Merge branch 'main' into default-redirect

2025-12-12 14:54:33 +00:00 · 2024-11-21 10:17:28 +01:00
parent 2c542b813b 1360645695
commit f187ddc6ba
65 changed files with 2650 additions and 246 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,10 +4,6 @@ on: pull_request
 jobs:
  quality:
    env:
      ZITADEL_IMAGE: ghcr.io/zitadel/zitadel:v2.65.0
      POSTGRES_IMAGE: postgres:17.0-alpine3.19
    name: Ensure Quality
    runs-on: ubuntu-latest
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Login UI.
 The scope of functionality of this repo and packages is under active development.
-The `@zitadel/client` and `@zitadel/node` packages are using [@connectrpc/connect](https://github.com/connectrpc/connect-es#readme) and its [2.0.0-alpha](https://github.com/connectrpc/connect-es/releases/tag/v2.0.0-alpha.1) release which might still change.
+The `@zitadel/client` and `@zitadel/node` packages are using [@connectrpc/connect](https://github.com/connectrpc/connect-es#readme).
 You can read the [contribution guide](/CONTRIBUTING.md) on how to contribute.
 Questions can be raised in our [Discord channel](https://discord.gg/erh5Brh7jE) or as
--- a/acceptance/docker-compose.yaml
+++ b/acceptance/docker-compose.yaml
@@ -1,7 +1,7 @@
 services:
  zitadel:
    user: "${ZITADEL_DEV_UID}"
-    image: "${ZITADEL_IMAGE:-ghcr.io/zitadel/zitadel:latest}"
+    image: ghcr.io/zitadel/zitadel:v2.65.0
    command: 'start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled --config /zitadel.yaml --steps /zitadel.yaml'
    ports:
      - "8080:8080"
@@ -14,7 +14,7 @@ services:
  db:
    restart: "always"
-    image: "${POSTGRES_IMAGE:-postgres:latest}"
+    image: postgres:17.0-alpine3.19
    environment:
      - POSTGRES_USER=zitadel
      - PGUSER=zitadel
@@ -44,9 +44,11 @@ services:
      PAT_FILE: /pat/zitadel-admin-sa.pat
      ZITADEL_API_INTERNAL_URL: http://zitadel:8080
      WRITE_ENVIRONMENT_FILE: /apps/login/.env.local
      WRITE_TEST_ENVIRONMENT_FILE: /acceptance/tests/.env.local
    volumes:
      - "./pat:/pat"
      - "../apps/login:/apps/login"
      - "../acceptance/tests:/acceptance/tests"
    depends_on:
      wait_for_zitadel:
        condition: "service_completed_successfully"
--- a/acceptance/setup.sh
+++ b/acceptance/setup.sh
@@ -26,15 +26,19 @@ fi
 WRITE_ENVIRONMENT_FILE=${WRITE_ENVIRONMENT_FILE:-$(dirname "$0")/../apps/login/.env.local}
 echo "Writing environment file to ${WRITE_ENVIRONMENT_FILE} when done."
 WRITE_TEST_ENVIRONMENT_FILE=${WRITE_TEST_ENVIRONMENT_FILE:-$(dirname "$0")/../acceptance/tests/.env.local}
 echo "Writing environment file to ${WRITE_TEST_ENVIRONMENT_FILE} when done."
 echo "ZITADEL_API_URL=${ZITADEL_API_URL}
 ZITADEL_SERVICE_USER_ID=${ZITADEL_SERVICE_USER_ID}
 ZITADEL_SERVICE_USER_TOKEN=${PAT}
-DEBUG=true" > ${WRITE_ENVIRONMENT_FILE}
+DEBUG=true"| tee "${WRITE_ENVIRONMENT_FILE}" "${WRITE_TEST_ENVIRONMENT_FILE}" > /dev/null
 echo "Wrote environment file ${WRITE_ENVIRONMENT_FILE}"
 cat ${WRITE_ENVIRONMENT_FILE}
 echo "Wrote environment file ${WRITE_TEST_ENVIRONMENT_FILE}"
 cat ${WRITE_TEST_ENVIRONMENT_FILE}
 DEFAULTORG_RESPONSE_RESULTS=0
 # waiting for default organization
 until [ ${DEFAULTORG_RESPONSE_RESULTS} -eq 1 ]
--- a/acceptance/tests/admin.spec.ts
+++ b/acceptance/tests/admin.spec.ts
@@ -0,0 +1,7 @@
 import { test } from "@playwright/test";
 import { loginScreenExpect, loginWithPassword } from "./login";
 test("admin login", async ({ page }) => {
  await loginWithPassword(page, "zitadel-admin@zitadel.localhost", "Password1!");
  await loginScreenExpect(page, "ZITADEL Admin");
 });
--- a/acceptance/tests/idp-apple.spec.ts
+++ b/acceptance/tests/idp-apple.spec.ts
@@ -0,0 +1,94 @@
 // Note for all tests, in case Apple doesn't deliver all relevant information per default
 // We should add an action in the needed cases
 import test from "@playwright/test";
 test("login with Apple IDP", async ({ page }) => {
  // Given an Apple IDP is configured on the organization
  // Given the user has an Apple added as auth method
  // User authenticates with Apple
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with Apple IDP - error", async ({ page }) => {
  // Given an Apple IDP is configured on the organization
  // Given the user has an Apple added as auth method
  // User is redirected to Apple
  // User authenticates with Apple and gets an error
  // User is redirect back to login
  // An error is shown to the user "Something went wrong in Apple Login"
 });
 test("login with Apple IDP, no user existing - auto register", async ({ page }) => {
  // Given idp Apple is configure on the organization as only authencation method
  // Given idp Apple is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Apple
  // User authenticates in Apple
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Apple IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp Apple is configure on the organization as only authencation method
  // Given idp Apple is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Apple
  // User authenticates in Apple
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Apple IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp Apple is configure on the organization as only authencation method
  // Given idp Apple is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Apple
  // User authenticates in Apple
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with Apple IDP, no user linked - auto link", async ({ page }) => {
  // Given idp Apple is configure on the organization as only authencation method
  // Given idp Apple is configure with account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to Apple
  // User authenticates in Apple with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Apple IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp Apple is configure on the organization as only authencation method
  // Given idp Apple is configure with manually account linking  not allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Apple
  // User authenticates in Apple with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with Apple IDP, no user linked, user link successful", async ({ page }) => {
  // Given idp Apple is configure on the organization as only authencation method
  // Given idp Apple is configure with manually account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Apple
  // User authenticates in Apple with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-generic-jwt.spec.ts
+++ b/acceptance/tests/idp-generic-jwt.spec.ts
@@ -0,0 +1,91 @@
 import test from "@playwright/test";
 test("login with Generic JWT IDP", async ({ page }) => {
  // Given a Generic JWT IDP is configured on the organization
  // Given the user has Generic JWT IDP added as auth method
  // User authenticates with the Generic JWT IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with Generic JWT IDP - error", async ({ page }) => {
  // Given the Generic JWT IDP is configured on the organization
  // Given the user has Generic JWT IDP added as auth method
  // User is redirected to the Generic JWT IDP
  // User authenticates with the Generic JWT IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with Generic JWT IDP, no user existing - auto register", async ({ page }) => {
  // Given idp Generic JWT is configure on the organization as only authencation method
  // Given idp Generic JWT is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Generic JWT
  // User authenticates in Generic JWT
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Generic JWT IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp Generic JWT is configure on the organization as only authencation method
  // Given idp Generic JWT is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Generic JWT
  // User authenticates in Generic JWT
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Generic JWT IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp Generic JWT is configure on the organization as only authencation method
  // Given idp Generic JWT is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Generic JWT
  // User authenticates in Generic JWT
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with Generic JWT IDP, no user linked - auto link", async ({ page }) => {
  // Given idp Generic JWT is configure on the organization as only authencation method
  // Given idp Generic JWT is configure with account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to Generic JWT
  // User authenticates in Generic JWT with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Generic JWT IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp Generic JWT is configure on the organization as only authencation method
  // Given idp Generic JWT is configure with manually account linking  not allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Generic JWT
  // User authenticates in Generic JWT with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with Generic JWT IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp Generic JWT is configure on the organization as only authencation method
  // Given idp Generic JWT is configure with manually account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Generic JWT
  // User authenticates in Generic JWT with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-generic-oauth.spec.ts
+++ b/acceptance/tests/idp-generic-oauth.spec.ts
@@ -0,0 +1,91 @@
 import test from "@playwright/test";
 test("login with Generic OAuth IDP", async ({ page }) => {
  // Given a Generic OAuth IDP is configured on the organization
  // Given the user has Generic OAuth IDP added as auth method
  // User authenticates with the Generic OAuth IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with Generic OAuth IDP - error", async ({ page }) => {
  // Given the Generic OAuth IDP is configured on the organization
  // Given the user has Generic OAuth IDP added as auth method
  // User is redirected to the Generic OAuth IDP
  // User authenticates with the Generic OAuth IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with Generic OAuth IDP, no user existing - auto register", async ({ page }) => {
  // Given idp Generic OAuth is configure on the organization as only authencation method
  // Given idp Generic OAuth is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Generic OAuth
  // User authenticates in Generic OAuth
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Generic OAuth IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp Generic OAuth is configure on the organization as only authencation method
  // Given idp Generic OAuth is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Generic OAuth
  // User authenticates in Generic OAuth
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Generic OAuth IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp Generic OAuth is configure on the organization as only authencation method
  // Given idp Generic OAuth is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Generic OAuth
  // User authenticates in Generic OAuth
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with Generic OAuth IDP, no user linked - auto link", async ({ page }) => {
  // Given idp Generic OAuth is configure on the organization as only authencation method
  // Given idp Generic OAuth is configure with account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to Generic OAuth
  // User authenticates in Generic OAuth with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Generic OAuth IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp Generic OAuth is configure on the organization as only authencation method
  // Given idp Generic OAuth is configure with manually account linking  not allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Generic OAuth
  // User authenticates in Generic OAuth with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with Generic OAuth IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp Generic OAuth is configure on the organization as only authencation method
  // Given idp Generic OAuth is configure with manually account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Generic OAuth
  // User authenticates in Generic OAuth with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-generic-oidc.spec.ts
+++ b/acceptance/tests/idp-generic-oidc.spec.ts
@@ -0,0 +1,93 @@
 // Note, we should use a provider such as Google to test this, where we know OIDC standard is properly implemented
 import test from "@playwright/test";
 test("login with Generic OIDC IDP", async ({ page }) => {
  // Given a Generic OIDC IDP is configured on the organization
  // Given the user has Generic OIDC IDP added as auth method
  // User authenticates with the Generic OIDC IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with Generic OIDC IDP - error", async ({ page }) => {
  // Given the Generic OIDC IDP is configured on the organization
  // Given the user has Generic OIDC IDP added as auth method
  // User is redirected to the Generic OIDC IDP
  // User authenticates with the Generic OIDC IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with Generic OIDC IDP, no user existing - auto register", async ({ page }) => {
  // Given idp Generic OIDC is configure on the organization as only authencation method
  // Given idp Generic OIDC is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Generic OIDC
  // User authenticates in Generic OIDC
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Generic OIDC IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp Generic OIDC is configure on the organization as only authencation method
  // Given idp Generic OIDC is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Generic OIDC
  // User authenticates in Generic OIDC
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Generic OIDC IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp Generic OIDC is configure on the organization as only authencation method
  // Given idp Generic OIDC is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Generic OIDC
  // User authenticates in Generic OIDC
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with Generic OIDC IDP, no user linked - auto link", async ({ page }) => {
  // Given idp Generic OIDC is configure on the organization as only authencation method
  // Given idp Generic OIDC is configure with account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to Generic OIDC
  // User authenticates in Generic OIDC with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Generic OIDC IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp Generic OIDC is configure on the organization as only authencation method
  // Given idp Generic OIDC is configure with manually account linking  not allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Generic OIDC
  // User authenticates in Generic OIDC with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with Generic OIDC IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp Generic OIDC is configure on the organization as only authencation method
  // Given idp Generic OIDC is configure with manually account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Generic OIDC
  // User authenticates in Generic OIDC with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-github-enterprise.spec.ts
+++ b/acceptance/tests/idp-github-enterprise.spec.ts
@@ -0,0 +1,95 @@
 import test from "@playwright/test";
 test("login with GitHub Enterprise IDP", async ({ page }) => {
  // Given a GitHub Enterprise IDP is configured on the organization
  // Given the user has GitHub Enterprise IDP added as auth method
  // User authenticates with the GitHub Enterprise IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with GitHub Enterprise IDP - error", async ({ page }) => {
  // Given the GitHub Enterprise IDP is configured on the organization
  // Given the user has GitHub Enterprise IDP added as auth method
  // User is redirected to the GitHub Enterprise IDP
  // User authenticates with the GitHub Enterprise IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with GitHub Enterprise IDP, no user existing - auto register", async ({ page }) => {
  // Given idp GitHub Enterprise is configure on the organization as only authencation method
  // Given idp GitHub Enterprise is configure with account creation alloweed, and automatic creation enabled
  // Given ZITADEL Action is added to autofill missing user information
  // Given no user exists yet
  // User is automatically redirected to GitHub Enterprise
  // User authenticates in GitHub Enterprise
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with GitHub Enterprise IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp GitHub Enterprise is configure on the organization as only authencation method
  // Given idp GitHub Enterprise is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to GitHub Enterprise
  // User authenticates in GitHub Enterprise
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with GitHub Enterprise IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp GitHub Enterprise is configure on the organization as only authencation method
  // Given idp GitHub Enterprise is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to GitHub Enterprise
  // User authenticates in GitHub Enterprise
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with GitHub Enterprise IDP, no user linked - auto link", async ({ page }) => {
  // Given idp GitHub Enterprise is configure on the organization as only authencation method
  // Given idp GitHub Enterprise is configure with account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to GitHub Enterprise
  // User authenticates in GitHub Enterprise with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with GitHub Enterprise IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp GitHub Enterprise is configure on the organization as only authencation method
  // Given idp GitHub Enterprise is configure with manually account linking  not allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to GitHub Enterprise
  // User authenticates in GitHub Enterprise with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with GitHub Enterprise IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp GitHub Enterprise is configure on the organization as only authencation method
  // Given idp GitHub Enterprise is configure with manually account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to GitHub Enterprise
  // User authenticates in GitHub Enterprise with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-github.spec.ts
+++ b/acceptance/tests/idp-github.spec.ts
@@ -0,0 +1,95 @@
 import test from "@playwright/test";
 test("login with GitHub IDP", async ({ page }) => {
  // Given a GitHub IDP is configured on the organization
  // Given the user has GitHub IDP added as auth method
  // User authenticates with the GitHub IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with GitHub IDP - error", async ({ page }) => {
  // Given the GitHub IDP is configured on the organization
  // Given the user has GitHub IDP added as auth method
  // User is redirected to the GitHub IDP
  // User authenticates with the GitHub IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with GitHub IDP, no user existing - auto register", async ({ page }) => {
  // Given idp GitHub is configure on the organization as only authencation method
  // Given idp GitHub is configure with account creation alloweed, and automatic creation enabled
  // Given ZITADEL Action is added to autofill missing user information
  // Given no user exists yet
  // User is automatically redirected to GitHub
  // User authenticates in GitHub
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with GitHub IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp GitHub is configure on the organization as only authencation method
  // Given idp GitHub is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to GitHub
  // User authenticates in GitHub
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with GitHub IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp GitHub is configure on the organization as only authencation method
  // Given idp GitHub is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to GitHub
  // User authenticates in GitHub
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with GitHub IDP, no user linked - auto link", async ({ page }) => {
  // Given idp GitHub is configure on the organization as only authencation method
  // Given idp GitHub is configure with account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to GitHub
  // User authenticates in GitHub with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with GitHub IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp GitHub is configure on the organization as only authencation method
  // Given idp GitHub is configure with manually account linking  not allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to GitHub
  // User authenticates in GitHub with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with GitHub IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp GitHub is configure on the organization as only authencation method
  // Given idp GitHub is configure with manually account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to GitHub
  // User authenticates in GitHub with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-gitlab-self-hosted.spec.ts
+++ b/acceptance/tests/idp-gitlab-self-hosted.spec.ts
@@ -0,0 +1,95 @@
 import test from "@playwright/test";
 test("login with GitLab Self-Hosted IDP", async ({ page }) => {
  // Given a GitLab Self-Hosted IDP is configured on the organization
  // Given the user has GitLab Self-Hosted IDP added as auth method
  // User authenticates with the GitLab Self-Hosted IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with GitLab Self-Hosted IDP - error", async ({ page }) => {
  // Given the GitLab Self-Hosted IDP is configured on the organization
  // Given the user has GitLab Self-Hosted IDP added as auth method
  // User is redirected to the GitLab Self-Hosted IDP
  // User authenticates with the GitLab Self-Hosted IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with Gitlab Self-Hosted IDP, no user existing - auto register", async ({ page }) => {
  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
  // Given idp Gitlab Self-Hosted is configure with account creation alloweed, and automatic creation enabled
  // Given ZITADEL Action is added to autofill missing user information
  // Given no user exists yet
  // User is automatically redirected to Gitlab Self-Hosted
  // User authenticates in Gitlab Self-Hosted
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Gitlab Self-Hosted IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
  // Given idp Gitlab Self-Hosted is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Gitlab Self-Hosted
  // User authenticates in Gitlab Self-Hosted
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Gitlab Self-Hosted IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
  // Given idp Gitlab Self-Hosted is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Gitlab Self-Hosted
  // User authenticates in Gitlab Self-Hosted
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with Gitlab Self-Hosted IDP, no user linked - auto link", async ({ page }) => {
  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
  // Given idp Gitlab Self-Hosted is configure with account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to Gitlab Self-Hosted
  // User authenticates in Gitlab Self-Hosted with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Gitlab Self-Hosted IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
  // Given idp Gitlab Self-Hosted is configure with manually account linking  not allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Gitlab Self-Hosted
  // User authenticates in Gitlab Self-Hosted with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with Gitlab Self-Hosted IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp Gitlab Self-Hosted is configure on the organization as only authencation method
  // Given idp Gitlab Self-Hosted is configure with manually account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Gitlab Self-Hosted
  // User authenticates in Gitlab Self-Hosted with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-gitlab.spec.ts
+++ b/acceptance/tests/idp-gitlab.spec.ts
@@ -0,0 +1,95 @@
 import test from "@playwright/test";
 test("login with GitLab IDP", async ({ page }) => {
  // Given a GitLab IDP is configured on the organization
  // Given the user has GitLab IDP added as auth method
  // User authenticates with the GitLab IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with GitLab IDP - error", async ({ page }) => {
  // Given the GitLab IDP is configured on the organization
  // Given the user has GitLab IDP added as auth method
  // User is redirected to the GitLab IDP
  // User authenticates with the GitLab IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with Gitlab IDP, no user existing - auto register", async ({ page }) => {
  // Given idp Gitlab is configure on the organization as only authencation method
  // Given idp Gitlab is configure with account creation alloweed, and automatic creation enabled
  // Given ZITADEL Action is added to autofill missing user information
  // Given no user exists yet
  // User is automatically redirected to Gitlab
  // User authenticates in Gitlab
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Gitlab IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp Gitlab is configure on the organization as only authencation method
  // Given idp Gitlab is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Gitlab
  // User authenticates in Gitlab
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Gitlab IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp Gitlab is configure on the organization as only authencation method
  // Given idp Gitlab is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Gitlab
  // User authenticates in Gitlab
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with Gitlab IDP, no user linked - auto link", async ({ page }) => {
  // Given idp Gitlab is configure on the organization as only authencation method
  // Given idp Gitlab is configure with account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to Gitlab
  // User authenticates in Gitlab with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Gitlab IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp Gitlab is configure on the organization as only authencation method
  // Given idp Gitlab is configure with manually account linking  not allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Gitlab
  // User authenticates in Gitlab with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with Gitlab IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp Gitlab is configure on the organization as only authencation method
  // Given idp Gitlab is configure with manually account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Gitlab
  // User authenticates in Gitlab with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-google.spec.ts
+++ b/acceptance/tests/idp-google.spec.ts
@@ -0,0 +1,91 @@
 import test from "@playwright/test";
 test("login with Google IDP", async ({ page }) => {
  // Given a Google IDP is configured on the organization
  // Given the user has Google IDP added as auth method
  // User authenticates with the Google IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with Google IDP - error", async ({ page }) => {
  // Given the Google IDP is configured on the organization
  // Given the user has Google IDP added as auth method
  // User is redirected to the Google IDP
  // User authenticates with the Google IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with Google IDP, no user existing - auto register", async ({ page }) => {
  // Given idp Google is configure on the organization as only authencation method
  // Given idp Google is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Google
  // User authenticates in Google
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Google IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp Google is configure on the organization as only authencation method
  // Given idp Google is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Google
  // User authenticates in Google
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Google IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp Google is configure on the organization as only authencation method
  // Given idp Google is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Google
  // User authenticates in Google
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with Google IDP, no user linked - auto link", async ({ page }) => {
  // Given idp Google is configure on the organization as only authencation method
  // Given idp Google is configure with account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to Google
  // User authenticates in Google with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Google IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp Google is configure on the organization as only authencation method
  // Given idp Google is configure with manually account linking  not allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Google
  // User authenticates in Google with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with Google IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp Google is configure on the organization as only authencation method
  // Given idp Google is configure with manually account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Google
  // User authenticates in Google with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-ldap.spec.ts
+++ b/acceptance/tests/idp-ldap.spec.ts
@@ -0,0 +1,91 @@
 import test from "@playwright/test";
 test("login with LDAP IDP", async ({ page }) => {
  // Given a LDAP IDP is configured on the organization
  // Given the user has LDAP IDP added as auth method
  // User authenticates with the LDAP IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with LDAP IDP - error", async ({ page }) => {
  // Given the LDAP IDP is configured on the organization
  // Given the user has LDAP IDP added as auth method
  // User is redirected to the LDAP IDP
  // User authenticates with the LDAP IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with LDAP IDP, no user existing - auto register", async ({ page }) => {
  // Given idp LDAP is configure on the organization as only authencation method
  // Given idp LDAP is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to LDAP
  // User authenticates in LDAP
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with LDAP IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp LDAP is configure on the organization as only authencation method
  // Given idp LDAP is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to LDAP
  // User authenticates in LDAP
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with LDAP IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp LDAP is configure on the organization as only authencation method
  // Given idp LDAP is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to LDAP
  // User authenticates in LDAP
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with LDAP IDP, no user linked - auto link", async ({ page }) => {
  // Given idp LDAP is configure on the organization as only authencation method
  // Given idp LDAP is configure with account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to LDAP
  // User authenticates in LDAP with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with LDAP IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp LDAP is configure on the organization as only authencation method
  // Given idp LDAP is configure with manually account linking  not allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to LDAP
  // User authenticates in LDAP with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with LDAP IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp LDAP is configure on the organization as only authencation method
  // Given idp LDAP is configure with manually account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to LDAP
  // User authenticates in LDAP with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-microsoft.spec.ts
+++ b/acceptance/tests/idp-microsoft.spec.ts
@@ -0,0 +1,94 @@
 // Note for all tests, in case Microsoft doesn't deliver all relevant information per default
 // We should add an action in the needed cases
 import test from "@playwright/test";
 test("login with Microsoft IDP", async ({ page }) => {
  // Given a Microsoft IDP is configured on the organization
  // Given the user has Microsoft IDP added as auth method
  // User authenticates with the Microsoft IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with Microsoft IDP - error", async ({ page }) => {
  // Given the Microsoft IDP is configured on the organization
  // Given the user has Microsoft IDP added as auth method
  // User is redirected to the Microsoft IDP
  // User authenticates with the Microsoft IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with Microsoft IDP, no user existing - auto register", async ({ page }) => {
  // Given idp Microsoft is configure on the organization as only authencation method
  // Given idp Microsoft is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Microsoft
  // User authenticates in Microsoft
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Microsoft IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp Microsoft is configure on the organization as only authencation method
  // Given idp Microsoft is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Microsoft
  // User authenticates in Microsoft
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Microsoft IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp Microsoft is configure on the organization as only authencation method
  // Given idp Microsoft is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to Microsoft
  // User authenticates in Microsoft
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with Microsoft IDP, no user linked - auto link", async ({ page }) => {
  // Given idp Microsoft is configure on the organization as only authencation method
  // Given idp Microsoft is configure with account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to Microsoft
  // User authenticates in Microsoft with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with Microsoft IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp Microsoft is configure on the organization as only authencation method
  // Given idp Microsoft is configure with manually account linking  not allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Microsoft
  // User authenticates in Microsoft with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with Microsoft IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp Microsoft is configure on the organization as only authencation method
  // Given idp Microsoft is configure with manually account linking allowed, and linking set to existing email
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to Microsoft
  // User authenticates in Microsoft with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/idp-saml.spec.ts
+++ b/acceptance/tests/idp-saml.spec.ts
@@ -0,0 +1,95 @@
 import test from "@playwright/test";
 test("login with SAML IDP", async ({ page }) => {
  // Given a SAML IDP is configured on the organization
  // Given the user has SAML IDP added as auth method
  // User authenticates with the SAML IDP
  // User is redirected back to login
  // User is redirected to the app
 });
 test("login with SAML IDP - error", async ({ page }) => {
  // Given the SAML IDP is configured on the organization
  // Given the user has SAML IDP added as auth method
  // User is redirected to the SAML IDP
  // User authenticates with the SAML IDP and gets an error
  // User is redirected back to login
  // An error is shown to the user "Something went wrong"
 });
 test("login with SAML IDP, no user existing - auto register", async ({ page }) => {
  // Given idp SAML is configure on the organization as only authencation method
  // Given idp SAML is configure with account creation alloweed, and automatic creation enabled
  // Given ZITADEL Action is added to autofill missing user information
  // Given no user exists yet
  // User is automatically redirected to SAML
  // User authenticates in SAML
  // User is redirect to ZITADEL login
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with SAML IDP, no user existing - auto register not possible", async ({ page }) => {
  // Given idp SAML is configure on the organization as only authencation method
  // Given idp SAML is configure with account creation alloweed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to SAML
  // User authenticates in SAML
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // User will see the registration page with pre filled user information
  // User fills missing information
  // User clicks register button
  // User is created in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with SAML IDP, no user existing - auto register enabled - manual creation disabled, creation not possible", async ({
  page,
 }) => {
  // Given idp SAML is configure on the organization as only authencation method
  // Given idp SAML is configure with account creation not allowed, and automatic creation enabled
  // Given no user exists yet
  // User is automatically redirected to SAML
  // User authenticates in SAML
  // User is redirect to ZITADEL login
  // Because of missing informaiton on the user auto creation is not possible
  // Error message is shown, that registration of the user was not possible due to missing information
 });
 test("login with SAML IDP, no user linked - auto link", async ({ page }) => {
  // Given idp SAML is configure on the organization as only authencation method
  // Given idp SAML is configure with account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com exists
  // User is automatically redirected to SAML
  // User authenticates in SAML with user@zitadel.com
  // User is redirect to ZITADEL login
  // User is linked with existing user in ZITADEL
  // User is redirected to the app (default redirect url)
 });
 test("login with SAML IDP, no user linked, linking not possible", async ({ page }) => {
  // Given idp SAML is configure on the organization as only authencation method
  // Given idp SAML is configure with manually account linking  not allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to SAML
  // User authenticates in SAML with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User will get an error message that account linking wasn't possible
 });
 test("login with SAML IDP, no user linked, linking successful", async ({ page }) => {
  // Given idp SAML is configure on the organization as only authencation method
  // Given idp SAML is configure with manually account linking allowed, and linking set to existing email
  // Given ZITADEL Action is added to autofill missing user information
  // Given user with email address user@zitadel.com doesn't exists
  // User is automatically redirected to SAML
  // User authenticates in SAML with user@zitadel.com
  // User is redirect to ZITADEL login
  // User with email address user@zitadel.com can not be found
  // User is prompted to link the account manually
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/login-configuration-possiblities.spec.ts
+++ b/acceptance/tests/login-configuration-possiblities.spec.ts
@@ -0,0 +1,51 @@
 import test from "@playwright/test";
 test("login with mfa setup, mfa setup prompt", async ({ page }) => {
  // Given the organization has enabled at least one mfa types
  // Given the user has a password but no mfa registered
  // User authenticates with login name and password
  // User is prompted to setup a mfa, mfa providers are listed, the user can choose the provider
 });
 test("login with mfa setup, no mfa setup prompt", async ({ page }) => {
  // Given the organization has set "multifactor init check time" to 0
  // Given the organization has enabled mfa types
  // Given the user has a password but no mfa registered
  // User authenticates with loginname and password
  // user is directly loged in and not prompted to setup mfa
 });
 test("login with mfa setup, force mfa for local authenticated users", async ({ page }) => {
  // Given the organization has enabled force mfa for local authentiacted users
  // Given the organization has enabled all possible mfa types
  // Given the user has a password but no mfa registered
  // User authenticates with loginname and password
  // User is prompted to setup a mfa, all possible mfa providers are listed, the user can choose the provider
 });
 test("login with mfa setup, force mfa - local user", async ({ page }) => {
  // Given the organization has enabled force mfa for local authentiacted users
  // Given the organization has enabled all possible mfa types
  // Given the user has a password but no mfa registered
  // User authenticates with loginname and password
  // User is prompted to setup a mfa, all possible mfa providers are listed, the user can choose the provider
 });
 test("login with mfa setup, force mfa - external user", async ({ page }) => {
  // Given the organization has enabled force mfa
  // Given the organization has enabled all possible mfa types
  // Given the user has an idp but no mfa registered
  // enter login name
  // redirect to configured external idp
  // User is prompted to setup a mfa, all possible mfa providers are listed, the user can choose the provider
 });
 test("login with mfa setup, force mfa - local user, wrong password", async ({ page }) => {
  // Given the organization has a password lockout policy set to 1 on the max password attempts
  // Given the user has only a password as auth methos
  // enter login name
  // enter wrong password
  // User will get an error "Wrong password"
  // enter password
  // User will get an error "Max password attempts reached - user is locked. Please reach out to your administrator"
 });
--- a/acceptance/tests/login.ts
+++ b/acceptance/tests/login.ts
@@ -0,0 +1,28 @@
 import { expect, Page } from "@playwright/test";
 import { loginname } from "./loginname";
 import { password } from "./password";
 export async function startLogin(page: Page) {
  await page.goto("/loginname");
 }
 export async function loginWithPassword(page: Page, username: string, pw: string) {
  await startLogin(page);
  await loginname(page, username);
  await password(page, pw);
 }
 export async function loginWithPasskey(page: Page, authenticatorId: string, username: string) {
  await startLogin(page);
  await loginname(page, username);
  // await passkey(page, authenticatorId);
 }
 export async function loginScreenExpect(page: Page, fullName: string) {
  await expect(page).toHaveURL(/signedin.*/);
  await expect(page.getByRole("heading")).toContainText(fullName);
 }
 export async function loginWithOTP(page: Page, username: string, password: string) {
  await loginWithPassword(page, username, password);
 }
--- a/acceptance/tests/loginname-screen.ts
+++ b/acceptance/tests/loginname-screen.ts
@@ -0,0 +1,12 @@
 import { expect, Page } from "@playwright/test";
 const usernameUserInput = "username-text-input";
 export async function loginnameScreen(page: Page, username: string) {
  await page.getByTestId(usernameUserInput).pressSequentially(username);
 }
 export async function loginnameScreenExpect(page: Page, username: string) {
  await expect(page.getByTestId(usernameUserInput)).toHaveValue(username);
  await expect(page.getByTestId("error").locator("div")).toContainText("Could not find user");
 }
--- a/acceptance/tests/loginname.ts
+++ b/acceptance/tests/loginname.ts
@@ -0,0 +1,7 @@
 import { Page } from "@playwright/test";
 import { loginnameScreen } from "./loginname-screen";
 export async function loginname(page: Page, username: string) {
  await loginnameScreen(page, username);
  await page.getByTestId("submit-button").click();
 }
--- a/acceptance/tests/otp.ts
+++ b/acceptance/tests/otp.ts
@@ -0,0 +1,31 @@
 import * as http from "node:http";
 let messages = new Map<string, any>();
 export function startSink() {
  const hostname = "127.0.0.1";
  const port = 3030;
  const server = http.createServer((req, res) => {
    console.log("Sink received message: ");
    let body = "";
    req.on("data", (chunk) => {
      body += chunk;
    });
    req.on("end", () => {
      console.log(body);
      const data = JSON.parse(body);
      messages.set(data.contextInfo.recipientEmailAddress, data.args.code);
      res.statusCode = 200;
      res.setHeader("Content-Type", "text/plain");
      res.write("OK");
      res.end();
    });
  });
  server.listen(port, hostname, () => {
    console.log(`Sink running at http://${hostname}:${port}/`);
  });
  return server;
 }
--- a/acceptance/tests/passkey.ts
+++ b/acceptance/tests/passkey.ts
@@ -0,0 +1,109 @@
 import { expect, Page } from "@playwright/test";
 import { CDPSession } from "playwright-core";
 interface session {
  client: CDPSession;
  authenticatorId: string;
 }
 async function client(page: Page): Promise<session> {
  const cdpSession = await page.context().newCDPSession(page);
  await cdpSession.send("WebAuthn.enable", { enableUI: false });
  const result = await cdpSession.send("WebAuthn.addVirtualAuthenticator", {
    options: {
      protocol: "ctap2",
      transport: "internal",
      hasResidentKey: true,
      hasUserVerification: true,
      isUserVerified: true,
      automaticPresenceSimulation: true,
    },
  });
  return { client: cdpSession, authenticatorId: result.authenticatorId };
 }
 export async function passkeyRegister(page: Page): Promise<string> {
  const session = await client(page);
  await passkeyNotExisting(session.client, session.authenticatorId);
  await simulateSuccessfulPasskeyRegister(session.client, session.authenticatorId, () =>
    page.getByTestId("submit-button").click(),
  );
  await passkeyRegistered(session.client, session.authenticatorId);
  return session.authenticatorId;
 }
 export async function passkey(page: Page, authenticatorId: string) {
  const cdpSession = await page.context().newCDPSession(page);
  await cdpSession.send("WebAuthn.enable", { enableUI: false });
  const signCount = await passkeyExisting(cdpSession, authenticatorId);
  await simulateSuccessfulPasskeyInput(cdpSession, authenticatorId, () => page.getByTestId("submit-button").click());
  await passkeyUsed(cdpSession, authenticatorId, signCount);
 }
 async function passkeyNotExisting(client: CDPSession, authenticatorId: string) {
  const result = await client.send("WebAuthn.getCredentials", { authenticatorId });
  expect(result.credentials).toHaveLength(0);
 }
 async function passkeyRegistered(client: CDPSession, authenticatorId: string) {
  const result = await client.send("WebAuthn.getCredentials", { authenticatorId });
  expect(result.credentials).toHaveLength(1);
  await passkeyUsed(client, authenticatorId, 0);
 }
 async function passkeyExisting(client: CDPSession, authenticatorId: string): Promise<number> {
  const result = await client.send("WebAuthn.getCredentials", { authenticatorId });
  expect(result.credentials).toHaveLength(1);
  return result.credentials[0].signCount;
 }
 async function passkeyUsed(client: CDPSession, authenticatorId: string, signCount: number) {
  const result = await client.send("WebAuthn.getCredentials", { authenticatorId });
  expect(result.credentials).toHaveLength(1);
  expect(result.credentials[0].signCount).toBeGreaterThan(signCount);
 }
 async function simulateSuccessfulPasskeyRegister(
  client: CDPSession,
  authenticatorId: string,
  operationTrigger: () => Promise<void>,
 ) {
  // initialize event listeners to wait for a successful passkey input event
  const operationCompleted = new Promise<void>((resolve) => {
    client.on("WebAuthn.credentialAdded", () => {
      console.log("Credential Added!");
      resolve();
    });
  });
  // perform a user action that triggers passkey prompt
  await operationTrigger();
  // wait to receive the event that the passkey was successfully registered or verified
  await operationCompleted;
 }
 async function simulateSuccessfulPasskeyInput(
  client: CDPSession,
  authenticatorId: string,
  operationTrigger: () => Promise<void>,
 ) {
  // initialize event listeners to wait for a successful passkey input event
  const operationCompleted = new Promise<void>((resolve) => {
    client.on("WebAuthn.credentialAsserted", () => {
      console.log("Credential Asserted!");
      resolve();
    });
  });
  // perform a user action that triggers passkey prompt
  await operationTrigger();
  // wait to receive the event that the passkey was successfully registered or verified
  await operationCompleted;
 }
--- a/acceptance/tests/password-screen.ts
+++ b/acceptance/tests/password-screen.ts
@@ -0,0 +1,57 @@
 import { expect, Page } from "@playwright/test";
 const passwordField = "password-text-input";
 const passwordConfirmField = "password-confirm-text-input";
 const lengthCheck = "length-check";
 const symbolCheck = "symbol-check";
 const numberCheck = "number-check";
 const uppercaseCheck = "uppercase-check";
 const lowercaseCheck = "lowercase-check";
 const equalCheck = "equal-check";
 const matchText = "Matches";
 const noMatchText = "Doesn't match";
 export async function changePasswordScreen(page: Page, password1: string, password2: string) {
  await page.getByTestId(passwordField).pressSequentially(password1);
  await page.getByTestId(passwordConfirmField).pressSequentially(password2);
 }
 export async function passwordScreen(page: Page, password: string) {
  await page.getByTestId(passwordField).pressSequentially(password);
 }
 export async function passwordScreenExpect(page: Page, password: string) {
  await expect(page.getByTestId(passwordField)).toHaveValue(password);
  await expect(page.getByTestId("error").locator("div")).toContainText("Could not verify password");
 }
 export async function changePasswordScreenExpect(
  page: Page,
  password1: string,
  password2: string,
  length: boolean,
  symbol: boolean,
  number: boolean,
  uppercase: boolean,
  lowercase: boolean,
  equals: boolean,
 ) {
  await expect(page.getByTestId(passwordField)).toHaveValue(password1);
  await expect(page.getByTestId(passwordConfirmField)).toHaveValue(password2);
  await checkContent(page, lengthCheck, length);
  await checkContent(page, symbolCheck, symbol);
  await checkContent(page, numberCheck, number);
  await checkContent(page, uppercaseCheck, uppercase);
  await checkContent(page, lowercaseCheck, lowercase);
  await checkContent(page, equalCheck, equals);
 }
 async function checkContent(page: Page, testid: string, match: boolean) {
  if (match) {
    await expect(page.getByTestId(testid)).toContainText(matchText);
  } else {
    await expect(page.getByTestId(testid)).toContainText(noMatchText);
  }
 }
--- a/acceptance/tests/password.ts
+++ b/acceptance/tests/password.ts
@@ -0,0 +1,19 @@
 import { Page } from "@playwright/test";
 import { changePasswordScreen, passwordScreen } from "./password-screen";
 const passwordSubmitButton = "submit-button";
 export async function startChangePassword(page: Page, loginname: string) {
  await page.goto("/password/change?" + new URLSearchParams({ loginName: loginname }));
 }
 export async function changePassword(page: Page, loginname: string, password: string) {
  await startChangePassword(page, loginname);
  await changePasswordScreen(page, password, password);
  await page.getByTestId(passwordSubmitButton).click();
 }
 export async function password(page: Page, password: string) {
  await passwordScreen(page, password);
  await page.getByTestId(passwordSubmitButton).click();
 }
--- a/acceptance/tests/register-screen.ts
+++ b/acceptance/tests/register-screen.ts
@@ -0,0 +1,27 @@
 import { Page } from "@playwright/test";
 const passwordField = "password-text-input";
 const passwordConfirmField = "password-confirm-text-input";
 export async function registerUserScreenPassword(page: Page, firstname: string, lastname: string, email: string) {
  await registerUserScreen(page, firstname, lastname, email);
  await page.getByTestId("Password-radio").click();
 }
 export async function registerUserScreenPasskey(page: Page, firstname: string, lastname: string, email: string) {
  await registerUserScreen(page, firstname, lastname, email);
  await page.getByTestId("Passkeys-radio").click();
 }
 export async function registerPasswordScreen(page: Page, password1: string, password2: string) {
  await page.getByTestId(passwordField).pressSequentially(password1);
  await page.getByTestId(passwordConfirmField).pressSequentially(password2);
 }
 export async function registerUserScreen(page: Page, firstname: string, lastname: string, email: string) {
  await page.getByTestId("firstname-text-input").pressSequentially(firstname);
  await page.getByTestId("lastname-text-input").pressSequentially(lastname);
  await page.getByTestId("email-text-input").pressSequentially(email);
  await page.getByTestId("privacy-policy-checkbox").check();
  await page.getByTestId("tos-checkbox").check();
 }
--- a/acceptance/tests/register.spec.ts
+++ b/acceptance/tests/register.spec.ts
@@ -0,0 +1,161 @@
 import { test } from "@playwright/test";
 import { loginScreenExpect } from "./login";
 import { registerWithPasskey, registerWithPassword } from "./register";
 import { removeUserByUsername } from "./zitadel";
 test("register with password", async ({ page }) => {
  const username = "register-password@example.com";
  const password = "Password1!";
  const firstname = "firstname";
  const lastname = "lastname";
  await removeUserByUsername(username);
  await registerWithPassword(page, firstname, lastname, username, password, password);
  await loginScreenExpect(page, firstname + " " + lastname);
 });
 test("register with passkey", async ({ page }) => {
  const username = "register-passkey@example.com";
  const firstname = "firstname";
  const lastname = "lastname";
  await removeUserByUsername(username);
  await registerWithPasskey(page, firstname, lastname, username);
  await loginScreenExpect(page, firstname + " " + lastname);
 });
 test("register with username and password - only password enabled", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization no idp is configured and enabled
  // Given on the default organization passkey is not enabled
  // Given user doesn't exist
  // Click on button "register new user"
  // User is redirected to registration page
  // Only password is shown as an option - no passkey
  // User enters "firstname", "lastname", "username" and "password"
  // User is redirected to app (default redirect url)
 });
 test("register with username and password - wrong password not enough characters", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization no idp is configured and enabled
  // Given on the default organization passkey is not enabled
  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
  // Given user doesn't exist
  // Click on button "register new user"
  // User is redirected to registration page
  // Only password is shown as an option - no passkey
  // User enters "firstname", "lastname", "username" and a password thats to short
  // Error is shown "Password doesn't match the policy - it must have at least 8 characters"
 });
 test("register with username and password - wrong password number missing", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization no idp is configured and enabled
  // Given on the default organization passkey is not enabled
  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
  // Given user doesn't exist
  // Click on button "register new user"
  // User is redirected to registration page
  // Only password is shown as an option - no passkey
  // User enters "firstname", "lastname", "username" and a password without a number
  // Error is shown "Password doesn't match the policy - number missing"
 });
 test("register with username and password - wrong password upper case missing", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization no idp is configured and enabled
  // Given on the default organization passkey is not enabled
  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
  // Given user doesn't exist
  // Click on button "register new user"
  // User is redirected to registration page
  // Only password is shown as an option - no passkey
  // User enters "firstname", "lastname", "username" and a password without an upper case
  // Error is shown "Password doesn't match the policy - uppercase letter missing"
 });
 test("register with username and password - wrong password lower case missing", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization no idp is configured and enabled
  // Given on the default organization passkey is not enabled
  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
  // Given user doesn't exist
  // Click on button "register new user"
  // User is redirected to registration page
  // Only password is shown as an option - no passkey
  // User enters "firstname", "lastname", "username" and a password without an lower case
  // Error is shown "Password doesn't match the policy - lowercase letter missing"
 });
 test("register with username and password - wrong password symboo missing", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization no idp is configured and enabled
  // Given on the default organization passkey is not enabled
  // Given password policy is set to 8 characters and must include number, symbol, lower and upper letter
  // Given user doesn't exist
  // Click on button "register new user"
  // User is redirected to registration page
  // Only password is shown as an option - no passkey
  // User enters "firstname", "lastname", "username" and a password without an symbol
  // Error is shown "Password doesn't match the policy - symbol missing"
 });
 test("register with username and password - password and passkey enabled", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization no idp is configured and enabled
  // Given on the default organization passkey is enabled
  // Given user doesn't exist
  // Click on button "register new user"
  // User is redirected to registration page
  // User enters "firstname", "lastname", "username"
  // Password and passkey are shown as authentication option
  // User clicks password
  // User enters password
  // User is redirected to app (default redirect url)
 });
 test("register with username and passkey - password and passkey enabled", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization no idp is configured and enabled
  // Given on the default organization passkey is enabled
  // Given user doesn't exist
  // Click on button "register new user"
  // User is redirected to registration page
  // User enters "firstname", "lastname", "username"
  // Password and passkey are shown as authentication option
  // User clicks passkey
  // Passkey is opened automatically
  // User verifies passkey
  // User is redirected to app (default redirect url)
 });
 test("register with username and password - registration disabled", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization no idp is configured and enabled
  // Given user doesn't exist
  // Button "register new user" is not available
 });
 test("register with username and password - multiple registration options", async ({ page }) => {
  // Given on the default organization "username and password is allowed" is enabled
  // Given on the default organization "username registeration allowed" is enabled
  // Given on the default organization one idp is configured and enabled
  // Given user doesn't exist
  // Click on button "register new user"
  // User is redirected to registration options
  // Local User and idp button are shown
  // User clicks idp button
  // User enters "firstname", "lastname", "username" and "password"
  // User clicks next
  // User is redirected to app (default redirect url)
 });
--- a/acceptance/tests/register.ts
+++ b/acceptance/tests/register.ts
@@ -0,0 +1,25 @@
 import { Page } from "@playwright/test";
 import { passkeyRegister } from "./passkey";
 import { registerPasswordScreen, registerUserScreenPasskey, registerUserScreenPassword } from "./register-screen";
 export async function registerWithPassword(
  page: Page,
  firstname: string,
  lastname: string,
  email: string,
  password1: string,
  password2: string,
 ) {
  await page.goto("/register");
  await registerUserScreenPassword(page, firstname, lastname, email);
  await page.getByTestId("submit-button").click();
  await registerPasswordScreen(page, password1, password2);
  await page.getByTestId("submit-button").click();
 }
 export async function registerWithPasskey(page: Page, firstname: string, lastname: string, email: string): Promise<string> {
  await page.goto("/register");
  await registerUserScreenPasskey(page, firstname, lastname, email);
  await page.getByTestId("submit-button").click();
  return await passkeyRegister(page);
 }
--- a/acceptance/tests/user.ts
+++ b/acceptance/tests/user.ts
@@ -0,0 +1,216 @@
 import { Page } from "@playwright/test";
 import axios from "axios";
 import { registerWithPasskey } from "./register";
 import { getUserByUsername, removeUser } from "./zitadel";
 export interface userProps {
  email: string;
  firstName: string;
  lastName: string;
  organization: string;
  password: string;
 }
 class User {
  private readonly props: userProps;
  private user: string;
  constructor(userProps: userProps) {
    this.props = userProps;
  }
  async ensure(page: Page) {
    await this.remove();
    const body = {
      username: this.props.email,
      organization: {
        orgId: this.props.organization,
      },
      profile: {
        givenName: this.props.firstName,
        familyName: this.props.lastName,
      },
      email: {
        email: this.props.email,
        isVerified: true,
      },
      password: {
        password: this.props.password!,
      },
    };
    try {
      const response = await axios.post(`${process.env.ZITADEL_API_URL}/v2/users/human`, body, {
        headers: {
          "Content-Type": "application/json",
          Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
        },
      });
      if (response.status >= 400 && response.status !== 409) {
        const error = `HTTP Error: ${response.status} - ${response.statusText}`;
        console.error(error);
        throw new Error(error);
      }
    } catch (error) {
      console.error("Error making request:", error);
      throw error;
    }
    // wait for projection of user
    await page.waitForTimeout(3000);
  }
  async remove() {
    const resp: any = await getUserByUsername(this.getUsername());
    if (!resp || !resp.result || !resp.result[0]) {
      return;
    }
    await removeUser(resp.result[0].userId);
  }
  public setUserId(userId: string) {
    this.user = userId;
  }
  public getUserId() {
    return this.user;
  }
  public getUsername() {
    return this.props.email;
  }
  public getPassword() {
    return this.props.password;
  }
  public getFirstname() {
    return this.props.firstName;
  }
  public getLastname() {
    return this.props.lastName;
  }
  public getFullName() {
    return `${this.props.firstName} ${this.props.lastName}`;
  }
 }
 export class PasswordUser extends User {}
 export enum OtpType {
  sms = "sms",
  email = "email",
 }
 export interface otpUserProps {
  email: string;
  firstName: string;
  lastName: string;
  organization: string;
  password: string;
  type: OtpType;
 }
 export class PasswordUserWithOTP extends User {
  private type: OtpType;
  private code: string;
  constructor(props: otpUserProps) {
    super({
      email: props.email,
      firstName: props.firstName,
      lastName: props.lastName,
      organization: props.organization,
      password: props.password,
    });
    this.type = props.type;
  }
  async ensure(page: Page) {
    await super.ensure(page);
    let url = "otp_";
    switch (this.type) {
      case OtpType.sms:
        url = url + "sms";
        break;
      case OtpType.email:
        url = url + "email";
        break;
    }
    try {
      const response = await axios.post(
        `${process.env.ZITADEL_API_URL}/v2/users/${this.getUserId()}/${url}`,
        {},
        {
          headers: {
            "Content-Type": "application/json",
            Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
          },
        },
      );
      if (response.status >= 400 && response.status !== 409) {
        const error = `HTTP Error: ${response.status} - ${response.statusText}`;
        console.error(error);
        throw new Error(error);
      }
      // TODO: get code from SMS or Email provider
      this.code = "";
    } catch (error) {
      console.error("Error making request:", error);
      throw error;
    }
    // wait for projection of user
    await page.waitForTimeout(2000);
  }
  public getCode() {
    return this.code;
  }
 }
 export interface passkeyUserProps {
  email: string;
  firstName: string;
  lastName: string;
  organization: string;
 }
 export class PasskeyUser extends User {
  private authenticatorId: string;
  constructor(props: passkeyUserProps) {
    super({
      email: props.email,
      firstName: props.firstName,
      lastName: props.lastName,
      organization: props.organization,
      password: "",
    });
  }
  public async ensure(page: Page) {
    await this.remove();
    const authId = await registerWithPasskey(page, this.getFirstname(), this.getLastname(), this.getUsername());
    this.authenticatorId = authId;
    // wait for projection of user
    await page.waitForTimeout(2000);
  }
  public async remove() {
    await super.remove();
  }
  public getAuthenticatorId(): string {
    return this.authenticatorId;
  }
 }
--- a/acceptance/tests/username-passkey.spec.ts
+++ b/acceptance/tests/username-passkey.spec.ts
@@ -0,0 +1,46 @@
 import { test as base } from "@playwright/test";
 import dotenv from "dotenv";
 import path from "path";
 import { loginScreenExpect, loginWithPasskey } from "./login";
 import { PasskeyUser } from "./user";
 // Read from ".env" file.
 dotenv.config({ path: path.resolve(__dirname, ".env.local") });
 const test = base.extend<{ user: PasskeyUser }>({
  user: async ({ page }, use) => {
    const user = new PasskeyUser({
      email: "passkey@example.com",
      firstName: "first",
      lastName: "last",
      organization: "",
    });
    await user.ensure(page);
    await use(user);
  },
 });
 test("username and passkey login", async ({ user, page }) => {
  await loginWithPasskey(page, user.getAuthenticatorId(), user.getUsername());
  await loginScreenExpect(page, user.getFullName());
 });
 test("username and passkey login, if passkey enabled", async ({ user, page }) => {
  // Given passkey is enabled on the organization of the user
  // Given the user has only passkey enabled as authentication
  // enter username
  // passkey popup is directly shown
  // user verifies passkey
  // user is redirected to app
 });
 test("username and passkey login, multiple auth methods", async ({ user, page }) => {
  // Given passkey and password is enabled on the organization of the user
  // Given the user has password and passkey registered
  // enter username
  // passkey popup is directly shown
  // user aborts passkey authentication
  // user switches to password authentication
  // user enters password
  // user is redirected to app
 });
--- a/acceptance/tests/username-password-changed.spec.ts
+++ b/acceptance/tests/username-password-changed.spec.ts
@@ -0,0 +1,50 @@
 import { test as base } from "@playwright/test";
 import dotenv from "dotenv";
 import path from "path";
 import { loginWithPassword } from "./login";
 import { startChangePassword } from "./password";
 import { changePasswordScreen, changePasswordScreenExpect } from "./password-screen";
 import { PasswordUser } from "./user";
 // Read from ".env" file.
 dotenv.config({ path: path.resolve(__dirname, ".env.local") });
 const test = base.extend<{ user: PasswordUser }>({
  user: async ({ page }, use) => {
    const user = new PasswordUser({
      email: "password-changed@example.com",
      firstName: "first",
      lastName: "last",
      password: "Password1!",
      organization: "",
    });
    await user.ensure(page);
    await use(user);
  },
 });
 test("username and password changed login", async ({ user, page }) => {
  // commented, fix in https://github.com/zitadel/zitadel/pull/8807
  /*
    const changedPw = "ChangedPw1!";
    await loginWithPassword(page, user.getUsername(), user.getPassword());
    // wait for projection of token
    await page.waitForTimeout(2000);
    await changePassword(page, user.getUsername(), changedPw);
    await loginScreenExpect(page, user.getFullName());
    await loginWithPassword(page, user.getUsername(), changedPw);
    await loginScreenExpect(page, user.getFullName());
     */
 });
 test("password not with desired complexity", async ({ user, page }) => {
  const changedPw1 = "change";
  const changedPw2 = "chang";
  await loginWithPassword(page, user.getUsername(), user.getPassword());
  await startChangePassword(page, user.getUsername());
  await changePasswordScreen(page, changedPw1, changedPw2);
  await changePasswordScreenExpect(page, changedPw1, changedPw2, false, false, false, false, true, false);
 });
--- a/acceptance/tests/username-password-otp_email.spec.ts
+++ b/acceptance/tests/username-password-otp_email.spec.ts
@@ -0,0 +1,55 @@
 import { test } from "@playwright/test";
 test("username, password and email otp login, enter code manually", async ({ page }) => {
  // Given email otp is enabled on the organization of the user
  // Given the user has only email otp configured as second factor
  // User enters username
  // User enters password
  // User receives an email with a verification code
  // User enters the code into the ui
  // User is redirected to the app (default redirect url)
 });
 test("username, password and email otp login, click link in email", async ({ page }) => {
  // Given email otp is enabled on the organization of the user
  // Given the user has only email otp configured as second factor
  // User enters username
  // User enters password
  // User receives an email with a verification code
  // User clicks link in the email
  // User is redirected to the app (default redirect url)
 });
 test("username, password and email otp login, resend code", async ({ page }) => {
  // Given email otp is enabled on the organization of the user
  // Given the user has only email otp configured as second factor
  // User enters username
  // User enters password
  // User receives an email with a verification code
  // User clicks resend code
  // User receives a new email with a verification code
  // User enters the new code in the ui
  // User is redirected to the app (default redirect url)
 });
 test("username, password and email otp login, wrong code", async ({ page }) => {
  // Given email otp is enabled on the organization of the user
  // Given the user has only email otp configured as second factor
  // User enters username
  // User enters password
  // User receives an email with a verification code
  // User enters a wrond code
  // Error message - "Invalid code" is shown
 });
 test("username, password and email otp login, multiple mfa options", async ({ page }) => {
  // Given email otp and sms otp is enabled on the organization of the user
  // Given the user has email and sms otp configured as second factor
  // User enters username
  // User enters password
  // User receives an email with a verification code
  // User clicks button to use sms otp as second factor
  // User receives an sms with a verification code
  // User enters code in ui
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/username-password-otp_sms.spec.ts
+++ b/acceptance/tests/username-password-otp_sms.spec.ts
@@ -0,0 +1,32 @@
 import { test } from "@playwright/test";
 test("username, password and sms otp login", async ({ page }) => {
  // Given sms otp is enabled on the organization of the user
  // Given the user has only sms otp configured as second factor
  // User enters username
  // User enters password
  // User receives a sms with a verification code
  // User enters the code into the ui
  // User is redirected to the app (default redirect url)
 });
 test("username, password and sms otp login, resend code", async ({ page }) => {
  // Given sms otp is enabled on the organization of the user
  // Given the user has only sms otp configured as second factor
  // User enters username
  // User enters password
  // User receives a sms with a verification code
  // User clicks resend code
  // User receives a new sms with a verification code
  // User is redirected to the app (default redirect url)
 });
 test("username, password and sms otp login, wrong code", async ({ page }) => {
  // Given sms otp is enabled on the organization of the user
  // Given the user has only sms otp configured as second factor
  // User enters username
  // User enters password
  // User receives a sms with a verification code
  // User enters a wrong code
  // Error message - "Invalid code" is shown
 });
--- a/acceptance/tests/username-password-totp.spec.ts
+++ b/acceptance/tests/username-password-totp.spec.ts
@@ -0,0 +1,34 @@
 import { test } from "@playwright/test";
 test("username, password and totp login", async ({ page }) => {
  // Given totp is enabled on the organization of the user
  // Given the user has only totp configured as second factor
  // User enters username
  // User enters password
  // Screen for entering the code is shown directly
  // User enters the code into the ui
  // User is redirected to the app (default redirect url)
 });
 test("username, password and totp otp login, wrong code", async ({ page }) => {
  // Given totp is enabled on the organization of the user
  // Given the user has only totp configured as second factor
  // User enters username
  // User enters password
  // Screen for entering the code is shown directly
  // User enters a wrond code
  // Error message - "Invalid code" is shown
 });
 test("username, password and totp login, multiple mfa options", async ({ page }) => {
  // Given totp and email otp is enabled on the organization of the user
  // Given the user has totp and email otp configured as second factor
  // User enters username
  // User enters password
  // Screen for entering the code is shown directly
  // Button to switch to email otp is shown
  // User clicks button to use email otp instead
  // User receives an email with a verification code
  // User enters code in ui
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/username-password-u2f.spec.ts
+++ b/acceptance/tests/username-password-u2f.spec.ts
@@ -0,0 +1,24 @@
 import { test } from "@playwright/test";
 test("username, password and u2f login", async ({ page }) => {
  // Given u2f is enabled on the organization of the user
  // Given the user has only u2f configured as second factor
  // User enters username
  // User enters password
  // Popup for u2f is directly opened
  // User verifies u2f
  // User is redirected to the app (default redirect url)
 });
 test("username, password and u2f login, multiple mfa options", async ({ page }) => {
  // Given u2f and semailms otp is enabled on the organization of the user
  // Given the user has u2f and email otp configured as second factor
  // User enters username
  // User enters password
  // Popup for u2f is directly opened
  // User aborts u2f verification
  // User clicks button to use email otp as second factor
  // User receives an email with a verification code
  // User enters code in ui
  // User is redirected to the app (default redirect url)
 });
--- a/acceptance/tests/username-password.spec.ts
+++ b/acceptance/tests/username-password.spec.ts
@@ -1,12 +1,139 @@
-import { test } from "@playwright/test";
+import { test as base } from "@playwright/test";
 import dotenv from "dotenv";
 import path from "path";
 import { loginScreenExpect, loginWithPassword, startLogin } from "./login";
 import { loginname } from "./loginname";
 import { loginnameScreenExpect } from "./loginname-screen";
 import { password } from "./password";
 import { passwordScreenExpect } from "./password-screen";
 import { PasswordUser } from "./user";
-test("username and password", async ({ page }) => {
+// Read from ".env" file.
-  await page.goto("/loginname");
+dotenv.config({ path: path.resolve(__dirname, ".env.local") });
-  const loginname = page.getByLabel("Loginname");
+
-  await loginname.pressSequentially("zitadel-admin@zitadel.localhost");
+const test = base.extend<{ user: PasswordUser }>({
-  await loginname.press("Enter");
+  user: async ({ page }, use) => {
-  const password = page.getByLabel("Password");
+    const user = new PasswordUser({
-  await password.pressSequentially("Password1!");
+      email: "password@example.com",
-  await password.press("Enter");
+      firstName: "first",
-  await page.getByRole("heading", { name: "Welcome ZITADEL Admin!" }).click();
+      lastName: "last",
      password: "Password1!",
      organization: "",
    });
    await user.ensure(page);
    await use(user);
  },
 });
 test("username and password login", async ({ user, page }) => {
  await loginWithPassword(page, user.getUsername(), user.getPassword());
  await loginScreenExpect(page, user.getFullName());
 });
 test("username and password login, unknown username", async ({ page }) => {
  const username = "unknown";
  await startLogin(page);
  await loginname(page, username);
  await loginnameScreenExpect(page, username);
 });
 test("username and password login, wrong password", async ({ user, page }) => {
  await startLogin(page);
  await loginname(page, user.getUsername());
  await password(page, "wrong");
  await passwordScreenExpect(page, "wrong");
 });
 test("username and password login, wrong username, ignore unknown usernames", async ({ user, page }) => {
  // Given user doesn't exist but ignore unknown usernames setting is set to true
  // Given username password login is enabled on the users organization
  // enter login name
  // enter password
  // redirect to loginname page --> error message username or password wrong
 });
 test("username and password login, initial password change", async ({ user, page }) => {
  // Given user is created and has changePassword set to true
  // Given username password login is enabled on the users organization
  // enter login name
  // enter password
  // create new password
 });
 test("username and password login, reset password hidden", async ({ user, page }) => {
  // Given the organization has enabled "Password reset hidden" in the login policy
  // Given username password login is enabled on the users organization
  // enter login name
  // password reset link should not be shown on password screen
 });
 test("username and password login, reset password - enter code manually", async ({ user, page }) => {
  // Given user has forgotten password and clicks the forgot password button
  // Given username password login is enabled on the users organization
  // enter login name
  // click password forgotten
  // enter code from email
  // user is redirected to app (default redirect url)
 });
 test("username and password login, reset password - click link", async ({ user, page }) => {
  // Given user has forgotten password and clicks the forgot password button, and then the link in the email
  // Given username password login is enabled on the users organization
  // enter login name
  // click password forgotten
  // click link in email
  // set new password
  // redirect to app (default redirect url)
 });
 test("username and password login, reset password, resend code", async ({ user, page }) => {
  // Given user has forgotten password and clicks the forgot password button and then resend code
  // Given username password login is enabled on the users organization
  // enter login name
  // click password forgotten
  // click resend code
  // enter code from second email
  // user is redirected to app (default redirect url)
 });
 test("email login enabled", async ({ user, page }) => {
  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
  // Given no other user with the same email address exists
  // enter email address "test@zitadel.com " in login screen
  // user will get to password screen
 });
 test("email login disabled", async ({ user, page }) => {
  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
  // Given no other user with the same email address exists
  // enter email address "test@zitadel.com" in login screen
  // user will see error message "user not found"
 });
 test("email login enabled - multiple users", async ({ user, page }) => {
  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
  // Given a second user with the username "testuser2", email test@zitadel.com and phone number 0711111111 exists
  // enter email address "test@zitadel.com" in login screen
  // user will see error message "user not found"
 });
 test("phone login enabled", async ({ user, page }) => {
  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
  // Given no other user with the same phon number exists
  // enter phone number "0711111111" in login screen
  // user will get to password screen
 });
 test("phone login disabled", async ({ user, page }) => {
  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
  // Given no other user with the same phone number exists
  // enter phone number "0711111111" in login screen
  // user will see error message "user not found"
 });
 test("phone login enabled - multiple users", async ({ user, page }) => {
  // Given user with the username "testuser", email test@zitadel.com and phone number 0711111111 exists
  // Given a second user with the username "testuser2", email test@zitadel.com and phone number 0711111111 exists
  // enter phone number "0711111111" in login screen
  // user will see error message "user not found"
 });
--- a/acceptance/tests/zitadel.ts
+++ b/acceptance/tests/zitadel.ts
@@ -0,0 +1,60 @@
 import axios from "axios";
 export async function removeUserByUsername(username: string) {
  const resp = await getUserByUsername(username);
  if (!resp || !resp.result || !resp.result[0]) {
    return;
  }
  await removeUser(resp.result[0].userId);
 }
 export async function removeUser(id: string) {
  try {
    const response = await axios.delete(`${process.env.ZITADEL_API_URL}/v2/users/${id}`, {
      headers: {
        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
      },
    });
    if (response.status >= 400 && response.status !== 404) {
      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
      console.error(error);
      throw new Error(error);
    }
  } catch (error) {
    console.error("Error making request:", error);
    throw error;
  }
 }
 export async function getUserByUsername(username: string) {
  const listUsersBody = {
    queries: [
      {
        userNameQuery: {
          userName: username,
        },
      },
    ],
  };
  try {
    const response = await axios.post(`${process.env.ZITADEL_API_URL}/v2/users`, listUsersBody, {
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${process.env.ZITADEL_SERVICE_USER_TOKEN}`,
      },
    });
    if (response.status >= 400) {
      const error = `HTTP Error: ${response.status} - ${response.statusText}`;
      console.error(error);
      throw new Error(error);
    }
    return response.data;
  } catch (error) {
    console.error("Error making request:", error);
    throw error;
  }
 }
--- a/acceptance/zitadel.yaml
+++ b/acceptance/zitadel.yaml
@@ -15,6 +15,14 @@ FirstInstance:
      Pat:
        ExpirationDate: 2099-01-01T00:00:00Z
 DefaultInstance:
  PrivacyPolicy:
    TOSLink: "https://zitadel.com/docs/legal/terms-of-service"
    PrivacyLink: "https://zitadel.com/docs/legal/policies/privacy-policy"
    HelpLink: "https://zitadel.com/docs"
    SupportEmail: "support@zitadel.com"
    DocsLink: "https://zitadel.com/docs"
 Database:
  EventPushConnRatio: 0.2 # 4
  ProjectionSpoolerConnRatio: 0.3 # 6
--- a/apps/login/src/components/authentication-method-radio.tsx
+++ b/apps/login/src/components/authentication-method-radio.tsx
@@ -30,6 +30,7 @@ export function AuthenticationMethodRadio({
              <RadioGroup.Option
                key={method.name}
                value={method}
                data-testid={method.name + "-radio"}
                className={({ active, checked }) =>
                  `${
                    active
--- a/apps/login/src/components/change-password-form.tsx
+++ b/apps/login/src/components/change-password-form.tsx
@@ -148,6 +148,7 @@ export function ChangePasswordForm({
            })}
            label="New Password"
            error={errors.password?.message as string}
            data-testid="password-text-input"
          />
        </div>
        <div className="">
@@ -160,6 +161,7 @@ export function ChangePasswordForm({
            })}
            label="Confirm Password"
            error={errors.confirmPassword?.message as string}
            data-testid="password-confirm-text-input"
          />
        </div>
      </div>
@@ -175,7 +177,7 @@ export function ChangePasswordForm({
      {error && <Alert>{error}</Alert>}
      <div className="mt-8 flex w-full flex-row items-center justify-between">
-        <BackButton />
+        <BackButton data-testid="back-button" />
        <Button
          type="submit"
          variant={ButtonVariants.Primary}
@@ -186,6 +188,7 @@ export function ChangePasswordForm({
            watchPassword !== watchConfirmPassword
          }
          onClick={handleSubmit(submitChange)}
          data-testid="submit-button"
        >
          {loading && <Spinner className="h-5 w-5 mr-2" />}
          {t("change.submit")}
--- a/apps/login/src/components/login-otp.tsx
+++ b/apps/login/src/components/login-otp.tsx
@@ -215,7 +215,7 @@ export function LoginOTP({
      )}
      <div className="mt-8 flex w-full flex-row items-center">
-        <BackButton />
+        <BackButton data-testid="back-button" />
        <span className="flex-grow"></span>
        <Button
          type="submit"
@@ -225,6 +225,7 @@ export function LoginOTP({
          onClick={handleSubmit((e) => {
            setCodeAndContinue(e, organization);
          })}
          data-testid="submit-button"
        >
          {loading && <Spinner className="h-5 w-5 mr-2" />}
          {t("verify.submit")}
--- a/apps/login/src/components/login-passkey.tsx
+++ b/apps/login/src/components/login-passkey.tsx
@@ -228,6 +228,7 @@ export function LoginPasskey({
                "/password?" + new URLSearchParams(params), // alt is set because password is requested as alternative auth method, so passwordless prompt can be escaped
              );
            }}
            data-testid="password-button"
          >
            {t("verify.usePassword")}
          </Button>
@@ -265,6 +266,7 @@ export function LoginPasskey({
                setLoading(false);
              });
          }}
          data-testid="submit-button"
        >
          {loading && <Spinner className="h-5 w-5 mr-2" />}
          {t("verify.submit")}
--- a/apps/login/src/components/password-complexity.tsx
+++ b/apps/login/src/components/password-complexity.tsx
@@ -65,7 +65,7 @@ export function PasswordComplexity({
  return (
    <div className="mb-4 grid grid-cols-2 gap-x-8 gap-y-2">
      {passwordComplexitySettings.minLength != undefined ? (
-        <div className="flex flex-row items-center">
+        <div className="flex flex-row items-center" data-testid="length-check">
          {hasMinLength ? check : cross}
          <span className={desc}>
            Password length {passwordComplexitySettings.minLength.toString()}
@@ -74,23 +74,23 @@ export function PasswordComplexity({
      ) : (
        <span />
      )}
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="symbol-check">
        {hasSymbol ? check : cross}
        <span className={desc}>has Symbol</span>
      </div>
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="number-check">
        {hasNumber ? check : cross}
        <span className={desc}>has Number</span>
      </div>
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="uppercase-check">
        {hasUppercase ? check : cross}
        <span className={desc}>has uppercase</span>
      </div>
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="lowercase-check">
        {hasLowercase ? check : cross}
        <span className={desc}>has lowercase</span>
      </div>
-      <div className="flex flex-row items-center">
+      <div className="flex flex-row items-center" data-testid="equal-check">
        {equals ? check : cross}
        <span className={desc}>equals</span>
      </div>
--- a/apps/login/src/components/password-form.tsx
+++ b/apps/login/src/components/password-form.tsx
@@ -126,6 +126,7 @@ export function PasswordForm({
          autoComplete="password"
          {...register("password", { required: "This field is required" })}
          label="Password"
          data-testid="password-text-input"
        />
        {!loginSettings?.hidePasswordReset && (
          <button
@@ -155,13 +156,13 @@ export function PasswordForm({
      )}
      {error && (
-        <div className="py-4">
+        <div className="py-4" data-testid="error">
          <Alert>{error}</Alert>
        </div>
      )}
      <div className="mt-8 flex w-full flex-row items-center">
-        <BackButton />
+        <BackButton data-testid="back-button" />
        <span className="flex-grow"></span>
        <Button
          type="submit"
@@ -169,6 +170,7 @@ export function PasswordForm({
          variant={ButtonVariants.Primary}
          disabled={loading || !formState.isValid}
          onClick={handleSubmit(submitPassword)}
          data-testid="submit-button"
        >
          {loading && <Spinner className="h-5 w-5 mr-2" />}
          {t("verify.submit")}
--- a/apps/login/src/components/privacy-policy-checkboxes.tsx
+++ b/apps/login/src/components/privacy-policy-checkboxes.tsx
@@ -60,6 +60,7 @@ export function PrivacyPolicyCheckboxes({ legal, onChange }: Props) {
              });
              onChange(checked && acceptanceState.privacyPolicyAccepted);
            }}
            data-testid="privacy-policy-checkbox"
          />
          <div className="mr-4 w-[28rem]">
@@ -84,6 +85,7 @@ export function PrivacyPolicyCheckboxes({ legal, onChange }: Props) {
              });
              onChange(checked && acceptanceState.tosAccepted);
            }}
            data-testid="tos-checkbox"
          />
          <div className="mr-4 w-[28rem]">
--- a/apps/login/src/components/register-form-without-password.tsx
+++ b/apps/login/src/components/register-form-without-password.tsx
@@ -128,6 +128,7 @@ export function RegisterFormWithoutPassword({
            {...register("firstname", { required: "This field is required" })}
            label="First name"
            error={errors.firstname?.message as string}
            data-testid="firstname-text-input"
          />
        </div>
        <div className="">
@@ -138,6 +139,7 @@ export function RegisterFormWithoutPassword({
            {...register("lastname", { required: "This field is required" })}
            label="Last name"
            error={errors.lastname?.message as string}
            data-testid="lastname-text-input"
          />
        </div>
        <div className="col-span-2">
@@ -148,6 +150,7 @@ export function RegisterFormWithoutPassword({
            {...register("email", { required: "This field is required" })}
            label="E-mail"
            error={errors.email?.message as string}
            data-testid="email-text-input"
          />
        </div>
      </div>
@@ -176,7 +179,7 @@ export function RegisterFormWithoutPassword({
        </div>
      )}
      <div className="mt-8 flex w-full flex-row items-center justify-between">
-        <BackButton />
+        <BackButton data-testid="back-button" />
        <Button
          type="submit"
          variant={ButtonVariants.Primary}
@@ -189,6 +192,7 @@ export function RegisterFormWithoutPassword({
                : !!loginSettings?.allowUsernamePassword;
            return submitAndContinue(values, usePasswordToContinue);
          })}
          data-testid="submit-button"
        >
          {loading && <Spinner className="h-5 w-5 mr-2" />}
          {t("submit")}
--- a/apps/login/src/components/register-passkey.tsx
+++ b/apps/login/src/components/register-passkey.tsx
@@ -195,6 +195,7 @@ export function RegisterPasskey({
          variant={ButtonVariants.Primary}
          disabled={loading || !formState.isValid}
          onClick={handleSubmit(submitRegisterAndContinue)}
          data-testid="submit-button"
        >
          {loading && <Spinner className="h-5 w-5 mr-2" />}
          {t("set.submit")}
--- a/apps/login/src/components/register-u2f.tsx
+++ b/apps/login/src/components/register-u2f.tsx
@@ -190,7 +190,7 @@ export function RegisterU2f({
      )}
      <div className="mt-8 flex w-full flex-row items-center">
-        <BackButton />
+        <BackButton data-testid="back-button" />
        <span className="flex-grow"></span>
        <Button
@@ -199,6 +199,7 @@ export function RegisterU2f({
          variant={ButtonVariants.Primary}
          disabled={loading}
          onClick={submitRegisterAndContinue}
          data-testid="submit-button"
        >
          {loading && <Spinner className="h-5 w-5 mr-2" />}
          {t("set.submit")}
--- a/apps/login/src/components/set-password-form.tsx
+++ b/apps/login/src/components/set-password-form.tsx
@@ -217,7 +217,7 @@ export function SetPasswordForm({
      {error && <Alert>{error}</Alert>}
      <div className="mt-8 flex w-full flex-row items-center justify-between">
-        <BackButton />
+        <BackButton data-testid="back-button" />
        <Button
          type="submit"
          variant={ButtonVariants.Primary}
@@ -228,6 +228,7 @@ export function SetPasswordForm({
            watchPassword !== watchConfirmPassword
          }
          onClick={handleSubmit(submitPassword)}
          data-testid="submit-button"
        >
          {loading && <Spinner className="h-5 w-5 mr-2" />}
          {t("set.submit")}
--- a/apps/login/src/components/set-register-password-form.tsx
+++ b/apps/login/src/components/set-register-password-form.tsx
@@ -113,6 +113,7 @@ export function SetRegisterPasswordForm({
            })}
            label="Password"
            error={errors.password?.message as string}
            data-testid="password-text-input"
          />
        </div>
        <div className="">
@@ -125,6 +126,7 @@ export function SetRegisterPasswordForm({
            })}
            label="Confirm Password"
            error={errors.confirmPassword?.message as string}
            data-testid="password-confirm-text-input"
          />
        </div>
      </div>
@@ -140,7 +142,7 @@ export function SetRegisterPasswordForm({
      {error && <Alert>{error}</Alert>}
      <div className="mt-8 flex w-full flex-row items-center justify-between">
-        <BackButton />
+        <BackButton data-testid="back-button" />
        <Button
          type="submit"
          variant={ButtonVariants.Primary}
@@ -151,6 +153,7 @@ export function SetRegisterPasswordForm({
            watchPassword !== watchConfirmPassword
          }
          onClick={handleSubmit(submitRegister)}
          data-testid="submit-button"
        >
          {loading && <Spinner className="h-5 w-5 mr-2" />}
          {t("password.submit")}
--- a/apps/login/src/components/totp-register.tsx
+++ b/apps/login/src/components/totp-register.tsx
@@ -111,6 +111,7 @@ export function TotpRegister({
                type="text"
                {...register("code", { required: "This field is required" })}
                label="Code"
                data-testid="code-text-input"
              />
            </div>
@@ -128,6 +129,7 @@ export function TotpRegister({
                variant={ButtonVariants.Primary}
                disabled={loading || !formState.isValid}
                onClick={handleSubmit(continueWithCode)}
                data-testid="submit-button"
              >
                {loading && <Spinner className="h-5 w-5 mr-2" />}
                {t("set.submit")}
--- a/apps/login/src/components/username-form.tsx
+++ b/apps/login/src/components/username-form.tsx
@@ -82,6 +82,7 @@ export function UsernameForm({
          autoComplete="username"
          {...register("loginName", { required: "This field is required" })}
          label="Loginname"
          data-testid="username-text-input"
        />
        {allowRegister && (
          <button
@@ -99,6 +100,7 @@ export function UsernameForm({
            }}
            type="button"
            disabled={loading}
            data-testid="register-button"
          >
            {t("register")}
          </button>
@@ -106,7 +108,7 @@ export function UsernameForm({
      </div>
      {error && (
-        <div className="py-4">
+        <div className="py-4" data-testid="error">
          <Alert>{error}</Alert>
        </div>
      )}
@@ -114,9 +116,10 @@ export function UsernameForm({
      <div className="pt-6 pb-4">{children}</div>
      <div className="mt-4 flex w-full flex-row items-center">
-        <BackButton />
+        <BackButton data-testid="back-button" />
        <span className="flex-grow"></span>
        <Button
          data-testid="submit-button"
          type="submit"
          className="self-end"
          variant={ButtonVariants.Primary}
--- a/apps/login/src/components/verify-email-form.tsx
+++ b/apps/login/src/components/verify-email-form.tsx
--- a/apps/login/src/lib/self.ts
+++ b/apps/login/src/lib/self.ts
@@ -11,7 +11,6 @@ import { getSession } from "./zitadel";
 const transport = (token: string) =>
  createServerTransport(token, {
    baseUrl: process.env.ZITADEL_API_URL!,
    httpVersion: "2",
  });
 const sessionService = (sessionId: string) => {
--- a/apps/login/src/lib/server/session.ts
+++ b/apps/login/src/lib/server/session.ts
@@ -8,7 +8,6 @@ import { deleteSession, listAuthenticationMethodTypes } from "@/lib/zitadel";
 import { RequestChallenges } from "@zitadel/proto/zitadel/session/v2/challenge_pb";
 import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb";
 import { Checks } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
 import { headers } from "next/headers";
 import {
  getMostRecentSessionCookie,
  getSessionCookieById,
@@ -108,7 +107,8 @@ export async function updateSession(options: UpdateSessionCommand) {
          return Promise.reject(error);
        });
-  const host = headers().get("host");
+  // TODO remove ports from host header for URL with port
  const host = "localhost";
  if (
    host &&
--- a/apps/login/src/lib/zitadel.ts
+++ b/apps/login/src/lib/zitadel.ts
@@ -54,10 +54,7 @@ const CACHE_REVALIDATION_INTERVAL_IN_SECONDS = process.env
 const transport = createServerTransport(
  process.env.ZITADEL_SERVICE_USER_TOKEN!,
-  {
+  { baseUrl: process.env.ZITADEL_API_URL! },
    baseUrl: process.env.ZITADEL_API_URL!,
    httpVersion: "2",
  },
 );
 export const sessionService = createSessionServiceClient(transport);
@@ -652,7 +649,6 @@ export async function createPasskeyRegistrationLink(
 ) {
  // const transport = createServerTransport(token, {
  //   baseUrl: process.env.ZITADEL_API_URL!,
  //   httpVersion: "2",
  // });
  // const service = createUserServiceClient(transport);
@@ -680,7 +676,6 @@ export async function registerU2F(
 ) {
  // const transport = createServerTransport(token, {
  //   baseUrl: process.env.ZITADEL_API_URL!,
  //   httpVersion: "2",
  // });
  // const service = createUserServiceClient(transport);
--- a/package.json
+++ b/package.json
@@ -5,9 +5,11 @@
  "scripts": {
    "generate": "turbo run generate",
    "build": "turbo run build",
    "build:packages": "turbo run build --filter=./packages/*",
    "build:apps": "turbo run build --filter=./apps/*",
    "test": "turbo run test",
    "start": "turbo run start",
-    "start:built":  "turbo run start:built",
+    "start:built": "turbo run start:built",
    "test:unit": "turbo run test:unit -- --passWithNoTests",
    "test:integration": "turbo run test:integration",
    "test:acceptance": "pnpm exec playwright test",
@@ -34,6 +36,8 @@
    "@types/node": "^22.9.0",
    "@vitejs/plugin-react": "^4.3.3",
    "@zitadel/prettier-config": "workspace:*",
    "axios": "^1.7.7",
    "dotenv": "^16.4.5",
    "eslint": "8.57.1",
    "eslint-config-zitadel": "workspace:*",
    "prettier": "^3.2.5",
--- a/packages/zitadel-client/package.json
+++ b/packages/zitadel-client/package.json
@@ -44,8 +44,8 @@
    "clean": "rm -rf .turbo && rm -rf node_modules && rm -rf dist"
  },
  "dependencies": {
-    "@bufbuild/protobuf": "^2.0.0",
+    "@bufbuild/protobuf": "^2.2.2",
-    "@connectrpc/connect": "2.0.0-alpha.1",
+    "@connectrpc/connect": "^2.0.0",
    "@zitadel/proto": "workspace:*"
  },
  "devDependencies": {
--- a/packages/zitadel-client/src/helpers.ts
+++ b/packages/zitadel-client/src/helpers.ts
@@ -1,9 +1,9 @@
 import type { DescService } from "@bufbuild/protobuf";
 import { Timestamp, timestampDate } from "@bufbuild/protobuf/wkt";
-import { createPromiseClient, Transport } from "@connectrpc/connect";
+import { createClient, Transport } from "@connectrpc/connect";
 export function createClientFor<TService extends DescService>(service: TService) {
-  return (transport: Transport) => createPromiseClient(service, transport);
+  return (transport: Transport) => createClient(service, transport);
 }
 export function toDate(timestamp: Timestamp | undefined): Date | undefined {
--- a/packages/zitadel-client/src/v2.ts
+++ b/packages/zitadel-client/src/v2.ts
@@ -1,6 +1,7 @@
 import { create } from "@bufbuild/protobuf";
 import { FeatureService } from "@zitadel/proto/zitadel/feature/v2/feature_service_pb";
 import { IdentityProviderService } from "@zitadel/proto/zitadel/idp/v2/idp_service_pb";
-import { RequestContext } from "@zitadel/proto/zitadel/object/v2/object_pb";
+import { RequestContextSchema } from "@zitadel/proto/zitadel/object/v2/object_pb";
 import { OIDCService } from "@zitadel/proto/zitadel/oidc/v2/oidc_service_pb";
 import { OrganizationService } from "@zitadel/proto/zitadel/org/v2/org_service_pb";
 import { SessionService } from "@zitadel/proto/zitadel/session/v2/session_service_pb";
@@ -17,8 +18,8 @@ export const createOrganizationServiceClient = createClientFor(OrganizationServi
 export const createFeatureServiceClient = createClientFor(FeatureService);
 export const createIdpServiceClient = createClientFor(IdentityProviderService);
-export function makeReqCtx(orgId: string | undefined): Partial<RequestContext> {
+export function makeReqCtx(orgId: string | undefined) {
-  return {
+  return create(RequestContextSchema, {
    resourceOwner: orgId ? { case: "orgId", value: orgId } : { case: "instance", value: true },
-  };
+  });
 }
--- a/packages/zitadel-node/package.json
+++ b/packages/zitadel-node/package.json
@@ -29,15 +29,15 @@
  },
  "peerDependencies": {
    "@zitadel/client": "workspace:*",
-    "@connectrpc/connect": "^2.0.0-alpha.1"
+    "@connectrpc/connect": "^2.0.0"
  },
  "dependencies": {
-    "@connectrpc/connect-node": "^2.0.0-alpha.1",
+    "@connectrpc/connect-node": "^2.0.0",
-    "@connectrpc/connect-web": "^2.0.0-alpha.1",
+    "@connectrpc/connect-web": "^2.0.0",
    "jose": "^5.3.0"
  },
  "devDependencies": {
-    "@connectrpc/connect": "^2.0.0-alpha.1",
+    "@connectrpc/connect": "^2.0.0",
    "@types/node": "^22.9.0",
    "@zitadel/client": "workspace:*",
    "@zitadel/tsconfig": "workspace:*",
--- a/packages/zitadel-proto/buf.gen.yaml
+++ b/packages/zitadel-proto/buf.gen.yaml
@@ -2,7 +2,7 @@ version: v2
 managed:
  enabled: true
 plugins:
-  - remote: buf.build/bufbuild/es:v2.0.0
+  - remote: buf.build/bufbuild/es:v2.2.0
    out: .
    include_imports: true
    opt:
--- a/packages/zitadel-proto/package.json
+++ b/packages/zitadel-proto/package.json
@@ -12,12 +12,12 @@
  "sideEffects": false,
  "scripts": {
    "generate": "buf generate https://github.com/zitadel/zitadel.git --path ./proto/zitadel",
-    "clean": "rm -rf zitadel && rm -rf .turbo && rm -rf node_modules"
+    "clean": "rm -rf zitadel .turbo node_modules google protoc-gen-openapiv2 validate"
  },
  "dependencies": {
-    "@bufbuild/protobuf": "^2.0.0"
+    "@bufbuild/protobuf": "^2.2.2"
  },
  "devDependencies": {
-    "@bufbuild/buf": "^1.46.0"
+    "@bufbuild/buf": "^1.47.2"
  }
 }
--- a/playwright.config.ts
+++ b/playwright.config.ts
@@ -26,7 +26,7 @@ export default defineConfig({
  /* Shared settings for all the projects below. See https://playwright.dev/docs/api/class-testoptions. */
  use: {
    /* Base URL to use in actions like `await page.goto('/')`. */
-    baseURL: "http://127.0.0.1:3000",
+    baseURL: "http://localhost:3000",
    /* Collect trace when retrying the failed test. See https://playwright.dev/docs/trace-viewer */
    trace: "on-first-retry",
@@ -38,17 +38,17 @@ export default defineConfig({
      name: "chromium",
      use: { ...devices["Desktop Chrome"] },
    },
-
+    /*
-    {
+            {
-      name: "firefox",
+              name: "firefox",
-      use: { ...devices["Desktop Firefox"] },
+              use: { ...devices["Desktop Firefox"] },
-    },
+            },
-    /* TODO: webkit fails. Is this a bug?
+            TODO: webkit fails. Is this a bug?
-    {
+            {
-      name: 'webkit',
+              name: 'webkit',
-      use: { ...devices['Desktop Safari'] },
+              use: { ...devices['Desktop Safari'] },
-    },
+            },
-*/
+        */
    /* Test against mobile viewports. */
    // {
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml