[feat] Add SSO via OIDC

[junaway]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
agenta-documentation	Ready	Preview, Comment	Dec 26, 2025 7:25pm

To fix this problem, we should ensure that the redirect parameter is validated before being used in the redirection logic. There are two main approaches:

1. Whitelist: If the set of allowed redirect targets is known and finite, check that redirect matches one of these safe values.
2. Relative path validation: If arbitrary relative paths are allowed, ensure that redirect does NOT specify a full URL (with scheme/host), and is a local path.

For this code, since the usage is for paths within the frontend, the second approach is practical:

• Use Python's urllib.parse.urlparse to check that redirect does not contain a hostname or scheme.
• Remove any backslash characters (\) to prevent bypass.
• If validation fails, redirect to a safe default (e.g., /).

Specific changes:

• Add an import for urlparse from urllib.parse.
• Validate the redirect parameter before building supertokens_url:
  • Strip backslashes.
  • Ensure urlparse(redirect).netloc and urlparse(redirect).scheme are empty.
  • If the validation fails, set redirect to /.

All code changes are to occur within api/oss/src/apis/fastapi/auth/router.py in the block for /authorize/oidc.
No change to existing functionality except improved security for the redirection.

---

[Copilot]

Pull request overview

This PR adds Single Sign-On (SSO) via OpenID Connect (OIDC) support to Agenta. The implementation introduces a comprehensive authentication discovery system, dynamic OIDC provider configuration, user identity tracking, and organization-level authentication policies.

Key changes include:

• Frontend authentication flow refactored to support multiple auth methods with dynamic discovery
• Backend auth service with OIDC provider management, SuperTokens integration with custom overrides for dynamic providers
• New database tables for user identities and organization authentication policies (EE)

Reviewed changes

Copilot reviewed 32 out of 41 changed files in this pull request and generated 21 comments.

Show a summary per file

File	Description
web/oss/src/pages/auth/[[...path]].tsx	Refactored auth page to dynamically show/hide auth methods based on discovery endpoint and environment flags
web/oss/src/lib/helpers/dynamicEnv.ts	Added environment variables for email/OIDC auth feature flags
web/oss/src/components/pages/auth/SocialAuth/index.tsx	Added optional divider prop to conditionally show separator
web/entrypoint.sh	Added logic to derive AUTH_EMAIL_ENABLED and AUTH_OIDC_ENABLED from environment variables
api/oss/src/core/auth/supertokens_overrides.py	Implemented SuperTokens overrides for dynamic OIDC providers and custom session handling with user identities
api/oss/src/core/auth/service.py	Added AuthService with discovery, authentication, and authorization logic
api/oss/src/core/auth/oidc.py	Implemented OIDC client helper utilities for authorization and token exchange
api/oss/src/core/auth/middleware.py	Added organization policy enforcement middleware (EE)
api/oss/src/apis/fastapi/auth/router.py	Added /discover and /authorize/oidc endpoints
api/oss/src/dbs/postgres/users/*	Added user identities DAO, DBE, DBA, mappings, and types
api/oss/src/dbs/postgres/organizations/*	Added organization policies, domains, providers, invitations DAOs and models
api/oss/databases/postgres/migrations/*	Added migration for user_identities and organization tables
api/ee/src/dbs/postgres/organizations/*	EE-specific organization DBE/DBA classes
api/test-auth.http	Comprehensive HTTP test file documenting all auth endpoints and flows

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The DBA classes inherit from LegacyLifecycleDBA but the migration creates columns matching LifecycleDBA (which includes deleted_at, created_by_id, updated_by_id, and deleted_by_id). This mismatch between the migration and the model definition will cause runtime errors. These classes should inherit from LifecycleDBA instead of LegacyLifecycleDBA to match the migration schema.

[Copilot]

The code calls await self.domains_dao.get_by_id(provider.domain_id) but the OrganizationDomainsDAO class doesn't have a get_by_id method. It only has get_by_domain, list_by_organization, and mark_verified methods. This will cause an AttributeError at runtime.

Suggested change

	domain_dto = await self.domains_dao.get_by_id(provider.domain_id)
	if hasattr(self.domains_dao, "get_by_id"):
	domain_dto = await self.domains_dao.get_by_id(provider.domain_id)
	elif hasattr(self.domains_dao, "get_by_domain"):
	domain_dto = await self.domains_dao.get_by_domain(domain)
	else:
	return False

[Copilot]

The DAO imports types from ee.src.core.organizations.types but this file is in the OSS directory (oss/src/dbs/postgres/organizations/dao.py). This creates a dependency on EE code from OSS code, which breaks the architectural separation. These types should either be defined in OSS or the DAO should only be used in EE. Based on the context, these organization-related features appear to be EE-only, so this DAO file should probably be in the EE directory.

[Copilot]

This file imports types from ee.src.core.organizations.types but is located in the OSS directory. This creates an improper dependency on EE code from OSS code, violating the architectural separation. Since organization policies, domains, providers, and invitations appear to be EE-only features, this mappings file should be located in the EE directory structure.

[Copilot]

The code uses a hardcoded placeholder org_slug = "org" instead of fetching the actual organization slug from the database. This means all SSO identities will be stored with the same generic org slug, making it impossible to distinguish between different organizations' SSO providers. The TODO comment indicates this is known incomplete work that needs to be addressed.

Suggested change

	# Format: oidc:{org_id}:{provider_slug} -> sso:{org_slug}:{provider_slug}
	parts = third_party_id.split(":")
	org_id_str, provider_slug = parts[1], parts[2]
	# TODO: Fetch org_slug from organization table
	org_slug = "org" # Placeholder
	method = f"sso:{org_slug}:{provider_slug}"
	# Format: oidc:{org_id}:{provider_slug} -> sso:{org_id}:{provider_slug}
	parts = third_party_id.split(":")
	org_id_str, provider_slug = parts[1], parts[2]
	method = f"sso:{org_id_str}:{provider_slug}"

[Copilot]

Import of 'List' is not used.
Import of 'Union' is not used.

Suggested change

	from typing import Dict, Any, List, Optional, Union
	from typing import Dict, Any, Optional

[Copilot]

Import of 'Provider' is not used.

[Copilot]

Import of 'User' is not used.

Suggested change

	from supertokens_python.types import User, RecipeUserId
	from supertokens_python.types import RecipeUserId

[Copilot]

This statement is unreachable.

Suggested change

	# For now, assume they are
	is_member = True
	if not is_member:
	return {
	"error": "NOT_A_MEMBER",
	"message": "You are not a member of this organization",
	}
	# For now, assume they are a member and proceed to policy checks

[Copilot]

This statement is unreachable.

Suggested change

	# For now, assume they are
	is_member = True
	if not is_member:
	return {
	"error": "NOT_A_MEMBER",
	"message": "You are not a member of this organization",
	}
	# For now, assume they are (no membership check implemented yet)

[Copilot]

Pull request overview

Copilot reviewed 57 out of 66 changed files in this pull request and generated 18 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The OSS version defines the same database models and migrations that appear in the EE version. This creates significant code duplication - the entire contents of dbas.py, dbes.py, mappings.py, and dao.py are duplicated. Since these are meant to be EE-only features (organization policies, SSO providers), they should only exist in the EE codebase. The OSS versions should either be removed or contain only stub/fallback implementations.

[Copilot]

The load_only optimization is imported but only partially applied. While line 65 adds optimization for the organization query in this batch processing migration, consider whether other queries in the migration could benefit from similar optimization to reduce memory usage during large data migrations.

[Copilot]

The showDivider prop defaults to true to maintain backward compatibility, but the calling code in the auth page explicitly passes the value on line 225. The prop could be made required instead of optional with a default, making the API more explicit and reducing ambiguity about when the divider appears.

[Copilot]

The expires_at field in the migration is correctly defined as TIMESTAMP, but the DBA model defines it as UUID (lines 125-128 in dbas.py). This mismatch between the migration and the model will cause runtime errors. The DBA model should be updated to use TIMESTAMP type.

[Copilot]

The in-memory StateStore is not suitable for production use, especially in multi-instance deployments where state needs to be shared. The TODO comment acknowledges this, but using this in production would cause OIDC flows to fail when requests hit different instances. Consider implementing Redis-backed storage before deploying to production, or add validation to prevent deployment with in-memory state.

[Copilot]

Import of 'Optional' is not used.

[Copilot]

Import of 'List' is not used.

[Copilot]

Import of 'User' is not used.

[Copilot]

This statement is unreachable.

Suggested change

	is_member = True
	if not is_member:
	return {
	"error": "NOT_A_MEMBER",
	"message": "You are not a member of this organization",
	}

[Copilot]

This statement is unreachable.

[Copilot]

Pull request overview

Copilot reviewed 60 out of 69 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Inconsistent base class usage: OSS uses LifecycleDBA while EE uses LegacyLifecycleDBA. This inconsistency may lead to differences in table schemas and lifecycle field behavior between OSS and EE editions for the same tables.

[Copilot]

The variable invite_link is referenced in the f-string but is not defined in this diff section. This will cause a NameError. Check if invite_link is defined earlier in the function or if it should be constructed here.

[Copilot]

This statement is unreachable.

Suggested change

	# Get user ID and check membership
	user_id = session.get_user_id()
	# TODO: Check if user is a member of organization
	# For now, assume they are
	is_member = True
	if not is_member:
	return {
	"error": "NOT_A_MEMBER",
	"message": "You are not a member of this organization",
	}
	# Get user ID (membership enforcement not yet implemented)
	# TODO: Enforce that user is a member of the organization before applying policy
	user_id = session.get_user_id()

[Copilot]

This statement is unreachable.

[Copilot]

Pull request overview

Copilot reviewed 62 out of 71 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Variable user_id is not used.

Suggested change

user_id = session.get_user_id()

[Copilot]

This statement is unreachable.

[Copilot]

Pull request overview

Copilot reviewed 95 out of 104 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (4)

web/entrypoint.sh:1

• The order of NEXT_PUBLIC_AGENTA_WEB_URL and NEXT_PUBLIC_AGENTA_API_URL has been swapped compared to the original, but the surrounding code context suggests this was intentional. However, this creates an inconsistency with the removed lines that had AGENTA_API_URL first. Verify this order change is intentional and doesn't break existing configurations that depend on the original ordering.
  api/oss/src/utils/env.py:1
• Hardcoding a default PostHog API key in production code is a security risk. This key should only be used in development/demo environments. Consider making this explicitly conditional on environment (e.g., only default in demo mode) or removing the default entirely to force explicit configuration.
  api/oss/src/utils/env.py:1
• Defaulting critical security keys to 'replace-me' is dangerous. These should fail loudly if not set in production rather than falling back to insecure defaults. Consider raising an exception when these are not configured in non-development environments.
  api/oss/src/services/organization_service.py:1
• The error message 'No existing invitation found for the user' is misleading when an existing_role exists but no existing_invitation. The user may have been previously invited (thus having a role) but the invitation record is missing. Consider a more accurate message like 'User has no active invitation or existing role in this organization'.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Adding load_only() to limit columns fetched is good, but verify that no other attributes of OrganizationDB are accessed elsewhere in this migration that aren't included in this list. If other attributes are accessed, this could cause additional queries or errors.

Suggested change

.options(load_only(OrganizationDB.id, OrganizationDB.owner))

[Copilot]

Pull request overview

Copilot reviewed 98 out of 107 changed files in this pull request and generated 7 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Variable user_id is not used.

[Copilot]

Import of 'func' is not used.
Import of 'select' is not used.
Import of 'update' is not used.

Suggested change

	from sqlalchemy import select, update, func, text
	from sqlalchemy import text

[Copilot]

Import of 'postgresql' is not used.

Suggested change

from sqlalchemy.dialects import postgresql

[Copilot]

Import of 'HTTPException' is not used.

[Copilot]

Import of 'Optional' is not used.

[Copilot]

This statement is unreachable.

[Copilot]

This statement is unreachable.