This repository contains all TypeScript and JavaScript packages and applications you need to create your own ZITADEL Login UI.
The scope of functionality of this repo and packages is under active development.
The @zitadel/client
and @zitadel/node
packages are using @connectrpc/connect and its 2.0.0-alpha release which might still change.
You can read the contribution guide on how to contribute. Questions can be raised in our Discord channel or as a GitHub issue.
We think the easiest path of getting up and running, is the following:
- Fork and clone this repository
- Run the ZITADEL Cloud login UI locally
- Make changes to the code and see the effects live on your local machine
- Study the rest of this README.md and get familiar and comfortable with how everything works.
- Decide on a way of how you want to build and run your login UI. You can reuse ZITADEL Clouds way. But if you need more freedom, you can also import the packages you need into your self built application.
login
: The login UI used by ZITADEL Cloud, powered by Next.js@zitadel/node
: core components for establishing node client connection@zitadel/client
: shared client utilities@zitadel/proto
: shared protobuf types@zitadel/tsconfig
: sharedtsconfig.json
s used throughout the monorepoeslint-config-zitadel
: ESLint preset
Each package and app is 100% TypeScript.
The login is currently in a work in progress state. The goal is to implement a login UI, using the session API of ZITADEL, which also implements the OIDC Standard and is ready to use for everyone.
In the first phase we want to have a MVP login ready with the OIDC Standard and a basic feature set. In a second step the features will be extended.
This list should show the current implementation state, and also what is missing. You can already use the current state, and extend it with your needs.
-
Local User Registration (with Password)
-
User Registration and Login with external Provider
- GitHub
- GitHub Enterprise
- GitLab
- GitLab Enterprise
- Azure
- Apple
- Generic OIDC
- Generic OAuth
- Generic JWT
- LDAP
- SAML SP
-
Multifactor Registration an Login
- Passkeys
- TOTP
- OTP: Email Code
- OTP: SMS Code
-
Password Change/Reset
-
Domain Discovery
-
Branding
-
OIDC Standard
- Authorization Code Flow with PKCE
- AuthRequest
hintUserId
- AuthRequest
loginHint
- AuthRequest
prompt
- Login
- Select Account
- Consent
- Create
- Scopes
- `openid email profile address``
-
offline access
-
urn:zitadel:iam:org:idp:id:{idp_id}
-
urn:zitadel:iam:org:project:id:zitadel:aud
-
urn:zitadel:iam:org:id:{orgid}
-
urn:zitadel:iam:org:domain:primary:{domain}
- AuthRequest UI locales
This diagram shows the available pages and flows.
Note that back navigation or retries are not displayed.
flowchart TD
A[Start] --> register
A[Start] --> accounts
A[Start] --> loginname
loginname -- signInWithIDP --> idp-success
loginname -- signInWithIDP --> idp-failure
idp-success --> B[signedin]
loginname --> password
loginname -- hasPasskey --> passkey
loginname -- allowRegister --> register
passkey-add --passwordAllowed --> password
passkey -- hasPassword --> password
passkey --> B[signedin]
password -- hasMFA --> mfa
password -- allowPasskeys --> passkey-add
mfa --> otp
otp --> B[signedin]
mfa--> u2f
u2f -->B[signedin]
register --> passkey-add
register --> password-set
password-set --> B[signedin]
passkey-add --> B[signedin]
password --> B[signedin]
password-- forceMFA -->mfaset
mfaset --> u2fset
mfaset --> otpset
u2fset --> B[signedin]
otpset --> B[signedin]
accounts--> loginname
password -- not verified yet -->verify
register-- withpassword -->verify
passkey-- notVerified --> verify
verify --> B[signedin]
You can find a more detailed documentation of the different pages here.
- TypeScript for static type checking
- ESLint for code linting
- Prettier for code formatting
pnpm generate
- Build proto stubs for server and client packagepnpm build
- Build all packages and the login apppnpm test
- Test all packages and the login apppnpm test:watch
- Rerun tests on file changepnpm dev
- Develop all packages and the login apppnpm lint
- Lint all packagespnpm changeset
- Generate a changesetpnpm clean
- Clean up allnode_modules
anddist
folders (runs each package's clean script)
Package publishing has been configured using Changesets. Here is their documentation for more information about the workflow.
The GitHub Action needs an NPM_TOKEN
and GITHUB_TOKEN
in the repository
settings. The Changesets bot should also be installed on the GitHub repository.
Read the changesets documentation for more information about this automation
To run the application make sure to install the dependencies with
pnpm install
then setup the environment for the login application which needs a .env.local
in /apps/login
.
Go to your instance and create a service user for the application having the IAM_OWNER
manager role.
This user is required to have access to create users on your primary organization and reading policy data so it can be
restricted to your personal use case but we'll stick with IAM_OWNER
for convenience. Create a PAT and copy the value to
paste it under the ZITADEL_SERVICE_USER_TOKEN
key.
The file should look as follows:
ZITADEL_API_URL=[yourinstanceurl]
ZITADEL_ORG_ID=[yourprimaryorg]
ZITADEL_SERVICE_USER_TOKEN=[yourserviceuserpersonalaccesstoken]
then generate the GRPC stubs with
pnpm generate
and then run it with
pnpm dev
Open the login application with your favorite browser at localhost:3000
.
To deploy your own version on Vercel, navigate to your instance and create a service user. Copy its id from the overview and set it as ZITADEL_SERVICE_USER_ID. Then create a personal access token (PAT), copy and set it as ZITADEL_SERVICE_USER_TOKEN, then navigate to your instance settings and make sure it gets IAM_OWNER permissions. Finally set your instance url as ZITADEL_API_URL. Make sure to set it without trailing slash.