Merge branch 'origin/main' into 'next-release/main'

2026-04-14 04:17:36 -04:00 · 2026-04-09 15:49:09 +00:00
parent a731cd9db4 9cfe4dadb6
commit 4deba8fb54
32 changed files with 3732 additions and 1610 deletions
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/blevesearch/bleve/v2 v2.5.7
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/coreos/go-oidc/v3 v3.17.0
-	github.com/cs3org/go-cs3apis v0.0.0-20260310080202-fb97596763d6
+	github.com/cs3org/go-cs3apis v0.0.0-20260407125717-5d69ba49048b
 	github.com/davidbyttow/govips/v2 v2.17.0
 	github.com/dhowden/tag v0.0.0-20240417053706-3d75831295e8
 	github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e
@@ -65,7 +65,7 @@ require (
 	github.com/open-policy-agent/opa v1.15.1
 	github.com/opencloud-eu/icap-client v0.0.0-20250930132611-28a2afe62d89
 	github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d
-	github.com/opencloud-eu/reva/v2 v2.42.7-0.20260408072824-411780d0b756
+	github.com/opencloud-eu/reva/v2 v2.42.7-0.20260409144540-a3009b33f38b
 	github.com/opensearch-project/opensearch-go/v4 v4.6.0
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/pkg/errors v0.9.1
--- a/go.sum
+++ b/go.sum
@@ -264,8 +264,8 @@ github.com/crewjam/httperr v0.2.0 h1:b2BfXR8U3AlIHwNeFFvZ+BV1LFvKLlzMjzaTnZMybNo
 github.com/crewjam/httperr v0.2.0/go.mod h1:Jlz+Sg/XqBQhyMjdDiC+GNNRzZTD7x39Gu3pglZ5oH4=
 github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c=
 github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME=
-github.com/cs3org/go-cs3apis v0.0.0-20260310080202-fb97596763d6 h1:Akwn9gHJugKd8M48LyV+WeIQ6yMXoxZdgZabR53I9q4=
-github.com/cs3org/go-cs3apis v0.0.0-20260310080202-fb97596763d6/go.mod h1:DedpcqXl193qF/08Y04IO0PpxyyMu8+GrkD6kWK2MEQ=
+github.com/cs3org/go-cs3apis v0.0.0-20260407125717-5d69ba49048b h1:WNwuveokaUXIAGrwVLWqJSk0BdJv8k+9RXipBItGuyY=
+github.com/cs3org/go-cs3apis v0.0.0-20260407125717-5d69ba49048b/go.mod h1:DedpcqXl193qF/08Y04IO0PpxyyMu8+GrkD6kWK2MEQ=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=
 github.com/cyphar/filepath-securejoin v0.5.1 h1:eYgfMq5yryL4fbWfkLpFFy2ukSELzaJOTaUTuh+oF48=
 github.com/cyphar/filepath-securejoin v0.5.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
@@ -954,8 +954,8 @@ github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9 h1:dIft
 github.com/opencloud-eu/inotifywaitgo v0.0.0-20251111171128-a390bae3c5e9/go.mod h1:JWyDC6H+5oZRdUJUgKuaye+8Ph5hEs6HVzVoPKzWSGI=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d h1:JcqGDiyrcaQwVyV861TUyQgO7uEmsjkhfm7aQd84dOw=
 github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d/go.mod h1:pzatilMEHZFT3qV7C/X3MqOa3NlRQuYhlRhZTL+hN6Q=
-github.com/opencloud-eu/reva/v2 v2.42.7-0.20260408072824-411780d0b756 h1:Jbftg+S89x2PD7NVWhQB0+vlI/Qo0wv9rBwnM1N50yc=
-github.com/opencloud-eu/reva/v2 v2.42.7-0.20260408072824-411780d0b756/go.mod h1:hjMR/IerRm9xX4bthVRE9ZO/vhvrXVMbuvnnzwLjzK4=
+github.com/opencloud-eu/reva/v2 v2.42.7-0.20260409144540-a3009b33f38b h1:lLTcDZUErhKa88ho+bAecGDcnuIccVZVPoFKfWpLB28=
+github.com/opencloud-eu/reva/v2 v2.42.7-0.20260409144540-a3009b33f38b/go.mod h1:45YSzBU2klnEfdb6dlo6DMNr9ttE/7C9gd8n3g8Co3Y=
 github.com/opencloud-eu/secure v0.0.0-20260312082735-b6f5cb2244e4 h1:l2oB/RctH+t8r7QBj5p8thfEHCM/jF35aAY3WQ3hADI=
 github.com/opencloud-eu/secure v0.0.0-20260312082735-b6f5cb2244e4/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -367,6 +367,9 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config,
 			middleware.UserOIDCClaim(cfg.UserOIDCClaim),
 			middleware.UserCS3Claim(cfg.UserCS3Claim),
 			middleware.TenantOIDCClaim(cfg.TenantOIDCClaim),
+			middleware.TenantIDMappingEnabled(cfg.TenantIDMappingEnabled),
+			middleware.ServiceAccount(cfg.ServiceAccount),
+			middleware.WithRevaGatewaySelector(gatewaySelector),
 			middleware.AutoprovisionAccounts(cfg.AutoprovisionAccounts),
 			middleware.MultiTenantEnabled(cfg.Commons.MultiTenantEnabled),
 			middleware.EventsPublisher(publisher),
--- a/services/proxy/pkg/config/config.go
+++ b/services/proxy/pkg/config/config.go
@@ -35,6 +35,7 @@ type Config struct {
 	UserOIDCClaim                 string              `yaml:"user_oidc_claim" env:"PROXY_USER_OIDC_CLAIM" desc:"The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim." introductionVersion:"1.0.0"`
 	UserCS3Claim                  string              `yaml:"user_cs3_claim" env:"PROXY_USER_CS3_CLAIM" desc:"The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'." introductionVersion:"1.0.0"`
 	TenantOIDCClaim               string              `yaml:"tenant_oidc_claim" env:"PROXY_TENANT_OIDC_CLAIM" desc:"JMESPath expression to extract the tenant ID from the OIDC token claims. When set, the extracted value is verified against the tenant ID returned by the user backend, rejecting requests where they do not match. Only relevant when multi-tenancy is enabled." introductionVersion:"%%NEXT%%"`
+	TenantIDMappingEnabled        bool                `yaml:"tenant_id_mapping_enabled" env:"PROXY_TENANT_ID_MAPPING_ENABLED" desc:"When set to 'true', the proxy will resolve the internal tenant ID from the external tenant ID provided in the OIDC claims by calling the TenantAPI before verifying the tenant. Use this when the external tenant ID in the OIDC token differs from the internal tenant ID stored on the user. Requires 'tenant_oidc_claim' to be set. Only relevant when multi-tenancy is enabled." introductionVersion:"%%NEXT%%"`
 	MachineAuthAPIKey             string              `yaml:"machine_auth_api_key" env:"OC_MACHINE_AUTH_API_KEY;PROXY_MACHINE_AUTH_API_KEY" desc:"Machine auth API key used to validate internal requests necessary to access resources from other services." introductionVersion:"1.0.0" mask:"password"`
 	AutoprovisionAccounts         bool                `yaml:"auto_provision_accounts" env:"PROXY_AUTOPROVISION_ACCOUNTS" desc:"Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running." introductionVersion:"1.0.0"`
 	AutoProvisionClaims           AutoProvisionClaims `yaml:"auto_provision_claims"`
--- a/services/proxy/pkg/middleware/account_resolver.go
+++ b/services/proxy/pkg/middleware/account_resolver.go
@@ -1,12 +1,16 @@
 package middleware

 import (
+	"context"
 	"errors"
 	"fmt"
 	"net/http"
 	"time"

 	"github.com/jellydator/ttlcache/v3"
+	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	tenantpb "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
+	rpcpb "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/router"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/user/backend"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/userroles"
@@ -16,8 +20,10 @@ import (
 	cs3user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/pkg/oidc"
+	"github.com/opencloud-eu/opencloud/services/proxy/pkg/config"
 	revactx "github.com/opencloud-eu/reva/v2/pkg/ctx"
 	"github.com/opencloud-eu/reva/v2/pkg/events"
+	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
 	"github.com/opencloud-eu/reva/v2/pkg/utils"
 )

@@ -34,40 +40,55 @@ func AccountResolver(optionSetters ...Option) func(next http.Handler) http.Handl
 	)
 	go lastGroupSyncCache.Start()

+	tenantIDCache := ttlcache.New(
+		ttlcache.WithTTL[string, string](10*time.Minute),
+		ttlcache.WithDisableTouchOnHit[string, string](),
+	)
+	go tenantIDCache.Start()
+
 	return func(next http.Handler) http.Handler {
 		return &accountResolver{
-			next:                  next,
-			logger:                logger,
-			tracer:                tracer,
-			userProvider:          options.UserProvider,
-			userOIDCClaim:         options.UserOIDCClaim,
-			userCS3Claim:          options.UserCS3Claim,
-			tenantOIDCClaim:       options.TenantOIDCClaim,
-			userRoleAssigner:      options.UserRoleAssigner,
-			autoProvisionAccounts: options.AutoprovisionAccounts,
-			multiTenantEnabled:    options.MultiTenantEnabled,
-			lastGroupSyncCache:    lastGroupSyncCache,
-			eventsPublisher:       options.EventsPublisher,
+			next:                   next,
+			logger:                 logger,
+			tracer:                 tracer,
+			userProvider:           options.UserProvider,
+			userOIDCClaim:          options.UserOIDCClaim,
+			userCS3Claim:           options.UserCS3Claim,
+			tenantOIDCClaim:        options.TenantOIDCClaim,
+			tenantIDMappingEnabled: options.TenantIDMappingEnabled,
+			gatewaySelector:        options.RevaGatewaySelector,
+			serviceAccount:         options.ServiceAccount,
+			userRoleAssigner:       options.UserRoleAssigner,
+			autoProvisionAccounts:  options.AutoprovisionAccounts,
+			multiTenantEnabled:     options.MultiTenantEnabled,
+			lastGroupSyncCache:     lastGroupSyncCache,
+			tenantIDCache:          tenantIDCache,
+			eventsPublisher:        options.EventsPublisher,
 		}
 	}
 }

 type accountResolver struct {
-	next                  http.Handler
-	logger                log.Logger
-	tracer                trace.Tracer
-	userProvider          backend.UserBackend
-	userRoleAssigner      userroles.UserRoleAssigner
-	autoProvisionAccounts bool
-	multiTenantEnabled    bool
-	userOIDCClaim         string
-	userCS3Claim          string
-	tenantOIDCClaim       string
+	next                   http.Handler
+	logger                 log.Logger
+	tracer                 trace.Tracer
+	userProvider           backend.UserBackend
+	userRoleAssigner       userroles.UserRoleAssigner
+	autoProvisionAccounts  bool
+	multiTenantEnabled     bool
+	tenantIDMappingEnabled bool
+	gatewaySelector        pool.Selectable[gateway.GatewayAPIClient]
+	serviceAccount         config.ServiceAccount
+	userOIDCClaim          string
+	userCS3Claim           string
+	tenantOIDCClaim        string
 	// lastGroupSyncCache is used to keep track of when the last sync of group
 	// memberships was done for a specific user. This is used to trigger a sync
 	// with every single request.
 	lastGroupSyncCache *ttlcache.Cache[string, struct{}]
-	eventsPublisher    events.Publisher
+	// tenantIDCache maps external tenant IDs (from OIDC claims) to internal tenant IDs.
+	tenantIDCache   *ttlcache.Cache[string, string]
+	eventsPublisher events.Publisher
 }

 func readStringClaim(path string, claims map[string]interface{}) (string, error) {
@@ -173,7 +194,7 @@ func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {

 		// if a tenant claim is configured, verify it matches the tenant id on the resolved user
 		if m.tenantOIDCClaim != "" {
-			if err = m.verifyTenantClaim(user.GetId().GetTenantId(), claims); err != nil {
+			if err = m.verifyTenantClaim(req.Context(), user.GetId().GetTenantId(), claims); err != nil {
 				m.logger.Error().Err(err).Str("userid", user.GetId().GetOpaqueId()).Msg("Tenant claim mismatch")
 				w.WriteHeader(http.StatusUnauthorized)
 				return
@@ -260,13 +281,55 @@ func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	m.next.ServeHTTP(w, req)
 }

-func (m accountResolver) verifyTenantClaim(userTenantID string, claims map[string]interface{}) error {
+func (m accountResolver) verifyTenantClaim(ctx context.Context, userTenantID string, claims map[string]interface{}) error {
 	claimTenantID, err := readStringClaim(m.tenantOIDCClaim, claims)
 	if err != nil {
 		return fmt.Errorf("could not read tenant claim: %w", err)
 	}
-	if claimTenantID != userTenantID {
+
+	internalTenantID := claimTenantID
+	if m.tenantIDMappingEnabled {
+		internalTenantID, err = m.resolveInternalTenantID(ctx, claimTenantID)
+		if err != nil {
+			return fmt.Errorf("could not resolve internal tenant id for external tenant id %q: %w", claimTenantID, err)
+		}
+	}
+
+	if internalTenantID != userTenantID {
 		return fmt.Errorf("tenant id from claim %q does not match user tenant id %q", claimTenantID, userTenantID)
 	}
 	return nil
 }
+
+// resolveInternalTenantID maps an external tenant ID (as it appears in OIDC claims) to the
+// internal tenant ID stored on the user object by calling the gateway's TenantAPI.
+// Results are cached for 10 minutes to avoid repeated lookups on every request.
+// The call is authenticated using the configured service account.
+func (m accountResolver) resolveInternalTenantID(ctx context.Context, externalTenantID string) (string, error) {
+	if item := m.tenantIDCache.Get(externalTenantID); item != nil {
+		return item.Value(), nil
+	}
+
+	gwc, err := m.gatewaySelector.Next()
+	if err != nil {
+		return "", fmt.Errorf("could not get gateway client: %w", err)
+	}
+	authCtx, err := utils.GetServiceUserContextWithContext(ctx, gwc, m.serviceAccount.ServiceAccountID, m.serviceAccount.ServiceAccountSecret)
+	if err != nil {
+		return "", fmt.Errorf("could not authenticate service account: %w", err)
+	}
+	resp, err := gwc.GetTenantByClaim(authCtx, &tenantpb.GetTenantByClaimRequest{
+		Claim: "externalid",
+		Value: externalTenantID,
+	})
+	if err != nil {
+		return "", err
+	}
+	if resp.GetStatus().GetCode() != rpcpb.Code_CODE_OK {
+		return "", fmt.Errorf("TenantAPI returned status %s: %s", resp.GetStatus().GetCode(), resp.GetStatus().GetMessage())
+	}
+
+	internalID := resp.GetTenant().GetId()
+	m.tenantIDCache.Set(externalTenantID, internalID, ttlcache.DefaultTTL)
+	return internalID, nil
+}
--- a/services/proxy/pkg/middleware/account_resolver_test.go
+++ b/services/proxy/pkg/middleware/account_resolver_test.go
@@ -6,25 +6,35 @@ import (
 	"net/http/httptest"
 	"testing"

+	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	tenantpb "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
 	userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
+	rpcpb "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/pkg/oidc"
+	"github.com/opencloud-eu/opencloud/services/proxy/pkg/config"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/router"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/user/backend"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/user/backend/mocks"
 	userRoleMocks "github.com/opencloud-eu/opencloud/services/proxy/pkg/userroles/mocks"
 	"github.com/opencloud-eu/reva/v2/pkg/auth/scope"
 	revactx "github.com/opencloud-eu/reva/v2/pkg/ctx"
+	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
 	"github.com/opencloud-eu/reva/v2/pkg/token/manager/jwt"
+	cs3mocks "github.com/opencloud-eu/reva/v2/tests/cs3mocks/mocks"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
+	"google.golang.org/grpc"
 )

 const (
-	testIdP      = "https://idx.example.com"
-	testTenantA  = "tenant-a"
-	testTenantB  = "tenant-b"
-	testJWTSecret = "change-me"
+	testIdP               = "https://idx.example.com"
+	testTenantA           = "tenant-a"
+	testTenantB           = "tenant-b"
+	testJWTSecret         = "change-me"
+	testSvcAccountID      = "svc-account-id"
+	testSvcAccountSecret  = "svc-account-secret"
+	testSvcAccountToken   = "svc-account-token"
 )

 func TestTokenIsAddedWithMailClaim(t *testing.T) {
@@ -336,3 +346,123 @@ func mockRequest(claims map[string]interface{}) (*http.Request, *httptest.Respon
 type mockHandler struct{}

 func (m mockHandler) ServeHTTP(writer http.ResponseWriter, request *http.Request) {}
+
+func TestTenantIDMapping(t *testing.T) {
+	const (
+		externalTenantID = "external-tenant-x"
+		internalTenantID = testTenantA
+	)
+
+	user := &userv1beta1.User{
+		Id: &userv1beta1.UserId{
+			Idp:      testIdP,
+			OpaqueId: "123",
+			TenantId: internalTenantID,
+		},
+		Username: "foo",
+	}
+
+	tokenManager, _ := jwt.New(map[string]interface{}{"secret": testJWTSecret, "expires": int64(60)})
+	s, _ := scope.AddOwnerScope(nil)
+	token, _ := tokenManager.MintToken(context.Background(), user, s)
+
+	newSUT := func(t *testing.T, gatewayClient gateway.GatewayAPIClient) http.Handler {
+		t.Helper()
+		gatewaySelector := pool.GetSelector[gateway.GatewayAPIClient](
+			"GatewaySelector",
+			"eu.opencloud.api.gateway",
+			func(cc grpc.ClientConnInterface) gateway.GatewayAPIClient {
+				return gatewayClient
+			},
+		)
+		t.Cleanup(func() { pool.RemoveSelector("GatewaySelector" + "eu.opencloud.api.gateway") })
+
+		ub := mocks.UserBackend{}
+		ub.On("GetUserByClaims", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(user, token, nil)
+		ra := userRoleMocks.UserRoleAssigner{}
+		ra.On("UpdateUserRoleAssignment", mock.Anything, mock.Anything, mock.Anything).Return(user, nil)
+
+		return AccountResolver(
+			Logger(log.NewLogger()),
+			UserProvider(&ub),
+			UserRoleAssigner(&ra),
+			UserOIDCClaim(oidc.PreferredUsername),
+			UserCS3Claim("username"),
+			TenantOIDCClaim("tenant_id"),
+			MultiTenantEnabled(true),
+			TenantIDMappingEnabled(true),
+			ServiceAccount(config.ServiceAccount{
+				ServiceAccountID:     testSvcAccountID,
+				ServiceAccountSecret: testSvcAccountSecret,
+			}),
+			WithRevaGatewaySelector(gatewaySelector),
+		)(mockHandler{})
+	}
+
+	tests := []struct {
+		name           string
+		tenantResponse *tenantpb.GetTenantByClaimResponse
+		wantToken      bool
+		wantStatusCode int
+	}{
+		{
+			name: "token added when external tenant maps to user internal tenant",
+			tenantResponse: &tenantpb.GetTenantByClaimResponse{
+				Status: &rpcpb.Status{Code: rpcpb.Code_CODE_OK},
+				Tenant: &tenantpb.Tenant{Id: internalTenantID, ExternalId: externalTenantID},
+			},
+			wantToken:      true,
+			wantStatusCode: http.StatusOK,
+		},
+		{
+			name: "unauthorized when external tenant maps to a different internal tenant",
+			tenantResponse: &tenantpb.GetTenantByClaimResponse{
+				Status: &rpcpb.Status{Code: rpcpb.Code_CODE_OK},
+				Tenant: &tenantpb.Tenant{Id: testTenantB, ExternalId: externalTenantID},
+			},
+			wantToken:      false,
+			wantStatusCode: http.StatusUnauthorized,
+		},
+		{
+			name: "unauthorized when external tenant is not found",
+			tenantResponse: &tenantpb.GetTenantByClaimResponse{
+				Status: &rpcpb.Status{Code: rpcpb.Code_CODE_NOT_FOUND, Message: "not found"},
+			},
+			wantToken:      false,
+			wantStatusCode: http.StatusUnauthorized,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			gwc := &cs3mocks.GatewayAPIClient{}
+			gwc.On("Authenticate", mock.Anything, &gateway.AuthenticateRequest{
+				Type:         "serviceaccounts",
+				ClientId:     testSvcAccountID,
+				ClientSecret: testSvcAccountSecret,
+			}).Return(&gateway.AuthenticateResponse{
+				Status: &rpcpb.Status{Code: rpcpb.Code_CODE_OK},
+				Token:  testSvcAccountToken,
+			}, nil)
+			gwc.On("GetTenantByClaim", mock.Anything, &tenantpb.GetTenantByClaimRequest{
+				Claim: "externalid",
+				Value: externalTenantID,
+			}).Return(tc.tenantResponse, nil)
+
+			req, rw := mockRequest(map[string]interface{}{
+				oidc.Iss:               testIdP,
+				oidc.PreferredUsername: "foo",
+				"tenant_id":            externalTenantID,
+			})
+			newSUT(t, gwc).ServeHTTP(rw, req)
+
+			if tc.wantToken {
+				assert.NotEmpty(t, req.Header.Get(revactx.TokenHeader))
+			} else {
+				assert.Empty(t, req.Header.Get(revactx.TokenHeader))
+			}
+			assert.Equal(t, tc.wantStatusCode, rw.Code)
+			gwc.AssertExpectations(t)
+		})
+	}
+}
--- a/services/proxy/pkg/middleware/options.go
+++ b/services/proxy/pkg/middleware/options.go
@@ -76,7 +76,12 @@ type Options struct {
 	SkipUserInfo bool
 	// MultiTenantEnabled causes the account resolve middleware to reject users that don't have a tenant id assigned
 	MultiTenantEnabled bool
-	EventsPublisher    events.Publisher
+	// TenantIDMappingEnabled causes the account resolver to resolve the internal tenant ID from the external
+	// tenant ID in the OIDC claims via the gateway's TenantAPI before comparing it to the user's stored tenant ID.
+	TenantIDMappingEnabled bool
+	// ServiceAccount holds credentials used to authenticate internal service calls (e.g. TenantAPI lookups).
+	ServiceAccount         config.ServiceAccount
+	EventsPublisher        events.Publisher
 }

 // newOptions initializes the available default options.
@@ -258,6 +263,22 @@ func MultiTenantEnabled(val bool) Option {
 	}
 }

+// ServiceAccount sets the service account credentials used for authenticated internal calls.
+func ServiceAccount(sa config.ServiceAccount) Option {
+	return func(o *Options) {
+		o.ServiceAccount = sa
+	}
+}
+
+// TenantIDMappingEnabled sets the TenantIDMappingEnabled flag.
+// When true, the account resolver resolves the internal tenant ID from the external tenant ID
+// provided in the OIDC claims by calling the gateway's TenantAPI, instead of comparing directly.
+func TenantIDMappingEnabled(val bool) Option {
+	return func(o *Options) {
+		o.TenantIDMappingEnabled = val
+	}
+}
+
 // EventsPublisher sets the events publisher.
 func EventsPublisher(ep events.Publisher) Option {
 	return func(o *Options) {
--- a/services/users/pkg/config/config.go
+++ b/services/users/pkg/config/config.go
@@ -62,6 +62,11 @@ type LDAPDriver struct {
 	BindPassword             string          `yaml:"bind_password" env:"OC_LDAP_BIND_PASSWORD;USERS_LDAP_BIND_PASSWORD" desc:"Password to use for authenticating the 'bind_dn'." introductionVersion:"1.0.0"`
 	UserBaseDN               string          `yaml:"user_base_dn" env:"OC_LDAP_USER_BASE_DN;USERS_LDAP_USER_BASE_DN" desc:"Search base DN for looking up LDAP users." introductionVersion:"1.0.0"`
 	GroupBaseDN              string          `yaml:"group_base_dn" env:"OC_LDAP_GROUP_BASE_DN;USERS_LDAP_GROUP_BASE_DN" desc:"Search base DN for looking up LDAP groups." introductionVersion:"1.0.0"`
+	TenantBaseDN             string           `yaml:"tenant_base_dn" env:"OC_LDAP_TENANT_BASE_DN;USERS_LDAP_TENANT_BASE_DN" desc:"Search base DN for looking up LDAP tenants. Only relevant in multi-tenant setups." introductionVersion:"%%NEXT%%"`
+	TenantScope              string           `yaml:"tenant_scope" env:"OC_LDAP_TENANT_SCOPE;USERS_LDAP_TENANT_SCOPE" desc:"LDAP search scope to use when looking up tenants. Supported values are 'base', 'one' and 'sub'. Only relevant in multi-tenant setups." introductionVersion:"%%NEXT%%"`
+	TenantFilter             string           `yaml:"tenant_filter" env:"OC_LDAP_TENANT_FILTER;USERS_LDAP_TENANT_FILTER" desc:"LDAP filter to add to the default filters for tenant searches. Only relevant in multi-tenant setups." introductionVersion:"%%NEXT%%"`
+	TenantObjectClass        string           `yaml:"tenant_object_class" env:"OC_LDAP_TENANT_OBJECTCLASS;USERS_LDAP_TENANT_OBJECTCLASS" desc:"The object class to use for tenants in the default tenant search filter. Only relevant in multi-tenant setups." introductionVersion:"%%NEXT%%"`
+	TenantSchema             LDAPTenantSchema `yaml:"tenant_schema"`
 	UserScope                string          `yaml:"user_scope" env:"OC_LDAP_USER_SCOPE;USERS_LDAP_USER_SCOPE" desc:"LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'." introductionVersion:"1.0.0"`
 	GroupScope               string          `yaml:"group_scope" env:"OC_LDAP_GROUP_SCOPE;USERS_LDAP_GROUP_SCOPE" desc:"LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'." introductionVersion:"1.0.0"`
 	UserSubstringFilterType  string          `yaml:"user_substring_filter_type" env:"LDAP_USER_SUBSTRING_FILTER_TYPE;USERS_LDAP_USER_SUBSTRING_FILTER_TYPE" desc:"Type of substring search filter to use for substring searches for users. Possible values: 'initial' for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches" introductionVersion:"1.0.0"`
@@ -96,6 +101,12 @@ type LDAPGroupSchema struct {
 	Member          string `yaml:"member" env:"OC_LDAP_GROUP_SCHEMA_MEMBER;USERS_LDAP_GROUP_SCHEMA_MEMBER" desc:"LDAP Attribute that is used for group members." introductionVersion:"1.0.0"`
 }

+type LDAPTenantSchema struct {
+	ID         string `yaml:"id" env:"OC_LDAP_TENANT_SCHEMA_ID;USERS_LDAP_TENANT_SCHEMA_ID" desc:"LDAP Attribute to use as the unique internal ID for tenants. Only relevant in multi-tenant setups." introductionVersion:"%%NEXT%%"`
+	ExternalID string `yaml:"external_id" env:"OC_LDAP_TENANT_SCHEMA_EXTERNAL_ID;USERS_LDAP_TENANT_SCHEMA_EXTERNAL_ID" desc:"LDAP Attribute that holds the external tenant ID as it appears in OIDC claims. Only relevant in multi-tenant setups." introductionVersion:"%%NEXT%%"`
+	Name       string `yaml:"name" env:"OC_LDAP_TENANT_SCHEMA_NAME;USERS_LDAP_TENANT_SCHEMA_NAME" desc:"LDAP Attribute to use for the human-readable name of a tenant. Only relevant in multi-tenant setups." introductionVersion:"%%NEXT%%"`
+}
+
 type OwnCloudSQLDriver struct {
 	DBUsername         string `yaml:"db_username" env:"USERS_OWNCLOUDSQL_DB_USERNAME" desc:"Database user to use for authenticating with the owncloud database." introductionVersion:"1.0.0"`
 	DBPassword         string `yaml:"db_password" env:"USERS_OWNCLOUDSQL_DB_PASSWORD" desc:"Password for the database user." introductionVersion:"1.0.0"`
--- a/services/users/pkg/config/defaults/defaultconfig.go
+++ b/services/users/pkg/config/defaults/defaultconfig.go
@@ -45,6 +45,7 @@ func DefaultConfig() *config.Config {
 				GroupBaseDN:              "ou=groups,o=libregraph-idm",
 				UserScope:                "sub",
 				GroupScope:               "sub",
+				TenantScope:              "sub",
 				UserSubstringFilterType:  "any",
 				UserFilter:               "",
 				GroupFilter:              "",
--- a/services/users/pkg/revaconfig/config.go
+++ b/services/users/pkg/revaconfig/config.go
@@ -66,13 +66,17 @@ func ldapConfigFromString(cfg config.LDAPDriver) map[string]interface{} {
 		"bind_password":              cfg.BindPassword,
 		"user_base_dn":               cfg.UserBaseDN,
 		"group_base_dn":              cfg.GroupBaseDN,
+		"tenant_base_dn":             cfg.TenantBaseDN,
 		"user_scope":                 cfg.UserScope,
 		"group_scope":                cfg.GroupScope,
+		"tenant_search_scope":        cfg.TenantScope,
 		"user_substring_filter_type": cfg.UserSubstringFilterType,
 		"user_filter":                cfg.UserFilter,
 		"group_filter":               cfg.GroupFilter,
+		"tenant_filter":              cfg.TenantFilter,
 		"user_objectclass":           cfg.UserObjectClass,
 		"group_objectclass":          cfg.GroupObjectClass,
+		"tenant_objectclass":         cfg.TenantObjectClass,
 		"user_disable_mechanism":     cfg.DisableUserMechanism,
 		"user_enabled_property":      cfg.UserSchema.Enabled,
 		"user_type_property":         cfg.UserTypeAttribute,
@@ -94,5 +98,10 @@ func ldapConfigFromString(cfg config.LDAPDriver) map[string]interface{} {
 			"groupName":       cfg.GroupSchema.Groupname,
 			"member":          cfg.GroupSchema.Member,
 		},
+		"tenant_schema": map[string]interface{}{
+			"id":         cfg.TenantSchema.ID,
+			"externalId": cfg.TenantSchema.ExternalID,
+			"name":       cfg.TenantSchema.Name,
+		},
 	}
 }
--- a/vendor/github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1/gateway_api.pb.go
+++ b/vendor/github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1/gateway_api.pb.go
--- a/vendor/github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1/gateway_api_grpc.pb.go
+++ b/vendor/github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1/gateway_api_grpc.pb.go
--- a/vendor/github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1/resources.pb.go
+++ b/vendor/github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1/resources.pb.go
@@ -0,0 +1,209 @@
+// Copyright 2018-2026 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.31.0
+// 	protoc        (unknown)
+// source: cs3/identity/tenant/v1beta1/resources.proto
+
+package tenantv1beta1
+
+import (
+	_ "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+// A Tenant represents an isolated organization. Users can be member of
+// exactly one tenant. Members of different tenants are unable to access
+// each others resources.
+type Tenant struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// REQUIRED.
+	// The unique identifier of the tenant. This is a UUID
+	Id string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
+	// OPTIONAL
+	// The name of the Tenant
+	Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"`
+	// OPTIONAL
+	// An external identifier to able to lookup Tenants by externally managed IDs
+	ExternalId string `protobuf:"bytes,3,opt,name=external_id,json=externalId,proto3" json:"external_id,omitempty"`
+}
+
+func (x *Tenant) Reset() {
+	*x = Tenant{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cs3_identity_tenant_v1beta1_resources_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Tenant) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Tenant) ProtoMessage() {}
+
+func (x *Tenant) ProtoReflect() protoreflect.Message {
+	mi := &file_cs3_identity_tenant_v1beta1_resources_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Tenant.ProtoReflect.Descriptor instead.
+func (*Tenant) Descriptor() ([]byte, []int) {
+	return file_cs3_identity_tenant_v1beta1_resources_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Tenant) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
+func (x *Tenant) GetName() string {
+	if x != nil {
+		return x.Name
+	}
+	return ""
+}
+
+func (x *Tenant) GetExternalId() string {
+	if x != nil {
+		return x.ExternalId
+	}
+	return ""
+}
+
+var File_cs3_identity_tenant_v1beta1_resources_proto protoreflect.FileDescriptor
+
+var file_cs3_identity_tenant_v1beta1_resources_proto_rawDesc = []byte{
+	0x0a, 0x2b, 0x63, 0x73, 0x33, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x74,
+	0x65, 0x6e, 0x61, 0x6e, 0x74, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x72, 0x65,
+	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b, 0x63,
+	0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x74, 0x65, 0x6e, 0x61,
+	0x6e, 0x74, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x1a, 0x1d, 0x63, 0x73, 0x33, 0x2f,
+	0x74, 0x79, 0x70, 0x65, 0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x74, 0x79,
+	0x70, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x4d, 0x0a, 0x06, 0x54, 0x65, 0x6e,
+	0x61, 0x6e, 0x74, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x02, 0x69, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1f, 0x0a, 0x0b, 0x65, 0x78, 0x74, 0x65, 0x72,
+	0x6e, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x65, 0x78,
+	0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x49, 0x64, 0x42, 0x88, 0x02, 0x0a, 0x1f, 0x63, 0x6f, 0x6d,
+	0x2e, 0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x74, 0x65,
+	0x6e, 0x61, 0x6e, 0x74, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42, 0x0e, 0x52, 0x65,
+	0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x46,
+	0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x73, 0x33, 0x6f, 0x72,
+	0x67, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x73, 0x33, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x63, 0x73, 0x33,
+	0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74,
+	0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3b, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x76,
+	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x43, 0x49, 0x54, 0xaa, 0x02, 0x1b, 0x43,
+	0x73, 0x33, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x54, 0x65, 0x6e, 0x61,
+	0x6e, 0x74, 0x2e, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02, 0x1b, 0x43, 0x73, 0x33,
+	0x5c, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5c, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74,
+	0x5c, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xe2, 0x02, 0x27, 0x43, 0x73, 0x33, 0x5c, 0x49,
+	0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5c, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x5c, 0x56,
+	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61,
+	0x74, 0x61, 0xea, 0x02, 0x1e, 0x43, 0x73, 0x33, 0x3a, 0x3a, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69,
+	0x74, 0x79, 0x3a, 0x3a, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x65,
+	0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_cs3_identity_tenant_v1beta1_resources_proto_rawDescOnce sync.Once
+	file_cs3_identity_tenant_v1beta1_resources_proto_rawDescData = file_cs3_identity_tenant_v1beta1_resources_proto_rawDesc
+)
+
+func file_cs3_identity_tenant_v1beta1_resources_proto_rawDescGZIP() []byte {
+	file_cs3_identity_tenant_v1beta1_resources_proto_rawDescOnce.Do(func() {
+		file_cs3_identity_tenant_v1beta1_resources_proto_rawDescData = protoimpl.X.CompressGZIP(file_cs3_identity_tenant_v1beta1_resources_proto_rawDescData)
+	})
+	return file_cs3_identity_tenant_v1beta1_resources_proto_rawDescData
+}
+
+var file_cs3_identity_tenant_v1beta1_resources_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_cs3_identity_tenant_v1beta1_resources_proto_goTypes = []interface{}{
+	(*Tenant)(nil), // 0: cs3.identity.tenant.v1beta1.Tenant
+}
+var file_cs3_identity_tenant_v1beta1_resources_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_cs3_identity_tenant_v1beta1_resources_proto_init() }
+func file_cs3_identity_tenant_v1beta1_resources_proto_init() {
+	if File_cs3_identity_tenant_v1beta1_resources_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_cs3_identity_tenant_v1beta1_resources_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Tenant); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_cs3_identity_tenant_v1beta1_resources_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_cs3_identity_tenant_v1beta1_resources_proto_goTypes,
+		DependencyIndexes: file_cs3_identity_tenant_v1beta1_resources_proto_depIdxs,
+		MessageInfos:      file_cs3_identity_tenant_v1beta1_resources_proto_msgTypes,
+	}.Build()
+	File_cs3_identity_tenant_v1beta1_resources_proto = out.File
+	file_cs3_identity_tenant_v1beta1_resources_proto_rawDesc = nil
+	file_cs3_identity_tenant_v1beta1_resources_proto_goTypes = nil
+	file_cs3_identity_tenant_v1beta1_resources_proto_depIdxs = nil
+}
--- a/vendor/github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1/tenant_api.pb.go
+++ b/vendor/github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1/tenant_api.pb.go
@@ -0,0 +1,454 @@
+// Copyright 2018-2026 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.31.0
+// 	protoc        (unknown)
+// source: cs3/identity/tenant/v1beta1/tenant_api.proto
+
+package tenantv1beta1
+
+import (
+	v1beta1 "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
+	_ "github.com/cs3org/go-cs3apis/cs3/types/v1beta1"
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type GetTenantRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// REQUIRED.
+	// The id of the tenant.
+	TenantId string `protobuf:"bytes,1,opt,name=tenant_id,json=tenantId,proto3" json:"tenant_id,omitempty"`
+}
+
+func (x *GetTenantRequest) Reset() {
+	*x = GetTenantRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetTenantRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetTenantRequest) ProtoMessage() {}
+
+func (x *GetTenantRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetTenantRequest.ProtoReflect.Descriptor instead.
+func (*GetTenantRequest) Descriptor() ([]byte, []int) {
+	return file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *GetTenantRequest) GetTenantId() string {
+	if x != nil {
+		return x.TenantId
+	}
+	return ""
+}
+
+type GetTenantResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// REQUIRED.
+	// The response status.
+	Status *v1beta1.Status `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
+	// REQUIRED.
+	// The tenant information.
+	Tenant *Tenant `protobuf:"bytes,2,opt,name=tenant,proto3" json:"tenant,omitempty"`
+}
+
+func (x *GetTenantResponse) Reset() {
+	*x = GetTenantResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetTenantResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetTenantResponse) ProtoMessage() {}
+
+func (x *GetTenantResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetTenantResponse.ProtoReflect.Descriptor instead.
+func (*GetTenantResponse) Descriptor() ([]byte, []int) {
+	return file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *GetTenantResponse) GetStatus() *v1beta1.Status {
+	if x != nil {
+		return x.Status
+	}
+	return nil
+}
+
+func (x *GetTenantResponse) GetTenant() *Tenant {
+	if x != nil {
+		return x.Tenant
+	}
+	return nil
+}
+
+type GetTenantByClaimRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// REQUIRED.
+	// The claim on the basis of which users will be filtered.
+	Claim string `protobuf:"bytes,1,opt,name=claim,proto3" json:"claim,omitempty"`
+	// REQUIRED.
+	// The value of the claim to find the specific user.
+	Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"`
+}
+
+func (x *GetTenantByClaimRequest) Reset() {
+	*x = GetTenantByClaimRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetTenantByClaimRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetTenantByClaimRequest) ProtoMessage() {}
+
+func (x *GetTenantByClaimRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetTenantByClaimRequest.ProtoReflect.Descriptor instead.
+func (*GetTenantByClaimRequest) Descriptor() ([]byte, []int) {
+	return file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *GetTenantByClaimRequest) GetClaim() string {
+	if x != nil {
+		return x.Claim
+	}
+	return ""
+}
+
+func (x *GetTenantByClaimRequest) GetValue() string {
+	if x != nil {
+		return x.Value
+	}
+	return ""
+}
+
+type GetTenantByClaimResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// REQUIRED.
+	// The response status.
+	Status *v1beta1.Status `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
+	// REQUIRED.
+	// The tenant information.
+	Tenant *Tenant `protobuf:"bytes,2,opt,name=tenant,proto3" json:"tenant,omitempty"`
+}
+
+func (x *GetTenantByClaimResponse) Reset() {
+	*x = GetTenantByClaimResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetTenantByClaimResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetTenantByClaimResponse) ProtoMessage() {}
+
+func (x *GetTenantByClaimResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetTenantByClaimResponse.ProtoReflect.Descriptor instead.
+func (*GetTenantByClaimResponse) Descriptor() ([]byte, []int) {
+	return file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescGZIP(), []int{3}
+}
+
+func (x *GetTenantByClaimResponse) GetStatus() *v1beta1.Status {
+	if x != nil {
+		return x.Status
+	}
+	return nil
+}
+
+func (x *GetTenantByClaimResponse) GetTenant() *Tenant {
+	if x != nil {
+		return x.Tenant
+	}
+	return nil
+}
+
+var File_cs3_identity_tenant_v1beta1_tenant_api_proto protoreflect.FileDescriptor
+
+var file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDesc = []byte{
+	0x0a, 0x2c, 0x63, 0x73, 0x33, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x74,
+	0x65, 0x6e, 0x61, 0x6e, 0x74, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x74, 0x65,
+	0x6e, 0x61, 0x6e, 0x74, 0x5f, 0x61, 0x70, 0x69, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1b,
+	0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x74, 0x65, 0x6e,
+	0x61, 0x6e, 0x74, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x1a, 0x2b, 0x63, 0x73, 0x33,
+	0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74,
+	0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63,
+	0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1c, 0x63, 0x73, 0x33, 0x2f, 0x72, 0x70,
+	0x63, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x63, 0x73, 0x33, 0x2f, 0x74, 0x79, 0x70, 0x65,
+	0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x2f, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x54, 0x65, 0x6e, 0x61,
+	0x6e, 0x74, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x65, 0x6e,
+	0x61, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x65,
+	0x6e, 0x61, 0x6e, 0x74, 0x49, 0x64, 0x22, 0x81, 0x01, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x54, 0x65,
+	0x6e, 0x61, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x06,
+	0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x63,
+	0x73, 0x33, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x53,
+	0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x3b, 0x0a,
+	0x06, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e,
+	0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x74, 0x65, 0x6e,
+	0x61, 0x6e, 0x74, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x54, 0x65, 0x6e, 0x61,
+	0x6e, 0x74, 0x52, 0x06, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x22, 0x45, 0x0a, 0x17, 0x47, 0x65,
+	0x74, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x42, 0x79, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x12, 0x14, 0x0a, 0x05, 0x76,
+	0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75,
+	0x65, 0x22, 0x88, 0x01, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x42,
+	0x79, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f,
+	0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17,
+	0x2e, 0x63, 0x73, 0x33, 0x2e, 0x72, 0x70, 0x63, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
+	0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12,
+	0x3b, 0x0a, 0x06, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x23, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x74,
+	0x65, 0x6e, 0x61, 0x6e, 0x74, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x54, 0x65,
+	0x6e, 0x61, 0x6e, 0x74, 0x52, 0x06, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x32, 0xf8, 0x01, 0x0a,
+	0x09, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x41, 0x50, 0x49, 0x12, 0x6a, 0x0a, 0x09, 0x47, 0x65,
+	0x74, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x12, 0x2d, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x69, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x2e, 0x76, 0x31,
+	0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2e, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65,
+	0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x2e, 0x76, 0x31, 0x62,
+	0x65, 0x74, 0x61, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x7f, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x54, 0x65, 0x6e,
+	0x61, 0x6e, 0x74, 0x42, 0x79, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x12, 0x34, 0x2e, 0x63, 0x73, 0x33,
+	0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74,
+	0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x54, 0x65, 0x6e, 0x61,
+	0x6e, 0x74, 0x42, 0x79, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
+	0x1a, 0x35, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e,
+	0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x47,
+	0x65, 0x74, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x42, 0x79, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x88, 0x02, 0x0a, 0x1f, 0x63, 0x6f, 0x6d, 0x2e,
+	0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x74, 0x65, 0x6e,
+	0x61, 0x6e, 0x74, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42, 0x0e, 0x54, 0x65, 0x6e,
+	0x61, 0x6e, 0x74, 0x41, 0x70, 0x69, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x46, 0x67,
+	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x73, 0x33, 0x6f, 0x72, 0x67,
+	0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x73, 0x33, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x63, 0x73, 0x33, 0x2f,
+	0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x2f,
+	0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3b, 0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x76, 0x31,
+	0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x43, 0x49, 0x54, 0xaa, 0x02, 0x1b, 0x43, 0x73,
+	0x33, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x54, 0x65, 0x6e, 0x61, 0x6e,
+	0x74, 0x2e, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02, 0x1b, 0x43, 0x73, 0x33, 0x5c,
+	0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5c, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x5c,
+	0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xe2, 0x02, 0x27, 0x43, 0x73, 0x33, 0x5c, 0x49, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5c, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x5c, 0x56, 0x31,
+	0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74,
+	0x61, 0xea, 0x02, 0x1e, 0x43, 0x73, 0x33, 0x3a, 0x3a, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74,
+	0x79, 0x3a, 0x3a, 0x54, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x65, 0x74,
+	0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescOnce sync.Once
+	file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescData = file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDesc
+)
+
+func file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescGZIP() []byte {
+	file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescOnce.Do(func() {
+		file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescData = protoimpl.X.CompressGZIP(file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescData)
+	})
+	return file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDescData
+}
+
+var file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
+var file_cs3_identity_tenant_v1beta1_tenant_api_proto_goTypes = []interface{}{
+	(*GetTenantRequest)(nil),         // 0: cs3.identity.tenant.v1beta1.GetTenantRequest
+	(*GetTenantResponse)(nil),        // 1: cs3.identity.tenant.v1beta1.GetTenantResponse
+	(*GetTenantByClaimRequest)(nil),  // 2: cs3.identity.tenant.v1beta1.GetTenantByClaimRequest
+	(*GetTenantByClaimResponse)(nil), // 3: cs3.identity.tenant.v1beta1.GetTenantByClaimResponse
+	(*v1beta1.Status)(nil),           // 4: cs3.rpc.v1beta1.Status
+	(*Tenant)(nil),                   // 5: cs3.identity.tenant.v1beta1.Tenant
+}
+var file_cs3_identity_tenant_v1beta1_tenant_api_proto_depIdxs = []int32{
+	4, // 0: cs3.identity.tenant.v1beta1.GetTenantResponse.status:type_name -> cs3.rpc.v1beta1.Status
+	5, // 1: cs3.identity.tenant.v1beta1.GetTenantResponse.tenant:type_name -> cs3.identity.tenant.v1beta1.Tenant
+	4, // 2: cs3.identity.tenant.v1beta1.GetTenantByClaimResponse.status:type_name -> cs3.rpc.v1beta1.Status
+	5, // 3: cs3.identity.tenant.v1beta1.GetTenantByClaimResponse.tenant:type_name -> cs3.identity.tenant.v1beta1.Tenant
+	0, // 4: cs3.identity.tenant.v1beta1.TenantAPI.GetTenant:input_type -> cs3.identity.tenant.v1beta1.GetTenantRequest
+	2, // 5: cs3.identity.tenant.v1beta1.TenantAPI.GetTenantByClaim:input_type -> cs3.identity.tenant.v1beta1.GetTenantByClaimRequest
+	1, // 6: cs3.identity.tenant.v1beta1.TenantAPI.GetTenant:output_type -> cs3.identity.tenant.v1beta1.GetTenantResponse
+	3, // 7: cs3.identity.tenant.v1beta1.TenantAPI.GetTenantByClaim:output_type -> cs3.identity.tenant.v1beta1.GetTenantByClaimResponse
+	6, // [6:8] is the sub-list for method output_type
+	4, // [4:6] is the sub-list for method input_type
+	4, // [4:4] is the sub-list for extension type_name
+	4, // [4:4] is the sub-list for extension extendee
+	0, // [0:4] is the sub-list for field type_name
+}
+
+func init() { file_cs3_identity_tenant_v1beta1_tenant_api_proto_init() }
+func file_cs3_identity_tenant_v1beta1_tenant_api_proto_init() {
+	if File_cs3_identity_tenant_v1beta1_tenant_api_proto != nil {
+		return
+	}
+	file_cs3_identity_tenant_v1beta1_resources_proto_init()
+	if !protoimpl.UnsafeEnabled {
+		file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetTenantRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetTenantResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetTenantByClaimRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetTenantByClaimResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   4,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_cs3_identity_tenant_v1beta1_tenant_api_proto_goTypes,
+		DependencyIndexes: file_cs3_identity_tenant_v1beta1_tenant_api_proto_depIdxs,
+		MessageInfos:      file_cs3_identity_tenant_v1beta1_tenant_api_proto_msgTypes,
+	}.Build()
+	File_cs3_identity_tenant_v1beta1_tenant_api_proto = out.File
+	file_cs3_identity_tenant_v1beta1_tenant_api_proto_rawDesc = nil
+	file_cs3_identity_tenant_v1beta1_tenant_api_proto_goTypes = nil
+	file_cs3_identity_tenant_v1beta1_tenant_api_proto_depIdxs = nil
+}
--- a/vendor/github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1/tenant_api_grpc.pb.go
+++ b/vendor/github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1/tenant_api_grpc.pb.go
@@ -0,0 +1,166 @@
+// Copyright 2018-2026 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.3.0
+// - protoc             (unknown)
+// source: cs3/identity/tenant/v1beta1/tenant_api.proto
+
+package tenantv1beta1
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+const (
+	TenantAPI_GetTenant_FullMethodName        = "/cs3.identity.tenant.v1beta1.TenantAPI/GetTenant"
+	TenantAPI_GetTenantByClaim_FullMethodName = "/cs3.identity.tenant.v1beta1.TenantAPI/GetTenantByClaim"
+)
+
+// TenantAPIClient is the client API for TenantAPI service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type TenantAPIClient interface {
+	// Gets the information about a Tenant by the tenant id.
+	GetTenant(ctx context.Context, in *GetTenantRequest, opts ...grpc.CallOption) (*GetTenantResponse, error)
+	// Gets the information about a Tenant based on a specified claim.
+	GetTenantByClaim(ctx context.Context, in *GetTenantByClaimRequest, opts ...grpc.CallOption) (*GetTenantByClaimResponse, error)
+}
+
+type tenantAPIClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewTenantAPIClient(cc grpc.ClientConnInterface) TenantAPIClient {
+	return &tenantAPIClient{cc}
+}
+
+func (c *tenantAPIClient) GetTenant(ctx context.Context, in *GetTenantRequest, opts ...grpc.CallOption) (*GetTenantResponse, error) {
+	out := new(GetTenantResponse)
+	err := c.cc.Invoke(ctx, TenantAPI_GetTenant_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *tenantAPIClient) GetTenantByClaim(ctx context.Context, in *GetTenantByClaimRequest, opts ...grpc.CallOption) (*GetTenantByClaimResponse, error) {
+	out := new(GetTenantByClaimResponse)
+	err := c.cc.Invoke(ctx, TenantAPI_GetTenantByClaim_FullMethodName, in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// TenantAPIServer is the server API for TenantAPI service.
+// All implementations should embed UnimplementedTenantAPIServer
+// for forward compatibility
+type TenantAPIServer interface {
+	// Gets the information about a Tenant by the tenant id.
+	GetTenant(context.Context, *GetTenantRequest) (*GetTenantResponse, error)
+	// Gets the information about a Tenant based on a specified claim.
+	GetTenantByClaim(context.Context, *GetTenantByClaimRequest) (*GetTenantByClaimResponse, error)
+}
+
+// UnimplementedTenantAPIServer should be embedded to have forward compatible implementations.
+type UnimplementedTenantAPIServer struct {
+}
+
+func (UnimplementedTenantAPIServer) GetTenant(context.Context, *GetTenantRequest) (*GetTenantResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetTenant not implemented")
+}
+func (UnimplementedTenantAPIServer) GetTenantByClaim(context.Context, *GetTenantByClaimRequest) (*GetTenantByClaimResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetTenantByClaim not implemented")
+}
+
+// UnsafeTenantAPIServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to TenantAPIServer will
+// result in compilation errors.
+type UnsafeTenantAPIServer interface {
+	mustEmbedUnimplementedTenantAPIServer()
+}
+
+func RegisterTenantAPIServer(s grpc.ServiceRegistrar, srv TenantAPIServer) {
+	s.RegisterService(&TenantAPI_ServiceDesc, srv)
+}
+
+func _TenantAPI_GetTenant_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetTenantRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(TenantAPIServer).GetTenant(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: TenantAPI_GetTenant_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(TenantAPIServer).GetTenant(ctx, req.(*GetTenantRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _TenantAPI_GetTenantByClaim_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetTenantByClaimRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(TenantAPIServer).GetTenantByClaim(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: TenantAPI_GetTenantByClaim_FullMethodName,
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(TenantAPIServer).GetTenantByClaim(ctx, req.(*GetTenantByClaimRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// TenantAPI_ServiceDesc is the grpc.ServiceDesc for TenantAPI service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var TenantAPI_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "cs3.identity.tenant.v1beta1.TenantAPI",
+	HandlerType: (*TenantAPIServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "GetTenant",
+			Handler:    _TenantAPI_GetTenant_Handler,
+		},
+		{
+			MethodName: "GetTenantByClaim",
+			Handler:    _TenantAPI_GetTenantByClaim_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "cs3/identity/tenant/v1beta1/tenant_api.proto",
+}
--- a/vendor/github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1/resources.pb.go
+++ b/vendor/github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1/resources.pb.go
@@ -116,6 +116,70 @@ func (UserType) EnumDescriptor() ([]byte, []int) {
 	return file_cs3_identity_user_v1beta1_resources_proto_rawDescGZIP(), []int{0}
 }

+// ExternalIdentity represents an external identifier of a user.
+// This can be populated when multiple identities collapse onto
+// the same user, for example when signing in with e-mail or with
+// an SSO using an account with the same e-mail.
+type ExternalIdentity struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// REQUIRED.
+	// The identity provider for the user.
+	Idp string `protobuf:"bytes,1,opt,name=idp,proto3" json:"idp,omitempty"`
+	// REQUIRED.
+	// the unique identifier for the user in the scope of
+	// the identity provider.
+	OpaqueId string `protobuf:"bytes,2,opt,name=opaque_id,json=opaqueId,proto3" json:"opaque_id,omitempty"`
+}
+
+func (x *ExternalIdentity) Reset() {
+	*x = ExternalIdentity{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *ExternalIdentity) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*ExternalIdentity) ProtoMessage() {}
+
+func (x *ExternalIdentity) ProtoReflect() protoreflect.Message {
+	mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use ExternalIdentity.ProtoReflect.Descriptor instead.
+func (*ExternalIdentity) Descriptor() ([]byte, []int) {
+	return file_cs3_identity_user_v1beta1_resources_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *ExternalIdentity) GetIdp() string {
+	if x != nil {
+		return x.Idp
+	}
+	return ""
+}
+
+func (x *ExternalIdentity) GetOpaqueId() string {
+	if x != nil {
+		return x.OpaqueId
+	}
+	return ""
+}
+
 // A UserId represents a unique identifier of a user.
 type UserId struct {
 	state         protoimpl.MessageState
@@ -136,12 +200,16 @@ type UserId struct {
 	// The tenant id of the user, if applicable.
 	// This is used to identify users in multi-tenant systems.
 	TenantId string `protobuf:"bytes,4,opt,name=tenant_id,json=tenantId,proto3" json:"tenant_id,omitempty"`
+	// OPTIONAL.
+	// External identities of the user, if applicable.
+	// This is used to track identities of the same user on multiple systems.
+	ExternalIdentities []*ExternalIdentity `protobuf:"bytes,5,rep,name=external_identities,json=externalIdentities,proto3" json:"external_identities,omitempty"`
 }

 func (x *UserId) Reset() {
 	*x = UserId{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[0]
+		mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[1]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -154,7 +222,7 @@ func (x *UserId) String() string {
 func (*UserId) ProtoMessage() {}

 func (x *UserId) ProtoReflect() protoreflect.Message {
-	mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[0]
+	mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[1]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -167,7 +235,7 @@ func (x *UserId) ProtoReflect() protoreflect.Message {

 // Deprecated: Use UserId.ProtoReflect.Descriptor instead.
 func (*UserId) Descriptor() ([]byte, []int) {
-	return file_cs3_identity_user_v1beta1_resources_proto_rawDescGZIP(), []int{0}
+	return file_cs3_identity_user_v1beta1_resources_proto_rawDescGZIP(), []int{1}
 }

 func (x *UserId) GetIdp() string {
@@ -198,6 +266,13 @@ func (x *UserId) GetTenantId() string {
 	return ""
 }

+func (x *UserId) GetExternalIdentities() []*ExternalIdentity {
+	if x != nil {
+		return x.ExternalIdentities
+	}
+	return nil
+}
+
 // Represents a user of the system.
 type User struct {
 	state         protoimpl.MessageState
@@ -236,7 +311,7 @@ type User struct {
 func (x *User) Reset() {
 	*x = User{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[1]
+		mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[2]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -249,7 +324,7 @@ func (x *User) String() string {
 func (*User) ProtoMessage() {}

 func (x *User) ProtoReflect() protoreflect.Message {
-	mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[1]
+	mi := &file_cs3_identity_user_v1beta1_resources_proto_msgTypes[2]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -262,7 +337,7 @@ func (x *User) ProtoReflect() protoreflect.Message {

 // Deprecated: Use User.ProtoReflect.Descriptor instead.
 func (*User) Descriptor() ([]byte, []int) {
-	return file_cs3_identity_user_v1beta1_resources_proto_rawDescGZIP(), []int{1}
+	return file_cs3_identity_user_v1beta1_resources_proto_rawDescGZIP(), []int{2}
 }

 func (x *User) GetId() *UserId {
@@ -337,67 +412,77 @@ var file_cs3_identity_user_v1beta1_resources_proto_rawDesc = []byte{
 	0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x76,
 	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x1a, 0x1d, 0x63, 0x73, 0x33, 0x2f, 0x74, 0x79, 0x70, 0x65,
 	0x73, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8d, 0x01, 0x0a, 0x06, 0x55, 0x73, 0x65, 0x72, 0x49, 0x64,
-	0x12, 0x10, 0x0a, 0x03, 0x69, 0x64, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x69,
-	0x64, 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x6f, 0x70, 0x61, 0x71, 0x75, 0x65, 0x5f, 0x69, 0x64, 0x18,
-	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6f, 0x70, 0x61, 0x71, 0x75, 0x65, 0x49, 0x64, 0x12,
-	0x37, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x23, 0x2e,
-	0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x75, 0x73, 0x65,
-	0x72, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x54, 0x79,
-	0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x74, 0x65, 0x6e, 0x61,
-	0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x65, 0x6e,
-	0x61, 0x6e, 0x74, 0x49, 0x64, 0x22, 0xba, 0x02, 0x0a, 0x04, 0x55, 0x73, 0x65, 0x72, 0x12, 0x31,
-	0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x63, 0x73, 0x33,
-	0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x76,
-	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x49, 0x64, 0x52, 0x02, 0x69,
-	0x64, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a,
-	0x04, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6d, 0x61, 0x69,
-	0x6c, 0x12, 0x23, 0x0a, 0x0d, 0x6d, 0x61, 0x69, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69,
-	0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x6d, 0x61, 0x69, 0x6c, 0x56, 0x65,
-	0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x64, 0x69, 0x73, 0x70, 0x6c, 0x61,
-	0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64, 0x69,
-	0x73, 0x70, 0x6c, 0x61, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x67, 0x72, 0x6f,
-	0x75, 0x70, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x67, 0x72, 0x6f, 0x75, 0x70,
-	0x73, 0x12, 0x31, 0x0a, 0x06, 0x6f, 0x70, 0x61, 0x71, 0x75, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x19, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x76, 0x31,
-	0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4f, 0x70, 0x61, 0x71, 0x75, 0x65, 0x52, 0x06, 0x6f, 0x70,
-	0x61, 0x71, 0x75, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x75, 0x69, 0x64, 0x5f, 0x6e, 0x75, 0x6d, 0x62,
-	0x65, 0x72, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x75, 0x69, 0x64, 0x4e, 0x75, 0x6d,
-	0x62, 0x65, 0x72, 0x12, 0x1d, 0x0a, 0x0a, 0x67, 0x69, 0x64, 0x5f, 0x6e, 0x75, 0x6d, 0x62, 0x65,
-	0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x67, 0x69, 0x64, 0x4e, 0x75, 0x6d, 0x62,
-	0x65, 0x72, 0x2a, 0xe7, 0x01, 0x0a, 0x08, 0x55, 0x73, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x12,
-	0x15, 0x0a, 0x11, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x4e, 0x56,
-	0x41, 0x4c, 0x49, 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54,
-	0x59, 0x50, 0x45, 0x5f, 0x50, 0x52, 0x49, 0x4d, 0x41, 0x52, 0x59, 0x10, 0x01, 0x12, 0x17, 0x0a,
-	0x13, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x4f, 0x4e,
-	0x44, 0x41, 0x52, 0x59, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54,
-	0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x10, 0x03, 0x12, 0x19, 0x0a,
-	0x15, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x41, 0x50, 0x50, 0x4c, 0x49,
-	0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, 0x55, 0x53, 0x45, 0x52,
-	0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x47, 0x55, 0x45, 0x53, 0x54, 0x10, 0x05, 0x12, 0x17, 0x0a,
-	0x13, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x46, 0x45, 0x44, 0x45, 0x52,
-	0x41, 0x54, 0x45, 0x44, 0x10, 0x06, 0x12, 0x19, 0x0a, 0x15, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54,
-	0x59, 0x50, 0x45, 0x5f, 0x4c, 0x49, 0x47, 0x48, 0x54, 0x57, 0x45, 0x49, 0x47, 0x48, 0x54, 0x10,
-	0x07, 0x12, 0x19, 0x0a, 0x15, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53,
-	0x50, 0x41, 0x43, 0x45, 0x5f, 0x4f, 0x57, 0x4e, 0x45, 0x52, 0x10, 0x08, 0x42, 0xfa, 0x01, 0x0a,
-	0x1d, 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74,
-	0x79, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42, 0x0e,
-	0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01,
-	0x5a, 0x42, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x73, 0x33,
-	0x6f, 0x72, 0x67, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x73, 0x33, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x63,
-	0x73, 0x33, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x75, 0x73, 0x65, 0x72,
-	0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x76, 0x31, 0x62,
-	0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x43, 0x49, 0x55, 0xaa, 0x02, 0x19, 0x43, 0x73, 0x33,
-	0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x2e, 0x56,
-	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02, 0x19, 0x43, 0x73, 0x33, 0x5c, 0x49, 0x64, 0x65,
-	0x6e, 0x74, 0x69, 0x74, 0x79, 0x5c, 0x55, 0x73, 0x65, 0x72, 0x5c, 0x56, 0x31, 0x62, 0x65, 0x74,
-	0x61, 0x31, 0xe2, 0x02, 0x25, 0x43, 0x73, 0x33, 0x5c, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74,
-	0x79, 0x5c, 0x55, 0x73, 0x65, 0x72, 0x5c, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x47,
-	0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x1c, 0x43, 0x73, 0x33,
-	0x3a, 0x3a, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x3a, 0x3a, 0x55, 0x73, 0x65, 0x72,
-	0x3a, 0x3a, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
-	0x33,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x41, 0x0a, 0x10, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61,
+	0x6c, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x69, 0x64, 0x70,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x69, 0x64, 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x6f,
+	0x70, 0x61, 0x71, 0x75, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
+	0x6f, 0x70, 0x61, 0x71, 0x75, 0x65, 0x49, 0x64, 0x22, 0xeb, 0x01, 0x0a, 0x06, 0x55, 0x73, 0x65,
+	0x72, 0x49, 0x64, 0x12, 0x10, 0x0a, 0x03, 0x69, 0x64, 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x03, 0x69, 0x64, 0x70, 0x12, 0x1b, 0x0a, 0x09, 0x6f, 0x70, 0x61, 0x71, 0x75, 0x65, 0x5f,
+	0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x6f, 0x70, 0x61, 0x71, 0x75, 0x65,
+	0x49, 0x64, 0x12, 0x37, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e,
+	0x32, 0x23, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e,
+	0x75, 0x73, 0x65, 0x72, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x55, 0x73, 0x65,
+	0x72, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x1b, 0x0a, 0x09, 0x74,
+	0x65, 0x6e, 0x61, 0x6e, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08,
+	0x74, 0x65, 0x6e, 0x61, 0x6e, 0x74, 0x49, 0x64, 0x12, 0x5c, 0x0a, 0x13, 0x65, 0x78, 0x74, 0x65,
+	0x72, 0x6e, 0x61, 0x6c, 0x5f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x18,
+	0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x74, 0x79, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
+	0x31, 0x2e, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69,
+	0x74, 0x79, 0x52, 0x12, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x49, 0x64, 0x65, 0x6e,
+	0x74, 0x69, 0x74, 0x69, 0x65, 0x73, 0x22, 0xba, 0x02, 0x0a, 0x04, 0x55, 0x73, 0x65, 0x72, 0x12,
+	0x31, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x63, 0x73,
+	0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x2e,
+	0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x49, 0x64, 0x52, 0x02,
+	0x69, 0x64, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12,
+	0x0a, 0x04, 0x6d, 0x61, 0x69, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6d, 0x61,
+	0x69, 0x6c, 0x12, 0x23, 0x0a, 0x0d, 0x6d, 0x61, 0x69, 0x6c, 0x5f, 0x76, 0x65, 0x72, 0x69, 0x66,
+	0x69, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0c, 0x6d, 0x61, 0x69, 0x6c, 0x56,
+	0x65, 0x72, 0x69, 0x66, 0x69, 0x65, 0x64, 0x12, 0x21, 0x0a, 0x0c, 0x64, 0x69, 0x73, 0x70, 0x6c,
+	0x61, 0x79, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x64,
+	0x69, 0x73, 0x70, 0x6c, 0x61, 0x79, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x67, 0x72,
+	0x6f, 0x75, 0x70, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x67, 0x72, 0x6f, 0x75,
+	0x70, 0x73, 0x12, 0x31, 0x0a, 0x06, 0x6f, 0x70, 0x61, 0x71, 0x75, 0x65, 0x18, 0x07, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x19, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x76,
+	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4f, 0x70, 0x61, 0x71, 0x75, 0x65, 0x52, 0x06, 0x6f,
+	0x70, 0x61, 0x71, 0x75, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x75, 0x69, 0x64, 0x5f, 0x6e, 0x75, 0x6d,
+	0x62, 0x65, 0x72, 0x18, 0x08, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x75, 0x69, 0x64, 0x4e, 0x75,
+	0x6d, 0x62, 0x65, 0x72, 0x12, 0x1d, 0x0a, 0x0a, 0x67, 0x69, 0x64, 0x5f, 0x6e, 0x75, 0x6d, 0x62,
+	0x65, 0x72, 0x18, 0x09, 0x20, 0x01, 0x28, 0x03, 0x52, 0x09, 0x67, 0x69, 0x64, 0x4e, 0x75, 0x6d,
+	0x62, 0x65, 0x72, 0x2a, 0xe7, 0x01, 0x0a, 0x08, 0x55, 0x73, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65,
+	0x12, 0x15, 0x0a, 0x11, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x4e,
+	0x56, 0x41, 0x4c, 0x49, 0x44, 0x10, 0x00, 0x12, 0x15, 0x0a, 0x11, 0x55, 0x53, 0x45, 0x52, 0x5f,
+	0x54, 0x59, 0x50, 0x45, 0x5f, 0x50, 0x52, 0x49, 0x4d, 0x41, 0x52, 0x59, 0x10, 0x01, 0x12, 0x17,
+	0x0a, 0x13, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x43, 0x4f,
+	0x4e, 0x44, 0x41, 0x52, 0x59, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x55, 0x53, 0x45, 0x52, 0x5f,
+	0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x49, 0x43, 0x45, 0x10, 0x03, 0x12, 0x19,
+	0x0a, 0x15, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x41, 0x50, 0x50, 0x4c,
+	0x49, 0x43, 0x41, 0x54, 0x49, 0x4f, 0x4e, 0x10, 0x04, 0x12, 0x13, 0x0a, 0x0f, 0x55, 0x53, 0x45,
+	0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x47, 0x55, 0x45, 0x53, 0x54, 0x10, 0x05, 0x12, 0x17,
+	0x0a, 0x13, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x46, 0x45, 0x44, 0x45,
+	0x52, 0x41, 0x54, 0x45, 0x44, 0x10, 0x06, 0x12, 0x19, 0x0a, 0x15, 0x55, 0x53, 0x45, 0x52, 0x5f,
+	0x54, 0x59, 0x50, 0x45, 0x5f, 0x4c, 0x49, 0x47, 0x48, 0x54, 0x57, 0x45, 0x49, 0x47, 0x48, 0x54,
+	0x10, 0x07, 0x12, 0x19, 0x0a, 0x15, 0x55, 0x53, 0x45, 0x52, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f,
+	0x53, 0x50, 0x41, 0x43, 0x45, 0x5f, 0x4f, 0x57, 0x4e, 0x45, 0x52, 0x10, 0x08, 0x42, 0xfa, 0x01,
+	0x0a, 0x1d, 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69,
+	0x74, 0x79, 0x2e, 0x75, 0x73, 0x65, 0x72, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42,
+	0x0e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50,
+	0x01, 0x5a, 0x42, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x73,
+	0x33, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x73, 0x33, 0x61, 0x70, 0x69, 0x73, 0x2f,
+	0x63, 0x73, 0x33, 0x2f, 0x69, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2f, 0x75, 0x73, 0x65,
+	0x72, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3b, 0x75, 0x73, 0x65, 0x72, 0x76, 0x31,
+	0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x43, 0x49, 0x55, 0xaa, 0x02, 0x19, 0x43, 0x73,
+	0x33, 0x2e, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x2e, 0x55, 0x73, 0x65, 0x72, 0x2e,
+	0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02, 0x19, 0x43, 0x73, 0x33, 0x5c, 0x49, 0x64,
+	0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x5c, 0x55, 0x73, 0x65, 0x72, 0x5c, 0x56, 0x31, 0x62, 0x65,
+	0x74, 0x61, 0x31, 0xe2, 0x02, 0x25, 0x43, 0x73, 0x33, 0x5c, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69,
+	0x74, 0x79, 0x5c, 0x55, 0x73, 0x65, 0x72, 0x5c, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c,
+	0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x1c, 0x43, 0x73,
+	0x33, 0x3a, 0x3a, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x3a, 0x3a, 0x55, 0x73, 0x65,
+	0x72, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
 }

 var (
@@ -413,22 +498,24 @@ func file_cs3_identity_user_v1beta1_resources_proto_rawDescGZIP() []byte {
 }

 var file_cs3_identity_user_v1beta1_resources_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_cs3_identity_user_v1beta1_resources_proto_msgTypes = make([]protoimpl.MessageInfo, 2)
+var file_cs3_identity_user_v1beta1_resources_proto_msgTypes = make([]protoimpl.MessageInfo, 3)
 var file_cs3_identity_user_v1beta1_resources_proto_goTypes = []interface{}{
-	(UserType)(0),          // 0: cs3.identity.user.v1beta1.UserType
-	(*UserId)(nil),         // 1: cs3.identity.user.v1beta1.UserId
-	(*User)(nil),           // 2: cs3.identity.user.v1beta1.User
-	(*v1beta1.Opaque)(nil), // 3: cs3.types.v1beta1.Opaque
+	(UserType)(0),            // 0: cs3.identity.user.v1beta1.UserType
+	(*ExternalIdentity)(nil), // 1: cs3.identity.user.v1beta1.ExternalIdentity
+	(*UserId)(nil),           // 2: cs3.identity.user.v1beta1.UserId
+	(*User)(nil),             // 3: cs3.identity.user.v1beta1.User
+	(*v1beta1.Opaque)(nil),   // 4: cs3.types.v1beta1.Opaque
 }
 var file_cs3_identity_user_v1beta1_resources_proto_depIdxs = []int32{
 	0, // 0: cs3.identity.user.v1beta1.UserId.type:type_name -> cs3.identity.user.v1beta1.UserType
-	1, // 1: cs3.identity.user.v1beta1.User.id:type_name -> cs3.identity.user.v1beta1.UserId
-	3, // 2: cs3.identity.user.v1beta1.User.opaque:type_name -> cs3.types.v1beta1.Opaque
-	3, // [3:3] is the sub-list for method output_type
-	3, // [3:3] is the sub-list for method input_type
-	3, // [3:3] is the sub-list for extension type_name
-	3, // [3:3] is the sub-list for extension extendee
-	0, // [0:3] is the sub-list for field type_name
+	1, // 1: cs3.identity.user.v1beta1.UserId.external_identities:type_name -> cs3.identity.user.v1beta1.ExternalIdentity
+	2, // 2: cs3.identity.user.v1beta1.User.id:type_name -> cs3.identity.user.v1beta1.UserId
+	4, // 3: cs3.identity.user.v1beta1.User.opaque:type_name -> cs3.types.v1beta1.Opaque
+	4, // [4:4] is the sub-list for method output_type
+	4, // [4:4] is the sub-list for method input_type
+	4, // [4:4] is the sub-list for extension type_name
+	4, // [4:4] is the sub-list for extension extendee
+	0, // [0:4] is the sub-list for field type_name
 }

 func init() { file_cs3_identity_user_v1beta1_resources_proto_init() }
@@ -438,7 +525,7 @@ func file_cs3_identity_user_v1beta1_resources_proto_init() {
 	}
 	if !protoimpl.UnsafeEnabled {
 		file_cs3_identity_user_v1beta1_resources_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*UserId); i {
+			switch v := v.(*ExternalIdentity); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -450,6 +537,18 @@ func file_cs3_identity_user_v1beta1_resources_proto_init() {
 			}
 		}
 		file_cs3_identity_user_v1beta1_resources_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UserId); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_cs3_identity_user_v1beta1_resources_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*User); i {
 			case 0:
 				return &v.state
@@ -468,7 +567,7 @@ func file_cs3_identity_user_v1beta1_resources_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_cs3_identity_user_v1beta1_resources_proto_rawDesc,
 			NumEnums:      1,
-			NumMessages:   2,
+			NumMessages:   3,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/vendor/github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1/resources.pb.go
+++ b/vendor/github.com/cs3org/go-cs3apis/cs3/sharing/collaboration/v1beta1/resources.pb.go
@@ -115,6 +115,7 @@ const (
 	Filter_TYPE_EXCLUDE_DENIALS Filter_Type = 6
 	Filter_TYPE_SPACE_ID        Filter_Type = 7
 	Filter_TYPE_STATE           Filter_Type = 8
+	Filter_TYPE_GRANTEE         Filter_Type = 9
 )

 // Enum value maps for Filter_Type.
@@ -129,6 +130,7 @@ var (
 		6: "TYPE_EXCLUDE_DENIALS",
 		7: "TYPE_SPACE_ID",
 		8: "TYPE_STATE",
+		9: "TYPE_GRANTEE",
 	}
 	Filter_Type_value = map[string]int32{
 		"TYPE_INVALID":         0,
@@ -140,6 +142,7 @@ var (
 		"TYPE_EXCLUDE_DENIALS": 6,
 		"TYPE_SPACE_ID":        7,
 		"TYPE_STATE":           8,
+		"TYPE_GRANTEE":         9,
 	}
 )

@@ -769,6 +772,7 @@ type Filter struct {
 	//	*Filter_GranteeType
 	//	*Filter_SpaceId
 	//	*Filter_State
+	//	*Filter_Grantee
 	Term isFilter_Term `protobuf_oneof:"term"`
 }

@@ -860,6 +864,13 @@ func (x *Filter) GetState() ShareState {
 	return ShareState_SHARE_STATE_INVALID
 }

+func (x *Filter) GetGrantee() *v1beta1.Grantee {
+	if x, ok := x.GetTerm().(*Filter_Grantee); ok {
+		return x.Grantee
+	}
+	return nil
+}
+
 type isFilter_Term interface {
 	isFilter_Term()
 }
@@ -888,6 +899,10 @@ type Filter_State struct {
 	State ShareState `protobuf:"varint,8,opt,name=state,proto3,enum=cs3.sharing.collaboration.v1beta1.ShareState,oneof"`
 }

+type Filter_Grantee struct {
+	Grantee *v1beta1.Grantee `protobuf:"bytes,9,opt,name=grantee,proto3,oneof"`
+}
+
 func (*Filter_ResourceId) isFilter_Term() {}

 func (*Filter_Owner) isFilter_Term() {}
@@ -900,6 +915,8 @@ func (*Filter_SpaceId) isFilter_Term() {}

 func (*Filter_State) isFilter_Term() {}

+func (*Filter_Grantee) isFilter_Term() {}
+
 var File_cs3_sharing_collaboration_v1beta1_resources_proto protoreflect.FileDescriptor

 var file_cs3_sharing_collaboration_v1beta1_resources_proto_rawDesc = []byte{
@@ -1017,7 +1034,7 @@ var file_cs3_sharing_collaboration_v1beta1_resources_proto_rawDesc = []byte{
 	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x63,
 	0x73, 0x33, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x73, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
 	0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x65, 0x78, 0x70, 0x69,
-	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x83, 0x05, 0x0a, 0x06, 0x46, 0x69, 0x6c, 0x74, 0x65,
+	0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0xd8, 0x05, 0x0a, 0x06, 0x46, 0x69, 0x6c, 0x74, 0x65,
 	0x72, 0x12, 0x42, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32,
 	0x2e, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x73, 0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x2e, 0x63, 0x6f,
 	0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x62, 0x65,
@@ -1046,45 +1063,51 @@ var file_cs3_sharing_collaboration_v1beta1_resources_proto_rawDesc = []byte{
 	0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x2e, 0x63, 0x6f, 0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61,
 	0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x53, 0x68, 0x61,
 	0x72, 0x65, 0x53, 0x74, 0x61, 0x74, 0x65, 0x48, 0x00, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65,
-	0x22, 0xb1, 0x01, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a, 0x0c, 0x54, 0x59, 0x50,
-	0x45, 0x5f, 0x49, 0x4e, 0x56, 0x41, 0x4c, 0x49, 0x44, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x54,
-	0x59, 0x50, 0x45, 0x5f, 0x4e, 0x4f, 0x10, 0x01, 0x12, 0x14, 0x0a, 0x10, 0x54, 0x59, 0x50, 0x45,
-	0x5f, 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x44, 0x10, 0x02, 0x12, 0x0e,
-	0x0a, 0x0a, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4f, 0x57, 0x4e, 0x45, 0x52, 0x10, 0x03, 0x12, 0x10,
-	0x0a, 0x0c, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x4f, 0x52, 0x10, 0x04,
-	0x12, 0x15, 0x0a, 0x11, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x47, 0x52, 0x41, 0x4e, 0x54, 0x45, 0x45,
-	0x5f, 0x54, 0x59, 0x50, 0x45, 0x10, 0x05, 0x12, 0x18, 0x0a, 0x14, 0x54, 0x59, 0x50, 0x45, 0x5f,
-	0x45, 0x58, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x5f, 0x44, 0x45, 0x4e, 0x49, 0x41, 0x4c, 0x53, 0x10,
-	0x06, 0x12, 0x11, 0x0a, 0x0d, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x50, 0x41, 0x43, 0x45, 0x5f,
-	0x49, 0x44, 0x10, 0x07, 0x12, 0x0e, 0x0a, 0x0a, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x54, 0x41,
-	0x54, 0x45, 0x10, 0x08, 0x42, 0x06, 0x0a, 0x04, 0x74, 0x65, 0x72, 0x6d, 0x2a, 0x72, 0x0a, 0x0a,
-	0x53, 0x68, 0x61, 0x72, 0x65, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x17, 0x0a, 0x13, 0x53, 0x48,
-	0x41, 0x52, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x49, 0x4e, 0x56, 0x41, 0x4c, 0x49,
-	0x44, 0x10, 0x00, 0x12, 0x17, 0x0a, 0x13, 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x53, 0x54, 0x41,
-	0x54, 0x45, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10, 0x01, 0x12, 0x18, 0x0a, 0x14,
-	0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x41, 0x43, 0x43, 0x45,
-	0x50, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f,
-	0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x52, 0x45, 0x4a, 0x45, 0x43, 0x54, 0x45, 0x44, 0x10, 0x03,
-	0x42, 0xb3, 0x02, 0x0a, 0x25, 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x73, 0x68, 0x61,
-	0x72, 0x69, 0x6e, 0x67, 0x2e, 0x63, 0x6f, 0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42, 0x0e, 0x52, 0x65, 0x73, 0x6f,
-	0x75, 0x72, 0x63, 0x65, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x53, 0x67, 0x69,
-	0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x73, 0x33, 0x6f, 0x72, 0x67, 0x2f,
-	0x67, 0x6f, 0x2d, 0x63, 0x73, 0x33, 0x61, 0x70, 0x69, 0x73, 0x2f, 0x63, 0x73, 0x33, 0x2f, 0x73,
-	0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x2f, 0x63, 0x6f, 0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x3b, 0x63, 0x6f, 0x6c,
-	0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
-	0x31, 0xa2, 0x02, 0x03, 0x43, 0x53, 0x43, 0xaa, 0x02, 0x21, 0x43, 0x73, 0x33, 0x2e, 0x53, 0x68,
-	0x61, 0x72, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x6f, 0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74,
-	0x69, 0x6f, 0x6e, 0x2e, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xca, 0x02, 0x21, 0x43, 0x73,
-	0x33, 0x5c, 0x53, 0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x5c, 0x43, 0x6f, 0x6c, 0x6c, 0x61, 0x62,
-	0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5c, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xe2,
-	0x02, 0x2d, 0x43, 0x73, 0x33, 0x5c, 0x53, 0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x5c, 0x43, 0x6f,
-	0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5c, 0x56, 0x31, 0x62, 0x65,
-	0x74, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea,
-	0x02, 0x24, 0x43, 0x73, 0x33, 0x3a, 0x3a, 0x53, 0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x3a, 0x3a,
-	0x43, 0x6f, 0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x3a, 0x3a, 0x56,
-	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x12, 0x41, 0x0a, 0x07, 0x67, 0x72, 0x61, 0x6e, 0x74, 0x65, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x25, 0x2e, 0x63, 0x73, 0x33, 0x2e, 0x73, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x2e,
+	0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
+	0x2e, 0x47, 0x72, 0x61, 0x6e, 0x74, 0x65, 0x65, 0x48, 0x00, 0x52, 0x07, 0x67, 0x72, 0x61, 0x6e,
+	0x74, 0x65, 0x65, 0x22, 0xc3, 0x01, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x10, 0x0a, 0x0c,
+	0x54, 0x59, 0x50, 0x45, 0x5f, 0x49, 0x4e, 0x56, 0x41, 0x4c, 0x49, 0x44, 0x10, 0x00, 0x12, 0x0b,
+	0x0a, 0x07, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4e, 0x4f, 0x10, 0x01, 0x12, 0x14, 0x0a, 0x10, 0x54,
+	0x59, 0x50, 0x45, 0x5f, 0x52, 0x45, 0x53, 0x4f, 0x55, 0x52, 0x43, 0x45, 0x5f, 0x49, 0x44, 0x10,
+	0x02, 0x12, 0x0e, 0x0a, 0x0a, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x4f, 0x57, 0x4e, 0x45, 0x52, 0x10,
+	0x03, 0x12, 0x10, 0x0a, 0x0c, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x43, 0x52, 0x45, 0x41, 0x54, 0x4f,
+	0x52, 0x10, 0x04, 0x12, 0x15, 0x0a, 0x11, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x47, 0x52, 0x41, 0x4e,
+	0x54, 0x45, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x10, 0x05, 0x12, 0x18, 0x0a, 0x14, 0x54, 0x59,
+	0x50, 0x45, 0x5f, 0x45, 0x58, 0x43, 0x4c, 0x55, 0x44, 0x45, 0x5f, 0x44, 0x45, 0x4e, 0x49, 0x41,
+	0x4c, 0x53, 0x10, 0x06, 0x12, 0x11, 0x0a, 0x0d, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x53, 0x50, 0x41,
+	0x43, 0x45, 0x5f, 0x49, 0x44, 0x10, 0x07, 0x12, 0x0e, 0x0a, 0x0a, 0x54, 0x59, 0x50, 0x45, 0x5f,
+	0x53, 0x54, 0x41, 0x54, 0x45, 0x10, 0x08, 0x12, 0x10, 0x0a, 0x0c, 0x54, 0x59, 0x50, 0x45, 0x5f,
+	0x47, 0x52, 0x41, 0x4e, 0x54, 0x45, 0x45, 0x10, 0x09, 0x42, 0x06, 0x0a, 0x04, 0x74, 0x65, 0x72,
+	0x6d, 0x2a, 0x72, 0x0a, 0x0a, 0x53, 0x68, 0x61, 0x72, 0x65, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12,
+	0x17, 0x0a, 0x13, 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x49,
+	0x4e, 0x56, 0x41, 0x4c, 0x49, 0x44, 0x10, 0x00, 0x12, 0x17, 0x0a, 0x13, 0x53, 0x48, 0x41, 0x52,
+	0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x50, 0x45, 0x4e, 0x44, 0x49, 0x4e, 0x47, 0x10,
+	0x01, 0x12, 0x18, 0x0a, 0x14, 0x53, 0x48, 0x41, 0x52, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45,
+	0x5f, 0x41, 0x43, 0x43, 0x45, 0x50, 0x54, 0x45, 0x44, 0x10, 0x02, 0x12, 0x18, 0x0a, 0x14, 0x53,
+	0x48, 0x41, 0x52, 0x45, 0x5f, 0x53, 0x54, 0x41, 0x54, 0x45, 0x5f, 0x52, 0x45, 0x4a, 0x45, 0x43,
+	0x54, 0x45, 0x44, 0x10, 0x03, 0x42, 0xb3, 0x02, 0x0a, 0x25, 0x63, 0x6f, 0x6d, 0x2e, 0x63, 0x73,
+	0x33, 0x2e, 0x73, 0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x2e, 0x63, 0x6f, 0x6c, 0x6c, 0x61, 0x62,
+	0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x42,
+	0x0e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50,
+	0x01, 0x5a, 0x53, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x73,
+	0x33, 0x6f, 0x72, 0x67, 0x2f, 0x67, 0x6f, 0x2d, 0x63, 0x73, 0x33, 0x61, 0x70, 0x69, 0x73, 0x2f,
+	0x63, 0x73, 0x33, 0x2f, 0x73, 0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x2f, 0x63, 0x6f, 0x6c, 0x6c,
+	0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
+	0x31, 0x3b, 0x63, 0x6f, 0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x76,
+	0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0xa2, 0x02, 0x03, 0x43, 0x53, 0x43, 0xaa, 0x02, 0x21, 0x43,
+	0x73, 0x33, 0x2e, 0x53, 0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x6f, 0x6c, 0x6c, 0x61,
+	0x62, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31,
+	0xca, 0x02, 0x21, 0x43, 0x73, 0x33, 0x5c, 0x53, 0x68, 0x61, 0x72, 0x69, 0x6e, 0x67, 0x5c, 0x43,
+	0x6f, 0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5c, 0x56, 0x31, 0x62,
+	0x65, 0x74, 0x61, 0x31, 0xe2, 0x02, 0x2d, 0x43, 0x73, 0x33, 0x5c, 0x53, 0x68, 0x61, 0x72, 0x69,
+	0x6e, 0x67, 0x5c, 0x43, 0x6f, 0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e,
+	0x5c, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61,
+	0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x24, 0x43, 0x73, 0x33, 0x3a, 0x3a, 0x53, 0x68, 0x61, 0x72,
+	0x69, 0x6e, 0x67, 0x3a, 0x3a, 0x43, 0x6f, 0x6c, 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x61, 0x74, 0x69,
+	0x6f, 0x6e, 0x3a, 0x3a, 0x56, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x33,
 }

 var (
@@ -1148,11 +1171,12 @@ var file_cs3_sharing_collaboration_v1beta1_resources_proto_depIdxs = []int32{
 	12, // 24: cs3.sharing.collaboration.v1beta1.Filter.creator:type_name -> cs3.identity.user.v1beta1.UserId
 	16, // 25: cs3.sharing.collaboration.v1beta1.Filter.grantee_type:type_name -> cs3.storage.provider.v1beta1.GranteeType
 	0,  // 26: cs3.sharing.collaboration.v1beta1.Filter.state:type_name -> cs3.sharing.collaboration.v1beta1.ShareState
-	27, // [27:27] is the sub-list for method output_type
-	27, // [27:27] is the sub-list for method input_type
-	27, // [27:27] is the sub-list for extension type_name
-	27, // [27:27] is the sub-list for extension extendee
-	0,  // [0:27] is the sub-list for field type_name
+	11, // 27: cs3.sharing.collaboration.v1beta1.Filter.grantee:type_name -> cs3.storage.provider.v1beta1.Grantee
+	28, // [28:28] is the sub-list for method output_type
+	28, // [28:28] is the sub-list for method input_type
+	28, // [28:28] is the sub-list for extension type_name
+	28, // [28:28] is the sub-list for extension extendee
+	0,  // [0:28] is the sub-list for field type_name
 }

 func init() { file_cs3_sharing_collaboration_v1beta1_resources_proto_init() }
@@ -1269,6 +1293,7 @@ func file_cs3_sharing_collaboration_v1beta1_resources_proto_init() {
 		(*Filter_GranteeType)(nil),
 		(*Filter_SpaceId)(nil),
 		(*Filter_State)(nil),
+		(*Filter_Grantee)(nil),
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
--- a/vendor/github.com/opencloud-eu/reva/v2/cmd/revad/runtime/loader.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/cmd/revad/runtime/loader.go
@@ -46,6 +46,7 @@ import (
 	_ "github.com/opencloud-eu/reva/v2/pkg/share/manager/loader"
 	_ "github.com/opencloud-eu/reva/v2/pkg/storage/fs/loader"
 	_ "github.com/opencloud-eu/reva/v2/pkg/storage/registry/loader"
+	_ "github.com/opencloud-eu/reva/v2/pkg/tenant/manager/loader"
 	_ "github.com/opencloud-eu/reva/v2/pkg/token/manager/loader"
 	_ "github.com/opencloud-eu/reva/v2/pkg/user/manager/loader"
 )
--- a/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/services/gateway/gateway.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/services/gateway/gateway.go
@@ -60,6 +60,7 @@ type config struct {
 	OCMCoreEndpoint               string `mapstructure:"ocmcoresvc"`
 	UserProviderEndpoint          string `mapstructure:"userprovidersvc"`
 	GroupProviderEndpoint         string `mapstructure:"groupprovidersvc"`
+	TenantProviderEndpoint        string `mapstructure:"tenantprovidersvc"`
 	DataTxEndpoint                string `mapstructure:"datatx"`
 	DataGatewayEndpoint           string `mapstructure:"datagateway"`
 	PermissionsEndpoint           string `mapstructure:"permissionssvc"`
@@ -110,6 +111,12 @@ func (c *config) init() {
 	c.OCMCoreEndpoint = sharedconf.GetGatewaySVC(c.OCMCoreEndpoint)
 	c.UserProviderEndpoint = sharedconf.GetGatewaySVC(c.UserProviderEndpoint)
 	c.GroupProviderEndpoint = sharedconf.GetGatewaySVC(c.GroupProviderEndpoint)
+	// Fall back to userprovidersvc when no dedicated tenant provider is configured.
+	if c.TenantProviderEndpoint == "" {
+		c.TenantProviderEndpoint = c.UserProviderEndpoint
+	} else {
+		c.TenantProviderEndpoint = sharedconf.GetGatewaySVC(c.TenantProviderEndpoint)
+	}
 	c.DataTxEndpoint = sharedconf.GetGatewaySVC(c.DataTxEndpoint)

 	c.DataGatewayEndpoint = sharedconf.GetDataGateway(c.DataGatewayEndpoint)
--- a/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/services/gateway/tenantprovider.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/services/gateway/tenantprovider.go
@@ -0,0 +1,61 @@
+// Copyright 2018-2021 CERN
+// Copyright 2026 OpenCloud GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package gateway
+
+import (
+	"context"
+
+	tenant "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
+	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/status"
+	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
+	"github.com/pkg/errors"
+)
+
+func (s *svc) GetTenant(ctx context.Context, req *tenant.GetTenantRequest) (*tenant.GetTenantResponse, error) {
+	c, err := pool.GetTenantProviderServiceClient(s.c.TenantProviderEndpoint)
+	if err != nil {
+		return &tenant.GetTenantResponse{
+			Status: status.NewInternal(ctx, "error getting tenant service client"),
+		}, nil
+	}
+
+	res, err := c.GetTenant(ctx, req)
+	if err != nil {
+		return nil, errors.Wrap(err, "gateway: error calling GetTenant")
+	}
+
+	return res, nil
+}
+
+func (s *svc) GetTenantByClaim(ctx context.Context, req *tenant.GetTenantByClaimRequest) (*tenant.GetTenantByClaimResponse, error) {
+	c, err := pool.GetTenantProviderServiceClient(s.c.TenantProviderEndpoint)
+	if err != nil {
+		return &tenant.GetTenantByClaimResponse{
+			Status: status.NewInternal(ctx, "error getting tenant service client"),
+		}, nil
+	}
+
+	res, err := c.GetTenantByClaim(ctx, req)
+	if err != nil {
+		return nil, errors.Wrap(err, "gateway: error calling GetTenantByClaim")
+	}
+
+	return res, nil
+}
--- a/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/services/userprovider/userprovider.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/internal/grpc/services/userprovider/userprovider.go
@@ -29,6 +29,7 @@ import (
 	"github.com/rs/zerolog"
 	"google.golang.org/grpc"

+	tenantpb "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
 	userpb "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	"github.com/opencloud-eu/reva/v2/pkg/appctx"
 	revactx "github.com/opencloud-eu/reva/v2/pkg/ctx"
@@ -36,8 +37,11 @@ import (
 	"github.com/opencloud-eu/reva/v2/pkg/plugin"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/status"
+	"github.com/opencloud-eu/reva/v2/pkg/sharedconf"
+	"github.com/opencloud-eu/reva/v2/pkg/tenant"
+	tenantRegistry "github.com/opencloud-eu/reva/v2/pkg/tenant/manager/registry"
 	"github.com/opencloud-eu/reva/v2/pkg/user"
-	"github.com/opencloud-eu/reva/v2/pkg/user/manager/registry"
+	userRegistry "github.com/opencloud-eu/reva/v2/pkg/user/manager/registry"
 )

 func init() {
@@ -45,14 +49,29 @@ func init() {
 }

 type config struct {
-	Driver  string                            `mapstructure:"driver"`
-	Drivers map[string]map[string]interface{} `mapstructure:"drivers"`
+	Driver        string                            `mapstructure:"driver"`
+	Drivers       map[string]map[string]interface{} `mapstructure:"drivers"`
+	TenantDriver  string                            `mapstructure:"tenant_driver"`
+	TenantDrivers map[string]map[string]interface{} `mapstructure:"tenant_drivers"`
 }

 func (c *config) init() {
 	if c.Driver == "" {
 		c.Driver = "json"
 	}
+
+	// Fall back to user driver/drivers when no tenant-specific config is provided.
+	if c.TenantDriver == "" {
+		c.TenantDriver = c.Driver
+	}
+	if c.TenantDrivers == nil {
+		c.TenantDrivers = c.Drivers
+	}
+
+	// Force "null" driver if multi-tenancy is disabled
+	if !sharedconf.MultiTenantEnabled() {
+		c.TenantDriver = "null"
+	}
 }

 func parseConfig(m map[string]interface{}) (*config, error) {
@@ -80,7 +99,7 @@ func getDriver(c *config) (user.Manager, *plugin.RevaPlugin, error) {
 		return manager, p, nil
 	} else if _, ok := err.(errtypes.NotFound); ok {
 		// plugin not found, fetch the driver from the in-memory registry
-		if f, ok := registry.NewFuncs[c.Driver]; ok {
+		if f, ok := userRegistry.NewFuncs[c.Driver]; ok {
 			mgr, err := f(c.Drivers[c.Driver])
 			return mgr, nil, err
 		}
@@ -90,6 +109,14 @@ func getDriver(c *config) (user.Manager, *plugin.RevaPlugin, error) {
 	return nil, nil, errtypes.NotFound(fmt.Sprintf("driver %s not found for user manager", c.Driver))
 }

+func getTenantManager(c *config) (tenant.Manager, error) {
+	if f, ok := tenantRegistry.NewFuncs[c.TenantDriver]; ok {
+		mgr, err := f(c.TenantDrivers[c.TenantDriver])
+		return mgr, err
+	}
+	return nil, errtypes.NotFound(fmt.Sprintf("driver %s not found for tenant manager", c.TenantDriver))
+}
+
 // New returns a new UserProviderServiceServer.
 func New(m map[string]interface{}, ss *grpc.Server, _ *zerolog.Logger) (rgrpc.Service, error) {
 	c, err := parseConfig(m)
@@ -100,17 +127,27 @@ func New(m map[string]interface{}, ss *grpc.Server, _ *zerolog.Logger) (rgrpc.Se
 	if err != nil {
 		return nil, err
 	}
-	svc := &service{
-		usermgr: userManager,
-		plugin:  plug,
+	tenantManager, err := getTenantManager(c)
+	if err != nil {
+		return nil, err
 	}

-	return svc, nil
+	return NewWithManagers(userManager, tenantManager, plug), nil
+}
+
+// NewWithManagers returns a new UserProviderService with the given managers.
+func NewWithManagers(um user.Manager, tm tenant.Manager, plug *plugin.RevaPlugin) rgrpc.Service {
+	return &service{
+		usermgr:   um,
+		tenantmgr: tm,
+		plugin:    plug,
+	}
 }

 type service struct {
-	usermgr user.Manager
-	plugin  *plugin.RevaPlugin
+	usermgr   user.Manager
+	tenantmgr tenant.Manager
+	plugin    *plugin.RevaPlugin
 }

 func (s *service) Close() error {
@@ -126,6 +163,7 @@ func (s *service) UnprotectedEndpoints() []string {

 func (s *service) Register(ss *grpc.Server) {
 	userpb.RegisterUserAPIServer(ss, s)
+	tenantpb.RegisterTenantAPIServer(ss, s)
 }

 func (s *service) GetUser(ctx context.Context, req *userpb.GetUserRequest) (*userpb.GetUserResponse, error) {
@@ -232,3 +270,41 @@ func (s *service) GetUserGroups(ctx context.Context, req *userpb.GetUserGroupsRe
 	}
 	return res, nil
 }
+
+func (s *service) GetTenant(ctx context.Context, req *tenantpb.GetTenantRequest) (*tenantpb.GetTenantResponse, error) {
+	log := appctx.GetLogger(ctx)
+	t, err := s.tenantmgr.GetTenant(ctx, req.GetTenantId())
+	if err != nil {
+		log.Warn().Err(err).Interface("tenantid", req.GetTenantId()).Msg("error getting tenant")
+		res := &tenantpb.GetTenantResponse{
+			Status: status.NewInternal(ctx, "error getting tenant"),
+		}
+		if _, ok := err.(errtypes.NotFound); ok {
+			res.Status = status.NewNotFound(ctx, "tenant not found")
+		}
+		return res, nil
+	}
+	return &tenantpb.GetTenantResponse{
+		Status: status.NewOK(ctx),
+		Tenant: t,
+	}, nil
+}
+
+func (s *service) GetTenantByClaim(ctx context.Context, req *tenantpb.GetTenantByClaimRequest) (*tenantpb.GetTenantByClaimResponse, error) {
+	log := appctx.GetLogger(ctx)
+	t, err := s.tenantmgr.GetTenantByClaim(ctx, req.GetClaim(), req.GetValue())
+	if err != nil {
+		log.Warn().Err(err).Interface("claim", req.GetClaim()).Interface("value", req.GetValue()).Msg("error getting tenant")
+		res := &tenantpb.GetTenantByClaimResponse{
+			Status: status.NewInternal(ctx, "error getting tenant"),
+		}
+		if _, ok := err.(errtypes.NotFound); ok {
+			res.Status = status.NewNotFound(ctx, "tenant not found")
+		}
+		return res, nil
+	}
+	return &tenantpb.GetTenantByClaimResponse{
+		Status: status.NewOK(ctx),
+		Tenant: t,
+	}, nil
+}
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool/client.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool/client.go
@@ -26,6 +26,7 @@ import (
 	authregistry "github.com/cs3org/go-cs3apis/cs3/auth/registry/v1beta1"
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	group "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1"
+	tenant "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
 	user "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	ocmcore "github.com/cs3org/go-cs3apis/cs3/ocm/core/v1beta1"
 	invitepb "github.com/cs3org/go-cs3apis/cs3/ocm/invite/v1beta1"
@@ -52,6 +53,12 @@ func GetUserProviderServiceClient(id string, opts ...Option) (user.UserAPIClient
 	return selector.Next()
 }

+// GetTenantProviderServiceClient returns a TenantProviderServiceClient.
+func GetTenantProviderServiceClient(id string, opts ...Option) (tenant.TenantAPIClient, error) {
+	selector, _ := IdentityTenantSelector(id, opts...)
+	return selector.Next()
+}
+
 // GetGroupProviderServiceClient returns a GroupProviderServiceClient.
 func GetGroupProviderServiceClient(id string, opts ...Option) (group.GroupAPIClient, error) {
 	selector, _ := IdentityGroupSelector(id, opts...)
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool/selector.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool/selector.go
@@ -30,6 +30,7 @@ import (
 	authRegistry "github.com/cs3org/go-cs3apis/cs3/auth/registry/v1beta1"
 	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
 	identityGroup "github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1"
+	identityTenant "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
 	identityUser "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
 	ocmCore "github.com/cs3org/go-cs3apis/cs3/ocm/core/v1beta1"
 	ocmInvite "github.com/cs3org/go-cs3apis/cs3/ocm/invite/v1beta1"
@@ -174,6 +175,16 @@ func IdentityGroupSelector(id string, options ...Option) (*Selector[identityGrou
 	), nil
 }

+// IdentityTentantSelector returns a Selector[identityTenant.TenantAPIClient].
+func IdentityTenantSelector(id string, options ...Option) (*Selector[identityTenant.TenantAPIClient], error) {
+	return GetSelector[identityTenant.TenantAPIClient](
+		"IdentityTenantSelector",
+		id,
+		identityTenant.NewTenantAPIClient,
+		options...,
+	), nil
+}
+
 // StorageProviderSelector returns a Selector[storageProvider.ProviderAPIClient].
 func StorageProviderSelector(id string, options ...Option) (*Selector[storageProvider.ProviderAPIClient], error) {
 	return GetSelector[storageProvider.ProviderAPIClient](
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/ldap/ldap.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/ldap/ldap.go
@@ -0,0 +1,121 @@
+// Copyright 2018-2021 CERN
+// Copyright 2026 OpenCloud GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package ldap
+
+import (
+	"context"
+	"fmt"
+
+	tenantpb "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
+	"github.com/go-ldap/ldap/v3"
+	"github.com/mitchellh/mapstructure"
+	"github.com/opencloud-eu/reva/v2/pkg/appctx"
+	"github.com/opencloud-eu/reva/v2/pkg/tenant"
+	"github.com/opencloud-eu/reva/v2/pkg/tenant/manager/registry"
+	"github.com/opencloud-eu/reva/v2/pkg/utils"
+	ldapIdentity "github.com/opencloud-eu/reva/v2/pkg/utils/ldap"
+	"github.com/pkg/errors"
+)
+
+func init() {
+	registry.Register("ldap", New)
+}
+
+type config struct {
+	utils.LDAPConn `mapstructure:",squash"`
+	LDAPIdentity   ldapIdentity.Identity `mapstructure:",squash"`
+}
+
+func parseConfig(m map[string]interface{}) (*config, error) {
+	c := &config{
+		LDAPIdentity: ldapIdentity.New(),
+	}
+	if err := mapstructure.Decode(m, c); err != nil {
+		err = errors.Wrap(err, "error decoding conf")
+		return nil, err
+	}
+	return c, nil
+}
+
+type manager struct {
+	conf *config
+	ldap ldap.Client
+}
+
+// New returns a new user manager.
+func New(m map[string]interface{}) (tenant.Manager, error) {
+	mgr := &manager{}
+	err := mgr.Configure(m)
+	if err != nil {
+		return nil, err
+	}
+
+	mgr.ldap, err = utils.GetLDAPClientWithReconnect(&mgr.conf.LDAPConn)
+
+	return mgr, err
+}
+
+func (m *manager) Configure(ml map[string]interface{}) error {
+	c, err := parseConfig(ml)
+	if err != nil {
+		return err
+	}
+	if err = c.LDAPIdentity.Setup(); err != nil {
+		return fmt.Errorf("error setting up Identity config: %w", err)
+	}
+	m.conf = c
+
+	return nil
+}
+
+func (m *manager) GetTenant(ctx context.Context, id string) (*tenantpb.Tenant, error) {
+	log := appctx.GetLogger(ctx)
+
+	tenantEntry, err := m.conf.LDAPIdentity.GetLDAPTenantByID(ctx, m.ldap, id)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Debug().Interface("entry", tenantEntry).Msg("entries")
+
+	t, err := m.ldapEntryToTenant(tenantEntry)
+	if err != nil {
+		return nil, err
+	}
+
+	return t, nil
+}
+
+func (m *manager) GetTenantByClaim(ctx context.Context, claim, value string) (*tenantpb.Tenant, error) {
+	tenantEntry, err := m.conf.LDAPIdentity.GetLDAPTenantByAttribute(ctx, m.ldap, claim, value)
+	if err != nil {
+		return nil, err
+	}
+	return m.ldapEntryToTenant(tenantEntry)
+}
+
+func (m *manager) ldapEntryToTenant(entry *ldap.Entry) (*tenantpb.Tenant, error) {
+	t := &tenantpb.Tenant{
+		Id:         entry.GetEqualFoldAttributeValue(m.conf.LDAPIdentity.Tenant.Schema.ID),
+		ExternalId: entry.GetEqualFoldAttributeValue(m.conf.LDAPIdentity.Tenant.Schema.ExternalID),
+		Name:       entry.GetEqualFoldAttributeValue(m.conf.LDAPIdentity.Tenant.Schema.Name),
+	}
+	return t, nil
+}
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/loader/loader.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/loader/loader.go
@@ -0,0 +1,28 @@
+// Copyright 2018-2021 CERN
+// Copyright 2026 OpenCloud GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package loader
+
+import (
+	// Load core user manager drivers.
+	_ "github.com/opencloud-eu/reva/v2/pkg/tenant/manager/ldap"
+	_ "github.com/opencloud-eu/reva/v2/pkg/tenant/manager/memory"
+	_ "github.com/opencloud-eu/reva/v2/pkg/tenant/manager/null"
+	// Add your own here
+)
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/memory/memory.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/memory/memory.go
@@ -0,0 +1,106 @@
+// Copyright 2018-2021 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package memory
+
+import (
+	"context"
+
+	tenantpb "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
+	"github.com/mitchellh/mapstructure"
+	"github.com/opencloud-eu/reva/v2/pkg/errtypes"
+	"github.com/opencloud-eu/reva/v2/pkg/tenant"
+	"github.com/opencloud-eu/reva/v2/pkg/tenant/manager/registry"
+	"github.com/pkg/errors"
+)
+
+func init() {
+	registry.Register("memory", New)
+}
+
+// tenantEntry is used only for mapstructure decoding of the config.
+type tenantEntry struct {
+	ID         string `mapstructure:"id"`
+	ExternalID string `mapstructure:"external_id"`
+	Name       string `mapstructure:"name"`
+}
+
+type config struct {
+	Tenants map[string]*tenantEntry `mapstructure:"tenants"`
+}
+
+func parseConfig(m map[string]interface{}) (*config, error) {
+	c := &config{}
+	if err := mapstructure.Decode(m, c); err != nil {
+		return nil, errors.Wrap(err, "error decoding conf")
+	}
+	return c, nil
+}
+
+type manager struct {
+	catalog map[string]*tenantpb.Tenant
+}
+
+// New returns a new tenant manager.
+func New(m map[string]interface{}) (tenant.Manager, error) {
+	mgr := &manager{}
+	err := mgr.Configure(m)
+	return mgr, err
+}
+
+func (m *manager) Configure(ml map[string]interface{}) error {
+	c, err := parseConfig(ml)
+	if err != nil {
+		return err
+	}
+	m.catalog = make(map[string]*tenantpb.Tenant, len(c.Tenants))
+	for k, t := range c.Tenants {
+		m.catalog[k] = &tenantpb.Tenant{
+			Id:         t.ID,
+			ExternalId: t.ExternalID,
+			Name:       t.Name,
+		}
+	}
+	return nil
+}
+
+func (m *manager) GetTenant(ctx context.Context, id string) (*tenantpb.Tenant, error) {
+	if t, ok := m.catalog[id]; ok {
+		return t, nil
+	}
+	return nil, errtypes.NotFound(id)
+}
+
+func (m *manager) GetTenantByClaim(ctx context.Context, claim, value string) (*tenantpb.Tenant, error) {
+	for _, t := range m.catalog {
+		if tenantClaim, err := extractClaim(t, claim); err == nil && value == tenantClaim {
+			return t, nil
+		}
+	}
+	return nil, errtypes.NotFound(value)
+}
+
+func extractClaim(t *tenantpb.Tenant, claim string) (string, error) {
+	switch claim {
+	case "id":
+		return t.Id, nil
+	case "externalid":
+		return t.ExternalId, nil
+	}
+	return "", errors.New("memory: invalid claim")
+}
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/null/null.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/null/null.go
@@ -0,0 +1,49 @@
+// Copyright 2018-2020 CERN
+// Copyright 2026 OpenCloud GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package null
+
+import (
+	"context"
+
+	tenantpb "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
+	"github.com/opencloud-eu/reva/v2/pkg/errtypes"
+	"github.com/opencloud-eu/reva/v2/pkg/tenant"
+	"github.com/opencloud-eu/reva/v2/pkg/tenant/manager/registry"
+)
+
+func init() {
+	registry.Register("null", New)
+}
+
+type manager struct {
+}
+
+// New returns a tenant manager implementation that return NOT FOUND or empty result set for every call
+func New(m map[string]interface{}) (tenant.Manager, error) {
+	return &manager{}, nil
+}
+
+func (m *manager) GetTenant(ctx context.Context, id string) (*tenantpb.Tenant, error) {
+	return nil, errtypes.NotFound(id)
+}
+
+func (m *manager) GetTenantByClaim(ctx context.Context, claim, value string) (*tenantpb.Tenant, error) {
+	return nil, errtypes.NotFound(value)
+}
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/registry/registry.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/manager/registry/registry.go
@@ -0,0 +1,36 @@
+// Copyright 2018-2021 CERN
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package registry
+
+import (
+	"github.com/opencloud-eu/reva/v2/pkg/tenant"
+)
+
+// NewFunc is the function that tenant managers
+// should register at init time.
+type NewFunc func(map[string]interface{}) (tenant.Manager, error)
+
+// NewFuncs is a map containing all the registered user managers.
+var NewFuncs = map[string]NewFunc{}
+
+// Register registers a new user manager new function.
+// Not safe for concurrent use. Safe for use from package init.
+func Register(name string, f NewFunc) {
+	NewFuncs[name] = f
+}
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/tenant.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/tenant/tenant.go
@@ -0,0 +1,34 @@
+// Copyright 2018-2021 CERN
+// Copyright 2026 OpenCloud
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// In applying this license, CERN does not waive the privileges and immunities
+// granted to it by virtue of its status as an Intergovernmental Organization
+// or submit itself to any jurisdiction.
+
+package tenant
+
+import (
+	"context"
+
+	tenant "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
+)
+
+// Manager is the interface to implement to manipulate users.
+type Manager interface {
+	// GetTenant returns the tenant metadata identified by an id.
+	GetTenant(ctx context.Context, id string) (*tenant.Tenant, error)
+	// GetUserByClaim returns the user identified by a specific value for a given claim.
+	GetTenantByClaim(ctx context.Context, claim, value string) (*tenant.Tenant, error)
+}
--- a/vendor/github.com/opencloud-eu/reva/v2/pkg/utils/ldap/identity.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/pkg/utils/ldap/identity.go
@@ -38,8 +38,9 @@ import (

 // Identity provides methods to query users and groups from an LDAP server
 type Identity struct {
-	User  userConfig  `mapstructure:",squash"`
-	Group groupConfig `mapstructure:",squash"`
+	User   userConfig   `mapstructure:",squash"`
+	Group  groupConfig  `mapstructure:",squash"`
+	Tenant tenantConfig `mapstructure:",squash"`
 }

 const tracerName = "pkg/utils/ldap"
@@ -71,6 +72,15 @@ type groupConfig struct {
 	LocalDisabledDN string `mapstructure:"group_local_disabled_dn"`
 }

+type tenantConfig struct {
+	BaseDN      string `mapstructure:"tenant_base_dn"`
+	Scope       string `mapstructure:"tenant_search_scope"`
+	scopeVal    int
+	Filter      string       `mapstructure:"tenant_filter"`
+	Objectclass string       `mapstructure:"tenant_objectclass"`
+	Schema      tenantSchema `mapstructure:"tenant_schema"`
+}
+
 type groupSchema struct {
 	// GID is an immutable group id, see https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-design-concepts
 	ID              string `mapstructure:"id"`
@@ -106,6 +116,12 @@ type userSchema struct {
 	TenantID string `mapstructure:"tenantId"`
 }

+type tenantSchema struct {
+	ID         string `mapstructure:"id"`
+	ExternalID string `mapstructure:"externalId"`
+	Name       string `mapstructure:"name"`
+}
+
 // Default userConfig (somewhat inspired by Active Directory)
 var userDefaults = userConfig{
 	Scope:       "sub",
@@ -138,11 +154,23 @@ var groupDefaults = groupConfig{
 	SubstringFilterType: "initial",
 }

+// Default tenantConfig (works with OpenCloud's education Schema)
+var tenantDefaults = tenantConfig{
+	Scope:       "sub",
+	Objectclass: "openCloudEducationSchool",
+	Schema: tenantSchema{
+		ID:         "openCloudUUID",
+		ExternalID: "openCloudEducationExternalId",
+		Name:       "ou",
+	},
+}
+
 // New initializes the default config
 func New() Identity {
 	return Identity{
-		User:  userDefaults,
-		Group: groupDefaults,
+		User:   userDefaults,
+		Group:  groupDefaults,
+		Tenant: tenantDefaults,
 	}
 }

@@ -159,6 +187,10 @@ func (i *Identity) Setup() error {
 		return fmt.Errorf("error configuring group scope: %w", err)
 	}

+	if i.Tenant.scopeVal, err = stringToScope(i.Tenant.Scope); err != nil {
+		return fmt.Errorf("error configuring tenant scope: %w", err)
+	}
+
 	if i.User.substringFilterVal, err = stringToFilterType(i.User.SubstringFilterType); err != nil {
 		return fmt.Errorf("error configuring user substring filter type: %w", err)
 	}
@@ -847,6 +879,107 @@ func (i *Identity) getUserLDAPAttrTypes() []string {
 	}
 	return attrs
 }
+
+// GetLDAPTenantByID looks up a tenant by the supplied Id. Returns the corresponding
+// ldap.Entry
+func (i *Identity) GetLDAPTenantByID(ctx context.Context, lc ldap.Client, id string) (*ldap.Entry, error) {
+	var filter string
+	var err error
+	if filter, err = i.getTenantFilter(id); err != nil {
+		return nil, err
+	}
+	return i.GetLDAPTenantByFilter(ctx, lc, filter)
+}
+
+// GetLDAPTenantByAttribute looks up a single user by attribute (can be "externalid" or "id")
+func (i *Identity) GetLDAPTenantByAttribute(ctx context.Context, lc ldap.Client, attribute, value string) (*ldap.Entry, error) {
+	var filter string
+	var err error
+	if filter, err = i.getTenantAttributeFilter(attribute, value); err != nil {
+		return nil, err
+	}
+	return i.GetLDAPTenantByFilter(ctx, lc, filter)
+}
+
+// GetLDAPTenantByFilter looks up a single user by the supplied LDAP filter
+// returns the corresponding ldap.Entry
+func (i *Identity) GetLDAPTenantByFilter(ctx context.Context, lc ldap.Client, filter string) (*ldap.Entry, error) {
+	log := appctx.GetLogger(ctx)
+	_, span := appctx.GetTracerProvider(ctx).Tracer(tracerName).Start(ctx, "GetLDAPTenantByFilter")
+	defer span.End()
+	searchRequest := ldap.NewSearchRequest(
+		i.Tenant.BaseDN, i.Tenant.scopeVal, ldap.NeverDerefAliases, 1, 0, false,
+		filter,
+		i.getTenantLDAPAttrTypes(),
+		nil,
+	)
+
+	setLDAPSearchSpanAttributes(span, searchRequest)
+	log.Debug().Str("backend", "ldap").Str("basedn", i.Tenant.BaseDN).Str("filter", filter).Int("scope", i.Tenant.scopeVal).Msg("LDAP Search")
+	res, err := lc.Search(searchRequest)
+	if err != nil {
+		log.Debug().Str("backend", "ldap").Err(err).Str("tenantfilter", filter).Msg("Error looking up tenant by filter")
+		var errmsg string
+		if lerr, ok := err.(*ldap.Error); ok {
+			if lerr.ResultCode == ldap.LDAPResultSizeLimitExceeded {
+				errmsg = fmt.Sprintf("too many results searching for tenant '%s'", filter)
+			}
+		}
+		span.SetAttributes(attribute.String("ldap.error", errmsg))
+		span.SetStatus(codes.Error, errmsg)
+		return nil, errtypes.NotFound(errmsg)
+	}
+	if len(res.Entries) == 0 {
+		return nil, errtypes.NotFound(filter)
+	}
+	span.SetStatus(codes.Ok, "")
+
+	return res.Entries[0], nil
+}
+
+func (i *Identity) getTenantLDAPAttrTypes() []string {
+	// The are the attributes we request unconditionally when looking up users
+	// as they are needed to populate a user object
+	return []string{
+		i.Tenant.Schema.ID,
+		i.Tenant.Schema.ExternalID,
+		i.Tenant.Schema.Name,
+	}
+}
+
+func (i *Identity) getTenantFilter(id string) (string, error) {
+	var escapedUUID string
+	escapedUUID, err := filterEscapeAttribute(i.Tenant.Schema.ID, false, id)
+	if err != nil {
+		return "", fmt.Errorf("error parsing id '%s' as UUID: %w", id, err)
+	}
+	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
+		i.Tenant.Filter,
+		i.Tenant.Objectclass,
+		i.Tenant.Schema.ID,
+		escapedUUID,
+	), nil
+}
+
+func (i *Identity) getTenantAttributeFilter(attribute, value string) (string, error) {
+	switch attribute {
+	case "id":
+		attribute = i.Tenant.Schema.ID
+	case "externalid":
+		attribute = i.Tenant.Schema.ExternalID
+	}
+	escapedValue, err := filterEscapeAttribute("", false, value)
+	if err != nil {
+		return "", fmt.Errorf("error escaping filter value %q: %w", value, err)
+	}
+	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
+		i.Tenant.Filter,
+		i.Tenant.Objectclass,
+		attribute,
+		escapedValue,
+	), nil
+}
+
 func setLDAPSearchSpanAttributes(span trace.Span, request *ldap.SearchRequest) {
 	span.SetAttributes(
 		attribute.String("ldap.basedn", request.BaseDN),
--- a/vendor/github.com/opencloud-eu/reva/v2/tests/cs3mocks/mocks/GatewayAPIClient.go
+++ b/vendor/github.com/opencloud-eu/reva/v2/tests/cs3mocks/mocks/GatewayAPIClient.go
@@ -56,6 +56,8 @@ import (

 	registryv1beta1 "github.com/cs3org/go-cs3apis/cs3/app/registry/v1beta1"

+	tenantv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1"
+
 	txv1beta1 "github.com/cs3org/go-cs3apis/cs3/tx/v1beta1"

 	userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
@@ -3507,6 +3509,152 @@ func (_c *GatewayAPIClient_GetShare_Call) RunAndReturn(run func(context.Context,
 	return _c
 }

+// GetTenant provides a mock function with given fields: ctx, in, opts
+func (_m *GatewayAPIClient) GetTenant(ctx context.Context, in *tenantv1beta1.GetTenantRequest, opts ...grpc.CallOption) (*tenantv1beta1.GetTenantResponse, error) {
+	var tmpRet mock.Arguments
+	if len(opts) > 0 {
+		tmpRet = _m.Called(ctx, in, opts)
+	} else {
+		tmpRet = _m.Called(ctx, in)
+	}
+	ret := tmpRet
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTenant")
+	}
+
+	var r0 *tenantv1beta1.GetTenantResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *tenantv1beta1.GetTenantRequest, ...grpc.CallOption) (*tenantv1beta1.GetTenantResponse, error)); ok {
+		return rf(ctx, in, opts...)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *tenantv1beta1.GetTenantRequest, ...grpc.CallOption) *tenantv1beta1.GetTenantResponse); ok {
+		r0 = rf(ctx, in, opts...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*tenantv1beta1.GetTenantResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *tenantv1beta1.GetTenantRequest, ...grpc.CallOption) error); ok {
+		r1 = rf(ctx, in, opts...)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GatewayAPIClient_GetTenant_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTenant'
+type GatewayAPIClient_GetTenant_Call struct {
+	*mock.Call
+}
+
+// GetTenant is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in *tenantv1beta1.GetTenantRequest
+//   - opts ...grpc.CallOption
+func (_e *GatewayAPIClient_Expecter) GetTenant(ctx interface{}, in interface{}, opts ...interface{}) *GatewayAPIClient_GetTenant_Call {
+	return &GatewayAPIClient_GetTenant_Call{Call: _e.mock.On("GetTenant",
+		append([]interface{}{ctx, in}, opts...)...)}
+}
+
+func (_c *GatewayAPIClient_GetTenant_Call) Run(run func(ctx context.Context, in *tenantv1beta1.GetTenantRequest, opts ...grpc.CallOption)) *GatewayAPIClient_GetTenant_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]grpc.CallOption, len(args)-2)
+		for i, a := range args[2:] {
+			if a != nil {
+				variadicArgs[i] = a.(grpc.CallOption)
+			}
+		}
+		run(args[0].(context.Context), args[1].(*tenantv1beta1.GetTenantRequest), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *GatewayAPIClient_GetTenant_Call) Return(_a0 *tenantv1beta1.GetTenantResponse, _a1 error) *GatewayAPIClient_GetTenant_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *GatewayAPIClient_GetTenant_Call) RunAndReturn(run func(context.Context, *tenantv1beta1.GetTenantRequest, ...grpc.CallOption) (*tenantv1beta1.GetTenantResponse, error)) *GatewayAPIClient_GetTenant_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
+// GetTenantByClaim provides a mock function with given fields: ctx, in, opts
+func (_m *GatewayAPIClient) GetTenantByClaim(ctx context.Context, in *tenantv1beta1.GetTenantByClaimRequest, opts ...grpc.CallOption) (*tenantv1beta1.GetTenantByClaimResponse, error) {
+	var tmpRet mock.Arguments
+	if len(opts) > 0 {
+		tmpRet = _m.Called(ctx, in, opts)
+	} else {
+		tmpRet = _m.Called(ctx, in)
+	}
+	ret := tmpRet
+
+	if len(ret) == 0 {
+		panic("no return value specified for GetTenantByClaim")
+	}
+
+	var r0 *tenantv1beta1.GetTenantByClaimResponse
+	var r1 error
+	if rf, ok := ret.Get(0).(func(context.Context, *tenantv1beta1.GetTenantByClaimRequest, ...grpc.CallOption) (*tenantv1beta1.GetTenantByClaimResponse, error)); ok {
+		return rf(ctx, in, opts...)
+	}
+	if rf, ok := ret.Get(0).(func(context.Context, *tenantv1beta1.GetTenantByClaimRequest, ...grpc.CallOption) *tenantv1beta1.GetTenantByClaimResponse); ok {
+		r0 = rf(ctx, in, opts...)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).(*tenantv1beta1.GetTenantByClaimResponse)
+		}
+	}
+
+	if rf, ok := ret.Get(1).(func(context.Context, *tenantv1beta1.GetTenantByClaimRequest, ...grpc.CallOption) error); ok {
+		r1 = rf(ctx, in, opts...)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
+// GatewayAPIClient_GetTenantByClaim_Call is a *mock.Call that shadows Run/Return methods with type explicit version for method 'GetTenantByClaim'
+type GatewayAPIClient_GetTenantByClaim_Call struct {
+	*mock.Call
+}
+
+// GetTenantByClaim is a helper method to define mock.On call
+//   - ctx context.Context
+//   - in *tenantv1beta1.GetTenantByClaimRequest
+//   - opts ...grpc.CallOption
+func (_e *GatewayAPIClient_Expecter) GetTenantByClaim(ctx interface{}, in interface{}, opts ...interface{}) *GatewayAPIClient_GetTenantByClaim_Call {
+	return &GatewayAPIClient_GetTenantByClaim_Call{Call: _e.mock.On("GetTenantByClaim",
+		append([]interface{}{ctx, in}, opts...)...)}
+}
+
+func (_c *GatewayAPIClient_GetTenantByClaim_Call) Run(run func(ctx context.Context, in *tenantv1beta1.GetTenantByClaimRequest, opts ...grpc.CallOption)) *GatewayAPIClient_GetTenantByClaim_Call {
+	_c.Call.Run(func(args mock.Arguments) {
+		variadicArgs := make([]grpc.CallOption, len(args)-2)
+		for i, a := range args[2:] {
+			if a != nil {
+				variadicArgs[i] = a.(grpc.CallOption)
+			}
+		}
+		run(args[0].(context.Context), args[1].(*tenantv1beta1.GetTenantByClaimRequest), variadicArgs...)
+	})
+	return _c
+}
+
+func (_c *GatewayAPIClient_GetTenantByClaim_Call) Return(_a0 *tenantv1beta1.GetTenantByClaimResponse, _a1 error) *GatewayAPIClient_GetTenantByClaim_Call {
+	_c.Call.Return(_a0, _a1)
+	return _c
+}
+
+func (_c *GatewayAPIClient_GetTenantByClaim_Call) RunAndReturn(run func(context.Context, *tenantv1beta1.GetTenantByClaimRequest, ...grpc.CallOption) (*tenantv1beta1.GetTenantByClaimResponse, error)) *GatewayAPIClient_GetTenantByClaim_Call {
+	_c.Call.Return(run)
+	return _c
+}
+
 // GetTransferStatus provides a mock function with given fields: ctx, in, opts
 func (_m *GatewayAPIClient) GetTransferStatus(ctx context.Context, in *txv1beta1.GetTransferStatusRequest, opts ...grpc.CallOption) (*txv1beta1.GetTransferStatusResponse, error) {
 	var tmpRet mock.Arguments
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -316,7 +316,7 @@ github.com/crewjam/saml
 github.com/crewjam/saml/logger
 github.com/crewjam/saml/samlsp
 github.com/crewjam/saml/xmlenc
-# github.com/cs3org/go-cs3apis v0.0.0-20260310080202-fb97596763d6
+# github.com/cs3org/go-cs3apis v0.0.0-20260407125717-5d69ba49048b
 ## explicit; go 1.21
 github.com/cs3org/go-cs3apis/cs3/app/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/app/registry/v1beta1
@@ -325,6 +325,7 @@ github.com/cs3org/go-cs3apis/cs3/auth/provider/v1beta1
 github.com/cs3org/go-cs3apis/cs3/auth/registry/v1beta1
 github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1
 github.com/cs3org/go-cs3apis/cs3/identity/group/v1beta1
+github.com/cs3org/go-cs3apis/cs3/identity/tenant/v1beta1
 github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1
 github.com/cs3org/go-cs3apis/cs3/ocm/core/v1beta1
 github.com/cs3org/go-cs3apis/cs3/ocm/incoming/v1beta1
@@ -1371,7 +1372,7 @@ github.com/opencloud-eu/icap-client
 # github.com/opencloud-eu/libre-graph-api-go v1.0.8-0.20260310090739-853d972b282d
 ## explicit; go 1.18
 github.com/opencloud-eu/libre-graph-api-go
-# github.com/opencloud-eu/reva/v2 v2.42.7-0.20260408072824-411780d0b756
+# github.com/opencloud-eu/reva/v2 v2.42.7-0.20260409144540-a3009b33f38b
 ## explicit; go 1.25.0
 github.com/opencloud-eu/reva/v2/cmd/revad/internal/grace
 github.com/opencloud-eu/reva/v2/cmd/revad/runtime
@@ -1722,6 +1723,12 @@ github.com/opencloud-eu/reva/v2/pkg/store/etcd
 github.com/opencloud-eu/reva/v2/pkg/store/memory
 github.com/opencloud-eu/reva/v2/pkg/sysinfo
 github.com/opencloud-eu/reva/v2/pkg/tags
+github.com/opencloud-eu/reva/v2/pkg/tenant
+github.com/opencloud-eu/reva/v2/pkg/tenant/manager/ldap
+github.com/opencloud-eu/reva/v2/pkg/tenant/manager/loader
+github.com/opencloud-eu/reva/v2/pkg/tenant/manager/memory
+github.com/opencloud-eu/reva/v2/pkg/tenant/manager/null
+github.com/opencloud-eu/reva/v2/pkg/tenant/manager/registry
 github.com/opencloud-eu/reva/v2/pkg/token
 github.com/opencloud-eu/reva/v2/pkg/token/manager/demo
 github.com/opencloud-eu/reva/v2/pkg/token/manager/jwt