feat: Identity brokering (#730)

* feat: add/ remove external idps * feat: external idp add /remove * fix: auth proto * fix: handle login * feat: loginpolicy on authrequest * feat: idp providers on login * feat: link external idp * fix: check login policy on check username * feat: add mapping fields for idp config * feat: use user org id if existing * feat: use user org id if existing * feat: register external user * feat: register external user * feat: user linking * feat: user linking * feat: design external login * feat: design external login * fix: tests * fix: regenerate login design * feat: next step test linking process * feat: next step test linking process * feat: cascade remove external idps on user * fix: tests * fix: tests * feat: external idp requsts on users * fix: generate protos * feat: login styles * feat: login styles * fix: link user * fix: register user on specifig org * fix: user linking * fix: register external, linking auto * fix: remove unnecessary request from proto * fix: tests * fix: new oidc package * fix: migration version * fix: policy permissions * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/static/i18n/en.yaml Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * Update internal/ui/login/handler/renderer.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * Update internal/ui/login/handler/link_users_handler.go Co-authored-by: Livio Amstutz <livio.a@gmail.com> * fix: pr requests * fix: pr requests * fix: pr requests * fix: login name size * fix: profile image light * fix: colors * fix: pr requests * fix: remove redirect uri validator * fix: remove redirect uri validator Co-authored-by: Livio Amstutz <livio.a@gmail.com>
2025-08-12 05:07:31 +00:00 · 2020-09-18 13:26:28 +02:00
parent 1d542a0c57
commit 320ddfa46d
141 changed files with 30057 additions and 12535 deletions
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request.go
@@ -2,6 +2,12 @@ package eventstore

 import (
 	"context"
+	"github.com/caos/zitadel/internal/api/authz"
+	"github.com/caos/zitadel/internal/eventstore/sdk"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_es_model "github.com/caos/zitadel/internal/iam/repository/view/model"
+	org_event "github.com/caos/zitadel/internal/org/repository/eventsourcing"
+	policy_event "github.com/caos/zitadel/internal/policy/repository/eventsourcing"
 	"time"

 	"github.com/caos/logging"
@@ -11,6 +17,7 @@ import (
 	cache "github.com/caos/zitadel/internal/auth_request/repository"
 	"github.com/caos/zitadel/internal/errors"
 	es_models "github.com/caos/zitadel/internal/eventstore/models"
+	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"
 	"github.com/caos/zitadel/internal/id"
 	org_model "github.com/caos/zitadel/internal/org/model"
 	org_view_model "github.com/caos/zitadel/internal/org/repository/view/model"
@@ -22,6 +29,8 @@ import (

 type AuthRequestRepo struct {
 	UserEvents   *user_event.UserEventstore
+	OrgEvents    *org_event.OrgEventstore
+	PolicyEvents *policy_event.PolicyEventstore
 	AuthRequests cache.AuthRequestCache
 	View         *view.View

@@ -29,6 +38,8 @@ type AuthRequestRepo struct {
 	UserViewProvider        userViewProvider
 	UserEventProvider       userEventProvider
 	OrgViewProvider         orgViewProvider
+	LoginPolicyViewProvider loginPolicyViewProvider
+	IDPProviderViewProvider idpProviderViewProvider

 	IdGenerator id.Generator

@@ -36,6 +47,8 @@ type AuthRequestRepo struct {
 	MfaInitSkippedLifeTime   time.Duration
 	MfaSoftwareCheckLifeTime time.Duration
 	MfaHardwareCheckLifeTime time.Duration
+
+	IAMID string
 }

 type userSessionViewProvider interface {
@@ -46,8 +59,17 @@ type userViewProvider interface {
 	UserByID(string) (*user_view_model.UserView, error)
 }

+type loginPolicyViewProvider interface {
+	LoginPolicyByAggregateID(string) (*iam_view_model.LoginPolicyView, error)
+}
+
+type idpProviderViewProvider interface {
+	IDPProvidersByAggregateID(string) ([]*iam_view_model.IDPProviderView, error)
+}
+
 type userEventProvider interface {
 	UserEventsByID(ctx context.Context, id string, sequence uint64) ([]*es_models.Event, error)
+	BulkAddExternalIDPs(ctx context.Context, userID string, externalIDPs []*user_model.ExternalIDP) error
 }

 type orgViewProvider interface {
@@ -73,7 +95,7 @@ func (repo *AuthRequestRepo) CreateAuthRequest(ctx context.Context, request *mod
 	}
 	request.Audience = ids
 	if request.LoginHint != "" {
-		err = repo.checkLoginName(request, request.LoginHint)
+		err = repo.checkLoginName(ctx, request, request.LoginHint)
 		logging.LogWithFields("EVENT-aG311", "login name", request.LoginHint, "id", request.ID, "applicationID", request.ApplicationID).Debug("login hint invalid")
 	}
 	err = repo.AuthRequests.SaveAuthRequest(ctx, request)
@@ -122,13 +144,45 @@ func (repo *AuthRequestRepo) CheckLoginName(ctx context.Context, id, loginName,
 	if err != nil {
 		return err
 	}
-	err = repo.checkLoginName(request, loginName)
+	err = repo.checkLoginName(ctx, request, loginName)
 	if err != nil {
 		return err
 	}
 	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
 }

+func (repo *AuthRequestRepo) SelectExternalIDP(ctx context.Context, authReqID, idpConfigID, userAgentID string) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	err = repo.checkSelectedExternalIDP(request, idpConfigID)
+	if err != nil {
+		return err
+	}
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
+func (repo *AuthRequestRepo) CheckExternalUserLogin(ctx context.Context, authReqID, userAgentID string, externalUser *model.ExternalUser) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	err = repo.checkExternalUserLogin(request, externalUser.IDPConfigID, externalUser.ExternalUserID)
+	if errors.IsNotFound(err) {
+		return repo.setLinkingUser(ctx, request, externalUser)
+	}
+	if err != nil {
+		return err
+	}
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
+func (repo *AuthRequestRepo) setLinkingUser(ctx context.Context, request *model.AuthRequest, externalUser *model.ExternalUser) error {
+	request.LinkingUsers = append(request.LinkingUsers, externalUser)
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
 func (repo *AuthRequestRepo) SelectUser(ctx context.Context, id, userID, userAgentID string) error {
 	request, err := repo.getAuthRequest(ctx, id, userAgentID)
 	if err != nil {
@@ -164,6 +218,59 @@ func (repo *AuthRequestRepo) VerifyMfaOTP(ctx context.Context, authRequestID, us
 	return repo.UserEvents.CheckMfaOTP(ctx, userID, code, request.WithCurrentInfo(info))
 }

+func (repo *AuthRequestRepo) LinkExternalUsers(ctx context.Context, authReqID, userAgentID string) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	err = linkExternalIDPs(ctx, repo.UserEventProvider, request)
+	if err != nil {
+		return err
+	}
+	request.LinkingUsers = nil
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
+func (repo *AuthRequestRepo) AutoRegisterExternalUser(ctx context.Context, registerUser *user_model.User, externalIDP *user_model.ExternalIDP, orgMember *org_model.OrgMember, authReqID, userAgentID, resourceOwner string) error {
+	request, err := repo.getAuthRequest(ctx, authReqID, userAgentID)
+	if err != nil {
+		return err
+	}
+	policyResourceOwner := authz.GetCtxData(ctx).OrgID
+	if resourceOwner != "" {
+		policyResourceOwner = resourceOwner
+	}
+	pwPolicy, err := repo.PolicyEvents.GetPasswordComplexityPolicy(ctx, policyResourceOwner)
+	if err != nil {
+		return err
+	}
+	orgPolicy, err := repo.OrgEvents.GetOrgIAMPolicy(ctx, policyResourceOwner)
+	if err != nil {
+		return err
+	}
+	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, externalIDP, pwPolicy, orgPolicy, resourceOwner)
+	if err != nil {
+		return err
+	}
+	if orgMember != nil {
+		orgMember.UserID = user.AggregateID
+		_, memberAggregate, err := repo.OrgEvents.PrepareAddOrgMember(ctx, orgMember, policyResourceOwner)
+		if err != nil {
+			return err
+		}
+		aggregates = append(aggregates, memberAggregate)
+	}
+
+	err = sdk.PushAggregates(ctx, repo.UserEvents.PushAggregates, user.AppendEvents, aggregates...)
+	if err != nil {
+		return err
+	}
+	request.UserID = user.AggregateID
+	request.SelectedIDPConfigID = externalIDP.IDPConfigID
+	request.LinkingUsers = nil
+	return repo.AuthRequests.UpdateAuthRequest(ctx, request)
+}
+
 func (repo *AuthRequestRepo) getAuthRequestNextSteps(ctx context.Context, id, userAgentID string, checkLoggedIn bool) (*model.AuthRequest, error) {
 	request, err := repo.getAuthRequest(ctx, id, userAgentID)
 	if err != nil {
@@ -185,18 +292,114 @@ func (repo *AuthRequestRepo) getAuthRequest(ctx context.Context, id, userAgentID
 	if request.AgentID != userAgentID {
 		return nil, errors.ThrowPermissionDenied(nil, "EVENT-adk13", "Errors.AuthRequest.UserAgentNotCorresponding")
 	}
+	err = repo.fillLoginPolicy(ctx, request)
+	if err != nil {
+		return nil, err
+	}
 	return request, nil
 }

-func (repo *AuthRequestRepo) checkLoginName(request *model.AuthRequest, loginName string) error {
-	user, err := repo.View.UserByLoginName(loginName)
+func (repo *AuthRequestRepo) getLoginPolicyAndIDPProviders(ctx context.Context, orgID string) (*iam_model.LoginPolicyView, []*iam_model.IDPProviderView, error) {
+	policy, err := repo.getLoginPolicy(ctx, orgID)
+	if err != nil {
+		return nil, nil, err
+	}
+	if !policy.AllowExternalIDP {
+		return policy, nil, nil
+	}
+	idpProviders, err := getLoginPolicyIDPProviders(repo.IDPProviderViewProvider, repo.IAMID, orgID, policy.Default)
+	if err != nil {
+		return nil, nil, err
+	}
+	return policy, idpProviders, nil
+}
+
+func (repo *AuthRequestRepo) fillLoginPolicy(ctx context.Context, request *model.AuthRequest) error {
+	orgID := request.UserOrgID
+	if orgID == "" {
+		orgID = request.GetScopeOrgID()
+	}
+	if orgID == "" {
+		orgID = repo.IAMID
+	}
+
+	policy, idpProviders, err := repo.getLoginPolicyAndIDPProviders(ctx, orgID)
 	if err != nil {
 		return err
 	}
+	request.LoginPolicy = policy
+	if idpProviders != nil {
+		request.AllowedExternalIDPs = idpProviders
+	}
+	return nil
+}
+
+func (repo *AuthRequestRepo) checkLoginName(ctx context.Context, request *model.AuthRequest, loginName string) (err error) {
+	orgID := request.GetScopeOrgID()
+	user := new(user_view_model.UserView)
+	if orgID != "" {
+		user, err = repo.View.UserByLoginNameAndResourceOwner(loginName, orgID)
+	} else {
+		user, err = repo.View.UserByLoginName(loginName)
+		if err == nil {
+			err = repo.checkLoginPolicyWithResourceOwner(ctx, request, user)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	if err != nil {
+		return err
+	}
+
 	request.SetUserInfo(user.ID, loginName, "", user.ResourceOwner)
 	return nil
 }

+func (repo AuthRequestRepo) checkLoginPolicyWithResourceOwner(ctx context.Context, request *model.AuthRequest, user *user_view_model.UserView) error {
+	loginPolicy, idpProviders, err := repo.getLoginPolicyAndIDPProviders(ctx, user.ResourceOwner)
+	if err != nil {
+		return err
+	}
+	if len(request.LinkingUsers) != 0 && !loginPolicy.AllowExternalIDP {
+		return errors.ThrowInvalidArgument(nil, "LOGIN-s9sio", "Errors.User.NotAllowedToLink")
+	}
+	if len(request.LinkingUsers) != 0 {
+		exists := linkingIDPConfigExistingInAllowedIDPs(request.LinkingUsers, idpProviders)
+		if !exists {
+			return errors.ThrowInvalidArgument(nil, "LOGIN-Dj89o", "Errors.User.NotAllowedToLink")
+		}
+	}
+	request.LoginPolicy = loginPolicy
+	request.AllowedExternalIDPs = idpProviders
+	return nil
+}
+
+func (repo *AuthRequestRepo) checkSelectedExternalIDP(request *model.AuthRequest, idpConfigID string) error {
+	for _, externalIDP := range request.AllowedExternalIDPs {
+		if externalIDP.IDPConfigID == idpConfigID {
+			request.SelectedIDPConfigID = idpConfigID
+			return nil
+		}
+	}
+	return errors.ThrowNotFound(nil, "LOGIN-Nsm8r", "Errors.User.ExternalIDP.NotAllowed")
+}
+
+func (repo *AuthRequestRepo) checkExternalUserLogin(request *model.AuthRequest, idpConfigID, externalUserID string) (err error) {
+	orgID := request.GetScopeOrgID()
+	externalIDP := new(user_view_model.ExternalIDPView)
+	if orgID != "" {
+		externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigIDAndResourceOwner(externalUserID, idpConfigID, orgID)
+	} else {
+		externalIDP, err = repo.View.ExternalIDPByExternalUserIDAndIDPConfigID(externalUserID, idpConfigID)
+	}
+	if err != nil {
+		return err
+	}
+	request.SetUserInfo(externalIDP.UserID, "", "", externalIDP.ResourceOwner)
+	return nil
+}
+
 func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthRequest, checkLoggedIn bool) ([]model.NextStep, error) {
 	if request == nil {
 		return nil, errors.ThrowInvalidArgument(nil, "EVENT-ds27a", "Errors.Internal")
@@ -206,7 +409,11 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
 		return append(steps, &model.RedirectToCallbackStep{}), nil
 	}
 	if request.UserID == "" {
-		steps = append(steps, &model.LoginStep{})
+		if request.LinkingUsers != nil && len(request.LinkingUsers) > 0 {
+			steps = append(steps, new(model.ExternalNotFoundOptionStep))
+			return steps, nil
+		}
+		steps = append(steps, new(model.LoginStep))
 		if request.Prompt == model.PromptSelectAccount || request.Prompt == model.PromptUnspecified {
 			users, err := repo.usersForUserSelection(request)
 			if err != nil {
@@ -222,23 +429,26 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
 	if err != nil {
 		return nil, err
 	}
+	request.LoginName = user.PreferredLoginName
 	userSession, err := userSessionByIDs(ctx, repo.UserSessionViewProvider, repo.UserEventProvider, request.AgentID, user)
 	if err != nil {
 		return nil, err
 	}

-	if user.InitRequired {
-		return append(steps, &model.InitUserStep{PasswordSet: user.PasswordSet}), nil
-	}
-	if !user.PasswordSet {
-		return append(steps, &model.InitPasswordStep{}), nil
-	}
+	if request.SelectedIDPConfigID == "" {
+		if user.InitRequired {
+			return append(steps, &model.InitUserStep{PasswordSet: user.PasswordSet}), nil
+		}
+		if !user.PasswordSet {
+			return append(steps, &model.InitPasswordStep{}), nil
+		}

-	if !checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
-		return append(steps, &model.PasswordStep{}), nil
+		if !checkVerificationTime(userSession.PasswordVerification, repo.PasswordCheckLifeTime) {
+			return append(steps, &model.PasswordStep{}), nil
+		}
+		request.PasswordVerified = true
+		request.AuthTime = userSession.PasswordVerification
 	}
-	request.PasswordVerified = true
-	request.AuthTime = userSession.PasswordVerification

 	if step, ok := repo.mfaChecked(userSession, request, user); !ok {
 		return append(steps, step), nil
@@ -258,6 +468,10 @@ func (repo *AuthRequestRepo) nextSteps(ctx context.Context, request *model.AuthR
 		return steps, nil
 	}

+	if request.LinkingUsers != nil && len(request.LinkingUsers) != 0 {
+		return append(steps, &model.LinkUsersStep{}), nil
+
+	}
 	//PLANNED: consent step
 	return append(steps, &model.RedirectToCallbackStep{}), nil
 }
@@ -322,6 +536,36 @@ func (repo *AuthRequestRepo) mfaSkippedOrSetUp(user *user_model.UserView) bool {
 	return checkVerificationTime(user.MfaInitSkipped, repo.MfaInitSkippedLifeTime)
 }

+func (repo *AuthRequestRepo) getLoginPolicy(ctx context.Context, orgID string) (*iam_model.LoginPolicyView, error) {
+	policy, err := repo.View.LoginPolicyByAggregateID(orgID)
+	if errors.IsNotFound(err) {
+		policy, err = repo.View.LoginPolicyByAggregateID(repo.IAMID)
+		if err != nil {
+			return nil, err
+		}
+		policy.Default = true
+	}
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.LoginPolicyViewToModel(policy), err
+}
+
+func getLoginPolicyIDPProviders(provider idpProviderViewProvider, iamID, orgID string, defaultPolicy bool) ([]*iam_model.IDPProviderView, error) {
+	if defaultPolicy {
+		idpProviders, err := provider.IDPProvidersByAggregateID(iamID)
+		if err != nil {
+			return nil, err
+		}
+		return iam_es_model.IDPProviderViewsToModel(idpProviders), nil
+	}
+	idpProviders, err := provider.IDPProvidersByAggregateID(orgID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_es_model.IDPProviderViewsToModel(idpProviders), nil
+}
+
 func checkVerificationTime(verificationTime time.Time, lifetime time.Duration) bool {
 	return verificationTime.Add(lifetime).After(time.Now().UTC())
 }
@@ -422,3 +666,37 @@ func userByID(ctx context.Context, viewProvider userViewProvider, eventProvider
 	}
 	return user_view_model.UserToModel(&userCopy), nil
 }
+
+func linkExternalIDPs(ctx context.Context, userEventProvider userEventProvider, request *model.AuthRequest) error {
+	externalIDPs := make([]*user_model.ExternalIDP, len(request.LinkingUsers))
+	for i, linkingUser := range request.LinkingUsers {
+		externalIDP := &user_model.ExternalIDP{
+			ObjectRoot:  es_models.ObjectRoot{AggregateID: request.UserID},
+			IDPConfigID: linkingUser.IDPConfigID,
+			UserID:      linkingUser.ExternalUserID,
+			DisplayName: linkingUser.DisplayName,
+		}
+		externalIDPs[i] = externalIDP
+	}
+	data := authz.CtxData{
+		UserID: "LOGIN",
+		OrgID:  request.UserOrgID,
+	}
+	return userEventProvider.BulkAddExternalIDPs(authz.SetCtxData(ctx, data), request.UserID, externalIDPs)
+}
+
+func linkingIDPConfigExistingInAllowedIDPs(linkingUsers []*model.ExternalUser, idpProviders []*iam_model.IDPProviderView) bool {
+	for _, linkingUser := range linkingUsers {
+		exists := false
+		for _, idp := range idpProviders {
+			if idp.IDPConfigID == linkingUser.IDPConfigID {
+				exists = true
+				continue
+			}
+		}
+		if !exists {
+			return false
+		}
+	}
+	return true
+}
--- a/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
+++ b/internal/auth/repository/eventsourcing/eventstore/auth_request_test.go
@@ -88,12 +88,20 @@ func (m *mockEventUser) UserEventsByID(ctx context.Context, id string, sequence
 	return events, nil
 }

+func (m *mockEventUser) BulkAddExternalIDPs(ctx context.Context, userID string, externalIDPs []*user_model.ExternalIDP) error {
+	return nil
+}
+
 type mockEventErrUser struct{}

 func (m *mockEventErrUser) UserEventsByID(ctx context.Context, id string, sequence uint64) ([]*es_models.Event, error) {
 	return nil, errors.ThrowInternal(nil, "id", "internal error")
 }

+func (m *mockEventErrUser) BulkAddExternalIDPs(ctx context.Context, userID string, externalIDPs []*user_model.ExternalIDP) error {
+	return errors.ThrowInternal(nil, "id", "internal error")
+}
+
 type mockViewUser struct {
 	InitRequired           bool
 	PasswordSet            bool
@@ -185,6 +193,15 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]model.NextStep{&model.LoginStep{}},
 			nil,
 		},
+		{
+			"user not set no active session, linking users, external user not found option",
+			fields{
+				userSessionViewProvider: &mockViewNoUserSession{},
+			},
+			args{&model.AuthRequest{LinkingUsers: []*model.ExternalUser{{IDPConfigID: "IDPConfigID", ExternalUserID: "ExternalUserID"}}}, false},
+			[]model.NextStep{&model.ExternalNotFoundOptionStep{}},
+			nil,
+		},
 		{
 			"user not set, prompt select account and internal error, internal error",
 			fields{
@@ -363,6 +380,24 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]model.NextStep{&model.InitPasswordStep{}},
 			nil,
 		},
+		{
+			"external user (no password set), callback",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					MfaSoftwareVerification: time.Now().UTC().Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					IsEmailVerified: true,
+					MfaMaxSetUp:     int32(model.MfaLevelSoftware),
+				},
+				userEventProvider:        &mockEventUser{},
+				orgViewProvider:          &mockViewOrg{State: org_model.OrgStateActive},
+				MfaSoftwareCheckLifeTime: 18 * time.Hour,
+			},
+			args{&model.AuthRequest{UserID: "UserID", SelectedIDPConfigID: "IDPConfigID"}, false},
+			[]model.NextStep{&model.RedirectToCallbackStep{}},
+			nil,
+		},
 		{
 			"password not verified, password check step",
 			fields{
@@ -378,6 +413,25 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]model.NextStep{&model.PasswordStep{}},
 			nil,
 		},
+		{
+			"external user (no password check needed), callback",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					MfaSoftwareVerification: time.Now().UTC().Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					PasswordSet:     true,
+					IsEmailVerified: true,
+					MfaMaxSetUp:     int32(model.MfaLevelSoftware),
+				},
+				userEventProvider:        &mockEventUser{},
+				orgViewProvider:          &mockViewOrg{State: org_model.OrgStateActive},
+				MfaSoftwareCheckLifeTime: 18 * time.Hour,
+			},
+			args{&model.AuthRequest{UserID: "UserID", SelectedIDPConfigID: "IDPConfigID"}, false},
+			[]model.NextStep{&model.RedirectToCallbackStep{}},
+			nil,
+		},
 		{
 			"mfa not verified, mfa check step",
 			fields{
@@ -400,6 +454,28 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			}},
 			nil,
 		},
+		{
+			"external user, mfa not verified, mfa check step",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					PasswordVerification: time.Now().UTC().Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					PasswordSet: true,
+					OTPState:    int32(user_model.MfaStateReady),
+					MfaMaxSetUp: int32(model.MfaLevelSoftware),
+				},
+				userEventProvider:        &mockEventUser{},
+				orgViewProvider:          &mockViewOrg{State: org_model.OrgStateActive},
+				PasswordCheckLifeTime:    10 * 24 * time.Hour,
+				MfaSoftwareCheckLifeTime: 18 * time.Hour,
+			},
+			args{&model.AuthRequest{UserID: "UserID", SelectedIDPConfigID: "IDPConfigID"}, false},
+			[]model.NextStep{&model.MfaVerificationStep{
+				MfaProviders: []model.MfaType{model.MfaTypeOTP},
+			}},
+			nil,
+		},
 		{
 			"password change required and email verified, password change step",
 			fields{
@@ -505,6 +581,30 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
 			[]model.NextStep{&model.RedirectToCallbackStep{}},
 			nil,
 		},
+		{
+			"linking users, link users step",
+			fields{
+				userSessionViewProvider: &mockViewUserSession{
+					MfaSoftwareVerification: time.Now().UTC().Add(-5 * time.Minute),
+				},
+				userViewProvider: &mockViewUser{
+					PasswordSet:     true,
+					IsEmailVerified: true,
+					MfaMaxSetUp:     int32(model.MfaLevelSoftware),
+				},
+				userEventProvider:        &mockEventUser{},
+				orgViewProvider:          &mockViewOrg{State: org_model.OrgStateActive},
+				MfaSoftwareCheckLifeTime: 18 * time.Hour,
+			},
+			args{
+				&model.AuthRequest{
+					UserID:              "UserID",
+					SelectedIDPConfigID: "IDPConfigID",
+					LinkingUsers:        []*model.ExternalUser{{IDPConfigID: "IDPConfigID", ExternalUserID: "UserID", DisplayName: "DisplayName"}},
+				}, false},
+			[]model.NextStep{&model.LinkUsersStep{}},
+			nil,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/internal/auth/repository/eventsourcing/eventstore/org.go
+++ b/internal/auth/repository/eventsourcing/eventstore/org.go
@@ -2,8 +2,9 @@ package eventstore

 import (
 	"context"
-
 	"github.com/caos/logging"
+	iam_model "github.com/caos/zitadel/internal/iam/model"
+	iam_view_model "github.com/caos/zitadel/internal/iam/repository/view/model"

 	auth_model "github.com/caos/zitadel/internal/auth/model"
 	auth_view "github.com/caos/zitadel/internal/auth/repository/eventsourcing/view"
@@ -41,7 +42,7 @@ func (repo *OrgRepository) SearchOrgs(ctx context.Context, request *org_model.Or
 	result := &org_model.OrgSearchResult{
 		Offset:      request.Offset,
 		Limit:       request.Limit,
-		TotalResult: uint64(count),
+		TotalResult: count,
 		Result:      model.OrgsToModel(members),
 	}
 	if err == nil {
@@ -71,7 +72,7 @@ func (repo *OrgRepository) RegisterOrg(ctx context.Context, register *auth_model
 	if err != nil {
 		return nil, err
 	}
-	user, userAggregates, err := repo.UserEventstore.PrepareRegisterUser(ctx, register.User, pwPolicy, orgPolicy, org.AggregateID)
+	user, userAggregates, err := repo.UserEventstore.PrepareRegisterUser(ctx, register.User, nil, pwPolicy, orgPolicy, org.AggregateID)
 	if err != nil {
 		return nil, err
 	}
@@ -94,6 +95,18 @@ func (repo *OrgRepository) RegisterOrg(ctx context.Context, register *auth_model
 	return RegisterToModel(registerModel), nil
 }

-func (repo *OrgRepository) GetOrgIamPolicy(ctx context.Context, orgID string) (*org_model.OrgIAMPolicy, error) {
-	return repo.OrgEventstore.GetOrgIAMPolicy(ctx, policy_model.DefaultPolicy)
+func (repo *OrgRepository) GetDefaultOrgIamPolicy(ctx context.Context) *org_model.OrgIAMPolicy {
+	return repo.OrgEventstore.GetDefaultOrgIAMPolicy(ctx)
+}
+
+func (repo *OrgRepository) GetOrgIamPolicy(ctx context.Context, orgID string) (*org_model.OrgIAMPolicy, error) {
+	return repo.OrgEventstore.GetOrgIAMPolicy(ctx, orgID)
+}
+
+func (repo *OrgRepository) GetIDPConfigByID(ctx context.Context, idpConfigID string) (*iam_model.IDPConfigView, error) {
+	idpConfig, err := repo.View.IDPConfigByID(idpConfigID)
+	if err != nil {
+		return nil, err
+	}
+	return iam_view_model.IDPConfigViewToModel(idpConfig), nil
 }
--- a/internal/auth/repository/eventsourcing/eventstore/user.go
+++ b/internal/auth/repository/eventsourcing/eventstore/user.go
@@ -21,6 +21,7 @@ import (
 )

 type UserRepo struct {
+	SearchLimit  uint64
 	Eventstore   eventstore.Eventstore
 	UserEvents   *user_event.UserEventstore
 	OrgEvents    *org_event.OrgEventstore
@@ -32,7 +33,15 @@ func (repo *UserRepo) Health(ctx context.Context) error {
 	return repo.UserEvents.Health(ctx)
 }

-func (repo *UserRepo) Register(ctx context.Context, registerUser *model.User, orgMember *org_model.OrgMember, resourceOwner string) (*model.User, error) {
+func (repo *UserRepo) Register(ctx context.Context, user *model.User, orgMember *org_model.OrgMember, resourceOwner string) (*model.User, error) {
+	return repo.registerUser(ctx, user, nil, orgMember, resourceOwner)
+}
+
+func (repo *UserRepo) RegisterExternalUser(ctx context.Context, user *model.User, externalIDP *model.ExternalIDP, orgMember *org_model.OrgMember, resourceOwner string) (*model.User, error) {
+	return repo.registerUser(ctx, user, externalIDP, orgMember, resourceOwner)
+}
+
+func (repo *UserRepo) registerUser(ctx context.Context, registerUser *model.User, externalIDP *model.ExternalIDP, orgMember *org_model.OrgMember, resourceOwner string) (*model.User, error) {
 	policyResourceOwner := authz.GetCtxData(ctx).OrgID
 	if resourceOwner != "" {
 		policyResourceOwner = resourceOwner
@@ -45,7 +54,7 @@ func (repo *UserRepo) Register(ctx context.Context, registerUser *model.User, or
 	if err != nil {
 		return nil, err
 	}
-	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, pwPolicy, orgPolicy, resourceOwner)
+	user, aggregates, err := repo.UserEvents.PrepareRegisterUser(ctx, registerUser, externalIDP, pwPolicy, orgPolicy, resourceOwner)
 	if err != nil {
 		return nil, err
 	}
@@ -87,6 +96,42 @@ func (repo *UserRepo) ChangeMyProfile(ctx context.Context, profile *model.Profil
 	return repo.UserEvents.ChangeProfile(ctx, profile)
 }

+func (repo *UserRepo) SearchMyExternalIDPs(ctx context.Context, request *model.ExternalIDPSearchRequest) (*model.ExternalIDPSearchResponse, error) {
+	request.EnsureLimit(repo.SearchLimit)
+	sequence, seqErr := repo.View.GetLatestExternalIDPSequence()
+	logging.Log("EVENT-5Jsi8").OnError(seqErr).Warn("could not read latest user sequence")
+	request.AppendUserQuery(authz.GetCtxData(ctx).UserID)
+	externalIDPS, count, err := repo.View.SearchExternalIDPs(request)
+	if err != nil {
+		return nil, err
+	}
+	result := &model.ExternalIDPSearchResponse{
+		Offset:      request.Offset,
+		Limit:       request.Limit,
+		TotalResult: count,
+		Result:      usr_view_model.ExternalIDPViewsToModel(externalIDPS),
+	}
+	if seqErr == nil {
+		result.Sequence = sequence.CurrentSequence
+		result.Timestamp = sequence.CurrentTimestamp
+	}
+	return result, nil
+}
+
+func (repo *UserRepo) AddMyExternalIDP(ctx context.Context, externalIDP *model.ExternalIDP) (*model.ExternalIDP, error) {
+	if err := checkIDs(ctx, externalIDP.ObjectRoot); err != nil {
+		return nil, err
+	}
+	return repo.UserEvents.AddExternalIDP(ctx, externalIDP)
+}
+
+func (repo *UserRepo) RemoveMyExternalIDP(ctx context.Context, externalIDP *model.ExternalIDP) error {
+	if err := checkIDs(ctx, externalIDP.ObjectRoot); err != nil {
+		return err
+	}
+	return repo.UserEvents.RemoveExternalIDP(ctx, externalIDP)
+}
+
 func (repo *UserRepo) MyEmail(ctx context.Context) (*model.Email, error) {
 	user, err := repo.UserByID(ctx, authz.GetCtxData(ctx).UserID)
 	if err != nil {