chore: move the go code into a subfolder

apps/api/internal/idp/providers/oauth/mapper.go

@@ -0,0 +1,110 @@
+package oauth
+
+import (
+	"encoding/json"
+	"fmt"
+	"strconv"
+
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/idp"
+)
+
+var _ idp.User = (*UserMapper)(nil)
+
+// UserMapper is an implementation of [idp.User].
+// It can be used in ZITADEL actions to map the `RawInfo`
+type UserMapper struct {
+	idAttribute string
+	RawInfo     map[string]interface{}
+}
+
+func NewUserMapper(idAttribute string) *UserMapper {
+	return &UserMapper{
+		idAttribute: idAttribute,
+		RawInfo:     make(map[string]interface{}),
+	}
+}
+
+func (u *UserMapper) UnmarshalJSON(data []byte) error {
+	return json.Unmarshal(data, &u.RawInfo)
+}
+
+// GetID is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetID() string {
+	id, ok := u.RawInfo[u.idAttribute]
+	if !ok {
+		return ""
+	}
+	switch i := id.(type) {
+	case string:
+		return i
+	case int:
+		return strconv.Itoa(i)
+	case float64:
+		return strconv.FormatFloat(i, 'f', -1, 64)
+	default:
+		return fmt.Sprint(i)
+	}
+}
+
+// GetFirstName is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetFirstName() string {
+	return ""
+}
+
+// GetLastName is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetLastName() string {
+	return ""
+}
+
+// GetDisplayName is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetDisplayName() string {
+	return ""
+}
+
+// GetNickname is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetNickname() string {
+	return ""
+}
+
+// GetPreferredUsername is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetPreferredUsername() string {
+	return ""
+}
+
+// GetEmail is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetEmail() domain.EmailAddress {
+	return ""
+}
+
+// IsEmailVerified is an implementation of the [idp.User] interface.
+func (u *UserMapper) IsEmailVerified() bool {
+	return false
+}
+
+// GetPhone is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetPhone() domain.PhoneNumber {
+	return ""
+}
+
+// IsPhoneVerified is an implementation of the [idp.User] interface.
+func (u *UserMapper) IsPhoneVerified() bool {
+	return false
+}
+
+// GetPreferredLanguage is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetPreferredLanguage() language.Tag {
+	return language.Und
+}
+
+// GetAvatarURL is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetAvatarURL() string {
+	return ""
+}
+
+// GetProfile is an implementation of the [idp.User] interface.
+func (u *UserMapper) GetProfile() string {
+	return ""
+}

apps/api/internal/idp/providers/oauth/oauth2.go

@@ -0,0 +1,143 @@
+package oauth
+
+import (
+	"context"
+
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"golang.org/x/oauth2"
+
+	"github.com/zitadel/zitadel/internal/idp"
+)
+
+var _ idp.Provider = (*Provider)(nil)
+
+// Provider is the [idp.Provider] implementation for a generic OAuth 2.0 provider
+type Provider struct {
+	rp.RelyingParty
+	options           []rp.Option
+	name              string
+	userEndpoint      string
+	user              func() idp.User
+	isLinkingAllowed  bool
+	isCreationAllowed bool
+	isAutoCreation    bool
+	isAutoUpdate      bool
+	generateVerifier  func() string
+}
+
+type ProviderOpts func(provider *Provider)
+
+// WithLinkingAllowed allows end users to link the federated user to an existing one.
+func WithLinkingAllowed() ProviderOpts {
+	return func(p *Provider) {
+		p.isLinkingAllowed = true
+	}
+}
+
+// WithCreationAllowed allows end users to create a new user using the federated information.
+func WithCreationAllowed() ProviderOpts {
+	return func(p *Provider) {
+		p.isCreationAllowed = true
+	}
+}
+
+// WithAutoCreation enables that federated users are automatically created if not already existing.
+func WithAutoCreation() ProviderOpts {
+	return func(p *Provider) {
+		p.isAutoCreation = true
+	}
+}
+
+// WithAutoUpdate enables that information retrieved from the provider is automatically used to update
+// the existing user on each authentication.
+func WithAutoUpdate() ProviderOpts {
+	return func(p *Provider) {
+		p.isAutoUpdate = true
+	}
+}
+
+// WithRelyingPartyOption allows to set an additional [rp.Option] like [rp.WithPKCE].
+func WithRelyingPartyOption(option rp.Option) ProviderOpts {
+	return func(p *Provider) {
+		p.options = append(p.options, option)
+	}
+}
+
+// New creates a generic OAuth 2.0 provider
+func New(config *oauth2.Config, name, userEndpoint string, user func() idp.User, options ...ProviderOpts) (provider *Provider, err error) {
+	provider = &Provider{
+		name:             name,
+		userEndpoint:     userEndpoint,
+		user:             user,
+		generateVerifier: oauth2.GenerateVerifier,
+	}
+	for _, option := range options {
+		option(provider)
+	}
+	provider.RelyingParty, err = rp.NewRelyingPartyOAuth(config, provider.options...)
+	if err != nil {
+		return nil, err
+	}
+	return provider, nil
+}
+
+// Name implements the [idp.Provider] interface
+func (p *Provider) Name() string {
+	return p.name
+}
+
+// BeginAuth implements the [idp.Provider] interface.
+// It will create a [Session] with an OAuth2.0 authorization request as AuthURL.
+func (p *Provider) BeginAuth(ctx context.Context, state string, params ...idp.Parameter) (idp.Session, error) {
+	opts := make([]rp.AuthURLOpt, 0)
+	var loginHintSet bool
+	for _, param := range params {
+		if username, ok := param.(idp.LoginHintParam); ok {
+			loginHintSet = true
+			opts = append(opts, loginHint(string(username)))
+		}
+	}
+	if !loginHintSet {
+		opts = append(opts, rp.WithPrompt(oidc.PromptSelectAccount))
+	}
+
+	var codeVerifier string
+	if p.RelyingParty.IsPKCE() {
+		codeVerifier = p.generateVerifier()
+		opts = append(opts, rp.WithCodeChallenge(oidc.NewSHACodeChallenge(codeVerifier)))
+	}
+
+	url := rp.AuthURL(state, p.RelyingParty, opts...)
+	return &Session{AuthURL: url, Provider: p, CodeVerifier: codeVerifier}, nil
+}
+
+func loginHint(hint string) rp.AuthURLOpt {
+	return func() []oauth2.AuthCodeOption {
+		return []oauth2.AuthCodeOption{oauth2.SetAuthURLParam("login_hint", hint)}
+	}
+}
+
+// IsLinkingAllowed implements the [idp.Provider] interface.
+func (p *Provider) IsLinkingAllowed() bool {
+	return p.isLinkingAllowed
+}
+
+// IsCreationAllowed implements the [idp.Provider] interface.
+func (p *Provider) IsCreationAllowed() bool {
+	return p.isCreationAllowed
+}
+
+// IsAutoCreation implements the [idp.Provider] interface.
+func (p *Provider) IsAutoCreation() bool {
+	return p.isAutoCreation
+}
+
+// IsAutoUpdate implements the [idp.Provider] interface.
+func (p *Provider) IsAutoUpdate() bool {
+	return p.isAutoUpdate
+}
+
+func (p *Provider) User() idp.User {
+	return p.user()
+}

apps/api/internal/idp/providers/oauth/oauth2_test.go

@@ -0,0 +1,184 @@
+package oauth
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	"golang.org/x/oauth2"
+
+	"github.com/zitadel/zitadel/internal/idp"
+)
+
+func TestProvider_BeginAuth(t *testing.T) {
+	type fields struct {
+		config       *oauth2.Config
+		name         string
+		userEndpoint string
+		userMapper   func() idp.User
+		options      []ProviderOpts
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   idp.Session
+	}{
+		{
+			name: "successful auth without PKCE",
+			fields: fields{
+				config: &oauth2.Config{
+					ClientID:     "clientID",
+					ClientSecret: "clientSecret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://oauth2.com/authorize",
+						TokenURL: "https://oauth2.com/token",
+					},
+					RedirectURL: "redirectURI",
+					Scopes:      []string{"user"},
+				},
+			},
+			want: &Session{AuthURL: "https://oauth2.com/authorize?client_id=clientID&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=user&state=testState"},
+		},
+		{
+			name: "successful auth with PKCE",
+			fields: fields{
+				config: &oauth2.Config{
+					ClientID:     "clientID",
+					ClientSecret: "clientSecret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://oauth2.com/authorize",
+						TokenURL: "https://oauth2.com/token",
+					},
+					RedirectURL: "redirectURI",
+					Scopes:      []string{"user"},
+				},
+				options: []ProviderOpts{
+					WithLinkingAllowed(),
+					WithCreationAllowed(),
+					WithAutoCreation(),
+					WithAutoUpdate(),
+					WithRelyingPartyOption(rp.WithPKCE(nil)),
+				},
+			},
+			want: &Session{AuthURL: "https://oauth2.com/authorize?client_id=clientID&code_challenge=2ZoH_a01aprzLkwVbjlPsBo4m8mJ_zOKkaDqYM7Oh5w&code_challenge_method=S256&prompt=select_account&redirect_uri=redirectURI&response_type=code&scope=user&state=testState"},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := assert.New(t)
+			r := require.New(t)
+
+			provider, err := New(tt.fields.config, tt.fields.name, tt.fields.userEndpoint, tt.fields.userMapper, tt.fields.options...)
+			r.NoError(err)
+			provider.generateVerifier = func() string {
+				return "pkceOAuthVerifier"
+			}
+
+			ctx := context.Background()
+			session, err := provider.BeginAuth(ctx, "testState")
+			r.NoError(err)
+
+			wantAuth, wantErr := tt.want.GetAuth(ctx)
+			gotAuth, gotErr := session.GetAuth(ctx)
+			a.Equal(wantAuth, gotAuth)
+			a.ErrorIs(gotErr, wantErr)
+		})
+	}
+}
+
+func TestProvider_Options(t *testing.T) {
+	type fields struct {
+		config       *oauth2.Config
+		name         string
+		userEndpoint string
+		userMapper   func() idp.User
+		options      []ProviderOpts
+	}
+	type want struct {
+		name            string
+		linkingAllowed  bool
+		creationAllowed bool
+		autoCreation    bool
+		autoUpdate      bool
+		pkce            bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   want
+	}{
+		{
+			name: "default",
+			fields: fields{
+				name: "oauth",
+				config: &oauth2.Config{
+					ClientID:     "clientID",
+					ClientSecret: "clientSecret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://oauth2.com/authorize",
+						TokenURL: "https://oauth2.com/token",
+					},
+					RedirectURL: "redirectURI",
+					Scopes:      []string{"user"},
+				},
+				options: nil,
+			},
+			want: want{
+				name:            "oauth",
+				linkingAllowed:  false,
+				creationAllowed: false,
+				autoCreation:    false,
+				autoUpdate:      false,
+				pkce:            false,
+			},
+		},
+		{
+			name: "all true",
+			fields: fields{
+				name: "oauth",
+				config: &oauth2.Config{
+					ClientID:     "clientID",
+					ClientSecret: "clientSecret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://oauth2.com/authorize",
+						TokenURL: "https://oauth2.com/token",
+					},
+					RedirectURL: "redirectURI",
+					Scopes:      []string{"user"},
+				},
+				options: []ProviderOpts{
+					WithLinkingAllowed(),
+					WithCreationAllowed(),
+					WithAutoCreation(),
+					WithAutoUpdate(),
+					WithRelyingPartyOption(rp.WithPKCE(nil)),
+				},
+			},
+			want: want{
+				name:            "oauth",
+				linkingAllowed:  true,
+				creationAllowed: true,
+				autoCreation:    true,
+				autoUpdate:      true,
+				pkce:            true,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			a := assert.New(t)
+
+			provider, err := New(tt.fields.config, tt.fields.name, tt.fields.userEndpoint, tt.fields.userMapper, tt.fields.options...)
+			require.NoError(t, err)
+
+			a.Equal(tt.want.name, provider.Name())
+			a.Equal(tt.want.linkingAllowed, provider.IsLinkingAllowed())
+			a.Equal(tt.want.creationAllowed, provider.IsCreationAllowed())
+			a.Equal(tt.want.autoCreation, provider.IsAutoCreation())
+			a.Equal(tt.want.autoUpdate, provider.IsAutoUpdate())
+			a.Equal(tt.want.pkce, provider.RelyingParty.IsPKCE())
+		})
+	}
+}

apps/api/internal/idp/providers/oauth/session.go

@@ -0,0 +1,91 @@
+package oauth
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"time"
+
+	"github.com/zitadel/oidc/v3/pkg/client/rp"
+	httphelper "github.com/zitadel/oidc/v3/pkg/http"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+
+	"github.com/zitadel/zitadel/internal/idp"
+)
+
+var ErrCodeMissing = errors.New("no auth code provided")
+
+const (
+	CodeVerifier = "codeVerifier"
+)
+
+var _ idp.Session = (*Session)(nil)
+
+// Session is the [idp.Session] implementation for the OAuth2.0 provider.
+type Session struct {
+	AuthURL      string
+	CodeVerifier string
+	Code         string
+	Tokens       *oidc.Tokens[*oidc.IDTokenClaims]
+
+	Provider *Provider
+}
+
+func NewSession(provider *Provider, code string, idpArguments map[string]any) *Session {
+	verifier, _ := idpArguments[CodeVerifier].(string)
+	return &Session{Provider: provider, Code: code, CodeVerifier: verifier}
+}
+
+// GetAuth implements the [idp.Session] interface.
+func (s *Session) GetAuth(ctx context.Context) (idp.Auth, error) {
+	return idp.Redirect(s.AuthURL)
+}
+
+// PersistentParameters implements the [idp.Session] interface.
+func (s *Session) PersistentParameters() map[string]any {
+	if s.CodeVerifier == "" {
+		return nil
+	}
+	return map[string]any{CodeVerifier: s.CodeVerifier}
+}
+
+// FetchUser implements the [idp.Session] interface.
+// It will execute an OAuth 2.0 code exchange if needed to retrieve the access token,
+// call the specified userEndpoint and map the received information into an [idp.User].
+func (s *Session) FetchUser(ctx context.Context) (_ idp.User, err error) {
+	if s.Tokens == nil {
+		if err = s.authorize(ctx); err != nil {
+			return nil, err
+		}
+	}
+	req, err := http.NewRequest("GET", s.Provider.userEndpoint, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.Header.Set("authorization", s.Tokens.TokenType+" "+s.Tokens.AccessToken)
+	user := s.Provider.User()
+	if err := httphelper.HttpRequest(s.Provider.RelyingParty.HttpClient(), req, &user); err != nil {
+		return nil, err
+	}
+	return user, nil
+}
+
+func (s *Session) ExpiresAt() time.Time {
+	if s.Tokens == nil {
+		return time.Time{}
+	}
+	return s.Tokens.Expiry
+}
+
+func (s *Session) authorize(ctx context.Context) (err error) {
+	if s.Code == "" {
+		return ErrCodeMissing
+	}
+	var opts []rp.CodeExchangeOpt
+	if s.CodeVerifier != "" {
+		opts = append(opts, rp.WithCodeVerifier(s.CodeVerifier))
+	}
+	s.Tokens, err = rp.CodeExchange[*oidc.IDTokenClaims](ctx, s.Code, s.Provider.RelyingParty, opts...)
+
+	return err
+}

apps/api/internal/idp/providers/oauth/session_test.go

@@ -0,0 +1,274 @@
+package oauth
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"testing"
+
+	"github.com/h2non/gock"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/zitadel/oidc/v3/pkg/oidc"
+	"golang.org/x/oauth2"
+	"golang.org/x/text/language"
+
+	"github.com/zitadel/zitadel/internal/domain"
+	"github.com/zitadel/zitadel/internal/idp"
+)
+
+func TestProvider_FetchUser(t *testing.T) {
+	type fields struct {
+		config       *oauth2.Config
+		name         string
+		userEndpoint string
+		httpMock     func(issuer string)
+		userMapper   func() idp.User
+		authURL      string
+		code         string
+		tokens       *oidc.Tokens[*oidc.IDTokenClaims]
+	}
+	type want struct {
+		err               func(error) bool
+		user              idp.User
+		id                string
+		firstName         string
+		lastName          string
+		displayName       string
+		nickName          string
+		preferredUsername string
+		email             string
+		isEmailVerified   bool
+		phone             string
+		isPhoneVerified   bool
+		preferredLanguage language.Tag
+		avatarURL         string
+		profile           string
+	}
+	tests := []struct {
+		name   string
+		fields fields
+		want   want
+	}{
+		{
+			name: "unauthenticated session, error",
+			fields: fields{
+				config: &oauth2.Config{
+					ClientID:     "clientID",
+					ClientSecret: "clientSecret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://oauth2.com/authorize",
+						TokenURL: "https://oauth2.com/token",
+					},
+					RedirectURL: "redirectURI",
+					Scopes:      []string{"user"},
+				},
+				userEndpoint: "https://oauth2.com/user",
+				httpMock:     func(issuer string) {},
+				authURL:      "https://oauth2.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=user&state=testState",
+				tokens:       nil,
+			},
+			want: want{
+				err: func(err error) bool {
+					return errors.Is(err, ErrCodeMissing)
+				},
+			},
+		},
+		{
+			name: "user error",
+			fields: fields{
+				config: &oauth2.Config{
+					ClientID:     "clientID",
+					ClientSecret: "clientSecret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://oauth2.com/authorize",
+						TokenURL: "https://oauth2.com/token",
+					},
+					RedirectURL: "redirectURI",
+					Scopes:      []string{"user"},
+				},
+				userEndpoint: "https://oauth2.com/user",
+				httpMock: func(issuer string) {
+					gock.New(issuer).
+						Get("/user").
+						Reply(http.StatusInternalServerError)
+				},
+				userMapper: func() idp.User {
+					return NewUserMapper("userID")
+				},
+				authURL: "https://oauth2.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=user&state=testState",
+				tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
+					Token: &oauth2.Token{
+						AccessToken: "accessToken",
+						TokenType:   oidc.BearerToken,
+					},
+				},
+			},
+			want: want{
+				err: func(err error) bool {
+					return err.Error() == "http status not ok: 500 Internal Server Error "
+				},
+			},
+		},
+		{
+			name: "successful fetch",
+			fields: fields{
+				config: &oauth2.Config{
+					ClientID:     "clientID",
+					ClientSecret: "clientSecret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://oauth2.com/authorize",
+						TokenURL: "https://oauth2.com/token",
+					},
+					RedirectURL: "redirectURI",
+					Scopes:      []string{"user"},
+				},
+				userEndpoint: "https://oauth2.com/user",
+				httpMock: func(issuer string) {
+					gock.New(issuer).
+						Get("/user").
+						Reply(200).
+						JSON(map[string]interface{}{
+							"userID": "id",
+							"custom": "claim",
+						})
+				},
+				userMapper: func() idp.User {
+					return NewUserMapper("userID")
+				},
+				authURL: "https://issuer.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=user&state=testState",
+				tokens: &oidc.Tokens[*oidc.IDTokenClaims]{
+					Token: &oauth2.Token{
+						AccessToken: "accessToken",
+						TokenType:   oidc.BearerToken,
+					},
+				},
+			},
+			want: want{
+				user: &UserMapper{
+					idAttribute: "userID",
+					RawInfo: map[string]interface{}{
+						"userID": "id",
+						"custom": "claim",
+					},
+				},
+				id:                "id",
+				firstName:         "",
+				lastName:          "",
+				displayName:       "",
+				nickName:          "",
+				preferredUsername: "",
+				email:             "",
+				isEmailVerified:   false,
+				phone:             "",
+				isPhoneVerified:   false,
+				preferredLanguage: language.Und,
+				avatarURL:         "",
+				profile:           "",
+			},
+		},
+		{
+			name: "successful fetch with code exchange",
+			fields: fields{
+				config: &oauth2.Config{
+					ClientID:     "clientID",
+					ClientSecret: "clientSecret",
+					Endpoint: oauth2.Endpoint{
+						AuthURL:  "https://oauth2.com/authorize",
+						TokenURL: "https://oauth2.com/token",
+					},
+					RedirectURL: "redirectURI",
+					Scopes:      []string{"user"},
+				},
+				userEndpoint: "https://oauth2.com/user",
+				httpMock: func(issuer string) {
+					gock.New(issuer).
+						Post("/token").
+						BodyString("client_id=clientID&client_secret=clientSecret&code=code&grant_type=authorization_code&redirect_uri=redirectURI").
+						Reply(200).
+						JSON(&oidc.AccessTokenResponse{
+							AccessToken:  "accessToken",
+							TokenType:    oidc.BearerToken,
+							RefreshToken: "",
+							ExpiresIn:    3600,
+							IDToken:      "",
+							State:        "testState"})
+					gock.New(issuer).
+						Get("/user").
+						Reply(200).
+						JSON(map[string]interface{}{
+							"userID": "id",
+							"custom": "claim",
+						})
+				},
+				userMapper: func() idp.User {
+					return NewUserMapper("userID")
+				},
+				authURL: "https://issuer.com/authorize?client_id=clientID&redirect_uri=redirectURI&response_type=code&scope=user&state=testState",
+				tokens:  nil,
+				code:    "code",
+			},
+			want: want{
+				user: &UserMapper{
+					idAttribute: "userID",
+					RawInfo: map[string]interface{}{
+						"userID": "id",
+						"custom": "claim",
+					},
+				},
+				id:                "id",
+				firstName:         "",
+				lastName:          "",
+				displayName:       "",
+				nickName:          "",
+				preferredUsername: "",
+				email:             "",
+				isEmailVerified:   false,
+				phone:             "",
+				isPhoneVerified:   false,
+				preferredLanguage: language.Und,
+				avatarURL:         "",
+				profile:           "",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			defer gock.Off()
+			tt.fields.httpMock("https://oauth2.com")
+			a := assert.New(t)
+
+			provider, err := New(tt.fields.config, tt.fields.name, tt.fields.userEndpoint, tt.fields.userMapper)
+			require.NoError(t, err)
+
+			session := &Session{
+				AuthURL:  tt.fields.authURL,
+				Code:     tt.fields.code,
+				Tokens:   tt.fields.tokens,
+				Provider: provider,
+			}
+
+			user, err := session.FetchUser(context.Background())
+			if tt.want.err != nil && !tt.want.err(err) {
+				a.Fail("invalid error", err)
+			}
+			if tt.want.err == nil {
+				a.NoError(err)
+				a.Equal(tt.want.user, user)
+				a.Equal(tt.want.id, user.GetID())
+				a.Equal(tt.want.firstName, user.GetFirstName())
+				a.Equal(tt.want.lastName, user.GetLastName())
+				a.Equal(tt.want.displayName, user.GetDisplayName())
+				a.Equal(tt.want.nickName, user.GetNickname())
+				a.Equal(tt.want.preferredUsername, user.GetPreferredUsername())
+				a.Equal(domain.EmailAddress(tt.want.email), user.GetEmail())
+				a.Equal(tt.want.isEmailVerified, user.IsEmailVerified())
+				a.Equal(domain.PhoneNumber(tt.want.phone), user.GetPhone())
+				a.Equal(tt.want.isPhoneVerified, user.IsPhoneVerified())
+				a.Equal(tt.want.preferredLanguage, user.GetPreferredLanguage())
+				a.Equal(tt.want.avatarURL, user.GetAvatarURL())
+				a.Equal(tt.want.profile, user.GetProfile())
+			}
+		})
+	}
+}