fix(auth): support IDP-initiated SSO by disabling OAuth state check for WorkOS#197
Open
…or WorkOS WorkOS validates SAML assertions and manages the OAuth code exchange securely, so NextAuth's state check is unnecessary and breaks IDP-initiated SSO flows where no state param or cookie exists. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| client: { | ||
| token_endpoint_auth_method: 'client_secret_post', | ||
| }, | ||
| checks: [], |
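Review bot: `checks: []` on the last line of this hunk switches off every callback validation NextAuth can apply (state, and pkce/nonce where the provider uses them) for SP-initiated logins as well as the IdP-initiated ones the PR is about, and the diff carries no rationale for that. Suggest a comment beside the line stating that IdP-initiated SSO has no state cookie to compare against and that the code exchange is being trusted to WorkOS-side validation, and, if WorkOS supports it, keep the checks that still apply (for example `checks: ['pkce']`) so that ordinary SP-initiated logins stay bound to the browser session instead of accepting any authorization code presented to the callback.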
Contributor
CRITICAL: Disabling all OAuth/OIDC checks via checks: [] may weaken auth security
In NextAuth, checks controls protections like state / pkce / nonce (provider-dependent). Setting this to an empty array disables those validations and can open up CSRF / auth-code injection style risks. If this is required for WorkOS compatibility, please add a rationale (and ideally scope to the minimal required checks) rather than disabling all checks.
Contributor
Code Review Summary
Status: 1 Issue Found | Recommendation: Address before merge
Issue Details: CRITICAL
Other Observations (not in diff): Issues found in unchanged code that cannot receive inline comments:
Files Reviewed (1 file)
Summary
checks: [] to the WorkOS OAuth provider config in NextAuth to support IDP-initiated SSO flows
Source
Polecat: rust (branch polecat/rust/hq-cv-6xp6g@mlmwvyry)
MR: ki-n2f
Test plan