smartive · sprudel · Dec 5, 2025 · Dec 5, 2025 · Dec 5, 2025 · Dec 5, 2025
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,10 +18,7 @@ jobs:
       - uses: extractions/setup-just@v3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: arduino/setup-protoc@v1
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-      - run: cargo install protoc-gen-prost protoc-gen-prost-crate protoc-gen-tonic
+      - run: cargo install protoc-gen-prost-crate
       - name: generated grpc code
         run: just
       - name: Semantic Release

diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -20,10 +20,7 @@ jobs:
       - uses: extractions/setup-just@v3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: arduino/setup-protoc@v1
-        with:
-          repo-token: ${{ secrets.GITHUB_TOKEN }}
-      - run: cargo install protoc-gen-prost protoc-gen-prost-crate protoc-gen-tonic
+      - run: cargo install protoc-gen-prost-crate
       - name: generated grpc code
         run: just
       - run: cargo clippy --all-features --no-deps

diff --git a/README.md b/README.md
@@ -35,9 +35,6 @@ Required tooling:
 
 - [just](https://just.systems)
 - [buf](https://buf.build)
-- [protoc](https://grpc.io/docs/protoc-installation/)
-- `protoc-gen-prost`: `cargo install protoc-gen-prost`
-- `protoc-gen-tonic`: `cargo install protoc-gen-tonic`
 - `protoc-gen-prost-crate`: `cargo install protoc-gen-prost-crate`
 
 Installing the tools is also partially available via `just install-tools`.

diff --git a/buf.gen.yaml b/buf.gen.yaml
@@ -1,20 +1,20 @@
 # buf.gen.yaml
-version: v1
+version: v2
 managed:
   enabled: true
 plugins:
-  - plugin: prost
+  - remote: buf.build/community/neoeinstein-prost:v0.5.0
     out: crates/zitadel-gen/src/api/
     opt:
       - compile_well_known_types
       - extern_path=.google.protobuf=::pbjson_types
-  - plugin: tonic
+  - remote: buf.build/community/neoeinstein-tonic:v0.5.0
     out: crates/zitadel-gen/src/api/
     opt:
       - compile_well_known_types
       - extern_path=.google.protobuf=::pbjson_types
       - no_server
-  - name: prost-crate
+  - local: protoc-gen-prost-crate
     out: ./crates/zitadel-gen
     strategy: all
     opt:

diff --git a/crates/zitadel-gen/Cargo.toml b/crates/zitadel-gen/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "zitadel-gen"
-version = "2.69.1"
+version = "2.71.19"
 edition = "2021"
 
 
@@ -62,13 +62,9 @@ proto_full = ["zitadel-action-v1","zitadel-admin-v1","zitadel-app-v1","zitadel-a
 
 [dependencies]
 anyhow = "1.0"
-pbjson-types = { version = "0.7.0"}
-prost = { version = "0.13.1", default-features = false, features = ["std"] }
-prost-types = { version = "0.13.1", default-features = false }
+pbjson-types = { version = "0.8.0"}
+prost = { version = "0.14.1", default-features = false, features = ["std"] }
+prost-types = { version = "0.14.1", default-features = false }
 regex = { version = "1.5.5", default-features = false }
-tonic = "0.12.0"
-
-[build-dependencies]
-tonic-build = "0.12.0"
-prost-build = { version = "0.13.1", default-features = false }
-pbjson-build = "0.7.0"
+tonic = "0.14.2"
+tonic-prost = "0.14.2"
diff --git a/crates/zitadel-gen/src/lib.rs b/crates/zitadel-gen/src/lib.rs
@@ -1,8 +1,7 @@
-
 #[allow(clippy::all)]
 pub mod api;
 
 #[allow(clippy::all)]
 pub mod zitadel {
     pub use crate::api::zitadel::*;
-}
+}
diff --git a/crates/zitadel/Cargo.toml b/crates/zitadel/Cargo.toml
@@ -21,7 +21,7 @@ default = ["tls-roots"]
 ## Feature that enables support for the [actix framework](https://actix.rs/).
 actix = ["credentials", "oidc", "dep:actix-web"]
 
-api-common = ["dep:prost", "dep:prost-types", "dep:tonic", "dep:tonic-types", "dep:pbjson-types", "dep:zitadel-gen" ]
+api-common = ["dep:tonic", "dep:zitadel-gen"]
 
 ## The API feature enables all gRPC service clients to access the ZITADEL API.
 api = [
@@ -55,7 +55,7 @@ api-settings-v2 = ["api-common", "zitadel-gen/zitadel-settings-v2" ]
 api-user-v2 = ["api-common", "zitadel-gen/zitadel-user-v2" ]
 
 
-tls-roots = ["tonic/tls-roots"]
+tls-roots = ["tonic/tls-native-roots"]
 tls-webpki-roots = ["tonic/tls-webpki-roots"]
 
 
@@ -105,9 +105,6 @@ document-features = { version = "0.2.8", optional = true }
 jsonwebtoken = { version = "9.3.0", optional = true }
 moka = { version = "0.12.8", features = ["future"], optional = true }
 openidconnect = { version = "4.0.0", optional = true }
-pbjson-types = { version = "0.7.0", optional = true }
-prost = { version = "0.13.1", optional = true }
-prost-types = { version = "0.13.1", optional = true }
 reqwest = { version = "0.12.12", features = ["json", "rustls-tls"], default-features = false, optional = true }
 rocket = { version = "0.5.0", optional = true }
 serde = { version = "1.0.200", features = ["derive"], optional = true }
@@ -118,14 +115,13 @@ tokio = { version = "1.37.0", optional = true, features = [
   "macros",
   "rt-multi-thread",
 ] }
-tonic = { version = "0.12.1", features = [
-  "tls",
+tonic = { version = "0.14.2", features = [
+  "tls-ring",
 ], optional = true }
 rocket_okapi = { version = "0.9.0", optional = true, default-features = false }
 schemars = {version = "0.8.21", optional = true}
-tonic-types = { version = "0.12.1", optional = true }
 
-zitadel-gen = { path = "../zitadel-gen", version = "2.69",  optional = true }
+zitadel-gen = { path = "../zitadel-gen", version = "2.71",  optional = true }
 
 [dev-dependencies]
 chrono = "0.4.38"

diff --git a/crates/zitadel/src/api/clients.rs b/crates/zitadel/src/api/clients.rs
@@ -132,10 +132,10 @@ impl ClientBuilder<NoInterceptor> {
 impl<T> ClientBuilder<T>
 where
     T: BuildInterceptedService,
-    T::Target: tonic::client::GrpcService<tonic::body::BoxBody>,
-    <T::Target as tonic::client::GrpcService<tonic::body::BoxBody>>::ResponseBody:
+    T::Target: tonic::client::GrpcService<tonic::body::Body>,
+    <T::Target as tonic::client::GrpcService<tonic::body::Body>>::ResponseBody:
         Body<Data = Bytes> + Send + 'static,
-    <<T::Target as tonic::client::GrpcService<tonic::body::BoxBody>>::ResponseBody as Body>::Error:
+    <<T::Target as tonic::client::GrpcService<tonic::body::Body>>::ResponseBody as Body>::Error:
         Into<StdError> + Send,
 {
     /// Create a new [`AdminServiceClient`].
@@ -306,7 +306,6 @@ async fn get_channel(api_endpoint: &str) -> Result<Channel, ClientError> {
         .map_err(|_| ClientError::ConnectionError)
 }
 
-
 #[cfg(test)]
 mod tests {
     use super::*;

diff --git a/crates/zitadel/src/api/mod.rs b/crates/zitadel/src/api/mod.rs
@@ -5,7 +5,6 @@
 //! Further contains interceptors that may be used to
 //! authenticate the clients to ZITADEL with credentials.
 
-
 pub mod clients;
 #[allow(clippy::all)]
 #[cfg(feature = "api")]

diff --git a/crates/zitadel/src/credentials/service_account.rs b/crates/zitadel/src/credentials/service_account.rs
@@ -237,7 +237,9 @@ impl ServiceAccount {
     ) -> Result<String, ServiceAccountError> {
         let issuer = IssuerUrl::new(audience.to_string())
             .map_err(|e| ServiceAccountError::AudienceUrl { source: e })?;
-        let async_http_client = reqwest::ClientBuilder::new().redirect(reqwest::redirect::Policy::none()).build()?;
+        let async_http_client = reqwest::ClientBuilder::new()
+            .redirect(reqwest::redirect::Policy::none())
+            .build()?;
         let metadata = CoreProviderMetadata::discover_async(issuer, &async_http_client)
             .await
             .map_err(|e| ServiceAccountError::DiscoveryError {
@@ -271,7 +273,12 @@ impl ServiceAccount {
         // })
         // .await
         // .map_err(|e| ServiceAccountError::HttpError { source: e })?;
-        let response = async_http_client.post(url).headers(headers).body(body).send().await?;
+        let response = async_http_client
+            .post(url)
+            .headers(headers)
+            .body(body)
+            .send()
+            .await?;
 
         serde_json::from_slice(response.bytes().await?.to_vec().as_slice())
             .map_err(|e| ServiceAccountError::Json { source: e })

diff --git a/crates/zitadel/src/oidc/discovery.rs b/crates/zitadel/src/oidc/discovery.rs
@@ -2,9 +2,8 @@ use custom_error::custom_error;
 use openidconnect::{
     core::{
         CoreAuthDisplay, CoreClaimName, CoreClaimType, CoreClientAuthMethod, CoreGrantType,
-        CoreJsonWebKey, CoreJweContentEncryptionAlgorithm,
-        CoreJweKeyManagementAlgorithm, CoreResponseMode, CoreResponseType,
-        CoreSubjectIdentifierType,
+        CoreJsonWebKey, CoreJweContentEncryptionAlgorithm, CoreJweKeyManagementAlgorithm,
+        CoreResponseMode, CoreResponseType, CoreSubjectIdentifierType,
     },
     url, AdditionalProviderMetadata, IntrospectionUrl, IssuerUrl, ProviderMetadata, RevocationUrl,
 };
@@ -50,7 +49,9 @@ custom_error! {
 pub async fn discover(authority: &str) -> Result<ZitadelProviderMetadata, DiscoveryError> {
     let issuer = IssuerUrl::new(authority.to_string())
         .map_err(|source| DiscoveryError::IssuerUrl { source })?;
-    let async_http_client = reqwest::ClientBuilder::new().redirect(reqwest::redirect::Policy::none()).build()?;
+    let async_http_client = reqwest::ClientBuilder::new()
+        .redirect(reqwest::redirect::Policy::none())
+        .build()?;
     ZitadelProviderMetadata::discover_async(issuer, &async_http_client)
         .await
         .map_err(|_| DiscoveryError::DiscoveryDocument)