syntax = "proto3"; import "google/api/annotations.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/timestamp.proto"; import "google/protobuf/struct.proto"; import "validate/validate.proto"; import "protoc-gen-swagger/options/annotations.proto"; import "authoption/options.proto"; package caos.zitadel.admin.api.v1; option go_package ="github.com/caos/zitadel/pkg/grpc/admin"; option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { info: { title: "admin service"; version: "0.1"; contact:{ url: "https://github.com/caos/zitadel/pkg/admin" }; }; schemes: HTTPS; consumes: "application/json"; consumes: "application/grpc"; produces: "application/json"; produces: "application/grpc"; }; service AdminService { // --------- // Probes // --------- // Healthz returns status OK as soon as the service started rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { get: "/healthz" }; } // Ready returns status OK as soon as all dependent services are available rpc Ready(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { get: "/ready" }; } rpc Validate(google.protobuf.Empty) returns (google.protobuf.Struct) { option (google.api.http) = { get: "/validate" }; } //ORG rpc IsOrgUnique(UniqueOrgRequest) returns (UniqueOrgResponse) { option (google.api.http) = { get: "/orgs/_isunique" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.read" }; } rpc GetOrgByID(OrgID) returns (Org) { option (google.api.http) = { get: "/orgs/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.read" }; } rpc SearchOrgs(OrgSearchRequest) returns (OrgSearchResponse) { option (google.api.http) = { post: "/orgs/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.read" }; } rpc SetUpOrg(OrgSetUpRequest) returns (OrgSetUpResponse) { option (google.api.http) = { post: "/orgs/_setup" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.write" }; } //ORG_IAM_POLICY rpc GetOrgIamPolicy(OrgIamPolicyID) returns (OrgIamPolicy) { option (google.api.http) = { get: "/orgs/{org_id}/iampolicy" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.read" }; } rpc CreateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) { option (google.api.http) = { post: "/orgs/{org_id}/iampolicy" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.write" }; } rpc UpdateOrgIamPolicy(OrgIamPolicyRequest) returns (OrgIamPolicy) { option (google.api.http) = { put: "/orgs/{org_id}/iampolicy" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.write" }; } rpc DeleteOrgIamPolicy(OrgIamPolicyID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/orgs/{org_id}/iampolicy" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.delete" }; } rpc GetIamMemberRoles(google.protobuf.Empty) returns (IamMemberRoles) { option (google.api.http) = { get: "/members/roles" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.member.read" }; } rpc AddIamMember(AddIamMemberRequest) returns (IamMember) { option (google.api.http) = { post: "/members" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.member.write" }; } rpc ChangeIamMember(ChangeIamMemberRequest) returns (IamMember) { option (google.api.http) = { put: "/members/{user_id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.member.write" }; } rpc RemoveIamMember(RemoveIamMemberRequest) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/members/{user_id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.member.delete" }; } rpc SearchIamMembers(IamMemberSearchRequest) returns (IamMemberSearchResponse) { option (google.api.http) = { post: "/members/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.member.read" }; } rpc GetViews(google.protobuf.Empty) returns (Views) { option (google.api.http) = { get: "/views" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.read" }; } rpc ClearView(ViewID) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/views/{database}/{view_name}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.write" }; } rpc GetFailedEvents(google.protobuf.Empty) returns (FailedEvents) { option (google.api.http) = { get: "/failedevents" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.read" }; } rpc RemoveFailedEvent(FailedEventID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/failedevents/{database}/{view_name}/{failed_sequence}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.write" }; } rpc IdpByID(IdpID) returns (IdpView) { option (google.api.http) = { get: "/idps/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.idp.read" }; } rpc CreateOidcIdp(OidcIdpConfigCreate) returns (Idp) { option (google.api.http) = { post: "/idps/oidc" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.idp.write" }; } rpc UpdateIdpConfig(IdpUpdate) returns (Idp) { option (google.api.http) = { put: "/idps/{id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.idp.write" }; } rpc DeactivateIdpConfig(IdpID) returns (Idp) { option (google.api.http) = { put: "/idps/{id}/_deactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.idp.write" }; } rpc ReactivateIdpConfig(IdpID) returns (Idp) { option (google.api.http) = { put: "/idps/{id}/_reactivate" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.idp.write" }; } rpc RemoveIdpConfig(IdpID) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/idps/{id}" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.idp.write" }; } rpc UpdateOidcIdpConfig(OidcIdpConfigUpdate) returns (OidcIdpConfig) { option (google.api.http) = { put: "/idps/{idp_id}/oidcconfig" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.idp.write" }; } rpc SearchIdps(IdpSearchRequest) returns (IdpSearchResponse) { option (google.api.http) = { post: "/idps/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.idp.read" }; } rpc GetDefaultLoginPolicy(google.protobuf.Empty) returns (DefaultLoginPolicyView) { option (google.api.http) = { get: "/policies/login" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.read" }; } rpc UpdateDefaultLoginPolicy(DefaultLoginPolicy) returns (DefaultLoginPolicy) { option (google.api.http) = { put: "/policies/login" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.write" }; } rpc GetDefaultLoginPolicyIdpProviders(IdpProviderSearchRequest) returns (IdpProviderSearchResponse) { option (google.api.http) = { post: "/policies/login/idpproviders/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.read" }; } rpc AddIdpProviderToDefaultLoginPolicy(IdpProviderID) returns (IdpProviderID) { option (google.api.http) = { post: "/policies/login/idpproviders" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.write" }; } rpc RemoveIdpProviderFromDefaultLoginPolicy(IdpProviderID) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/policies/login/idpproviders/{idp_config_id}" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "iam.policy.write" }; } } message OrgID { string id = 1 [(validate.rules).string = {min_len: 1}]; } message UniqueOrgRequest { string name = 1 [(validate.rules).string.min_len = 1]; string domain = 2 [(validate.rules).string.min_len = 1]; } message UniqueOrgResponse { bool is_unique = 1; } message Org { string id = 1; OrgState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; string domain = 6; } enum OrgState { ORGSTATE_UNSPECIFIED = 0; ORGSTATE_ACTIVE = 1; ORGSTATE_INACTIVE = 2; } message OrgSearchRequest { uint64 offset = 1; uint64 limit = 2; OrgSearchKey sorting_column = 3 [(validate.rules).enum = {not_in: [0]}];; bool asc = 4; repeated OrgSearchQuery queries = 5; } message OrgSearchQuery { OrgSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];; OrgSearchMethod method = 2; string value = 3; } enum OrgSearchKey { ORGSEARCHKEY_UNSPECIFIED = 0; ORGSEARCHKEY_NAME = 1; ORGSEARCHKEY_DOMAIN = 2; ORGSEARCHKEY_STATE = 3; } message OrgSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated Org result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } enum OrgSearchMethod { ORGSEARCHMETHOD_EQUALS = 0; ORGSEARCHMETHOD_STARTS_WITH = 1; ORGSEARCHMETHOD_CONTAINS = 2; } message OrgSetUpRequest { CreateOrgRequest org = 1 [(validate.rules).message.required = true]; CreateUserRequest user = 2 [(validate.rules).message.required = true]; } message OrgSetUpResponse { Org org = 1; UserResponse user = 2; } message CreateUserRequest { string user_name = 1 [(validate.rules).string.pattern = "^[^[:space:]]{1,200}$"]; oneof user { option (validate.required) = true; CreateHumanRequest human = 2; CreateMachineRequest machine = 3; } } message CreateHumanRequest { string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string nick_name = 3 [(validate.rules).string = {max_len: 200}]; string preferred_language = 4 [(validate.rules).string = {max_len: 200}]; Gender gender = 5; string email = 6 [(validate.rules).string = {min_len: 1, max_len: 200, email: true}]; bool is_email_verified = 7; string phone = 8 [(validate.rules).string = {max_len: 20}]; bool is_phone_verified = 9; string country = 10 [(validate.rules).string = {max_len: 200}]; string locality = 11 [(validate.rules).string = {max_len: 200}]; string postal_code = 12 [(validate.rules).string = {max_len: 200}]; string region = 13 [(validate.rules).string = {max_len: 200}]; string street_address = 14 [(validate.rules).string = {max_len: 200}]; string password = 15 [(validate.rules).string = {max_len: 72}]; } message CreateMachineRequest { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string description = 2 [(validate.rules).string = {max_len: 500}]; } message UserResponse { string id = 1; UserState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; uint64 sequence = 5; string user_name = 6; oneof user { option (validate.required) = true; HumanResponse human = 7; MachineResponse machine = 8; } } enum UserState { USERSTATE_UNSPECIFIED = 0; USERSTATE_ACTIVE = 1; USERSTATE_INACTIVE = 2; USERSTATE_DELETED = 3; USERSTATE_LOCKED = 4; USERSTATE_SUSPEND = 5; USERSTATE_INITIAL= 6; } enum Gender { GENDER_UNSPECIFIED = 0; GENDER_FEMALE = 1; GENDER_MALE = 2; GENDER_DIVERSE = 3; } message HumanResponse { string first_name = 1; string last_name = 2; string display_name = 3; string nick_name = 4; string preferred_language = 5; Gender gender = 6; string email = 7; bool is_email_verified = 8; string phone = 9; bool is_phone_verified = 10; string country = 11; string locality = 12; string postal_code = 13; string region = 14; string street_address = 15; } message MachineResponse { string name = 1; string description = 2; repeated MachineKeyResponse keys = 3; } message MachineKeyResponse { string id = 1; MachineKeyType type = 2; uint64 sequence = 3; google.protobuf.Timestamp creation_date = 4; google.protobuf.Timestamp expiration_date = 5; } enum MachineKeyType { MACHINEKEY_UNSPECIFIED = 0; MACHINEKEY_JSON = 1; } message CreateOrgRequest { string name = 1 [(validate.rules).string.min_len = 1]; string domain = 2; } message OrgIamPolicy { string org_id = 1; string description = 2; bool user_login_must_be_domain = 3; bool default = 4; uint64 sequence = 5; google.protobuf.Timestamp creation_date = 6; google.protobuf.Timestamp change_date = 7; } message OrgIamPolicyRequest { string org_id = 1 [(validate.rules).string = {min_len: 1}]; string description = 2; bool user_login_must_be_domain = 3; } message OrgIamPolicyID { string org_id = 1 [(validate.rules).string = {min_len: 1}]; } message IamMemberRoles { repeated string roles = 1; } message IamMember { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; } message AddIamMemberRequest { string user_id = 1 [(validate.rules).string = {min_len: 1}]; repeated string roles = 2; } message ChangeIamMemberRequest { string user_id = 1 [(validate.rules).string = {min_len: 1}]; repeated string roles = 2; } message RemoveIamMemberRequest { string user_id = 1 [(validate.rules).string = {min_len: 1}]; } message IamMemberSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated IamMemberView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message IamMemberView { string user_id = 1; repeated string roles = 2; google.protobuf.Timestamp change_date = 3; google.protobuf.Timestamp creation_date = 4; uint64 sequence = 5; string user_name = 6; string email = 7; string first_name = 8; string last_name = 9; string display_name = 10; } message IamMemberSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated IamMemberSearchQuery queries = 3; } message IamMemberSearchQuery { IamMemberSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum IamMemberSearchKey { IAMMEMBERSEARCHKEY_UNSPECIFIED = 0; IAMMEMBERSEARCHKEY_FIRST_NAME = 1; IAMMEMBERSEARCHKEY_LAST_NAME = 2; IAMMEMBERSEARCHKEY_EMAIL = 3; IAMMEMBERSEARCHKEY_USER_ID = 4; } enum SearchMethod { SEARCHMETHOD_EQUALS = 0; SEARCHMETHOD_STARTS_WITH = 1; SEARCHMETHOD_CONTAINS = 2; SEARCHMETHOD_EQUALS_IGNORE_CASE = 3; SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4; SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5; SEARCHMETHOD_NOT_EQUALS = 6; SEARCHMETHOD_GREATER_THAN = 7; SEARCHMETHOD_LESS_THAN = 8; SEARCHMETHOD_IS_ONE_OF = 9; SEARCHMETHOD_LIST_CONTAINS = 10; } message FailedEventID { string database = 1 [(validate.rules).string = {min_len: 1}]; string view_name = 2 [(validate.rules).string = {min_len: 1}]; uint64 failed_sequence = 3; } message FailedEvents { repeated FailedEvent failed_events = 1; } message FailedEvent { string database = 1; string view_name = 2; uint64 failed_sequence = 3; uint64 failure_count = 4; string error_message = 5; } message ViewID { string database = 1 [(validate.rules).string = {min_len: 1}]; string view_name = 2 [(validate.rules).string = {min_len: 1}]; } message Views { repeated View views = 1; } message View { string database = 1; string view_name = 2; uint64 processed_sequence = 3; google.protobuf.Timestamp view_timestamp = 4; } message IdpID { string id = 1 [(validate.rules).string = {min_len: 1}]; } message Idp { string id = 1; IdpState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; bytes logo_src = 6; oneof idp_config { OidcIdpConfig oidc_config = 7; } uint64 sequence = 8; } message IdpUpdate { string id = 1 [(validate.rules).string = {min_len: 1}]; string name = 2; bytes logo_src = 3; } message OidcIdpConfig { string client_id = 1; string client_secret = 2; string issuer = 3; repeated string scopes = 4; } enum IdpState { IDPCONFIGSTATE_UNSPECIFIED = 0; IDPCONFIGSTATE_ACTIVE = 1; IDPCONFIGSTATE_INACTIVE = 2; } message OidcIdpConfigCreate { string name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; bytes logo_src = 2; string client_id = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string client_secret = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; string issuer = 5 [(validate.rules).string = {min_len: 1, max_len: 200}]; repeated string scopes = 6; } message OidcIdpConfigUpdate { string idp_id = 1 [(validate.rules).string = {min_len: 1}]; string client_id = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string client_secret = 3; string issuer = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; repeated string scopes = 5; } message IdpSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated IdpView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message IdpView { string id = 1; IdpState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; string name = 5; bytes logo_src = 6; oneof idp_config_view { OidcIdpConfigView oidc_config = 7; } uint64 sequence = 8; } message OidcIdpConfigView { string client_id = 1; string issuer = 2; repeated string scopes = 3; } message IdpSearchRequest { uint64 offset = 1; uint64 limit = 2; repeated IdpSearchQuery queries = 3; } message IdpSearchQuery { IdpSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}]; SearchMethod method = 2; string value = 3; } enum IdpSearchKey { IDPSEARCHKEY_UNSPECIFIED = 0; IDPSEARCHKEY_IDP_CONFIG_ID = 1; IDPSEARCHKEY_NAME = 2; } message DefaultLoginPolicy { bool allow_username_password = 1; bool allow_register = 2; bool allow_external_idp = 3; } message IdpProviderID { string idp_config_id = 1 [(validate.rules).string = {min_len: 1}]; } message DefaultLoginPolicyView { bool allow_username_password = 1; bool allow_register = 2; bool allow_external_idp = 3; } message IdpProviderView { string idp_config_id = 1; string name = 2; IdpType type = 3; } enum IdpType { IDPTYPE_UNSPECIFIED = 0; IDPTYPE_OIDC = 1; IDPTYPE_SAML = 2; } message IdpProviderSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated IdpProviderView result = 4; uint64 processed_sequence = 5; google.protobuf.Timestamp view_timestamp = 6; } message IdpProviderSearchRequest { uint64 offset = 1; uint64 limit = 2; }