soc

.gitignore

@@ -7,6 +7,7 @@
 
 # Test binary, build with `go test -c`
 *.test
+!login/.env.test
 
 # Coverage
 coverage.txt
@@ -68,6 +69,7 @@ docs/docs/apis/proto
 /internal/api/ui/login/static/resources/themes/zitadel/css/zitadel.css
 /internal/api/ui/login/static/resources/themes/zitadel/css/zitadel.css.map
 zitadel-*-*
+!login/**/zitadel-*-*
 
 # local
 build/local/*.env

LICENSING.md

@@ -23,6 +23,7 @@ The following files and directories, including their subdirectories, are license
 
 ```
 login/
+clients/
 ```
 
 ## Community Contributions

login/.eslintrc.cjs

@@ -1,10 +1,21 @@
 module.exports = {
-  root: true,
+  parser: "@typescript-eslint/parser",
-  // Use basic ESLint config since the login app has its own detailed config
+  extends: ["next", "prettier"],
-  extends: ["eslint:recommended"],
+  plugins: ["@typescript-eslint"],
-  settings: {
+  rules: {
-    next: {
+    "@next/next/no-html-link-for-pages": "off",
-      rootDir: ["apps/*/"],
+    "@next/next/no-img-element": "off",
+    "react/no-unescaped-entities": "off",
+    "no-unused-vars": "off",
+    "@typescript-eslint/no-unused-vars": ["error", { argsIgnorePattern: "^_" }],
+    "no-undef": "off",
+  },
+  parserOptions: {
+    ecmaVersion: "latest",
+    sourceType: "module",
+    ecmaFeatures: {
+      jsx: true,
     },
+    project: "./tsconfig.json",
   },
 };

login/.gitignore

@@ -1,3 +1,8 @@
+custom-config.js
+.env*.local
+standalone
+tsconfig.tsbuildinfo
+
 .DS_Store
 node_modules
 .turbo
@@ -7,12 +12,6 @@ dist
 dist-ssr
 *.local
 .env
-server/dist
-public/dist
 .vscode
 .idea
-.vercel
-.env*.local
 /blob-report/
-/out
-/docker

login/.npmrc

@@ -1 +0,0 @@
-auto-install-peers = true

login/.prettierignore

@@ -1,9 +1,5 @@
-.next/
+.next
-.changeset/
+/external
 .github/
 dist/
-standalone/
+standalone/
-packages/zitadel-proto/google
-packages/zitadel-proto/protoc-gen-openapiv2
-packages/zitadel-proto/validate
-packages/zitadel-proto/zitadel

login/acceptance/.eslintrc.cjs

@@ -0,0 +1,10 @@
+module.exports = {
+  root: true,
+  // Use basic ESLint config since the login app has its own detailed config
+  extends: ["eslint:recommended"],
+  settings: {
+    next: {
+      rootDir: ["apps/*/"],
+    },
+  },
+};

login/acceptance/docker-compose.yaml

@@ -1,8 +1,16 @@
 services:
+
   zitadel:
-    user: "${ZITADEL_DEV_UID}"
+    user: "${UID:-1000}:${GID:-1000}"
-    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:02617cf17fdde849378c1a6b5254bbfb2745b164}"
+    image: "${ZITADEL_TAG:-ghcr.io/zitadel/zitadel:latest}"
-    command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled --config /zitadel.yaml --steps /zitadel.yaml'
+    container_name: acceptance-zitadel
+    command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --config /zitadel.yaml --steps /zitadel.yaml'
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.zitadel.rule=!PathPrefix(`/ui/v2/login`)"
+      #      - "traefik.http.middlewares.zitadel.headers.customrequestheaders.Host=localhost"
+#      - "traefik.http.routers.zitadel.middlewares=zitadel@docker"
+      - "traefik.http.services.zitadel-service.loadbalancer.server.scheme=h2c"
     ports:
       - "8080:8080"
     volumes:
@@ -11,12 +19,11 @@ services:
     depends_on:
       db:
         condition: "service_healthy"
-    extra_hosts:
-      - "localhost:host-gateway"
 
   db:
     restart: "always"
-    image: postgres:17.0-alpine3.19
+    image: ${LOGIN_TEST_ACCEPTANCE_POSTGES_TAG:-postgres:17.0-alpine3.19}
+    container_name: acceptance-db
     environment:
       - POSTGRES_USER=zitadel
       - PGUSER=zitadel
@@ -30,42 +37,201 @@ services:
       retries: 5
       start_period: "20s"
     ports:
-      - 5432:5432
+      - "5432:5432"
 
-  wait_for_zitadel:
+  wait-for-zitadel:
     image: curlimages/curl:8.00.1
+    container_name: acceptance-wait-for-zitadel
     command: /bin/sh -c "until curl -s -o /dev/null -i -f http://zitadel:8080/debug/ready; do echo 'waiting' && sleep 1; done; echo 'ready' && sleep 5;" || false
     depends_on:
       - zitadel
 
+  traefik:
+    image: "traefik:v3.4"
+    container_name: "acceptance-traefik"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.login.rule=PathPrefix(`/ui/v2/login`)"
+      - "traefik.http.services.login-service.loadbalancer.server.url=http://host.docker.internal:3000"
+    command:
+#      - "--log.level=DEBUG"
+      - "--ping"
+      - "--api.insecure=true"
+      - "--providers.docker=true"
+      - "--providers.docker.exposedbydefault=false"
+      - "--entrypoints.websecure.http.tls=true"
+      - "--entryPoints.websecure.address=:443"
+    healthcheck:
+      test: ["CMD", "traefik", "healthcheck", "--ping"]
+      interval: "10s"
+      timeout: "30s"
+      retries: 5
+      start_period: "20s"
+    ports:
+      - "443:443"
+      - "8090:8080"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+    extra_hosts:
+      - host.docker.internal:host-gateway
+
   setup:
-    user: "${ZITADEL_DEV_UID}"
+    user: "${UID:-1000}:${GID:-1000}"
-    container_name: setup
+    image: ${LOGIN_TEST_ACCEPTANCE_SETUP_TAG:-login-test-acceptance-setup:local}
-    image: acceptance-setup:latest
+    container_name: acceptance-setup
+    restart: no
+    build:
+      context: "${LOGIN_TEST_ACCEPTANCE_BUILD_CONTEXT:-.}/setup"
+      dockerfile: ../go-command.Dockerfile
+    entrypoint: "./setup.sh"
     environment:
       PAT_FILE: /pat/zitadel-admin-sa.pat
       ZITADEL_API_INTERNAL_URL: http://zitadel:8080
-      WRITE_ENVIRONMENT_FILE: /apps/login/.env.local
+      WRITE_ENVIRONMENT_FILE: /login-env/.env.test.local
-      WRITE_TEST_ENVIRONMENT_FILE: /acceptance/tests/.env.local
       SINK_EMAIL_INTERNAL_URL: http://sink:3333/email
       SINK_SMS_INTERNAL_URL: http://sink:3333/sms
       SINK_NOTIFICATION_URL: http://localhost:3333/notification
+      LOGIN_BASE_URL: https://127.0.0.1.sslip.io/ui/v2/login/
+      ZITADEL_API_URL: https://127.0.0.1.sslip.io
+      ZITADEL_API_DOMAIN: 127.0.0.1.sslip.io
+      ZITADEL_ADMIN_USER: zitadel-admin@zitadel.127.0.0.1.sslip.io
     volumes:
-      - "./pat:/pat"
+      - ./pat:/pat # Read the PAT file from zitadels setup
-      - "../apps/login:/apps/login"
+      - ../login:/login-env # Write the environment variables file for the login
-      - "../acceptance/tests:/acceptance/tests"
     depends_on:
-      wait_for_zitadel:
+      traefik:
+        condition: "service_healthy"
+      wait-for-zitadel:
         condition: "service_completed_successfully"
 
   sink:
-    image: golang:1.24-alpine
+    image: ${LOGIN_TEST_ACCEPTANCE_SINK_TAG:-login-test-acceptance-sink:local}
-    container_name: sink
+    container_name: acceptance-sink
-    command: go run /sink/main.go -port '3333' -email '/email' -sms '/sms' -notification '/notification'
+    build:
+      context: "${LOGIN_TEST_ACCEPTANCE_BUILD_CONTEXT:-.}/sink"
+      dockerfile: ../go-command.Dockerfile
+      args:
+        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+    environment:
+      PORT: '3333'
+    command:
+      - -port
+      - '3333'
+      - -email
+      - '/email'
+      - -sms
+      - '/sms'
+      - -notification
+      - '/notification'
     ports:
-      - 3333:3333
+      - "3333:3333"
-    volumes:
-      - "./sink:/sink"
     depends_on:
       setup:
         condition: "service_completed_successfully"
+
+  oidcrp:
+    user: "${UID:-1000}:${GID:-1000}"
+    image: ${LOGIN_TEST_ACCEPTANCE_OIDCRP_TAG:-login-test-acceptance-oidcrp:local}
+    container_name: acceptance-oidcrp
+    build:
+      context: "${LOGIN_TEST_ACCEPTANCE_BUILD_CONTEXT:-.}/oidcrp"
+      dockerfile: ../go-command.Dockerfile
+      args:
+        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+    environment:
+      API_URL: 'http://traefik'
+      API_DOMAIN: 'traefik'
+      PAT_FILE: '/pat/zitadel-admin-sa.pat'
+      LOGIN_URL: 'https://traefik/ui/v2/login'
+      ISSUER: 'https://traefik'
+      HOST: 'traefik'
+      PORT: '8000'
+      SCOPES: 'openid profile email'
+    ports:
+      - "8000:8000"
+    volumes:
+      - "./pat:/pat"
+    depends_on:
+      traefik:
+        condition: "service_healthy"
+      setup:
+        condition: "service_completed_successfully"
+
+  oidcop:
+    user: "${UID:-1000}:${GID:-1000}"
+    image: ${LOGIN_TEST_ACCEPTANCE_OIDCOP_TAG:-login-test-acceptance-oidcop:local}
+    container_name: acceptance-oidcop
+    build:
+      context: "${LOGIN_TEST_ACCEPTANCE_BUILD_CONTEXT:-.}/idp/oidc"
+      dockerfile: ../../go-command.Dockerfile
+      args:
+        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+    environment:
+      API_URL: 'http://traefik'
+      API_DOMAIN: 'traefik'
+      PAT_FILE: '/pat/zitadel-admin-sa.pat'
+      SCHEMA: 'https'
+      HOST: 'traefik'
+      PORT: "8004"
+    ports:
+      - 8004:8004
+    volumes:
+      - "./pat:/pat"
+    depends_on:
+      traefik:
+        condition: "service_healthy"
+      setup:
+        condition: "service_completed_successfully"
+
+  samlsp:
+    user: "${UID:-1000}:${GID:-1000}"
+    image: "${LOGIN_TEST_ACCEPTANCE_SAMLSP_TAG:-login-test-acceptance-samlsp:local}"
+    container_name: acceptance-samlsp
+    build:
+      context: "${LOGIN_TEST_ACCEPTANCE_BUILD_CONTEXT:-.}/samlsp"
+      dockerfile: ../go-command.Dockerfile
+      args:
+        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+    environment:
+      API_URL: 'http://traefik'
+      API_DOMAIN: 'traefik'
+      PAT_FILE: '/pat/zitadel-admin-sa.pat'
+      LOGIN_URL: 'https://traefik/ui/v2/login'
+      IDP_URL: 'http://zitadel:8080/saml/v2/metadata'
+      HOST: 'https://traefik'
+      PORT: '8001'
+    ports:
+      - 8001:8001
+    volumes:
+      - "./pat:/pat"
+    depends_on:
+      traefik:
+        condition: "service_healthy"
+      setup:
+        condition: "service_completed_successfully"
+
+  samlidp:
+    user: "${UID:-1000}:${GID:-1000}"
+    image: "${LOGIN_TEST_ACCEPTANCE_SAMLIDP_TAG:-login-test-acceptance-samlidp:local}"
+    container_name: acceptance-samlidp
+    build:
+      context: "${LOGIN_TEST_ACCEPTANCE_BUILD_CONTEXT:-.}/idp/saml"
+      dockerfile: ../../go-command.Dockerfile
+      args:
+        - LOGIN_TEST_ACCEPTANCE_GOLANG_TAG=${LOGIN_TEST_ACCEPTANCE_GOLANG_TAG:-golang:1.24-alpine}
+    environment:
+      API_URL: 'http://traefik:8080'
+      API_DOMAIN: 'traefik'
+      PAT_FILE: '/pat/zitadel-admin-sa.pat'
+      SCHEMA: 'https'
+      HOST: 'traefik'
+      PORT: "8003"
+    ports:
+      - 8003:8003
+    volumes:
+      - "./pat:/pat"
+    depends_on:
+      traefik:
+        condition: "service_healthy"
+      setup:
+        condition: "service_completed_successfully"

login/acceptance/pat/.gitignore

@@ -1,2 +1,3 @@
 *
+!.gitignore
 !.gitkeep

login/acceptance/playwright-report/.gitignore

@@ -1,2 +1,3 @@
 *
+!.gitignore
 !.gitkeep

login/acceptance/test-results/.gitignore

@@ -1,2 +1,3 @@
 *
+!.gitignore
 !.gitkeep