mirror of
https://github.com/zitadel/zitadel.git
synced 2025-12-06 15:02:13 +00:00
2691dae2b6
# Which Problems Are Solved This PR *partially* addresses #9450 . Specifically, it implements the resource based API for the apps. APIs for app keys ARE not part of this PR. # How the Problems Are Solved - `CreateApplication`, `PatchApplication` (update) and `RegenerateClientSecret` endpoints are now unique for all app types: API, SAML and OIDC apps. - All new endpoints have integration tests - All new endpoints are using permission checks V2 # Additional Changes - The `ListApplications` endpoint allows to do sorting (see protobuf for details) and filtering by app type (see protobuf). - SAML and OIDC update endpoint can now receive requests for partial updates # Additional Context Partially addresses #9450
166 lines
6.5 KiB
Protocol Buffer
166 lines
6.5 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
package zitadel.app.v2beta;
|
|
import "zitadel/app/v2beta/login.proto";
|
|
import "protoc-gen-openapiv2/options/annotations.proto";
|
|
import "google/protobuf/duration.proto";
|
|
|
|
option go_package = "github.com/zitadel/zitadel/pkg/grpc/app/v2beta;app";
|
|
|
|
message OIDCLocalizedMessage {
|
|
string key = 1;
|
|
string localized_message = 2;
|
|
}
|
|
|
|
enum OIDCResponseType {
|
|
OIDC_RESPONSE_TYPE_UNSPECIFIED = 0;
|
|
OIDC_RESPONSE_TYPE_CODE = 1;
|
|
OIDC_RESPONSE_TYPE_ID_TOKEN = 2;
|
|
OIDC_RESPONSE_TYPE_ID_TOKEN_TOKEN = 3;
|
|
}
|
|
|
|
enum OIDCGrantType{
|
|
OIDC_GRANT_TYPE_AUTHORIZATION_CODE = 0;
|
|
OIDC_GRANT_TYPE_IMPLICIT = 1;
|
|
OIDC_GRANT_TYPE_REFRESH_TOKEN = 2;
|
|
OIDC_GRANT_TYPE_DEVICE_CODE = 3;
|
|
OIDC_GRANT_TYPE_TOKEN_EXCHANGE = 4;
|
|
}
|
|
|
|
enum OIDCAppType {
|
|
OIDC_APP_TYPE_WEB = 0;
|
|
OIDC_APP_TYPE_USER_AGENT = 1;
|
|
OIDC_APP_TYPE_NATIVE = 2;
|
|
}
|
|
|
|
enum OIDCAuthMethodType {
|
|
OIDC_AUTH_METHOD_TYPE_BASIC = 0;
|
|
OIDC_AUTH_METHOD_TYPE_POST = 1;
|
|
OIDC_AUTH_METHOD_TYPE_NONE = 2;
|
|
OIDC_AUTH_METHOD_TYPE_PRIVATE_KEY_JWT = 3;
|
|
}
|
|
|
|
enum OIDCVersion {
|
|
OIDC_VERSION_1_0 = 0;
|
|
}
|
|
|
|
enum OIDCTokenType {
|
|
OIDC_TOKEN_TYPE_BEARER = 0;
|
|
OIDC_TOKEN_TYPE_JWT = 1;
|
|
}
|
|
|
|
message OIDCConfig {
|
|
repeated string redirect_uris = 1 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "[\"https://console.zitadel.ch/auth/callback\"]";
|
|
description: "Callback URI of the authorization request where the code or tokens will be sent to";
|
|
}
|
|
];
|
|
repeated OIDCResponseType response_types = 2 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "Determines whether a code, id_token token or just id_token will be returned"
|
|
}
|
|
];
|
|
repeated OIDCGrantType grant_types = 3 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "The flow type the application uses to gain access";
|
|
}
|
|
];
|
|
OIDCAppType app_type = 4 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "determines the paradigm of the application";
|
|
}
|
|
];
|
|
string client_id = 5 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"69629023906488334@ZITADEL\"";
|
|
description: "generated oauth2/oidc client id";
|
|
}
|
|
];
|
|
OIDCAuthMethodType auth_method_type = 6 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines how the application passes login credentials";
|
|
}
|
|
];
|
|
repeated string post_logout_redirect_uris = 7 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "[\"https://console.zitadel.ch/logout\"]";
|
|
description: "ZITADEL will redirect to this link after a successful logout";
|
|
}
|
|
];
|
|
OIDCVersion version = 8 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "the OIDC version used by the application";
|
|
}
|
|
];
|
|
bool none_compliant = 9 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "specifies whether the config is OIDC compliant. A production configuration SHOULD be compliant";
|
|
}
|
|
];
|
|
repeated OIDCLocalizedMessage compliance_problems = 10 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "lists the problems for non-compliancy";
|
|
}
|
|
];
|
|
bool dev_mode = 11 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "used for development";
|
|
}
|
|
];
|
|
OIDCTokenType access_token_type = 12 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "type of the access token returned from ZITADEL";
|
|
}
|
|
];
|
|
bool access_token_role_assertion = 13 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "adds roles to the claims of the access token (only if type == JWT) even if they are not requested by scopes";
|
|
}
|
|
];
|
|
bool id_token_role_assertion = 14 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "adds roles to the claims of the id token even if they are not requested by scopes";
|
|
}
|
|
];
|
|
bool id_token_userinfo_assertion = 15 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "claims of profile, email, address and phone scopes are added to the id token even if an access token is issued. Attention this violates the OIDC specification";
|
|
}
|
|
];
|
|
google.protobuf.Duration clock_skew = 16 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "Used to compensate time difference of servers. Duration added to the \"exp\" claim and subtracted from \"iat\", \"auth_time\" and \"nbf\" claims";
|
|
// min: "0s";
|
|
// max: "5s";
|
|
}
|
|
];
|
|
repeated string additional_origins = 17 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "[\"https://console.zitadel.ch/auth/callback\"]";
|
|
description: "additional origins (other than the redirect_uris) from where the API can be used";
|
|
}
|
|
];
|
|
repeated string allowed_origins = 18 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "[\"https://console.zitadel.ch/auth/callback\"]";
|
|
description: "all allowed origins from where the API can be used";
|
|
}
|
|
];
|
|
bool skip_native_app_success_page = 19 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "Skip the successful login page on native apps and directly redirect the user to the callback.";
|
|
}
|
|
];
|
|
string back_channel_logout_uri = 20 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "[\"https://example.com/auth/backchannel\"]";
|
|
description: "ZITADEL will use this URI to notify the application about terminated session according to the OIDC Back-Channel Logout (https://openid.net/specs/openid-connect-backchannel-1_0.html)";
|
|
}
|
|
];
|
|
LoginVersion login_version = 21 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "Specify the preferred login UI, where the user is redirected to for authentication. If unset, the login UI is chosen by the instance default.";
|
|
}
|
|
];
|
|
} |