mirror of
https://github.com/zitadel/zitadel.git
synced 2025-04-15 13:21:30 +00:00
fed15574f6
This PR adds an option to the LoginPolicy to "Force MFA for local users", so that users authenticated through an IDP must not configure (and verify) an MFA.
372 lines
14 KiB
Protocol Buffer
372 lines
14 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
import "zitadel/object.proto";
|
|
import "zitadel/idp.proto";
|
|
import "google/protobuf/duration.proto";
|
|
import "protoc-gen-openapiv2/options/annotations.proto";
|
|
import "validate/validate.proto";
|
|
|
|
package zitadel.policy.v1;
|
|
|
|
option go_package ="github.com/zitadel/zitadel/pkg/grpc/policy";
|
|
|
|
//deprecated: please use DomainPolicy instead
|
|
message OrgIAMPolicy {
|
|
zitadel.v1.ObjectDetails details = 1;
|
|
bool user_login_must_be_domain = 2 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "the username has to end with the domain of its organization"
|
|
}
|
|
];
|
|
bool is_default = 3 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the organization's admin changed the policy"
|
|
}
|
|
];
|
|
}
|
|
|
|
message DomainPolicy {
|
|
zitadel.v1.ObjectDetails details = 1;
|
|
bool user_login_must_be_domain = 2 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "the username has to end with the domain of its organization"
|
|
}
|
|
];
|
|
bool is_default = 3 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the organization's admin changed the policy"
|
|
}
|
|
];
|
|
bool validate_org_domains = 4 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if organization domains should be validated org count as validated automatically"
|
|
}
|
|
];
|
|
bool smtp_sender_address_matches_instance_domain = 5 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the SMTP sender address domain should match an existing domain on the instance"
|
|
}
|
|
];
|
|
}
|
|
|
|
message LabelPolicy {
|
|
zitadel.v1.ObjectDetails details = 1;
|
|
// hex value for primary color
|
|
string primary_color = 2 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for primary color";
|
|
example: "\"#5469d4\"";
|
|
}
|
|
];
|
|
// defines if the organization's admin changed the policy
|
|
bool is_default = 4 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the organization's admin changed the policy"
|
|
}
|
|
];
|
|
// hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set
|
|
bool hide_login_name_suffix = 5 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hides the org suffix on the login form if the scope \"urn:zitadel:iam:org:domain:primary:{domainname}\" is set";
|
|
}
|
|
];
|
|
// hex value for secondary color
|
|
string warn_color = 6 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for warn color";
|
|
example: "\"#CD3D56\"";
|
|
}
|
|
];
|
|
// hex value for background color
|
|
string background_color = 7 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for background color";
|
|
example: "\"#FAFAFA\"";
|
|
}
|
|
];
|
|
// hex value for font color
|
|
string font_color = 8 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for font color";
|
|
example: "\"#000000\"";
|
|
}
|
|
];
|
|
// hex value for primary color dark theme
|
|
string primary_color_dark = 9 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for the primary color dark theme";
|
|
example: "\"#BBBAFA\"";
|
|
}
|
|
];
|
|
// hex value for background color dark theme
|
|
string background_color_dark = 10 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for background color dark theme";
|
|
example: "\"#111827\"";
|
|
}
|
|
];
|
|
// hex value for warning color dark theme
|
|
string warn_color_dark = 11 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for warning color dark theme";
|
|
example: "\"#FF3B5B\"";
|
|
}
|
|
];
|
|
// hex value for font color dark theme
|
|
string font_color_dark = 12 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for font color dark theme";
|
|
example: "\"#FFFFFF\"";
|
|
}
|
|
];
|
|
bool disable_watermark = 13;
|
|
string logo_url = 14 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for font color dark theme";
|
|
example: "\"https://acme.com/assets/v1/165617850692654601/policy/label/logo-180950416321494657\"";
|
|
}
|
|
];
|
|
string icon_url = 15 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for font color dark theme";
|
|
example: "\"https://acme.com/assets/v1/165617850692654601/policy/label/icon-180950498874178817\"";
|
|
}
|
|
];
|
|
string logo_url_dark = 16 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for font color dark theme";
|
|
example: "\"https://acme.com/assets/v1/165617850692654601/policy/label/logo-dark-180950229376461345\"";
|
|
}
|
|
];
|
|
string icon_url_dark = 17 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "hex value for font color dark theme";
|
|
example: "\"https://acme.com/assets/v1/165617850692654601/policy/label/icon-dark-180950243237405441\"";
|
|
}
|
|
];
|
|
string font_url = 18;
|
|
}
|
|
|
|
message LoginPolicy {
|
|
zitadel.v1.ObjectDetails details = 1;
|
|
bool allow_username_password = 2 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if a user is allowed to log in with his username and password"
|
|
}
|
|
];
|
|
bool allow_register = 3 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if a person is allowed to register a user on this organization"
|
|
}
|
|
];
|
|
bool allow_external_idp = 4 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if a user is allowed to add a defined identity provider. E.g. Google auth"
|
|
}
|
|
];
|
|
bool force_mfa = 5 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if a user MUST use a multi-factor to log in"
|
|
}
|
|
];
|
|
PasswordlessType passwordless_type = 6 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if passwordless is allowed for users"
|
|
}
|
|
];
|
|
bool is_default = 7 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the organization's admin changed the policy"
|
|
}
|
|
];
|
|
bool hide_password_reset = 8 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if password reset link should be shown in the login screen"
|
|
}
|
|
];
|
|
bool ignore_unknown_usernames = 9 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if unknown username on login screen directly returns an error or always displays the password screen"
|
|
}
|
|
];
|
|
string default_redirect_uri = 10 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines where the user will be redirected to if the login is started without app context (e.g. from mail)";
|
|
example: "\"https://acme.com/ui/console\"";
|
|
}
|
|
];
|
|
google.protobuf.Duration password_check_lifetime = 11 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"864000s\"";
|
|
}
|
|
];
|
|
google.protobuf.Duration external_login_check_lifetime = 12 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"864000s\"";
|
|
}
|
|
];
|
|
google.protobuf.Duration mfa_init_skip_lifetime = 13 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"2592000s\"";
|
|
}
|
|
];
|
|
google.protobuf.Duration second_factor_check_lifetime = 14 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"64800s\"";
|
|
}
|
|
];
|
|
google.protobuf.Duration multi_factor_check_lifetime = 15 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"43200s\"";
|
|
}
|
|
];
|
|
repeated SecondFactorType second_factors = 16;
|
|
repeated MultiFactorType multi_factors = 17;
|
|
repeated zitadel.idp.v1.IDPLoginPolicyLink idps = 18;
|
|
// If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success.
|
|
bool allow_domain_discovery = 19 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "If set to true, the suffix (@domain.com) of an unknown username input on the login screen will be matched against the org domains and will redirect to the registration of that organization on success."
|
|
}
|
|
];
|
|
bool disable_login_with_email = 20 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the user can additionally (to the login name) be identified by their verified email address"
|
|
}
|
|
];
|
|
bool disable_login_with_phone = 21 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the user can additionally (to the login name) be identified by their verified phone number"
|
|
}
|
|
];
|
|
bool force_mfa_local_only = 22 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "if activated, only local authenticated users are forced to use MFA. Authentication through IDPs won't prompt a MFA step in the login."
|
|
}
|
|
];
|
|
}
|
|
|
|
enum SecondFactorType {
|
|
SECOND_FACTOR_TYPE_UNSPECIFIED = 0;
|
|
SECOND_FACTOR_TYPE_OTP = 1;
|
|
SECOND_FACTOR_TYPE_U2F = 2;
|
|
}
|
|
|
|
enum MultiFactorType {
|
|
MULTI_FACTOR_TYPE_UNSPECIFIED = 0;
|
|
MULTI_FACTOR_TYPE_U2F_WITH_VERIFICATION = 1;
|
|
}
|
|
|
|
enum PasswordlessType {
|
|
PASSWORDLESS_TYPE_NOT_ALLOWED = 0;
|
|
PASSWORDLESS_TYPE_ALLOWED = 1;
|
|
//PLANNED: PASSWORDLESS_TYPE_WITH_CERT
|
|
}
|
|
|
|
message PasswordComplexityPolicy {
|
|
zitadel.v1.ObjectDetails details = 1;
|
|
uint64 min_length = 2 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"8\""
|
|
}
|
|
];
|
|
bool has_uppercase = 3 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the password MUST contain an upper case letter"
|
|
}
|
|
];
|
|
bool has_lowercase = 4 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the password MUST contain a lowercase letter"
|
|
}
|
|
];
|
|
bool has_number = 5 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the password MUST contain a number"
|
|
}
|
|
];
|
|
bool has_symbol = 6 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the password MUST contain a symbol. E.g. \"$\""
|
|
}
|
|
];
|
|
bool is_default = 7 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the organization's admin changed the policy"
|
|
}
|
|
];
|
|
}
|
|
|
|
message PasswordAgePolicy {
|
|
zitadel.v1.ObjectDetails details = 1;
|
|
uint64 max_age_days = 2 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "Maximum days since last password change"
|
|
example: "\"365\""
|
|
}
|
|
];
|
|
uint64 expire_warn_days = 3 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "Days before the password expiry the user gets notified to change the password"
|
|
example: "\"10\""
|
|
}
|
|
];
|
|
bool is_default = 4 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the organization's admin changed the policy"
|
|
}
|
|
];
|
|
}
|
|
|
|
message LockoutPolicy {
|
|
zitadel.v1.ObjectDetails details = 1;
|
|
uint64 max_password_attempts = 2 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "Maximum password check attempts before the account gets locked. Attempts are reset as soon as the password is entered correctly or the password is reset. If set to 0 the account will never be locked."
|
|
example: "\"10\""
|
|
}
|
|
];
|
|
bool is_default = 4 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "defines if the organization's admin changed the policy"
|
|
}
|
|
];
|
|
}
|
|
|
|
message PrivacyPolicy {
|
|
zitadel.v1.ObjectDetails details = 1;
|
|
string tos_link = 2 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"https://zitadel.com/docs/legal/terms-of-service\"";
|
|
}
|
|
];
|
|
string privacy_link = 3 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"https://zitadel.com/docs/legal/privacy-policy\"";
|
|
}
|
|
];
|
|
bool is_default = 4;
|
|
string help_link = 5 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"https://zitadel.com/docs/manuals/introduction\"";
|
|
}
|
|
];
|
|
string support_email = 6 [
|
|
(validate.rules).string = {ignore_empty: true, max_len: 320, email: true},
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
example: "\"support-email@test.com\"";
|
|
description: "help / support email address."
|
|
}
|
|
];
|
|
}
|
|
|
|
message NotificationPolicy {
|
|
zitadel.v1.ObjectDetails details = 1;
|
|
bool is_default = 2;
|
|
bool password_change = 3 [
|
|
(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
|
|
description: "If set to true the users will get a notification whenever their password has been changed.";
|
|
}
|
|
];
|
|
}
|