feat: specify login UI version on instance and apps (#9071)

# Which Problems Are Solved

To be able to migrate or test the new login UI, admins might want to
(temporarily) switch individual apps.
At a later point admin might want to make sure all applications use the
new login UI.

# How the Problems Are Solved

- Added a feature flag `` on instance level to require all apps to use
the new login and provide an optional base url.
- if the flag is enabled, all (OIDC) applications will automatically use
the v2 login.
  - if disabled, applications can decide based on their configuration
- Added an option on OIDC apps to use the new login UI and an optional
base url.
- Removed the requirement to use `x-zitadel-login-client` to be
redirected to the login V2 and retrieve created authrequest and link
them to SSO sessions.
- Added a new "IAM_LOGIN_CLIENT" role to allow management of users,
sessions, grants and more without `x-zitadel-login-client`.

# Additional Changes

None

# Additional Context

closes https://github.com/zitadel/zitadel/issues/8702

internal/api/grpc/admin/import.go

@@ -644,7 +644,15 @@ func importOIDCApps(ctx context.Context, s *Server, errors *[]*admin_pb.ImportDa
 	}
 	for _, app := range org.GetOidcApps() {
 		logging.Debugf("import oidcapplication: %s", app.GetAppId())
-		_, err := s.command.AddOIDCApplicationWithID(ctx, management.AddOIDCAppRequestToDomain(app.App), org.GetOrgId(), app.GetAppId())
+		oidcApp, err := management.AddOIDCAppRequestToDomain(app.App)
+		if err != nil {
+			*errors = append(*errors, &admin_pb.ImportDataError{Type: "oidc_app", Id: app.GetAppId(), Message: err.Error()})
+			if isCtxTimeout(ctx) {
+				return err
+			}
+			continue
+		}
+		_, err = s.command.AddOIDCApplicationWithID(ctx, oidcApp, org.GetOrgId(), app.GetAppId())
 		if err != nil {
 			*errors = append(*errors, &admin_pb.ImportDataError{Type: "oidc_app", Id: app.GetAppId(), Message: err.Error()})
 			if isCtxTimeout(ctx) {

internal/api/grpc/admin/integration_test/iam_member_test.go

@@ -25,6 +25,7 @@ var iamRoles = []string{
 	"IAM_USER_MANAGER",
 	"IAM_ADMIN_IMPERSONATOR",
 	"IAM_END_USER_IMPERSONATOR",
+	"IAM_LOGIN_CLIENT",
 }
 
 func TestServer_ListIAMMemberRoles(t *testing.T) {

internal/api/grpc/feature/v2/converter.go

@@ -1,6 +1,10 @@
 package feature
 
 import (
+	"net/url"
+
+	"github.com/muhlemmer/gu"
+
 	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/feature"
@@ -8,7 +12,11 @@ import (
 	feature_pb "github.com/zitadel/zitadel/pkg/grpc/feature/v2"
 )
 
-func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) *command.SystemFeatures {
+func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) (*command.SystemFeatures, error) {
+	loginV2, err := loginV2ToDomain(req.GetLoginV2())
+	if err != nil {
+		return nil, err
+	}
 	return &command.SystemFeatures{
 		LoginDefaultOrg:                 req.LoginDefaultOrg,
 		TriggerIntrospectionProjections: req.OidcTriggerIntrospectionProjections,
@@ -20,7 +28,8 @@ func systemFeaturesToCommand(req *feature_pb.SetSystemFeaturesRequest) *command.
 		OIDCSingleV1SessionTermination:  req.OidcSingleV1SessionTermination,
 		DisableUserTokenEvent:           req.DisableUserTokenEvent,
 		EnableBackChannelLogout:         req.EnableBackChannelLogout,
-	}
+		LoginV2:                         loginV2,
+	}, nil
 }
 
 func systemFeaturesToPb(f *query.SystemFeatures) *feature_pb.GetSystemFeaturesResponse {
@@ -36,10 +45,15 @@ func systemFeaturesToPb(f *query.SystemFeatures) *feature_pb.GetSystemFeaturesRe
 		OidcSingleV1SessionTermination:      featureSourceToFlagPb(&f.OIDCSingleV1SessionTermination),
 		DisableUserTokenEvent:               featureSourceToFlagPb(&f.DisableUserTokenEvent),
 		EnableBackChannelLogout:             featureSourceToFlagPb(&f.EnableBackChannelLogout),
+		LoginV2:                             loginV2ToLoginV2FlagPb(f.LoginV2),
 	}
 }
 
-func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) *command.InstanceFeatures {
+func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) (*command.InstanceFeatures, error) {
+	loginV2, err := loginV2ToDomain(req.GetLoginV2())
+	if err != nil {
+		return nil, err
+	}
 	return &command.InstanceFeatures{
 		LoginDefaultOrg:                 req.LoginDefaultOrg,
 		TriggerIntrospectionProjections: req.OidcTriggerIntrospectionProjections,
@@ -53,7 +67,8 @@ func instanceFeaturesToCommand(req *feature_pb.SetInstanceFeaturesRequest) *comm
 		OIDCSingleV1SessionTermination:  req.OidcSingleV1SessionTermination,
 		DisableUserTokenEvent:           req.DisableUserTokenEvent,
 		EnableBackChannelLogout:         req.EnableBackChannelLogout,
-	}
+		LoginV2:                         loginV2,
+	}, nil
 }
 
 func instanceFeaturesToPb(f *query.InstanceFeatures) *feature_pb.GetInstanceFeaturesResponse {
@@ -71,6 +86,7 @@ func instanceFeaturesToPb(f *query.InstanceFeatures) *feature_pb.GetInstanceFeat
 		OidcSingleV1SessionTermination:      featureSourceToFlagPb(&f.OIDCSingleV1SessionTermination),
 		DisableUserTokenEvent:               featureSourceToFlagPb(&f.DisableUserTokenEvent),
 		EnableBackChannelLogout:             featureSourceToFlagPb(&f.EnableBackChannelLogout),
+		LoginV2:                             loginV2ToLoginV2FlagPb(f.LoginV2),
 	}
 }
 
@@ -81,6 +97,39 @@ func featureSourceToImprovedPerformanceFlagPb(fs *query.FeatureSource[[]feature.
 	}
 }
 
+func loginV2ToDomain(loginV2 *feature_pb.LoginV2) (_ *feature.LoginV2, err error) {
+	if loginV2 == nil {
+		return nil, nil
+	}
+	var baseURI *url.URL
+	if loginV2.GetBaseUri() != "" {
+		baseURI, err = url.Parse(loginV2.GetBaseUri())
+		if err != nil {
+			return nil, err
+		}
+	}
+	return &feature.LoginV2{
+		Required: loginV2.GetRequired(),
+		BaseURI:  baseURI,
+	}, nil
+}
+
+func loginV2ToLoginV2FlagPb(f query.FeatureSource[*feature.LoginV2]) *feature_pb.LoginV2FeatureFlag {
+	var required bool
+	var baseURI *string
+	if f.Value != nil {
+		required = f.Value.Required
+		if f.Value.BaseURI != nil && f.Value.BaseURI.String() != "" {
+			baseURI = gu.Ptr(f.Value.BaseURI.String())
+		}
+	}
+	return &feature_pb.LoginV2FeatureFlag{
+		Required: required,
+		BaseUri:  baseURI,
+		Source:   featureLevelToSourcePb(f.Level),
+	}
+}
+
 func featureSourceToFlagPb(fs *query.FeatureSource[bool]) *feature_pb.FeatureFlag {
 	return &feature_pb.FeatureFlag{
 		Enabled: fs.Value,

internal/api/grpc/feature/v2/converter_test.go

@@ -1,6 +1,7 @@
 package feature
 
 import (
+	"net/url"
 	"testing"
 	"time"
 
@@ -26,6 +27,10 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		OidcTokenExchange:                   gu.Ptr(true),
 		ImprovedPerformance:                 nil,
 		OidcSingleV1SessionTermination:      gu.Ptr(true),
+		LoginV2: &feature_pb.LoginV2{
+			Required: true,
+			BaseUri:  gu.Ptr("https://login.com"),
+		},
 	}
 	want := &command.SystemFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -36,9 +41,14 @@ func Test_systemFeaturesToCommand(t *testing.T) {
 		TokenExchange:                   gu.Ptr(true),
 		ImprovedPerformance:             nil,
 		OIDCSingleV1SessionTermination:  gu.Ptr(true),
+		LoginV2: &feature.LoginV2{
+			Required: true,
+			BaseURI:  &url.URL{Scheme: "https", Host: "login.com"},
+		},
 	}
-	got := systemFeaturesToCommand(arg)
+	got, err := systemFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
+	assert.NoError(t, err)
 }
 
 func Test_systemFeaturesToPb(t *testing.T) {
@@ -84,6 +94,13 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			Level: feature.LevelSystem,
 			Value: true,
 		},
+		LoginV2: query.FeatureSource[*feature.LoginV2]{
+			Level: feature.LevelSystem,
+			Value: &feature.LoginV2{
+				Required: true,
+				BaseURI:  &url.URL{Scheme: "https", Host: "login.com"},
+			},
+		},
 	}
 	want := &feature_pb.GetSystemFeaturesResponse{
 		Details: &object.Details{
@@ -131,6 +148,11 @@ func Test_systemFeaturesToPb(t *testing.T) {
 			Enabled: true,
 			Source:  feature_pb.Source_SOURCE_SYSTEM,
 		},
+		LoginV2: &feature_pb.LoginV2FeatureFlag{
+			Required: true,
+			BaseUri:  gu.Ptr("https://login.com"),
+			Source:   feature_pb.Source_SOURCE_SYSTEM,
+		},
 	}
 	got := systemFeaturesToPb(arg)
 	assert.Equal(t, want, got)
@@ -149,6 +171,10 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		DebugOidcParentError:                gu.Ptr(true),
 		OidcSingleV1SessionTermination:      gu.Ptr(true),
 		EnableBackChannelLogout:             gu.Ptr(true),
+		LoginV2: &feature_pb.LoginV2{
+			Required: true,
+			BaseUri:  gu.Ptr("https://login.com"),
+		},
 	}
 	want := &command.InstanceFeatures{
 		LoginDefaultOrg:                 gu.Ptr(true),
@@ -162,9 +188,14 @@ func Test_instanceFeaturesToCommand(t *testing.T) {
 		DebugOIDCParentError:            gu.Ptr(true),
 		OIDCSingleV1SessionTermination:  gu.Ptr(true),
 		EnableBackChannelLogout:         gu.Ptr(true),
+		LoginV2: &feature.LoginV2{
+			Required: true,
+			BaseURI:  &url.URL{Scheme: "https", Host: "login.com"},
+		},
 	}
-	got := instanceFeaturesToCommand(arg)
+	got, err := instanceFeaturesToCommand(arg)
 	assert.Equal(t, want, got)
+	assert.NoError(t, err)
 }
 
 func Test_instanceFeaturesToPb(t *testing.T) {
@@ -214,6 +245,13 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Level: feature.LevelInstance,
 			Value: true,
 		},
+		LoginV2: query.FeatureSource[*feature.LoginV2]{
+			Level: feature.LevelInstance,
+			Value: &feature.LoginV2{
+				Required: true,
+				BaseURI:  &url.URL{Scheme: "https", Host: "login.com"},
+			},
+		},
 	}
 	want := &feature_pb.GetInstanceFeaturesResponse{
 		Details: &object.Details{
@@ -269,6 +307,11 @@ func Test_instanceFeaturesToPb(t *testing.T) {
 			Enabled: true,
 			Source:  feature_pb.Source_SOURCE_INSTANCE,
 		},
+		LoginV2: &feature_pb.LoginV2FeatureFlag{
+			Required: true,
+			BaseUri:  gu.Ptr("https://login.com"),
+			Source:   feature_pb.Source_SOURCE_INSTANCE,
+		},
 	}
 	got := instanceFeaturesToPb(arg)
 	assert.Equal(t, want, got)

internal/api/grpc/feature/v2/feature.go

@@ -11,7 +11,11 @@ import (
 )
 
 func (s *Server) SetSystemFeatures(ctx context.Context, req *feature.SetSystemFeaturesRequest) (_ *feature.SetSystemFeaturesResponse, err error) {
-	details, err := s.command.SetSystemFeatures(ctx, systemFeaturesToCommand(req))
+	features, err := systemFeaturesToCommand(req)
+	if err != nil {
+		return nil, err
+	}
+	details, err := s.command.SetSystemFeatures(ctx, features)
 	if err != nil {
 		return nil, err
 	}
@@ -39,7 +43,11 @@ func (s *Server) GetSystemFeatures(ctx context.Context, req *feature.GetSystemFe
 }
 
 func (s *Server) SetInstanceFeatures(ctx context.Context, req *feature.SetInstanceFeaturesRequest) (_ *feature.SetInstanceFeaturesResponse, err error) {
-	details, err := s.command.SetInstanceFeatures(ctx, instanceFeaturesToCommand(req))
+	features, err := instanceFeaturesToCommand(req)
+	if err != nil {
+		return nil, err
+	}
+	details, err := s.command.SetInstanceFeatures(ctx, features)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/idp/v2/integration_test/server_test.go

@@ -27,7 +27,7 @@ func TestMain(m *testing.M) {
 
 		Instance = integration.NewInstance(ctx)
 
-		UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
+		UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
 		IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
 		CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
 		Client = Instance.Client.IDPv2

internal/api/grpc/management/project_application.go

@@ -80,7 +80,11 @@ func (s *Server) ListAppChanges(ctx context.Context, req *mgmt_pb.ListAppChanges
 }
 
 func (s *Server) AddOIDCApp(ctx context.Context, req *mgmt_pb.AddOIDCAppRequest) (*mgmt_pb.AddOIDCAppResponse, error) {
-	app, err := s.command.AddOIDCApplication(ctx, AddOIDCAppRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+	oidcApp, err := AddOIDCAppRequestToDomain(req)
+	if err != nil {
+		return nil, err
+	}
+	app, err := s.command.AddOIDCApplication(ctx, oidcApp, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}
@@ -128,7 +132,11 @@ func (s *Server) UpdateApp(ctx context.Context, req *mgmt_pb.UpdateAppRequest) (
 }
 
 func (s *Server) UpdateOIDCAppConfig(ctx context.Context, req *mgmt_pb.UpdateOIDCAppConfigRequest) (*mgmt_pb.UpdateOIDCAppConfigResponse, error) {
-	config, err := s.command.ChangeOIDCApplication(ctx, UpdateOIDCAppConfigRequestToDomain(req), authz.GetCtxData(ctx).OrgID)
+	oidcApp, err := UpdateOIDCAppConfigRequestToDomain(req)
+	if err != nil {
+		return nil, err
+	}
+	config, err := s.command.ChangeOIDCApplication(ctx, oidcApp, authz.GetCtxData(ctx).OrgID)
 	if err != nil {
 		return nil, err
 	}

internal/api/grpc/management/project_application_converter.go

@@ -36,7 +36,11 @@ func ListAppsRequestToModel(req *mgmt_pb.ListAppsRequest) (*query.AppSearchQueri
 	}, nil
 }
 
-func AddOIDCAppRequestToDomain(req *mgmt_pb.AddOIDCAppRequest) *domain.OIDCApp {
+func AddOIDCAppRequestToDomain(req *mgmt_pb.AddOIDCAppRequest) (*domain.OIDCApp, error) {
+	loginVersion, loginBaseURI, err := app_grpc.LoginVersionToDomain(req.GetLoginVersion())
+	if err != nil {
+		return nil, err
+	}
 	return &domain.OIDCApp{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: req.ProjectId,
@@ -58,7 +62,9 @@ func AddOIDCAppRequestToDomain(req *mgmt_pb.AddOIDCAppRequest) *domain.OIDCApp {
 		AdditionalOrigins:        req.AdditionalOrigins,
 		SkipNativeAppSuccessPage: req.SkipNativeAppSuccessPage,
 		BackChannelLogoutURI:     req.GetBackChannelLogoutUri(),
-	}
+		LoginVersion:             loginVersion,
+		LoginBaseURI:             loginBaseURI,
+	}, nil
 }
 
 func AddSAMLAppRequestToDomain(req *mgmt_pb.AddSAMLAppRequest) *domain.SAMLApp {
@@ -89,7 +95,11 @@ func UpdateAppRequestToDomain(app *mgmt_pb.UpdateAppRequest) domain.Application
 	}
 }
 
-func UpdateOIDCAppConfigRequestToDomain(app *mgmt_pb.UpdateOIDCAppConfigRequest) *domain.OIDCApp {
+func UpdateOIDCAppConfigRequestToDomain(app *mgmt_pb.UpdateOIDCAppConfigRequest) (*domain.OIDCApp, error) {
+	loginVersion, loginBaseURI, err := app_grpc.LoginVersionToDomain(app.GetLoginVersion())
+	if err != nil {
+		return nil, err
+	}
 	return &domain.OIDCApp{
 		ObjectRoot: models.ObjectRoot{
 			AggregateID: app.ProjectId,
@@ -110,7 +120,9 @@ func UpdateOIDCAppConfigRequestToDomain(app *mgmt_pb.UpdateOIDCAppConfigRequest)
 		AdditionalOrigins:        app.AdditionalOrigins,
 		SkipNativeAppSuccessPage: app.SkipNativeAppSuccessPage,
 		BackChannelLogoutURI:     app.BackChannelLogoutUri,
-	}
+		LoginVersion:             loginVersion,
+		LoginBaseURI:             loginBaseURI,
+	}, nil
 }
 
 func UpdateSAMLAppConfigRequestToDomain(app *mgmt_pb.UpdateSAMLAppConfigRequest) *domain.SAMLApp {

internal/api/grpc/oidc/v2/integration_test/oidc_test.go

@@ -16,15 +16,18 @@ import (
 	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/app"
 	"github.com/zitadel/zitadel/pkg/grpc/object/v2"
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2"
 	"github.com/zitadel/zitadel/pkg/grpc/session/v2"
 )
 
 var (
-	CTX      context.Context
-	Instance *integration.Instance
-	Client   oidc_pb.OIDCServiceClient
+	CTX            context.Context
+	CTXLoginClient context.Context
+	Instance       *integration.Instance
+	Client         oidc_pb.OIDCServiceClient
+	loginV2        = &app.LoginVersion{Version: &app.LoginVersion_LoginV2{LoginV2: &app.LoginV2{BaseUri: nil}}}
 )
 
 const (
@@ -42,6 +45,7 @@ func TestMain(m *testing.M) {
 		Client = Instance.Client.OIDCv2
 
 		CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
+		CTXLoginClient = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
 		return m.Run()
 	}())
 }
@@ -51,29 +55,58 @@ func TestServer_GetAuthRequest(t *testing.T) {
 	require.NoError(t, err)
 	client, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
 	require.NoError(t, err)
-	authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI)
-	require.NoError(t, err)
+
 	now := time.Now()
 
 	tests := []struct {
 		name          string
 		AuthRequestID string
+		ctx           context.Context
 		want          *oidc_pb.GetAuthRequestResponse
 		wantErr       bool
 	}{
 		{
 			name:          "Not found",
 			AuthRequestID: "123",
+			ctx:           CTX,
 			wantErr:       true,
 		},
 		{
-			name:          "success",
-			AuthRequestID: authRequestID,
+			name: "success",
+			AuthRequestID: func() string {
+				authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI)
+				require.NoError(t, err)
+				return authRequestID
+			}(),
+			ctx: CTX,
+		},
+		{
+			name: "without login client, no permission",
+			AuthRequestID: func() string {
+				client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
+				require.NoError(t, err)
+				authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "")
+				require.NoError(t, err)
+				return authRequestID
+			}(),
+			ctx:     CTX,
+			wantErr: true,
+		},
+		{
+			name: "without login client, with permission",
+			AuthRequestID: func() string {
+				client, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
+				require.NoError(t, err)
+				authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, client.GetClientId(), redirectURI, "")
+				require.NoError(t, err)
+				return authRequestID
+			}(),
+			ctx: CTXLoginClient,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := Client.GetAuthRequest(CTX, &oidc_pb.GetAuthRequestRequest{
+			got, err := Client.GetAuthRequest(tt.ctx, &oidc_pb.GetAuthRequestRequest{
 				AuthRequestId: tt.AuthRequestID,
 			})
 			if tt.wantErr {
@@ -83,7 +116,7 @@ func TestServer_GetAuthRequest(t *testing.T) {
 			require.NoError(t, err)
 			authRequest := got.GetAuthRequest()
 			assert.NotNil(t, authRequest)
-			assert.Equal(t, authRequestID, authRequest.GetId())
+			assert.Equal(t, tt.AuthRequestID, authRequest.GetId())
 			assert.WithinRange(t, authRequest.GetCreationDate().AsTime(), now.Add(-time.Second), now.Add(time.Second))
 			assert.Contains(t, authRequest.GetScope(), "openid")
 		})
@@ -95,6 +128,8 @@ func TestServer_CreateCallback(t *testing.T) {
 	require.NoError(t, err)
 	client, err := Instance.CreateOIDCNativeClient(CTX, redirectURI, logoutRedirectURI, project.GetId(), false)
 	require.NoError(t, err)
+	clientV2, err := Instance.CreateOIDCClientLoginVersion(CTX, redirectURI, logoutRedirectURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, false, loginV2)
+	require.NoError(t, err)
 	sessionResp, err := Instance.Client.SessionV2.CreateSession(CTX, &session.CreateSessionRequest{
 		Checks: &session.Checks{
 			User: &session.CheckUser{
@@ -108,6 +143,7 @@ func TestServer_CreateCallback(t *testing.T) {
 
 	tests := []struct {
 		name      string
+		ctx       context.Context
 		req       *oidc_pb.CreateCallbackRequest
 		AuthError string
 		want      *oidc_pb.CreateCallbackResponse
@@ -116,6 +152,7 @@ func TestServer_CreateCallback(t *testing.T) {
 	}{
 		{
 			name: "Not found",
+			ctx:  CTX,
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: "123",
 				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
@@ -129,6 +166,7 @@ func TestServer_CreateCallback(t *testing.T) {
 		},
 		{
 			name: "session not found",
+			ctx:  CTX,
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
 					authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users[integration.UserTypeOrgOwner].ID, redirectURI)
@@ -146,6 +184,7 @@ func TestServer_CreateCallback(t *testing.T) {
 		},
 		{
 			name: "session token invalid",
+			ctx:  CTX,
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
 					authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
@@ -163,6 +202,7 @@ func TestServer_CreateCallback(t *testing.T) {
 		},
 		{
 			name: "fail callback",
+			ctx:  CTX,
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
 					authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
@@ -186,8 +226,35 @@ func TestServer_CreateCallback(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "fail callback, no login client header",
+			ctx:  CTXLoginClient,
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: func() string {
+					authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
+					require.NoError(t, err)
+					return authRequestID
+				}(),
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Error{
+					Error: &oidc_pb.AuthorizationError{
+						Error:            oidc_pb.ErrorReason_ERROR_REASON_ACCESS_DENIED,
+						ErrorDescription: gu.Ptr("nope"),
+						ErrorUri:         gu.Ptr("https://example.com/docs"),
+					},
+				},
+			},
+			want: &oidc_pb.CreateCallbackResponse{
+				CallbackUrl: regexp.QuoteMeta(`oidcintegrationtest://callback?error=access_denied&error_description=nope&error_uri=https%3A%2F%2Fexample.com%2Fdocs&state=state`),
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Instance.ID(),
+				},
+			},
+			wantErr: false,
+		},
 		{
 			name: "code callback",
+			ctx:  CTX,
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
 					authRequestID, err := Instance.CreateOIDCAuthRequest(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURI)
@@ -211,10 +278,54 @@ func TestServer_CreateCallback(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name: "implicit",
+			name: "code callback, no login client header, no permission, error",
+			ctx:  CTX,
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
-					client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit)
+					authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
+					require.NoError(t, err)
+					return authRequestID
+				}(),
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: sessionResp.GetSessionToken(),
+					},
+				},
+			},
+			wantErr: true,
+		},
+		{
+			name: "code callback, no login client header, with permission",
+			ctx:  CTXLoginClient,
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: func() string {
+					authRequestID, err := Instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURI, "")
+					require.NoError(t, err)
+					return authRequestID
+				}(),
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: sessionResp.GetSessionToken(),
+					},
+				},
+			},
+			want: &oidc_pb.CreateCallbackResponse{
+				CallbackUrl: `oidcintegrationtest:\/\/callback\?code=(.*)&state=state`,
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Instance.ID(),
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "implicit",
+			ctx:  CTX,
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: func() string {
+					client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil)
 					require.NoError(t, err)
 					authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit)
 					require.NoError(t, err)
@@ -236,10 +347,37 @@ func TestServer_CreateCallback(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "implicit, no login client header",
+			ctx:  CTXLoginClient,
+			req: &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: func() string {
+					clientV2, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, loginV2)
+					require.NoError(t, err)
+					authRequestID, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientV2.GetClientId(), redirectURIImplicit)
+					require.NoError(t, err)
+					return authRequestID
+				}(),
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionResp.GetSessionId(),
+						SessionToken: sessionResp.GetSessionToken(),
+					},
+				},
+			},
+			want: &oidc_pb.CreateCallbackResponse{
+				CallbackUrl: `http:\/\/localhost:9999\/callback#access_token=(.*)&expires_in=(.*)&id_token=(.*)&state=state&token_type=Bearer`,
+				Details: &object.Details{
+					ChangeDate:    timestamppb.Now(),
+					ResourceOwner: Instance.ID(),
+				},
+			},
+			wantErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := Client.CreateCallback(CTX, tt.req)
+			got, err := Client.CreateCallback(tt.ctx, tt.req)
 			if tt.wantErr {
 				require.Error(t, err)
 				return

internal/api/grpc/oidc/v2beta/integration_test/oidc_test.go

@@ -214,7 +214,7 @@ func TestServer_CreateCallback(t *testing.T) {
 			name: "implicit",
 			req: &oidc_pb.CreateCallbackRequest{
 				AuthRequestId: func() string {
-					client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit)
+					client, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil)
 					require.NoError(t, err)
 					authRequestID, err := Instance.CreateOIDCAuthRequestImplicit(CTX, client.GetClientId(), Instance.Users.Get(integration.UserTypeOrgOwner).ID, redirectURIImplicit)
 					require.NoError(t, err)

internal/api/grpc/org/v2/integration_test/org_test.go

@@ -35,7 +35,7 @@ func TestMain(m *testing.M) {
 
 		CTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
 		OwnerCTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)
-		UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
+		UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
 		User = Instance.CreateHumanUser(CTX)
 		return m.Run()
 	}())

internal/api/grpc/project/application.go

@@ -1,6 +1,8 @@
 package project
 
 import (
+	"net/url"
+
 	"google.golang.org/protobuf/types/known/durationpb"
 
 	object_grpc "github.com/zitadel/zitadel/internal/api/grpc/object"
@@ -62,10 +64,24 @@ func AppOIDCConfigToPb(app *query.OIDCApp) *app_pb.App_OidcConfig {
 			AllowedOrigins:           app.AllowedOrigins,
 			SkipNativeAppSuccessPage: app.SkipNativeAppSuccessPage,
 			BackChannelLogoutUri:     app.BackChannelLogoutURI,
+			LoginVersion:             loginVersionToPb(app.LoginVersion, app.LoginBaseURI),
 		},
 	}
 }
 
+func loginVersionToPb(version domain.LoginVersion, baseURI *string) *app_pb.LoginVersion {
+	switch version {
+	case domain.LoginVersionUnspecified:
+		return nil
+	case domain.LoginVersion1:
+		return &app_pb.LoginVersion{Version: &app_pb.LoginVersion_LoginV1{LoginV1: &app_pb.LoginV1{}}}
+	case domain.LoginVersion2:
+		return &app_pb.LoginVersion{Version: &app_pb.LoginVersion_LoginV2{LoginV2: &app_pb.LoginV2{BaseUri: baseURI}}}
+	default:
+		return nil
+	}
+}
+
 func AppSAMLConfigToPb(app *query.SAMLApp) app_pb.AppConfig {
 	return &app_pb.App_SamlConfig{
 		SamlConfig: &app_pb.SAMLConfig{
@@ -311,3 +327,17 @@ func AppQueryToModel(appQuery *app_pb.AppQuery) (query.SearchQuery, error) {
 		return nil, zerrors.ThrowInvalidArgument(nil, "APP-Add46", "List.Query.Invalid")
 	}
 }
+
+func LoginVersionToDomain(version *app_pb.LoginVersion) (domain.LoginVersion, string, error) {
+	switch v := version.GetVersion().(type) {
+	case nil:
+		return domain.LoginVersionUnspecified, "", nil
+	case *app_pb.LoginVersion_LoginV1:
+		return domain.LoginVersion1, "", nil
+	case *app_pb.LoginVersion_LoginV2:
+		_, err := url.Parse(v.LoginV2.GetBaseUri())
+		return domain.LoginVersion2, v.LoginV2.GetBaseUri(), err
+	default:
+		return domain.LoginVersionUnspecified, "", nil
+	}
+}

internal/api/grpc/resources/user/v3alpha/integration_test/email_test.go

@@ -69,7 +69,7 @@ func TestServer_SetContactEmail(t *testing.T) {
 		},
 		{
 			name: "email patch, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.SetContactEmailRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()
@@ -412,7 +412,7 @@ func TestServer_VerifyContactEmail(t *testing.T) {
 		},
 		{
 			name: "email verify, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.VerifyContactEmailRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()
@@ -601,7 +601,7 @@ func TestServer_ResendContactEmailCode(t *testing.T) {
 		},
 		{
 			name: "email resend, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.ResendContactEmailCodeRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()

internal/api/grpc/resources/user/v3alpha/integration_test/phone_test.go

@@ -68,7 +68,7 @@ func TestServer_SetContactPhone(t *testing.T) {
 		},
 		{
 			name: "phone patch, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.SetContactPhoneRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()
@@ -340,7 +340,7 @@ func TestServer_VerifyContactPhone(t *testing.T) {
 		},
 		{
 			name: "phone verify, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.VerifyContactPhoneRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()
@@ -530,7 +530,7 @@ func TestServer_ResendContactPhoneCode(t *testing.T) {
 		},
 		{
 			name: "phone resend, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.ResendContactPhoneCodeRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()

internal/api/grpc/resources/user/v3alpha/integration_test/user_test.go

@@ -94,7 +94,7 @@ func TestServer_CreateUser(t *testing.T) {
 		},
 		{
 			name: "user create, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			req: &user.CreateUserRequest{
 				Organization: &object.Organization{
 					Property: &object.Organization_OrgId{
@@ -294,7 +294,7 @@ func TestServer_PatchUser(t *testing.T) {
 		},
 		{
 			name: "user patch, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.PatchUserRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()
@@ -734,7 +734,7 @@ func TestServer_DeleteUser(t *testing.T) {
 		},
 		{
 			name: "user delete, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.DeleteUserRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()
@@ -950,7 +950,7 @@ func TestServer_LockUser(t *testing.T) {
 		},
 		{
 			name: "user lock, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.LockUserRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()
@@ -1152,7 +1152,7 @@ func TestServer_UnlockUser(t *testing.T) {
 		},
 		{
 			name: "user unlock, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.UnlockUserRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()
@@ -1333,7 +1333,7 @@ func TestServer_DeactivateUser(t *testing.T) {
 		},
 		{
 			name: "user deactivate, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.DeactivateUserRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()
@@ -1535,7 +1535,7 @@ func TestServer_ActivateUser(t *testing.T) {
 		},
 		{
 			name: "user activate, no permission",
-			ctx:  instance.WithAuthorization(CTX, integration.UserTypeLogin),
+			ctx:  instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 			dep: func(req *user.ActivateUserRequest) error {
 				userResp := instance.CreateSchemaUser(isolatedIAMOwnerCTX, orgResp.GetOrganizationId(), schemaResp.GetDetails().GetId(), []byte("{\"name\": \"user\"}"))
 				req.Id = userResp.GetDetails().GetId()

internal/api/grpc/settings/v2/integration_test/settings_test.go

@@ -237,7 +237,7 @@ func TestServer_GetActiveIdentityProviders(t *testing.T) {
 		{
 			name: "permission error",
 			args: args{
-				ctx: instance.WithAuthorization(CTX, integration.UserTypeLogin),
+				ctx: instance.WithAuthorization(CTX, integration.UserTypeNoPermission),
 				req: &settings.GetActiveIdentityProvidersRequest{},
 			},
 			wantErr: true,

internal/api/grpc/user/v2/integration_test/user_test.go

@@ -43,7 +43,7 @@ func TestMain(m *testing.M) {
 
 		Instance = integration.NewInstance(ctx)
 
-		UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
+		UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
 		IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
 		SystemCTX = integration.WithSystemAuthorization(ctx)
 		CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)

internal/api/grpc/user/v2beta/integration_test/user_test.go

@@ -41,7 +41,7 @@ func TestMain(m *testing.M) {
 
 		Instance = integration.NewInstance(ctx)
 
-		UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeLogin)
+		UserCTX = Instance.WithAuthorization(ctx, integration.UserTypeNoPermission)
 		IamCTX = Instance.WithAuthorization(ctx, integration.UserTypeIAMOwner)
 		SystemCTX = integration.WithSystemAuthorization(ctx)
 		CTX = Instance.WithAuthorization(ctx, integration.UserTypeOrgOwner)

internal/api/oidc/auth_request.go

@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/http"
+	"net/url"
 	"slices"
 	"strings"
 	"time"
@@ -16,6 +17,7 @@ import (
 	"github.com/zitadel/zitadel/internal/api/authz"
 	http_utils "github.com/zitadel/zitadel/internal/api/http"
 	"github.com/zitadel/zitadel/internal/api/http/middleware"
+	"github.com/zitadel/zitadel/internal/api/ui/login"
 	"github.com/zitadel/zitadel/internal/auth/repository/eventsourcing/handler"
 	"github.com/zitadel/zitadel/internal/command"
 	"github.com/zitadel/zitadel/internal/domain"
@@ -26,7 +28,11 @@ import (
 )
 
 const (
-	LoginClientHeader = "x-zitadel-login-client"
+	LoginClientHeader            = "x-zitadel-login-client"
+	LoginPostLogoutRedirectParam = "post_logout_redirect"
+	LoginPath                    = "/login"
+	LogoutPath                   = "/logout"
+	LogoutDonePath               = "/logout/done"
 )
 
 func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest, userID string) (_ op.AuthRequest, err error) {
@@ -36,12 +42,34 @@ func (o *OPStorage) CreateAuthRequest(ctx context.Context, req *oidc.AuthRequest
 		span.EndWithError(err)
 	}()
 
+	// for backwards compatibility we pass the login client if set
 	headers, _ := http_utils.HeadersFromCtx(ctx)
-	if loginClient := headers.Get(LoginClientHeader); loginClient != "" {
+	loginClient := headers.Get(LoginClientHeader)
+
+	// if the instance requires the v2 login, use it no matter what the application configured
+	if authz.GetFeatures(ctx).LoginV2.Required {
 		return o.createAuthRequestLoginClient(ctx, req, userID, loginClient)
 	}
 
-	return o.createAuthRequest(ctx, req, userID)
+	version, err := o.query.OIDCClientLoginVersion(ctx, req.ClientID)
+	if err != nil {
+		return nil, err
+	}
+
+	switch version {
+	case domain.LoginVersion1:
+		return o.createAuthRequest(ctx, req, userID)
+	case domain.LoginVersion2:
+		return o.createAuthRequestLoginClient(ctx, req, userID, loginClient)
+	case domain.LoginVersionUnspecified:
+		fallthrough
+	default:
+		// if undefined, use the v2 login if the header is sent, to retain the current behavior
+		if loginClient != "" {
+			return o.createAuthRequestLoginClient(ctx, req, userID, loginClient)
+		}
+		return o.createAuthRequest(ctx, req, userID)
+	}
 }
 
 func (o *OPStorage) createAuthRequestScopeAndAudience(ctx context.Context, clientID string, reqScope []string) (scope, audience []string, err error) {
@@ -240,18 +268,35 @@ func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionR
 
 	// check for the login client header
 	headers, _ := http_utils.HeadersFromCtx(ctx)
-	// in case there is no id_token_hint, redirect to the UI and let it decide which session to terminate
-	if headers.Get(LoginClientHeader) != "" && endSessionRequest.IDTokenHintClaims == nil {
-		return o.defaultLogoutURLV2 + endSessionRequest.RedirectURI, nil
+
+	// V2:
+	// In case there is no id_token_hint and login V2 is either required by feature
+	// or requested via header (backwards compatibility),
+	// we'll redirect to the UI (V2) and let it decide which session to terminate
+	//
+	// If there's no id_token_hint and for v1 logins, we handle them separately
+	if endSessionRequest.IDTokenHintClaims == nil &&
+		(authz.GetFeatures(ctx).LoginV2.Required || headers.Get(LoginClientHeader) != "") {
+		redirectURI := v2PostLogoutRedirectURI(endSessionRequest.RedirectURI)
+		// if no base uri is set, fallback to the default configured in the runtime config
+		if authz.GetFeatures(ctx).LoginV2.BaseURI == nil || authz.GetFeatures(ctx).LoginV2.BaseURI.String() == "" {
+			return o.defaultLogoutURLV2 + redirectURI, nil
+		}
+		return buildLoginV2LogoutURL(authz.GetFeatures(ctx).LoginV2.BaseURI, redirectURI), nil
 	}
 
-	// If there is no login client header and no id_token_hint or the id_token_hint does not have a session ID,
-	// do a v1 Terminate session (which terminates all sessions of the user agent, identified by cookie).
+	// V1:
+	// We check again for the id_token_hint param and if a session is set in it.
+	// All explicit V2 sessions with empty id_token_hint are handled above and all V2 session contain a sessionID
+	// So if any condition is not met, we handle the request as a V1 request and do a (v1) TerminateSession,
+	// which terminates all sessions of the user agent, identified by cookie.
 	if endSessionRequest.IDTokenHintClaims == nil || endSessionRequest.IDTokenHintClaims.SessionID == "" {
 		return endSessionRequest.RedirectURI, o.TerminateSession(ctx, endSessionRequest.UserID, endSessionRequest.ClientID)
 	}
 
-	// If the sessionID is prefixed by V1, we also terminate a v1 session.
+	// V1:
+	// If the sessionID is prefixed by V1, we also terminate a v1 session, but based on the SingleV1SessionTermination feature flag,
+	// we either terminate all sessions of the user agent or only the specific session
 	if strings.HasPrefix(endSessionRequest.IDTokenHintClaims.SessionID, handler.IDPrefixV1) {
 		err = o.terminateV1Session(ctx, endSessionRequest.UserID, endSessionRequest.IDTokenHintClaims.SessionID)
 		if err != nil {
@@ -260,12 +305,31 @@ func (o *OPStorage) TerminateSessionFromRequest(ctx context.Context, endSessionR
 		return endSessionRequest.RedirectURI, nil
 	}
 
-	// terminate the v2 session of the id_token_hint
+	// V2:
+	// Terminate the v2 session of the id_token_hint
 	_, err = o.command.TerminateSessionWithoutTokenCheck(ctx, endSessionRequest.IDTokenHintClaims.SessionID)
 	if err != nil {
 		return "", err
 	}
-	return endSessionRequest.RedirectURI, nil
+	return v2PostLogoutRedirectURI(endSessionRequest.RedirectURI), nil
+}
+
+func buildLoginV2LogoutURL(baseURI *url.URL, redirectURI string) string {
+	baseURI.JoinPath(LogoutPath)
+	q := baseURI.Query()
+	q.Set(LoginPostLogoutRedirectParam, redirectURI)
+	baseURI.RawQuery = q.Encode()
+	return baseURI.String()
+}
+
+// v2PostLogoutRedirectURI will take care that the post_logout_redirect_uri is correctly set for v2 logins.
+// The default value set by the [op.SessionEnder] only handles V1 logins. In case the redirect_uri is set to the default
+// we'll return the path for the v2 login.
+func v2PostLogoutRedirectURI(redirectURI string) string {
+	if redirectURI != login.DefaultLoggedOutPath {
+		return redirectURI
+	}
+	return LogoutDonePath
 }
 
 // terminateV1Session terminates "v1" sessions created through the login UI.

internal/api/oidc/client_converter.go

@@ -15,6 +15,10 @@ import (
 	"github.com/zitadel/zitadel/internal/query"
 )
 
+const (
+	LoginAuthRequestParam = "authRequest"
+)
+
 type Client struct {
 	client            *query.OIDCClient
 	defaultLoginURL   string
@@ -49,10 +53,21 @@ func (c *Client) GetID() string {
 }
 
 func (c *Client) LoginURL(id string) string {
-	if strings.HasPrefix(id, command.IDPrefixV2) {
+	// if the authRequest does not have the v2 prefix, it was created for login V1
+	if !strings.HasPrefix(id, command.IDPrefixV2) {
+		return c.defaultLoginURL + id
+	}
+	// any v2 login without a specific base uri will be sent to the configured login v2 UI
+	// this way we're also backwards compatible
+	if c.client.LoginBaseURI == nil || c.client.LoginBaseURI.URL().String() == "" {
 		return c.defaultLoginURLV2 + id
 	}
-	return c.defaultLoginURL + id
+	// for clients with a specific URI (internal or external) we only need to add the auth request id
+	uri := c.client.LoginBaseURI.URL().JoinPath(LoginPath)
+	q := uri.Query()
+	q.Set(LoginAuthRequestParam, id)
+	uri.RawQuery = q.Encode()
+	return uri.String()
 }
 
 func (c *Client) RedirectURIs() []string {

internal/api/oidc/integration_test/auth_request_test.go

@@ -29,157 +29,255 @@ var (
 
 func TestOPStorage_CreateAuthRequest(t *testing.T) {
 	clientID, _ := createClient(t, Instance)
+	clientIDV2, _ := createClientLoginV2(t, Instance)
 
 	id := createAuthRequest(t, Instance, clientID, redirectURI)
 	require.Contains(t, id, command.IDPrefixV2)
+
+	id2 := createAuthRequestNoLoginClientHeader(t, Instance, clientIDV2, redirectURI)
+	require.Contains(t, id2, command.IDPrefixV2)
 }
 
 func TestOPStorage_CreateAccessToken_code(t *testing.T) {
-	clientID, _ := createClient(t, Instance)
-	authRequestID := createAuthRequest(t, Instance, clientID, redirectURI)
-	sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
-	linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
-		AuthRequestId: authRequestID,
-		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
-			Session: &oidc_pb.Session{
-				SessionId:    sessionID,
-				SessionToken: sessionToken,
-			},
+	tests := []struct {
+		name          string
+		clientID      string
+		authRequestID func(t testing.TB, instance *integration.Instance, clientID, redirectURI string, scope ...string) string
+	}{
+		{
+			name: "login header",
+			clientID: func() string {
+				clientID, _ := createClient(t, Instance)
+				return clientID
+			}(),
+			authRequestID: createAuthRequest,
 		},
-	})
-	require.NoError(t, err)
-
-	// test code exchange
-	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
-	tokens, err := exchangeTokens(t, Instance, clientID, code, redirectURI)
-	require.NoError(t, err)
-	assertTokens(t, tokens, false)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
-
-	// callback on a succeeded request must fail
-	linkResp, err = Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
-		AuthRequestId: authRequestID,
-		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
-			Session: &oidc_pb.Session{
-				SessionId:    sessionID,
-				SessionToken: sessionToken,
-			},
+		{
+			name: "login v2 config",
+			clientID: func() string {
+				clientID, _ := createClientLoginV2(t, Instance)
+				return clientID
+			}(),
+			authRequestID: createAuthRequestNoLoginClientHeader,
 		},
-	})
-	require.Error(t, err)
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			authRequestID := tt.authRequestID(t, Instance, tt.clientID, redirectURI)
+			sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
+			linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: authRequestID,
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionID,
+						SessionToken: sessionToken,
+					},
+				},
+			})
+			require.NoError(t, err)
 
-	// exchange with a used code must fail
-	_, err = exchangeTokens(t, Instance, clientID, code, redirectURI)
-	require.Error(t, err)
+			// test code exchange
+			code := assertCodeResponse(t, linkResp.GetCallbackUrl())
+			tokens, err := exchangeTokens(t, Instance, tt.clientID, code, redirectURI)
+			require.NoError(t, err)
+			assertTokens(t, tokens, false)
+			assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
+
+			// callback on a succeeded request must fail
+			linkResp, err = Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: authRequestID,
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionID,
+						SessionToken: sessionToken,
+					},
+				},
+			})
+			require.Error(t, err)
+
+			// exchange with a used code must fail
+			_, err = exchangeTokens(t, Instance, tt.clientID, code, redirectURI)
+			require.Error(t, err)
+		})
+	}
 }
 
 func TestOPStorage_CreateAccessToken_implicit(t *testing.T) {
-	clientID := createImplicitClient(t)
-	authRequestID := createAuthRequestImplicit(t, clientID, redirectURIImplicit)
-	sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
-	linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
-		AuthRequestId: authRequestID,
-		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
-			Session: &oidc_pb.Session{
-				SessionId:    sessionID,
-				SessionToken: sessionToken,
-			},
+	tests := []struct {
+		name          string
+		clientID      string
+		authRequestID func(t testing.TB, clientID, redirectURI string, scope ...string) string
+	}{
+		{
+			name:          "login header",
+			clientID:      createImplicitClient(t),
+			authRequestID: createAuthRequestImplicit,
 		},
-	})
-	require.NoError(t, err)
-
-	// test implicit callback
-	callback, err := url.Parse(linkResp.GetCallbackUrl())
-	require.NoError(t, err)
-	values, err := url.ParseQuery(callback.Fragment)
-	require.NoError(t, err)
-	accessToken := values.Get("access_token")
-	idToken := values.Get("id_token")
-	refreshToken := values.Get("refresh_token")
-	assert.NotEmpty(t, accessToken)
-	assert.NotEmpty(t, idToken)
-	assert.Empty(t, refreshToken)
-	assert.NotEmpty(t, values.Get("expires_in"))
-	assert.Equal(t, oidc.BearerToken, values.Get("token_type"))
-	assert.Equal(t, "state", values.Get("state"))
-
-	// check id_token / claims
-	provider, err := Instance.CreateRelyingParty(CTX, clientID, redirectURIImplicit)
-	require.NoError(t, err)
-	claims, err := rp.VerifyTokens[*oidc.IDTokenClaims](context.Background(), accessToken, idToken, provider.IDTokenVerifier())
-	require.NoError(t, err)
-	assertIDTokenClaims(t, claims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
-
-	// callback on a succeeded request must fail
-	linkResp, err = Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
-		AuthRequestId: authRequestID,
-		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
-			Session: &oidc_pb.Session{
-				SessionId:    sessionID,
-				SessionToken: sessionToken,
-			},
+		{
+			name:          "login v2 config",
+			clientID:      createImplicitClientNoLoginClientHeader(t),
+			authRequestID: createAuthRequestImplicitNoLoginClientHeader,
 		},
-	})
-	require.Error(t, err)
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			authRequestID := tt.authRequestID(t, tt.clientID, redirectURIImplicit)
+			sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
+			linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: authRequestID,
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionID,
+						SessionToken: sessionToken,
+					},
+				},
+			})
+			require.NoError(t, err)
+
+			// test implicit callback
+			callback, err := url.Parse(linkResp.GetCallbackUrl())
+			require.NoError(t, err)
+			values, err := url.ParseQuery(callback.Fragment)
+			require.NoError(t, err)
+			accessToken := values.Get("access_token")
+			idToken := values.Get("id_token")
+			refreshToken := values.Get("refresh_token")
+			assert.NotEmpty(t, accessToken)
+			assert.NotEmpty(t, idToken)
+			assert.Empty(t, refreshToken)
+			assert.NotEmpty(t, values.Get("expires_in"))
+			assert.Equal(t, oidc.BearerToken, values.Get("token_type"))
+			assert.Equal(t, "state", values.Get("state"))
+
+			// check id_token / claims
+			provider, err := Instance.CreateRelyingParty(CTX, tt.clientID, redirectURIImplicit)
+			require.NoError(t, err)
+			claims, err := rp.VerifyTokens[*oidc.IDTokenClaims](context.Background(), accessToken, idToken, provider.IDTokenVerifier())
+			require.NoError(t, err)
+			assertIDTokenClaims(t, claims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
+
+			// callback on a succeeded request must fail
+			linkResp, err = Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: authRequestID,
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionID,
+						SessionToken: sessionToken,
+					},
+				},
+			})
+			require.Error(t, err)
+		})
+	}
 }
 
 func TestOPStorage_CreateAccessAndRefreshTokens_code(t *testing.T) {
-	clientID, _ := createClient(t, Instance)
-	authRequestID := createAuthRequest(t, Instance, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
-	sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
-	linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
-		AuthRequestId: authRequestID,
-		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
-			Session: &oidc_pb.Session{
-				SessionId:    sessionID,
-				SessionToken: sessionToken,
-			},
+	tests := []struct {
+		name          string
+		clientID      string
+		authRequestID func(t testing.TB, instance *integration.Instance, clientID, redirectURI string, scope ...string) string
+	}{
+		{
+			name: "login header",
+			clientID: func() string {
+				clientID, _ := createClient(t, Instance)
+				return clientID
+			}(),
+			authRequestID: createAuthRequest,
 		},
-	})
-	require.NoError(t, err)
+		{
+			name: "login v2 config",
+			clientID: func() string {
+				clientID, _ := createClientLoginV2(t, Instance)
+				return clientID
+			}(),
+			authRequestID: createAuthRequestNoLoginClientHeader,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			authRequestID := tt.authRequestID(t, Instance, tt.clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
+			sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
+			linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: authRequestID,
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionID,
+						SessionToken: sessionToken,
+					},
+				},
+			})
+			require.NoError(t, err)
 
-	// test code exchange (expect refresh token to be returned)
-	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
-	tokens, err := exchangeTokens(t, Instance, clientID, code, redirectURI)
-	require.NoError(t, err)
-	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
+			// test code exchange (expect refresh token to be returned)
+			code := assertCodeResponse(t, linkResp.GetCallbackUrl())
+			tokens, err := exchangeTokens(t, Instance, tt.clientID, code, redirectURI)
+			require.NoError(t, err)
+			assertTokens(t, tokens, true)
+			assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
+		})
+	}
 }
 
 func TestOPStorage_CreateAccessAndRefreshTokens_refresh(t *testing.T) {
-	clientID, _ := createClient(t, Instance)
-	provider, err := Instance.CreateRelyingParty(CTX, clientID, redirectURI)
-	require.NoError(t, err)
-	authRequestID := createAuthRequest(t, Instance, clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
-	sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
-	linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
-		AuthRequestId: authRequestID,
-		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
-			Session: &oidc_pb.Session{
-				SessionId:    sessionID,
-				SessionToken: sessionToken,
-			},
+	tests := []struct {
+		name          string
+		clientID      string
+		authRequestID func(t testing.TB, instance *integration.Instance, clientID, redirectURI string, scope ...string) string
+	}{
+		{
+			name: "login header",
+			clientID: func() string {
+				clientID, _ := createClient(t, Instance)
+				return clientID
+			}(),
+			authRequestID: createAuthRequest,
 		},
-	})
-	require.NoError(t, err)
+		{
+			name: "login v2 config",
+			clientID: func() string {
+				clientID, _ := createClientLoginV2(t, Instance)
+				return clientID
+			}(),
+			authRequestID: createAuthRequestNoLoginClientHeader,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			provider, err := Instance.CreateRelyingParty(CTX, tt.clientID, redirectURI)
+			require.NoError(t, err)
+			authRequestID := tt.authRequestID(t, Instance, tt.clientID, redirectURI, oidc.ScopeOpenID, oidc.ScopeOfflineAccess)
+			sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
+			linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: authRequestID,
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionID,
+						SessionToken: sessionToken,
+					},
+				},
+			})
+			require.NoError(t, err)
 
-	// code exchange
-	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
-	tokens, err := exchangeTokens(t, Instance, clientID, code, redirectURI)
-	require.NoError(t, err)
-	assertTokens(t, tokens, true)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
+			// code exchange
+			code := assertCodeResponse(t, linkResp.GetCallbackUrl())
+			tokens, err := exchangeTokens(t, Instance, tt.clientID, code, redirectURI)
+			require.NoError(t, err)
+			assertTokens(t, tokens, true)
+			assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
-	// test actual refresh grant
-	newTokens, err := refreshTokens(t, clientID, tokens.RefreshToken)
-	require.NoError(t, err)
-	assertTokens(t, newTokens, true)
-	// auth time must still be the initial
-	assertIDTokenClaims(t, newTokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
+			// test actual refresh grant
+			newTokens, err := refreshTokens(t, tt.clientID, tokens.RefreshToken)
+			require.NoError(t, err)
+			assertTokens(t, newTokens, true)
+			// auth time must still be the initial
+			assertIDTokenClaims(t, newTokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
-	// refresh with an old refresh_token must fail
-	_, err = rp.RefreshTokens[*oidc.IDTokenClaims](CTX, provider, tokens.RefreshToken, "", "")
-	require.Error(t, err)
+			// refresh with an old refresh_token must fail
+			_, err = rp.RefreshTokens[*oidc.IDTokenClaims](CTX, provider, tokens.RefreshToken, "", "")
+			require.Error(t, err)
+		})
+	}
 }
 
 func TestOPStorage_RevokeToken_access_token(t *testing.T) {
@@ -454,47 +552,75 @@ func TestOPStorage_TerminateSession_refresh_grant(t *testing.T) {
 }
 
 func TestOPStorage_TerminateSession_empty_id_token_hint(t *testing.T) {
-	clientID, _ := createClient(t, Instance)
-	provider, err := Instance.CreateRelyingParty(CTX, clientID, redirectURI)
-	require.NoError(t, err)
-	authRequestID := createAuthRequest(t, Instance, clientID, redirectURI)
-	sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
-	linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
-		AuthRequestId: authRequestID,
-		CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
-			Session: &oidc_pb.Session{
-				SessionId:    sessionID,
-				SessionToken: sessionToken,
-			},
+	tests := []struct {
+		name          string
+		clientID      string
+		authRequestID func(t testing.TB, instance *integration.Instance, clientID, redirectURI string, scope ...string) string
+		logoutURL     string
+	}{
+		{
+			name: "login header",
+			clientID: func() string {
+				clientID, _ := createClient(t, Instance)
+				return clientID
+			}(),
+			authRequestID: createAuthRequest,
+			logoutURL:     http_utils.BuildOrigin(Instance.Host(), Instance.Config.Secure) + Instance.Config.LogoutURLV2 + logoutRedirectURI + "?state=state",
 		},
-	})
-	require.NoError(t, err)
+		{
+			name: "login v2 config",
+			clientID: func() string {
+				clientID, _ := createClientLoginV2(t, Instance)
+				return clientID
+			}(),
+			authRequestID: createAuthRequestNoLoginClientHeader,
+			logoutURL:     http_utils.BuildOrigin(Instance.Host(), Instance.Config.Secure) + Instance.Config.LogoutURLV2 + logoutRedirectURI + "?state=state",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			provider, err := Instance.CreateRelyingParty(CTX, tt.clientID, redirectURI)
+			require.NoError(t, err)
+			authRequestID := tt.authRequestID(t, Instance, tt.clientID, redirectURI)
+			sessionID, sessionToken, startTime, changeTime := Instance.CreateVerifiedWebAuthNSession(t, CTXLOGIN, User.GetUserId())
+			linkResp, err := Instance.Client.OIDCv2.CreateCallback(CTXLOGIN, &oidc_pb.CreateCallbackRequest{
+				AuthRequestId: authRequestID,
+				CallbackKind: &oidc_pb.CreateCallbackRequest_Session{
+					Session: &oidc_pb.Session{
+						SessionId:    sessionID,
+						SessionToken: sessionToken,
+					},
+				},
+			})
+			require.NoError(t, err)
 
-	// test code exchange
-	code := assertCodeResponse(t, linkResp.GetCallbackUrl())
-	tokens, err := exchangeTokens(t, Instance, clientID, code, redirectURI)
-	require.NoError(t, err)
-	assertTokens(t, tokens, false)
-	assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
+			// test code exchange
+			code := assertCodeResponse(t, linkResp.GetCallbackUrl())
+			tokens, err := exchangeTokens(t, Instance, tt.clientID, code, redirectURI)
+			require.NoError(t, err)
+			assertTokens(t, tokens, false)
+			assertIDTokenClaims(t, tokens.IDTokenClaims, User.GetUserId(), armPasskey, startTime, changeTime, sessionID)
 
-	postLogoutRedirect, err := rp.EndSession(CTX, provider, "", logoutRedirectURI, "state")
-	require.NoError(t, err)
-	assert.Equal(t, http_utils.BuildOrigin(Instance.Host(), Instance.Config.Secure)+Instance.Config.LogoutURLV2+logoutRedirectURI+"?state=state", postLogoutRedirect.String())
+			postLogoutRedirect, err := rp.EndSession(CTX, provider, "", logoutRedirectURI, "state")
+			require.NoError(t, err)
+			assert.Equal(t, tt.logoutURL, postLogoutRedirect.String())
 
-	// userinfo must not fail until login UI terminated session
-	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
-	require.NoError(t, err)
+			// userinfo must not fail until login UI terminated session
+			_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+			require.NoError(t, err)
 
-	// simulate termination by login UI
-	_, err = Instance.Client.SessionV2.DeleteSession(CTXLOGIN, &session.DeleteSessionRequest{
-		SessionId:    sessionID,
-		SessionToken: gu.Ptr(sessionToken),
-	})
-	require.NoError(t, err)
+			// simulate termination by login UI
+			_, err = Instance.Client.SessionV2.DeleteSession(CTXLOGIN, &session.DeleteSessionRequest{
+				SessionId:    sessionID,
+				SessionToken: gu.Ptr(sessionToken),
+			})
+			require.NoError(t, err)
 
-	// userinfo must fail
-	_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
-	require.Error(t, err)
+			// userinfo must fail
+			_, err = rp.Userinfo[*oidc.UserInfo](CTX, tokens.AccessToken, tokens.TokenType, tokens.IDTokenClaims.Subject, provider)
+			require.Error(t, err)
+		})
+	}
 }
 
 func exchangeTokens(t testing.TB, instance *integration.Instance, clientID, code, redirectURI string) (*oidc.Tokens[*oidc.IDTokenClaims], error) {

internal/api/oidc/integration_test/oidc_test.go

@@ -18,6 +18,7 @@ import (
 
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/integration"
+	"github.com/zitadel/zitadel/pkg/grpc/app"
 	"github.com/zitadel/zitadel/pkg/grpc/auth"
 	mgmt "github.com/zitadel/zitadel/pkg/grpc/management"
 	oidc_pb "github.com/zitadel/zitadel/pkg/grpc/oidc/v2"
@@ -394,16 +395,27 @@ func Test_ZITADEL_API_terminated_session_user_disabled(t *testing.T) {
 
 func createClient(t testing.TB, instance *integration.Instance) (clientID, projectID string) {
 	return createClientWithOpts(t, instance, clientOpts{
-		redirectURI: redirectURI,
-		logoutURI:   logoutRedirectURI,
-		devMode:     false,
+		redirectURI:  redirectURI,
+		logoutURI:    logoutRedirectURI,
+		devMode:      false,
+		LoginVersion: nil,
+	})
+}
+
+func createClientLoginV2(t testing.TB, instance *integration.Instance) (clientID, projectID string) {
+	return createClientWithOpts(t, instance, clientOpts{
+		redirectURI:  redirectURI,
+		logoutURI:    logoutRedirectURI,
+		devMode:      false,
+		LoginVersion: &app.LoginVersion{Version: &app.LoginVersion_LoginV2{LoginV2: &app.LoginV2{BaseUri: nil}}},
 	})
 }
 
 type clientOpts struct {
-	redirectURI string
-	logoutURI   string
-	devMode     bool
+	redirectURI  string
+	logoutURI    string
+	devMode      bool
+	LoginVersion *app.LoginVersion
 }
 
 func createClientWithOpts(t testing.TB, instance *integration.Instance, opts clientOpts) (clientID, projectID string) {
@@ -411,13 +423,19 @@ func createClientWithOpts(t testing.TB, instance *integration.Instance, opts cli
 
 	project, err := instance.CreateProject(ctx)
 	require.NoError(t, err)
-	app, err := instance.CreateOIDCNativeClient(ctx, opts.redirectURI, opts.logoutURI, project.GetId(), opts.devMode)
+	app, err := instance.CreateOIDCClientLoginVersion(ctx, opts.redirectURI, opts.logoutURI, project.GetId(), app.OIDCAppType_OIDC_APP_TYPE_NATIVE, app.OIDCAuthMethodType_OIDC_AUTH_METHOD_TYPE_NONE, opts.devMode, opts.LoginVersion)
 	require.NoError(t, err)
 	return app.GetClientId(), project.GetId()
 }
 
 func createImplicitClient(t testing.TB) string {
-	app, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit)
+	app, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, nil)
+	require.NoError(t, err)
+	return app.GetClientId()
+}
+
+func createImplicitClientNoLoginClientHeader(t testing.TB) string {
+	app, err := Instance.CreateOIDCImplicitFlowClient(CTX, redirectURIImplicit, &app.LoginVersion{Version: &app.LoginVersion_LoginV2{LoginV2: &app.LoginV2{BaseUri: nil}}})
 	require.NoError(t, err)
 	return app.GetClientId()
 }
@@ -428,12 +446,24 @@ func createAuthRequest(t testing.TB, instance *integration.Instance, clientID, r
 	return redURL
 }
 
+func createAuthRequestNoLoginClientHeader(t testing.TB, instance *integration.Instance, clientID, redirectURI string, scope ...string) string {
+	redURL, err := instance.CreateOIDCAuthRequestWithoutLoginClientHeader(CTX, clientID, redirectURI, "", scope...)
+	require.NoError(t, err)
+	return redURL
+}
+
 func createAuthRequestImplicit(t testing.TB, clientID, redirectURI string, scope ...string) string {
 	redURL, err := Instance.CreateOIDCAuthRequestImplicit(CTX, clientID, Instance.Users.Get(integration.UserTypeLogin).ID, redirectURI, scope...)
 	require.NoError(t, err)
 	return redURL
 }
 
+func createAuthRequestImplicitNoLoginClientHeader(t testing.TB, clientID, redirectURI string, scope ...string) string {
+	redURL, err := Instance.CreateOIDCAuthRequestImplicitWithoutLoginClientHeader(CTX, clientID, redirectURI, scope...)
+	require.NoError(t, err)
+	return redURL
+}
+
 func assertOIDCTime(t *testing.T, actual oidc.Time, expected time.Time) {
 	assertOIDCTimeRange(t, actual, expected, expected)
 }