From 07e5d548f06c020167cf605707d73aeef223d3a6 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Thu, 5 Jun 2025 09:20:05 +0200
Subject: [PATCH 01/13] register with idp intent

---
 .../(login)/idp/[provider]/success/page.tsx   | 12 ++++++++++
 apps/login/src/app/(login)/register/page.tsx  | 22 ++++++++++++++++++-
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
index 1cee8b587c..cf5f0c8637 100644
--- a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
@@ -24,6 +24,7 @@ import {
 } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
 import { getLocale, getTranslations } from "next-intl/server";
 import { headers } from "next/headers";
+import { redirect } from "next/navigation";
 
 const ORG_SUFFIX_REGEX = /(?<=@)(.+)/;
 
@@ -205,6 +206,7 @@ export default async function Page(props: {
       }
     }
 
+    // if addHumanUser is provided in the intent, expect that it can be created otherwise show an error
     if (addHumanUser) {
       let addHumanUserWithOrganization: AddHumanUserRequest;
       if (orgToRegisterOn) {
@@ -241,6 +243,16 @@ export default async function Page(props: {
             : "Could not create user",
         );
       }
+    } else {
+      // if no user was found, we will create a new user manually / redirect to the registration page
+      if (options.isCreationAllowed) {
+        const registerParams = new URLSearchParams({
+          idpIntentId: id,
+          idpIntentToken: token,
+          organization: organization ?? "",
+        });
+        return redirect(`/register?${registerParams})}`);
+      }
     }
 
     if (newUser) {
diff --git a/apps/login/src/app/(login)/register/page.tsx b/apps/login/src/app/(login)/register/page.tsx
index e50511edb1..d042b52c60 100644
--- a/apps/login/src/app/(login)/register/page.tsx
+++ b/apps/login/src/app/(login)/register/page.tsx
@@ -7,6 +7,7 @@ import {
   getLegalAndSupportSettings,
   getLoginSettings,
   getPasswordComplexitySettings,
+  retrieveIDPIntent,
 } from "@/lib/zitadel";
 import { Organization } from "@zitadel/proto/zitadel/org/v2/org_pb";
 import { getLocale, getTranslations } from "next-intl/server";
@@ -19,7 +20,15 @@ export default async function Page(props: {
   const locale = getLocale();
   const t = await getTranslations({ locale, namespace: "register" });
 
-  let { firstname, lastname, email, organization, requestId } = searchParams;
+  let {
+    firstname,
+    lastname,
+    email,
+    organization,
+    requestId,
+    idpIntentId,
+    idpIntentToken,
+  } = searchParams;
 
   const _headers = await headers();
   const { serviceUrl } = getServiceUrlFromHeaders(_headers);
@@ -33,6 +42,17 @@ export default async function Page(props: {
     }
   }
 
+  let idpIntent;
+  if (idpIntentId && idpIntentToken) {
+    idpIntent = await retrieveIDPIntent({
+      serviceUrl,
+      id: idpIntentId,
+      token: idpIntentToken,
+    });
+
+    const { idpInformation, userId } = idpIntent;
+  }
+
   const legal = await getLegalAndSupportSettings({
     serviceUrl,
     organization,

From 738f1f04487881f2a75cf746c994f03aeb84ad7c Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 6 Jun 2025 13:46:25 +0200
Subject: [PATCH 02/13] conditionally hide options

---
 apps/login/locales/de.json                   |  2 ++
 apps/login/locales/en.json                   |  2 ++
 apps/login/locales/es.json                   |  2 ++
 apps/login/locales/it.json                   |  2 ++
 apps/login/locales/pl.json                   |  2 ++
 apps/login/locales/ru.json                   |  2 ++
 apps/login/locales/zh.json                   |  2 ++
 apps/login/src/app/(login)/register/page.tsx | 28 ++++++++++++++++++++
 apps/login/src/components/register-form.tsx  | 11 +++++++-
 9 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/apps/login/locales/de.json b/apps/login/locales/de.json
index 9da622340b..bddc703771 100644
--- a/apps/login/locales/de.json
+++ b/apps/login/locales/de.json
@@ -149,11 +149,13 @@
     },
     "title": "Registrieren",
     "description": "Erstellen Sie Ihr ZITADEL-Konto.",
+    "noMethodAvailableWarning": "Keine Authentifizierungsmethode verfügbar. Bitte wenden Sie sich an den Administrator.",
     "selectMethod": "Wählen Sie die Methode, mit der Sie sich authentifizieren möchten",
     "agreeTo": "Um sich zu registrieren, müssen Sie den Nutzungsbedingungen zustimmen",
     "termsOfService": "Nutzungsbedingungen",
     "privacyPolicy": "Datenschutzrichtlinie",
     "submit": "Weiter",
+    "orUseIDP": "oder verwenden Sie einen Identitätsanbieter",
     "password": {
       "title": "Passwort festlegen",
       "description": "Legen Sie das Passwort für Ihr Konto fest",
diff --git a/apps/login/locales/en.json b/apps/login/locales/en.json
index 37a1b62289..7bf71fd259 100644
--- a/apps/login/locales/en.json
+++ b/apps/login/locales/en.json
@@ -149,11 +149,13 @@
     },
     "title": "Register",
     "description": "Create your ZITADEL account.",
+    "noMethodAvailableWarning": "No authentication method available. Please contact your administrator.",
     "selectMethod": "Select the method you would like to authenticate",
     "agreeTo": "To register you must agree to the terms and conditions",
     "termsOfService": "Terms of Service",
     "privacyPolicy": "Privacy Policy",
     "submit": "Continue",
+    "orUseIDP": "or use an Identity Provider",
     "password": {
       "title": "Set Password",
       "description": "Set the password for your account",
diff --git a/apps/login/locales/es.json b/apps/login/locales/es.json
index 8969618c67..225a5c84db 100644
--- a/apps/login/locales/es.json
+++ b/apps/login/locales/es.json
@@ -149,11 +149,13 @@
     },
     "title": "Registrarse",
     "description": "Crea tu cuenta ZITADEL.",
+    "noMethodAvailableWarning": "No hay métodos de autenticación disponibles. Por favor, contacta a tu administrador.",
     "selectMethod": "Selecciona el método con el que deseas autenticarte",
     "agreeTo": "Para registrarte debes aceptar los términos y condiciones",
     "termsOfService": "Términos de Servicio",
     "privacyPolicy": "Política de Privacidad",
     "submit": "Continuar",
+    "orUseIDP": "o usa un Proveedor de Identidad",
     "password": {
       "title": "Establecer Contraseña",
       "description": "Establece la contraseña para tu cuenta",
diff --git a/apps/login/locales/it.json b/apps/login/locales/it.json
index 83fc5f3bfc..effe09047a 100644
--- a/apps/login/locales/it.json
+++ b/apps/login/locales/it.json
@@ -149,11 +149,13 @@
     },
     "title": "Registrati",
     "description": "Crea il tuo account ZITADEL.",
+    "noMethodAvailableWarning": "Nessun metodo di autenticazione disponibile. Contatta l'amministratore di sistema per assistenza.",
     "selectMethod": "Seleziona il metodo con cui desideri autenticarti",
     "agreeTo": "Per registrarti devi accettare i termini e le condizioni",
     "termsOfService": "Termini di Servizio",
     "privacyPolicy": "Informativa sulla Privacy",
     "submit": "Continua",
+    "orUseIDP": "o usa un Identity Provider",
     "password": {
       "title": "Imposta Password",
       "description": "Imposta la password per il tuo account",
diff --git a/apps/login/locales/pl.json b/apps/login/locales/pl.json
index ad9f5d9a65..95f3cb2d2b 100644
--- a/apps/login/locales/pl.json
+++ b/apps/login/locales/pl.json
@@ -149,11 +149,13 @@
     },
     "title": "Rejestracja",
     "description": "Utwórz konto ZITADEL.",
+    "noMethodAvailableWarning": "Brak dostępnych metod uwierzytelniania. Skontaktuj się z administratorem.",
     "selectMethod": "Wybierz metodę uwierzytelniania, której chcesz użyć",
     "agreeTo": "Aby się zarejestrować, musisz zaakceptować warunki korzystania",
     "termsOfService": "Regulamin",
     "privacyPolicy": "Polityka prywatności",
     "submit": "Kontynuuj",
+    "orUseIDP": "lub użyj dostawcy tożsamości",
     "password": {
       "title": "Ustaw hasło",
       "description": "Ustaw hasło dla swojego konta",
diff --git a/apps/login/locales/ru.json b/apps/login/locales/ru.json
index 73b0810e93..9c34a1e6b1 100644
--- a/apps/login/locales/ru.json
+++ b/apps/login/locales/ru.json
@@ -149,11 +149,13 @@
     },
     "title": "Регистрация",
     "description": "Создайте свой аккаунт ZITADEL.",
+    "noMethodAvailableWarning": "Нет доступных методов аутентификации. Обратитесь к администратору.",
     "selectMethod": "Выберите метод аутентификации",
     "agreeTo": "Для регистрации необходимо принять условия:",
     "termsOfService": "Условия использования",
     "privacyPolicy": "Политика конфиденциальности",
     "submit": "Продолжить",
+    "orUseIDP": "или используйте Identity Provider",
     "password": {
       "title": "Установить пароль",
       "description": "Установите пароль для вашего аккаунта",
diff --git a/apps/login/locales/zh.json b/apps/login/locales/zh.json
index bba15c62dd..fae81906d2 100644
--- a/apps/login/locales/zh.json
+++ b/apps/login/locales/zh.json
@@ -149,11 +149,13 @@
     },
     "title": "注册",
     "description": "创建您的 ZITADEL 账户。",
+    "noMethodAvailableWarning": "没有可用的认证方法。请联系您的系统管理员。",
     "selectMethod": "选择您想使用的认证方法",
     "agreeTo": "注册即表示您同意条款和条件",
     "termsOfService": "服务条款",
     "privacyPolicy": "隐私政策",
     "submit": "继续",
+    "orUseIDP": "或使用身份提供者",
     "password": {
       "title": "设置密码",
       "description": "为您的账户设置密码",
diff --git a/apps/login/src/app/(login)/register/page.tsx b/apps/login/src/app/(login)/register/page.tsx
index d042b52c60..550a214102 100644
--- a/apps/login/src/app/(login)/register/page.tsx
+++ b/apps/login/src/app/(login)/register/page.tsx
@@ -1,7 +1,9 @@
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { RegisterForm } from "@/components/register-form";
+import { SignInWithIdp } from "@/components/sign-in-with-idp";
 import { getServiceUrlFromHeaders } from "@/lib/service-url";
 import {
+  getActiveIdentityProviders,
   getBrandingSettings,
   getDefaultOrg,
   getLegalAndSupportSettings,
@@ -72,6 +74,15 @@ export default async function Page(props: {
     organization,
   });
 
+  const identityProviders = await getActiveIdentityProviders({
+    serviceUrl,
+    orgId: organization,
+  }).then((resp) => {
+    return resp.identityProviders.filter((idp) => {
+      return idp.options?.isAutoCreation || idp.options?.isCreationAllowed; // check if IDP allows to create account automatically or manual creation is allowed
+    });
+  });
+
   if (!loginSettings?.allowRegister) {
     return (
       <DynamicTheme branding={branding}>
@@ -91,6 +102,9 @@ export default async function Page(props: {
 
         {legal && passwordComplexitySettings && (
           <RegisterForm
+            idpCount={
+              !loginSettings?.allowExternalIdp ? 0 : identityProviders.length
+            }
             legal={legal}
             organization={organization}
             firstname={firstname}
@@ -100,6 +114,20 @@ export default async function Page(props: {
             loginSettings={loginSettings}
           ></RegisterForm>
         )}
+
+        {loginSettings?.allowExternalIdp && !!identityProviders.length && (
+          <>
+            <div className="py-3 flex flex-col items-center">
+              <p className="ztdl-p text-center">{t("orUseIDP")}</p>
+            </div>
+
+            <SignInWithIdp
+              identityProviders={identityProviders}
+              requestId={requestId}
+              organization={organization}
+            ></SignInWithIdp>
+          </>
+        )}
       </div>
     </DynamicTheme>
   );
diff --git a/apps/login/src/components/register-form.tsx b/apps/login/src/components/register-form.tsx
index 09e3f0b89b..4ce4860b16 100644
--- a/apps/login/src/components/register-form.tsx
+++ b/apps/login/src/components/register-form.tsx
@@ -10,7 +10,7 @@ import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
 import { useState } from "react";
 import { FieldValues, useForm } from "react-hook-form";
-import { Alert } from "./alert";
+import { Alert, AlertType } from "./alert";
 import {
   AuthenticationMethod,
   AuthenticationMethodRadio,
@@ -38,6 +38,7 @@ type Props = {
   organization?: string;
   requestId?: string;
   loginSettings?: LoginSettings;
+  idpCount: number;
 };
 
 export function RegisterForm({
@@ -48,6 +49,7 @@ export function RegisterForm({
   organization,
   requestId,
   loginSettings,
+  idpCount = 0,
 }: Props) {
   const t = useTranslations("register");
 
@@ -178,11 +180,18 @@ export function RegisterForm({
           </div>
         )}
 
+      {(!loginSettings?.allowUsernamePassword ||
+        loginSettings?.passkeysType != PasskeysType.ALLOWED) &&
+        !idpCount && (
+          <Alert type={AlertType.INFO}>{t("noMethodAvailableWarning")}</Alert>
+        )}
+
       {error && (
         <div className="py-4">
           <Alert>{error}</Alert>
         </div>
       )}
+
       <div className="mt-8 flex w-full flex-row items-center justify-between">
         <BackButton data-testid="back-button" />
         <Button

From 830e495cd05cb5cb3d51ef261f3cabb845a7ae53 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Fri, 6 Jun 2025 14:21:11 +0200
Subject: [PATCH 03/13] user missing data form for IDPs

---
 .../(login)/idp/[provider]/success/page.tsx   | 125 ++++++++-------
 .../components/idps/pages/complete-idp.tsx    |  38 +++++
 .../register-form-idp-incomplete.tsx          | 143 ++++++++++++++++++
 apps/login/src/lib/server/cookie.ts           |  17 ++-
 apps/login/src/lib/server/idp.ts              |  12 +-
 apps/login/src/lib/server/register.ts         |  81 +++++++++-
 apps/login/src/lib/zitadel.ts                 |   2 +-
 7 files changed, 341 insertions(+), 77 deletions(-)
 create mode 100644 apps/login/src/components/idps/pages/complete-idp.tsx
 create mode 100644 apps/login/src/components/register-form-idp-incomplete.tsx

diff --git a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
index cf5f0c8637..3e4a7b253a 100644
--- a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
@@ -1,5 +1,6 @@
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { IdpSignin } from "@/components/idp-signin";
+import { completeIDP } from "@/components/idps/pages/complete-idp";
 import { linkingFailed } from "@/components/idps/pages/linking-failed";
 import { linkingSuccess } from "@/components/idps/pages/linking-success";
 import { loginFailed } from "@/components/idps/pages/login-failed";
@@ -24,7 +25,6 @@ import {
 } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
 import { getLocale, getTranslations } from "next-intl/server";
 import { headers } from "next/headers";
-import { redirect } from "next/navigation";
 
 const ORG_SUFFIX_REGEX = /(?<=@)(.+)/;
 
@@ -177,9 +177,10 @@ export default async function Page(props: {
     }
   }
 
-  if (options?.isAutoCreation) {
+  let newUser;
+  // automatic creation of a user is allowed and data is complete
+  if (options?.isAutoCreation && addHumanUser) {
     let orgToRegisterOn: string | undefined = organization;
-    let newUser;
 
     if (
       !orgToRegisterOn &&
@@ -206,70 +207,68 @@ export default async function Page(props: {
       }
     }
 
-    // if addHumanUser is provided in the intent, expect that it can be created otherwise show an error
-    if (addHumanUser) {
-      let addHumanUserWithOrganization: AddHumanUserRequest;
-      if (orgToRegisterOn) {
-        const organizationSchema = create(OrganizationSchema, {
-          org: { case: "orgId", value: orgToRegisterOn },
-        });
+    let addHumanUserWithOrganization: AddHumanUserRequest;
+    if (orgToRegisterOn) {
+      const organizationSchema = create(OrganizationSchema, {
+        org: { case: "orgId", value: orgToRegisterOn },
+      });
 
-        addHumanUserWithOrganization = create(AddHumanUserRequestSchema, {
-          ...addHumanUser,
-          organization: organizationSchema,
-        });
-      } else {
-        addHumanUserWithOrganization = create(
-          AddHumanUserRequestSchema,
-          addHumanUser,
-        );
-      }
-
-      try {
-        newUser = await addHuman({
-          serviceUrl,
-          request: addHumanUserWithOrganization,
-        });
-      } catch (error: unknown) {
-        console.error(
-          "An error occurred while creating the user:",
-          error,
-          addHumanUser,
-        );
-        return loginFailed(
-          branding,
-          (error as ConnectError).message
-            ? (error as ConnectError).message
-            : "Could not create user",
-        );
-      }
+      addHumanUserWithOrganization = create(AddHumanUserRequestSchema, {
+        ...addHumanUser,
+        organization: organizationSchema,
+      });
     } else {
-      // if no user was found, we will create a new user manually / redirect to the registration page
-      if (options.isCreationAllowed) {
-        const registerParams = new URLSearchParams({
-          idpIntentId: id,
-          idpIntentToken: token,
-          organization: organization ?? "",
-        });
-        return redirect(`/register?${registerParams})}`);
-      }
-    }
-
-    if (newUser) {
-      return (
-        <DynamicTheme branding={branding}>
-          <div className="flex flex-col items-center space-y-4">
-            <h1>{t("registerSuccess.title")}</h1>
-            <p className="ztdl-p">{t("registerSuccess.description")}</p>
-            <IdpSignin
-              userId={newUser.userId}
-              idpIntent={{ idpIntentId: id, idpIntentToken: token }}
-              requestId={requestId}
-            />
-          </div>
-        </DynamicTheme>
+      addHumanUserWithOrganization = create(
+        AddHumanUserRequestSchema,
+        addHumanUser,
       );
     }
+
+    try {
+      newUser = await addHuman({
+        serviceUrl,
+        request: addHumanUserWithOrganization,
+      });
+    } catch (error: unknown) {
+      console.error(
+        "An error occurred while creating the user:",
+        error,
+        addHumanUser,
+      );
+      return loginFailed(
+        branding,
+        (error as ConnectError).message
+          ? (error as ConnectError).message
+          : "Could not create user",
+      );
+    }
+  }
+
+  // if no user was found, we will create a new user manually / redirect to the registration page
+  if (options?.isCreationAllowed) {
+    return completeIDP({
+      branding,
+      idpInformation,
+      organization,
+      requestId,
+      userId,
+    });
+  }
+
+  if (newUser) {
+    return (
+      <DynamicTheme branding={branding}>
+        <div className="flex flex-col items-center space-y-4">
+          <h1>{t("registerSuccess.title")}</h1>
+          <p className="ztdl-p">{t("registerSuccess.description")}</p>
+          <IdpSignin
+            userId={newUser.userId}
+            idpIntent={{ idpIntentId: id, idpIntentToken: token }}
+            requestId={requestId}
+          />
+        </div>
+      </DynamicTheme>
+    );
   }
 
   // return login failed if no linking or creation is allowed and no user was found
diff --git a/apps/login/src/components/idps/pages/complete-idp.tsx b/apps/login/src/components/idps/pages/complete-idp.tsx
new file mode 100644
index 0000000000..4443a9317b
--- /dev/null
+++ b/apps/login/src/components/idps/pages/complete-idp.tsx
@@ -0,0 +1,38 @@
+import { RegisterFormIDPIncomplete } from "@/components/register-form-idp-incomplete";
+import { BrandingSettings } from "@zitadel/proto/zitadel/settings/v2/branding_settings_pb";
+import { IDPInformation } from "@zitadel/proto/zitadel/user/v2/idp_pb";
+import { getLocale, getTranslations } from "next-intl/server";
+import { DynamicTheme } from "../../dynamic-theme";
+
+export async function completeIDP({
+  userId,
+  idpInformation,
+  requestId,
+  organization,
+  branding,
+}: {
+  userId: string;
+  idpInformation: IDPInformation;
+  requestId?: string;
+  organization?: string;
+  branding?: BrandingSettings;
+}) {
+  const locale = getLocale();
+  const t = await getTranslations({ locale, namespace: "idp" });
+
+  return (
+    <DynamicTheme branding={branding}>
+      <div className="flex flex-col items-center space-y-4">
+        <h1>{t("loginSuccess.title")}</h1>
+        <p className="ztdl-p">{t("loginSuccess.description")}</p>
+
+        <RegisterFormIDPIncomplete
+          userId={userId}
+          idpInformation={idpInformation}
+          requestId={requestId}
+          organization={organization}
+        />
+      </div>
+    </DynamicTheme>
+  );
+}
diff --git a/apps/login/src/components/register-form-idp-incomplete.tsx b/apps/login/src/components/register-form-idp-incomplete.tsx
new file mode 100644
index 0000000000..35324be2e2
--- /dev/null
+++ b/apps/login/src/components/register-form-idp-incomplete.tsx
@@ -0,0 +1,143 @@
+"use client";
+
+import { IDPInformation } from "@zitadel/proto/zitadel/user/v2/idp_pb";
+import { useTranslations } from "next-intl";
+import { useRouter } from "next/navigation";
+import { useState } from "react";
+import { FieldValues, useForm } from "react-hook-form";
+import { Alert } from "./alert";
+import { AuthenticationMethod, methods } from "./authentication-method-radio";
+import { BackButton } from "./back-button";
+import { Button, ButtonVariants } from "./button";
+import { TextInput } from "./input";
+import { Spinner } from "./spinner";
+
+type Inputs =
+  | {
+      firstname: string;
+      lastname: string;
+      email: string;
+    }
+  | FieldValues;
+
+type Props = {
+  organization?: string;
+  requestId?: string;
+  idpInformation?: IDPInformation;
+};
+
+export function RegisterFormIDPIncomplete({
+  organization,
+  requestId,
+  idpInformation,
+}: Props) {
+  const t = useTranslations("register");
+
+  const { register, handleSubmit, formState } = useForm<Inputs>({
+    mode: "onBlur",
+    defaultValues: {
+      email: idpInformation?.rawInformation?.email ?? "",
+      firstName: idpInformation?.rawInformation?.firstname ?? "",
+      lastname: idpInformation?.rawInformation?.lastname ?? "",
+    },
+  });
+
+  const [loading, setLoading] = useState<boolean>(false);
+  const [selected, setSelected] = useState<AuthenticationMethod>(methods[0]);
+  const [error, setError] = useState<string>("");
+
+  const router = useRouter();
+
+  async function submitAndRegister(values: Inputs) {
+    setLoading(true);
+    const response = await registerUserAndLinkToIDP({
+      email: values.email,
+      firstName: values.firstname,
+      lastName: values.lastname,
+      organization: organization,
+      requestId: requestId,
+    })
+      .catch(() => {
+        setError("Could not register user");
+        return;
+      })
+      .finally(() => {
+        setLoading(false);
+      });
+
+    if (response && "error" in response && response.error) {
+      setError(response.error);
+      return;
+    }
+
+    if (response && "redirect" in response && response.redirect) {
+      return router.push(response.redirect);
+    }
+
+    return response;
+  }
+
+  const { errors } = formState;
+
+  return (
+    <form className="w-full">
+      <div className="grid grid-cols-2 gap-4 mb-4">
+        <div className="">
+          <TextInput
+            type="firstname"
+            autoComplete="firstname"
+            required
+            {...register("firstname", { required: "This field is required" })}
+            label="First name"
+            error={errors.firstname?.message as string}
+            data-testid="firstname-text-input"
+          />
+        </div>
+        <div className="">
+          <TextInput
+            type="lastname"
+            autoComplete="lastname"
+            required
+            {...register("lastname", { required: "This field is required" })}
+            label="Last name"
+            error={errors.lastname?.message as string}
+            data-testid="lastname-text-input"
+          />
+        </div>
+        <div className="col-span-2">
+          <TextInput
+            type="email"
+            autoComplete="email"
+            required
+            {...register("email", { required: "This field is required" })}
+            label="E-mail"
+            error={errors.email?.message as string}
+            data-testid="email-text-input"
+          />
+        </div>
+      </div>
+
+      <p className="mt-4 ztdl-p mb-6 block text-left">{t("completeData")}</p>
+
+      {error && (
+        <div className="py-4">
+          <Alert>{error}</Alert>
+        </div>
+      )}
+
+      <div className="mt-8 flex w-full flex-row items-center justify-between">
+        <BackButton data-testid="back-button" />
+        <Button
+          type="submit"
+          variant={ButtonVariants.Primary}
+          disabled={loading || !formState.isValid || !tosAndPolicyAccepted}
+          onClick={handleSubmit(submitAndRegister)}
+          data-testid="submit-button"
+        >
+          {loading && <Spinner className="h-5 w-5 mr-2" />}
+          {t("submit")}
+        </Button>
+      </div>
+    </form>
+  );
+}
diff --git a/apps/login/src/lib/server/cookie.ts b/apps/login/src/lib/server/cookie.ts
index 88e0b48290..841fc06b3a 100644
--- a/apps/login/src/lib/server/cookie.ts
+++ b/apps/login/src/lib/server/cookie.ts
@@ -109,15 +109,20 @@ export async function createSessionAndUpdateCookie(command: {
   }
 }
 
-export async function createSessionForIdpAndUpdateCookie(
-  userId: string,
+export async function createSessionForIdpAndUpdateCookie({
+  userId,
+  idpIntent,
+  requestId,
+  lifetime,
+}: {
+  userId: string;
   idpIntent: {
     idpIntentId?: string | undefined;
     idpIntentToken?: string | undefined;
-  },
-  requestId: string | undefined,
-  lifetime?: Duration,
-): Promise<Session> {
+  };
+  requestId: string | undefined;
+  lifetime?: Duration;
+}): Promise<Session> {
   const _headers = await headers();
   const { serviceUrl } = getServiceUrlFromHeaders(_headers);
 
diff --git a/apps/login/src/lib/server/idp.ts b/apps/login/src/lib/server/idp.ts
index 5cac537690..aaf5b77779 100644
--- a/apps/login/src/lib/server/idp.ts
+++ b/apps/login/src/lib/server/idp.ts
@@ -122,12 +122,12 @@ export async function createNewSessionFromIdpIntent(
     organization: userResponse.user.details?.resourceOwner,
   });
 
-  const session = await createSessionForIdpAndUpdateCookie(
-    command.userId,
-    command.idpIntent,
-    command.requestId,
-    loginSettings?.externalLoginCheckLifetime,
-  );
+  const session = await createSessionForIdpAndUpdateCookie({
+    userId: command.userId,
+    idpIntent: command.idpIntent,
+    requestId: command.requestId,
+    lifetime: loginSettings?.externalLoginCheckLifetime,
+  });
 
   if (!session || !session.factors?.user) {
     return { error: "Could not create session" };
diff --git a/apps/login/src/lib/server/register.ts b/apps/login/src/lib/server/register.ts
index 25bea33527..b08099817d 100644
--- a/apps/login/src/lib/server/register.ts
+++ b/apps/login/src/lib/server/register.ts
@@ -1,6 +1,9 @@
 "use server";
 
-import { createSessionAndUpdateCookie } from "@/lib/server/cookie";
+import {
+  createSessionAndUpdateCookie,
+  createSessionForIdpAndUpdateCookie,
+} from "@/lib/server/cookie";
 import { addHumanUser, getLoginSettings, getUserByID } from "@/lib/zitadel";
 import { create } from "@zitadel/client";
 import { Factors } from "@zitadel/proto/zitadel/session/v2/session_pb";
@@ -133,3 +136,79 @@ export async function registerUser(command: RegisterUserCommand) {
     return { redirect: url };
   }
 }
+
+type RegisterUserAndLinkToIDPommand = {
+  email: string;
+  firstName: string;
+  lastName: string;
+  organization?: string;
+  requestId?: string;
+  idpIntent: {
+    idpIntentId: string;
+    idpIntentToken: string;
+  };
+  userId: string;
+};
+
+export type registerUserAndLinkToIDPResponse = {
+  userId: string;
+  sessionId: string;
+  factors: Factors | undefined;
+};
+export async function registerUserAndLinkToIDP(
+  command: RegisterUserAndLinkToIDPommand,
+) {
+  const _headers = await headers();
+  const { serviceUrl } = getServiceUrlFromHeaders(_headers);
+  const host = _headers.get("host");
+
+  if (!host || typeof host !== "string") {
+    throw new Error("No host found");
+  }
+
+  const addResponse = await addHumanUser({
+    serviceUrl,
+    email: command.email,
+    firstName: command.firstName,
+    lastName: command.lastName,
+    organization: command.organization,
+  });
+
+  if (!addResponse) {
+    return { error: "Could not create user" };
+  }
+
+  const loginSettings = await getLoginSettings({
+    serviceUrl,
+    organization: command.organization,
+  });
+
+  // TODO: addIDPLink to addResponse
+
+  const session = await createSessionForIdpAndUpdateCookie({
+    requestId: command.requestId,
+    userId: command.userId,
+    idpIntent: command.idpIntent,
+    lifetime: loginSettings?.externalLoginCheckLifetime,
+  });
+
+  if (!session || !session.factors?.user) {
+    return { error: "Could not create session" };
+  }
+
+  const url = await getNextUrl(
+    command.requestId && session.id
+      ? {
+          sessionId: session.id,
+          requestId: command.requestId,
+          organization: session.factors.user.organizationId,
+        }
+      : {
+          loginName: session.factors.user.loginName,
+          organization: session.factors.user.organizationId,
+        },
+    loginSettings?.defaultRedirectUri,
+  );
+
+  return { redirect: url };
+}
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index a0e91a021c..c53d622d7d 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -387,7 +387,7 @@ export type AddHumanUserData = {
   firstName: string;
   lastName: string;
   email: string;
-  password: string | undefined;
+  password?: string;
   organization: string | undefined;
 };
 

From dbf458c685b131903bba65ab49a8dc95ebc00e6a Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Tue, 10 Jun 2025 14:02:35 +0200
Subject: [PATCH 04/13] idpIntent properties

---
 .../app/(login)/idp/[provider]/success/page.tsx    |  1 +
 .../src/components/idps/pages/complete-idp.tsx     |  6 ++++++
 .../components/register-form-idp-incomplete.tsx    | 14 ++++++++++++--
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
index 3e4a7b253a..b56a425138 100644
--- a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
@@ -248,6 +248,7 @@ export default async function Page(props: {
   if (options?.isCreationAllowed) {
     return completeIDP({
       branding,
+      idpIntent: { idpIntentId: id, idpIntentToken: token },
       idpInformation,
       organization,
       requestId,
diff --git a/apps/login/src/components/idps/pages/complete-idp.tsx b/apps/login/src/components/idps/pages/complete-idp.tsx
index 4443a9317b..a2a89265c8 100644
--- a/apps/login/src/components/idps/pages/complete-idp.tsx
+++ b/apps/login/src/components/idps/pages/complete-idp.tsx
@@ -10,12 +10,17 @@ export async function completeIDP({
   requestId,
   organization,
   branding,
+  idpIntent,
 }: {
   userId: string;
   idpInformation: IDPInformation;
   requestId?: string;
   organization?: string;
   branding?: BrandingSettings;
+  idpIntent: {
+    idpIntentId: string;
+    idpIntentToken: string;
+  };
 }) {
   const locale = getLocale();
   const t = await getTranslations({ locale, namespace: "idp" });
@@ -31,6 +36,7 @@ export async function completeIDP({
           idpInformation={idpInformation}
           requestId={requestId}
           organization={organization}
+          idpIntent={idpIntent}
         />
       </div>
     </DynamicTheme>
diff --git a/apps/login/src/components/register-form-idp-incomplete.tsx b/apps/login/src/components/register-form-idp-incomplete.tsx
index 35324be2e2..5fd7e43786 100644
--- a/apps/login/src/components/register-form-idp-incomplete.tsx
+++ b/apps/login/src/components/register-form-idp-incomplete.tsx
@@ -1,5 +1,6 @@
 "use client";
 
+import { registerUserAndLinkToIDP } from "@/lib/server/register";
 import { IDPInformation } from "@zitadel/proto/zitadel/user/v2/idp_pb";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
@@ -23,13 +24,20 @@ type Inputs =
 type Props = {
   organization?: string;
   requestId?: string;
-  idpInformation?: IDPInformation;
+  idpIntent: {
+    idpIntentId: string;
+    idpIntentToken: string;
+  };
+  idpInformation: IDPInformation;
+  userId: string;
 };
 
 export function RegisterFormIDPIncomplete({
   organization,
   requestId,
+  idpIntent,
   idpInformation,
+  userId,
 }: Props) {
   const t = useTranslations("register");
 
@@ -51,11 +59,13 @@ export function RegisterFormIDPIncomplete({
   async function submitAndRegister(values: Inputs) {
     setLoading(true);
     const response = await registerUserAndLinkToIDP({
+      userId: userId,
       email: values.email,
       firstName: values.firstname,
       lastName: values.lastname,
       organization: organization,
       requestId: requestId,
+      idpIntent: idpIntent,
     })
       .catch(() => {
         setError("Could not register user");
@@ -130,7 +140,7 @@ export function RegisterFormIDPIncomplete({
         <Button
           type="submit"
           variant={ButtonVariants.Primary}
-          disabled={loading || !formState.isValid || !tosAndPolicyAccepted}
+          disabled={loading || !formState.isValid}
           onClick={handleSubmit(submitAndRegister)}
           data-testid="submit-button"
         >

From 99595816662494799b5f4ee18de88d78026ebf45 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 11 Jun 2025 10:04:16 +0200
Subject: [PATCH 05/13] i18n

---
 apps/login/locales/de.json                    |  4 ++++
 apps/login/locales/en.json                    |  4 ++++
 apps/login/locales/es.json                    |  4 ++++
 apps/login/locales/it.json                    |  4 ++++
 apps/login/locales/pl.json                    |  4 ++++
 apps/login/locales/ru.json                    |  4 ++++
 apps/login/locales/zh.json                    |  4 ++++
 .../(login)/idp/[provider]/success/page.tsx   |  5 ++---
 .../components/idps/pages/complete-idp.tsx    |  4 ++--
 .../register-form-idp-incomplete.tsx          |  4 ----
 apps/login/src/components/register-form.tsx   | 19 ++++++++++++-------
 11 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/apps/login/locales/de.json b/apps/login/locales/de.json
index bddc703771..36dc145120 100644
--- a/apps/login/locales/de.json
+++ b/apps/login/locales/de.json
@@ -72,6 +72,10 @@
     "linkingError": {
       "title": "Konto-Verknüpfung fehlgeschlagen",
       "description": "Beim Verknüpfen Ihres Kontos ist ein Fehler aufgetreten."
+    },
+    "completeRegister": {
+      "title": "Registrierung abschließen",
+      "description": "Bitte vervollständige die Registrierung, um dein Konto zu erstellen."
     }
   },
   "mfa": {
diff --git a/apps/login/locales/en.json b/apps/login/locales/en.json
index 7bf71fd259..0b1cbeb472 100644
--- a/apps/login/locales/en.json
+++ b/apps/login/locales/en.json
@@ -72,6 +72,10 @@
     "linkingError": {
       "title": "Account linking failed",
       "description": "An error occurred while trying to link your account."
+    },
+    "completeRegister": {
+      "title": "Complete your data",
+      "description": "You need to complete your registration by providing your email address and name."
     }
   },
   "mfa": {
diff --git a/apps/login/locales/es.json b/apps/login/locales/es.json
index 225a5c84db..5cd40f764a 100644
--- a/apps/login/locales/es.json
+++ b/apps/login/locales/es.json
@@ -72,6 +72,10 @@
     "linkingError": {
       "title": "Error al vincular la cuenta",
       "description": "Ocurrió un error al intentar vincular tu cuenta."
+    },
+    "completeRegister": {
+      "title": "Completar registro",
+      "description": "Para completar el registro, debes establecer una contraseña."
     }
   },
   "mfa": {
diff --git a/apps/login/locales/it.json b/apps/login/locales/it.json
index effe09047a..a19aa91cfb 100644
--- a/apps/login/locales/it.json
+++ b/apps/login/locales/it.json
@@ -72,6 +72,10 @@
     "linkingError": {
       "title": "Collegamento account fallito",
       "description": "Si è verificato un errore durante il tentativo di collegare il tuo account."
+    },
+    "completeRegister": {
+      "title": "Completa la registrazione",
+      "description": "Completa la registrazione del tuo account."
     }
   },
   "mfa": {
diff --git a/apps/login/locales/pl.json b/apps/login/locales/pl.json
index 95f3cb2d2b..b97e7e4b47 100644
--- a/apps/login/locales/pl.json
+++ b/apps/login/locales/pl.json
@@ -72,6 +72,10 @@
     "linkingError": {
       "title": "Powiązanie konta nie powiodło się",
       "description": "Wystąpił błąd podczas próby powiązania konta."
+    },
+    "completeRegister": {
+      "title": "Ukończ rejestrację",
+      "description": "Ukończ rejestrację swojego konta."
     }
   },
   "mfa": {
diff --git a/apps/login/locales/ru.json b/apps/login/locales/ru.json
index 9c34a1e6b1..77ea8ba79e 100644
--- a/apps/login/locales/ru.json
+++ b/apps/login/locales/ru.json
@@ -72,6 +72,10 @@
     "linkingError": {
       "title": "Ошибка привязки аккаунта",
       "description": "Произошла ошибка при попытке привязать аккаунт."
+    },
+    "completeRegister": {
+      "title": "Завершите регистрацию",
+      "description": "Завершите регистрацию вашего аккаунта."
     }
   },
   "mfa": {
diff --git a/apps/login/locales/zh.json b/apps/login/locales/zh.json
index fae81906d2..0ad9c7e056 100644
--- a/apps/login/locales/zh.json
+++ b/apps/login/locales/zh.json
@@ -72,6 +72,10 @@
     "linkingError": {
       "title": "账户链接失败",
       "description": "链接账户时发生错误。"
+    },
+    "completeRegister": {
+      "title": "完成注册",
+      "description": "完成您的账户注册。"
     }
   },
   "mfa": {
diff --git a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
index b56a425138..c01adcf346 100644
--- a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
@@ -242,10 +242,9 @@ export default async function Page(props: {
           : "Could not create user",
       );
     }
-  }
+  } else if (options?.isCreationAllowed) {
+    // if no user was found, we will create a new user manually / redirect to the registration page
 
-  // if no user was found, we will create a new user manually / redirect to the registration page
-  if (options?.isCreationAllowed) {
     return completeIDP({
       branding,
       idpIntent: { idpIntentId: id, idpIntentToken: token },
diff --git a/apps/login/src/components/idps/pages/complete-idp.tsx b/apps/login/src/components/idps/pages/complete-idp.tsx
index a2a89265c8..dbc20fbd06 100644
--- a/apps/login/src/components/idps/pages/complete-idp.tsx
+++ b/apps/login/src/components/idps/pages/complete-idp.tsx
@@ -28,8 +28,8 @@ export async function completeIDP({
   return (
     <DynamicTheme branding={branding}>
       <div className="flex flex-col items-center space-y-4">
-        <h1>{t("loginSuccess.title")}</h1>
-        <p className="ztdl-p">{t("loginSuccess.description")}</p>
+        <h1>{t("completeRegister.title")}</h1>
+        <p className="ztdl-p">{t("completeRegister.description")}</p>
 
         <RegisterFormIDPIncomplete
           userId={userId}
diff --git a/apps/login/src/components/register-form-idp-incomplete.tsx b/apps/login/src/components/register-form-idp-incomplete.tsx
index 5fd7e43786..943aa63df3 100644
--- a/apps/login/src/components/register-form-idp-incomplete.tsx
+++ b/apps/login/src/components/register-form-idp-incomplete.tsx
@@ -7,7 +7,6 @@ import { useRouter } from "next/navigation";
 import { useState } from "react";
 import { FieldValues, useForm } from "react-hook-form";
 import { Alert } from "./alert";
-import { AuthenticationMethod, methods } from "./authentication-method-radio";
 import { BackButton } from "./back-button";
 import { Button, ButtonVariants } from "./button";
 import { TextInput } from "./input";
@@ -51,7 +50,6 @@ export function RegisterFormIDPIncomplete({
   });
 
   const [loading, setLoading] = useState<boolean>(false);
-  const [selected, setSelected] = useState<AuthenticationMethod>(methods[0]);
   const [error, setError] = useState<string>("");
 
   const router = useRouter();
@@ -127,8 +125,6 @@ export function RegisterFormIDPIncomplete({
         </div>
       </div>
 
-      <p className="mt-4 ztdl-p mb-6 block text-left">{t("completeData")}</p>
-
       {error && (
         <div className="py-4">
           <Alert>{error}</Alert>
diff --git a/apps/login/src/components/register-form.tsx b/apps/login/src/components/register-form.tsx
index 4ce4860b16..6701fdf215 100644
--- a/apps/login/src/components/register-form.tsx
+++ b/apps/login/src/components/register-form.tsx
@@ -167,17 +167,22 @@ export function RegisterForm({
           onChange={setTosAndPolicyAccepted}
         />
       )}
-      <p className="mt-4 ztdl-p mb-6 block text-left">{t("selectMethod")}</p>
       {/* show chooser if both methods are allowed */}
       {loginSettings &&
         loginSettings.allowUsernamePassword &&
         loginSettings.passkeysType == PasskeysType.ALLOWED && (
-          <div className="pb-4">
-            <AuthenticationMethodRadio
-              selected={selected}
-              selectionChanged={setSelected}
-            />
-          </div>
+          <>
+            <p className="mt-4 ztdl-p mb-6 block text-left">
+              {t("selectMethod")}
+            </p>
+
+            <div className="pb-4">
+              <AuthenticationMethodRadio
+                selected={selected}
+                selectionChanged={setSelected}
+              />
+            </div>
+          </>
         )}
 
       {(!loginSettings?.allowUsernamePassword ||

From f31fac4c9ea4fe8e41f77259bc3f5c5dd82d5221 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 11 Jun 2025 13:38:38 +0200
Subject: [PATCH 06/13] link user to idp after creation

---
 .../(login)/idp/[provider]/success/page.tsx   | 96 +++++++++++++------
 apps/login/src/app/(login)/register/page.tsx  | 28 ++----
 .../components/idps/pages/complete-idp.tsx    | 26 +++--
 .../register-form-idp-incomplete.tsx          | 29 ++++--
 apps/login/src/components/register-form.tsx   |  2 +-
 apps/login/src/lib/server/invite.ts           |  2 +-
 apps/login/src/lib/server/register.ts         | 31 +++++-
 apps/login/src/lib/zitadel.ts                 | 51 ++++++----
 8 files changed, 171 insertions(+), 94 deletions(-)

diff --git a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
index c01adcf346..a31aed4bb3 100644
--- a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
@@ -10,6 +10,7 @@ import {
   addHuman,
   addIDPLink,
   getBrandingSettings,
+  getDefaultOrg,
   getIDPByID,
   getLoginSettings,
   getOrgsByDomain,
@@ -19,6 +20,7 @@ import {
 import { ConnectError, create } from "@zitadel/client";
 import { AutoLinkingOption } from "@zitadel/proto/zitadel/idp/v2/idp_pb";
 import { OrganizationSchema } from "@zitadel/proto/zitadel/object/v2/object_pb";
+import { Organization } from "@zitadel/proto/zitadel/org/v2/org_pb";
 import {
   AddHumanUserRequest,
   AddHumanUserRequestSchema,
@@ -28,6 +30,41 @@ import { headers } from "next/headers";
 
 const ORG_SUFFIX_REGEX = /(?<=@)(.+)/;
 
+async function resolveOrganizationForUser({
+  organization,
+  addHumanUser,
+  serviceUrl,
+}: {
+  organization?: string;
+  addHumanUser?: { username?: string };
+  serviceUrl: string;
+}): Promise<string | undefined> {
+  if (organization) return organization;
+
+  if (addHumanUser?.username && ORG_SUFFIX_REGEX.test(addHumanUser.username)) {
+    const matched = ORG_SUFFIX_REGEX.exec(addHumanUser.username);
+    const suffix = matched?.[1] ?? "";
+
+    const orgs = await getOrgsByDomain({
+      serviceUrl,
+      domain: suffix,
+    });
+    const orgToCheckForDiscovery =
+      orgs.result && orgs.result.length === 1 ? orgs.result[0].id : undefined;
+
+    if (orgToCheckForDiscovery) {
+      const orgLoginSettings = await getLoginSettings({
+        serviceUrl,
+        organization: orgToCheckForDiscovery,
+      });
+      if (orgLoginSettings?.allowDomainDiscovery) {
+        return orgToCheckForDiscovery;
+      }
+    }
+  }
+  return undefined;
+}
+
 export default async function Page(props: {
   searchParams: Promise<Record<string | number | symbol, string | undefined>>;
   params: Promise<{ provider: string }>;
@@ -36,7 +73,7 @@ export default async function Page(props: {
   const searchParams = await props.searchParams;
   const locale = getLocale();
   const t = await getTranslations({ locale, namespace: "idp" });
-  const { id, token, requestId, organization, link } = searchParams;
+  let { id, token, requestId, organization, link } = searchParams;
   const { provider } = params;
 
   const _headers = await headers();
@@ -47,6 +84,15 @@ export default async function Page(props: {
     organization,
   });
 
+  if (!organization) {
+    const org: Organization | null = await getDefaultOrg({
+      serviceUrl,
+    });
+    if (org) {
+      organization = org.id;
+    }
+  }
+
   if (!provider || !id || !token) {
     return loginFailed(branding, "IDP context missing");
   }
@@ -180,32 +226,11 @@ export default async function Page(props: {
   let newUser;
   // automatic creation of a user is allowed and data is complete
   if (options?.isAutoCreation && addHumanUser) {
-    let orgToRegisterOn: string | undefined = organization;
-
-    if (
-      !orgToRegisterOn &&
-      addHumanUser?.username && // username or email?
-      ORG_SUFFIX_REGEX.test(addHumanUser.username)
-    ) {
-      const matched = ORG_SUFFIX_REGEX.exec(addHumanUser.username);
-      const suffix = matched?.[1] ?? "";
-
-      // this just returns orgs where the suffix is set as primary domain
-      const orgs = await getOrgsByDomain({
-        serviceUrl,
-        domain: suffix,
-      });
-      const orgToCheckForDiscovery =
-        orgs.result && orgs.result.length === 1 ? orgs.result[0].id : undefined;
-
-      const orgLoginSettings = await getLoginSettings({
-        serviceUrl,
-        organization: orgToCheckForDiscovery,
-      });
-      if (orgLoginSettings?.allowDomainDiscovery) {
-        orgToRegisterOn = orgToCheckForDiscovery;
-      }
-    }
+    const orgToRegisterOn = await resolveOrganizationForUser({
+      organization,
+      addHumanUser,
+      serviceUrl,
+    });
 
     let addHumanUserWithOrganization: AddHumanUserRequest;
     if (orgToRegisterOn) {
@@ -244,14 +269,25 @@ export default async function Page(props: {
     }
   } else if (options?.isCreationAllowed) {
     // if no user was found, we will create a new user manually / redirect to the registration page
+    const orgToRegisterOn = await resolveOrganizationForUser({
+      organization,
+      addHumanUser,
+      serviceUrl,
+    });
+
+    if (!orgToRegisterOn) {
+      return loginFailed(branding, "No organization found for registration");
+    }
 
     return completeIDP({
       branding,
       idpIntent: { idpIntentId: id, idpIntentToken: token },
-      idpInformation,
-      organization,
+      addHumanUser,
+      organization: orgToRegisterOn,
       requestId,
-      userId,
+      idpUserId: idpInformation?.userId,
+      idpId: idpInformation?.idpId,
+      idpUserName: idpInformation?.userName,
     });
   }
 
diff --git a/apps/login/src/app/(login)/register/page.tsx b/apps/login/src/app/(login)/register/page.tsx
index 550a214102..3a61dbae7c 100644
--- a/apps/login/src/app/(login)/register/page.tsx
+++ b/apps/login/src/app/(login)/register/page.tsx
@@ -1,3 +1,4 @@
+import { Alert } from "@/components/alert";
 import { DynamicTheme } from "@/components/dynamic-theme";
 import { RegisterForm } from "@/components/register-form";
 import { SignInWithIdp } from "@/components/sign-in-with-idp";
@@ -9,7 +10,6 @@ import {
   getLegalAndSupportSettings,
   getLoginSettings,
   getPasswordComplexitySettings,
-  retrieveIDPIntent,
 } from "@/lib/zitadel";
 import { Organization } from "@zitadel/proto/zitadel/org/v2/org_pb";
 import { getLocale, getTranslations } from "next-intl/server";
@@ -21,16 +21,9 @@ export default async function Page(props: {
   const searchParams = await props.searchParams;
   const locale = getLocale();
   const t = await getTranslations({ locale, namespace: "register" });
+  const tError = await getTranslations({ locale, namespace: "error" });
 
-  let {
-    firstname,
-    lastname,
-    email,
-    organization,
-    requestId,
-    idpIntentId,
-    idpIntentToken,
-  } = searchParams;
+  let { firstname, lastname, email, organization, requestId } = searchParams;
 
   const _headers = await headers();
   const { serviceUrl } = getServiceUrlFromHeaders(_headers);
@@ -44,17 +37,6 @@ export default async function Page(props: {
     }
   }
 
-  let idpIntent;
-  if (idpIntentId && idpIntentToken) {
-    idpIntent = await retrieveIDPIntent({
-      serviceUrl,
-      id: idpIntentId,
-      token: idpIntentToken,
-    });
-
-    const { idpInformation, userId } = idpIntent;
-  }
-
   const legal = await getLegalAndSupportSettings({
     serviceUrl,
     organization,
@@ -100,7 +82,9 @@ export default async function Page(props: {
         <h1>{t("title")}</h1>
         <p className="ztdl-p">{t("description")}</p>
 
-        {legal && passwordComplexitySettings && (
+        {!organization && <Alert>{tError("unknownContext")}</Alert>}
+
+        {legal && passwordComplexitySettings && organization && (
           <RegisterForm
             idpCount={
               !loginSettings?.allowExternalIdp ? 0 : identityProviders.length
diff --git a/apps/login/src/components/idps/pages/complete-idp.tsx b/apps/login/src/components/idps/pages/complete-idp.tsx
index dbc20fbd06..e1ed5e7401 100644
--- a/apps/login/src/components/idps/pages/complete-idp.tsx
+++ b/apps/login/src/components/idps/pages/complete-idp.tsx
@@ -1,21 +1,25 @@
 import { RegisterFormIDPIncomplete } from "@/components/register-form-idp-incomplete";
 import { BrandingSettings } from "@zitadel/proto/zitadel/settings/v2/branding_settings_pb";
-import { IDPInformation } from "@zitadel/proto/zitadel/user/v2/idp_pb";
+import { AddHumanUserRequest } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
 import { getLocale, getTranslations } from "next-intl/server";
 import { DynamicTheme } from "../../dynamic-theme";
 
 export async function completeIDP({
-  userId,
-  idpInformation,
+  idpUserId,
+  idpId,
+  idpUserName,
+  addHumanUser,
   requestId,
   organization,
   branding,
   idpIntent,
 }: {
-  userId: string;
-  idpInformation: IDPInformation;
+  idpUserId: string;
+  idpId: string;
+  idpUserName: string;
+  addHumanUser?: AddHumanUserRequest;
   requestId?: string;
-  organization?: string;
+  organization: string;
   branding?: BrandingSettings;
   idpIntent: {
     idpIntentId: string;
@@ -32,8 +36,14 @@ export async function completeIDP({
         <p className="ztdl-p">{t("completeRegister.description")}</p>
 
         <RegisterFormIDPIncomplete
-          userId={userId}
-          idpInformation={idpInformation}
+          idpUserId={idpUserId}
+          idpId={idpId}
+          idpUserName={idpUserName}
+          defaultValues={{
+            email: addHumanUser?.email?.email || "",
+            firstname: addHumanUser?.profile?.givenName || "",
+            lastname: addHumanUser?.profile?.familyName || "",
+          }}
           requestId={requestId}
           organization={organization}
           idpIntent={idpIntent}
diff --git a/apps/login/src/components/register-form-idp-incomplete.tsx b/apps/login/src/components/register-form-idp-incomplete.tsx
index 943aa63df3..6194b34052 100644
--- a/apps/login/src/components/register-form-idp-incomplete.tsx
+++ b/apps/login/src/components/register-form-idp-incomplete.tsx
@@ -1,7 +1,6 @@
 "use client";
 
 import { registerUserAndLinkToIDP } from "@/lib/server/register";
-import { IDPInformation } from "@zitadel/proto/zitadel/user/v2/idp_pb";
 import { useTranslations } from "next-intl";
 import { useRouter } from "next/navigation";
 import { useState } from "react";
@@ -21,31 +20,39 @@ type Inputs =
   | FieldValues;
 
 type Props = {
-  organization?: string;
+  organization: string;
   requestId?: string;
   idpIntent: {
     idpIntentId: string;
     idpIntentToken: string;
   };
-  idpInformation: IDPInformation;
-  userId: string;
+  defaultValues?: {
+    firstname?: string;
+    lastname?: string;
+    email?: string;
+  };
+  idpUserId: string;
+  idpId: string;
+  idpUserName: string;
 };
 
 export function RegisterFormIDPIncomplete({
   organization,
   requestId,
   idpIntent,
-  idpInformation,
-  userId,
+  defaultValues,
+  idpUserId,
+  idpId,
+  idpUserName,
 }: Props) {
   const t = useTranslations("register");
 
   const { register, handleSubmit, formState } = useForm<Inputs>({
     mode: "onBlur",
     defaultValues: {
-      email: idpInformation?.rawInformation?.email ?? "",
-      firstName: idpInformation?.rawInformation?.firstname ?? "",
-      lastname: idpInformation?.rawInformation?.lastname ?? "",
+      email: defaultValues?.email ?? "",
+      firstname: defaultValues?.firstname ?? "",
+      lastname: defaultValues?.lastname ?? "",
     },
   });
 
@@ -57,7 +64,9 @@ export function RegisterFormIDPIncomplete({
   async function submitAndRegister(values: Inputs) {
     setLoading(true);
     const response = await registerUserAndLinkToIDP({
-      userId: userId,
+      idpId: idpId,
+      idpUserName: idpUserName,
+      idpUserId: idpUserId,
       email: values.email,
       firstName: values.firstname,
       lastName: values.lastname,
diff --git a/apps/login/src/components/register-form.tsx b/apps/login/src/components/register-form.tsx
index 6701fdf215..1999bc7251 100644
--- a/apps/login/src/components/register-form.tsx
+++ b/apps/login/src/components/register-form.tsx
@@ -35,7 +35,7 @@ type Props = {
   firstname?: string;
   lastname?: string;
   email?: string;
-  organization?: string;
+  organization: string;
   requestId?: string;
   loginSettings?: LoginSettings;
   idpCount: number;
diff --git a/apps/login/src/lib/server/invite.ts b/apps/login/src/lib/server/invite.ts
index c0fc63fef5..40225d9916 100644
--- a/apps/login/src/lib/server/invite.ts
+++ b/apps/login/src/lib/server/invite.ts
@@ -10,7 +10,7 @@ type InviteUserCommand = {
   firstName: string;
   lastName: string;
   password?: string;
-  organization?: string;
+  organization: string;
   requestId?: string;
 };
 
diff --git a/apps/login/src/lib/server/register.ts b/apps/login/src/lib/server/register.ts
index b08099817d..c753a745b8 100644
--- a/apps/login/src/lib/server/register.ts
+++ b/apps/login/src/lib/server/register.ts
@@ -4,7 +4,12 @@ import {
   createSessionAndUpdateCookie,
   createSessionForIdpAndUpdateCookie,
 } from "@/lib/server/cookie";
-import { addHumanUser, getLoginSettings, getUserByID } from "@/lib/zitadel";
+import {
+  addHumanUser,
+  addIDPLink,
+  getLoginSettings,
+  getUserByID,
+} from "@/lib/zitadel";
 import { create } from "@zitadel/client";
 import { Factors } from "@zitadel/proto/zitadel/session/v2/session_pb";
 import {
@@ -21,7 +26,7 @@ type RegisterUserCommand = {
   firstName: string;
   lastName: string;
   password?: string;
-  organization?: string;
+  organization: string;
   requestId?: string;
 };
 
@@ -141,13 +146,15 @@ type RegisterUserAndLinkToIDPommand = {
   email: string;
   firstName: string;
   lastName: string;
-  organization?: string;
+  organization: string;
   requestId?: string;
   idpIntent: {
     idpIntentId: string;
     idpIntentToken: string;
   };
-  userId: string;
+  idpUserId: string;
+  idpId: string;
+  idpUserName: string;
 };
 
 export type registerUserAndLinkToIDPResponse = {
@@ -185,9 +192,23 @@ export async function registerUserAndLinkToIDP(
 
   // TODO: addIDPLink to addResponse
 
+  const idpLink = await addIDPLink({
+    serviceUrl,
+    idp: {
+      id: command.idpId,
+      userId: command.idpUserId,
+      userName: command.idpUserName,
+    },
+    userId: addResponse.userId,
+  });
+
+  if (!idpLink) {
+    return { error: "Could not link IDP to user" };
+  }
+
   const session = await createSessionForIdpAndUpdateCookie({
     requestId: command.requestId,
-    userId: command.userId,
+    userId: addResponse.userId, // the user we just created
     idpIntent: command.idpIntent,
     lifetime: loginSettings?.externalLoginCheckLifetime,
   });
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index c53d622d7d..d5045df041 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -1,7 +1,10 @@
 import { Client, create, Duration } from "@zitadel/client";
 import { makeReqCtx } from "@zitadel/client/v2";
 import { IdentityProviderService } from "@zitadel/proto/zitadel/idp/v2/idp_service_pb";
-import { TextQueryMethod } from "@zitadel/proto/zitadel/object/v2/object_pb";
+import {
+  OrganizationSchema,
+  TextQueryMethod,
+} from "@zitadel/proto/zitadel/object/v2/object_pb";
 import {
   CreateCallbackRequest,
   OIDCService,
@@ -32,6 +35,7 @@ import {
 import { SendInviteCodeSchema } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import {
   AddHumanUserRequest,
+  AddHumanUserRequestSchema,
   ResendEmailCodeRequest,
   ResendEmailCodeRequestSchema,
   SendEmailCodeRequestSchema,
@@ -388,7 +392,7 @@ export type AddHumanUserData = {
   lastName: string;
   email: string;
   password?: string;
-  organization: string | undefined;
+  organization: string;
 };
 
 export async function addHumanUser({
@@ -404,23 +408,36 @@ export async function addHumanUser({
     serviceUrl,
   );
 
-  return userService.addHumanUser({
-    email: {
-      email,
-      verification: {
-        case: "isVerified",
-        value: false,
+  let addHumanUserRequest: AddHumanUserRequest = create(
+    AddHumanUserRequestSchema,
+    {
+      email: {
+        email,
+        verification: {
+          case: "isVerified",
+          value: false,
+        },
       },
+      username: email,
+      profile: { givenName: firstName, familyName: lastName },
+      passwordType: password
+        ? { case: "password", value: { password } }
+        : undefined,
     },
-    username: email,
-    profile: { givenName: firstName, familyName: lastName },
-    organization: organization
-      ? { org: { case: "orgId", value: organization } }
-      : undefined,
-    passwordType: password
-      ? { case: "password", value: { password } }
-      : undefined,
-  });
+  );
+
+  if (organization) {
+    const organizationSchema = create(OrganizationSchema, {
+      org: { case: "orgId", value: organization },
+    });
+
+    addHumanUserRequest = {
+      ...addHumanUserRequest,
+      organization: organizationSchema,
+    };
+  }
+
+  return userService.addHumanUser(addHumanUserRequest);
 }
 
 export async function addHuman({

From 75d2186490369b58cf736209d788481439688955 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 11 Jun 2025 13:40:06 +0200
Subject: [PATCH 07/13] cleanup

---
 apps/login/src/lib/server/register.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/apps/login/src/lib/server/register.ts b/apps/login/src/lib/server/register.ts
index c753a745b8..f84b4c8d51 100644
--- a/apps/login/src/lib/server/register.ts
+++ b/apps/login/src/lib/server/register.ts
@@ -190,8 +190,6 @@ export async function registerUserAndLinkToIDP(
     organization: command.organization,
   });
 
-  // TODO: addIDPLink to addResponse
-
   const idpLink = await addIDPLink({
     serviceUrl,
     idp: {

From 4e6ff833d8b935a17e8dcda3be535064935b97be Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 11 Jun 2025 14:02:13 +0200
Subject: [PATCH 08/13] check for loginsettings

---
 apps/login/src/app/(login)/loginname/page.tsx |  2 +-
 apps/login/src/app/(login)/register/page.tsx  | 33 +++++++++++--------
 apps/login/src/components/register-form.tsx   | 10 +++---
 3 files changed, 26 insertions(+), 19 deletions(-)

diff --git a/apps/login/src/app/(login)/loginname/page.tsx b/apps/login/src/app/(login)/loginname/page.tsx
index 79372729c4..adb6ec0eef 100644
--- a/apps/login/src/app/(login)/loginname/page.tsx
+++ b/apps/login/src/app/(login)/loginname/page.tsx
@@ -75,7 +75,7 @@ export default async function Page(props: {
           submit={submit}
           allowRegister={!!loginSettings?.allowRegister}
         >
-          {identityProviders && (
+          {identityProviders && loginSettings?.allowExternalIdp && (
             <SignInWithIdp
               identityProviders={identityProviders}
               requestId={requestId}
diff --git a/apps/login/src/app/(login)/register/page.tsx b/apps/login/src/app/(login)/register/page.tsx
index 3a61dbae7c..be872b4dc7 100644
--- a/apps/login/src/app/(login)/register/page.tsx
+++ b/apps/login/src/app/(login)/register/page.tsx
@@ -12,6 +12,7 @@ import {
   getPasswordComplexitySettings,
 } from "@/lib/zitadel";
 import { Organization } from "@zitadel/proto/zitadel/org/v2/org_pb";
+import { PasskeysType } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
 import { getLocale, getTranslations } from "next-intl/server";
 import { headers } from "next/headers";
 
@@ -84,20 +85,24 @@ export default async function Page(props: {
 
         {!organization && <Alert>{tError("unknownContext")}</Alert>}
 
-        {legal && passwordComplexitySettings && organization && (
-          <RegisterForm
-            idpCount={
-              !loginSettings?.allowExternalIdp ? 0 : identityProviders.length
-            }
-            legal={legal}
-            organization={organization}
-            firstname={firstname}
-            lastname={lastname}
-            email={email}
-            requestId={requestId}
-            loginSettings={loginSettings}
-          ></RegisterForm>
-        )}
+        {legal &&
+          passwordComplexitySettings &&
+          organization &&
+          (loginSettings.allowUsernamePassword ||
+            loginSettings.passkeysType == PasskeysType.ALLOWED) && (
+            <RegisterForm
+              idpCount={
+                !loginSettings?.allowExternalIdp ? 0 : identityProviders.length
+              }
+              legal={legal}
+              organization={organization}
+              firstname={firstname}
+              lastname={lastname}
+              email={email}
+              requestId={requestId}
+              loginSettings={loginSettings}
+            ></RegisterForm>
+          )}
 
         {loginSettings?.allowExternalIdp && !!identityProviders.length && (
           <>
diff --git a/apps/login/src/components/register-form.tsx b/apps/login/src/components/register-form.tsx
index 1999bc7251..c581131c8c 100644
--- a/apps/login/src/components/register-form.tsx
+++ b/apps/login/src/components/register-form.tsx
@@ -185,10 +185,12 @@ export function RegisterForm({
           </>
         )}
 
-      {(!loginSettings?.allowUsernamePassword ||
-        loginSettings?.passkeysType != PasskeysType.ALLOWED) &&
-        !idpCount && (
-          <Alert type={AlertType.INFO}>{t("noMethodAvailableWarning")}</Alert>
+      {!loginSettings?.allowUsernamePassword &&
+        loginSettings?.passkeysType != PasskeysType.ALLOWED &&
+        (!loginSettings?.allowExternalIdp || !idpCount) && (
+          <div className="py-4">
+            <Alert type={AlertType.INFO}>{t("noMethodAvailableWarning")}</Alert>
+          </div>
         )}
 
       {error && (

From 5e69ed382061f5bb8de14311e427787ca346dc88 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 11 Jun 2025 14:04:02 +0200
Subject: [PATCH 09/13] cleanup invite form

---
 apps/login/src/components/invite-form.tsx | 143 ----------------------
 1 file changed, 143 deletions(-)
 delete mode 100644 apps/login/src/components/invite-form.tsx

diff --git a/apps/login/src/components/invite-form.tsx b/apps/login/src/components/invite-form.tsx
deleted file mode 100644
index 35c0bec028..0000000000
--- a/apps/login/src/components/invite-form.tsx
+++ /dev/null
@@ -1,143 +0,0 @@
-"use client";
-
-import { inviteUser } from "@/lib/server/invite";
-import { useTranslations } from "next-intl";
-import { useRouter } from "next/navigation";
-import { useState } from "react";
-import { FieldValues, useForm } from "react-hook-form";
-import { Alert } from "./alert";
-import { BackButton } from "./back-button";
-import { Button, ButtonVariants } from "./button";
-import { TextInput } from "./input";
-import { Spinner } from "./spinner";
-
-type Inputs =
-  | {
-      firstname: string;
-      lastname: string;
-      email: string;
-    }
-  | FieldValues;
-
-type Props = {
-  firstname?: string;
-  lastname?: string;
-  email?: string;
-  organization?: string;
-};
-
-export function InviteForm({
-  email,
-  firstname,
-  lastname,
-  organization,
-}: Props) {
-  const t = useTranslations("register");
-
-  const { register, handleSubmit, formState } = useForm<Inputs>({
-    mode: "onBlur",
-    defaultValues: {
-      email: email ?? "",
-      firstName: firstname ?? "",
-      lastname: lastname ?? "",
-    },
-  });
-
-  const [loading, setLoading] = useState<boolean>(false);
-  const [error, setError] = useState<string>("");
-
-  const router = useRouter();
-
-  async function submitAndContinue(values: Inputs) {
-    setLoading(true);
-    const response = await inviteUser({
-      email: values.email,
-      firstName: values.firstname,
-      lastName: values.lastname,
-      organization: organization,
-    })
-      .catch(() => {
-        setError("Could not create invitation Code");
-        return;
-      })
-      .finally(() => {
-        setLoading(false);
-      });
-
-    if (response && typeof response === "object" && "error" in response) {
-      setError(response.error);
-      return;
-    }
-
-    if (!response) {
-      setError("Could not create invitation Code");
-      return;
-    }
-
-    const params = new URLSearchParams({});
-
-    if (response) {
-      params.append("userId", response);
-    }
-
-    return router.push(`/invite/success?` + params);
-  }
-
-  const { errors } = formState;
-
-  return (
-    <form className="w-full">
-      <div className="grid grid-cols-2 gap-4 mb-4">
-        <div className="col-span-2">
-          <TextInput
-            type="email"
-            autoComplete="email"
-            required
-            {...register("email", { required: "This field is required" })}
-            label="E-mail"
-            error={errors.email?.message as string}
-          />
-        </div>
-        <div className="">
-          <TextInput
-            type="firstname"
-            autoComplete="firstname"
-            required
-            {...register("firstname", { required: "This field is required" })}
-            label="First name"
-            error={errors.firstname?.message as string}
-          />
-        </div>
-        <div className="">
-          <TextInput
-            type="lastname"
-            autoComplete="lastname"
-            required
-            {...register("lastname", { required: "This field is required" })}
-            label="Last name"
-            error={errors.lastname?.message as string}
-          />
-        </div>
-      </div>
-
-      {error && (
-        <div className="py-4">
-          <Alert>{error}</Alert>
-        </div>
-      )}
-
-      <div className="mt-8 flex w-full flex-row items-center justify-between">
-        <BackButton />
-        <Button
-          type="submit"
-          variant={ButtonVariants.Primary}
-          disabled={loading || !formState.isValid}
-          onClick={handleSubmit(submitAndContinue)}
-        >
-          {loading && <Spinner className="h-5 w-5 mr-2" />}
-          {t("submit")}
-        </Button>
-      </div>
-    </form>
-  );
-}

From 41170310dc17bd1402c0c3f6bc7e06eaef2eca13 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 11 Jun 2025 14:04:40 +0200
Subject: [PATCH 10/13] cleanup invite server code

---
 apps/login/src/lib/server/invite.ts | 58 -----------------------------
 1 file changed, 58 deletions(-)
 delete mode 100644 apps/login/src/lib/server/invite.ts

diff --git a/apps/login/src/lib/server/invite.ts b/apps/login/src/lib/server/invite.ts
deleted file mode 100644
index 40225d9916..0000000000
--- a/apps/login/src/lib/server/invite.ts
+++ /dev/null
@@ -1,58 +0,0 @@
-"use server";
-
-import { addHumanUser, createInviteCode } from "@/lib/zitadel";
-import { Factors } from "@zitadel/proto/zitadel/session/v2/session_pb";
-import { headers } from "next/headers";
-import { getServiceUrlFromHeaders } from "../service-url";
-
-type InviteUserCommand = {
-  email: string;
-  firstName: string;
-  lastName: string;
-  password?: string;
-  organization: string;
-  requestId?: string;
-};
-
-export type RegisterUserResponse = {
-  userId: string;
-  sessionId: string;
-  factors: Factors | undefined;
-};
-
-export async function inviteUser(command: InviteUserCommand) {
-  const _headers = await headers();
-  const { serviceUrl } = getServiceUrlFromHeaders(_headers);
-  const host = _headers.get("host");
-
-  if (!host) {
-    return { error: "Could not get domain" };
-  }
-
-  const human = await addHumanUser({
-    serviceUrl,
-    email: command.email,
-    firstName: command.firstName,
-    lastName: command.lastName,
-    password: command.password ? command.password : undefined,
-    organization: command.organization,
-  });
-
-  if (!human) {
-    return { error: "Could not create user" };
-  }
-
-  const basePath = process.env.NEXT_PUBLIC_BASE_PATH ?? "";
-
-  const codeResponse = await createInviteCode({
-    serviceUrl,
-    urlTemplate: `${host.includes("localhost") ? "http://" : "https://"}${host}${basePath}/verify?code={{.Code}}&userId={{.UserID}}&organization={{.OrgID}}&invite=true`,
-    userId: human.userId,
-  });
-
-  if (!codeResponse || !human) {
-    return { error: "Could not create invite code" };
-  }
-
-  return human.userId;
-}

From 3e777662e6d1955ca5e80a8121fab41247f43d6d Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 11 Jun 2025 14:09:56 +0200
Subject: [PATCH 11/13] require organization

---
 apps/login/src/app/(login)/register/password/page.tsx    | 4 ++--
 apps/login/src/components/set-register-password-form.tsx | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/login/src/app/(login)/register/password/page.tsx b/apps/login/src/app/(login)/register/password/page.tsx
index ee6fa03e59..d6a24fa47f 100644
--- a/apps/login/src/app/(login)/register/password/page.tsx
+++ b/apps/login/src/app/(login)/register/password/page.tsx
@@ -33,7 +33,7 @@ export default async function Page(props: {
     }
   }
 
-  const missingData = !firstname || !lastname || !email;
+  const missingData = !firstname || !lastname || !email || !organization;
 
   const legal = await getLegalAndSupportSettings({
     serviceUrl,
@@ -73,7 +73,7 @@ export default async function Page(props: {
             email={email}
             firstname={firstname}
             lastname={lastname}
-            organization={organization}
+            organization={organization as string} // organization is guaranteed to be a string here otherwise we would have returned earlier
             requestId={requestId}
           ></SetRegisterPasswordForm>
         )}
diff --git a/apps/login/src/components/set-register-password-form.tsx b/apps/login/src/components/set-register-password-form.tsx
index 3f38a408d0..3e48c649c1 100644
--- a/apps/login/src/components/set-register-password-form.tsx
+++ b/apps/login/src/components/set-register-password-form.tsx
@@ -31,7 +31,7 @@ type Props = {
   email: string;
   firstname: string;
   lastname: string;
-  organization?: string;
+  organization: string;
   requestId?: string;
 };
 

From 756bf7ec2623b8b41a7a4c88e268f59068ba0c39 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 18 Jun 2025 10:22:49 +0200
Subject: [PATCH 12/13] fix: update human on login

---
 .../(login)/idp/[provider]/success/page.tsx   | 43 +++++++++++++------
 apps/login/src/lib/zitadel.ts                 | 16 +++++++
 2 files changed, 47 insertions(+), 12 deletions(-)

diff --git a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
index a31aed4bb3..0822c6576b 100644
--- a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
@@ -16,6 +16,7 @@ import {
   getOrgsByDomain,
   listUsers,
   retrieveIDPIntent,
+  updateHuman,
 } from "@/lib/zitadel";
 import { ConnectError, create } from "@zitadel/client";
 import { AutoLinkingOption } from "@zitadel/proto/zitadel/idp/v2/idp_pb";
@@ -24,6 +25,7 @@ import { Organization } from "@zitadel/proto/zitadel/org/v2/org_pb";
 import {
   AddHumanUserRequest,
   AddHumanUserRequestSchema,
+  UpdateHumanUserRequestSchema,
 } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
 import { getLocale, getTranslations } from "next-intl/server";
 import { headers } from "next/headers";
@@ -106,18 +108,6 @@ export default async function Page(props: {
   const { idpInformation, userId } = intent;
   let { addHumanUser } = intent;
 
-  // sign in user. If user should be linked continue
-  if (userId && !link) {
-    // TODO: update user if idp.options.isAutoUpdate is true
-
-    return loginSuccess(
-      userId,
-      { idpIntentId: id, idpIntentToken: token },
-      requestId,
-      branding,
-    );
-  }
-
   if (!idpInformation) {
     return loginFailed(branding, "IDP information missing");
   }
@@ -126,12 +116,41 @@ export default async function Page(props: {
     serviceUrl,
     id: idpInformation.idpId,
   });
+
   const options = idp?.config?.options;
 
   if (!idp) {
     throw new Error("IDP not found");
   }
 
+  // sign in user. If user should be linked continue
+  if (userId && !link) {
+    // if auto update is enabled, we will update the user with the new information
+    if (options?.isAutoUpdate && addHumanUser) {
+      try {
+        await updateHuman({
+          serviceUrl,
+          request: create(UpdateHumanUserRequestSchema, {
+            userId: userId,
+            profile: addHumanUser.profile,
+            email: addHumanUser.email,
+            phone: addHumanUser.phone,
+          }),
+        });
+      } catch (error: unknown) {
+        // Log the error and continue with the login process
+        console.warn("An error occurred while updating the user:", error);
+      }
+    }
+
+    return loginSuccess(
+      userId,
+      { idpIntentId: id, idpIntentToken: token },
+      requestId,
+      branding,
+    );
+  }
+
   if (link) {
     if (!options?.isLinkingAllowed) {
       // linking was probably disallowed since the invitation was created
diff --git a/apps/login/src/lib/zitadel.ts b/apps/login/src/lib/zitadel.ts
index d5045df041..8cc4efe0bc 100644
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -41,6 +41,7 @@ import {
   SendEmailCodeRequestSchema,
   SetPasswordRequest,
   SetPasswordRequestSchema,
+  UpdateHumanUserRequest,
   UserService,
   VerifyPasskeyRegistrationRequest,
   VerifyU2FRegistrationRequest,
@@ -455,6 +456,21 @@ export async function addHuman({
   return userService.addHumanUser(request);
 }
 
+export async function updateHuman({
+  serviceUrl,
+  request,
+}: {
+  serviceUrl: string;
+  request: UpdateHumanUserRequest;
+}) {
+  const userService: Client<typeof UserService> = await createServiceForHost(
+    UserService,
+    serviceUrl,
+  );
+
+  return userService.updateHumanUser(request);
+}
+
 export async function verifyTOTPRegistration({
   serviceUrl,
   code,

From 85cc98f68aca4d7313f9e647f58e6aa2e1d7e228 Mon Sep 17 00:00:00 2001
From: Max Peintner <peintnerm@gmail.com>
Date: Wed, 18 Jun 2025 14:23:48 +0200
Subject: [PATCH 13/13] fix: scoped branding for complete page

---
 .../src/app/(login)/idp/[provider]/success/page.tsx      | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
index 0822c6576b..bfbde8b252 100644
--- a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
@@ -81,7 +81,7 @@ export default async function Page(props: {
   const _headers = await headers();
   const { serviceUrl } = getServiceUrlFromHeaders(_headers);
 
-  const branding = await getBrandingSettings({
+  let branding = await getBrandingSettings({
     serviceUrl,
     organization,
   });
@@ -294,6 +294,13 @@ export default async function Page(props: {
       serviceUrl,
     });
 
+    if (orgToRegisterOn) {
+      branding = await getBrandingSettings({
+        serviceUrl,
+        organization: orgToRegisterOn,
+      });
+    }
+
     if (!orgToRegisterOn) {
       return loginFailed(branding, "No organization found for registration");
     }