Merge pull request #256 from zitadel/acceptance-test-suite

chore: acceptance test suite

.github/workflows/test.yml

@@ -4,10 +4,6 @@ on: pull_request
 
 jobs:
   quality:
-    env:
-      ZITADEL_IMAGE: ghcr.io/zitadel/zitadel:v2.65.0
-      POSTGRES_IMAGE: postgres:17.0-alpine3.19
-
     name: Ensure Quality
 
     runs-on: ubuntu-latest

acceptance/docker-compose.yaml

@@ -1,7 +1,7 @@
 services:
   zitadel:
     user: "${ZITADEL_DEV_UID}"
-    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:latest}"
+    image: ghcr.io/zitadel/zitadel:v2.65.0
     command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled --config /zitadel.yaml --steps /zitadel.yaml'
     ports:
       - "8080:8080"
@@ -14,7 +14,7 @@ services:
 
   db:
     restart: "always"
-    image: "${POSTGRES_IMAGE:-postgres:latest}"
+    image: postgres:17.0-alpine3.19
     environment:
       - POSTGRES_USER=zitadel
       - PGUSER=zitadel
@@ -44,9 +44,11 @@ services:
       PAT_FILE: /pat/zitadel-admin-sa.pat
       ZITADEL_API_INTERNAL_URL: http://zitadel:8080
       WRITE_ENVIRONMENT_FILE: /apps/login/.env.local
+      WRITE_TEST_ENVIRONMENT_FILE: /acceptance/tests/.env.local
     volumes:
       - "./pat:/pat"
       - "../apps/login:/apps/login"
+      - "../acceptance/tests:/acceptance/tests"
     depends_on:
       wait_for_zitadel:
         condition: "service_completed_successfully"

acceptance/setup.sh

@@ -26,15 +26,19 @@ fi
 
 WRITE_ENVIRONMENT_FILE=${WRITE_ENVIRONMENT_FILE:-$(dirname "$0")/../apps/login/.env.local}
 echo "Writing environment file to ${WRITE_ENVIRONMENT_FILE} when done."
+WRITE_TEST_ENVIRONMENT_FILE=${WRITE_TEST_ENVIRONMENT_FILE:-$(dirname "$0")/../acceptance/tests/.env.local}
+echo "Writing environment file to ${WRITE_TEST_ENVIRONMENT_FILE} when done."
 
 echo "ZITADEL_API_URL=${ZITADEL_API_URL}
 ZITADEL_SERVICE_USER_ID=${ZITADEL_SERVICE_USER_ID}
 ZITADEL_SERVICE_USER_TOKEN=${PAT}
-DEBUG=true" > ${WRITE_ENVIRONMENT_FILE}
-
+DEBUG=true"| tee "${WRITE_ENVIRONMENT_FILE}" "${WRITE_TEST_ENVIRONMENT_FILE}" > /dev/null
 echo "Wrote environment file ${WRITE_ENVIRONMENT_FILE}"
 cat ${WRITE_ENVIRONMENT_FILE}
 
+echo "Wrote environment file ${WRITE_TEST_ENVIRONMENT_FILE}"
+cat ${WRITE_TEST_ENVIRONMENT_FILE}
+
 DEFAULTORG_RESPONSE_RESULTS=0
 # waiting for default organization
 until [ ${DEFAULTORG_RESPONSE_RESULTS} -eq 1 ]

acceptance/tests/admin.spec.ts

@@ -0,0 +1,7 @@
+import { test } from "@playwright/test";
+import { loginScreenExpect, loginWithPassword } from "./login";
+
+test("admin login", async ({ page }) => {
+  await loginWithPassword(page, "zitadel-admin@zitadel.localhost", "Password1!");
+  await loginScreenExpect(page, "ZITADEL Admin");
+});

acceptance/tests/idp-apple.spec.ts

@@ -0,0 +1,94 @@
+// Note for all tests, in case Apple doesn't deliver all relevant information per default
+// We should add an action in the needed cases
+
+import test from "@playwright/test";
+
+test("login with Apple IDP", async ({ page }) => {
+  // Given an Apple IDP is configured on the organization
+  // Given the user has an Apple added as auth method
+  // User authenticates with Apple
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with Apple IDP - error", async ({ page }) => {
+  // Given an Apple IDP is configured on the organization
+  // Given the user has an Apple added as auth method
+  // User is redirected to Apple
+  // User authenticates with Apple and gets an error
+  // User is redirect back to login
+  // An error is shown to the user "Something went wrong in Apple Login"
+});
+
+test("login with Apple IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp Apple is configure on the organization as only authencation method
+  // Given idp Apple is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Apple
+  // User authenticates in Apple
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Apple IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp Apple is configure on the organization as only authencation method
+  // Given idp Apple is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Apple
+  // User authenticates in Apple
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Apple IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp Apple is configure on the organization as only authencation method
+  // Given idp Apple is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Apple
+  // User authenticates in Apple
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with Apple IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp Apple is configure on the organization as only authencation method
+  // Given idp Apple is configure with account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to Apple
+  // User authenticates in Apple with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Apple IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp Apple is configure on the organization as only authencation method
+  // Given idp Apple is configure with manually account linking  not allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Apple
+  // User authenticates in Apple with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with Apple IDP, no user linked, user link successful", async ({ page }) => {
+  // Given idp Apple is configure on the organization as only authencation method
+  // Given idp Apple is configure with manually account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Apple
+  // User authenticates in Apple with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-generic-jwt.spec.ts

@@ -0,0 +1,91 @@
+import test from "@playwright/test";
+
+test("login with Generic JWT IDP", async ({ page }) => {
+  // Given a Generic JWT IDP is configured on the organization
+  // Given the user has Generic JWT IDP added as auth method
+  // User authenticates with the Generic JWT IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with Generic JWT IDP - error", async ({ page }) => {
+  // Given the Generic JWT IDP is configured on the organization
+  // Given the user has Generic JWT IDP added as auth method
+  // User is redirected to the Generic JWT IDP
+  // User authenticates with the Generic JWT IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with Generic JWT IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp Generic JWT is configure on the organization as only authencation method
+  // Given idp Generic JWT is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Generic JWT
+  // User authenticates in Generic JWT
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Generic JWT IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp Generic JWT is configure on the organization as only authencation method
+  // Given idp Generic JWT is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Generic JWT
+  // User authenticates in Generic JWT
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Generic JWT IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp Generic JWT is configure on the organization as only authencation method
+  // Given idp Generic JWT is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Generic JWT
+  // User authenticates in Generic JWT
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with Generic JWT IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp Generic JWT is configure on the organization as only authencation method
+  // Given idp Generic JWT is configure with account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to Generic JWT
+  // User authenticates in Generic JWT with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Generic JWT IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp Generic JWT is configure on the organization as only authencation method
+  // Given idp Generic JWT is configure with manually account linking  not allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Generic JWT
+  // User authenticates in Generic JWT with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with Generic JWT IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp Generic JWT is configure on the organization as only authencation method
+  // Given idp Generic JWT is configure with manually account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Generic JWT
+  // User authenticates in Generic JWT with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-generic-oauth.spec.ts

@@ -0,0 +1,91 @@
+import test from "@playwright/test";
+
+test("login with Generic OAuth IDP", async ({ page }) => {
+  // Given a Generic OAuth IDP is configured on the organization
+  // Given the user has Generic OAuth IDP added as auth method
+  // User authenticates with the Generic OAuth IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with Generic OAuth IDP - error", async ({ page }) => {
+  // Given the Generic OAuth IDP is configured on the organization
+  // Given the user has Generic OAuth IDP added as auth method
+  // User is redirected to the Generic OAuth IDP
+  // User authenticates with the Generic OAuth IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with Generic OAuth IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp Generic OAuth is configure on the organization as only authencation method
+  // Given idp Generic OAuth is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Generic OAuth
+  // User authenticates in Generic OAuth
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Generic OAuth IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp Generic OAuth is configure on the organization as only authencation method
+  // Given idp Generic OAuth is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Generic OAuth
+  // User authenticates in Generic OAuth
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Generic OAuth IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp Generic OAuth is configure on the organization as only authencation method
+  // Given idp Generic OAuth is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Generic OAuth
+  // User authenticates in Generic OAuth
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with Generic OAuth IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp Generic OAuth is configure on the organization as only authencation method
+  // Given idp Generic OAuth is configure with account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to Generic OAuth
+  // User authenticates in Generic OAuth with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Generic OAuth IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp Generic OAuth is configure on the organization as only authencation method
+  // Given idp Generic OAuth is configure with manually account linking  not allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Generic OAuth
+  // User authenticates in Generic OAuth with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with Generic OAuth IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp Generic OAuth is configure on the organization as only authencation method
+  // Given idp Generic OAuth is configure with manually account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Generic OAuth
+  // User authenticates in Generic OAuth with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-generic-oidc.spec.ts

@@ -0,0 +1,93 @@
+// Note, we should use a provider such as Google to test this, where we know OIDC standard is properly implemented
+
+import test from "@playwright/test";
+
+test("login with Generic OIDC IDP", async ({ page }) => {
+  // Given a Generic OIDC IDP is configured on the organization
+  // Given the user has Generic OIDC IDP added as auth method
+  // User authenticates with the Generic OIDC IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with Generic OIDC IDP - error", async ({ page }) => {
+  // Given the Generic OIDC IDP is configured on the organization
+  // Given the user has Generic OIDC IDP added as auth method
+  // User is redirected to the Generic OIDC IDP
+  // User authenticates with the Generic OIDC IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with Generic OIDC IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp Generic OIDC is configure on the organization as only authencation method
+  // Given idp Generic OIDC is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Generic OIDC
+  // User authenticates in Generic OIDC
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Generic OIDC IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp Generic OIDC is configure on the organization as only authencation method
+  // Given idp Generic OIDC is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Generic OIDC
+  // User authenticates in Generic OIDC
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Generic OIDC IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp Generic OIDC is configure on the organization as only authencation method
+  // Given idp Generic OIDC is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Generic OIDC
+  // User authenticates in Generic OIDC
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with Generic OIDC IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp Generic OIDC is configure on the organization as only authencation method
+  // Given idp Generic OIDC is configure with account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to Generic OIDC
+  // User authenticates in Generic OIDC with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Generic OIDC IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp Generic OIDC is configure on the organization as only authencation method
+  // Given idp Generic OIDC is configure with manually account linking  not allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Generic OIDC
+  // User authenticates in Generic OIDC with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with Generic OIDC IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp Generic OIDC is configure on the organization as only authencation method
+  // Given idp Generic OIDC is configure with manually account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Generic OIDC
+  // User authenticates in Generic OIDC with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-github-enterprise.spec.ts

@@ -0,0 +1,95 @@
+import test from "@playwright/test";
+
+test("login with GitHub Enterprise IDP", async ({ page }) => {
+  // Given a GitHub Enterprise IDP is configured on the organization
+  // Given the user has GitHub Enterprise IDP added as auth method
+  // User authenticates with the GitHub Enterprise IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with GitHub Enterprise IDP - error", async ({ page }) => {
+  // Given the GitHub Enterprise IDP is configured on the organization
+  // Given the user has GitHub Enterprise IDP added as auth method
+  // User is redirected to the GitHub Enterprise IDP
+  // User authenticates with the GitHub Enterprise IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with GitHub Enterprise IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp GitHub Enterprise is configure on the organization as only authencation method
+  // Given idp GitHub Enterprise is configure with account creation alloweed, and automatic creation enabled
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given no user exists yet
+  // User is automatically redirected to GitHub Enterprise
+  // User authenticates in GitHub Enterprise
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with GitHub Enterprise IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp GitHub Enterprise is configure on the organization as only authencation method
+  // Given idp GitHub Enterprise is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to GitHub Enterprise
+  // User authenticates in GitHub Enterprise
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with GitHub Enterprise IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp GitHub Enterprise is configure on the organization as only authencation method
+  // Given idp GitHub Enterprise is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to GitHub Enterprise
+  // User authenticates in GitHub Enterprise
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with GitHub Enterprise IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp GitHub Enterprise is configure on the organization as only authencation method
+  // Given idp GitHub Enterprise is configure with account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to GitHub Enterprise
+  // User authenticates in GitHub Enterprise with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with GitHub Enterprise IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp GitHub Enterprise is configure on the organization as only authencation method
+  // Given idp GitHub Enterprise is configure with manually account linking  not allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to GitHub Enterprise
+  // User authenticates in GitHub Enterprise with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with GitHub Enterprise IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp GitHub Enterprise is configure on the organization as only authencation method
+  // Given idp GitHub Enterprise is configure with manually account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to GitHub Enterprise
+  // User authenticates in GitHub Enterprise with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-github.spec.ts

@@ -0,0 +1,95 @@
+import test from "@playwright/test";
+
+test("login with GitHub IDP", async ({ page }) => {
+  // Given a GitHub IDP is configured on the organization
+  // Given the user has GitHub IDP added as auth method
+  // User authenticates with the GitHub IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with GitHub IDP - error", async ({ page }) => {
+  // Given the GitHub IDP is configured on the organization
+  // Given the user has GitHub IDP added as auth method
+  // User is redirected to the GitHub IDP
+  // User authenticates with the GitHub IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with GitHub IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp GitHub is configure on the organization as only authencation method
+  // Given idp GitHub is configure with account creation alloweed, and automatic creation enabled
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given no user exists yet
+  // User is automatically redirected to GitHub
+  // User authenticates in GitHub
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with GitHub IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp GitHub is configure on the organization as only authencation method
+  // Given idp GitHub is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to GitHub
+  // User authenticates in GitHub
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with GitHub IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp GitHub is configure on the organization as only authencation method
+  // Given idp GitHub is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to GitHub
+  // User authenticates in GitHub
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with GitHub IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp GitHub is configure on the organization as only authencation method
+  // Given idp GitHub is configure with account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to GitHub
+  // User authenticates in GitHub with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with GitHub IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp GitHub is configure on the organization as only authencation method
+  // Given idp GitHub is configure with manually account linking  not allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to GitHub
+  // User authenticates in GitHub with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with GitHub IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp GitHub is configure on the organization as only authencation method
+  // Given idp GitHub is configure with manually account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to GitHub
+  // User authenticates in GitHub with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-gitlab-self-hosted.spec.ts

@@ -0,0 +1,95 @@
+import test from "@playwright/test";
+
+test("login with GitLab Self-Hosted IDP", async ({ page }) => {
+  // Given a GitLab Self-Hosted IDP is configured on the organization
+  // Given the user has GitLab Self-Hosted IDP added as auth method
+  // User authenticates with the GitLab Self-Hosted IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with GitLab Self-Hosted IDP - error", async ({ page }) => {
+  // Given the GitLab Self-Hosted IDP is configured on the organization
+  // Given the user has GitLab Self-Hosted IDP added as auth method
+  // User is redirected to the GitLab Self-Hosted IDP
+  // User authenticates with the GitLab Self-Hosted IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with Gitlab Self-Hosted IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
+  // Given idp Gitlab Self-Hosted is configure with account creation alloweed, and automatic creation enabled
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given no user exists yet
+  // User is automatically redirected to Gitlab Self-Hosted
+  // User authenticates in Gitlab Self-Hosted
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Gitlab Self-Hosted IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
+  // Given idp Gitlab Self-Hosted is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Gitlab Self-Hosted
+  // User authenticates in Gitlab Self-Hosted
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Gitlab Self-Hosted IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
+  // Given idp Gitlab Self-Hosted is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Gitlab Self-Hosted
+  // User authenticates in Gitlab Self-Hosted
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with Gitlab Self-Hosted IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
+  // Given idp Gitlab Self-Hosted is configure with account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to Gitlab Self-Hosted
+  // User authenticates in Gitlab Self-Hosted with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Gitlab Self-Hosted IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
+  // Given idp Gitlab Self-Hosted is configure with manually account linking  not allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Gitlab Self-Hosted
+  // User authenticates in Gitlab Self-Hosted with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with Gitlab Self-Hosted IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
+  // Given idp Gitlab Self-Hosted is configure with manually account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Gitlab Self-Hosted
+  // User authenticates in Gitlab Self-Hosted with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-gitlab.spec.ts

@@ -0,0 +1,95 @@
+import test from "@playwright/test";
+
+test("login with GitLab IDP", async ({ page }) => {
+  // Given a GitLab IDP is configured on the organization
+  // Given the user has GitLab IDP added as auth method
+  // User authenticates with the GitLab IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with GitLab IDP - error", async ({ page }) => {
+  // Given the GitLab IDP is configured on the organization
+  // Given the user has GitLab IDP added as auth method
+  // User is redirected to the GitLab IDP
+  // User authenticates with the GitLab IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with Gitlab IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp Gitlab is configure on the organization as only authencation method
+  // Given idp Gitlab is configure with account creation alloweed, and automatic creation enabled
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given no user exists yet
+  // User is automatically redirected to Gitlab
+  // User authenticates in Gitlab
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Gitlab IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp Gitlab is configure on the organization as only authencation method
+  // Given idp Gitlab is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Gitlab
+  // User authenticates in Gitlab
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Gitlab IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp Gitlab is configure on the organization as only authencation method
+  // Given idp Gitlab is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Gitlab
+  // User authenticates in Gitlab
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with Gitlab IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp Gitlab is configure on the organization as only authencation method
+  // Given idp Gitlab is configure with account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to Gitlab
+  // User authenticates in Gitlab with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Gitlab IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp Gitlab is configure on the organization as only authencation method
+  // Given idp Gitlab is configure with manually account linking  not allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Gitlab
+  // User authenticates in Gitlab with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with Gitlab IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp Gitlab is configure on the organization as only authencation method
+  // Given idp Gitlab is configure with manually account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Gitlab
+  // User authenticates in Gitlab with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-google.spec.ts

@@ -0,0 +1,91 @@
+import test from "@playwright/test";
+
+test("login with Google IDP", async ({ page }) => {
+  // Given a Google IDP is configured on the organization
+  // Given the user has Google IDP added as auth method
+  // User authenticates with the Google IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with Google IDP - error", async ({ page }) => {
+  // Given the Google IDP is configured on the organization
+  // Given the user has Google IDP added as auth method
+  // User is redirected to the Google IDP
+  // User authenticates with the Google IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with Google IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp Google is configure on the organization as only authencation method
+  // Given idp Google is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Google
+  // User authenticates in Google
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Google IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp Google is configure on the organization as only authencation method
+  // Given idp Google is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Google
+  // User authenticates in Google
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Google IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp Google is configure on the organization as only authencation method
+  // Given idp Google is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Google
+  // User authenticates in Google
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with Google IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp Google is configure on the organization as only authencation method
+  // Given idp Google is configure with account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to Google
+  // User authenticates in Google with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Google IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp Google is configure on the organization as only authencation method
+  // Given idp Google is configure with manually account linking  not allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Google
+  // User authenticates in Google with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with Google IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp Google is configure on the organization as only authencation method
+  // Given idp Google is configure with manually account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Google
+  // User authenticates in Google with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-ldap.spec.ts

@@ -0,0 +1,91 @@
+import test from "@playwright/test";
+
+test("login with LDAP IDP", async ({ page }) => {
+  // Given a LDAP IDP is configured on the organization
+  // Given the user has LDAP IDP added as auth method
+  // User authenticates with the LDAP IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with LDAP IDP - error", async ({ page }) => {
+  // Given the LDAP IDP is configured on the organization
+  // Given the user has LDAP IDP added as auth method
+  // User is redirected to the LDAP IDP
+  // User authenticates with the LDAP IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with LDAP IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp LDAP is configure on the organization as only authencation method
+  // Given idp LDAP is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to LDAP
+  // User authenticates in LDAP
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with LDAP IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp LDAP is configure on the organization as only authencation method
+  // Given idp LDAP is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to LDAP
+  // User authenticates in LDAP
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with LDAP IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp LDAP is configure on the organization as only authencation method
+  // Given idp LDAP is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to LDAP
+  // User authenticates in LDAP
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with LDAP IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp LDAP is configure on the organization as only authencation method
+  // Given idp LDAP is configure with account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to LDAP
+  // User authenticates in LDAP with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with LDAP IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp LDAP is configure on the organization as only authencation method
+  // Given idp LDAP is configure with manually account linking  not allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to LDAP
+  // User authenticates in LDAP with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with LDAP IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp LDAP is configure on the organization as only authencation method
+  // Given idp LDAP is configure with manually account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to LDAP
+  // User authenticates in LDAP with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-microsoft.spec.ts

@@ -0,0 +1,94 @@
+// Note for all tests, in case Microsoft doesn't deliver all relevant information per default
+// We should add an action in the needed cases
+
+import test from "@playwright/test";
+
+test("login with Microsoft IDP", async ({ page }) => {
+  // Given a Microsoft IDP is configured on the organization
+  // Given the user has Microsoft IDP added as auth method
+  // User authenticates with the Microsoft IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with Microsoft IDP - error", async ({ page }) => {
+  // Given the Microsoft IDP is configured on the organization
+  // Given the user has Microsoft IDP added as auth method
+  // User is redirected to the Microsoft IDP
+  // User authenticates with the Microsoft IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with Microsoft IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp Microsoft is configure on the organization as only authencation method
+  // Given idp Microsoft is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Microsoft
+  // User authenticates in Microsoft
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Microsoft IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp Microsoft is configure on the organization as only authencation method
+  // Given idp Microsoft is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Microsoft
+  // User authenticates in Microsoft
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Microsoft IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp Microsoft is configure on the organization as only authencation method
+  // Given idp Microsoft is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to Microsoft
+  // User authenticates in Microsoft
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with Microsoft IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp Microsoft is configure on the organization as only authencation method
+  // Given idp Microsoft is configure with account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to Microsoft
+  // User authenticates in Microsoft with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with Microsoft IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp Microsoft is configure on the organization as only authencation method
+  // Given idp Microsoft is configure with manually account linking  not allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Microsoft
+  // User authenticates in Microsoft with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with Microsoft IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp Microsoft is configure on the organization as only authencation method
+  // Given idp Microsoft is configure with manually account linking allowed, and linking set to existing email
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to Microsoft
+  // User authenticates in Microsoft with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/idp-saml.spec.ts

@@ -0,0 +1,95 @@
+import test from "@playwright/test";
+
+test("login with SAML IDP", async ({ page }) => {
+  // Given a SAML IDP is configured on the organization
+  // Given the user has SAML IDP added as auth method
+  // User authenticates with the SAML IDP
+  // User is redirected back to login
+  // User is redirected to the app
+});
+
+test("login with SAML IDP - error", async ({ page }) => {
+  // Given the SAML IDP is configured on the organization
+  // Given the user has SAML IDP added as auth method
+  // User is redirected to the SAML IDP
+  // User authenticates with the SAML IDP and gets an error
+  // User is redirected back to login
+  // An error is shown to the user "Something went wrong"
+});
+
+test("login with SAML IDP, no user existing - auto register", async ({ page }) => {
+  // Given idp SAML is configure on the organization as only authencation method
+  // Given idp SAML is configure with account creation alloweed, and automatic creation enabled
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given no user exists yet
+  // User is automatically redirected to SAML
+  // User authenticates in SAML
+  // User is redirect to ZITADEL login
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with SAML IDP, no user existing - auto register not possible", async ({ page }) => {
+  // Given idp SAML is configure on the organization as only authencation method
+  // Given idp SAML is configure with account creation alloweed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to SAML
+  // User authenticates in SAML
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // User will see the registration page with pre filled user information
+  // User fills missing information
+  // User clicks register button
+  // User is created in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with SAML IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
+  page,
+}) => {
+  // Given idp SAML is configure on the organization as only authencation method
+  // Given idp SAML is configure with account creation not allowed, and automatic creation enabled
+  // Given no user exists yet
+  // User is automatically redirected to SAML
+  // User authenticates in SAML
+  // User is redirect to ZITADEL login
+  // Because of missing informaiton on the user auto creation is not possible
+  // Error message is shown, that registration of the user was not possible due to missing information
+});
+
+test("login with SAML IDP, no user linked - auto link", async ({ page }) => {
+  // Given idp SAML is configure on the organization as only authencation method
+  // Given idp SAML is configure with account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com exists
+  // User is automatically redirected to SAML
+  // User authenticates in SAML with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User is linked with existing user in ZITADEL
+  // User is redirected to the app (default redirect url)
+});
+
+test("login with SAML IDP, no user linked, linking not possible", async ({ page }) => {
+  // Given idp SAML is configure on the organization as only authencation method
+  // Given idp SAML is configure with manually account linking  not allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to SAML
+  // User authenticates in SAML with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User will get an error message that account linking wasn't possible
+});
+
+test("login with SAML IDP, no user linked, linking successful", async ({ page }) => {
+  // Given idp SAML is configure on the organization as only authencation method
+  // Given idp SAML is configure with manually account linking allowed, and linking set to existing email
+  // Given ZITADEL Action is added to autofill missing user information
+  // Given user with email address user@zitadel.com doesn't exists
+  // User is automatically redirected to SAML
+  // User authenticates in SAML with user@zitadel.com
+  // User is redirect to ZITADEL login
+  // User with email address user@zitadel.com can not be found
+  // User is prompted to link the account manually
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/login-configuration-possiblities.spec.ts

@@ -0,0 +1,51 @@
+import test from "@playwright/test";
+
+test("login with mfa setup, mfa setup prompt", async ({ page }) => {
+  // Given the organization has enabled at least one mfa types
+  // Given the user has a password but no mfa registered
+  // User authenticates with login name and password
+  // User is prompted to setup a mfa, mfa providers are listed, the user can choose the provider
+});
+
+test("login with mfa setup, no mfa setup prompt", async ({ page }) => {
+  // Given the organization has set "multifactor init check time" to 0
+  // Given the organization has enabled mfa types
+  // Given the user has a password but no mfa registered
+  // User authenticates with loginname and password
+  // user is directly loged in and not prompted to setup mfa
+});
+
+test("login with mfa setup, force mfa for local authenticated users", async ({ page }) => {
+  // Given the organization has enabled force mfa for local authentiacted users
+  // Given the organization has enabled all possible mfa types
+  // Given the user has a password but no mfa registered
+  // User authenticates with loginname and password
+  // User is prompted to setup a mfa, all possible mfa providers are listed, the user can choose the provider
+});
+
+test("login with mfa setup, force mfa - local user", async ({ page }) => {
+  // Given the organization has enabled force mfa for local authentiacted users
+  // Given the organization has enabled all possible mfa types
+  // Given the user has a password but no mfa registered
+  // User authenticates with loginname and password
+  // User is prompted to setup a mfa, all possible mfa providers are listed, the user can choose the provider
+});
+
+test("login with mfa setup, force mfa - external user", async ({ page }) => {
+  // Given the organization has enabled force mfa
+  // Given the organization has enabled all possible mfa types
+  // Given the user has an idp but no mfa registered
+  // enter login name
+  // redirect to configured external idp
+  // User is prompted to setup a mfa, all possible mfa providers are listed, the user can choose the provider
+});
+
+test("login with mfa setup, force mfa - local user, wrong password", async ({ page }) => {
+  // Given the organization has a password lockout policy set to 1 on the max password attempts
+  // Given the user has only a password as auth methos
+  // enter login name
+  // enter wrong password
+  // User will get an error "Wrong password"
+  // enter password
+  // User will get an error "Max password attempts reached - user is locked. Please reach out to your administrator"
+});

acceptance/tests/login.ts

@@ -0,0 +1,28 @@
+import { expect, Page } from "@playwright/test";
+import { loginname } from "./loginname";
+import { password } from "./password";
+
+export async function startLogin(page: Page) {
+  await page.goto("/loginname");
+}
+
+export async function loginWithPassword(page: Page, username: string, pw: string) {
+  await startLogin(page);
+  await loginname(page, username);
+  await password(page, pw);
+}
+
+export async function loginWithPasskey(page: Page, authenticatorId: string, username: string) {
+  await startLogin(page);
+  await loginname(page, username);
+  // await passkey(page, authenticatorId);
+}
+
+export async function loginScreenExpect(page: Page, fullName: string) {
+  await expect(page).toHaveURL(/signedin.*/);
+  await expect(page.getByRole("heading")).toContainText(fullName);
+}
+
+export async function loginWithOTP(page: Page, username: string, password: string) {
+  await loginWithPassword(page, username, password);
+}

acceptance/tests/loginname-screen.ts

@@ -0,0 +1,12 @@
+import { expect, Page } from "@playwright/test";
+
+const usernameUserInput = "username-text-input";
+
+export async function loginnameScreen(page: Page, username: string) {
+  await page.getByTestId(usernameUserInput).pressSequentially(username);
+}
+
+export async function loginnameScreenExpect(page: Page, username: string) {
+  await expect(page.getByTestId(usernameUserInput)).toHaveValue(username);
+  await expect(page.getByTestId("error").locator("div")).toContainText("Could not find user");
+}

acceptance/tests/loginname.ts

@@ -0,0 +1,7 @@
+import { Page } from "@playwright/test";
+import { loginnameScreen } from "./loginname-screen";
+
+export async function loginname(page: Page, username: string) {
+  await loginnameScreen(page, username);
+  await page.getByTestId("submit-button").click();
+}

acceptance/tests/otp.ts

@@ -0,0 +1,31 @@
+import * as http from "node:http";
+
+let messages = new Map<string, any>();
+
+export function startSink() {
+  const hostname = "127.0.0.1";
+  const port = 3030;
+
+  const server = http.createServer((req, res) => {
+    console.log("Sink received message: ");
+    let body = "";
+    req.on("data", (chunk) => {
+      body += chunk;
+    });
+
+    req.on("end", () => {
+      console.log(body);
+      const data = JSON.parse(body);
+      messages.set(data.contextInfo.recipientEmailAddress, data.args.code);
+      res.statusCode = 200;
+      res.setHeader("Content-Type", "text/plain");
+      res.write("OK");
+      res.end();
+    });
+  });
+
+  server.listen(port, hostname, () => {
+    console.log(`Sink running at http://${hostname}:${port}/`);
+  });
+  return server;
+}

acceptance/tests/passkey.ts

@@ -0,0 +1,109 @@
+import { expect, Page } from "@playwright/test";
+import { CDPSession } from "playwright-core";
+
+interface session {
+  client: CDPSession;
+  authenticatorId: string;
+}
+
+async function client(page: Page): Promise<session> {
+  const cdpSession = await page.context().newCDPSession(page);
+  await cdpSession.send("WebAuthn.enable", { enableUI: false });
+  const result = await cdpSession.send("WebAuthn.addVirtualAuthenticator", {
+    options: {
+      protocol: "ctap2",
+      transport: "internal",
+      hasResidentKey: true,
+      hasUserVerification: true,
+      isUserVerified: true,
+      automaticPresenceSimulation: true,
+    },
+  });
+  return { client: cdpSession, authenticatorId: result.authenticatorId };
+}
+
+export async function passkeyRegister(page: Page): Promise<string> {
+  const session = await client(page);
+
+  await passkeyNotExisting(session.client, session.authenticatorId);
+  await simulateSuccessfulPasskeyRegister(session.client, session.authenticatorId, () =>
+    page.getByTestId("submit-button").click(),
+  );
+  await passkeyRegistered(session.client, session.authenticatorId);
+
+  return session.authenticatorId;
+}
+
+export async function passkey(page: Page, authenticatorId: string) {
+  const cdpSession = await page.context().newCDPSession(page);
+  await cdpSession.send("WebAuthn.enable", { enableUI: false });
+
+  const signCount = await passkeyExisting(cdpSession, authenticatorId);
+
+  await simulateSuccessfulPasskeyInput(cdpSession, authenticatorId, () => page.getByTestId("submit-button").click());
+
+  await passkeyUsed(cdpSession, authenticatorId, signCount);
+}
+
+async function passkeyNotExisting(client: CDPSession, authenticatorId: string) {
+  const result = await client.send("WebAuthn.getCredentials", { authenticatorId });
+  expect(result.credentials).toHaveLength(0);
+}
+
+async function passkeyRegistered(client: CDPSession, authenticatorId: string) {
+  const result = await client.send("WebAuthn.getCredentials", { authenticatorId });
+  expect(result.credentials).toHaveLength(1);
+  await passkeyUsed(client, authenticatorId, 0);
+}
+
+async function passkeyExisting(client: CDPSession, authenticatorId: string): Promise<number> {
+  const result = await client.send("WebAuthn.getCredentials", { authenticatorId });
+  expect(result.credentials).toHaveLength(1);
+  return result.credentials[0].signCount;
+}
+
+async function passkeyUsed(client: CDPSession, authenticatorId: string, signCount: number) {
+  const result = await client.send("WebAuthn.getCredentials", { authenticatorId });
+  expect(result.credentials).toHaveLength(1);
+  expect(result.credentials[0].signCount).toBeGreaterThan(signCount);
+}
+
+async function simulateSuccessfulPasskeyRegister(
+  client: CDPSession,
+  authenticatorId: string,
+  operationTrigger: () => Promise<void>,
+) {
+  // initialize event listeners to wait for a successful passkey input event
+  const operationCompleted = new Promise<void>((resolve) => {
+    client.on("WebAuthn.credentialAdded", () => {
+      console.log("Credential Added!");
+      resolve();
+    });
+  });
+
+  // perform a user action that triggers passkey prompt
+  await operationTrigger();
+
+  // wait to receive the event that the passkey was successfully registered or verified
+  await operationCompleted;
+}
+
+async function simulateSuccessfulPasskeyInput(
+  client: CDPSession,
+  authenticatorId: string,
+  operationTrigger: () => Promise<void>,
+) {
+  // initialize event listeners to wait for a successful passkey input event
+  const operationCompleted = new Promise<void>((resolve) => {
+    client.on("WebAuthn.credentialAsserted", () => {
+      console.log("Credential Asserted!");
+      resolve();
+    });
+  });
+
+  // perform a user action that triggers passkey prompt
+  await operationTrigger();
+
+  // wait to receive the event that the passkey was successfully registered or verified
+  await operationCompleted;
+}

acceptance/tests/password-screen.ts

@@ -0,0 +1,57 @@
+import { expect, Page } from "@playwright/test";
+
+const passwordField = "password-text-input";
+const passwordConfirmField = "password-confirm-text-input";
+const lengthCheck = "length-check";
+const symbolCheck = "symbol-check";
+const numberCheck = "number-check";
+const uppercaseCheck = "uppercase-check";
+const lowercaseCheck = "lowercase-check";
+const equalCheck = "equal-check";
+
+const matchText = "Matches";
+const noMatchText = "Doesn't match";
+
+export async function changePasswordScreen(page: Page, password1: string, password2: string) {
+  await page.getByTestId(passwordField).pressSequentially(password1);
+  await page.getByTestId(passwordConfirmField).pressSequentially(password2);
+}
+
+export async function passwordScreen(page: Page, password: string) {
+  await page.getByTestId(passwordField).pressSequentially(password);
+}
+
+export async function passwordScreenExpect(page: Page, password: string) {
+  await expect(page.getByTestId(passwordField)).toHaveValue(password);
+  await expect(page.getByTestId("error").locator("div")).toContainText("Could not verify password");
+}
+
+export async function changePasswordScreenExpect(
+  page: Page,
+  password1: string,
+  password2: string,
+  length: boolean,
+  symbol: boolean,
+  number: boolean,
+  uppercase: boolean,
+  lowercase: boolean,
+  equals: boolean,
+) {
+  await expect(page.getByTestId(passwordField)).toHaveValue(password1);
+  await expect(page.getByTestId(passwordConfirmField)).toHaveValue(password2);
+
+  await checkContent(page, lengthCheck, length);
+  await checkContent(page, symbolCheck, symbol);
+  await checkContent(page, numberCheck, number);
+  await checkContent(page, uppercaseCheck, uppercase);
+  await checkContent(page, lowercaseCheck, lowercase);
+  await checkContent(page, equalCheck, equals);
+}
+
+async function checkContent(page: Page, testid: string, match: boolean) {
+  if (match) {
+    await expect(page.getByTestId(testid)).toContainText(matchText);
+  } else {
+    await expect(page.getByTestId(testid)).toContainText(noMatchText);
+  }
+}

acceptance/tests/password.ts

@@ -0,0 +1,19 @@
+import { Page } from "@playwright/test";
+import { changePasswordScreen, passwordScreen } from "./password-screen";
+
+const passwordSubmitButton = "submit-button";
+
+export async function startChangePassword(page: Page, loginname: string) {
+  await page.goto("/password/change?" + new URLSearchParams({ loginName: loginname }));
+}
+
+export async function changePassword(page: Page, loginname: string, password: string) {
+  await startChangePassword(page, loginname);
+  await changePasswordScreen(page, password, password);
+  await page.getByTestId(passwordSubmitButton).click();
+}
+
+export async function password(page: Page, password: string) {
+  await passwordScreen(page, password);
+  await page.getByTestId(passwordSubmitButton).click();
+}

acceptance/tests/register-screen.ts

@@ -0,0 +1,27 @@
+import { Page } from "@playwright/test";
+
+const passwordField = "password-text-input";
+const passwordConfirmField = "password-confirm-text-input";
+
+export async function registerUserScreenPassword(page: Page, firstname: string, lastname: string, email: string) {
+  await registerUserScreen(page, firstname, lastname, email);
+  await page.getByTestId("Password-radio").click();
+}
+
+export async function registerUserScreenPasskey(page: Page, firstname: string, lastname: string, email: string) {
+  await registerUserScreen(page, firstname, lastname, email);
+  await page.getByTestId("Passkeys-radio").click();
+}
+
+export async function registerPasswordScreen(page: Page, password1: string, password2: string) {
+  await page.getByTestId(passwordField).pressSequentially(password1);
+  await page.getByTestId(passwordConfirmField).pressSequentially(password2);
+}
+
+export async function registerUserScreen(page: Page, firstname: string, lastname: string, email: string) {
+  await page.getByTestId("firstname-text-input").pressSequentially(firstname);
+  await page.getByTestId("lastname-text-input").pressSequentially(lastname);
+  await page.getByTestId("email-text-input").pressSequentially(email);
+  await page.getByTestId("privacy-policy-checkbox").check();
+  await page.getByTestId("tos-checkbox").check();
+}

acceptance/tests/register.spec.ts

@@ -0,0 +1,161 @@
+import { test } from "@playwright/test";
+import { loginScreenExpect } from "./login";
+import { registerWithPasskey, registerWithPassword } from "./register";
+import { removeUserByUsername } from "./zitadel";
+
+test("register with password", async ({ page }) => {
+  const username = "register-password@example.com";
+  const password = "Password1!";
+  const firstname = "firstname";
+  const lastname = "lastname";
+
+  await removeUserByUsername(username);
+  await registerWithPassword(page, firstname, lastname, username, password, password);
+  await loginScreenExpect(page, firstname + " " + lastname);
+});
+
+test("register with passkey", async ({ page }) => {
+  const username = "register-passkey@example.com";
+  const firstname = "firstname";
+  const lastname = "lastname";
+
+  await removeUserByUsername(username);
+  await registerWithPasskey(page, firstname, lastname, username);
+  await loginScreenExpect(page, firstname + " " + lastname);
+});
+
+test("register with username and password - only password enabled", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization no idp is configured and enabled
+  // Given on the default organization passkey is not enabled
+  // Given user doesn't exist
+  // Click on button "register new user"
+  // User is redirected to registration page
+  // Only password is shown as an option - no passkey
+  // User enters "firstname", "lastname", "username" and "password"
+  // User is redirected to app (default redirect url)
+});
+
+test("register with username and password - wrong password not enough characters", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization no idp is configured and enabled
+  // Given on the default organization passkey is not enabled
+  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
+  // Given user doesn't exist
+  // Click on button "register new user"
+  // User is redirected to registration page
+  // Only password is shown as an option - no passkey
+  // User enters "firstname", "lastname", "username" and a password thats to short
+  // Error is shown "Password doesn't match the policy - it must have at least 8 characters"
+});
+
+test("register with username and password - wrong password number missing", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization no idp is configured and enabled
+  // Given on the default organization passkey is not enabled
+  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
+  // Given user doesn't exist
+  // Click on button "register new user"
+  // User is redirected to registration page
+  // Only password is shown as an option - no passkey
+  // User enters "firstname", "lastname", "username" and a password without a number
+  // Error is shown "Password doesn't match the policy - number missing"
+});
+
+test("register with username and password - wrong password upper case missing", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization no idp is configured and enabled
+  // Given on the default organization passkey is not enabled
+  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
+  // Given user doesn't exist
+  // Click on button "register new user"
+  // User is redirected to registration page
+  // Only password is shown as an option - no passkey
+  // User enters "firstname", "lastname", "username" and a password without an upper case
+  // Error is shown "Password doesn't match the policy - uppercase letter missing"
+});
+
+test("register with username and password - wrong password lower case missing", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization no idp is configured and enabled
+  // Given on the default organization passkey is not enabled
+  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
+  // Given user doesn't exist
+  // Click on button "register new user"
+  // User is redirected to registration page
+  // Only password is shown as an option - no passkey
+  // User enters "firstname", "lastname", "username" and a password without an lower case
+  // Error is shown "Password doesn't match the policy - lowercase letter missing"
+});
+
+test("register with username and password - wrong password symboo missing", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization no idp is configured and enabled
+  // Given on the default organization passkey is not enabled
+  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
+  // Given user doesn't exist
+  // Click on button "register new user"
+  // User is redirected to registration page
+  // Only password is shown as an option - no passkey
+  // User enters "firstname", "lastname", "username" and a password without an symbol
+  // Error is shown "Password doesn't match the policy - symbol missing"
+});
+
+test("register with username and password - password and passkey enabled", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization no idp is configured and enabled
+  // Given on the default organization passkey is enabled
+  // Given user doesn't exist
+  // Click on button "register new user"
+  // User is redirected to registration page
+  // User enters "firstname", "lastname", "username"
+  // Password and passkey are shown as authentication option
+  // User clicks password
+  // User enters password
+  // User is redirected to app (default redirect url)
+});
+
+test("register with username and passkey - password and passkey enabled", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization no idp is configured and enabled
+  // Given on the default organization passkey is enabled
+  // Given user doesn't exist
+  // Click on button "register new user"
+  // User is redirected to registration page
+  // User enters "firstname", "lastname", "username"
+  // Password and passkey are shown as authentication option
+  // User clicks passkey
+  // Passkey is opened automatically
+  // User verifies passkey
+  // User is redirected to app (default redirect url)
+});
+
+test("register with username and password - registration disabled", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization no idp is configured and enabled
+  // Given user doesn't exist
+  // Button "register new user" is not available
+});
+
+test("register with username and password - multiple registration options", async ({ page }) => {
+  // Given on the default organization "username and password is allowed" is enabled
+  // Given on the default organization "username registeration allowed" is enabled
+  // Given on the default organization one idp is configured and enabled
+  // Given user doesn't exist
+  // Click on button "register new user"
+  // User is redirected to registration options
+  // Local User and idp button are shown
+  // User clicks idp button
+  // User enters "firstname", "lastname", "username" and "password"
+  // User clicks next
+  // User is redirected to app (default redirect url)
+});

acceptance/tests/register.ts

@@ -0,0 +1,25 @@
+import { Page } from "@playwright/test";
+import { passkeyRegister } from "./passkey";
+import { registerPasswordScreen, registerUserScreenPasskey, registerUserScreenPassword } from "./register-screen";
+
+export async function registerWithPassword(
+  page: Page,
+  firstname: string,
+  lastname: string,
+  email: string,
+  password1: string,
+  password2: string,
+) {
+  await page.goto("/register");
+  await registerUserScreenPassword(page, firstname, lastname, email);
+  await page.getByTestId("submit-button").click();
+  await registerPasswordScreen(page, password1, password2);
+  await page.getByTestId("submit-button").click();
+}
+
+export async function registerWithPasskey(page: Page, firstname: string, lastname: string, email: string): Promise<string> {
+  await page.goto("/register");
+  await registerUserScreenPasskey(page, firstname, lastname, email);
+  await page.getByTestId("submit-button").click();
+  return await passkeyRegister(page);
+}

acceptance/tests/user.ts

@@ -0,0 +1,216 @@
+import { Page } from "@playwright/test";
+import axios from "axios";
+import { registerWithPasskey } from "./register";
+import { getUserByUsername, removeUser } from "./zitadel";
+
+export interface userProps {
+  email: string;
+  firstName: string;
+  lastName: string;
+  organization: string;
+  password: string;
+}
+
+class User {
+  private readonly props: userProps;
+  private user: string;
+
+  constructor(userProps: userProps) {
+    this.props = userProps;
+  }
+
+  async ensure(page: Page) {
+    await this.remove();
+
+    const body = {
+      username: this.props.email,
+      organization: {
+        orgId: this.props.organization,
+      },
+      profile: {
+        givenName: this.props.firstName,
+        familyName: this.props.lastName,
+      },
+      email: {
+        email: this.props.email,
+        isVerified: true,
+      },
+      password: {
+        password: this.props.password!,
+      },
+    };
+
+    try {
+      const response = await axios.post(`${process.env.ZITADEL_API_URL}/v2/users/human`, body, {
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+        },
+      });
+
+      if (response.status >= 400 && response.status !== 409) {
+        const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+        console.error(error);
+        throw new Error(error);
+      }
+    } catch (error) {
+      console.error("Error making request:", error);
+      throw error;
+    }
+
+    // wait for projection of user
+    await page.waitForTimeout(3000);
+  }
+
+  async remove() {
+    const resp: any = await getUserByUsername(this.getUsername());
+    if (!resp || !resp.result || !resp.result[0]) {
+      return;
+    }
+    await removeUser(resp.result[0].userId);
+  }
+
+  public setUserId(userId: string) {
+    this.user = userId;
+  }
+
+  public getUserId() {
+    return this.user;
+  }
+
+  public getUsername() {
+    return this.props.email;
+  }
+
+  public getPassword() {
+    return this.props.password;
+  }
+
+  public getFirstname() {
+    return this.props.firstName;
+  }
+
+  public getLastname() {
+    return this.props.lastName;
+  }
+
+  public getFullName() {
+    return `${this.props.firstName} ${this.props.lastName}`;
+  }
+}
+
+export class PasswordUser extends User {}
+
+export enum OtpType {
+  sms = "sms",
+  email = "email",
+}
+
+export interface otpUserProps {
+  email: string;
+  firstName: string;
+  lastName: string;
+  organization: string;
+  password: string;
+  type: OtpType;
+}
+
+export class PasswordUserWithOTP extends User {
+  private type: OtpType;
+  private code: string;
+
+  constructor(props: otpUserProps) {
+    super({
+      email: props.email,
+      firstName: props.firstName,
+      lastName: props.lastName,
+      organization: props.organization,
+      password: props.password,
+    });
+    this.type = props.type;
+  }
+
+  async ensure(page: Page) {
+    await super.ensure(page);
+
+    let url = "otp_";
+    switch (this.type) {
+      case OtpType.sms:
+        url = url + "sms";
+        break;
+      case OtpType.email:
+        url = url + "email";
+        break;
+    }
+
+    try {
+      const response = await axios.post(
+        `${process.env.ZITADEL_API_URL}/v2/users/${this.getUserId()}/${url}`,
+        {},
+        {
+          headers: {
+            "Content-Type": "application/json",
+            Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+          },
+        },
+      );
+
+      if (response.status >= 400 && response.status !== 409) {
+        const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+        console.error(error);
+        throw new Error(error);
+      }
+
+      // TODO: get code from SMS or Email provider
+      this.code = "";
+    } catch (error) {
+      console.error("Error making request:", error);
+      throw error;
+    }
+
+    // wait for projection of user
+    await page.waitForTimeout(2000);
+  }
+
+  public getCode() {
+    return this.code;
+  }
+}
+
+export interface passkeyUserProps {
+  email: string;
+  firstName: string;
+  lastName: string;
+  organization: string;
+}
+
+export class PasskeyUser extends User {
+  private authenticatorId: string;
+
+  constructor(props: passkeyUserProps) {
+    super({
+      email: props.email,
+      firstName: props.firstName,
+      lastName: props.lastName,
+      organization: props.organization,
+      password: "",
+    });
+  }
+
+  public async ensure(page: Page) {
+    await this.remove();
+    const authId = await registerWithPasskey(page, this.getFirstname(), this.getLastname(), this.getUsername());
+    this.authenticatorId = authId;
+
+    // wait for projection of user
+    await page.waitForTimeout(2000);
+  }
+
+  public async remove() {
+    await super.remove();
+  }
+
+  public getAuthenticatorId(): string {
+    return this.authenticatorId;
+  }
+}

acceptance/tests/username-passkey.spec.ts

@@ -0,0 +1,46 @@
+import { test as base } from "@playwright/test";
+import dotenv from "dotenv";
+import path from "path";
+import { loginScreenExpect, loginWithPasskey } from "./login";
+import { PasskeyUser } from "./user";
+
+// Read from ".env" file.
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
+
+const test = base.extend<{ user: PasskeyUser }>({
+  user: async ({ page }, use) => {
+    const user = new PasskeyUser({
+      email: "passkey@example.com",
+      firstName: "first",
+      lastName: "last",
+      organization: "",
+    });
+    await user.ensure(page);
+    await use(user);
+  },
+});
+
+test("username and passkey login", async ({ user, page }) => {
+  await loginWithPasskey(page, user.getAuthenticatorId(), user.getUsername());
+  await loginScreenExpect(page, user.getFullName());
+});
+
+test("username and passkey login, if passkey enabled", async ({ user, page }) => {
+  // Given passkey is enabled on the organization of the user
+  // Given the user has only passkey enabled as authentication
+  // enter username
+  // passkey popup is directly shown
+  // user verifies passkey
+  // user is redirected to app
+});
+
+test("username and passkey login, multiple auth methods", async ({ user, page }) => {
+  // Given passkey and password is enabled on the organization of the user
+  // Given the user has password and passkey registered
+  // enter username
+  // passkey popup is directly shown
+  // user aborts passkey authentication
+  // user switches to password authentication
+  // user enters password
+  // user is redirected to app
+});

acceptance/tests/username-password-changed.spec.ts

@@ -0,0 +1,50 @@
+import { test as base } from "@playwright/test";
+import dotenv from "dotenv";
+import path from "path";
+import { loginWithPassword } from "./login";
+import { startChangePassword } from "./password";
+import { changePasswordScreen, changePasswordScreenExpect } from "./password-screen";
+import { PasswordUser } from "./user";
+
+// Read from ".env" file.
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
+
+const test = base.extend<{ user: PasswordUser }>({
+  user: async ({ page }, use) => {
+    const user = new PasswordUser({
+      email: "password-changed@example.com",
+      firstName: "first",
+      lastName: "last",
+      password: "Password1!",
+      organization: "",
+    });
+    await user.ensure(page);
+    await use(user);
+  },
+});
+
+test("username and password changed login", async ({ user, page }) => {
+  // commented, fix in https://github.com/zitadel/zitadel/pull/8807
+  /*
+    const changedPw = "ChangedPw1!";
+    await loginWithPassword(page, user.getUsername(), user.getPassword());
+
+    // wait for projection of token
+    await page.waitForTimeout(2000);
+
+    await changePassword(page, user.getUsername(), changedPw);
+    await loginScreenExpect(page, user.getFullName());
+
+    await loginWithPassword(page, user.getUsername(), changedPw);
+    await loginScreenExpect(page, user.getFullName());
+     */
+});
+
+test("password not with desired complexity", async ({ user, page }) => {
+  const changedPw1 = "change";
+  const changedPw2 = "chang";
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  await startChangePassword(page, user.getUsername());
+  await changePasswordScreen(page, changedPw1, changedPw2);
+  await changePasswordScreenExpect(page, changedPw1, changedPw2, false, false, false, false, true, false);
+});

acceptance/tests/username-password-otp_email.spec.ts

@@ -0,0 +1,55 @@
+import { test } from "@playwright/test";
+
+test("username, password and email otp login, enter code manually", async ({ page }) => {
+  // Given email otp is enabled on the organization of the user
+  // Given the user has only email otp configured as second factor
+  // User enters username
+  // User enters password
+  // User receives an email with a verification code
+  // User enters the code into the ui
+  // User is redirected to the app (default redirect url)
+});
+
+test("username, password and email otp login, click link in email", async ({ page }) => {
+  // Given email otp is enabled on the organization of the user
+  // Given the user has only email otp configured as second factor
+  // User enters username
+  // User enters password
+  // User receives an email with a verification code
+  // User clicks link in the email
+  // User is redirected to the app (default redirect url)
+});
+
+test("username, password and email otp login, resend code", async ({ page }) => {
+  // Given email otp is enabled on the organization of the user
+  // Given the user has only email otp configured as second factor
+  // User enters username
+  // User enters password
+  // User receives an email with a verification code
+  // User clicks resend code
+  // User receives a new email with a verification code
+  // User enters the new code in the ui
+  // User is redirected to the app (default redirect url)
+});
+
+test("username, password and email otp login, wrong code", async ({ page }) => {
+  // Given email otp is enabled on the organization of the user
+  // Given the user has only email otp configured as second factor
+  // User enters username
+  // User enters password
+  // User receives an email with a verification code
+  // User enters a wrond code
+  // Error message - "Invalid code" is shown
+});
+
+test("username, password and email otp login, multiple mfa options", async ({ page }) => {
+  // Given email otp and sms otp is enabled on the organization of the user
+  // Given the user has email and sms otp configured as second factor
+  // User enters username
+  // User enters password
+  // User receives an email with a verification code
+  // User clicks button to use sms otp as second factor
+  // User receives an sms with a verification code
+  // User enters code in ui
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/username-password-otp_sms.spec.ts

@@ -0,0 +1,32 @@
+import { test } from "@playwright/test";
+
+test("username, password and sms otp login", async ({ page }) => {
+  // Given sms otp is enabled on the organization of the user
+  // Given the user has only sms otp configured as second factor
+  // User enters username
+  // User enters password
+  // User receives a sms with a verification code
+  // User enters the code into the ui
+  // User is redirected to the app (default redirect url)
+});
+
+test("username, password and sms otp login, resend code", async ({ page }) => {
+  // Given sms otp is enabled on the organization of the user
+  // Given the user has only sms otp configured as second factor
+  // User enters username
+  // User enters password
+  // User receives a sms with a verification code
+  // User clicks resend code
+  // User receives a new sms with a verification code
+  // User is redirected to the app (default redirect url)
+});
+
+test("username, password and sms otp login, wrong code", async ({ page }) => {
+  // Given sms otp is enabled on the organization of the user
+  // Given the user has only sms otp configured as second factor
+  // User enters username
+  // User enters password
+  // User receives a sms with a verification code
+  // User enters a wrong code
+  // Error message - "Invalid code" is shown
+});

acceptance/tests/username-password-totp.spec.ts

@@ -0,0 +1,34 @@
+import { test } from "@playwright/test";
+
+test("username, password and totp login", async ({ page }) => {
+  // Given totp is enabled on the organization of the user
+  // Given the user has only totp configured as second factor
+  // User enters username
+  // User enters password
+  // Screen for entering the code is shown directly
+  // User enters the code into the ui
+  // User is redirected to the app (default redirect url)
+});
+
+test("username, password and totp otp login, wrong code", async ({ page }) => {
+  // Given totp is enabled on the organization of the user
+  // Given the user has only totp configured as second factor
+  // User enters username
+  // User enters password
+  // Screen for entering the code is shown directly
+  // User enters a wrond code
+  // Error message - "Invalid code" is shown
+});
+
+test("username, password and totp login, multiple mfa options", async ({ page }) => {
+  // Given totp and email otp is enabled on the organization of the user
+  // Given the user has totp and email otp configured as second factor
+  // User enters username
+  // User enters password
+  // Screen for entering the code is shown directly
+  // Button to switch to email otp is shown
+  // User clicks button to use email otp instead
+  // User receives an email with a verification code
+  // User enters code in ui
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/username-password-u2f.spec.ts

@@ -0,0 +1,24 @@
+import { test } from "@playwright/test";
+
+test("username, password and u2f login", async ({ page }) => {
+  // Given u2f is enabled on the organization of the user
+  // Given the user has only u2f configured as second factor
+  // User enters username
+  // User enters password
+  // Popup for u2f is directly opened
+  // User verifies u2f
+  // User is redirected to the app (default redirect url)
+});
+
+test("username, password and u2f login, multiple mfa options", async ({ page }) => {
+  // Given u2f and semailms otp is enabled on the organization of the user
+  // Given the user has u2f and email otp configured as second factor
+  // User enters username
+  // User enters password
+  // Popup for u2f is directly opened
+  // User aborts u2f verification
+  // User clicks button to use email otp as second factor
+  // User receives an email with a verification code
+  // User enters code in ui
+  // User is redirected to the app (default redirect url)
+});

acceptance/tests/username-password.spec.ts

@@ -1,12 +1,139 @@
-import { test } from "@playwright/test";
+import { test as base } from "@playwright/test";
+import dotenv from "dotenv";
+import path from "path";
+import { loginScreenExpect, loginWithPassword, startLogin } from "./login";
+import { loginname } from "./loginname";
+import { loginnameScreenExpect } from "./loginname-screen";
+import { password } from "./password";
+import { passwordScreenExpect } from "./password-screen";
+import { PasswordUser } from "./user";
 
-test("username and password", async ({ page }) => {
-  await page.goto("/loginname");
-  const loginname = page.getByLabel("Loginname");
-  await loginname.pressSequentially("zitadel-admin@zitadel.localhost");
-  await loginname.press("Enter");
-  const password = page.getByLabel("Password");
-  await password.pressSequentially("Password1!");
-  await password.press("Enter");
-  await page.getByRole("heading", { name: "Welcome ZITADEL Admin!" }).click();
+// Read from ".env" file.
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
+
+const test = base.extend<{ user: PasswordUser }>({
+  user: async ({ page }, use) => {
+    const user = new PasswordUser({
+      email: "password@example.com",
+      firstName: "first",
+      lastName: "last",
+      password: "Password1!",
+      organization: "",
+    });
+    await user.ensure(page);
+    await use(user);
+  },
+});
+
+test("username and password login", async ({ user, page }) => {
+  await loginWithPassword(page, user.getUsername(), user.getPassword());
+  await loginScreenExpect(page, user.getFullName());
+});
+
+test("username and password login, unknown username", async ({ page }) => {
+  const username = "unknown";
+  await startLogin(page);
+  await loginname(page, username);
+  await loginnameScreenExpect(page, username);
+});
+
+test("username and password login, wrong password", async ({ user, page }) => {
+  await startLogin(page);
+  await loginname(page, user.getUsername());
+  await password(page, "wrong");
+  await passwordScreenExpect(page, "wrong");
+});
+
+test("username and password login, wrong username, ignore unknown usernames", async ({ user, page }) => {
+  // Given user doesn't exist but ignore unknown usernames setting is set to true
+  // Given username password login is enabled on the users organization
+  // enter login name
+  // enter password
+  // redirect to loginname page --> error message username or password wrong
+});
+
+test("username and password login, initial password change", async ({ user, page }) => {
+  // Given user is created and has changePassword set to true
+  // Given username password login is enabled on the users organization
+  // enter login name
+  // enter password
+  // create new password
+});
+
+test("username and password login, reset password hidden", async ({ user, page }) => {
+  // Given the organization has enabled "Password reset hidden" in the login policy
+  // Given username password login is enabled on the users organization
+  // enter login name
+  // password reset link should not be shown on password screen
+});
+
+test("username and password login, reset password - enter code manually", async ({ user, page }) => {
+  // Given user has forgotten password and clicks the forgot password button
+  // Given username password login is enabled on the users organization
+  // enter login name
+  // click password forgotten
+  // enter code from email
+  // user is redirected to app (default redirect url)
+});
+
+test("username and password login, reset password - click link", async ({ user, page }) => {
+  // Given user has forgotten password and clicks the forgot password button, and then the link in the email
+  // Given username password login is enabled on the users organization
+  // enter login name
+  // click password forgotten
+  // click link in email
+  // set new password
+  // redirect to app (default redirect url)
+});
+
+test("username and password login, reset password, resend code", async ({ user, page }) => {
+  // Given user has forgotten password and clicks the forgot password button and then resend code
+  // Given username password login is enabled on the users organization
+  // enter login name
+  // click password forgotten
+  // click resend code
+  // enter code from second email
+  // user is redirected to app (default redirect url)
+});
+
+test("email login enabled", async ({ user, page }) => {
+  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
+  // Given no other user with the same email address exists
+  // enter email address "test@zitadel.com " in login screen
+  // user will get to password screen
+});
+
+test("email login disabled", async ({ user, page }) => {
+  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
+  // Given no other user with the same email address exists
+  // enter email address "test@zitadel.com" in login screen
+  // user will see error message "user not found"
+});
+
+test("email login enabled - multiple users", async ({ user, page }) => {
+  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
+  // Given a second user with the username "testuser2", email test@zitadel.com and phone number 0711111111 exists
+  // enter email address "test@zitadel.com" in login screen
+  // user will see error message "user not found"
+});
+
+test("phone login enabled", async ({ user, page }) => {
+  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
+  // Given no other user with the same phon number exists
+  // enter phone number "0711111111" in login screen
+  // user will get to password screen
+});
+
+test("phone login disabled", async ({ user, page }) => {
+  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
+  // Given no other user with the same phone number exists
+  // enter phone number "0711111111" in login screen
+  // user will see error message "user not found"
+});
+
+test("phone login enabled - multiple users", async ({ user, page }) => {
+  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
+  // Given a second user with the username "testuser2", email test@zitadel.com and phone number 0711111111 exists
+  // enter phone number "0711111111" in login screen
+  // user will see error message "user not found"
 });

acceptance/tests/zitadel.ts

@@ -0,0 +1,60 @@
+import axios from "axios";
+
+export async function removeUserByUsername(username: string) {
+  const resp = await getUserByUsername(username);
+  if (!resp || !resp.result || !resp.result[0]) {
+    return;
+  }
+  await removeUser(resp.result[0].userId);
+}
+
+export async function removeUser(id: string) {
+  try {
+    const response = await axios.delete(`${process.env.ZITADEL_API_URL}/v2/users/${id}`, {
+      headers: {
+        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+      },
+    });
+
+    if (response.status >= 400 && response.status !== 404) {
+      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+      console.error(error);
+      throw new Error(error);
+    }
+  } catch (error) {
+    console.error("Error making request:", error);
+    throw error;
+  }
+}
+
+export async function getUserByUsername(username: string) {
+  const listUsersBody = {
+    queries: [
+      {
+        userNameQuery: {
+          userName: username,
+        },
+      },
+    ],
+  };
+
+  try {
+    const response = await axios.post(`${process.env.ZITADEL_API_URL}/v2/users`, listUsersBody, {
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
+      },
+    });
+
+    if (response.status >= 400) {
+      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
+      console.error(error);
+      throw new Error(error);
+    }
+
+    return response.data;
+  } catch (error) {
+    console.error("Error making request:", error);
+    throw error;
+  }
+}

acceptance/zitadel.yaml

@@ -15,6 +15,14 @@ FirstInstance:
       Pat:
         ExpirationDate: 2099-01-01T00:00:00Z
 
+DefaultInstance:
+  PrivacyPolicy:
+    TOSLink: "https://zitadel.com/docs/legal/terms-of-service"
+    PrivacyLink: "https://zitadel.com/docs/legal/policies/privacy-policy"
+    HelpLink: "https://zitadel.com/docs"
+    SupportEmail: "support@zitadel.com"
+    DocsLink: "https://zitadel.com/docs"
+
 Database:
   EventPushConnRatio: 0.2 # 4
   ProjectionSpoolerConnRatio: 0.3 # 6

apps/login/src/components/authentication-method-radio.tsx

@@ -30,6 +30,7 @@ export function AuthenticationMethodRadio({
               <RadioGroup.Option
                 key={method.name}
                 value={method}
+                data-testid={method.name + "-radio"}
                 className={({ active, checked }) =>
                   `${
                     active

apps/login/src/components/change-password-form.tsx

@@ -148,6 +148,7 @@ export function ChangePasswordForm({
             })}
             label="New Password"
             error={errors.password?.message as string}
+            data-testid="password-text-input"
           />
         </div>
         <div className="">
@@ -160,6 +161,7 @@ export function ChangePasswordForm({
             })}
             label="Confirm Password"
             error={errors.confirmPassword?.message as string}
+            data-testid="password-confirm-text-input"
           />
         </div>
       </div>
@@ -175,7 +177,7 @@ export function ChangePasswordForm({
       {error && <Alert>{error}</Alert>}
 
       <div className="mt-8 flex w-full flex-row items-center justify-between">
-        <BackButton />
+        <BackButton data-testid="back-button" />
         <Button
           type="submit"
           variant={ButtonVariants.Primary}
@@ -186,6 +188,7 @@ export function ChangePasswordForm({
             watchPassword !== watchConfirmPassword
           }
           onClick={handleSubmit(submitChange)}
+          data-testid="submit-button"
         >
           {loading && <Spinner className="h-5 w-5 mr-2" />}
           {t("change.submit")}

apps/login/src/components/login-otp.tsx

@@ -236,7 +236,7 @@ export function LoginOTP({
       )}
 
       <div className="mt-8 flex w-full flex-row items-center">
-        <BackButton />
+        <BackButton data-testid="back-button" />
         <span className="flex-grow"></span>
         <Button
           type="submit"
@@ -246,6 +246,7 @@ export function LoginOTP({
           onClick={handleSubmit((e) => {
             setCodeAndContinue(e, organization);
           })}
+          data-testid="submit-button"
         >
           {loading && <Spinner className="h-5 w-5 mr-2" />}
           {t("verify.submit")}

apps/login/src/components/login-passkey.tsx

@@ -235,6 +235,7 @@ export function LoginPasskey({
                 "/password?" + new URLSearchParams(params), // alt is set because password is requested as alternative auth method, so passwordless prompt can be escaped
               );
             }}
+            data-testid="password-button"
           >
             {t("verify.usePassword")}
           </Button>
@@ -272,6 +273,7 @@ export function LoginPasskey({
                 setLoading(false);
               });
           }}
+          data-testid="submit-button"
         >
           {loading && <Spinner className="h-5 w-5 mr-2" />}
           {t("verify.submit")}

apps/login/src/components/password-complexity.tsx

@@ -65,7 +65,7 @@ export function PasswordComplexity({
   return (
     <div className="mb-4 grid grid-cols-2 gap-x-8 gap-y-2">
       {passwordComplexitySettings.minLength != undefined ? (
-        <div className="flex flex-row items-center">
+        <div className="flex flex-row items-center" data-testid="length-check">
           {hasMinLength ? check : cross}
           <span className={desc}>
             Password length {passwordComplexitySettings.minLength.toString()}
@@ -74,23 +74,23 @@ export function PasswordComplexity({
       ) : (
         <span />
       )}
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="symbol-check">
         {hasSymbol ? check : cross}
         <span className={desc}>has Symbol</span>
       </div>
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="number-check">
         {hasNumber ? check : cross}
         <span className={desc}>has Number</span>
       </div>
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="uppercase-check">
         {hasUppercase ? check : cross}
         <span className={desc}>has uppercase</span>
       </div>
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="lowercase-check">
         {hasLowercase ? check : cross}
         <span className={desc}>has lowercase</span>
       </div>
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="equal-check">
         {equals ? check : cross}
         <span className={desc}>equals</span>
       </div>

apps/login/src/components/password-form.tsx

@@ -126,6 +126,7 @@ export function PasswordForm({
           autoComplete="password"
           {...register("password", { required: "This field is required" })}
           label="Password"
+          data-testid="password-text-input"
         />
         {!loginSettings?.hidePasswordReset && (
           <button
@@ -155,13 +156,13 @@ export function PasswordForm({
       )}
 
       {error && (
-        <div className="py-4">
+        <div className="py-4" data-testid="error">
           <Alert>{error}</Alert>
         </div>
       )}
 
       <div className="mt-8 flex w-full flex-row items-center">
-        <BackButton />
+        <BackButton data-testid="back-button" />
         <span className="flex-grow"></span>
         <Button
           type="submit"
@@ -169,6 +170,7 @@ export function PasswordForm({
           variant={ButtonVariants.Primary}
           disabled={loading || !formState.isValid}
           onClick={handleSubmit(submitPassword)}
+          data-testid="submit-button"
         >
           {loading && <Spinner className="h-5 w-5 mr-2" />}
           {t("verify.submit")}

apps/login/src/components/privacy-policy-checkboxes.tsx

@@ -60,6 +60,7 @@ export function PrivacyPolicyCheckboxes({ legal, onChange }: Props) {
               });
               onChange(checked && acceptanceState.privacyPolicyAccepted);
             }}
+            data-testid="privacy-policy-checkbox"
           />
 
           <div className="mr-4 w-[28rem]">
@@ -84,6 +85,7 @@ export function PrivacyPolicyCheckboxes({ legal, onChange }: Props) {
               });
               onChange(checked && acceptanceState.tosAccepted);
             }}
+            data-testid="tos-checkbox"
           />
 
           <div className="mr-4 w-[28rem]">

apps/login/src/components/register-form-without-password.tsx

@@ -120,6 +120,7 @@ export function RegisterFormWithoutPassword({
             {...register("firstname", { required: "This field is required" })}
             label="First name"
             error={errors.firstname?.message as string}
+            data-testid="firstname-text-input"
           />
         </div>
         <div className="">
@@ -130,6 +131,7 @@ export function RegisterFormWithoutPassword({
             {...register("lastname", { required: "This field is required" })}
             label="Last name"
             error={errors.lastname?.message as string}
+            data-testid="lastname-text-input"
           />
         </div>
         <div className="col-span-2">
@@ -140,6 +142,7 @@ export function RegisterFormWithoutPassword({
             {...register("email", { required: "This field is required" })}
             label="E-mail"
             error={errors.email?.message as string}
+            data-testid="email-text-input"
           />
         </div>
       </div>
@@ -167,7 +170,7 @@ export function RegisterFormWithoutPassword({
       )}
 
       <div className="mt-8 flex w-full flex-row items-center justify-between">
-        <BackButton />
+        <BackButton data-testid="back-button" />
         <Button
           type="submit"
           variant={ButtonVariants.Primary}
@@ -175,6 +178,7 @@ export function RegisterFormWithoutPassword({
           onClick={handleSubmit((values) =>
             submitAndContinue(values, !(selected.name === methods[0].name)),
           )}
+          data-testid="submit-button"
         >
           {loading && <Spinner className="h-5 w-5 mr-2" />}
           {t("submit")}

apps/login/src/components/register-passkey.tsx

@@ -195,6 +195,7 @@ export function RegisterPasskey({
           variant={ButtonVariants.Primary}
           disabled={loading || !formState.isValid}
           onClick={handleSubmit(submitRegisterAndContinue)}
+          data-testid="submit-button"
         >
           {loading && <Spinner className="h-5 w-5 mr-2" />}
           {t("set.submit")}

apps/login/src/components/register-u2f.tsx

@@ -190,7 +190,7 @@ export function RegisterU2f({
       )}
 
       <div className="mt-8 flex w-full flex-row items-center">
-        <BackButton />
+        <BackButton data-testid="back-button" />
 
         <span className="flex-grow"></span>
         <Button
@@ -199,6 +199,7 @@ export function RegisterU2f({
           variant={ButtonVariants.Primary}
           disabled={loading}
           onClick={submitRegisterAndContinue}
+          data-testid="submit-button"
         >
           {loading && <Spinner className="h-5 w-5 mr-2" />}
           {t("set.submit")}

apps/login/src/components/set-password-form.tsx

@@ -217,7 +217,7 @@ export function SetPasswordForm({
       {error && <Alert>{error}</Alert>}
 
       <div className="mt-8 flex w-full flex-row items-center justify-between">
-        <BackButton />
+        <BackButton data-testid="back-button" />
         <Button
           type="submit"
           variant={ButtonVariants.Primary}
@@ -228,6 +228,7 @@ export function SetPasswordForm({
             watchPassword !== watchConfirmPassword
           }
           onClick={handleSubmit(submitPassword)}
+          data-testid="submit-button"
         >
           {loading && <Spinner className="h-5 w-5 mr-2" />}
           {t("set.submit")}

apps/login/src/components/set-register-password-form.tsx

@@ -113,6 +113,7 @@ export function SetRegisterPasswordForm({
             })}
             label="Password"
             error={errors.password?.message as string}
+            data-testid="password-text-input"
           />
         </div>
         <div className="">
@@ -125,6 +126,7 @@ export function SetRegisterPasswordForm({
             })}
             label="Confirm Password"
             error={errors.confirmPassword?.message as string}
+            data-testid="password-confirm-text-input"
           />
         </div>
       </div>
@@ -140,7 +142,7 @@ export function SetRegisterPasswordForm({
       {error && <Alert>{error}</Alert>}
 
       <div className="mt-8 flex w-full flex-row items-center justify-between">
-        <BackButton />
+        <BackButton data-testid="back-button" />
         <Button
           type="submit"
           variant={ButtonVariants.Primary}
@@ -151,6 +153,7 @@ export function SetRegisterPasswordForm({
             watchPassword !== watchConfirmPassword
           }
           onClick={handleSubmit(submitRegister)}
+          data-testid="submit-button"
         >
           {loading && <Spinner className="h-5 w-5 mr-2" />}
           {t("password.submit")}

apps/login/src/components/totp-register.tsx

@@ -123,6 +123,7 @@ export function TotpRegister({
                 type="text"
                 {...register("code", { required: "This field is required" })}
                 label="Code"
+                data-testid="code-text-input"
               />
             </div>
 
@@ -140,6 +141,7 @@ export function TotpRegister({
                 variant={ButtonVariants.Primary}
                 disabled={loading || !formState.isValid}
                 onClick={handleSubmit(continueWithCode)}
+                data-testid="submit-button"
               >
                 {loading && <Spinner className="h-5 w-5 mr-2" />}
                 {t("set.submit")}

apps/login/src/components/username-form.tsx

@@ -82,6 +82,7 @@ export function UsernameForm({
           autoComplete="username"
           {...register("loginName", { required: "This field is required" })}
           label="Loginname"
+          data-testid="username-text-input"
         />
         {allowRegister && (
           <button
@@ -99,6 +100,7 @@ export function UsernameForm({
             }}
             type="button"
             disabled={loading}
+            data-testid="register-button"
           >
             {t("register")}
           </button>
@@ -106,7 +108,7 @@ export function UsernameForm({
       </div>
 
       {error && (
-        <div className="py-4">
+        <div className="py-4" data-testid="error">
           <Alert>{error}</Alert>
         </div>
       )}
@@ -114,9 +116,10 @@ export function UsernameForm({
       <div className="pt-6 pb-4">{children}</div>
 
       <div className="mt-4 flex w-full flex-row items-center">
-        <BackButton />
+        <BackButton data-testid="back-button" />
         <span className="flex-grow"></span>
         <Button
+          data-testid="submit-button"
           type="submit"
           className="self-end"
           variant={ButtonVariants.Primary}

apps/login/src/lib/server/session.ts

@@ -7,7 +7,6 @@ import {
 import { deleteSession, listAuthenticationMethodTypes } from "@/lib/zitadel";
 import { RequestChallenges } from "@zitadel/proto/zitadel/session/v2/challenge_pb";
 import { Checks } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
-import { headers } from "next/headers";
 import {
   getMostRecentSessionCookie,
   getSessionCookieById,
@@ -67,7 +66,8 @@ export async function updateSession(options: UpdateSessionCommand) {
           return Promise.reject(error);
         });
 
-  const host = headers().get("host");
+  // TODO remove ports from host header for URL with port
+  const host = "localhost";
 
   if (
     host &&

package.json

@@ -7,7 +7,7 @@
     "build": "turbo run build",
     "test": "turbo run test",
     "start": "turbo run start",
-    "start:built":  "turbo run start:built",
+    "start:built": "turbo run start:built",
     "test:unit": "turbo run test:unit -- --passWithNoTests",
     "test:integration": "turbo run test:integration",
     "test:acceptance": "pnpm exec playwright test",
@@ -34,6 +34,8 @@
     "@types/node": "^22.9.0",
     "@vitejs/plugin-react": "^4.3.3",
     "@zitadel/prettier-config": "workspace:*",
+    "axios": "^1.7.7",
+    "dotenv": "^16.4.5",
     "eslint": "8.57.1",
     "eslint-config-zitadel": "workspace:*",
     "prettier": "^3.2.5",

playwright.config.ts

@@ -26,7 +26,7 @@ export default defineConfig({
   /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
   use: {
     /* Base URL to use in actions like `await page.goto('/')`. */
-    baseURL: "http://127.0.0.1:3000",
+    baseURL: "http://localhost:3000",
 
     /* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
     trace: "on-first-retry",
@@ -38,17 +38,17 @@ export default defineConfig({
       name: "chromium",
       use: { ...devices["Desktop Chrome"] },
     },
-
-    {
-      name: "firefox",
-      use: { ...devices["Desktop Firefox"] },
-    },
-    /* TODO: webkit fails. Is this a bug?
-    {
-      name: 'webkit',
-      use: { ...devices['Desktop Safari'] },
-    },
-*/
+    /*
+            {
+              name: "firefox",
+              use: { ...devices["Desktop Firefox"] },
+            },
+            TODO: webkit fails. Is this a bug?
+            {
+              name: 'webkit',
+              use: { ...devices['Desktop Safari'] },
+            },
+        */
 
     /* Test against mobile viewports. */
     // {

pnpm-lock.yaml

@@ -26,6 +26,12 @@ importers:
       '@zitadel/prettier-config':
         specifier: workspace:*
         version: link:packages/zitadel-prettier-config
+      axios:
+        specifier: ^1.7.7
+        version: 1.7.7
+      dotenv:
+        specifier: ^16.4.5
+        version: 16.4.5
       eslint:
         specifier: 8.57.1
         version: 8.57.1
@@ -2071,6 +2077,10 @@ packages:
     resolution: {integrity: sha512-7GO6HghkA5fYG9TYnNxi14/7K9f5occMlp3zXAuSxn7CKCxt9xbNWG7yF8hTCSUchlfWSe3uLmlPfigevRItzQ==}
     engines: {node: '>=12'}
 
+  dotenv@16.4.5:
+    resolution: {integrity: sha512-ZmdL2rui+eB2YwhsWzjInR8LldtZHGDoQ1ugH85ppHKwpUHL7j7rN0Ti9NCnGiQbhaZ11FpR+7ao1dNsmduNUg==}
+    engines: {node: '>=12'}
+
   dprint-node@1.0.8:
     resolution: {integrity: sha512-iVKnUtYfGrYcW1ZAlfR/F59cUVL8QIhWoBJoSjkkdua/dkWIgjZfiLMeTjiB06X0ZLkQ0M2C1VbUj/CxkIf1zg==}
 
@@ -4623,7 +4633,7 @@ snapshots:
       '@babel/traverse': 7.25.9
       '@babel/types': 7.26.0
       convert-source-map: 2.0.0
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
       gensync: 1.0.0-beta.2
       json5: 2.2.3
       semver: 6.3.1
@@ -4710,7 +4720,7 @@ snapshots:
       '@babel/parser': 7.26.2
       '@babel/template': 7.25.9
       '@babel/types': 7.26.0
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
       globals: 11.12.0
     transitivePeerDependencies:
       - supports-color
@@ -5100,7 +5110,7 @@ snapshots:
   '@eslint/eslintrc@2.1.4':
     dependencies:
       ajv: 6.12.6
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
       espree: 9.6.1
       globals: 13.24.0
       ignore: 5.3.2
@@ -5199,7 +5209,7 @@ snapshots:
   '@humanwhocodes/config-array@0.13.0':
     dependencies:
       '@humanwhocodes/object-schema': 2.0.3
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
       minimatch: 3.1.2
     transitivePeerDependencies:
       - supports-color
@@ -5746,7 +5756,7 @@ snapshots:
 
   agent-base@7.1.1:
     dependencies:
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
     transitivePeerDependencies:
       - supports-color
 
@@ -5921,6 +5931,14 @@ snapshots:
 
   axe-core@4.10.0: {}
 
+  axios@1.7.7:
+    dependencies:
+      follow-redirects: 1.15.6
+      form-data: 4.0.0
+      proxy-from-env: 1.1.0
+    transitivePeerDependencies:
+      - debug
+
   axios@1.7.7(debug@4.3.7):
     dependencies:
       follow-redirects: 1.15.6(debug@4.3.7)
@@ -6267,6 +6285,10 @@ snapshots:
     dependencies:
       ms: 2.1.2
 
+  debug@4.3.7:
+    dependencies:
+      ms: 2.1.3
+
   debug@4.3.7(supports-color@5.5.0):
     dependencies:
       ms: 2.1.3
@@ -6368,6 +6390,8 @@ snapshots:
 
   dotenv@16.0.3: {}
 
+  dotenv@16.4.5: {}
+
   dprint-node@1.0.8:
     dependencies:
       detect-libc: 1.0.3
@@ -6619,7 +6643,7 @@ snapshots:
       debug: 4.3.7(supports-color@5.5.0)
       enhanced-resolve: 5.17.1
       eslint: 8.57.1
-      eslint-module-utils: 2.8.2(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.6.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.6.3(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.6.3))(eslint-import-resolver-node@0.3.9)(eslint-plugin-import@2.29.1)(eslint@8.57.1))(eslint@8.57.1)
+      eslint-module-utils: 2.8.2(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.6.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.6.3)(eslint@8.57.1)
       fast-glob: 3.3.2
       get-tsconfig: 4.8.0
       is-bun-module: 1.1.0
@@ -6632,7 +6656,7 @@ snapshots:
       - eslint-import-resolver-webpack
       - supports-color
 
-  eslint-module-utils@2.8.2(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.6.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.6.3(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.6.3))(eslint-import-resolver-node@0.3.9)(eslint-plugin-import@2.29.1)(eslint@8.57.1))(eslint@8.57.1):
+  eslint-module-utils@2.8.2(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.6.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.6.3)(eslint@8.57.1):
     dependencies:
       debug: 3.2.7(supports-color@8.1.1)
     optionalDependencies:
@@ -6653,7 +6677,7 @@ snapshots:
       doctrine: 2.1.0
       eslint: 8.57.1
       eslint-import-resolver-node: 0.3.9
-      eslint-module-utils: 2.8.2(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.6.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.6.3(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.6.3))(eslint-import-resolver-node@0.3.9)(eslint-plugin-import@2.29.1)(eslint@8.57.1))(eslint@8.57.1)
+      eslint-module-utils: 2.8.2(@typescript-eslint/parser@7.18.0(eslint@8.57.1)(typescript@5.6.3))(eslint-import-resolver-node@0.3.9)(eslint-import-resolver-typescript@3.6.3)(eslint@8.57.1)
       hasown: 2.0.2
       is-core-module: 2.15.1
       is-glob: 4.0.3
@@ -6741,7 +6765,7 @@ snapshots:
       ajv: 6.12.6
       chalk: 4.1.2
       cross-spawn: 7.0.3
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
       doctrine: 3.0.0
       escape-string-regexp: 4.0.0
       eslint-scope: 7.2.2
@@ -6931,6 +6955,8 @@ snapshots:
 
   flatted@3.3.1: {}
 
+  follow-redirects@1.15.6: {}
+
   follow-redirects@1.15.6(debug@4.3.7):
     optionalDependencies:
       debug: 4.3.7(supports-color@5.5.0)
@@ -7165,7 +7191,7 @@ snapshots:
   http-proxy-agent@7.0.2:
     dependencies:
       agent-base: 7.1.1
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
     transitivePeerDependencies:
       - supports-color
 
@@ -7185,7 +7211,7 @@ snapshots:
   https-proxy-agent@7.0.5:
     dependencies:
       agent-base: 7.1.1
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
     transitivePeerDependencies:
       - supports-color
 
@@ -8709,7 +8735,7 @@ snapshots:
       cac: 6.7.14
       chokidar: 4.0.1
       consola: 3.2.3
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
       esbuild: 0.24.0
       joycon: 3.1.1
       picocolors: 1.1.1
@@ -8867,7 +8893,7 @@ snapshots:
   vite-node@2.1.4(@types/node@22.9.0)(sass@1.80.7):
     dependencies:
       cac: 6.7.14
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
       pathe: 1.1.2
       vite: 5.4.11(@types/node@22.9.0)(sass@1.80.7)
     transitivePeerDependencies:
@@ -8883,7 +8909,7 @@ snapshots:
 
   vite-tsconfig-paths@5.1.2(typescript@5.6.3)(vite@5.4.11(@types/node@22.9.0)(sass@1.80.7)):
     dependencies:
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
       globrex: 0.1.2
       tsconfck: 3.1.4(typescript@5.6.3)
     optionalDependencies:
@@ -8912,7 +8938,7 @@ snapshots:
       '@vitest/spy': 2.1.4
       '@vitest/utils': 2.1.4
       chai: 5.1.2
-      debug: 4.3.7(supports-color@5.5.0)
+      debug: 4.3.7
       expect-type: 1.1.0
       magic-string: 0.30.12
       pathe: 1.1.2