Skip to content

feat(auth): surface SSO membership and gate team management#471

Open
ben-fornefeld wants to merge 6 commits into
mainfrom
auth/sso-initial
Open

feat(auth): surface SSO membership and gate team management#471
ben-fornefeld wants to merge 6 commits into
mainfrom
auth/sso-initial

Conversation

@ben-fornefeld

Copy link
Copy Markdown
Member

What

Surfaces SSO membership on AuthUser and gates team-management UI for SSO-managed users. Pairs with the infra/dashboard-api PR (server-side enforcement + org→team mapping).

Changes

  • AuthUser.isSso + organizationId derived from the Kratos identity's organization_id (a first-class Ory identity field, not a trait or JWT claim), populated in both fromKratosSessionIdentity and fromOryIdentity.
  • Create team: the "Create new team" item is hidden in the team switcher for SSO users.
  • Add member: the "Add new member" button is disabled with a tooltip"Members are managed by your SSO provider. Ask teammates to sign in through SSO…" — instead of opening the invite dialog.

These are UX guards; the authoritative enforcement is server-side in dashboard-api.

Tests / checks

tsc --noEmit clean for the changed files (pre-existing unrelated errors only); biome lint clean on changed files.

🤖 Generated with Claude Code

Derive isSso/organizationId on AuthUser from the Kratos identity's
organization_id (first-class field, not a trait). SSO-managed users have
their membership driven by their identity provider, so:

- hide "Create new team" in the team switcher
- disable "Add new member" with a tooltip pointing teammates to SSO sign-in

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@cla-bot cla-bot Bot added the cla-signed label Jun 26, 2026
@vercel

vercel Bot commented Jun 26, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
web Ready Ready Preview, Comment Jun 29, 2026 9:40pm

Request Review

@cursor

cursor Bot commented Jun 26, 2026

Copy link
Copy Markdown

PR Summary

Low Risk
Mostly auth model and UI gating; the .gitignore change could accidentally ignore .env.example if negation no longer wins.

Overview
AuthUser now includes organizationId and isSso, set in fromKratosSessionIdentity and fromOryIdentity from the identity’s organization_id (isSso when that id is present).

The sidebar team switcher only shows Create new team when !user.isSso.

.gitignore adds a .env* entry at the bottom; it may override the existing !.env.example exception depending on ignore order.

Reviewed by Cursor Bugbot for commit db52ffc. Bugbot is set up for automated code reviews on this repo. Configure here.

Address PR review:
- read organization_id directly (`identity.organization_id || null`) instead of
  trimming/typeof-guarding an Ory-assigned UUID that never carries whitespace;
  drop the readOrganizationId helper
- trim comments to non-obvious context only

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@chatgpt-codex-connector

Copy link
Copy Markdown

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

Comment thread src/features/dashboard/members/add-member-dialog.tsx Outdated
Comment thread src/features/dashboard/members/add-member-dialog.tsx Outdated
ben-fornefeld and others added 2 commits June 29, 2026 14:39
Invites to SSO teams are now allowed and validated server-side (the invitee
must be an org account), so the dialog needs no team-SSO knowledge — back to
the plain button. The create-team gate (user.isSso) stays.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Drop the temporary sso_debug:* logs added while debugging organization_id
resolution (identity.ts, session.ts, kratos-session-edge.ts).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants