Implement Clerk as authentication backend (OAuth2).

2025-06-05 01:10:45 +00:00 · 2023-12-19 13:49:16 +00:00 · 2023-12-19 13:49:16 +00:00 · 9198d7d51b
commit 9198d7d51b
parent f45d12519c
30 changed files with 4430 additions and 1125 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -823,6 +823,7 @@ dependencies = [
 "lazy_static",
 "lrwn",
 "mime_guess",
 "oauth2",
 "openidconnect",
 "pbjson-types",
 "pbkdf2",
--- a/api/csharp/Chirpstack/api/Internal.cs
+++ b/api/csharp/Chirpstack/api/Internal.cs
--- a/api/csharp/Chirpstack/api/InternalGrpc.cs
+++ b/api/csharp/Chirpstack/api/InternalGrpc.cs
@ -77,6 +77,10 @@ namespace Chirpstack.Api {
    [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
    static readonly grpc::Marshaller<global::Chirpstack.Api.OpenIdConnectLoginResponse> __Marshaller_api_OpenIdConnectLoginResponse = grpc::Marshallers.Create(__Helper_SerializeMessage, context => __Helper_DeserializeMessage(context, global::Chirpstack.Api.OpenIdConnectLoginResponse.Parser));
    [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
    static readonly grpc::Marshaller<global::Chirpstack.Api.OAuth2LoginRequest> __Marshaller_api_OAuth2LoginRequest = grpc::Marshallers.Create(__Helper_SerializeMessage, context => __Helper_DeserializeMessage(context, global::Chirpstack.Api.OAuth2LoginRequest.Parser));
    [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
    static readonly grpc::Marshaller<global::Chirpstack.Api.OAuth2LoginResponse> __Marshaller_api_OAuth2LoginResponse = grpc::Marshallers.Create(__Helper_SerializeMessage, context => __Helper_DeserializeMessage(context, global::Chirpstack.Api.OAuth2LoginResponse.Parser));
    [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
    static readonly grpc::Marshaller<global::Chirpstack.Api.GetDevicesSummaryRequest> __Marshaller_api_GetDevicesSummaryRequest = grpc::Marshallers.Create(__Helper_SerializeMessage, context => __Helper_DeserializeMessage(context, global::Chirpstack.Api.GetDevicesSummaryRequest.Parser));
    [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
    static readonly grpc::Marshaller<global::Chirpstack.Api.GetDevicesSummaryResponse> __Marshaller_api_GetDevicesSummaryResponse = grpc::Marshallers.Create(__Helper_SerializeMessage, context => __Helper_DeserializeMessage(context, global::Chirpstack.Api.GetDevicesSummaryResponse.Parser));
@ -163,6 +167,14 @@ namespace Chirpstack.Api {
        __Marshaller_api_OpenIdConnectLoginRequest,
        __Marshaller_api_OpenIdConnectLoginResponse);
    [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
    static readonly grpc::Method<global::Chirpstack.Api.OAuth2LoginRequest, global::Chirpstack.Api.OAuth2LoginResponse> __Method_OAuth2Login = new grpc::Method<global::Chirpstack.Api.OAuth2LoginRequest, global::Chirpstack.Api.OAuth2LoginResponse>(
        grpc::MethodType.Unary,
        __ServiceName,
        "OAuth2Login",
        __Marshaller_api_OAuth2LoginRequest,
        __Marshaller_api_OAuth2LoginResponse);
    [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
    static readonly grpc::Method<global::Chirpstack.Api.GetDevicesSummaryRequest, global::Chirpstack.Api.GetDevicesSummaryResponse> __Method_GetDevicesSummary = new grpc::Method<global::Chirpstack.Api.GetDevicesSummaryRequest, global::Chirpstack.Api.GetDevicesSummaryResponse>(
        grpc::MethodType.Unary,
@ -325,6 +337,18 @@ namespace Chirpstack.Api {
        throw new grpc::RpcException(new grpc::Status(grpc::StatusCode.Unimplemented, ""));
      }
      /// <summary>
      /// OAuth2 login.
      /// </summary>
      /// <param name="request">The request received from the client.</param>
      /// <param name="context">The context of the server-side call handler being invoked.</param>
      /// <returns>The response to send back to the client (wrapped by a task).</returns>
      [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
      public virtual global::System.Threading.Tasks.Task<global::Chirpstack.Api.OAuth2LoginResponse> OAuth2Login(global::Chirpstack.Api.OAuth2LoginRequest request, grpc::ServerCallContext context)
      {
        throw new grpc::RpcException(new grpc::Status(grpc::StatusCode.Unimplemented, ""));
      }
      /// <summary>
      /// GetDevicesSummary returns an aggregated summary of the devices.
      /// </summary>
@ -826,6 +850,54 @@ namespace Chirpstack.Api {
        return CallInvoker.AsyncUnaryCall(__Method_OpenIdConnectLogin, null, options, request);
      }
      /// <summary>
      /// OAuth2 login.
      /// </summary>
      /// <param name="request">The request to send to the server.</param>
      /// <param name="headers">The initial metadata to send with the call. This parameter is optional.</param>
      /// <param name="deadline">An optional deadline for the call. The call will be cancelled if deadline is hit.</param>
      /// <param name="cancellationToken">An optional token for canceling the call.</param>
      /// <returns>The response received from the server.</returns>
      [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
      public virtual global::Chirpstack.Api.OAuth2LoginResponse OAuth2Login(global::Chirpstack.Api.OAuth2LoginRequest request, grpc::Metadata headers = null, global::System.DateTime? deadline = null, global::System.Threading.CancellationToken cancellationToken = default(global::System.Threading.CancellationToken))
      {
        return OAuth2Login(request, new grpc::CallOptions(headers, deadline, cancellationToken));
      }
      /// <summary>
      /// OAuth2 login.
      /// </summary>
      /// <param name="request">The request to send to the server.</param>
      /// <param name="options">The options for the call.</param>
      /// <returns>The response received from the server.</returns>
      [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
      public virtual global::Chirpstack.Api.OAuth2LoginResponse OAuth2Login(global::Chirpstack.Api.OAuth2LoginRequest request, grpc::CallOptions options)
      {
        return CallInvoker.BlockingUnaryCall(__Method_OAuth2Login, null, options, request);
      }
      /// <summary>
      /// OAuth2 login.
      /// </summary>
      /// <param name="request">The request to send to the server.</param>
      /// <param name="headers">The initial metadata to send with the call. This parameter is optional.</param>
      /// <param name="deadline">An optional deadline for the call. The call will be cancelled if deadline is hit.</param>
      /// <param name="cancellationToken">An optional token for canceling the call.</param>
      /// <returns>The call object.</returns>
      [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
      public virtual grpc::AsyncUnaryCall<global::Chirpstack.Api.OAuth2LoginResponse> OAuth2LoginAsync(global::Chirpstack.Api.OAuth2LoginRequest request, grpc::Metadata headers = null, global::System.DateTime? deadline = null, global::System.Threading.CancellationToken cancellationToken = default(global::System.Threading.CancellationToken))
      {
        return OAuth2LoginAsync(request, new grpc::CallOptions(headers, deadline, cancellationToken));
      }
      /// <summary>
      /// OAuth2 login.
      /// </summary>
      /// <param name="request">The request to send to the server.</param>
      /// <param name="options">The options for the call.</param>
      /// <returns>The call object.</returns>
      [global::System.CodeDom.Compiler.GeneratedCode("grpc_csharp_plugin", null)]
      public virtual grpc::AsyncUnaryCall<global::Chirpstack.Api.OAuth2LoginResponse> OAuth2LoginAsync(global::Chirpstack.Api.OAuth2LoginRequest request, grpc::CallOptions options)
      {
        return CallInvoker.AsyncUnaryCall(__Method_OAuth2Login, null, options, request);
      }
      /// <summary>
      /// GetDevicesSummary returns an aggregated summary of the devices.
      /// </summary>
      /// <param name="request">The request to send to the server.</param>
@ -1111,6 +1183,7 @@ namespace Chirpstack.Api {
          .AddMethod(__Method_ListApiKeys, serviceImpl.ListApiKeys)
          .AddMethod(__Method_Settings, serviceImpl.Settings)
          .AddMethod(__Method_OpenIdConnectLogin, serviceImpl.OpenIdConnectLogin)
          .AddMethod(__Method_OAuth2Login, serviceImpl.OAuth2Login)
          .AddMethod(__Method_GetDevicesSummary, serviceImpl.GetDevicesSummary)
          .AddMethod(__Method_GetGatewaysSummary, serviceImpl.GetGatewaysSummary)
          .AddMethod(__Method_StreamGatewayFrames, serviceImpl.StreamGatewayFrames)
@ -1135,6 +1208,7 @@ namespace Chirpstack.Api {
      serviceBinder.AddMethod(__Method_ListApiKeys, serviceImpl == null ? null : new grpc::UnaryServerMethod<global::Chirpstack.Api.ListApiKeysRequest, global::Chirpstack.Api.ListApiKeysResponse>(serviceImpl.ListApiKeys));
      serviceBinder.AddMethod(__Method_Settings, serviceImpl == null ? null : new grpc::UnaryServerMethod<global::Google.Protobuf.WellKnownTypes.Empty, global::Chirpstack.Api.SettingsResponse>(serviceImpl.Settings));
      serviceBinder.AddMethod(__Method_OpenIdConnectLogin, serviceImpl == null ? null : new grpc::UnaryServerMethod<global::Chirpstack.Api.OpenIdConnectLoginRequest, global::Chirpstack.Api.OpenIdConnectLoginResponse>(serviceImpl.OpenIdConnectLogin));
      serviceBinder.AddMethod(__Method_OAuth2Login, serviceImpl == null ? null : new grpc::UnaryServerMethod<global::Chirpstack.Api.OAuth2LoginRequest, global::Chirpstack.Api.OAuth2LoginResponse>(serviceImpl.OAuth2Login));
      serviceBinder.AddMethod(__Method_GetDevicesSummary, serviceImpl == null ? null : new grpc::UnaryServerMethod<global::Chirpstack.Api.GetDevicesSummaryRequest, global::Chirpstack.Api.GetDevicesSummaryResponse>(serviceImpl.GetDevicesSummary));
      serviceBinder.AddMethod(__Method_GetGatewaysSummary, serviceImpl == null ? null : new grpc::UnaryServerMethod<global::Chirpstack.Api.GetGatewaysSummaryRequest, global::Chirpstack.Api.GetGatewaysSummaryResponse>(serviceImpl.GetGatewaysSummary));
      serviceBinder.AddMethod(__Method_StreamGatewayFrames, serviceImpl == null ? null : new grpc::ServerStreamingServerMethod<global::Chirpstack.Api.StreamGatewayFramesRequest, global::Chirpstack.Api.LogItem>(serviceImpl.StreamGatewayFrames));
--- a/api/go/api/internal.pb.go
+++ b/api/go/api/internal.pb.go
--- a/api/go/api/internal_grpc.pb.go
+++ b/api/go/api/internal_grpc.pb.go
@ -28,6 +28,7 @@ const (
 	InternalService_ListApiKeys_FullMethodName         = "/api.InternalService/ListApiKeys"
 	InternalService_Settings_FullMethodName            = "/api.InternalService/Settings"
 	InternalService_OpenIdConnectLogin_FullMethodName  = "/api.InternalService/OpenIdConnectLogin"
 	InternalService_OAuth2Login_FullMethodName         = "/api.InternalService/OAuth2Login"
 	InternalService_GetDevicesSummary_FullMethodName   = "/api.InternalService/GetDevicesSummary"
 	InternalService_GetGatewaysSummary_FullMethodName  = "/api.InternalService/GetGatewaysSummary"
 	InternalService_StreamGatewayFrames_FullMethodName = "/api.InternalService/StreamGatewayFrames"
@ -57,6 +58,8 @@ type InternalServiceClient interface {
 	Settings(ctx context.Context, in *emptypb.Empty, opts ...grpc.CallOption) (*SettingsResponse, error)
 	// OpenId Connect login.
 	OpenIdConnectLogin(ctx context.Context, in *OpenIdConnectLoginRequest, opts ...grpc.CallOption) (*OpenIdConnectLoginResponse, error)
 	// OAuth2 login.
 	OAuth2Login(ctx context.Context, in *OAuth2LoginRequest, opts ...grpc.CallOption) (*OAuth2LoginResponse, error)
 	// GetDevicesSummary returns an aggregated summary of the devices.
 	GetDevicesSummary(ctx context.Context, in *GetDevicesSummaryRequest, opts ...grpc.CallOption) (*GetDevicesSummaryResponse, error)
 	// GetGatewaysSummary returns an aggregated summary of the gateways.
@ -153,6 +156,15 @@ func (c *internalServiceClient) OpenIdConnectLogin(ctx context.Context, in *Open
 	return out, nil
 }
 func (c *internalServiceClient) OAuth2Login(ctx context.Context, in *OAuth2LoginRequest, opts ...grpc.CallOption) (*OAuth2LoginResponse, error) {
 	out := new(OAuth2LoginResponse)
 	err := c.cc.Invoke(ctx, InternalService_OAuth2Login_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 func (c *internalServiceClient) GetDevicesSummary(ctx context.Context, in *GetDevicesSummaryRequest, opts ...grpc.CallOption) (*GetDevicesSummaryResponse, error) {
 	out := new(GetDevicesSummaryResponse)
 	err := c.cc.Invoke(ctx, InternalService_GetDevicesSummary_FullMethodName, in, out, opts...)
@ -305,6 +317,8 @@ type InternalServiceServer interface {
 	Settings(context.Context, *emptypb.Empty) (*SettingsResponse, error)
 	// OpenId Connect login.
 	OpenIdConnectLogin(context.Context, *OpenIdConnectLoginRequest) (*OpenIdConnectLoginResponse, error)
 	// OAuth2 login.
 	OAuth2Login(context.Context, *OAuth2LoginRequest) (*OAuth2LoginResponse, error)
 	// GetDevicesSummary returns an aggregated summary of the devices.
 	GetDevicesSummary(context.Context, *GetDevicesSummaryRequest) (*GetDevicesSummaryResponse, error)
 	// GetGatewaysSummary returns an aggregated summary of the gateways.
@ -350,6 +364,9 @@ func (UnimplementedInternalServiceServer) Settings(context.Context, *emptypb.Emp
 func (UnimplementedInternalServiceServer) OpenIdConnectLogin(context.Context, *OpenIdConnectLoginRequest) (*OpenIdConnectLoginResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method OpenIdConnectLogin not implemented")
 }
 func (UnimplementedInternalServiceServer) OAuth2Login(context.Context, *OAuth2LoginRequest) (*OAuth2LoginResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method OAuth2Login not implemented")
 }
 func (UnimplementedInternalServiceServer) GetDevicesSummary(context.Context, *GetDevicesSummaryRequest) (*GetDevicesSummaryResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetDevicesSummary not implemented")
 }
@ -528,6 +545,24 @@ func _InternalService_OpenIdConnectLogin_Handler(srv interface{}, ctx context.Co
 	return interceptor(ctx, in, info, handler)
 }
 func _InternalService_OAuth2Login_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(OAuth2LoginRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(InternalServiceServer).OAuth2Login(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: InternalService_OAuth2Login_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(InternalServiceServer).OAuth2Login(ctx, req.(*OAuth2LoginRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 func _InternalService_GetDevicesSummary_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(GetDevicesSummaryRequest)
 	if err := dec(in); err != nil {
@ -702,6 +737,10 @@ var InternalService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "OpenIdConnectLogin",
 			Handler:    _InternalService_OpenIdConnectLogin_Handler,
 		},
 		{
 			MethodName: "OAuth2Login",
 			Handler:    _InternalService_OAuth2Login_Handler,
 		},
 		{
 			MethodName: "GetDevicesSummary",
 			Handler:    _InternalService_GetDevicesSummary_Handler,
--- a/api/grpc-web/api/internal_grpc_web_pb.d.ts
+++ b/api/grpc-web/api/internal_grpc_web_pb.d.ts
@ -65,6 +65,13 @@ export class InternalServiceClient {
               response: api_internal_pb.OpenIdConnectLoginResponse) => void
  ): grpcWeb.ClientReadableStream<api_internal_pb.OpenIdConnectLoginResponse>;
  oAuth2Login(
    request: api_internal_pb.OAuth2LoginRequest,
    metadata: grpcWeb.Metadata | undefined,
    callback: (err: grpcWeb.RpcError,
               response: api_internal_pb.OAuth2LoginResponse) => void
  ): grpcWeb.ClientReadableStream<api_internal_pb.OAuth2LoginResponse>;
  getDevicesSummary(
    request: api_internal_pb.GetDevicesSummaryRequest,
    metadata: grpcWeb.Metadata | undefined,
@ -155,6 +162,11 @@ export class InternalServicePromiseClient {
    metadata?: grpcWeb.Metadata
  ): Promise<api_internal_pb.OpenIdConnectLoginResponse>;
  oAuth2Login(
    request: api_internal_pb.OAuth2LoginRequest,
    metadata?: grpcWeb.Metadata
  ): Promise<api_internal_pb.OAuth2LoginResponse>;
  getDevicesSummary(
    request: api_internal_pb.GetDevicesSummaryRequest,
    metadata?: grpcWeb.Metadata
--- a/api/grpc-web/api/internal_grpc_web_pb.js
+++ b/api/grpc-web/api/internal_grpc_web_pb.js
@ -570,6 +570,67 @@ proto.api.InternalServicePromiseClient.prototype.openIdConnectLogin =
 };
 /**
 * @const
 * @type {!grpc.web.MethodDescriptor<
 *   !proto.api.OAuth2LoginRequest,
 *   !proto.api.OAuth2LoginResponse>}
 */
 const methodDescriptor_InternalService_OAuth2Login = new grpc.web.MethodDescriptor(
  '/api.InternalService/OAuth2Login',
  grpc.web.MethodType.UNARY,
  proto.api.OAuth2LoginRequest,
  proto.api.OAuth2LoginResponse,
  /**
   * @param {!proto.api.OAuth2LoginRequest} request
   * @return {!Uint8Array}
   */
  function(request) {
    return request.serializeBinary();
  },
  proto.api.OAuth2LoginResponse.deserializeBinary
 );
 /**
 * @param {!proto.api.OAuth2LoginRequest} request The
 *     request proto
 * @param {?Object<string, string>} metadata User defined
 *     call metadata
 * @param {function(?grpc.web.RpcError, ?proto.api.OAuth2LoginResponse)}
 *     callback The callback function(error, response)
 * @return {!grpc.web.ClientReadableStream<!proto.api.OAuth2LoginResponse>|undefined}
 *     The XHR Node Readable Stream
 */
 proto.api.InternalServiceClient.prototype.oAuth2Login =
    function(request, metadata, callback) {
  return this.client_.rpcCall(this.hostname_ +
      '/api.InternalService/OAuth2Login',
      request,
      metadata || {},
      methodDescriptor_InternalService_OAuth2Login,
      callback);
 };
 /**
 * @param {!proto.api.OAuth2LoginRequest} request The
 *     request proto
 * @param {?Object<string, string>=} metadata User defined
 *     call metadata
 * @return {!Promise<!proto.api.OAuth2LoginResponse>}
 *     Promise that resolves to the response
 */
 proto.api.InternalServicePromiseClient.prototype.oAuth2Login =
    function(request, metadata) {
  return this.client_.unaryCall(this.hostname_ +
      '/api.InternalService/OAuth2Login',
      request,
      metadata || {},
      methodDescriptor_InternalService_OAuth2Login);
 };
 /**
 * @const
 * @type {!grpc.web.MethodDescriptor<
--- a/api/grpc-web/api/internal_pb.d.ts
+++ b/api/grpc-web/api/internal_pb.d.ts
@ -364,6 +364,11 @@ export class SettingsResponse extends jspb.Message {
  hasOpenidConnect(): boolean;
  clearOpenidConnect(): SettingsResponse;
  getOauth2(): OAuth2 | undefined;
  setOauth2(value?: OAuth2): SettingsResponse;
  hasOauth2(): boolean;
  clearOauth2(): SettingsResponse;
  serializeBinary(): Uint8Array;
  toObject(includeInstance?: boolean): SettingsResponse.AsObject;
  static toObject(includeInstance: boolean, msg: SettingsResponse): SettingsResponse.AsObject;
@ -375,6 +380,7 @@ export class SettingsResponse extends jspb.Message {
 export namespace SettingsResponse {
  export type AsObject = {
    openidConnect?: OpenIdConnect.AsObject,
    oauth2?: OAuth2.AsObject,
  }
 }
@ -408,6 +414,36 @@ export namespace OpenIdConnect {
  }
 }
 export class OAuth2 extends jspb.Message {
  getEnabled(): boolean;
  setEnabled(value: boolean): OAuth2;
  getLoginUrl(): string;
  setLoginUrl(value: string): OAuth2;
  getLoginLabel(): string;
  setLoginLabel(value: string): OAuth2;
  getLogoutUrl(): string;
  setLogoutUrl(value: string): OAuth2;
  serializeBinary(): Uint8Array;
  toObject(includeInstance?: boolean): OAuth2.AsObject;
  static toObject(includeInstance: boolean, msg: OAuth2): OAuth2.AsObject;
  static serializeBinaryToWriter(message: OAuth2, writer: jspb.BinaryWriter): void;
  static deserializeBinary(bytes: Uint8Array): OAuth2;
  static deserializeBinaryFromReader(message: OAuth2, reader: jspb.BinaryReader): OAuth2;
 }
 export namespace OAuth2 {
  export type AsObject = {
    enabled: boolean,
    loginUrl: string,
    loginLabel: string,
    logoutUrl: string,
  }
 }
 export class OpenIdConnectLoginRequest extends jspb.Message {
  getCode(): string;
  setCode(value: string): OpenIdConnectLoginRequest;
@ -448,6 +484,46 @@ export namespace OpenIdConnectLoginResponse {
  }
 }
 export class OAuth2LoginRequest extends jspb.Message {
  getCode(): string;
  setCode(value: string): OAuth2LoginRequest;
  getState(): string;
  setState(value: string): OAuth2LoginRequest;
  serializeBinary(): Uint8Array;
  toObject(includeInstance?: boolean): OAuth2LoginRequest.AsObject;
  static toObject(includeInstance: boolean, msg: OAuth2LoginRequest): OAuth2LoginRequest.AsObject;
  static serializeBinaryToWriter(message: OAuth2LoginRequest, writer: jspb.BinaryWriter): void;
  static deserializeBinary(bytes: Uint8Array): OAuth2LoginRequest;
  static deserializeBinaryFromReader(message: OAuth2LoginRequest, reader: jspb.BinaryReader): OAuth2LoginRequest;
 }
 export namespace OAuth2LoginRequest {
  export type AsObject = {
    code: string,
    state: string,
  }
 }
 export class OAuth2LoginResponse extends jspb.Message {
  getToken(): string;
  setToken(value: string): OAuth2LoginResponse;
  serializeBinary(): Uint8Array;
  toObject(includeInstance?: boolean): OAuth2LoginResponse.AsObject;
  static toObject(includeInstance: boolean, msg: OAuth2LoginResponse): OAuth2LoginResponse.AsObject;
  static serializeBinaryToWriter(message: OAuth2LoginResponse, writer: jspb.BinaryWriter): void;
  static deserializeBinary(bytes: Uint8Array): OAuth2LoginResponse;
  static deserializeBinaryFromReader(message: OAuth2LoginResponse, reader: jspb.BinaryReader): OAuth2LoginResponse;
 }
 export namespace OAuth2LoginResponse {
  export type AsObject = {
    token: string,
  }
 }
 export class GetDevicesSummaryRequest extends jspb.Message {
  getTenantId(): string;
  setTenantId(value: string): GetDevicesSummaryRequest;
--- a/api/grpc-web/api/internal_pb.js
+++ b/api/grpc-web/api/internal_pb.js
@ -39,6 +39,9 @@ goog.exportSymbol('proto.api.ListRegionsResponse', null, global);
 goog.exportSymbol('proto.api.LogItem', null, global);
 goog.exportSymbol('proto.api.LoginRequest', null, global);
 goog.exportSymbol('proto.api.LoginResponse', null, global);
 goog.exportSymbol('proto.api.OAuth2', null, global);
 goog.exportSymbol('proto.api.OAuth2LoginRequest', null, global);
 goog.exportSymbol('proto.api.OAuth2LoginResponse', null, global);
 goog.exportSymbol('proto.api.OpenIdConnect', null, global);
 goog.exportSymbol('proto.api.OpenIdConnectLoginRequest', null, global);
 goog.exportSymbol('proto.api.OpenIdConnectLoginResponse', null, global);
@ -365,6 +368,27 @@ if (goog.DEBUG && !COMPILED) {
   */
  proto.api.OpenIdConnect.displayName = 'proto.api.OpenIdConnect';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
 * server response, or constructed directly in Javascript. The array is used
 * in place and becomes part of the constructed object. It is not cloned.
 * If no data is provided, the constructed object will be empty, but still
 * valid.
 * @extends {jspb.Message}
 * @constructor
 */
 proto.api.OAuth2 = function(opt_data) {
  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
 };
 goog.inherits(proto.api.OAuth2, jspb.Message);
 if (goog.DEBUG && !COMPILED) {
  /**
   * @public
   * @override
   */
  proto.api.OAuth2.displayName = 'proto.api.OAuth2';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
@ -407,6 +431,48 @@ if (goog.DEBUG && !COMPILED) {
   */
  proto.api.OpenIdConnectLoginResponse.displayName = 'proto.api.OpenIdConnectLoginResponse';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
 * server response, or constructed directly in Javascript. The array is used
 * in place and becomes part of the constructed object. It is not cloned.
 * If no data is provided, the constructed object will be empty, but still
 * valid.
 * @extends {jspb.Message}
 * @constructor
 */
 proto.api.OAuth2LoginRequest = function(opt_data) {
  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
 };
 goog.inherits(proto.api.OAuth2LoginRequest, jspb.Message);
 if (goog.DEBUG && !COMPILED) {
  /**
   * @public
   * @override
   */
  proto.api.OAuth2LoginRequest.displayName = 'proto.api.OAuth2LoginRequest';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
 * server response, or constructed directly in Javascript. The array is used
 * in place and becomes part of the constructed object. It is not cloned.
 * If no data is provided, the constructed object will be empty, but still
 * valid.
 * @extends {jspb.Message}
 * @constructor
 */
 proto.api.OAuth2LoginResponse = function(opt_data) {
  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
 };
 goog.inherits(proto.api.OAuth2LoginResponse, jspb.Message);
 if (goog.DEBUG && !COMPILED) {
  /**
   * @public
   * @override
   */
  proto.api.OAuth2LoginResponse.displayName = 'proto.api.OAuth2LoginResponse';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
@ -3356,7 +3422,8 @@ proto.api.SettingsResponse.prototype.toObject = function(opt_includeInstance) {
 */
 proto.api.SettingsResponse.toObject = function(includeInstance, msg) {
  var f, obj = {
-    openidConnect: (f = msg.getOpenidConnect()) && proto.api.OpenIdConnect.toObject(includeInstance, f)
+    openidConnect: (f = msg.getOpenidConnect()) && proto.api.OpenIdConnect.toObject(includeInstance, f),
    oauth2: (f = msg.getOauth2()) && proto.api.OAuth2.toObject(includeInstance, f)
  };
  if (includeInstance) {
@ -3398,6 +3465,11 @@ proto.api.SettingsResponse.deserializeBinaryFromReader = function(msg, reader) {
      reader.readMessage(value,proto.api.OpenIdConnect.deserializeBinaryFromReader);
      msg.setOpenidConnect(value);
      break;
    case 2:
      var value = new proto.api.OAuth2;
      reader.readMessage(value,proto.api.OAuth2.deserializeBinaryFromReader);
      msg.setOauth2(value);
      break;
    default:
      reader.skipField();
      break;
@ -3435,6 +3507,14 @@ proto.api.SettingsResponse.serializeBinaryToWriter = function(message, writer) {
      proto.api.OpenIdConnect.serializeBinaryToWriter
    );
  }
  f = message.getOauth2();
  if (f != null) {
    writer.writeMessage(
      2,
      f,
      proto.api.OAuth2.serializeBinaryToWriter
    );
  }
 };
@ -3475,6 +3555,43 @@ proto.api.SettingsResponse.prototype.hasOpenidConnect = function() {
 };
 /**
 * optional OAuth2 oauth2 = 2;
 * @return {?proto.api.OAuth2}
 */
 proto.api.SettingsResponse.prototype.getOauth2 = function() {
  return /** @type{?proto.api.OAuth2} */ (
    jspb.Message.getWrapperField(this, proto.api.OAuth2, 2));
 };
 /**
 * @param {?proto.api.OAuth2|undefined} value
 * @return {!proto.api.SettingsResponse} returns this
 */
 proto.api.SettingsResponse.prototype.setOauth2 = function(value) {
  return jspb.Message.setWrapperField(this, 2, value);
 };
 /**
 * Clears the message field making it undefined.
 * @return {!proto.api.SettingsResponse} returns this
 */
 proto.api.SettingsResponse.prototype.clearOauth2 = function() {
  return this.setOauth2(undefined);
 };
 /**
 * Returns whether this field is set.
 * @return {boolean}
 */
 proto.api.SettingsResponse.prototype.hasOauth2 = function() {
  return jspb.Message.getField(this, 2) != null;
 };
@ -3698,6 +3815,226 @@ proto.api.OpenIdConnect.prototype.setLogoutUrl = function(value) {
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
 * Field names that are reserved in JavaScript and will be renamed to pb_name.
 * Optional fields that are not set will be set to undefined.
 * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
 * For the list of reserved names please see:
 *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
 * @param {boolean=} opt_includeInstance Deprecated. whether to include the
 *     JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @return {!Object}
 */
 proto.api.OAuth2.prototype.toObject = function(opt_includeInstance) {
  return proto.api.OAuth2.toObject(opt_includeInstance, this);
 };
 /**
 * Static version of the {@see toObject} method.
 * @param {boolean|undefined} includeInstance Deprecated. Whether to include
 *     the JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @param {!proto.api.OAuth2} msg The msg instance to transform.
 * @return {!Object}
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2.toObject = function(includeInstance, msg) {
  var f, obj = {
    enabled: jspb.Message.getBooleanFieldWithDefault(msg, 1, false),
    loginUrl: jspb.Message.getFieldWithDefault(msg, 2, ""),
    loginLabel: jspb.Message.getFieldWithDefault(msg, 3, ""),
    logoutUrl: jspb.Message.getFieldWithDefault(msg, 4, "")
  };
  if (includeInstance) {
    obj.$jspbMessageInstance = msg;
  }
  return obj;
 };
 }
 /**
 * Deserializes binary data (in protobuf wire format).
 * @param {jspb.ByteSource} bytes The bytes to deserialize.
 * @return {!proto.api.OAuth2}
 */
 proto.api.OAuth2.deserializeBinary = function(bytes) {
  var reader = new jspb.BinaryReader(bytes);
  var msg = new proto.api.OAuth2;
  return proto.api.OAuth2.deserializeBinaryFromReader(msg, reader);
 };
 /**
 * Deserializes binary data (in protobuf wire format) from the
 * given reader into the given message object.
 * @param {!proto.api.OAuth2} msg The message object to deserialize into.
 * @param {!jspb.BinaryReader} reader The BinaryReader to use.
 * @return {!proto.api.OAuth2}
 */
 proto.api.OAuth2.deserializeBinaryFromReader = function(msg, reader) {
  while (reader.nextField()) {
    if (reader.isEndGroup()) {
      break;
    }
    var field = reader.getFieldNumber();
    switch (field) {
    case 1:
      var value = /** @type {boolean} */ (reader.readBool());
      msg.setEnabled(value);
      break;
    case 2:
      var value = /** @type {string} */ (reader.readString());
      msg.setLoginUrl(value);
      break;
    case 3:
      var value = /** @type {string} */ (reader.readString());
      msg.setLoginLabel(value);
      break;
    case 4:
      var value = /** @type {string} */ (reader.readString());
      msg.setLogoutUrl(value);
      break;
    default:
      reader.skipField();
      break;
    }
  }
  return msg;
 };
 /**
 * Serializes the message to binary data (in protobuf wire format).
 * @return {!Uint8Array}
 */
 proto.api.OAuth2.prototype.serializeBinary = function() {
  var writer = new jspb.BinaryWriter();
  proto.api.OAuth2.serializeBinaryToWriter(this, writer);
  return writer.getResultBuffer();
 };
 /**
 * Serializes the given message to binary data (in protobuf wire
 * format), writing to the given BinaryWriter.
 * @param {!proto.api.OAuth2} message
 * @param {!jspb.BinaryWriter} writer
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2.serializeBinaryToWriter = function(message, writer) {
  var f = undefined;
  f = message.getEnabled();
  if (f) {
    writer.writeBool(
      1,
      f
    );
  }
  f = message.getLoginUrl();
  if (f.length > 0) {
    writer.writeString(
      2,
      f
    );
  }
  f = message.getLoginLabel();
  if (f.length > 0) {
    writer.writeString(
      3,
      f
    );
  }
  f = message.getLogoutUrl();
  if (f.length > 0) {
    writer.writeString(
      4,
      f
    );
  }
 };
 /**
 * optional bool enabled = 1;
 * @return {boolean}
 */
 proto.api.OAuth2.prototype.getEnabled = function() {
  return /** @type {boolean} */ (jspb.Message.getBooleanFieldWithDefault(this, 1, false));
 };
 /**
 * @param {boolean} value
 * @return {!proto.api.OAuth2} returns this
 */
 proto.api.OAuth2.prototype.setEnabled = function(value) {
  return jspb.Message.setProto3BooleanField(this, 1, value);
 };
 /**
 * optional string login_url = 2;
 * @return {string}
 */
 proto.api.OAuth2.prototype.getLoginUrl = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 2, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2} returns this
 */
 proto.api.OAuth2.prototype.setLoginUrl = function(value) {
  return jspb.Message.setProto3StringField(this, 2, value);
 };
 /**
 * optional string login_label = 3;
 * @return {string}
 */
 proto.api.OAuth2.prototype.getLoginLabel = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 3, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2} returns this
 */
 proto.api.OAuth2.prototype.setLoginLabel = function(value) {
  return jspb.Message.setProto3StringField(this, 3, value);
 };
 /**
 * optional string logout_url = 4;
 * @return {string}
 */
 proto.api.OAuth2.prototype.getLogoutUrl = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 4, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2} returns this
 */
 proto.api.OAuth2.prototype.setLogoutUrl = function(value) {
  return jspb.Message.setProto3StringField(this, 4, value);
 };
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
@ -3988,6 +4325,296 @@ proto.api.OpenIdConnectLoginResponse.prototype.setToken = function(value) {
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
 * Field names that are reserved in JavaScript and will be renamed to pb_name.
 * Optional fields that are not set will be set to undefined.
 * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
 * For the list of reserved names please see:
 *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
 * @param {boolean=} opt_includeInstance Deprecated. whether to include the
 *     JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @return {!Object}
 */
 proto.api.OAuth2LoginRequest.prototype.toObject = function(opt_includeInstance) {
  return proto.api.OAuth2LoginRequest.toObject(opt_includeInstance, this);
 };
 /**
 * Static version of the {@see toObject} method.
 * @param {boolean|undefined} includeInstance Deprecated. Whether to include
 *     the JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @param {!proto.api.OAuth2LoginRequest} msg The msg instance to transform.
 * @return {!Object}
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2LoginRequest.toObject = function(includeInstance, msg) {
  var f, obj = {
    code: jspb.Message.getFieldWithDefault(msg, 1, ""),
    state: jspb.Message.getFieldWithDefault(msg, 2, "")
  };
  if (includeInstance) {
    obj.$jspbMessageInstance = msg;
  }
  return obj;
 };
 }
 /**
 * Deserializes binary data (in protobuf wire format).
 * @param {jspb.ByteSource} bytes The bytes to deserialize.
 * @return {!proto.api.OAuth2LoginRequest}
 */
 proto.api.OAuth2LoginRequest.deserializeBinary = function(bytes) {
  var reader = new jspb.BinaryReader(bytes);
  var msg = new proto.api.OAuth2LoginRequest;
  return proto.api.OAuth2LoginRequest.deserializeBinaryFromReader(msg, reader);
 };
 /**
 * Deserializes binary data (in protobuf wire format) from the
 * given reader into the given message object.
 * @param {!proto.api.OAuth2LoginRequest} msg The message object to deserialize into.
 * @param {!jspb.BinaryReader} reader The BinaryReader to use.
 * @return {!proto.api.OAuth2LoginRequest}
 */
 proto.api.OAuth2LoginRequest.deserializeBinaryFromReader = function(msg, reader) {
  while (reader.nextField()) {
    if (reader.isEndGroup()) {
      break;
    }
    var field = reader.getFieldNumber();
    switch (field) {
    case 1:
      var value = /** @type {string} */ (reader.readString());
      msg.setCode(value);
      break;
    case 2:
      var value = /** @type {string} */ (reader.readString());
      msg.setState(value);
      break;
    default:
      reader.skipField();
      break;
    }
  }
  return msg;
 };
 /**
 * Serializes the message to binary data (in protobuf wire format).
 * @return {!Uint8Array}
 */
 proto.api.OAuth2LoginRequest.prototype.serializeBinary = function() {
  var writer = new jspb.BinaryWriter();
  proto.api.OAuth2LoginRequest.serializeBinaryToWriter(this, writer);
  return writer.getResultBuffer();
 };
 /**
 * Serializes the given message to binary data (in protobuf wire
 * format), writing to the given BinaryWriter.
 * @param {!proto.api.OAuth2LoginRequest} message
 * @param {!jspb.BinaryWriter} writer
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2LoginRequest.serializeBinaryToWriter = function(message, writer) {
  var f = undefined;
  f = message.getCode();
  if (f.length > 0) {
    writer.writeString(
      1,
      f
    );
  }
  f = message.getState();
  if (f.length > 0) {
    writer.writeString(
      2,
      f
    );
  }
 };
 /**
 * optional string code = 1;
 * @return {string}
 */
 proto.api.OAuth2LoginRequest.prototype.getCode = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2LoginRequest} returns this
 */
 proto.api.OAuth2LoginRequest.prototype.setCode = function(value) {
  return jspb.Message.setProto3StringField(this, 1, value);
 };
 /**
 * optional string state = 2;
 * @return {string}
 */
 proto.api.OAuth2LoginRequest.prototype.getState = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 2, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2LoginRequest} returns this
 */
 proto.api.OAuth2LoginRequest.prototype.setState = function(value) {
  return jspb.Message.setProto3StringField(this, 2, value);
 };
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
 * Field names that are reserved in JavaScript and will be renamed to pb_name.
 * Optional fields that are not set will be set to undefined.
 * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
 * For the list of reserved names please see:
 *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
 * @param {boolean=} opt_includeInstance Deprecated. whether to include the
 *     JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @return {!Object}
 */
 proto.api.OAuth2LoginResponse.prototype.toObject = function(opt_includeInstance) {
  return proto.api.OAuth2LoginResponse.toObject(opt_includeInstance, this);
 };
 /**
 * Static version of the {@see toObject} method.
 * @param {boolean|undefined} includeInstance Deprecated. Whether to include
 *     the JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @param {!proto.api.OAuth2LoginResponse} msg The msg instance to transform.
 * @return {!Object}
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2LoginResponse.toObject = function(includeInstance, msg) {
  var f, obj = {
    token: jspb.Message.getFieldWithDefault(msg, 1, "")
  };
  if (includeInstance) {
    obj.$jspbMessageInstance = msg;
  }
  return obj;
 };
 }
 /**
 * Deserializes binary data (in protobuf wire format).
 * @param {jspb.ByteSource} bytes The bytes to deserialize.
 * @return {!proto.api.OAuth2LoginResponse}
 */
 proto.api.OAuth2LoginResponse.deserializeBinary = function(bytes) {
  var reader = new jspb.BinaryReader(bytes);
  var msg = new proto.api.OAuth2LoginResponse;
  return proto.api.OAuth2LoginResponse.deserializeBinaryFromReader(msg, reader);
 };
 /**
 * Deserializes binary data (in protobuf wire format) from the
 * given reader into the given message object.
 * @param {!proto.api.OAuth2LoginResponse} msg The message object to deserialize into.
 * @param {!jspb.BinaryReader} reader The BinaryReader to use.
 * @return {!proto.api.OAuth2LoginResponse}
 */
 proto.api.OAuth2LoginResponse.deserializeBinaryFromReader = function(msg, reader) {
  while (reader.nextField()) {
    if (reader.isEndGroup()) {
      break;
    }
    var field = reader.getFieldNumber();
    switch (field) {
    case 1:
      var value = /** @type {string} */ (reader.readString());
      msg.setToken(value);
      break;
    default:
      reader.skipField();
      break;
    }
  }
  return msg;
 };
 /**
 * Serializes the message to binary data (in protobuf wire format).
 * @return {!Uint8Array}
 */
 proto.api.OAuth2LoginResponse.prototype.serializeBinary = function() {
  var writer = new jspb.BinaryWriter();
  proto.api.OAuth2LoginResponse.serializeBinaryToWriter(this, writer);
  return writer.getResultBuffer();
 };
 /**
 * Serializes the given message to binary data (in protobuf wire
 * format), writing to the given BinaryWriter.
 * @param {!proto.api.OAuth2LoginResponse} message
 * @param {!jspb.BinaryWriter} writer
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2LoginResponse.serializeBinaryToWriter = function(message, writer) {
  var f = undefined;
  f = message.getToken();
  if (f.length > 0) {
    writer.writeString(
      1,
      f
    );
  }
 };
 /**
 * optional string token = 1;
 * @return {string}
 */
 proto.api.OAuth2LoginResponse.prototype.getToken = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2LoginResponse} returns this
 */
 proto.api.OAuth2LoginResponse.prototype.setToken = function(value) {
  return jspb.Message.setProto3StringField(this, 1, value);
 };
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
--- a/api/js/api/internal_grpc_pb.d.ts
+++ b/api/js/api/internal_grpc_pb.d.ts
@ -16,6 +16,7 @@ interface IInternalServiceService extends grpc.ServiceDefinition<grpc.UntypedSer
  listApiKeys: grpc.MethodDefinition<api_internal_pb.ListApiKeysRequest, api_internal_pb.ListApiKeysResponse>;
  settings: grpc.MethodDefinition<google_protobuf_empty_pb.Empty, api_internal_pb.SettingsResponse>;
  openIdConnectLogin: grpc.MethodDefinition<api_internal_pb.OpenIdConnectLoginRequest, api_internal_pb.OpenIdConnectLoginResponse>;
  oAuth2Login: grpc.MethodDefinition<api_internal_pb.OAuth2LoginRequest, api_internal_pb.OAuth2LoginResponse>;
  getDevicesSummary: grpc.MethodDefinition<api_internal_pb.GetDevicesSummaryRequest, api_internal_pb.GetDevicesSummaryResponse>;
  getGatewaysSummary: grpc.MethodDefinition<api_internal_pb.GetGatewaysSummaryRequest, api_internal_pb.GetGatewaysSummaryResponse>;
  streamGatewayFrames: grpc.MethodDefinition<api_internal_pb.StreamGatewayFramesRequest, api_internal_pb.LogItem>;
@ -36,6 +37,7 @@ export interface IInternalServiceServer extends grpc.UntypedServiceImplementatio
  listApiKeys: grpc.handleUnaryCall<api_internal_pb.ListApiKeysRequest, api_internal_pb.ListApiKeysResponse>;
  settings: grpc.handleUnaryCall<google_protobuf_empty_pb.Empty, api_internal_pb.SettingsResponse>;
  openIdConnectLogin: grpc.handleUnaryCall<api_internal_pb.OpenIdConnectLoginRequest, api_internal_pb.OpenIdConnectLoginResponse>;
  oAuth2Login: grpc.handleUnaryCall<api_internal_pb.OAuth2LoginRequest, api_internal_pb.OAuth2LoginResponse>;
  getDevicesSummary: grpc.handleUnaryCall<api_internal_pb.GetDevicesSummaryRequest, api_internal_pb.GetDevicesSummaryResponse>;
  getGatewaysSummary: grpc.handleUnaryCall<api_internal_pb.GetGatewaysSummaryRequest, api_internal_pb.GetGatewaysSummaryResponse>;
  streamGatewayFrames: grpc.handleServerStreamingCall<api_internal_pb.StreamGatewayFramesRequest, api_internal_pb.LogItem>;
@ -71,6 +73,9 @@ export class InternalServiceClient extends grpc.Client {
  openIdConnectLogin(argument: api_internal_pb.OpenIdConnectLoginRequest, callback: grpc.requestCallback<api_internal_pb.OpenIdConnectLoginResponse>): grpc.ClientUnaryCall;
  openIdConnectLogin(argument: api_internal_pb.OpenIdConnectLoginRequest, metadataOrOptions: grpc.Metadata | grpc.CallOptions | null, callback: grpc.requestCallback<api_internal_pb.OpenIdConnectLoginResponse>): grpc.ClientUnaryCall;
  openIdConnectLogin(argument: api_internal_pb.OpenIdConnectLoginRequest, metadata: grpc.Metadata | null, options: grpc.CallOptions | null, callback: grpc.requestCallback<api_internal_pb.OpenIdConnectLoginResponse>): grpc.ClientUnaryCall;
  oAuth2Login(argument: api_internal_pb.OAuth2LoginRequest, callback: grpc.requestCallback<api_internal_pb.OAuth2LoginResponse>): grpc.ClientUnaryCall;
  oAuth2Login(argument: api_internal_pb.OAuth2LoginRequest, metadataOrOptions: grpc.Metadata | grpc.CallOptions | null, callback: grpc.requestCallback<api_internal_pb.OAuth2LoginResponse>): grpc.ClientUnaryCall;
  oAuth2Login(argument: api_internal_pb.OAuth2LoginRequest, metadata: grpc.Metadata | null, options: grpc.CallOptions | null, callback: grpc.requestCallback<api_internal_pb.OAuth2LoginResponse>): grpc.ClientUnaryCall;
  getDevicesSummary(argument: api_internal_pb.GetDevicesSummaryRequest, callback: grpc.requestCallback<api_internal_pb.GetDevicesSummaryResponse>): grpc.ClientUnaryCall;
  getDevicesSummary(argument: api_internal_pb.GetDevicesSummaryRequest, metadataOrOptions: grpc.Metadata | grpc.CallOptions | null, callback: grpc.requestCallback<api_internal_pb.GetDevicesSummaryResponse>): grpc.ClientUnaryCall;
  getDevicesSummary(argument: api_internal_pb.GetDevicesSummaryRequest, metadata: grpc.Metadata | null, options: grpc.CallOptions | null, callback: grpc.requestCallback<api_internal_pb.GetDevicesSummaryResponse>): grpc.ClientUnaryCall;
--- a/api/js/api/internal_grpc_pb.js
+++ b/api/js/api/internal_grpc_pb.js
@ -195,6 +195,28 @@ function deserialize_api_LoginResponse(buffer_arg) {
  return api_internal_pb.LoginResponse.deserializeBinary(new Uint8Array(buffer_arg));
 }
 function serialize_api_OAuth2LoginRequest(arg) {
  if (!(arg instanceof api_internal_pb.OAuth2LoginRequest)) {
    throw new Error('Expected argument of type api.OAuth2LoginRequest');
  }
  return Buffer.from(arg.serializeBinary());
 }
 function deserialize_api_OAuth2LoginRequest(buffer_arg) {
  return api_internal_pb.OAuth2LoginRequest.deserializeBinary(new Uint8Array(buffer_arg));
 }
 function serialize_api_OAuth2LoginResponse(arg) {
  if (!(arg instanceof api_internal_pb.OAuth2LoginResponse)) {
    throw new Error('Expected argument of type api.OAuth2LoginResponse');
  }
  return Buffer.from(arg.serializeBinary());
 }
 function deserialize_api_OAuth2LoginResponse(buffer_arg) {
  return api_internal_pb.OAuth2LoginResponse.deserializeBinary(new Uint8Array(buffer_arg));
 }
 function serialize_api_OpenIdConnectLoginRequest(arg) {
  if (!(arg instanceof api_internal_pb.OpenIdConnectLoginRequest)) {
    throw new Error('Expected argument of type api.OpenIdConnectLoginRequest');
@ -382,6 +404,18 @@ openIdConnectLogin: {
    responseSerialize: serialize_api_OpenIdConnectLoginResponse,
    responseDeserialize: deserialize_api_OpenIdConnectLoginResponse,
  },
  // OAuth2 login.
 oAuth2Login: {
    path: '/api.InternalService/OAuth2Login',
    requestStream: false,
    responseStream: false,
    requestType: api_internal_pb.OAuth2LoginRequest,
    responseType: api_internal_pb.OAuth2LoginResponse,
    requestSerialize: serialize_api_OAuth2LoginRequest,
    requestDeserialize: deserialize_api_OAuth2LoginRequest,
    responseSerialize: serialize_api_OAuth2LoginResponse,
    responseDeserialize: deserialize_api_OAuth2LoginResponse,
  },
  // GetDevicesSummary returns an aggregated summary of the devices.
 getDevicesSummary: {
    path: '/api.InternalService/GetDevicesSummary',
--- a/api/js/api/internal_pb.d.ts
+++ b/api/js/api/internal_pb.d.ts
@ -391,6 +391,11 @@ export class SettingsResponse extends jspb.Message {
  getOpenidConnect(): OpenIdConnect | undefined;
  setOpenidConnect(value?: OpenIdConnect): void;
  hasOauth2(): boolean;
  clearOauth2(): void;
  getOauth2(): OAuth2 | undefined;
  setOauth2(value?: OAuth2): void;
  serializeBinary(): Uint8Array;
  toObject(includeInstance?: boolean): SettingsResponse.AsObject;
  static toObject(includeInstance: boolean, msg: SettingsResponse): SettingsResponse.AsObject;
@ -404,6 +409,7 @@ export class SettingsResponse extends jspb.Message {
 export namespace SettingsResponse {
  export type AsObject = {
    openidConnect?: OpenIdConnect.AsObject,
    oauth2?: OAuth2.AsObject,
  }
 }
@ -439,6 +445,38 @@ export namespace OpenIdConnect {
  }
 }
 export class OAuth2 extends jspb.Message {
  getEnabled(): boolean;
  setEnabled(value: boolean): void;
  getLoginUrl(): string;
  setLoginUrl(value: string): void;
  getLoginLabel(): string;
  setLoginLabel(value: string): void;
  getLogoutUrl(): string;
  setLogoutUrl(value: string): void;
  serializeBinary(): Uint8Array;
  toObject(includeInstance?: boolean): OAuth2.AsObject;
  static toObject(includeInstance: boolean, msg: OAuth2): OAuth2.AsObject;
  static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
  static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
  static serializeBinaryToWriter(message: OAuth2, writer: jspb.BinaryWriter): void;
  static deserializeBinary(bytes: Uint8Array): OAuth2;
  static deserializeBinaryFromReader(message: OAuth2, reader: jspb.BinaryReader): OAuth2;
 }
 export namespace OAuth2 {
  export type AsObject = {
    enabled: boolean,
    loginUrl: string,
    loginLabel: string,
    logoutUrl: string,
  }
 }
 export class OpenIdConnectLoginRequest extends jspb.Message {
  getCode(): string;
  setCode(value: string): void;
@ -483,6 +521,50 @@ export namespace OpenIdConnectLoginResponse {
  }
 }
 export class OAuth2LoginRequest extends jspb.Message {
  getCode(): string;
  setCode(value: string): void;
  getState(): string;
  setState(value: string): void;
  serializeBinary(): Uint8Array;
  toObject(includeInstance?: boolean): OAuth2LoginRequest.AsObject;
  static toObject(includeInstance: boolean, msg: OAuth2LoginRequest): OAuth2LoginRequest.AsObject;
  static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
  static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
  static serializeBinaryToWriter(message: OAuth2LoginRequest, writer: jspb.BinaryWriter): void;
  static deserializeBinary(bytes: Uint8Array): OAuth2LoginRequest;
  static deserializeBinaryFromReader(message: OAuth2LoginRequest, reader: jspb.BinaryReader): OAuth2LoginRequest;
 }
 export namespace OAuth2LoginRequest {
  export type AsObject = {
    code: string,
    state: string,
  }
 }
 export class OAuth2LoginResponse extends jspb.Message {
  getToken(): string;
  setToken(value: string): void;
  serializeBinary(): Uint8Array;
  toObject(includeInstance?: boolean): OAuth2LoginResponse.AsObject;
  static toObject(includeInstance: boolean, msg: OAuth2LoginResponse): OAuth2LoginResponse.AsObject;
  static extensions: {[key: number]: jspb.ExtensionFieldInfo<jspb.Message>};
  static extensionsBinary: {[key: number]: jspb.ExtensionFieldBinaryInfo<jspb.Message>};
  static serializeBinaryToWriter(message: OAuth2LoginResponse, writer: jspb.BinaryWriter): void;
  static deserializeBinary(bytes: Uint8Array): OAuth2LoginResponse;
  static deserializeBinaryFromReader(message: OAuth2LoginResponse, reader: jspb.BinaryReader): OAuth2LoginResponse;
 }
 export namespace OAuth2LoginResponse {
  export type AsObject = {
    token: string,
  }
 }
 export class GetDevicesSummaryRequest extends jspb.Message {
  getTenantId(): string;
  setTenantId(value: string): void;
--- a/api/js/api/internal_pb.js
+++ b/api/js/api/internal_pb.js
@ -39,6 +39,9 @@ goog.exportSymbol('proto.api.ListRegionsResponse', null, global);
 goog.exportSymbol('proto.api.LogItem', null, global);
 goog.exportSymbol('proto.api.LoginRequest', null, global);
 goog.exportSymbol('proto.api.LoginResponse', null, global);
 goog.exportSymbol('proto.api.OAuth2', null, global);
 goog.exportSymbol('proto.api.OAuth2LoginRequest', null, global);
 goog.exportSymbol('proto.api.OAuth2LoginResponse', null, global);
 goog.exportSymbol('proto.api.OpenIdConnect', null, global);
 goog.exportSymbol('proto.api.OpenIdConnectLoginRequest', null, global);
 goog.exportSymbol('proto.api.OpenIdConnectLoginResponse', null, global);
@ -365,6 +368,27 @@ if (goog.DEBUG && !COMPILED) {
   */
  proto.api.OpenIdConnect.displayName = 'proto.api.OpenIdConnect';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
 * server response, or constructed directly in Javascript. The array is used
 * in place and becomes part of the constructed object. It is not cloned.
 * If no data is provided, the constructed object will be empty, but still
 * valid.
 * @extends {jspb.Message}
 * @constructor
 */
 proto.api.OAuth2 = function(opt_data) {
  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
 };
 goog.inherits(proto.api.OAuth2, jspb.Message);
 if (goog.DEBUG && !COMPILED) {
  /**
   * @public
   * @override
   */
  proto.api.OAuth2.displayName = 'proto.api.OAuth2';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
@ -407,6 +431,48 @@ if (goog.DEBUG && !COMPILED) {
   */
  proto.api.OpenIdConnectLoginResponse.displayName = 'proto.api.OpenIdConnectLoginResponse';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
 * server response, or constructed directly in Javascript. The array is used
 * in place and becomes part of the constructed object. It is not cloned.
 * If no data is provided, the constructed object will be empty, but still
 * valid.
 * @extends {jspb.Message}
 * @constructor
 */
 proto.api.OAuth2LoginRequest = function(opt_data) {
  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
 };
 goog.inherits(proto.api.OAuth2LoginRequest, jspb.Message);
 if (goog.DEBUG && !COMPILED) {
  /**
   * @public
   * @override
   */
  proto.api.OAuth2LoginRequest.displayName = 'proto.api.OAuth2LoginRequest';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
 * server response, or constructed directly in Javascript. The array is used
 * in place and becomes part of the constructed object. It is not cloned.
 * If no data is provided, the constructed object will be empty, but still
 * valid.
 * @extends {jspb.Message}
 * @constructor
 */
 proto.api.OAuth2LoginResponse = function(opt_data) {
  jspb.Message.initialize(this, opt_data, 0, -1, null, null);
 };
 goog.inherits(proto.api.OAuth2LoginResponse, jspb.Message);
 if (goog.DEBUG && !COMPILED) {
  /**
   * @public
   * @override
   */
  proto.api.OAuth2LoginResponse.displayName = 'proto.api.OAuth2LoginResponse';
 }
 /**
 * Generated by JsPbCodeGenerator.
 * @param {Array=} opt_data Optional initial data array, typically from a
@ -3356,7 +3422,8 @@ proto.api.SettingsResponse.prototype.toObject = function(opt_includeInstance) {
 */
 proto.api.SettingsResponse.toObject = function(includeInstance, msg) {
  var f, obj = {
-    openidConnect: (f = msg.getOpenidConnect()) && proto.api.OpenIdConnect.toObject(includeInstance, f)
+    openidConnect: (f = msg.getOpenidConnect()) && proto.api.OpenIdConnect.toObject(includeInstance, f),
    oauth2: (f = msg.getOauth2()) && proto.api.OAuth2.toObject(includeInstance, f)
  };
  if (includeInstance) {
@ -3398,6 +3465,11 @@ proto.api.SettingsResponse.deserializeBinaryFromReader = function(msg, reader) {
      reader.readMessage(value,proto.api.OpenIdConnect.deserializeBinaryFromReader);
      msg.setOpenidConnect(value);
      break;
    case 2:
      var value = new proto.api.OAuth2;
      reader.readMessage(value,proto.api.OAuth2.deserializeBinaryFromReader);
      msg.setOauth2(value);
      break;
    default:
      reader.skipField();
      break;
@ -3435,6 +3507,14 @@ proto.api.SettingsResponse.serializeBinaryToWriter = function(message, writer) {
      proto.api.OpenIdConnect.serializeBinaryToWriter
    );
  }
  f = message.getOauth2();
  if (f != null) {
    writer.writeMessage(
      2,
      f,
      proto.api.OAuth2.serializeBinaryToWriter
    );
  }
 };
@ -3475,6 +3555,43 @@ proto.api.SettingsResponse.prototype.hasOpenidConnect = function() {
 };
 /**
 * optional OAuth2 oauth2 = 2;
 * @return {?proto.api.OAuth2}
 */
 proto.api.SettingsResponse.prototype.getOauth2 = function() {
  return /** @type{?proto.api.OAuth2} */ (
    jspb.Message.getWrapperField(this, proto.api.OAuth2, 2));
 };
 /**
 * @param {?proto.api.OAuth2|undefined} value
 * @return {!proto.api.SettingsResponse} returns this
 */
 proto.api.SettingsResponse.prototype.setOauth2 = function(value) {
  return jspb.Message.setWrapperField(this, 2, value);
 };
 /**
 * Clears the message field making it undefined.
 * @return {!proto.api.SettingsResponse} returns this
 */
 proto.api.SettingsResponse.prototype.clearOauth2 = function() {
  return this.setOauth2(undefined);
 };
 /**
 * Returns whether this field is set.
 * @return {boolean}
 */
 proto.api.SettingsResponse.prototype.hasOauth2 = function() {
  return jspb.Message.getField(this, 2) != null;
 };
@ -3698,6 +3815,226 @@ proto.api.OpenIdConnect.prototype.setLogoutUrl = function(value) {
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
 * Field names that are reserved in JavaScript and will be renamed to pb_name.
 * Optional fields that are not set will be set to undefined.
 * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
 * For the list of reserved names please see:
 *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
 * @param {boolean=} opt_includeInstance Deprecated. whether to include the
 *     JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @return {!Object}
 */
 proto.api.OAuth2.prototype.toObject = function(opt_includeInstance) {
  return proto.api.OAuth2.toObject(opt_includeInstance, this);
 };
 /**
 * Static version of the {@see toObject} method.
 * @param {boolean|undefined} includeInstance Deprecated. Whether to include
 *     the JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @param {!proto.api.OAuth2} msg The msg instance to transform.
 * @return {!Object}
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2.toObject = function(includeInstance, msg) {
  var f, obj = {
    enabled: jspb.Message.getBooleanFieldWithDefault(msg, 1, false),
    loginUrl: jspb.Message.getFieldWithDefault(msg, 2, ""),
    loginLabel: jspb.Message.getFieldWithDefault(msg, 3, ""),
    logoutUrl: jspb.Message.getFieldWithDefault(msg, 4, "")
  };
  if (includeInstance) {
    obj.$jspbMessageInstance = msg;
  }
  return obj;
 };
 }
 /**
 * Deserializes binary data (in protobuf wire format).
 * @param {jspb.ByteSource} bytes The bytes to deserialize.
 * @return {!proto.api.OAuth2}
 */
 proto.api.OAuth2.deserializeBinary = function(bytes) {
  var reader = new jspb.BinaryReader(bytes);
  var msg = new proto.api.OAuth2;
  return proto.api.OAuth2.deserializeBinaryFromReader(msg, reader);
 };
 /**
 * Deserializes binary data (in protobuf wire format) from the
 * given reader into the given message object.
 * @param {!proto.api.OAuth2} msg The message object to deserialize into.
 * @param {!jspb.BinaryReader} reader The BinaryReader to use.
 * @return {!proto.api.OAuth2}
 */
 proto.api.OAuth2.deserializeBinaryFromReader = function(msg, reader) {
  while (reader.nextField()) {
    if (reader.isEndGroup()) {
      break;
    }
    var field = reader.getFieldNumber();
    switch (field) {
    case 1:
      var value = /** @type {boolean} */ (reader.readBool());
      msg.setEnabled(value);
      break;
    case 2:
      var value = /** @type {string} */ (reader.readString());
      msg.setLoginUrl(value);
      break;
    case 3:
      var value = /** @type {string} */ (reader.readString());
      msg.setLoginLabel(value);
      break;
    case 4:
      var value = /** @type {string} */ (reader.readString());
      msg.setLogoutUrl(value);
      break;
    default:
      reader.skipField();
      break;
    }
  }
  return msg;
 };
 /**
 * Serializes the message to binary data (in protobuf wire format).
 * @return {!Uint8Array}
 */
 proto.api.OAuth2.prototype.serializeBinary = function() {
  var writer = new jspb.BinaryWriter();
  proto.api.OAuth2.serializeBinaryToWriter(this, writer);
  return writer.getResultBuffer();
 };
 /**
 * Serializes the given message to binary data (in protobuf wire
 * format), writing to the given BinaryWriter.
 * @param {!proto.api.OAuth2} message
 * @param {!jspb.BinaryWriter} writer
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2.serializeBinaryToWriter = function(message, writer) {
  var f = undefined;
  f = message.getEnabled();
  if (f) {
    writer.writeBool(
      1,
      f
    );
  }
  f = message.getLoginUrl();
  if (f.length > 0) {
    writer.writeString(
      2,
      f
    );
  }
  f = message.getLoginLabel();
  if (f.length > 0) {
    writer.writeString(
      3,
      f
    );
  }
  f = message.getLogoutUrl();
  if (f.length > 0) {
    writer.writeString(
      4,
      f
    );
  }
 };
 /**
 * optional bool enabled = 1;
 * @return {boolean}
 */
 proto.api.OAuth2.prototype.getEnabled = function() {
  return /** @type {boolean} */ (jspb.Message.getBooleanFieldWithDefault(this, 1, false));
 };
 /**
 * @param {boolean} value
 * @return {!proto.api.OAuth2} returns this
 */
 proto.api.OAuth2.prototype.setEnabled = function(value) {
  return jspb.Message.setProto3BooleanField(this, 1, value);
 };
 /**
 * optional string login_url = 2;
 * @return {string}
 */
 proto.api.OAuth2.prototype.getLoginUrl = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 2, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2} returns this
 */
 proto.api.OAuth2.prototype.setLoginUrl = function(value) {
  return jspb.Message.setProto3StringField(this, 2, value);
 };
 /**
 * optional string login_label = 3;
 * @return {string}
 */
 proto.api.OAuth2.prototype.getLoginLabel = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 3, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2} returns this
 */
 proto.api.OAuth2.prototype.setLoginLabel = function(value) {
  return jspb.Message.setProto3StringField(this, 3, value);
 };
 /**
 * optional string logout_url = 4;
 * @return {string}
 */
 proto.api.OAuth2.prototype.getLogoutUrl = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 4, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2} returns this
 */
 proto.api.OAuth2.prototype.setLogoutUrl = function(value) {
  return jspb.Message.setProto3StringField(this, 4, value);
 };
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
@ -3988,6 +4325,296 @@ proto.api.OpenIdConnectLoginResponse.prototype.setToken = function(value) {
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
 * Field names that are reserved in JavaScript and will be renamed to pb_name.
 * Optional fields that are not set will be set to undefined.
 * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
 * For the list of reserved names please see:
 *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
 * @param {boolean=} opt_includeInstance Deprecated. whether to include the
 *     JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @return {!Object}
 */
 proto.api.OAuth2LoginRequest.prototype.toObject = function(opt_includeInstance) {
  return proto.api.OAuth2LoginRequest.toObject(opt_includeInstance, this);
 };
 /**
 * Static version of the {@see toObject} method.
 * @param {boolean|undefined} includeInstance Deprecated. Whether to include
 *     the JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @param {!proto.api.OAuth2LoginRequest} msg The msg instance to transform.
 * @return {!Object}
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2LoginRequest.toObject = function(includeInstance, msg) {
  var f, obj = {
    code: jspb.Message.getFieldWithDefault(msg, 1, ""),
    state: jspb.Message.getFieldWithDefault(msg, 2, "")
  };
  if (includeInstance) {
    obj.$jspbMessageInstance = msg;
  }
  return obj;
 };
 }
 /**
 * Deserializes binary data (in protobuf wire format).
 * @param {jspb.ByteSource} bytes The bytes to deserialize.
 * @return {!proto.api.OAuth2LoginRequest}
 */
 proto.api.OAuth2LoginRequest.deserializeBinary = function(bytes) {
  var reader = new jspb.BinaryReader(bytes);
  var msg = new proto.api.OAuth2LoginRequest;
  return proto.api.OAuth2LoginRequest.deserializeBinaryFromReader(msg, reader);
 };
 /**
 * Deserializes binary data (in protobuf wire format) from the
 * given reader into the given message object.
 * @param {!proto.api.OAuth2LoginRequest} msg The message object to deserialize into.
 * @param {!jspb.BinaryReader} reader The BinaryReader to use.
 * @return {!proto.api.OAuth2LoginRequest}
 */
 proto.api.OAuth2LoginRequest.deserializeBinaryFromReader = function(msg, reader) {
  while (reader.nextField()) {
    if (reader.isEndGroup()) {
      break;
    }
    var field = reader.getFieldNumber();
    switch (field) {
    case 1:
      var value = /** @type {string} */ (reader.readString());
      msg.setCode(value);
      break;
    case 2:
      var value = /** @type {string} */ (reader.readString());
      msg.setState(value);
      break;
    default:
      reader.skipField();
      break;
    }
  }
  return msg;
 };
 /**
 * Serializes the message to binary data (in protobuf wire format).
 * @return {!Uint8Array}
 */
 proto.api.OAuth2LoginRequest.prototype.serializeBinary = function() {
  var writer = new jspb.BinaryWriter();
  proto.api.OAuth2LoginRequest.serializeBinaryToWriter(this, writer);
  return writer.getResultBuffer();
 };
 /**
 * Serializes the given message to binary data (in protobuf wire
 * format), writing to the given BinaryWriter.
 * @param {!proto.api.OAuth2LoginRequest} message
 * @param {!jspb.BinaryWriter} writer
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2LoginRequest.serializeBinaryToWriter = function(message, writer) {
  var f = undefined;
  f = message.getCode();
  if (f.length > 0) {
    writer.writeString(
      1,
      f
    );
  }
  f = message.getState();
  if (f.length > 0) {
    writer.writeString(
      2,
      f
    );
  }
 };
 /**
 * optional string code = 1;
 * @return {string}
 */
 proto.api.OAuth2LoginRequest.prototype.getCode = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2LoginRequest} returns this
 */
 proto.api.OAuth2LoginRequest.prototype.setCode = function(value) {
  return jspb.Message.setProto3StringField(this, 1, value);
 };
 /**
 * optional string state = 2;
 * @return {string}
 */
 proto.api.OAuth2LoginRequest.prototype.getState = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 2, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2LoginRequest} returns this
 */
 proto.api.OAuth2LoginRequest.prototype.setState = function(value) {
  return jspb.Message.setProto3StringField(this, 2, value);
 };
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
 * Field names that are reserved in JavaScript and will be renamed to pb_name.
 * Optional fields that are not set will be set to undefined.
 * To access a reserved field use, foo.pb_<name>, eg, foo.pb_default.
 * For the list of reserved names please see:
 *     net/proto2/compiler/js/internal/generator.cc#kKeyword.
 * @param {boolean=} opt_includeInstance Deprecated. whether to include the
 *     JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @return {!Object}
 */
 proto.api.OAuth2LoginResponse.prototype.toObject = function(opt_includeInstance) {
  return proto.api.OAuth2LoginResponse.toObject(opt_includeInstance, this);
 };
 /**
 * Static version of the {@see toObject} method.
 * @param {boolean|undefined} includeInstance Deprecated. Whether to include
 *     the JSPB instance for transitional soy proto support:
 *     http://goto/soy-param-migration
 * @param {!proto.api.OAuth2LoginResponse} msg The msg instance to transform.
 * @return {!Object}
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2LoginResponse.toObject = function(includeInstance, msg) {
  var f, obj = {
    token: jspb.Message.getFieldWithDefault(msg, 1, "")
  };
  if (includeInstance) {
    obj.$jspbMessageInstance = msg;
  }
  return obj;
 };
 }
 /**
 * Deserializes binary data (in protobuf wire format).
 * @param {jspb.ByteSource} bytes The bytes to deserialize.
 * @return {!proto.api.OAuth2LoginResponse}
 */
 proto.api.OAuth2LoginResponse.deserializeBinary = function(bytes) {
  var reader = new jspb.BinaryReader(bytes);
  var msg = new proto.api.OAuth2LoginResponse;
  return proto.api.OAuth2LoginResponse.deserializeBinaryFromReader(msg, reader);
 };
 /**
 * Deserializes binary data (in protobuf wire format) from the
 * given reader into the given message object.
 * @param {!proto.api.OAuth2LoginResponse} msg The message object to deserialize into.
 * @param {!jspb.BinaryReader} reader The BinaryReader to use.
 * @return {!proto.api.OAuth2LoginResponse}
 */
 proto.api.OAuth2LoginResponse.deserializeBinaryFromReader = function(msg, reader) {
  while (reader.nextField()) {
    if (reader.isEndGroup()) {
      break;
    }
    var field = reader.getFieldNumber();
    switch (field) {
    case 1:
      var value = /** @type {string} */ (reader.readString());
      msg.setToken(value);
      break;
    default:
      reader.skipField();
      break;
    }
  }
  return msg;
 };
 /**
 * Serializes the message to binary data (in protobuf wire format).
 * @return {!Uint8Array}
 */
 proto.api.OAuth2LoginResponse.prototype.serializeBinary = function() {
  var writer = new jspb.BinaryWriter();
  proto.api.OAuth2LoginResponse.serializeBinaryToWriter(this, writer);
  return writer.getResultBuffer();
 };
 /**
 * Serializes the given message to binary data (in protobuf wire
 * format), writing to the given BinaryWriter.
 * @param {!proto.api.OAuth2LoginResponse} message
 * @param {!jspb.BinaryWriter} writer
 * @suppress {unusedLocalVariables} f is only used for nested messages
 */
 proto.api.OAuth2LoginResponse.serializeBinaryToWriter = function(message, writer) {
  var f = undefined;
  f = message.getToken();
  if (f.length > 0) {
    writer.writeString(
      1,
      f
    );
  }
 };
 /**
 * optional string token = 1;
 * @return {string}
 */
 proto.api.OAuth2LoginResponse.prototype.getToken = function() {
  return /** @type {string} */ (jspb.Message.getFieldWithDefault(this, 1, ""));
 };
 /**
 * @param {string} value
 * @return {!proto.api.OAuth2LoginResponse} returns this
 */
 proto.api.OAuth2LoginResponse.prototype.setToken = function(value) {
  return jspb.Message.setProto3StringField(this, 1, value);
 };
 if (jspb.Message.GENERATE_TO_OBJECT) {
 /**
 * Creates an object representation of this proto.
--- a/api/proto/api/internal.proto
+++ b/api/proto/api/internal.proto
@ -15,361 +15,396 @@ import "api/user.proto";
 // InternalService is the service providing API endpoints for internal usage.
 service InternalService {
-	// Log in a user
+  // Log in a user
-	rpc Login(LoginRequest) returns (LoginResponse) {}
+  rpc Login(LoginRequest) returns (LoginResponse) {}
-	// Get the current user's profile
+  // Get the current user's profile
-	rpc Profile(google.protobuf.Empty) returns (ProfileResponse) {}
+  rpc Profile(google.protobuf.Empty) returns (ProfileResponse) {}
-	// Perform a global search.
+  // Perform a global search.
-	rpc GlobalSearch(GlobalSearchRequest) returns (GlobalSearchResponse) {}
+  rpc GlobalSearch(GlobalSearchRequest) returns (GlobalSearchResponse) {}
-    // CreateApiKey creates the given API key.
+  // CreateApiKey creates the given API key.
-    rpc CreateApiKey(CreateApiKeyRequest) returns (CreateApiKeyResponse) {}
+  rpc CreateApiKey(CreateApiKeyRequest) returns (CreateApiKeyResponse) {}
-    // DeleteApiKey deletes the API key.
+  // DeleteApiKey deletes the API key.
-    rpc DeleteApiKey(DeleteApiKeyRequest) returns (google.protobuf.Empty) {}
+  rpc DeleteApiKey(DeleteApiKeyRequest) returns (google.protobuf.Empty) {}
-    // ListApiKeys lists the available API keys.
+  // ListApiKeys lists the available API keys.
-    rpc ListApiKeys(ListApiKeysRequest) returns (ListApiKeysResponse) {}
+  rpc ListApiKeys(ListApiKeysRequest) returns (ListApiKeysResponse) {}
-    // Get the global settings.
+  // Get the global settings.
-    rpc Settings(google.protobuf.Empty) returns (SettingsResponse) {}
+  rpc Settings(google.protobuf.Empty) returns (SettingsResponse) {}
-    // OpenId Connect login.
+  // OpenId Connect login.
-    rpc OpenIdConnectLogin(OpenIdConnectLoginRequest) returns (OpenIdConnectLoginResponse) {}
+  rpc OpenIdConnectLogin(OpenIdConnectLoginRequest)
      returns (OpenIdConnectLoginResponse) {}
-    // GetDevicesSummary returns an aggregated summary of the devices.
+  // OAuth2 login.
-    rpc GetDevicesSummary(GetDevicesSummaryRequest) returns (GetDevicesSummaryResponse) {}
+  rpc OAuth2Login(OAuth2LoginRequest) returns (OAuth2LoginResponse) {}
-    // GetGatewaysSummary returns an aggregated summary of the gateways.
+  // GetDevicesSummary returns an aggregated summary of the devices.
-    rpc GetGatewaysSummary(GetGatewaysSummaryRequest) returns (GetGatewaysSummaryResponse) {}
+  rpc GetDevicesSummary(GetDevicesSummaryRequest)
      returns (GetDevicesSummaryResponse) {}
-    // Stream frame for the given Gateway ID.
+  // GetGatewaysSummary returns an aggregated summary of the gateways.
-    rpc StreamGatewayFrames(StreamGatewayFramesRequest) returns (stream LogItem) {}
+  rpc GetGatewaysSummary(GetGatewaysSummaryRequest)
      returns (GetGatewaysSummaryResponse) {}
-    // Stream frames for the given Device EUI.
+  // Stream frame for the given Gateway ID.
-    rpc StreamDeviceFrames(StreamDeviceFramesRequest) returns (stream LogItem) {}
+  rpc StreamGatewayFrames(StreamGatewayFramesRequest) returns (stream LogItem) {
  }
-    // Stream events for the given Device EUI.
+  // Stream frames for the given Device EUI.
-    rpc StreamDeviceEvents(StreamDeviceEventsRequest) returns (stream LogItem) {}
+  rpc StreamDeviceFrames(StreamDeviceFramesRequest) returns (stream LogItem) {}
-    // ListRegions lists the available (configured) regions.
+  // Stream events for the given Device EUI.
-    rpc ListRegions(google.protobuf.Empty) returns (ListRegionsResponse) {}
+  rpc StreamDeviceEvents(StreamDeviceEventsRequest) returns (stream LogItem) {}
-    // GetRegion returns the region details for the given region.
+  // ListRegions lists the available (configured) regions.
-    rpc GetRegion(GetRegionRequest) returns (GetRegionResponse) {}
+  rpc ListRegions(google.protobuf.Empty) returns (ListRegionsResponse) {}
  // GetRegion returns the region details for the given region.
  rpc GetRegion(GetRegionRequest) returns (GetRegionResponse) {}
 }
 message ApiKey {
-    // API key ID.
+  // API key ID.
-    // This value will be automatically generated on create.
+  // This value will be automatically generated on create.
-    string id = 1;
+  string id = 1;
-    // Name.
+  // Name.
-    string name = 2;
+  string name = 2;
-    // Is global admin key.
+  // Is global admin key.
-    bool is_admin = 3;
+  bool is_admin = 3;
-    // Tenant ID.
+  // Tenant ID.
-    // In case the API key is intended to manage resources under a single tenant.
+  // In case the API key is intended to manage resources under a single tenant.
-    string tenant_id = 4;
+  string tenant_id = 4;
 }
 message CreateApiKeyRequest {
-    // The API key to create.
+  // The API key to create.
-    ApiKey api_key = 1;
+  ApiKey api_key = 1;
 }
 message CreateApiKeyResponse {
-    // API key ID.
+  // API key ID.
-    string id = 1;
+  string id = 1;
-    // API token for authentication API requests.
+  // API token for authentication API requests.
-    string token = 2;
+  string token = 2;
 }
 message DeleteApiKeyRequest {
-    // API key ID.
+  // API key ID.
-    string id = 1;
+  string id = 1;
 }
 message ListApiKeysRequest {
-    // Max number of items to return.
+  // Max number of items to return.
-    uint32 limit = 1;
+  uint32 limit = 1;
-    // Offset in the result-set (for pagination).
+  // Offset in the result-set (for pagination).
-    uint32 offset = 2;
+  uint32 offset = 2;
-    // Return only admin keys.
+  // Return only admin keys.
-    bool is_admin = 3;
+  bool is_admin = 3;
-    // Filter on tenant ID.
+  // Filter on tenant ID.
-    string tenant_id = 4;
+  string tenant_id = 4;
 }
 message ListApiKeysResponse {
-    // Total number of API keys.
+  // Total number of API keys.
-    uint32 total_count = 1;
+  uint32 total_count = 1;
-    repeated ApiKey result = 2;
+  repeated ApiKey result = 2;
 }
 // Defines a tenant to which the user is associated.
 message UserTenantLink {
-    // Created at timestamp.
+  // Created at timestamp.
-    google.protobuf.Timestamp created_at = 1;
+  google.protobuf.Timestamp created_at = 1;
-    // Last update timestamp.
+  // Last update timestamp.
-	google.protobuf.Timestamp updated_at = 2;
+  google.protobuf.Timestamp updated_at = 2;
-    // Tenant ID.
+  // Tenant ID.
-    string tenant_id = 3;
+  string tenant_id = 3;
-    // User is admin within the context of this tenant.
+  // User is admin within the context of this tenant.
-    // There is no need to set the is_device_admin and is_gateway_admin flags.
+  // There is no need to set the is_device_admin and is_gateway_admin flags.
-    bool is_admin = 4;
+  bool is_admin = 4;
-    // User is able to modify device related resources (applications,
+  // User is able to modify device related resources (applications,
-    // device-profiles, devices, multicast-groups).
+  // device-profiles, devices, multicast-groups).
-    bool is_device_admin = 5;
+  bool is_device_admin = 5;
-    // User is able to modify gateways.
+  // User is able to modify gateways.
-    bool is_gateway_admin = 6;
+  bool is_gateway_admin = 6;
 }
 message LoginRequest {
-	// Email of the user.
+  // Email of the user.
-	string email = 1;
+  string email = 1;
-	// Password of the user.
+  // Password of the user.
-	string password = 2;
+  string password = 2;
 }
 message LoginResponse {
-	// The JWT tag to be used to access chirpstack-application-server interfaces.
+  // The JWT tag to be used to access chirpstack-application-server interfaces.
-	string jwt = 1;
+  string jwt = 1;
 }
 message ProfileResponse {
-    // User object.
+  // User object.
-    User user = 1;
+  User user = 1;
-    // Tenants to which the user is associated.
+  // Tenants to which the user is associated.
-    repeated UserTenantLink tenants = 3;
+  repeated UserTenantLink tenants = 3;
 }
 message GlobalSearchRequest {
-	// Search query.
+  // Search query.
-	string search = 1;
+  string search = 1;
-	// Max number of results to return.
+  // Max number of results to return.
-	int64 limit = 2;
+  int64 limit = 2;
-	// Offset offset of the result-set (for pagination).
+  // Offset offset of the result-set (for pagination).
-	int64 offset = 3;
+  int64 offset = 3;
 }
-message GlobalSearchResponse {
+message GlobalSearchResponse { repeated GlobalSearchResult result = 1; }
 	repeated GlobalSearchResult result = 1;
 }
 message GlobalSearchResult {
-	// Record kind.
+  // Record kind.
-	string kind = 1;
+  string kind = 1;
-	// Search score.
+  // Search score.
-	float score = 2;
+  float score = 2;
-	// Organization id.
+  // Organization id.
-	string tenant_id = 3;
+  string tenant_id = 3;
-	// Organization name.
+  // Organization name.
-	string tenant_name = 4;
+  string tenant_name = 4;
-	// Application id.
+  // Application id.
-	string application_id = 5;
+  string application_id = 5;
-	// Application name.
+  // Application name.
-	string application_name = 6;
+  string application_name = 6;
-	// Device DevEUI (hex encoded).
+  // Device DevEUI (hex encoded).
-	string device_dev_eui = 7;
+  string device_dev_eui = 7;
-	// Device name.
+  // Device name.
-	string device_name = 8;
+  string device_name = 8;
-	// Gateway MAC (hex encoded).
+  // Gateway MAC (hex encoded).
-	string gateway_id = 9;
+  string gateway_id = 9;
-	// Gateway name.
+  // Gateway name.
-	string gateway_name = 10;
+  string gateway_name = 10;
 }
 message SettingsResponse {
-    // OpenId Connect settings.
+  // OpenId Connect settings.
-    OpenIdConnect openid_connect = 1;
+  OpenIdConnect openid_connect = 1;
  // OAuth2 settings.
  OAuth2 oauth2 = 2;
 }
 message OpenIdConnect {
-    // Enable OpenId Connect authentication.
+  // Enable OpenId Connect authentication.
-    bool enabled = 1;
+  bool enabled = 1;
-    // Login url.
+  // Login url.
-    string login_url = 2 [json_name = "loginURL"];
+  string login_url = 2;
-    // Login label.
+  // Login label.
-    string login_label = 3;
+  string login_label = 3;
-    // Logout url.
+  // Logout url.
-    string logout_url = 4 [json_name = "logoutURL"];
+  string logout_url = 4;
 }
 message OAuth2 {
  // OAuth2 is enabled.
  bool enabled = 1;
  // Login url.
  string login_url = 2;
  // Login label.
  string login_label = 3;
  // Logout url.
  string logout_url = 4;
 }
 message OpenIdConnectLoginRequest {
-    // OpenId Connect callback code.
+  // OpenId Connect callback code.
-    string code = 1;
+  string code = 1;
-    // OpenId Connect callback state.
+  // OpenId Connect callback state.
-    string state = 2;
+  string state = 2;
 }
 message OpenIdConnectLoginResponse {
-    // Token to use for authentication.
+  // Token to use for authentication.
-    string token = 1;
+  string token = 1;
 }
 message OAuth2LoginRequest {
  // OAuth2 callback code.
  string code = 1;
  // OAuth2 callback state.
  string state = 2;
 }
 message OAuth2LoginResponse {
  // Token to use for authentication.
  string token = 1;
 }
 message GetDevicesSummaryRequest {
-    // Tenant ID (UUID).
+  // Tenant ID (UUID).
-    string tenant_id = 1;
+  string tenant_id = 1;
 }
 message GetDevicesSummaryResponse {
-    // Active count.
+  // Active count.
-    uint32 active_count = 1;
+  uint32 active_count = 1;
-    // Inactive count.
+  // Inactive count.
-    uint32 inactive_count = 2;
+  uint32 inactive_count = 2;
-    // per data-rate count.
+  // per data-rate count.
-    // Devices that have never been seen are excluded.
+  // Devices that have never been seen are excluded.
-    map<uint32, uint32> dr_count = 3;
+  map<uint32, uint32> dr_count = 3;
-    // Never seen count.
+  // Never seen count.
-    uint32 never_seen_count = 4;
+  uint32 never_seen_count = 4;
 }
 message GetGatewaysSummaryRequest {
-    // Tenant ID (UUID).
+  // Tenant ID (UUID).
-    string tenant_id = 1;
+  string tenant_id = 1;
 }
 message GetGatewaysSummaryResponse {
-    // Online count.
+  // Online count.
-    uint32 online_count = 1;
+  uint32 online_count = 1;
-    // Offline count.
+  // Offline count.
-    uint32 offline_count = 2;
+  uint32 offline_count = 2;
-    // Never seen count.
+  // Never seen count.
-    uint32 never_seen_count = 3;
+  uint32 never_seen_count = 3;
 }
 message LogItem {
-    // ID.
+  // ID.
-    string id = 1;
+  string id = 1;
-    // Timestamp.
+  // Timestamp.
-    google.protobuf.Timestamp time = 2;
+  google.protobuf.Timestamp time = 2;
-    // Message.
+  // Message.
-    string description = 3;
+  string description = 3;
-    // Body.
+  // Body.
-    string body = 4;
+  string body = 4;
-    // Properties.
+  // Properties.
-    map<string, string> properties = 5;
+  map<string, string> properties = 5;
 }
 message StreamGatewayFramesRequest {
-    // Gateway ID (EUI64).
+  // Gateway ID (EUI64).
-    string gateway_id = 1;
+  string gateway_id = 1;
 }
 message StreamDeviceFramesRequest {
-    // Device EUI.
+  // Device EUI.
-    string dev_eui = 1;
+  string dev_eui = 1;
 }
 message StreamDeviceEventsRequest {
-    // Device EUI.
+  // Device EUI.
-    string dev_eui = 1;
+  string dev_eui = 1;
 }
 message ListRegionsResponse {
-    // Configured regions.
+  // Configured regions.
-    repeated RegionListItem regions = 1;
+  repeated RegionListItem regions = 1;
 }
 message RegionListItem {
-    // ID.
+  // ID.
-    string id = 1;
+  string id = 1;
-    // Region.
+  // Region.
-    common.Region region = 2;
+  common.Region region = 2;
-    // Description.
+  // Description.
-    string description = 3;
+  string description = 3;
 }
 message GetRegionRequest {
-    // Region ID.
+  // Region ID.
-    string id = 1;
+  string id = 1;
 }
 message GetRegionResponse {
-    // ID.
+  // ID.
-    string id = 1;
+  string id = 1;
-    // Region.
+  // Region.
-    common.Region region = 2;
+  common.Region region = 2;
-    // User information.
+  // User information.
-    string user_info = 3;
+  string user_info = 3;
-    // Uplink channels.
+  // Uplink channels.
-    repeated RegionChannel uplink_channels = 4;
+  repeated RegionChannel uplink_channels = 4;
-    // RX1 delay.
+  // RX1 delay.
-    uint32 rx1_delay = 5;
+  uint32 rx1_delay = 5;
-    // RX1 data-rate offset.
+  // RX1 data-rate offset.
-    uint32 rx1_dr_offset = 6;
+  uint32 rx1_dr_offset = 6;
-    // RX2 DR.
+  // RX2 DR.
-    uint32 rx2_dr = 7;
+  uint32 rx2_dr = 7;
-    // RX2 frequency.
+  // RX2 frequency.
-    uint32 rx2_frequency = 8;
+  uint32 rx2_frequency = 8;
-    // Class-B ping-slot DR.
+  // Class-B ping-slot DR.
-    uint32 class_b_ping_slot_dr = 9;
+  uint32 class_b_ping_slot_dr = 9;
-    // Class-B ping-slot frequency.
+  // Class-B ping-slot frequency.
-    uint32 class_b_ping_slot_frequency = 10;
+  uint32 class_b_ping_slot_frequency = 10;
-    // Region description.
+  // Region description.
-    string description = 11;
+  string description = 11;
 }
 message RegionChannel {
-    // Frequency (Hz).
+  // Frequency (Hz).
-    uint32 frequency = 1;
+  uint32 frequency = 1;
-    // Min DR.
+  // Min DR.
-    uint32 dr_min = 2;
+  uint32 dr_min = 2;
-    // Max DR.
+  // Max DR.
-    uint32 dr_max = 3;
+  uint32 dr_max = 3;
 }
--- a/api/python/proto/chirpstack-api/api/internal.proto
+++ b/api/python/proto/chirpstack-api/api/internal.proto
@ -15,361 +15,396 @@ import "chirpstack-api/api/user.proto";
 // InternalService is the service providing API endpoints for internal usage.
 service InternalService {
-	// Log in a user
+  // Log in a user
-	rpc Login(LoginRequest) returns (LoginResponse) {}
+  rpc Login(LoginRequest) returns (LoginResponse) {}
-	// Get the current user's profile
+  // Get the current user's profile
-	rpc Profile(google.protobuf.Empty) returns (ProfileResponse) {}
+  rpc Profile(google.protobuf.Empty) returns (ProfileResponse) {}
-	// Perform a global search.
+  // Perform a global search.
-	rpc GlobalSearch(GlobalSearchRequest) returns (GlobalSearchResponse) {}
+  rpc GlobalSearch(GlobalSearchRequest) returns (GlobalSearchResponse) {}
-    // CreateApiKey creates the given API key.
+  // CreateApiKey creates the given API key.
-    rpc CreateApiKey(CreateApiKeyRequest) returns (CreateApiKeyResponse) {}
+  rpc CreateApiKey(CreateApiKeyRequest) returns (CreateApiKeyResponse) {}
-    // DeleteApiKey deletes the API key.
+  // DeleteApiKey deletes the API key.
-    rpc DeleteApiKey(DeleteApiKeyRequest) returns (google.protobuf.Empty) {}
+  rpc DeleteApiKey(DeleteApiKeyRequest) returns (google.protobuf.Empty) {}
-    // ListApiKeys lists the available API keys.
+  // ListApiKeys lists the available API keys.
-    rpc ListApiKeys(ListApiKeysRequest) returns (ListApiKeysResponse) {}
+  rpc ListApiKeys(ListApiKeysRequest) returns (ListApiKeysResponse) {}
-    // Get the global settings.
+  // Get the global settings.
-    rpc Settings(google.protobuf.Empty) returns (SettingsResponse) {}
+  rpc Settings(google.protobuf.Empty) returns (SettingsResponse) {}
-    // OpenId Connect login.
+  // OpenId Connect login.
-    rpc OpenIdConnectLogin(OpenIdConnectLoginRequest) returns (OpenIdConnectLoginResponse) {}
+  rpc OpenIdConnectLogin(OpenIdConnectLoginRequest)
      returns (OpenIdConnectLoginResponse) {}
-    // GetDevicesSummary returns an aggregated summary of the devices.
+  // OAuth2 login.
-    rpc GetDevicesSummary(GetDevicesSummaryRequest) returns (GetDevicesSummaryResponse) {}
+  rpc OAuth2Login(OAuth2LoginRequest) returns (OAuth2LoginResponse) {}
-    // GetGatewaysSummary returns an aggregated summary of the gateways.
+  // GetDevicesSummary returns an aggregated summary of the devices.
-    rpc GetGatewaysSummary(GetGatewaysSummaryRequest) returns (GetGatewaysSummaryResponse) {}
+  rpc GetDevicesSummary(GetDevicesSummaryRequest)
      returns (GetDevicesSummaryResponse) {}
-    // Stream frame for the given Gateway ID.
+  // GetGatewaysSummary returns an aggregated summary of the gateways.
-    rpc StreamGatewayFrames(StreamGatewayFramesRequest) returns (stream LogItem) {}
+  rpc GetGatewaysSummary(GetGatewaysSummaryRequest)
      returns (GetGatewaysSummaryResponse) {}
-    // Stream frames for the given Device EUI.
+  // Stream frame for the given Gateway ID.
-    rpc StreamDeviceFrames(StreamDeviceFramesRequest) returns (stream LogItem) {}
+  rpc StreamGatewayFrames(StreamGatewayFramesRequest) returns (stream LogItem) {
  }
-    // Stream events for the given Device EUI.
+  // Stream frames for the given Device EUI.
-    rpc StreamDeviceEvents(StreamDeviceEventsRequest) returns (stream LogItem) {}
+  rpc StreamDeviceFrames(StreamDeviceFramesRequest) returns (stream LogItem) {}
-    // ListRegions lists the available (configured) regions.
+  // Stream events for the given Device EUI.
-    rpc ListRegions(google.protobuf.Empty) returns (ListRegionsResponse) {}
+  rpc StreamDeviceEvents(StreamDeviceEventsRequest) returns (stream LogItem) {}
-    // GetRegion returns the region details for the given region.
+  // ListRegions lists the available (configured) regions.
-    rpc GetRegion(GetRegionRequest) returns (GetRegionResponse) {}
+  rpc ListRegions(google.protobuf.Empty) returns (ListRegionsResponse) {}
  // GetRegion returns the region details for the given region.
  rpc GetRegion(GetRegionRequest) returns (GetRegionResponse) {}
 }
 message ApiKey {
-    // API key ID.
+  // API key ID.
-    // This value will be automatically generated on create.
+  // This value will be automatically generated on create.
-    string id = 1;
+  string id = 1;
-    // Name.
+  // Name.
-    string name = 2;
+  string name = 2;
-    // Is global admin key.
+  // Is global admin key.
-    bool is_admin = 3;
+  bool is_admin = 3;
-    // Tenant ID.
+  // Tenant ID.
-    // In case the API key is intended to manage resources under a single tenant.
+  // In case the API key is intended to manage resources under a single tenant.
-    string tenant_id = 4;
+  string tenant_id = 4;
 }
 message CreateApiKeyRequest {
-    // The API key to create.
+  // The API key to create.
-    ApiKey api_key = 1;
+  ApiKey api_key = 1;
 }
 message CreateApiKeyResponse {
-    // API key ID.
+  // API key ID.
-    string id = 1;
+  string id = 1;
-    // API token for authentication API requests.
+  // API token for authentication API requests.
-    string token = 2;
+  string token = 2;
 }
 message DeleteApiKeyRequest {
-    // API key ID.
+  // API key ID.
-    string id = 1;
+  string id = 1;
 }
 message ListApiKeysRequest {
-    // Max number of items to return.
+  // Max number of items to return.
-    uint32 limit = 1;
+  uint32 limit = 1;
-    // Offset in the result-set (for pagination).
+  // Offset in the result-set (for pagination).
-    uint32 offset = 2;
+  uint32 offset = 2;
-    // Return only admin keys.
+  // Return only admin keys.
-    bool is_admin = 3;
+  bool is_admin = 3;
-    // Filter on tenant ID.
+  // Filter on tenant ID.
-    string tenant_id = 4;
+  string tenant_id = 4;
 }
 message ListApiKeysResponse {
-    // Total number of API keys.
+  // Total number of API keys.
-    uint32 total_count = 1;
+  uint32 total_count = 1;
-    repeated ApiKey result = 2;
+  repeated ApiKey result = 2;
 }
 // Defines a tenant to which the user is associated.
 message UserTenantLink {
-    // Created at timestamp.
+  // Created at timestamp.
-    google.protobuf.Timestamp created_at = 1;
+  google.protobuf.Timestamp created_at = 1;
-    // Last update timestamp.
+  // Last update timestamp.
-	google.protobuf.Timestamp updated_at = 2;
+  google.protobuf.Timestamp updated_at = 2;
-    // Tenant ID.
+  // Tenant ID.
-    string tenant_id = 3;
+  string tenant_id = 3;
-    // User is admin within the context of this tenant.
+  // User is admin within the context of this tenant.
-    // There is no need to set the is_device_admin and is_gateway_admin flags.
+  // There is no need to set the is_device_admin and is_gateway_admin flags.
-    bool is_admin = 4;
+  bool is_admin = 4;
-    // User is able to modify device related resources (applications,
+  // User is able to modify device related resources (applications,
-    // device-profiles, devices, multicast-groups).
+  // device-profiles, devices, multicast-groups).
-    bool is_device_admin = 5;
+  bool is_device_admin = 5;
-    // User is able to modify gateways.
+  // User is able to modify gateways.
-    bool is_gateway_admin = 6;
+  bool is_gateway_admin = 6;
 }
 message LoginRequest {
-	// Email of the user.
+  // Email of the user.
-	string email = 1;
+  string email = 1;
-	// Password of the user.
+  // Password of the user.
-	string password = 2;
+  string password = 2;
 }
 message LoginResponse {
-	// The JWT tag to be used to access chirpstack-application-server interfaces.
+  // The JWT tag to be used to access chirpstack-application-server interfaces.
-	string jwt = 1;
+  string jwt = 1;
 }
 message ProfileResponse {
-    // User object.
+  // User object.
-    User user = 1;
+  User user = 1;
-    // Tenants to which the user is associated.
+  // Tenants to which the user is associated.
-    repeated UserTenantLink tenants = 3;
+  repeated UserTenantLink tenants = 3;
 }
 message GlobalSearchRequest {
-	// Search query.
+  // Search query.
-	string search = 1;
+  string search = 1;
-	// Max number of results to return.
+  // Max number of results to return.
-	int64 limit = 2;
+  int64 limit = 2;
-	// Offset offset of the result-set (for pagination).
+  // Offset offset of the result-set (for pagination).
-	int64 offset = 3;
+  int64 offset = 3;
 }
-message GlobalSearchResponse {
+message GlobalSearchResponse { repeated GlobalSearchResult result = 1; }
 	repeated GlobalSearchResult result = 1;
 }
 message GlobalSearchResult {
-	// Record kind.
+  // Record kind.
-	string kind = 1;
+  string kind = 1;
-	// Search score.
+  // Search score.
-	float score = 2;
+  float score = 2;
-	// Organization id.
+  // Organization id.
-	string tenant_id = 3;
+  string tenant_id = 3;
-	// Organization name.
+  // Organization name.
-	string tenant_name = 4;
+  string tenant_name = 4;
-	// Application id.
+  // Application id.
-	string application_id = 5;
+  string application_id = 5;
-	// Application name.
+  // Application name.
-	string application_name = 6;
+  string application_name = 6;
-	// Device DevEUI (hex encoded).
+  // Device DevEUI (hex encoded).
-	string device_dev_eui = 7;
+  string device_dev_eui = 7;
-	// Device name.
+  // Device name.
-	string device_name = 8;
+  string device_name = 8;
-	// Gateway MAC (hex encoded).
+  // Gateway MAC (hex encoded).
-	string gateway_id = 9;
+  string gateway_id = 9;
-	// Gateway name.
+  // Gateway name.
-	string gateway_name = 10;
+  string gateway_name = 10;
 }
 message SettingsResponse {
-    // OpenId Connect settings.
+  // OpenId Connect settings.
-    OpenIdConnect openid_connect = 1;
+  OpenIdConnect openid_connect = 1;
  // OAuth2 settings.
  OAuth2 oauth2 = 2;
 }
 message OpenIdConnect {
-    // Enable OpenId Connect authentication.
+  // Enable OpenId Connect authentication.
-    bool enabled = 1;
+  bool enabled = 1;
-    // Login url.
+  // Login url.
-    string login_url = 2 [json_name = "loginURL"];
+  string login_url = 2;
-    // Login label.
+  // Login label.
-    string login_label = 3;
+  string login_label = 3;
-    // Logout url.
+  // Logout url.
-    string logout_url = 4 [json_name = "logoutURL"];
+  string logout_url = 4;
 }
 message OAuth2 {
  // OAuth2 is enabled.
  bool enabled = 1;
  // Login url.
  string login_url = 2;
  // Login label.
  string login_label = 3;
  // Logout url.
  string logout_url = 4;
 }
 message OpenIdConnectLoginRequest {
-    // OpenId Connect callback code.
+  // OpenId Connect callback code.
-    string code = 1;
+  string code = 1;
-    // OpenId Connect callback state.
+  // OpenId Connect callback state.
-    string state = 2;
+  string state = 2;
 }
 message OpenIdConnectLoginResponse {
-    // Token to use for authentication.
+  // Token to use for authentication.
-    string token = 1;
+  string token = 1;
 }
 message OAuth2LoginRequest {
  // OAuth2 callback code.
  string code = 1;
  // OAuth2 callback state.
  string state = 2;
 }
 message OAuth2LoginResponse {
  // Token to use for authentication.
  string token = 1;
 }
 message GetDevicesSummaryRequest {
-    // Tenant ID (UUID).
+  // Tenant ID (UUID).
-    string tenant_id = 1;
+  string tenant_id = 1;
 }
 message GetDevicesSummaryResponse {
-    // Active count.
+  // Active count.
-    uint32 active_count = 1;
+  uint32 active_count = 1;
-    // Inactive count.
+  // Inactive count.
-    uint32 inactive_count = 2;
+  uint32 inactive_count = 2;
-    // per data-rate count.
+  // per data-rate count.
-    // Devices that have never been seen are excluded.
+  // Devices that have never been seen are excluded.
-    map<uint32, uint32> dr_count = 3;
+  map<uint32, uint32> dr_count = 3;
-    // Never seen count.
+  // Never seen count.
-    uint32 never_seen_count = 4;
+  uint32 never_seen_count = 4;
 }
 message GetGatewaysSummaryRequest {
-    // Tenant ID (UUID).
+  // Tenant ID (UUID).
-    string tenant_id = 1;
+  string tenant_id = 1;
 }
 message GetGatewaysSummaryResponse {
-    // Online count.
+  // Online count.
-    uint32 online_count = 1;
+  uint32 online_count = 1;
-    // Offline count.
+  // Offline count.
-    uint32 offline_count = 2;
+  uint32 offline_count = 2;
-    // Never seen count.
+  // Never seen count.
-    uint32 never_seen_count = 3;
+  uint32 never_seen_count = 3;
 }
 message LogItem {
-    // ID.
+  // ID.
-    string id = 1;
+  string id = 1;
-    // Timestamp.
+  // Timestamp.
-    google.protobuf.Timestamp time = 2;
+  google.protobuf.Timestamp time = 2;
-    // Message.
+  // Message.
-    string description = 3;
+  string description = 3;
-    // Body.
+  // Body.
-    string body = 4;
+  string body = 4;
-    // Properties.
+  // Properties.
-    map<string, string> properties = 5;
+  map<string, string> properties = 5;
 }
 message StreamGatewayFramesRequest {
-    // Gateway ID (EUI64).
+  // Gateway ID (EUI64).
-    string gateway_id = 1;
+  string gateway_id = 1;
 }
 message StreamDeviceFramesRequest {
-    // Device EUI.
+  // Device EUI.
-    string dev_eui = 1;
+  string dev_eui = 1;
 }
 message StreamDeviceEventsRequest {
-    // Device EUI.
+  // Device EUI.
-    string dev_eui = 1;
+  string dev_eui = 1;
 }
 message ListRegionsResponse {
-    // Configured regions.
+  // Configured regions.
-    repeated RegionListItem regions = 1;
+  repeated RegionListItem regions = 1;
 }
 message RegionListItem {
-    // ID.
+  // ID.
-    string id = 1;
+  string id = 1;
-    // Region.
+  // Region.
-    common.Region region = 2;
+  common.Region region = 2;
-    // Description.
+  // Description.
-    string description = 3;
+  string description = 3;
 }
 message GetRegionRequest {
-    // Region ID.
+  // Region ID.
-    string id = 1;
+  string id = 1;
 }
 message GetRegionResponse {
-    // ID.
+  // ID.
-    string id = 1;
+  string id = 1;
-    // Region.
+  // Region.
-    common.Region region = 2;
+  common.Region region = 2;
-    // User information.
+  // User information.
-    string user_info = 3;
+  string user_info = 3;
-    // Uplink channels.
+  // Uplink channels.
-    repeated RegionChannel uplink_channels = 4;
+  repeated RegionChannel uplink_channels = 4;
-    // RX1 delay.
+  // RX1 delay.
-    uint32 rx1_delay = 5;
+  uint32 rx1_delay = 5;
-    // RX1 data-rate offset.
+  // RX1 data-rate offset.
-    uint32 rx1_dr_offset = 6;
+  uint32 rx1_dr_offset = 6;
-    // RX2 DR.
+  // RX2 DR.
-    uint32 rx2_dr = 7;
+  uint32 rx2_dr = 7;
-    // RX2 frequency.
+  // RX2 frequency.
-    uint32 rx2_frequency = 8;
+  uint32 rx2_frequency = 8;
-    // Class-B ping-slot DR.
+  // Class-B ping-slot DR.
-    uint32 class_b_ping_slot_dr = 9;
+  uint32 class_b_ping_slot_dr = 9;
-    // Class-B ping-slot frequency.
+  // Class-B ping-slot frequency.
-    uint32 class_b_ping_slot_frequency = 10;
+  uint32 class_b_ping_slot_frequency = 10;
-    // Region description.
+  // Region description.
-    string description = 11;
+  string description = 11;
 }
 message RegionChannel {
-    // Frequency (Hz).
+  // Frequency (Hz).
-    uint32 frequency = 1;
+  uint32 frequency = 1;
-    // Min DR.
+  // Min DR.
-    uint32 dr_min = 2;
+  uint32 dr_min = 2;
-    // Max DR.
+  // Max DR.
-    uint32 dr_max = 3;
+  uint32 dr_max = 3;
 }
--- a/api/python/src/chirpstack_api/api/internal_pb2.py
+++ b/api/python/src/chirpstack_api/api/internal_pb2.py
--- a/api/python/src/chirpstack_api/api/internal_pb2.pyi
+++ b/api/python/src/chirpstack_api/api/internal_pb2.pyi
@ -140,10 +140,12 @@ class GlobalSearchResult(_message.Message):
    def __init__(self, kind: _Optional[str] = ..., score: _Optional[float] = ..., tenant_id: _Optional[str] = ..., tenant_name: _Optional[str] = ..., application_id: _Optional[str] = ..., application_name: _Optional[str] = ..., device_dev_eui: _Optional[str] = ..., device_name: _Optional[str] = ..., gateway_id: _Optional[str] = ..., gateway_name: _Optional[str] = ...) -> None: ...
 class SettingsResponse(_message.Message):
-    __slots__ = ["openid_connect"]
+    __slots__ = ["openid_connect", "oauth2"]
    OPENID_CONNECT_FIELD_NUMBER: _ClassVar[int]
    OAUTH2_FIELD_NUMBER: _ClassVar[int]
    openid_connect: OpenIdConnect
-    def __init__(self, openid_connect: _Optional[_Union[OpenIdConnect, _Mapping]] = ...) -> None: ...
+    oauth2: OAuth2
    def __init__(self, openid_connect: _Optional[_Union[OpenIdConnect, _Mapping]] = ..., oauth2: _Optional[_Union[OAuth2, _Mapping]] = ...) -> None: ...
 class OpenIdConnect(_message.Message):
    __slots__ = ["enabled", "login_url", "login_label", "logout_url"]
@ -157,6 +159,18 @@ class OpenIdConnect(_message.Message):
    logout_url: str
    def __init__(self, enabled: bool = ..., login_url: _Optional[str] = ..., login_label: _Optional[str] = ..., logout_url: _Optional[str] = ...) -> None: ...
 class OAuth2(_message.Message):
    __slots__ = ["enabled", "login_url", "login_label", "logout_url"]
    ENABLED_FIELD_NUMBER: _ClassVar[int]
    LOGIN_URL_FIELD_NUMBER: _ClassVar[int]
    LOGIN_LABEL_FIELD_NUMBER: _ClassVar[int]
    LOGOUT_URL_FIELD_NUMBER: _ClassVar[int]
    enabled: bool
    login_url: str
    login_label: str
    logout_url: str
    def __init__(self, enabled: bool = ..., login_url: _Optional[str] = ..., login_label: _Optional[str] = ..., logout_url: _Optional[str] = ...) -> None: ...
 class OpenIdConnectLoginRequest(_message.Message):
    __slots__ = ["code", "state"]
    CODE_FIELD_NUMBER: _ClassVar[int]
@ -171,6 +185,20 @@ class OpenIdConnectLoginResponse(_message.Message):
    token: str
    def __init__(self, token: _Optional[str] = ...) -> None: ...
 class OAuth2LoginRequest(_message.Message):
    __slots__ = ["code", "state"]
    CODE_FIELD_NUMBER: _ClassVar[int]
    STATE_FIELD_NUMBER: _ClassVar[int]
    code: str
    state: str
    def __init__(self, code: _Optional[str] = ..., state: _Optional[str] = ...) -> None: ...
 class OAuth2LoginResponse(_message.Message):
    __slots__ = ["token"]
    TOKEN_FIELD_NUMBER: _ClassVar[int]
    token: str
    def __init__(self, token: _Optional[str] = ...) -> None: ...
 class GetDevicesSummaryRequest(_message.Message):
    __slots__ = ["tenant_id"]
    TENANT_ID_FIELD_NUMBER: _ClassVar[int]
--- a/api/python/src/chirpstack_api/api/internal_pb2_grpc.py
+++ b/api/python/src/chirpstack_api/api/internal_pb2_grpc.py
@ -56,6 +56,11 @@ class InternalServiceStub(object):
                request_serializer=chirpstack__api_dot_api_dot_internal__pb2.OpenIdConnectLoginRequest.SerializeToString,
                response_deserializer=chirpstack__api_dot_api_dot_internal__pb2.OpenIdConnectLoginResponse.FromString,
                )
        self.OAuth2Login = channel.unary_unary(
                '/api.InternalService/OAuth2Login',
                request_serializer=chirpstack__api_dot_api_dot_internal__pb2.OAuth2LoginRequest.SerializeToString,
                response_deserializer=chirpstack__api_dot_api_dot_internal__pb2.OAuth2LoginResponse.FromString,
                )
        self.GetDevicesSummary = channel.unary_unary(
                '/api.InternalService/GetDevicesSummary',
                request_serializer=chirpstack__api_dot_api_dot_internal__pb2.GetDevicesSummaryRequest.SerializeToString,
@ -153,6 +158,13 @@ class InternalServiceServicer(object):
        context.set_details('Method not implemented!')
        raise NotImplementedError('Method not implemented!')
    def OAuth2Login(self, request, context):
        """OAuth2 login.
        """
        context.set_code(grpc.StatusCode.UNIMPLEMENTED)
        context.set_details('Method not implemented!')
        raise NotImplementedError('Method not implemented!')
    def GetDevicesSummary(self, request, context):
        """GetDevicesSummary returns an aggregated summary of the devices.
        """
@ -245,6 +257,11 @@ def add_InternalServiceServicer_to_server(servicer, server):
                    request_deserializer=chirpstack__api_dot_api_dot_internal__pb2.OpenIdConnectLoginRequest.FromString,
                    response_serializer=chirpstack__api_dot_api_dot_internal__pb2.OpenIdConnectLoginResponse.SerializeToString,
            ),
            'OAuth2Login': grpc.unary_unary_rpc_method_handler(
                    servicer.OAuth2Login,
                    request_deserializer=chirpstack__api_dot_api_dot_internal__pb2.OAuth2LoginRequest.FromString,
                    response_serializer=chirpstack__api_dot_api_dot_internal__pb2.OAuth2LoginResponse.SerializeToString,
            ),
            'GetDevicesSummary': grpc.unary_unary_rpc_method_handler(
                    servicer.GetDevicesSummary,
                    request_deserializer=chirpstack__api_dot_api_dot_internal__pb2.GetDevicesSummaryRequest.FromString,
@ -427,6 +444,23 @@ class InternalService(object):
            options, channel_credentials,
            insecure, call_credentials, compression, wait_for_ready, timeout, metadata)
    @staticmethod
    def OAuth2Login(request,
            target,
            options=(),
            channel_credentials=None,
            call_credentials=None,
            insecure=False,
            compression=None,
            wait_for_ready=None,
            timeout=None,
            metadata=None):
        return grpc.experimental.unary_unary(request, target, '/api.InternalService/OAuth2Login',
            chirpstack__api_dot_api_dot_internal__pb2.OAuth2LoginRequest.SerializeToString,
            chirpstack__api_dot_api_dot_internal__pb2.OAuth2LoginResponse.FromString,
            options, channel_credentials,
            insecure, call_credentials, compression, wait_for_ready, timeout, metadata)
    @staticmethod
    def GetDevicesSummary(request,
            target,
--- a/api/rust/proto/chirpstack/api/internal.proto
+++ b/api/rust/proto/chirpstack/api/internal.proto
@ -15,361 +15,396 @@ import "api/user.proto";
 // InternalService is the service providing API endpoints for internal usage.
 service InternalService {
-	// Log in a user
+  // Log in a user
-	rpc Login(LoginRequest) returns (LoginResponse) {}
+  rpc Login(LoginRequest) returns (LoginResponse) {}
-	// Get the current user's profile
+  // Get the current user's profile
-	rpc Profile(google.protobuf.Empty) returns (ProfileResponse) {}
+  rpc Profile(google.protobuf.Empty) returns (ProfileResponse) {}
-	// Perform a global search.
+  // Perform a global search.
-	rpc GlobalSearch(GlobalSearchRequest) returns (GlobalSearchResponse) {}
+  rpc GlobalSearch(GlobalSearchRequest) returns (GlobalSearchResponse) {}
-    // CreateApiKey creates the given API key.
+  // CreateApiKey creates the given API key.
-    rpc CreateApiKey(CreateApiKeyRequest) returns (CreateApiKeyResponse) {}
+  rpc CreateApiKey(CreateApiKeyRequest) returns (CreateApiKeyResponse) {}
-    // DeleteApiKey deletes the API key.
+  // DeleteApiKey deletes the API key.
-    rpc DeleteApiKey(DeleteApiKeyRequest) returns (google.protobuf.Empty) {}
+  rpc DeleteApiKey(DeleteApiKeyRequest) returns (google.protobuf.Empty) {}
-    // ListApiKeys lists the available API keys.
+  // ListApiKeys lists the available API keys.
-    rpc ListApiKeys(ListApiKeysRequest) returns (ListApiKeysResponse) {}
+  rpc ListApiKeys(ListApiKeysRequest) returns (ListApiKeysResponse) {}
-    // Get the global settings.
+  // Get the global settings.
-    rpc Settings(google.protobuf.Empty) returns (SettingsResponse) {}
+  rpc Settings(google.protobuf.Empty) returns (SettingsResponse) {}
-    // OpenId Connect login.
+  // OpenId Connect login.
-    rpc OpenIdConnectLogin(OpenIdConnectLoginRequest) returns (OpenIdConnectLoginResponse) {}
+  rpc OpenIdConnectLogin(OpenIdConnectLoginRequest)
      returns (OpenIdConnectLoginResponse) {}
-    // GetDevicesSummary returns an aggregated summary of the devices.
+  // OAuth2 login.
-    rpc GetDevicesSummary(GetDevicesSummaryRequest) returns (GetDevicesSummaryResponse) {}
+  rpc OAuth2Login(OAuth2LoginRequest) returns (OAuth2LoginResponse) {}
-    // GetGatewaysSummary returns an aggregated summary of the gateways.
+  // GetDevicesSummary returns an aggregated summary of the devices.
-    rpc GetGatewaysSummary(GetGatewaysSummaryRequest) returns (GetGatewaysSummaryResponse) {}
+  rpc GetDevicesSummary(GetDevicesSummaryRequest)
      returns (GetDevicesSummaryResponse) {}
-    // Stream frame for the given Gateway ID.
+  // GetGatewaysSummary returns an aggregated summary of the gateways.
-    rpc StreamGatewayFrames(StreamGatewayFramesRequest) returns (stream LogItem) {}
+  rpc GetGatewaysSummary(GetGatewaysSummaryRequest)
      returns (GetGatewaysSummaryResponse) {}
-    // Stream frames for the given Device EUI.
+  // Stream frame for the given Gateway ID.
-    rpc StreamDeviceFrames(StreamDeviceFramesRequest) returns (stream LogItem) {}
+  rpc StreamGatewayFrames(StreamGatewayFramesRequest) returns (stream LogItem) {
  }
-    // Stream events for the given Device EUI.
+  // Stream frames for the given Device EUI.
-    rpc StreamDeviceEvents(StreamDeviceEventsRequest) returns (stream LogItem) {}
+  rpc StreamDeviceFrames(StreamDeviceFramesRequest) returns (stream LogItem) {}
-    // ListRegions lists the available (configured) regions.
+  // Stream events for the given Device EUI.
-    rpc ListRegions(google.protobuf.Empty) returns (ListRegionsResponse) {}
+  rpc StreamDeviceEvents(StreamDeviceEventsRequest) returns (stream LogItem) {}
-    // GetRegion returns the region details for the given region.
+  // ListRegions lists the available (configured) regions.
-    rpc GetRegion(GetRegionRequest) returns (GetRegionResponse) {}
+  rpc ListRegions(google.protobuf.Empty) returns (ListRegionsResponse) {}
  // GetRegion returns the region details for the given region.
  rpc GetRegion(GetRegionRequest) returns (GetRegionResponse) {}
 }
 message ApiKey {
-    // API key ID.
+  // API key ID.
-    // This value will be automatically generated on create.
+  // This value will be automatically generated on create.
-    string id = 1;
+  string id = 1;
-    // Name.
+  // Name.
-    string name = 2;
+  string name = 2;
-    // Is global admin key.
+  // Is global admin key.
-    bool is_admin = 3;
+  bool is_admin = 3;
-    // Tenant ID.
+  // Tenant ID.
-    // In case the API key is intended to manage resources under a single tenant.
+  // In case the API key is intended to manage resources under a single tenant.
-    string tenant_id = 4;
+  string tenant_id = 4;
 }
 message CreateApiKeyRequest {
-    // The API key to create.
+  // The API key to create.
-    ApiKey api_key = 1;
+  ApiKey api_key = 1;
 }
 message CreateApiKeyResponse {
-    // API key ID.
+  // API key ID.
-    string id = 1;
+  string id = 1;
-    // API token for authentication API requests.
+  // API token for authentication API requests.
-    string token = 2;
+  string token = 2;
 }
 message DeleteApiKeyRequest {
-    // API key ID.
+  // API key ID.
-    string id = 1;
+  string id = 1;
 }
 message ListApiKeysRequest {
-    // Max number of items to return.
+  // Max number of items to return.
-    uint32 limit = 1;
+  uint32 limit = 1;
-    // Offset in the result-set (for pagination).
+  // Offset in the result-set (for pagination).
-    uint32 offset = 2;
+  uint32 offset = 2;
-    // Return only admin keys.
+  // Return only admin keys.
-    bool is_admin = 3;
+  bool is_admin = 3;
-    // Filter on tenant ID.
+  // Filter on tenant ID.
-    string tenant_id = 4;
+  string tenant_id = 4;
 }
 message ListApiKeysResponse {
-    // Total number of API keys.
+  // Total number of API keys.
-    uint32 total_count = 1;
+  uint32 total_count = 1;
-    repeated ApiKey result = 2;
+  repeated ApiKey result = 2;
 }
 // Defines a tenant to which the user is associated.
 message UserTenantLink {
-    // Created at timestamp.
+  // Created at timestamp.
-    google.protobuf.Timestamp created_at = 1;
+  google.protobuf.Timestamp created_at = 1;
-    // Last update timestamp.
+  // Last update timestamp.
-	google.protobuf.Timestamp updated_at = 2;
+  google.protobuf.Timestamp updated_at = 2;
-    // Tenant ID.
+  // Tenant ID.
-    string tenant_id = 3;
+  string tenant_id = 3;
-    // User is admin within the context of this tenant.
+  // User is admin within the context of this tenant.
-    // There is no need to set the is_device_admin and is_gateway_admin flags.
+  // There is no need to set the is_device_admin and is_gateway_admin flags.
-    bool is_admin = 4;
+  bool is_admin = 4;
-    // User is able to modify device related resources (applications,
+  // User is able to modify device related resources (applications,
-    // device-profiles, devices, multicast-groups).
+  // device-profiles, devices, multicast-groups).
-    bool is_device_admin = 5;
+  bool is_device_admin = 5;
-    // User is able to modify gateways.
+  // User is able to modify gateways.
-    bool is_gateway_admin = 6;
+  bool is_gateway_admin = 6;
 }
 message LoginRequest {
-	// Email of the user.
+  // Email of the user.
-	string email = 1;
+  string email = 1;
-	// Password of the user.
+  // Password of the user.
-	string password = 2;
+  string password = 2;
 }
 message LoginResponse {
-	// The JWT tag to be used to access chirpstack-application-server interfaces.
+  // The JWT tag to be used to access chirpstack-application-server interfaces.
-	string jwt = 1;
+  string jwt = 1;
 }
 message ProfileResponse {
-    // User object.
+  // User object.
-    User user = 1;
+  User user = 1;
-    // Tenants to which the user is associated.
+  // Tenants to which the user is associated.
-    repeated UserTenantLink tenants = 3;
+  repeated UserTenantLink tenants = 3;
 }
 message GlobalSearchRequest {
-	// Search query.
+  // Search query.
-	string search = 1;
+  string search = 1;
-	// Max number of results to return.
+  // Max number of results to return.
-	int64 limit = 2;
+  int64 limit = 2;
-	// Offset offset of the result-set (for pagination).
+  // Offset offset of the result-set (for pagination).
-	int64 offset = 3;
+  int64 offset = 3;
 }
-message GlobalSearchResponse {
+message GlobalSearchResponse { repeated GlobalSearchResult result = 1; }
 	repeated GlobalSearchResult result = 1;
 }
 message GlobalSearchResult {
-	// Record kind.
+  // Record kind.
-	string kind = 1;
+  string kind = 1;
-	// Search score.
+  // Search score.
-	float score = 2;
+  float score = 2;
-	// Organization id.
+  // Organization id.
-	string tenant_id = 3;
+  string tenant_id = 3;
-	// Organization name.
+  // Organization name.
-	string tenant_name = 4;
+  string tenant_name = 4;
-	// Application id.
+  // Application id.
-	string application_id = 5;
+  string application_id = 5;
-	// Application name.
+  // Application name.
-	string application_name = 6;
+  string application_name = 6;
-	// Device DevEUI (hex encoded).
+  // Device DevEUI (hex encoded).
-	string device_dev_eui = 7;
+  string device_dev_eui = 7;
-	// Device name.
+  // Device name.
-	string device_name = 8;
+  string device_name = 8;
-	// Gateway MAC (hex encoded).
+  // Gateway MAC (hex encoded).
-	string gateway_id = 9;
+  string gateway_id = 9;
-	// Gateway name.
+  // Gateway name.
-	string gateway_name = 10;
+  string gateway_name = 10;
 }
 message SettingsResponse {
-    // OpenId Connect settings.
+  // OpenId Connect settings.
-    OpenIdConnect openid_connect = 1;
+  OpenIdConnect openid_connect = 1;
  // OAuth2 settings.
  OAuth2 oauth2 = 2;
 }
 message OpenIdConnect {
-    // Enable OpenId Connect authentication.
+  // Enable OpenId Connect authentication.
-    bool enabled = 1;
+  bool enabled = 1;
-    // Login url.
+  // Login url.
-    string login_url = 2 [json_name = "loginURL"];
+  string login_url = 2;
-    // Login label.
+  // Login label.
-    string login_label = 3;
+  string login_label = 3;
-    // Logout url.
+  // Logout url.
-    string logout_url = 4 [json_name = "logoutURL"];
+  string logout_url = 4;
 }
 message OAuth2 {
  // OAuth2 is enabled.
  bool enabled = 1;
  // Login url.
  string login_url = 2;
  // Login label.
  string login_label = 3;
  // Logout url.
  string logout_url = 4;
 }
 message OpenIdConnectLoginRequest {
-    // OpenId Connect callback code.
+  // OpenId Connect callback code.
-    string code = 1;
+  string code = 1;
-    // OpenId Connect callback state.
+  // OpenId Connect callback state.
-    string state = 2;
+  string state = 2;
 }
 message OpenIdConnectLoginResponse {
-    // Token to use for authentication.
+  // Token to use for authentication.
-    string token = 1;
+  string token = 1;
 }
 message OAuth2LoginRequest {
  // OAuth2 callback code.
  string code = 1;
  // OAuth2 callback state.
  string state = 2;
 }
 message OAuth2LoginResponse {
  // Token to use for authentication.
  string token = 1;
 }
 message GetDevicesSummaryRequest {
-    // Tenant ID (UUID).
+  // Tenant ID (UUID).
-    string tenant_id = 1;
+  string tenant_id = 1;
 }
 message GetDevicesSummaryResponse {
-    // Active count.
+  // Active count.
-    uint32 active_count = 1;
+  uint32 active_count = 1;
-    // Inactive count.
+  // Inactive count.
-    uint32 inactive_count = 2;
+  uint32 inactive_count = 2;
-    // per data-rate count.
+  // per data-rate count.
-    // Devices that have never been seen are excluded.
+  // Devices that have never been seen are excluded.
-    map<uint32, uint32> dr_count = 3;
+  map<uint32, uint32> dr_count = 3;
-    // Never seen count.
+  // Never seen count.
-    uint32 never_seen_count = 4;
+  uint32 never_seen_count = 4;
 }
 message GetGatewaysSummaryRequest {
-    // Tenant ID (UUID).
+  // Tenant ID (UUID).
-    string tenant_id = 1;
+  string tenant_id = 1;
 }
 message GetGatewaysSummaryResponse {
-    // Online count.
+  // Online count.
-    uint32 online_count = 1;
+  uint32 online_count = 1;
-    // Offline count.
+  // Offline count.
-    uint32 offline_count = 2;
+  uint32 offline_count = 2;
-    // Never seen count.
+  // Never seen count.
-    uint32 never_seen_count = 3;
+  uint32 never_seen_count = 3;
 }
 message LogItem {
-    // ID.
+  // ID.
-    string id = 1;
+  string id = 1;
-    // Timestamp.
+  // Timestamp.
-    google.protobuf.Timestamp time = 2;
+  google.protobuf.Timestamp time = 2;
-    // Message.
+  // Message.
-    string description = 3;
+  string description = 3;
-    // Body.
+  // Body.
-    string body = 4;
+  string body = 4;
-    // Properties.
+  // Properties.
-    map<string, string> properties = 5;
+  map<string, string> properties = 5;
 }
 message StreamGatewayFramesRequest {
-    // Gateway ID (EUI64).
+  // Gateway ID (EUI64).
-    string gateway_id = 1;
+  string gateway_id = 1;
 }
 message StreamDeviceFramesRequest {
-    // Device EUI.
+  // Device EUI.
-    string dev_eui = 1;
+  string dev_eui = 1;
 }
 message StreamDeviceEventsRequest {
-    // Device EUI.
+  // Device EUI.
-    string dev_eui = 1;
+  string dev_eui = 1;
 }
 message ListRegionsResponse {
-    // Configured regions.
+  // Configured regions.
-    repeated RegionListItem regions = 1;
+  repeated RegionListItem regions = 1;
 }
 message RegionListItem {
-    // ID.
+  // ID.
-    string id = 1;
+  string id = 1;
-    // Region.
+  // Region.
-    common.Region region = 2;
+  common.Region region = 2;
-    // Description.
+  // Description.
-    string description = 3;
+  string description = 3;
 }
 message GetRegionRequest {
-    // Region ID.
+  // Region ID.
-    string id = 1;
+  string id = 1;
 }
 message GetRegionResponse {
-    // ID.
+  // ID.
-    string id = 1;
+  string id = 1;
-    // Region.
+  // Region.
-    common.Region region = 2;
+  common.Region region = 2;
-    // User information.
+  // User information.
-    string user_info = 3;
+  string user_info = 3;
-    // Uplink channels.
+  // Uplink channels.
-    repeated RegionChannel uplink_channels = 4;
+  repeated RegionChannel uplink_channels = 4;
-    // RX1 delay.
+  // RX1 delay.
-    uint32 rx1_delay = 5;
+  uint32 rx1_delay = 5;
-    // RX1 data-rate offset.
+  // RX1 data-rate offset.
-    uint32 rx1_dr_offset = 6;
+  uint32 rx1_dr_offset = 6;
-    // RX2 DR.
+  // RX2 DR.
-    uint32 rx2_dr = 7;
+  uint32 rx2_dr = 7;
-    // RX2 frequency.
+  // RX2 frequency.
-    uint32 rx2_frequency = 8;
+  uint32 rx2_frequency = 8;
-    // Class-B ping-slot DR.
+  // Class-B ping-slot DR.
-    uint32 class_b_ping_slot_dr = 9;
+  uint32 class_b_ping_slot_dr = 9;
-    // Class-B ping-slot frequency.
+  // Class-B ping-slot frequency.
-    uint32 class_b_ping_slot_frequency = 10;
+  uint32 class_b_ping_slot_frequency = 10;
-    // Region description.
+  // Region description.
-    string description = 11;
+  string description = 11;
 }
 message RegionChannel {
-    // Frequency (Hz).
+  // Frequency (Hz).
-    uint32 frequency = 1;
+  uint32 frequency = 1;
-    // Min DR.
+  // Min DR.
-    uint32 dr_min = 2;
+  uint32 dr_min = 2;
-    // Max DR.
+  // Max DR.
-    uint32 dr_max = 3;
+  uint32 dr_max = 3;
 }
--- a/chirpstack/Cargo.toml
+++ b/chirpstack/Cargo.toml
@ -107,6 +107,7 @@ rustls-pemfile = "1.0"
 rsa = "0.9"
 rcgen = { version = "0.12", features = [ "x509-parser" ] }
 openidconnect = { version = "3.3", features = ["accept-rfc3339-timestamps"] }
 oauth2 = "4.4"
 # MQTT
 rumqttc = { version = "0.23", features = ["url"] }
--- a/chirpstack/src/api/internal.rs
+++ b/chirpstack/src/api/internal.rs
@ -7,6 +7,7 @@ use anyhow::{Context as AnyhowContext, Result};
 use futures::Stream;
 use reqwest::header::{HeaderMap, CONTENT_TYPE};
 use reqwest::Client;
 use serde::Serialize;
 use tokio::sync::mpsc;
 use tokio_stream::wrappers::ReceiverStream;
 use tonic::{Request, Response, Status};
@ -20,7 +21,7 @@ use super::auth::claims;
 use super::auth::{validator, AuthID};
 use super::error::ToStatus;
 use super::helpers::ToProto;
-use super::{helpers, oidc};
+use super::{helpers, oauth2, oidc};
 use crate::storage::{api_key, device, error::Error, gateway, redis_key, search, tenant, user};
 use crate::{config, region, stream};
 use lrwn::EUI64;
@ -38,25 +39,25 @@ impl Internal {
        }
    }
-    async fn create_and_provision_user(&self, oidc_user: &oidc::User) -> Result<user::User> {
+    async fn create_and_provision_user<S>(
-        let external_id = oidc_user.subject().to_string();
+        &self,
-        let email = match oidc_user.email() {
+        external_id: &str,
-            Some(v) => v.to_string(),
+        email: &str,
-            None => {
+        email_verified: bool,
-                return Err(anyhow!("email is missing"));
+        user_info: &S,
-            }
+    ) -> Result<user::User>
-        };
+    where
-        let email_verified = oidc_user.email_verified().unwrap_or_default();
+        S: Serialize,
-
+    {
        let u = user::User {
            is_active: true,
-            email,
+            email: email.to_string(),
            email_verified,
-            external_id: Some(external_id),
+            external_id: Some(external_id.to_string()),
            ..Default::default()
        };
        let u = user::create(u).await?;
-        if let Err(e) = self.provision_user(&u.id, oidc_user).await {
+        if let Err(e) = self.provision_user(&u.id, user_info).await {
            error!(error = %e, "Provisioning user failed");
            user::delete(&u.id).await?;
            return Err(e);
@ -65,7 +66,10 @@ impl Internal {
        Ok(u)
    }
-    async fn provision_user(&self, user_id: &Uuid, oidc_user: &oidc::User) -> Result<()> {
+    async fn provision_user<S>(&self, user_id: &Uuid, user_info: &S) -> Result<()>
    where
        S: Serialize,
    {
        let conf = config::get();
        if conf
            .user_authentication
@ -87,7 +91,7 @@ impl Internal {
                    .openid_connect
                    .registration_callback_url,
            )
-            .json(&oidc_user)
+            .json(user_info)
            .query(&[("user_id", user_id.to_string())])
            .headers(headers)
            .send()
@ -404,11 +408,17 @@ impl InternalService for Internal {
        Ok(Response::new(api::SettingsResponse {
            openid_connect: Some(api::OpenIdConnect {
-                enabled: conf.user_authentication.openid_connect.enabled,
+                enabled: conf.user_authentication.enabled == "openid_connect",
                login_url: "/auth/oidc/login".into(),
                login_label: conf.user_authentication.openid_connect.login_label.clone(),
                logout_url: conf.user_authentication.openid_connect.logout_url.clone(),
            }),
            oauth2: Some(api::OAuth2 {
                enabled: conf.user_authentication.enabled == "oauth2",
                login_url: "/auth/oauth2/login".into(),
                login_label: conf.user_authentication.oauth2.login_label.clone(),
                logout_url: conf.user_authentication.oauth2.logout_url.clone(),
            }),
        }))
    }
@ -456,7 +466,7 @@ impl InternalService for Internal {
        if u.is_none() {
            u = match user::get_by_email(&email).await {
                Ok(mut v) => {
-                    v.external_id = Some(external_id);
+                    v.external_id = Some(external_id.clone());
                    Some(v)
                }
                Err(e) => match e {
@ -471,7 +481,7 @@ impl InternalService for Internal {
        // register the user (if enabled)
        if u.is_none() && conf.user_authentication.openid_connect.registration_enabled {
            u = Some(
-                self.create_and_provision_user(&oidc_user)
+                self.create_and_provision_user(&external_id, &email, email_verified, &oidc_user)
                    .await
                    .map_err(|e| e.status())?,
            );
@ -497,6 +507,87 @@ impl InternalService for Internal {
        Ok(Response::new(api::OpenIdConnectLoginResponse { token }))
    }
    async fn o_auth2_login(
        &self,
        request: Request<api::OAuth2LoginRequest>,
    ) -> Result<Response<api::OAuth2LoginResponse>, Status> {
        let req = request.get_ref();
        let conf = config::get();
        let oauth_user = oauth2::get_user(&req.code, &req.state)
            .await
            .map_err(|e| e.status())?;
        let email_verified =
            oauth_user.email_verified || conf.user_authentication.oauth2.assume_email_verified;
        if !email_verified {
            return Err(Status::failed_precondition(
                "email address must be verified before you can login",
            ));
        }
        // try to get user by external id
        let mut u: Option<user::User> =
            match user::get_by_external_id(&oauth_user.external_id).await {
                Ok(v) => Some(v),
                Err(e) => match e {
                    Error::NotFound(_) => None,
                    _ => {
                        return Err(e.status());
                    }
                },
            };
        if u.is_none() {
            u = match user::get_by_email(&oauth_user.email).await {
                Ok(mut v) => {
                    v.external_id = Some(oauth_user.external_id.clone());
                    Some(v)
                }
                Err(e) => match e {
                    Error::NotFound(_) => None,
                    _ => {
                        return Err(e.status());
                    }
                },
            };
        }
        // register the user (if enabled)
        if u.is_none() && conf.user_authentication.oauth2.registration_enabled {
            u = Some(
                self.create_and_provision_user(
                    &oauth_user.external_id,
                    &oauth_user.email,
                    email_verified,
                    &oauth_user,
                )
                .await
                .map_err(|e| e.status())?,
            );
        }
        let mut u = match u {
            Some(v) => v,
            None => {
                return Err(Status::not_found("User does not exist"));
            }
        };
        // update the user
        // in case it was fetched using the external id, this will make sure we sync with any
        // possible email change.
        u.email = oauth_user.email.clone();
        u.email_verified = email_verified;
        let u = user::update(u).await.map_err(|e| e.status())?;
        let token = claims::AuthClaim::new_for_user(&u.id)
            .encode(self.jwt_secret.as_ref())
            .map_err(|e| e.status())?;
        Ok(Response::new(api::OAuth2LoginResponse { token }))
    }
    async fn get_devices_summary(
        &self,
        request: Request<api::GetDevicesSummaryRequest>,
--- a/chirpstack/src/api/mod.rs
+++ b/chirpstack/src/api/mod.rs
@ -55,6 +55,7 @@ pub mod helpers;
 pub mod internal;
 pub mod monitoring;
 pub mod multicast;
 pub mod oauth2;
 pub mod oidc;
 pub mod relay;
 pub mod tenant;
@ -181,6 +182,10 @@ pub async fn setup() -> Result<()> {
                .or(warp::path!("auth" / "oidc" / "callback")
                    .and(warp::query::<oidc::CallbackArgs>())
                    .and_then(oidc::callback_handler))
                .or(warp::path!("auth" / "oauth2" / "login").and_then(oauth2::login_handler))
                .or(warp::path!("auth" / "oauth2" / "callback")
                    .and(warp::query::<oauth2::CallbackArgs>())
                    .and_then(oauth2::callback_handler))
                .or(warp::path::tail().and_then(http_serve)),
        );
        let mut warp_service = ServiceBuilder::new()
--- a/chirpstack/src/api/oauth2.rs
+++ b/chirpstack/src/api/oauth2.rs
@ -0,0 +1,186 @@
 use std::str::FromStr;
 use anyhow::{Context, Result};
 use chrono::Duration;
 use oauth2::basic::BasicClient;
 use oauth2::reqwest::async_http_client;
 use oauth2::{
    AuthType, AuthUrl, AuthorizationCode, ClientId, ClientSecret, CsrfToken, PkceCodeChallenge,
    RedirectUrl, Scope, TokenResponse, TokenUrl,
 };
 use reqwest::header::AUTHORIZATION;
 use serde::{Deserialize, Serialize};
 use tracing::{error, trace};
 use warp::{Rejection, Reply};
 use crate::config;
 use crate::helpers::errors::PrintFullError;
 use crate::storage::{get_async_redis_conn, redis_key};
 #[derive(Deserialize)]
 struct ClerkUserinfo {
    pub email: String,
    pub email_verified: bool,
    pub user_id: String,
 }
 #[derive(Serialize, Deserialize)]
 pub struct CallbackArgs {
    pub code: String,
    pub state: String,
 }
 #[derive(Serialize, Debug)]
 pub struct User {
    pub email: String,
    pub email_verified: bool,
    pub external_id: String,
 }
 pub async fn login_handler() -> Result<impl Reply, Rejection> {
    let client = match get_client() {
        Ok(v) => v,
        Err(e) => {
            error!(error = %e.full(), "Get OAuth2 client error");
            return Ok(warp::reply::with_status(
                "Internal error",
                warp::http::StatusCode::INTERNAL_SERVER_ERROR,
            )
            .into_response());
        }
    };
    let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
    let (auth_url, csrf_token) = client
        .authorize_url(CsrfToken::new_random)
        .add_scope(Scope::new("email".into()))
        .set_pkce_challenge(pkce_challenge)
        .url();
    if let Err(e) = store_verifier(&csrf_token, &pkce_verifier).await {
        error!(error = %e.full(), "Store verifier error");
        return Ok(warp::reply::with_status(
            "Internal error",
            warp::http::StatusCode::INTERNAL_SERVER_ERROR,
        )
        .into_response());
    }
    Ok(
        warp::redirect::found(warp::http::Uri::from_str(auth_url.as_str()).unwrap())
            .into_response(),
    )
 }
 pub async fn callback_handler(args: CallbackArgs) -> Result<impl Reply, Rejection> {
    // warp::redirect does not work with '#'.
    Ok(warp::reply::with_header(
        warp::http::StatusCode::PERMANENT_REDIRECT,
        warp::http::header::LOCATION,
        format!("/#/login?code={}&state={}", args.code, args.state),
    ))
 }
 fn get_client() -> Result<BasicClient> {
    let conf = config::get();
    if conf.user_authentication.enabled != "oauth2" {
        return Err(anyhow!("OAuth2 is not enabled"));
    }
    let client = BasicClient::new(
        ClientId::new(conf.user_authentication.oauth2.client_id.clone()),
        Some(ClientSecret::new(
            conf.user_authentication.oauth2.client_secret.clone(),
        )),
        AuthUrl::new(conf.user_authentication.oauth2.auth_url.clone())?,
        Some(TokenUrl::new(
            conf.user_authentication.oauth2.token_url.clone(),
        )?),
    )
    .set_redirect_uri(RedirectUrl::new(
        conf.user_authentication.oauth2.redirect_url.clone(),
    )?)
    .set_auth_type(match conf.user_authentication.oauth2.provider.as_ref() {
        "clerk" => AuthType::RequestBody, // clerk does not support BasicAuth
        _ => AuthType::BasicAuth,         //  default oauth2 crate value
    });
    Ok(client)
 }
 pub async fn get_user(code: &str, state: &str) -> Result<User> {
    let state = oauth2::CsrfToken::new(state.to_string());
    let verifier = get_verifier(&state).await?;
    let client = get_client()?;
    let token = match client
        .exchange_code(AuthorizationCode::new(code.to_string()))
        .set_pkce_verifier(verifier)
        .request_async(async_http_client)
        .await
    {
        Ok(v) => v,
        Err(e) => {
            return Err(anyhow!(e.to_string()));
        }
    };
    let access_token = token.access_token().secret();
    let conf = config::get();
    let provider = conf.user_authentication.oauth2.provider.clone();
    let userinfo_url = conf.user_authentication.oauth2.userinfo_url.clone();
    match provider.as_ref() {
        "clerk" => get_clerk_user(access_token, &userinfo_url).await,
        _ => Err(anyhow!("Unsupported OAuth2 provider: {}", provider)),
    }
 }
 async fn get_clerk_user(token: &str, url: &str) -> Result<User> {
    let client = reqwest::Client::new();
    let auth_header = format!("Bearer {}", token);
    let resp: ClerkUserinfo = client
        .get(url)
        .header(AUTHORIZATION, auth_header)
        .send()
        .await?
        .json()
        .await?;
    Ok(User {
        email: resp.email,
        email_verified: resp.email_verified,
        external_id: resp.user_id,
    })
 }
 async fn store_verifier(
    token: &oauth2::CsrfToken,
    verifier: &oauth2::PkceCodeVerifier,
 ) -> Result<()> {
    trace!("Storing verifier");
    let key = redis_key(format!("auth:oauth2:{}", token.secret()));
    redis::cmd("PSETEX")
        .arg(key)
        .arg(Duration::minutes(5).num_milliseconds())
        .arg(verifier.secret())
        .query_async(&mut get_async_redis_conn().await?)
        .await?;
    Ok(())
 }
 async fn get_verifier(token: &oauth2::CsrfToken) -> Result<oauth2::PkceCodeVerifier> {
    trace!("Getting verifier");
    let key = redis_key(format!("auth:oauth2:{}", token.secret()));
    let v: String = redis::cmd("GET")
        .arg(&key)
        .query_async(&mut get_async_redis_conn().await?)
        .await
        .context("Get verifier")?;
    Ok(oauth2::PkceCodeVerifier::new(v))
 }
--- a/chirpstack/src/api/oidc.rs
+++ b/chirpstack/src/api/oidc.rs
@ -106,8 +106,8 @@ pub async fn get_user(code: &str, state: &str) -> Result<User> {
 async fn get_client() -> Result<CoreClient> {
    let conf = config::get();
-    if !conf.user_authentication.openid_connect.enabled {
+    if conf.user_authentication.enabled != "openid_connect" {
-        return Err(anyhow!("OIDC is disabled"));
+        return Err(anyhow!("OIDC is not enabled"));
    }
    let client_id = ClientId::new(conf.user_authentication.openid_connect.client_id.clone());
--- a/chirpstack/src/cmd/configfile.rs
+++ b/chirpstack/src/cmd/configfile.rs
@ -544,14 +544,17 @@ pub fn run() {
 # User authentication configuration.
 [user_authentication]
  # Enabled authentication backend.
  #
  # Options are:
  #  * internal       - Internal authentication backend (default).
  #  * openid_connect - OpenID Connect based backend.
  #  * oauth2         - OAuth2 based backend.
  enabled="{{ user_authentication.enabled }}"
  # OpenID Connect.
  [user_authentication.openid_connect]
    # Enable OpenID Connect authentication.
    #
    # Enabling this option replaces password authentication.
    enabled={{ user_authentication.openid_connect.enabled }}
    # Registration enabled.
    #
    # Enabling this will automatically register the user when it is not yet present
@ -587,13 +590,13 @@ pub fn run() {
    # Redirect URL.
    #
-    # This must contain the ChirpStack Application Server web-interface hostname
+    # This must contain the ChirpStack web-interface hostname
    # with '/auth/oidc/callback' path, e.g. https://example.com/auth/oidc/callback.
    redirect_url="{{ user_authentication.openid_connect.redirect_url }}"
    # Logout URL.
    #
-    # When set, ChirpStack Application Server will redirect to this URL instead
+    # When set, ChirpStack will redirect to this URL instead
    # of redirecting to the login page.
    logout_url="{{ user_authentication.openid_connect.logout_url }}"
@ -611,6 +614,78 @@ pub fn run() {
    assume_email_verified={{ user_authentication.openid_connect.assume_email_verified }}
  # OAuth2 backend.
  [user_authentication.oauth2]
    # Provider.
    #
    # Options are:
    #  * clerk
    provider="{{ user_authentication.oauth2.provider }}"
    # Registration enabled.
    #
    # Enabling this will automatically register the user when it is not yet present
    # in the ChirpStack database. There is no registration form as the user information
    # is automatically received using the OAuth2 provided information.
    # The user will not be associated with any organization, but in order to
    # facilitate the automatic onboarding of users, it is possible to configure a
    # registration callback URL (next config option).
    registration_enabled={{ user_authentication.oauth2.registration_enabled }}
    # Registration callback URL.
    #
    # This (optional) endpoint will be called on the registration of the user and
    # can implement the association of the user with an organization, create a new
    # organization, ...
    # ChirpStack will make a HTTP POST call to this endpoint,
    # with the following URL parameters:
    # - user_id, of the newly created user in ChirpStack.
    #
    # The POST body contains a JSON payload with the OAuth2 payload.
    registration_callback_url="{{ user_authentication.oauth2.registration_callback_url }}"
    # OAuth2 client ID.
    client_id="{{ user_authentication.oauth2.client_id }}"
    # OAuth2 client secret.
    client_secret="{{ user_authentication.oauth2.client_secret }}"
    # OAuth2 auth URL.
    auth_url="{{ user_authentication.oauth2.auth_url }}"
    # OAuth2 token URL.
    token_url="{{ user_authentication.oauth2.token_url }}"
    # Userinfo URL.
    #
    # This is the URL that ChirpStack will request to receive the user information.
    userinfo_url="{{ user_authentication.oauth2.userinfo_url }}"
    # Redirect URL.
    #
    # This must contain the ChirpStack web-interface hostname
    # with '/auth/oauth2/callback' path, e.g. https://example.com/auth/oauth2/callback.
    redirect_url="{{ user_authentication.oauth2.redirect_url }}"
    # Logout URL.
    #
    # When set, ChirpStack will redirect to this URL instead
    # of redirecting to the login page.
    logout_url="{{ user_authentication.oauth2.logout_url }}"
    # Login label.
    #
    # The login label is used in the web-interface login form.
    login_label="{{ user_authentication.oauth2.login_label }}"
    # Assume e-mail verified.
    #
    # If set to true, then ChirpStack will ignore the email_verified received
    # from the userinfo URL, assuming it will be true.
    assume_email_verified={{ user_authentication.oauth2.assume_email_verified }}
 # Join Server configuration.
 [join_server]
--- a/chirpstack/src/config.rs
+++ b/chirpstack/src/config.rs
@ -391,16 +391,27 @@ impl Default for CodecJs {
    }
 }
-#[derive(Serialize, Deserialize, Clone, Default)]
+#[derive(Serialize, Deserialize, Clone)]
 #[serde(default)]
 pub struct UserAuthentication {
    pub enabled: String,
    pub openid_connect: OpenIdConnect,
    pub oauth2: OAuth2,
 }
 impl Default for UserAuthentication {
    fn default() -> Self {
        UserAuthentication {
            enabled: "internal".into(),
            openid_connect: Default::default(),
            oauth2: Default::default(),
        }
    }
 }
 #[derive(Serialize, Deserialize, Default, Clone)]
 #[serde(default)]
 pub struct OpenIdConnect {
    pub enabled: bool,
    pub registration_enabled: bool,
    pub registration_callback_url: String,
    pub provider_url: String,
@ -412,6 +423,23 @@ pub struct OpenIdConnect {
    pub assume_email_verified: bool,
 }
 #[derive(Serialize, Deserialize, Default, Clone)]
 #[serde(default)]
 pub struct OAuth2 {
    pub registration_enabled: bool,
    pub registration_callback_url: String,
    pub client_id: String,
    pub client_secret: String,
    pub auth_url: String,
    pub token_url: String,
    pub redirect_url: String,
    pub userinfo_url: String,
    pub provider: String,
    pub logout_url: String,
    pub login_label: String,
    pub assume_email_verified: bool,
 }
 #[derive(Serialize, Deserialize, Default, Clone)]
 #[serde(default)]
 pub struct JoinServer {
--- a/ui/package.json
+++ b/ui/package.json
@ -70,4 +70,4 @@
  "devDependencies": {
    "prettier": "^3.0.0"
  }
-}
+}
--- a/ui/src/components/Header.tsx
+++ b/ui/src/components/Header.tsx
@ -53,15 +53,20 @@ function Header({ user }: { user: User }) {
    }
    let oidc = settings.getOpenidConnect()!;
    let oAuth2 = settings.getOauth2()!;
-    if (!oidc.getEnabled() || oidc.getLogoutUrl() === "") {
+    if (oidc.getEnabled() && oidc.getLogoutUrl() !== "") {
      SessionStore.logout(true, () => {
        navigate("/login");
      });
    } else {
      SessionStore.logout(false, () => {
        navigate(oidc.getLogoutUrl());
      });
    } else if (oAuth2.getEnabled() && oAuth2.getLogoutUrl() !== "") {
      SessionStore.logout(false, () => {
        navigate(oAuth2.getLogoutUrl());
      });
    } else {
      SessionStore.logout(true, () => {
        navigate("/login");
      });
    }
  };
@ -86,23 +91,23 @@ function Header({ user }: { user: User }) {
    label: any;
    options: any[];
  }[] = [
-    {
+      {
-      label: renderTitle("Tenants"),
+        label: renderTitle("Tenants"),
-      options: [],
+        options: [],
-    },
+      },
-    {
+      {
-      label: renderTitle("Gateways"),
+        label: renderTitle("Gateways"),
-      options: [],
+        options: [],
-    },
+      },
-    {
+      {
-      label: renderTitle("Applications"),
+        label: renderTitle("Applications"),
-      options: [],
+        options: [],
-    },
+      },
-    {
+      {
-      label: renderTitle("Devices"),
+        label: renderTitle("Devices"),
-      options: [],
+        options: [],
-    },
+      },
-  ];
+    ];
  if (searchResult !== undefined) {
    for (const res of searchResult.getResultList()) {
--- a/ui/src/stores/SessionStore.ts
+++ b/ui/src/stores/SessionStore.ts
@ -7,6 +7,7 @@ import {
  LoginRequest,
  UserTenantLink,
  OpenIdConnectLoginRequest,
  OAuth2LoginRequest,
 } from "@chirpstack/chirpstack-api-grpc-web/api/internal_pb";
 import { User } from "@chirpstack/chirpstack-api-grpc-web/api/user_pb";
@ -23,7 +24,7 @@ class SessionStore extends EventEmitter {
    this.client = new InternalServiceClient("");
    this.tenants = [];
-    this.fetchProfile(() => {});
+    this.fetchProfile(() => { });
  }
  login = (email: string, password: string, callbackFunc: any) => {
@ -53,6 +54,18 @@ class SessionStore extends EventEmitter {
    });
  };
  oAuth2Login = (req: OAuth2LoginRequest, callbackFunc: any) => {
    this.client.oAuth2Login(req, {}, (err, resp) => {
      if (err !== null) {
        HandleLoginError(err);
        return;
      }
      this.setToken(resp.getToken());
      this.fetchProfile(callbackFunc);
    });
  };
  logout = (emit: boolean, callbackFunc: () => void) => {
    localStorage.clear();
    this.user = undefined;
--- a/ui/src/views/users/Login.tsx
+++ b/ui/src/views/users/Login.tsx
@ -4,7 +4,7 @@ import { useLocation, useNavigate } from "react-router-dom";
 import { Row, Col, Card } from "antd";
 import { Form, Input, Button } from "antd";
-import { SettingsResponse, OpenIdConnectLoginRequest } from "@chirpstack/chirpstack-api-grpc-web/api/internal_pb";
+import { SettingsResponse, OpenIdConnectLoginRequest, OAuth2LoginRequest } from "@chirpstack/chirpstack-api-grpc-web/api/internal_pb";
 import SessionStore from "../../stores/SessionStore";
 import InternalStore from "../../stores/InternalStore";
@ -35,6 +35,11 @@ interface OidcLoginProps {
  loginLabel: string;
 }
 interface OAuth2LoginProps {
  loginUrl: string;
  loginLabel: string;
 }
 function OidcLogin({ loginUrl, loginLabel }: OidcLoginProps) {
  return (
    <Row style={{ marginTop: "200px" }}>
@ -49,6 +54,21 @@ function OidcLogin({ loginUrl, loginLabel }: OidcLoginProps) {
  );
 }
 function OAuth2Login({ loginUrl, loginLabel }: OAuth2LoginProps) {
  return (
    <Row style={{ marginTop: "200px" }}>
      <Col span={8} offset={8}>
        <Card title="ChirpStack login">
          <a href={loginUrl}>
            <Button type="primary">{loginLabel}</Button>
          </a>
        </Card>
      </Col>
    </Row>
  );
 }
 function LoginForm() {
  const navigate = useNavigate();
@ -107,30 +127,52 @@ function Login() {
  const [loaded, setLoaded] = useState<boolean>(false);
  const [oidcEnabled, setOidcEnabled] = useState<boolean>(false);
  const [oAuth2Enabled, setOAuth2Enabled] = useState<boolean>(false);
  const [oidcLoginLabel, setOidcLoginLabel] = useState<string>("");
  const [oidcLoginUrl, setOidcLoginUrl] = useState<string>("");
  const [oAuth2LoginLabel, setOAuth2LoginLabel] = useState<string>("");
  const [oAuth2LoginUrl, setOAuth2LoginUrl] = useState<string>("");
  useEffect(() => {
-    SessionStore.logout(true, () => {});
+    SessionStore.logout(true, () => { });
-    if (location.search === "") {
+    InternalStore.settings((resp: SettingsResponse) => {
-      InternalStore.settings((resp: SettingsResponse) => {
+      setLoaded(true);
        setLoaded(true);
        setOidcEnabled(resp.getOpenidConnect()!.getEnabled());
        setOidcLoginLabel(resp.getOpenidConnect()!.getLoginLabel());
        setOidcLoginUrl(resp.getOpenidConnect()!.getLoginUrl());
      });
    } else {
      // Callback from OIDC provider.
      let q = new URLSearchParams(location.search);
      let req = new OpenIdConnectLoginRequest();
      req.setCode(q.get("code") || "");
      req.setState(q.get("state") || "");
-      SessionStore.openIdConnectLogin(req, () => {
+      const oidc = resp.getOpenidConnect()!;
-        navigate("/");
+      const oAuth2 = resp.getOauth2()!;
-      });
+
-    }
+      setOidcEnabled(oidc.getEnabled());
      setOidcLoginLabel(oidc.getLoginLabel());
      setOidcLoginUrl(oidc.getLoginUrl());
      setOAuth2Enabled(oAuth2.getEnabled());
      setOAuth2LoginLabel(oAuth2.getLoginLabel());
      setOAuth2LoginUrl(oAuth2.getLoginUrl());
      if (location.search !== "") {
        // Callback from OIDC or OAuth2 provider.
        let q = new URLSearchParams(location.search);
        if (oidc.getEnabled()) {
          let req = new OpenIdConnectLoginRequest();
          req.setCode(q.get("code") || "");
          req.setState(q.get("state") || "");
          SessionStore.openIdConnectLogin(req, () => {
            navigate("/");
          });
        } else if (oAuth2.getEnabled()) {
          let req = new OAuth2LoginRequest();
          req.setCode(q.get("code") || "");
          req.setState(q.get("state") || "");
          SessionStore.oAuth2Login(req, () => {
            navigate("/");
          });
        }
      }
    });
  }, [location, navigate]);
  if (!loaded) {
@ -139,6 +181,8 @@ function Login() {
  if (oidcEnabled) {
    return <OidcLogin loginUrl={oidcLoginUrl} loginLabel={oidcLoginLabel} />;
  } else if (oAuth2Enabled) {
    return <OAuth2Login loginUrl={oAuth2LoginUrl} loginLabel={oAuth2LoginLabel} />;
  } else {
    return <LoginForm />;
  }