Skip to content

Phase 4b: Invite SSO enforcement + SSO routing#2797

Open
GregorShear wants to merge 1 commit intomasterfrom
greg/sso-phase-4/b
Open

Phase 4b: Invite SSO enforcement + SSO routing#2797
GregorShear wants to merge 1 commit intomasterfrom
greg/sso-phase-4/b

Conversation

@GregorShear
Copy link
Contributor

@GregorShear GregorShear commented Mar 20, 2026
edited
Loading

  • Reject invite redemption when the invite's tenant has sso_provider_id IS NOT NULL and the redeeming user lacks a matching SSO identity (auth.identities.provider_id = tenants.sso_provider_id).
  • Keyed on sso_provider_id IS NOT NULL.
  • This gates new grant creation via invites as soon as a tenant has SSO configured.
  • Fix invite link query ordering (order by created_at desc)

Additionally, route invite links directly into the SSO flow:

  • createInviteLink looks up the tenant's sso_provider_id and includes it in the returned link/metadata
  • Add ssoProvider ID to the invite link URL (e.g. ?grantToken=...&ssoProvider=...)
  • Dashboard reads ssoProvider from query params and calls GoTrue POST /auth/v1/sso directly

These ship together because rejecting non-SSO invite redemption without routing users to the correct SSO flow would be a dead end.

Verify:

  • SSO user (matching provider) redeems invite for SSO tenant → success
  • SSO user from Tenant A's provider tries to redeem invite for Tenant B (different sso_provider_id) → rejected with clear error
  • Non-SSO user tries to redeem invite for SSO tenant → rejected with clear error
  • Non-SSO user redeems invite for tenant without sso_provider_id → unaffected
  • SSO user redeems invite for tenant without sso_provider_id → unaffected (no restriction)
  • Invite for sub-prefix under SSO tenant → same enforcement applies
  • Invite link for SSO tenant includes ssoProvider param → user routed directly into SSO flow

@GregorShear GregorShear changed the base branch from master to greg/sso-phase-4/a March 20, 2026 03:18
@GregorShear GregorShear force-pushed the greg/sso-phase-4/b branch 4 times, most recently from 825b209 to c470810 Compare March 21, 2026 02:19
GregorShear
GregorShear commented Mar 21, 2026
View reviewed changes
crates/control-plane-api/src/server/public/graphql/invite_links.rs Outdated
Comment on lines +301 to +306
.split_at(
invite
.catalog_prefix
.find('/')
.expect("prefix must contain '/'")
+ 1,
Copy link
Contributor Author

@GregorShear GregorShear Mar 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a util function somewhere to extract tenant from prefix? not that it's complicated, but...

Copy link
Member

@psFried psFried Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's this, though nothing I can recall that's in a shared module. Seems like it might be worth it, though

@GregorShear GregorShear marked this pull request as ready for review March 21, 2026 03:20
@GregorShear GregorShear requested review from jshearer and psFried and removed request for jshearer March 21, 2026 03:20
psFried
psFried approved these changes Mar 23, 2026
View reviewed changes
Copy link
Member

@psFried psFried left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

crates/control-plane-api/src/server/public/graphql/invite_links.rs Outdated
Comment on lines +301 to +306
.split_at(
invite
.catalog_prefix
.find('/')
.expect("prefix must contain '/'")
+ 1,
Copy link
Member

@psFried psFried Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's this, though nothing I can recall that's in a shared module. Seems like it might be worth it, though

@GregorShear GregorShear force-pushed the greg/sso-phase-4/b branch 4 times, most recently from bb22086 to 7cb615f Compare March 23, 2026 21:22
@GregorShear GregorShear changed the base branch from greg/sso-phase-4/a to master March 23, 2026 21:22
@github-actions
Copy link

github-actions bot commented Mar 23, 2026

PR Preview Action v1.8.1

QR code for preview link

🚀 View preview at
https://estuary.github.io/flow/pr-preview/pr-2797/

Built to branch gh-pages at 2026-03-23 21:24 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

GregorShear
GregorShear commented Mar 23, 2026
View reviewed changes
crates/models/src/references.rs
Comment on lines +238 to +243
pub fn tenant_from(prefix: &str) -> &str {
let idx = prefix
.find('/')
.expect("prefix must contain at least one /");
&prefix[..idx + 1]
}
Copy link
Contributor Author

@GregorShear GregorShear Mar 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay for this to live here?

@GregorShear GregorShear force-pushed the greg/sso-phase-4/b branch 2 times, most recently from c9ecd92 to 8e55746 Compare March 24, 2026 18:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@psFried psFried psFried approved these changes

@jshearer jshearer Awaiting requested review from jshearer

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GregorShear @psFried