INACTIVE = 2; } message UserGrantView { string id = 1; string user_id = 2; string org_id = 3; string project_id = 4; repeated string role_keys = 5; UserGrantState state = 6; google.protobuf.Timestamp creation_date = 7; google.protobuf.Timestamp change_date = 8; string user_name = 9; string first_name = 10; string last_name = 11; string email = 12; string org_name = 13; string org_domain = 14; string project_name = 15; uint64 sequence = 16; string resource_owner = 17; string display_name = 18; string grant_id = 19; } message UserGrantSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated UserGrantView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message UserGrantSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated UserGrantSearchQuery queries = 3; } message UserGrantSearchQuery { UserGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2 [(validate.rules).enum.defined_only = true]; string value = 3; } enum UserGrantSearchKey { USERGRANTSEARCHKEY_UNSPECIFIED = 0; USERGRANTSEARCHKEY_PROJECT_ID = 1; USERGRANTSEARCHKEY_USER_ID = 2; USERGRANTSEARCHKEY_WITH_GRANTED = 3; USERGRANTSEARCHKEY_ROLE_KEY = 4; USERGRANTSEARCHKEY_GRANT_ID = 5; USERGRANTSEARCHKEY_USER_NAME = 6; USERGRANTSEARCHKEY_FIRST_NAME = 7; USERGRANTSEARCHKEY_LAST_NAME = 8; USERGRANTSEARCHKEY_EMAIL = 9; USERGRANTSEARCHKEY_ORG_NAME = 10; USERGRANTSEARCHKEY_ORG_DOMAIN = 11; USERGRANTSEARCHKEY_PROJECT_NAME = 12; USERGRANTSEARCHKEY_DISPLAY_NAME = 13; } message UserMembershipSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated UserMembershipView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message UserMembershipSearchRequest { string user_id = 1 [(validate.rules).string = {min_len: 1}]; uint64 offset = 2; uint64 limit = 3; repeated UserMembershipSearchQuery queries = 4; } message UserMembershipSearchQuery { UserMembershipSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2 [(validate.rules).enum = {in: [0]}]; string value = 3; } enum UserMembershipSearchKey { USERMEMBERSHIPSEARCHKEY_UNSPECIFIED = 0; USERMEMBERSHIPSEARCHKEY_TYPE = 1; USERMEMBERSHIPSEARCHKEY_OBJECT_ID = 2; } message UserMembershipView { string user_id = 1; MemberType member_type = 2; string aggregate_id = 3; string object_id = 4; repeated string roles = 5; string display_name = 6; google.protobuf.Timestamp creation_date = 7; google.protobuf.Timestamp change_date = 8; uint64 sequence = 9; string resource_owner = 10; } enum MemberType { MEMBERTYPE_UNSPECIFIED = 0; MEMBERTYPE_ORGANISATION = 1; MEMBERTYPE_PROJECT = 2; MEMBERTYPE_PROJECT_GRANT = 3; } message IdpID { string id = 1 [(validate.rules).string = {min_len: 1}]; } message Idp { string id = 1; IdpState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; IdpStylingType styling_type = 6; oneof idp_config { OidcIdpConfig oidc_config = 7; } uint64 sequence = 8; } message IdpUpdate { string id = 1 [(validate.rules).string = {min_len: 1}]; string name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; IdpStylingType styling_type = 3; } message OidcIdpConfig { string client_id = 1; string client_secret = 2; string issuer = 3; repeated string scopes = 4; OIDCMappingField idp_display_name_mapping = 5; OIDCMappingField username_mapping = 6; } enum IdpStylingType { IDPSTYLINGTYPE_UNSPECIFIED = 0; IDPSTYLINGTYPE_GOOGLE = 1; } enum IdpState { IDPCONFIGSTATE_UNSPECIFIED = 0; IDPCONFIGSTATE_ACTIVE = 1; IDPCONFIGSTATE_INACTIVE = 2; } enum OIDCMappingField { OIDCMAPPINGFIELD_UNSPECIFIED = 0; OIDCMAPPINGFIELD_PREFERRED_USERNAME = 1; OIDCMAPPINGFIELD_EMAIL = 2; } message OidcIdpConfigCreate { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; IdpStylingType styling_type = 2; string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; repeated string scopes = 6; OIDCMappingField idp_display_name_mapping = 7; OIDCMappingField username_mapping = 8; } message OidcIdpConfigUpdate { string idp_id = 1 [(validate.rules).string = {min_len: 1}]; string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string client_secret = 3; string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; repeated string scopes = 5; OIDCMappingField idp_display_name_mapping = 6; OIDCMappingField username_mapping = 7; } message IdpSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated IdpView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message IdpView { string id = 1; IdpState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; IdpStylingType styling_type = 6; IdpProviderType provider_type = 7; oneof idp_config_view { OidcIdpConfigView oidc_config = 8; } uint64 sequence = 9; } message OidcIdpConfigView { string client_id = 1; string issuer = 2; repeated string scopes = 3; OIDCMappingField idp_display_name_mapping = 4; OIDCMappingField username_mapping = 5; } message IdpSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated IdpSearchQuery queries = 3; } message IdpSearchQuery { IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum IdpSearchKey { IDPSEARCHKEY_UNSPECIFIED = 0; IDPSEARCHKEY_IDP_CONFIG_ID = 1; IDPSEARCHKEY_NAME = 2; IDPSEARCHKEY_PROVIDER_TYPE = 3; } message LoginPolicy { bool allow_username_password = 1; bool allow_register = 2; bool allow_external_idp = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp change_date = 5; bool force_mfa = 6; } message LoginPolicyRequest { bool allow_username_password = 1; bool allow_register = 2; bool allow_external_idp = 3; bool force_mfa = 4; } message IdpProviderID { string idp_config_id = 1 [(validate.rules).string = {min_len: 1}]; } message IdpProviderAdd { string idp_config_id = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; IdpProviderType idp_provider_type = 2 [(validate.rules).enum = {not_in: [0]}]; } message IdpProvider { string idp_config_id = 1; IdpProviderType idp_provider_Type = 2; } message LoginPolicyView { bool default = 1; bool allow_username_password = 2; bool allow_register = 3; bool allow_external_idp = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; bool force_mfa = 7; } message IdpProviderView { string idp_config_id = 1; string name = 2; IdpType type = 3; } enum IdpType { IDPTYPE_UNSPECIFIED = 0; IDPTYPE_OIDC = 1; IDPTYPE_SAML = 2; } enum IdpProviderType { IDPPROVIDERTYPE_UNSPECIFIED = 0; IDPPROVIDERTYPE_SYSTEM = 1; IDPPROVIDERTYPE_ORG = 2; } message IdpProviderSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated IdpProviderView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message IdpProviderSearchRequest { uint64 offset = 1; uint64 limit = 2; } //ProjectType is deprecated, remove as soon as console is ready enum ProjectType { PROJECTTYPE_UNSPECIFIED = 0; PROJECTTYPE_OWNED = 1; PROJECTTYPE_GRANTED = 2; } message ExternalIDPSearchRequest { uint64 offset = 1; uint64 limit = 2; string user_id = 3; } message ExternalIDPSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated ExternalIDPView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message ExternalIDPView { string user_id = 1; string idp_config_id = 2; string external_user_id = 3; string idp_name = 4; string external_user_display_name = 5; google.protobuf.Timestamp creation_date = 6; google.protobuf.Timestamp change_date = 7; } message ExternalIDPRemoveRequest { string user_id = 1; string idp_config_id = 2; string external_user_id = 3; } message SecondFactorsResult { repeated SecondFactorType second_factors = 1; } message SecondFactor { SecondFactorType second_factor = 1; } enum SecondFactorType { SECONDFACTORTYPE_UNSPECIFIED = 0; SECONDFACTORTYPE_OTP = 1; SECONDFACTORTYPE_U2F = 2; } message MultiFactorsResult { repeated MultiFactorType multi_factors = 1; } message MultiFactor { MultiFactorType multi_factor = 1; } enum MultiFactorType { MULTIFACTORTYPE_UNSPECIFIED = 0; MULTIFACTORTYPE_U2F_WITH_PIN = 1; } message PasswordComplexityPolicy { uint64 min_length = 1; bool has_lowercase = 2; bool has_uppercase = 3; bool has_number = 4; bool has_symbol = 5; uint64 sequence = 6; google.protobuf.Timestamp creation_date = 7; google.protobuf.Timestamp change_date = 8; } message PasswordComplexityPolicyRequest { uint64 min_length = 1; bool has_lowercase = 2; bool has_uppercase = 3; bool has_number = 4; bool has_symbol = 5; } message PasswordComplexityPolicyView { bool default = 1; uint64 min_length = 2; bool has_lowercase = 3; bool has_uppercase = 4; bool has_number = 5; bool has_symbol = 6; uint64 sequence = 7; google.protobuf.Timestamp creation_date = 8; google.protobuf.Timestamp change_date = 9; } message PasswordAgePolicy { uint64 max_age_days = 1; uint64 expire_warn_days = 2; uint64 sequence = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp change_date = 5; } message PasswordAgePolicyRequest { uint64 max_age_days = 1; uint64 expire_warn_days = 2; } message PasswordAgePolicyView { bool default = 1; uint64 max_age_days = 2; uint64 expire_warn_days = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; } message PasswordLockoutPolicy { uint64 max_attempts = 1; bool show_lockout_failure = 2; uint64 sequence = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp change_date = 5; } message PasswordLockoutPolicyRequest { uint64 max_attempts = 1; bool show_lockout_failure = 2; } message PasswordLockoutPolicyView { bool default = 1; uint64 max_attempts = 2; bool show_lockout_failure = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; }