feat: app handling compliance (#527)

* feat: check oidc compliance * fix: add tests * fix: add oidc config tests * fix: add oidc config tests user agent * fix: test oidc config compliance * fix: test oidc config compliance * fix: useragent implicit authmethod none * fix: merge master * feat: translate compliance problems * feat: check native app for custom url * fix: better compliance handling * fix: better compliance handling * feat: add odidc dev mode * fix: remove deprecated request fro management api * fix: oidc package version * fix: migration * fix: tests * fix: remove unused functions * fix: generate proto files * fix: native implicit and code none compliant * fix: create project * Update internal/project/model/oidc_config_test.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/project/model/oidc_config.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: tests Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-02-25 18:55:27 -06:00 · 2020-08-10 09:34:56 +02:00
parent 64f0b191b5
commit 5699fe80d5
27 changed files with 15925 additions and 16502 deletions
--- a/pkg/grpc/management/application.go
+++ b/pkg/grpc/management/application.go
@@ -0,0 +1,24 @@
+package management
+
+import (
+	"github.com/caos/zitadel/internal/api/grpc/server/middleware"
+)
+
+func (a *ApplicationView) Localizers() []middleware.Localizer {
+	if a == nil {
+		return nil
+	}
+
+	switch configType := a.AppConfig.(type) {
+	case *ApplicationView_OidcConfig:
+		if !configType.OidcConfig.NoneCompliant {
+			return nil
+		}
+		localizers := make([]middleware.Localizer, len(configType.OidcConfig.ComplianceProblems))
+		for i, problem := range configType.OidcConfig.ComplianceProblems {
+			localizers[i] = problem
+		}
+		return localizers
+	}
+	return nil
+}
--- a/pkg/grpc/management/management.pb.authoptions.go
+++ b/pkg/grpc/management/management.pb.authoptions.go
@@ -553,64 +553,4 @@ var ManagementService_AuthMethods = authz.MethodMapping{
 		Permission: "user.grant.delete",
 		CheckParam: "",
 	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectUserGrants": authz.Option{
-		Permission: "project.user.grant.read",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/ProjectUserGrantByID": authz.Option{
-		Permission: "project.user.grant.read",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/CreateProjectUserGrant": authz.Option{
-		Permission: "project.user.grant.write",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/UpdateProjectUserGrant": authz.Option{
-		Permission: "project.user.grant.write",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/DeactivateProjectUserGrant": authz.Option{
-		Permission: "project.user.grant.write",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/ReactivateProjectUserGrant": authz.Option{
-		Permission: "project.user.grant.write",
-		CheckParam: "ProjectId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/SearchProjectGrantUserGrants": authz.Option{
-		Permission: "project.grant.user.grant.read",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/ProjectGrantUserGrantByID": authz.Option{
-		Permission: "project.grant.user.grant.read",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/CreateProjectGrantUserGrant": authz.Option{
-		Permission: "project.grant.user.grant.write",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/UpdateProjectGrantUserGrant": authz.Option{
-		Permission: "project.grant.user.grant.write",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/DeactivateProjectGrantUserGrant": authz.Option{
-		Permission: "project.grant.user.grant.write",
-		CheckParam: "ProjectGrantId",
-	},
-
-	"/caos.zitadel.management.api.v1.ManagementService/ReactivateProjectGrantUserGrant": authz.Option{
-		Permission: "project.grant.user.grant.write",
-		CheckParam: "ProjectGrantId",
-	},
 }
--- a/pkg/grpc/management/management.pb.go
+++ b/pkg/grpc/management/management.pb.go
--- a/pkg/grpc/management/management.pb.gw.go
+++ b/pkg/grpc/management/management.pb.gw.go
--- a/pkg/grpc/management/mock/management.proto.mock.go
+++ b/pkg/grpc/management/mock/management.proto.mock.go
@@ -477,46 +477,6 @@ func (mr *MockManagementServiceClientMockRecorder) CreateProjectGrant(arg0, arg1
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectGrant), varargs...)
 }

-// CreateProjectGrantUserGrant mocks base method
-func (m *MockManagementServiceClient) CreateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "CreateProjectGrantUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// CreateProjectGrantUserGrant indicates an expected call of CreateProjectGrantUserGrant
-func (mr *MockManagementServiceClientMockRecorder) CreateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectGrantUserGrant), varargs...)
-}
-
-// CreateProjectUserGrant mocks base method
-func (m *MockManagementServiceClient) CreateProjectUserGrant(arg0 context.Context, arg1 *management.UserGrantCreate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "CreateProjectUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// CreateProjectUserGrant indicates an expected call of CreateProjectUserGrant
-func (mr *MockManagementServiceClientMockRecorder) CreateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "CreateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).CreateProjectUserGrant), varargs...)
-}
-
 // CreateUser mocks base method
 func (m *MockManagementServiceClient) CreateUser(arg0 context.Context, arg1 *management.CreateUserRequest, arg2 ...grpc.CallOption) (*management.User, error) {
 	m.ctrl.T.Helper()
@@ -637,46 +597,6 @@ func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectGrant(arg0,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectGrant), varargs...)
 }

-// DeactivateProjectGrantUserGrant mocks base method
-func (m *MockManagementServiceClient) DeactivateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "DeactivateProjectGrantUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DeactivateProjectGrantUserGrant indicates an expected call of DeactivateProjectGrantUserGrant
-func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectGrantUserGrant), varargs...)
-}
-
-// DeactivateProjectUserGrant mocks base method
-func (m *MockManagementServiceClient) DeactivateProjectUserGrant(arg0 context.Context, arg1 *management.ProjectUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "DeactivateProjectUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// DeactivateProjectUserGrant indicates an expected call of DeactivateProjectUserGrant
-func (mr *MockManagementServiceClientMockRecorder) DeactivateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "DeactivateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).DeactivateProjectUserGrant), varargs...)
-}
-
 // DeactivateUser mocks base method
 func (m *MockManagementServiceClient) DeactivateUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.User, error) {
 	m.ctrl.T.Helper()
@@ -1357,46 +1277,6 @@ func (mr *MockManagementServiceClientMockRecorder) ProjectGrantByID(arg0, arg1 i
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectGrantByID), varargs...)
 }

-// ProjectGrantUserGrantByID mocks base method
-func (m *MockManagementServiceClient) ProjectGrantUserGrantByID(arg0 context.Context, arg1 *management.ProjectGrantUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrantView, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ProjectGrantUserGrantByID", varargs...)
-	ret0, _ := ret[0].(*management.UserGrantView)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ProjectGrantUserGrantByID indicates an expected call of ProjectGrantUserGrantByID
-func (mr *MockManagementServiceClientMockRecorder) ProjectGrantUserGrantByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectGrantUserGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectGrantUserGrantByID), varargs...)
-}
-
-// ProjectUserGrantByID mocks base method
-func (m *MockManagementServiceClient) ProjectUserGrantByID(arg0 context.Context, arg1 *management.ProjectUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrantView, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ProjectUserGrantByID", varargs...)
-	ret0, _ := ret[0].(*management.UserGrantView)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ProjectUserGrantByID indicates an expected call of ProjectUserGrantByID
-func (mr *MockManagementServiceClientMockRecorder) ProjectUserGrantByID(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ProjectUserGrantByID", reflect.TypeOf((*MockManagementServiceClient)(nil).ProjectUserGrantByID), varargs...)
-}
-
 // ReactivateApplication mocks base method
 func (m *MockManagementServiceClient) ReactivateApplication(arg0 context.Context, arg1 *management.ApplicationID, arg2 ...grpc.CallOption) (*management.Application, error) {
 	m.ctrl.T.Helper()
@@ -1477,46 +1357,6 @@ func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectGrant(arg0,
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectGrant), varargs...)
 }

-// ReactivateProjectGrantUserGrant mocks base method
-func (m *MockManagementServiceClient) ReactivateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ReactivateProjectGrantUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReactivateProjectGrantUserGrant indicates an expected call of ReactivateProjectGrantUserGrant
-func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectGrantUserGrant), varargs...)
-}
-
-// ReactivateProjectUserGrant mocks base method
-func (m *MockManagementServiceClient) ReactivateProjectUserGrant(arg0 context.Context, arg1 *management.ProjectUserGrantID, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "ReactivateProjectUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// ReactivateProjectUserGrant indicates an expected call of ReactivateProjectUserGrant
-func (mr *MockManagementServiceClientMockRecorder) ReactivateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ReactivateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).ReactivateProjectUserGrant), varargs...)
-}
-
 // ReactivateUser mocks base method
 func (m *MockManagementServiceClient) ReactivateUser(arg0 context.Context, arg1 *management.UserID, arg2 ...grpc.CallOption) (*management.User, error) {
 	m.ctrl.T.Helper()
@@ -1937,26 +1777,6 @@ func (mr *MockManagementServiceClientMockRecorder) SearchProjectGrantMembers(arg
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectGrantMembers", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectGrantMembers), varargs...)
 }

-// SearchProjectGrantUserGrants mocks base method
-func (m *MockManagementServiceClient) SearchProjectGrantUserGrants(arg0 context.Context, arg1 *management.ProjectGrantUserGrantSearchRequest, arg2 ...grpc.CallOption) (*management.UserGrantSearchResponse, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "SearchProjectGrantUserGrants", varargs...)
-	ret0, _ := ret[0].(*management.UserGrantSearchResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// SearchProjectGrantUserGrants indicates an expected call of SearchProjectGrantUserGrants
-func (mr *MockManagementServiceClientMockRecorder) SearchProjectGrantUserGrants(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectGrantUserGrants", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectGrantUserGrants), varargs...)
-}
-
 // SearchProjectGrants mocks base method
 func (m *MockManagementServiceClient) SearchProjectGrants(arg0 context.Context, arg1 *management.ProjectGrantSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectGrantSearchResponse, error) {
 	m.ctrl.T.Helper()
@@ -2017,26 +1837,6 @@ func (mr *MockManagementServiceClientMockRecorder) SearchProjectRoles(arg0, arg1
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectRoles", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectRoles), varargs...)
 }

-// SearchProjectUserGrants mocks base method
-func (m *MockManagementServiceClient) SearchProjectUserGrants(arg0 context.Context, arg1 *management.ProjectUserGrantSearchRequest, arg2 ...grpc.CallOption) (*management.UserGrantSearchResponse, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "SearchProjectUserGrants", varargs...)
-	ret0, _ := ret[0].(*management.UserGrantSearchResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// SearchProjectUserGrants indicates an expected call of SearchProjectUserGrants
-func (mr *MockManagementServiceClientMockRecorder) SearchProjectUserGrants(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SearchProjectUserGrants", reflect.TypeOf((*MockManagementServiceClient)(nil).SearchProjectUserGrants), varargs...)
-}
-
 // SearchProjects mocks base method
 func (m *MockManagementServiceClient) SearchProjects(arg0 context.Context, arg1 *management.ProjectSearchRequest, arg2 ...grpc.CallOption) (*management.ProjectSearchResponse, error) {
 	m.ctrl.T.Helper()
@@ -2337,46 +2137,6 @@ func (mr *MockManagementServiceClientMockRecorder) UpdateProjectGrant(arg0, arg1
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectGrant), varargs...)
 }

-// UpdateProjectGrantUserGrant mocks base method
-func (m *MockManagementServiceClient) UpdateProjectGrantUserGrant(arg0 context.Context, arg1 *management.ProjectGrantUserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "UpdateProjectGrantUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// UpdateProjectGrantUserGrant indicates an expected call of UpdateProjectGrantUserGrant
-func (mr *MockManagementServiceClientMockRecorder) UpdateProjectGrantUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectGrantUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectGrantUserGrant), varargs...)
-}
-
-// UpdateProjectUserGrant mocks base method
-func (m *MockManagementServiceClient) UpdateProjectUserGrant(arg0 context.Context, arg1 *management.ProjectUserGrantUpdate, arg2 ...grpc.CallOption) (*management.UserGrant, error) {
-	m.ctrl.T.Helper()
-	varargs := []interface{}{arg0, arg1}
-	for _, a := range arg2 {
-		varargs = append(varargs, a)
-	}
-	ret := m.ctrl.Call(m, "UpdateProjectUserGrant", varargs...)
-	ret0, _ := ret[0].(*management.UserGrant)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// UpdateProjectUserGrant indicates an expected call of UpdateProjectUserGrant
-func (mr *MockManagementServiceClientMockRecorder) UpdateProjectUserGrant(arg0, arg1 interface{}, arg2 ...interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	varargs := append([]interface{}{arg0, arg1}, arg2...)
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UpdateProjectUserGrant", reflect.TypeOf((*MockManagementServiceClient)(nil).UpdateProjectUserGrant), varargs...)
-}
-
 // UpdateUserAddress mocks base method
 func (m *MockManagementServiceClient) UpdateUserAddress(arg0 context.Context, arg1 *management.UpdateUserAddressRequest, arg2 ...grpc.CallOption) (*management.UserAddress, error) {
 	m.ctrl.T.Helper()
--- a/pkg/grpc/management/proto/management.proto
+++ b/pkg/grpc/management/proto/management.proto
@@ -1247,184 +1247,6 @@ service ManagementService {
            permission: "user.grant.delete"
        };
    }
-
-    // search user grants based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc SearchProjectUserGrants(ProjectUserGrantSearchRequest) returns (UserGrantSearchResponse) {
-        option deprecated = true;
-        option (google.api.http) = {
-            post: "/projects/{project_id}/users/grants/_search"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.read"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // get user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc ProjectUserGrantByID(ProjectUserGrantID) returns (UserGrantView) {
-        option deprecated = true;
-        option (google.api.http) = {
-            get: "/projects/{project_id}/users/{user_id}/grants/{id}"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.read"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // create user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc CreateProjectUserGrant(UserGrantCreate) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            post: "/projects/{project_id}/users/{user_id}/grants"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.write"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // update user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc UpdateProjectUserGrant(ProjectUserGrantUpdate) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projects/{project_id}/users/{user_id}/grants/{id}"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.write"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // deactivate user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc DeactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projects/{project_id}/users/{user_id}/grants/{id}/_deactivate"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.write"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // reactivate user grant based on a project
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc ReactivateProjectUserGrant(ProjectUserGrantID) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projects/{project_id}/users/{user_id}/grants/{id}/_reactivate"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.user.grant.write"
-            check_field_name: "ProjectId"
-        };
-    }
-
-    // search user grants based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc SearchProjectGrantUserGrants(ProjectGrantUserGrantSearchRequest) returns (UserGrantSearchResponse) {
-        option deprecated = true;
-        option (google.api.http) = {
-            post: "/projectgrants/{project_grant_id}/users/grants/_search"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.read"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // get user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc ProjectGrantUserGrantByID(ProjectGrantUserGrantID) returns (UserGrantView) {
-        option deprecated = true;
-        option (google.api.http) = {
-            get: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.read"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // create user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc CreateProjectGrantUserGrant(ProjectGrantUserGrantCreate) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            post: "/projectgrants/{project_grant_id}/users/{user_id}/grants"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.write"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // update user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc UpdateProjectGrantUserGrant(ProjectGrantUserGrantUpdate) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.write"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // deactivate user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc DeactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_deactivate"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.write"
-            check_field_name: "ProjectGrantId"
-        };
-    }
-
-    // reactivate user grant based on a projectgrant
-    // This request is required that the user authorizations of zitadel can be differentiated
-    rpc ReactivateProjectGrantUserGrant(ProjectGrantUserGrantID) returns (UserGrant) {
-        option deprecated = true;
-        option (google.api.http) = {
-            put: "/projectgrants/{project_grant_id}/users/{user_id}/grants/{id}/_reactivate"
-            body: "*"
-        };
-
-        option (caos.zitadel.utils.v1.auth_option) = {
-            permission: "project.grant.user.grant.write"
-            check_field_name: "ProjectGrantId"
-        };
-    }
 }

 message ZitadelDocs {
@@ -2335,6 +2157,10 @@ message OIDCConfig {
    string client_secret = 6;
    OIDCAuthMethodType auth_method_type = 7;
    repeated string post_logout_redirect_uris = 8;
+    OIDCVersion version = 9;
+    bool none_compliant = 10;
+    repeated caos.zitadel.api.v1.LocalizedMessage compliance_problems = 11;
+    bool dev_mode = 12;
 }

 message OIDCApplicationCreate {
@@ -2346,6 +2172,12 @@ message OIDCApplicationCreate {
    OIDCApplicationType application_type = 6;
    OIDCAuthMethodType auth_method_type = 7;
    repeated string post_logout_redirect_uris = 8;
+    OIDCVersion version = 9;
+    bool dev_mode = 10;
+}
+
+enum OIDCVersion {
+    OIDCV1_0 = 0;
 }

 message OIDCConfigUpdate {
@@ -2357,6 +2189,7 @@ message OIDCConfigUpdate {
    OIDCApplicationType application_type = 6;
    OIDCAuthMethodType auth_method_type = 7;
    repeated string post_logout_redirect_uris = 8;
+    bool dev_mode = 9;
 }

 enum OIDCResponseType {
@@ -2630,39 +2463,6 @@ message UserGrantID {
    string id = 2;
 }

-message ProjectUserGrantID {
-    string project_id = 1;
-    string user_id = 2;
-    string id = 3;
-}
-
-message ProjectUserGrantUpdate {
-    string project_id = 1;
-    string user_id = 2;
-    string id = 3;
-    repeated string role_keys = 4;
-}
-
-message ProjectGrantUserGrantID {
-    string project_grant_id = 1;
-    string user_id = 2;
-    string id = 3;
-}
-
-message ProjectGrantUserGrantCreate {
-    string user_id = 1;
-    string project_grant_id = 2;
-    string project_id = 3 [(validate.rules).string.min_len = 1];
-    repeated string role_keys = 4;
-}
-
-message ProjectGrantUserGrantUpdate {
-    string project_grant_id = 1;
-    string user_id = 2;
-    string id = 3;
-    repeated string role_keys = 4;
-}
-
 enum UserGrantState {
    USERGRANTSTATE_UNSPECIFIED = 0;
    USERGRANTSTATE_ACTIVE = 1;
--- a/pkg/grpc/message/message.go
+++ b/pkg/grpc/message/message.go
@@ -11,3 +11,7 @@ func (m *LocalizedMessage) SetLocalizedMessage(message string) {
 func NewLocalizedEventType(key string) *LocalizedMessage {
 	return &LocalizedMessage{Key: "EventTypes." + key}
 }
+
+func NewLocalizedMessage(key string) *LocalizedMessage {
+	return &LocalizedMessage{Key: key}
+}