syntax = "proto3"; import "google/api/annotations.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/timestamp.proto"; import "validate/validate.proto"; import "protoc-gen-swagger/options/annotations.proto"; import "authoption/options.proto"; import "proto/message.proto"; package caos.zitadel.auth.api.v1; option go_package = "github.com/caos/zitadel/pkg/grpc/auth"; option (grpc.gateway.protoc_gen_swagger.options.openapiv2_swagger) = { info: { title: "Auth API"; version: "0.1"; contact:{ url: "https://github.com/caos/zitadel/pkg/auth" }; }; schemes: HTTPS; consumes: "application/json"; consumes: "application/grpc"; produces: "application/json"; produces: "application/grpc"; }; service AuthService { // Readiness rpc Healthz(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { get: "/healthz" }; } rpc Ready(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { get: "/ready" }; } rpc Validate(google.protobuf.Empty) returns (google.protobuf.Struct) { option (google.api.http) = { get: "/validate" }; } // Authorization rpc GetMyUserSessions(google.protobuf.Empty) returns (UserSessionViews) { option (google.api.http) = { get: "/me/usersessions" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } //User rpc GetMyUser(google.protobuf.Empty) returns (UserView) { option (google.api.http) = { get: "/users/me" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetMyUserProfile(google.protobuf.Empty) returns (UserProfileView) { option (google.api.http) = { get: "/users/me/profile" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc UpdateMyUserProfile(UpdateUserProfileRequest) returns (UserProfile) { option (google.api.http) = { put: "/users/me/profile" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetMyUserEmail(google.protobuf.Empty) returns (UserEmailView) { option (google.api.http) = { get: "/users/me/email" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc ChangeMyUserEmail(UpdateUserEmailRequest) returns (UserEmail) { option (google.api.http) = { put: "/users/me/email" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc VerifyMyUserEmail(VerifyMyUserEmailRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/me/email/_verify" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc ResendMyEmailVerificationMail(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/me/email/_resendverification" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetMyUserPhone(google.protobuf.Empty) returns (UserPhoneView) { option (google.api.http) = { get: "/users/me/phone" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc ChangeMyUserPhone(UpdateUserPhoneRequest) returns (UserPhone) { option (google.api.http) = { put: "/users/me/phone" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc RemoveMyUserPhone(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/me/phone" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc VerifyMyUserPhone(VerifyUserPhoneRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/me/phone/_verify" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc ResendMyPhoneVerificationCode(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/users/me/phone/_resendverification" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetMyUserAddress(google.protobuf.Empty) returns (UserAddressView) { option (google.api.http) = { get: "/users/me/address" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetMyUserChanges(ChangesRequest) returns (Changes) { option (google.api.http) = { get: "/users/me/changes" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc UpdateMyUserAddress(UpdateUserAddressRequest) returns (UserAddress) { option (google.api.http) = { put: "/users/me/address" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetMyMfas(google.protobuf.Empty) returns (MultiFactors) { option (google.api.http) = { get: "/users/me/mfas" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } //Password rpc ChangeMyPassword(PasswordChange) returns (google.protobuf.Empty) { option (google.api.http) = { put: "/users/me/passwords/_change" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetMyPasswordComplexityPolicy(google.protobuf.Empty) returns (PasswordComplexityPolicy) { option (google.api.http) = { get: "/policies/passwords/complexity" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } // MFA rpc AddMfaOTP(google.protobuf.Empty) returns (MfaOtpResponse) { option (google.api.http) = { post: "/users/me/mfa/otp" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc VerifyMfaOTP(VerifyMfaOtp) returns (google.protobuf.Empty) { option (google.api.http) = { put: "/users/me/mfa/otp/_verify" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc RemoveMfaOTP(google.protobuf.Empty) returns (google.protobuf.Empty) { option (google.api.http) = { delete: "/users/me/mfa/otp" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc SearchMyUserGrant(UserGrantSearchRequest) returns (UserGrantSearchResponse) { option (google.api.http) = { post: "/usergrants/me/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc SearchMyProjectOrgs(MyProjectOrgSearchRequest) returns (MyProjectOrgSearchResponse) { option (google.api.http) = { post: "/global/projectorgs/_search" body: "*" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } //Permission rpc GetMyZitadelPermissions(google.protobuf.Empty) returns (MyPermissions) { option (google.api.http) = { get: "/permissions/zitadel/me" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } rpc GetMyProjectPermissions(google.protobuf.Empty) returns (MyPermissions) { option (google.api.http) = { get: "/permissions/me" }; option (caos.zitadel.utils.v1.auth_option) = { permission: "authenticated" }; } } message UserSessionViews { repeated UserSessionView user_sessions = 1; } message UserSessionView { string id = 1; string agent_id = 2; UserSessionState auth_state = 3; string user_id = 4; string user_name = 5; uint64 sequence = 6; string login_name = 7; string display_name = 8; } enum UserSessionState { USERSESSIONSTATE_UNSPECIFIED = 0; USERSESSIONSTATE_ACTIVE = 1; USERSESSIONSTATE_TERMINATED = 2; } enum OIDCResponseType { OIDCRESPONSETYPE_CODE = 0; OIDCRESPONSETYPE_ID_TOKEN = 1; OIDCRESPONSETYPE_ID_TOKEN_TOKEN = 2; } message UserView { string id = 1; UserState state = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; google.protobuf.Timestamp last_login = 5; google.protobuf.Timestamp password_changed = 6; string user_name = 7; string first_name = 8; string last_name = 9; string display_name = 10; string nick_name = 11; string preferred_language = 12; Gender gender = 13; string email = 14; bool is_email_verified = 15; string phone = 16; bool is_phone_verified = 17; string country = 18; string locality = 19; string postal_code = 20; string region = 21; string street_address = 22; uint64 sequence = 23; string resource_owner = 24; repeated string login_names = 25; string preferred_login_name = 26; } enum UserState { USERSTATE_UNSPECIFIED = 0; USERSTATE_ACTIVE = 1; USERSTATE_INACTIVE = 2; USERSTATE_DELETED = 3; USERSTATE_LOCKED = 4; USERSTATE_SUSPEND = 5; USERSTATE_INITIAL = 6; } enum Gender { GENDER_UNSPECIFIED = 0; GENDER_FEMALE = 1; GENDER_MALE = 2; GENDER_DIVERSE = 3; } message UserProfile { string id = 1; string user_name = 2; string first_name = 3; string last_name = 4; string nick_name = 5; string display_name = 6; string preferred_language = 7; Gender gender = 8; uint64 sequence = 9; google.protobuf.Timestamp creation_date = 10; google.protobuf.Timestamp change_date = 11; } message UserProfileView { string id = 1; string user_name = 2; string first_name = 3; string last_name = 4; string nick_name = 5; string display_name = 6; string preferred_language = 7; Gender gender = 8; uint64 sequence = 9; google.protobuf.Timestamp creation_date = 10; google.protobuf.Timestamp change_date = 11; repeated string login_names = 12; string preferred_login_name = 13; } message UpdateUserProfileRequest { string first_name = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; string last_name = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; string nick_name = 3 [(validate.rules).string = {min_len: 1, max_len: 200}]; string preferred_language = 4 [(validate.rules).string = {min_len: 1, max_len: 200}]; Gender gender = 5; } message UserEmail { string id = 1; string email = 2; bool isEmailVerified = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; } message UserEmailView { string id = 1; string email = 2; bool isEmailVerified = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; } message VerifyMyUserEmailRequest { string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message VerifyUserEmailRequest { string id = 1; string code = 2 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message UpdateUserEmailRequest { string email = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message UserPhone { string id = 1; string phone = 2; bool is_phone_verified = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; } message UserPhoneView { string id = 1; string phone = 2; bool is_phone_verified = 3; uint64 sequence = 4; google.protobuf.Timestamp creation_date = 5; google.protobuf.Timestamp change_date = 6; } message UpdateUserPhoneRequest { string phone = 1 [(validate.rules).string = {min_len: 1, max_len: 20}]; } message VerifyUserPhoneRequest { string code = 1 [(validate.rules).string = {min_len: 1, max_len: 200}]; } message UserAddress { string id = 1; string country = 2; string locality = 3; string postal_code = 4; string region = 5; string street_address = 6; uint64 sequence = 7; google.protobuf.Timestamp creation_date = 8; google.protobuf.Timestamp change_date = 9; } message UserAddressView { string id = 1; string country = 2; string locality = 3; string postal_code = 4; string region = 5; string street_address = 6; uint64 sequence = 7; google.protobuf.Timestamp creation_date = 8; google.protobuf.Timestamp change_date = 9; } message UpdateUserAddressRequest { string country = 1 [(validate.rules).string = {max_len: 200}]; string locality = 2 [(validate.rules).string = {max_len: 200}]; string postal_code = 3 [(validate.rules).string = {max_len: 200}]; string region = 4 [(validate.rules).string = {max_len: 200}]; string street_address = 5 [(validate.rules).string = {max_len: 200}]; } message PasswordID { string id = 1; } message PasswordRequest { string password = 1 [(validate.rules).string = {min_len: 1, max_len: 72}]; } message PasswordChange { string old_password = 1 [(validate.rules).string = {min_len: 1, max_len: 72}]; string new_password = 2 [(validate.rules).string = {min_len: 1, max_len: 72}]; } enum MfaType { MFATYPE_UNSPECIFIED = 0; MFATYPE_SMS = 1; MFATYPE_OTP = 2; } message VerifyMfaOtp { string code = 1; } message MultiFactors { repeated MultiFactor mfas = 1; } message MultiFactor { MfaType type = 1; MFAState state = 2; } message MfaOtpResponse { string user_id = 1; string url = 2; string secret = 3; MFAState state = 4; } enum MFAState { MFASTATE_UNSPECIFIED = 0; MFASTATE_NOT_READY = 1; MFASTATE_READY = 2; MFASTATE_REMOVED = 3; } message OIDCClientAuth { string client_id = 1; string client_secret = 2; } message UserGrantSearchRequest { uint64 offset = 1; uint64 limit = 2; UserGrantSearchKey sorting_column = 3 [(validate.rules).enum = {not_in: [0]}];; bool asc = 4; repeated UserGrantSearchQuery queries = 5; } message UserGrantSearchQuery { UserGrantSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];; SearchMethod method = 2; string value = 3; } enum UserGrantSearchKey { UserGrantSearchKey_UNKNOWN = 0; UserGrantSearchKey_ORG_ID = 1; UserGrantSearchKey_PROJECT_ID = 2; } message UserGrantSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated UserGrantView result = 4; } message UserGrantView { string OrgId = 1; string ProjectId = 2; string UserId = 3; repeated string Roles = 4; string OrgName = 5; string GrantId = 6; } message MyProjectOrgSearchRequest { uint64 offset = 1; uint64 limit = 2; bool asc = 4; repeated MyProjectOrgSearchQuery queries = 5; } message MyProjectOrgSearchQuery { MyProjectOrgSearchKey key = 1 [(validate.rules).enum = {not_in: [0]}];; SearchMethod method = 2; string value = 3; } enum MyProjectOrgSearchKey { MYPROJECTORGSEARCHKEY_UNSPECIFIED = 0; MYPROJECTORGSEARCHKEY_ORG_NAME = 1; } message MyProjectOrgSearchResponse { uint64 offset = 1; uint64 limit = 2; uint64 total_result = 3; repeated Org result = 4; } message Org { string id = 1; string name = 2; } message MyPermissions { repeated string permissions = 1; } enum SearchMethod { SEARCHMETHOD_EQUALS = 0; SEARCHMETHOD_STARTS_WITH = 1; SEARCHMETHOD_CONTAINS = 2; SEARCHMETHOD_EQUALS_IGNORE_CASE = 3; SEARCHMETHOD_STARTS_WITH_IGNORE_CASE = 4; SEARCHMETHOD_CONTAINS_IGNORE_CASE = 5; } message ChangesRequest { uint64 limit= 1; uint64 sequence_offset = 2; bool asc = 3; } message Changes { repeated Change changes = 1; uint64 offset = 2; uint64 limit = 3; } message Change { google.protobuf.Timestamp change_date = 1; caos.zitadel.api.v1.LocalizedMessage event_type = 2; uint64 sequence = 3; string editor_id = 4; string editor = 5; google.protobuf.Struct data = 6; } message PasswordComplexityPolicy { string id = 1; string description = 2; google.protobuf.Timestamp creation_date = 3; google.protobuf.Timestamp change_date = 4; uint64 min_length = 5; bool has_lowercase = 6; bool has_uppercase = 7; bool has_number = 8; bool has_symbol = 9; uint64 sequence = 10; bool is_default = 11; }