feat(auth): allow portal users to sign in via SSO#264
Conversation
SSO is allowed for every role at the policy layer; verified-domain surfacing and provider registration gate who is offered it, while role governs authorization rather than authentication. This unblocks verified-domain portal users on a private or internal workspace who were offered SSO but rejected at the callback. Refs #263
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 371ce92130
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
A direct /sign-in/oauth2 start bypasses the verified-domain routing the login UI applies, and the OAuth-start path has no email for the pre-check to gate on. The callback cleanup is therefore the gate: a portal user (role 'user') signing in via SSO must be at a verified domain. Team SSO stays unconditional (those roles are assigned deliberately). Addresses review feedback on #264.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f231ba93ae
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
handleSsoCallbackAfter (bootstrap-admin promotion + lastSsoSignInAt stamp) now skips SSO callbacks whose email is not at a verified domain, matching the gate handleAutoProvisionAfter already applies. Without it, a non-verified-domain user in an adminless workspace was promoted to admin before the verified-domain rejection in handleCallbackPolicyCleanup — which revokes only the session and leaves the role write behind, so a later password/magic-link login would be admin. Addresses Codex P1 review feedback on #264.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a7dbb6a6c7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@codex review |
|
Codex Review: Didn't find any major issues. Hooray! Reviewed commit: ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
mortondev
force-pushed
the
feat/portal-user-sso
branch
from
a7dbb6a to
5f44a4b
Compare
Extract the inline portal-SSO verified-domain check into a reusable isSsoBlockedForRole predicate (sibling of isHardBound) and dedupe the three callback reject branches behind a shared blockSignIn helper. Reuse the shared isTeamMember role helper instead of an inline role check. Move the SSO gate above the principal-row guard so the email-driven policy fails closed when no principal row exists. Add tests for portal SSO at an enforced (Require SSO) domain and for the no-principal-row case. Claude-Session: https://claude.ai/code/session_01J4VVqUDnPRSkaxLeFEaHpZ
1 participant
What
Let Portal Users (
role: user) sign in through the workspace SSO connection, gated on a verified domain. Team roles (admin/member) — reached only via bootstrap or a deliberate invite — keep SSO unconditionally.Why
Closes #263. A workspace run as a private/internal tool authenticates everyone through one IdP (e.g. Microsoft Entra) but keeps most staff as restricted portal users. Those users were offered "Continue with SSO" (verified-domain routing is role-blind) yet rejected at the callback, because portal SSO was gated on a
portalConfig.oauth.ssoflag no UI ever set — a sign-in loop.How
isAuthMethodAllowedtreats SSO as an enabled method for every role; role governs authorization, not whether the method exists.handleCallbackPolicyCleanup), where the IdP email is known: a portal user (role: 'user') signing in via SSO must be at a verified domain (DNS-provensso_verified_domain), else the session is revoked. Team roles are exempt — they're only granted via bootstrap or invitation, so their SSO stays unconditional (the first-admin bootstrap and invited cross-domain members both depend on this).lookupAuthMethodsFnonly offers SSO on a verified-domain match) and closes the direct/sign-in/oauth2start that bypasses that routing.Safety
Review
All Codex findings addressed; threads resolved.