Test Cases #199

Open
6 of 32 tasks
hifabienne opened this issue Sep 27, 2024 · 0 comments

hifabienne commented Sep 27, 2024

General:

  • ❌ Per default the settings of the default organization should be triggered
    Note: At the moment the instance settings are triggered

As an end user I am able to authenticate using the following authentications methods if they are configured on my user:

  • ❌ Password
    Note: Authentication goes through, but I get an error at the end:
      "error": {
        "name": "ConnectError",
        "rawMessage": "Errors.AuthRequest.AlreadyHandled (COMMAND-Sx208nt)",
        "code": 9,
        "metadata": {}
      }

  • ❌ Given user has an Initial Password, user is prompted to change the password
    Note: User is not prompted to change the password during login

  • ❌ Reset Password

    • ❌ User can enter the code received per email directly in the UI and set a new password
      Note: User is authenticated, but receives the same error as above
    • ❌ User can click the link in the email and set a new password
      Note: User receives an email and the flow works fine, but I am not redirected after finishing the login (as far as I remember we have implemented something to get to the same auth request in v1)
    • ✅ User can resend the code
  • ✅ Passkey

  • ❌ MFA: SMS OTP

    • ❌ Authenticate by entering the code into the UI
      Note: Code was not sent; the payload shows undefined in sessionid, not sure if that has an impact
    • ❌ Resend the SMS code
  • MFA: Email OTP

    • ✅ Authenticate by entering the code into the UI
    • ❌ Authenticate by clicking the link in the email
      Note: the user is sent to the old login instead of the new one
      [image]
  • ✅ Resend the email code
  • MFA: TOTP
    • ❌ Can we change the logo of the authenticator app to something different? This is Google specific and might be confusing for customers
      [image]
  • ❌ MFA: U2F
    Note: I got the following error: [image]

  • SSO: Google

  • SSO: Microsoft

  • SSO: Apple

    • Given an error occurs on the login with Apple, the user should be able to use a different authentication method
      Note: at the moment the user is stuck on the login failure screen
      [image]
  • SSO: Github

  • SSO: Generic OIDC

  • SSO: Generic OAuth

  • SSO: SAML

  • ❌ Given MFA Init is set to 0, the user will not be prompted to set up an MFA

  • Given MFA Init is not set to 0, the user will be prompted to add one of the configured MFAs

    • ❌ User can skip the MFA prompt
      [image]
  • ❌ I see all the possible providers from the organizations login policy
  • ❌ Add passkey and authenticate the user afterwards
    Note: user is prompted twice to add the passkey, other than that I am able to register it and login

As an end user I am able to register my user using the following authentication methods (assuming self-registration is enabled):

  • Registration with username & password
    • ❌ Register link is only shown when "User Registration allowed" is enabled
      Note: at the moment the link is always shown
    • ✅ Correct password complexity policy is triggered
    • ❌ Verify Email
      Note: when I create a new user with username and email, I get a verification email; the link in there goes to the old login
  • ✅ Passkey
    • Register a new user with username and passkey as authentication method
  • SSO: Google
  • SSO: Microsoft
  • SSO: Apple
  • SSO: Github
  • SSO: Generic OIDC
  • SSO: Generic OAuth
  • SSO: SAML
  • MFA: SMS OTP
  • MFA: Email OTP
  • MFA: TOTP
  • MFA: U2F

As an administrator I can create a user through the APIs or Management Console, and the user is able to login afterwards:

  • Given I create a user with an initial password, the user is asked to change the password on the first login
  • Given I create a user with an email address and no authentication method, the user is prompted to add the authentication method on the next login
  • Given I create a user with a non verified email, the user will have to verify the address (email link/code)

The login is capable to handle translations

The login UI can handle the following B2B use cases

  • Domain discovery
  • Org ID Scope
  • Trigger Branding (Colors & Logo)
  • Trigger Login Settings
    • ❌ Configured MFAs / passwordless
      Note: At the moment it always shows passkey to configure, and not the list I have configured
    • ❌ Force MFA
      Note: Even if I have force MFA enabled, I do have a skip button
    • ❌ Unknown username
      Note: When I enter an unknown username I get a not found error
    • ❌ Multifactor init lifetime
      Note: Even if I have the lifetime set to 0, I get the prompt
    • ❌ Disabled Email / Phone login
      Note: At the moment the email/phone login doesn't work, not sure if that's a backend or a frontend thing
  • Given no redirect url is given from an authrequest the default redirect url is taken, user will be redirected after successful login

Complex test cases

Org ID Scope with 1 idp

❌ Given I have an organization with the domain "rootd.ch", Google as IdP enabled with registration allowed, username/password disabled, and register user disabled.
Given the user [email protected] doesn't exist, and enters the username [email protected]
Given I send an OIDC request with the org ID scope
❌ The user should directly be redirected
✅ User can login with Google and is redirected back to the login
❌ User is automatically created
❌ User is automatically redirected to the app

Note: Probably the context, e.g. the org ID, is missing when we want to send the create
[image]

Domain Discovery with 1 idp

❌ Given I have an organization with the domain "rootd.ch", Google as IdP enabled with registration allowed, username/password disabled, and register user disabled.
The user [email protected] doesn't exist, and enters the username [email protected]
The user should be automatically redirected to Google, and authenticate

✅ User is redirected to the correct organization
❌ User is automatically redirected to Google
  Note: the user is redirected to the registration page

@hifabienne hifabienne moved this to 📋 Sprint Backlog in Product Management Sep 27, 2024
@peintnermax peintnermax mentioned this issue Oct 16, 2024