
fix(auth): support IDP-initiated SSO by disabling OAuth state check for WorkOS#197

Open

jrf0110 wants to merge 1 commit into main from merge/hq-cv-6xp6g

Conversation

@jrf0110

@jrf0110 jrf0110 commented Feb 14, 2026

Summary

  • Adds checks: [] to the WorkOS OAuth provider config in NextAuth to support IDP-initiated SSO flows
  • Without this, IDP-initiated SSO fails because the OAuth state parameter is missing when the IdP initiates the login flow

Source

Polecat: rust (branch polecat/rust/hq-cv-6xp6g@mlmwvyry)
MR: ki-n2f

Test plan

  • Rebased cleanly on main
  • CI checks (build + test) — auto-merge enabled

…or WorkOS

WorkOS validates SAML assertions and manages the OAuth code exchange securely,
so NextAuth's state check is unnecessary and breaks IDP-initiated SSO flows
where no state param or cookie exists.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jrf0110 jrf0110 enabled auto-merge (squash) February 14, 2026 22:59
client: {
token_endpoint_auth_method: 'client_secret_post',
},
checks: [],
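Review bot: the title and commit message describe disabling the state check, but `checks: []` on this line clears the whole array, which in NextAuth also governs the pkce and nonce checks; if only state cannot be present in an IdP-initiated flow, keep the other entries the provider supports (for example `checks: ['pkce']`) and add a code comment next to this line explaining why state is omitted. The justification that WorkOS validates the SAML assertion and the code exchange covers the IdP side only; the state parameter is what ties this callback to a login the user actually started, so consider applying the relaxed configuration only to the IdP-initiated path rather than to every sign-in through this provider.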

CRITICAL: Disabling all OAuth/OIDC checks via checks: [] may weaken auth security

In NextAuth, checks controls protections like state / pkce / nonce (provider-dependent). Setting this to an empty array disables those validations and can open up CSRF / auth-code injection style risks. If this is required for WorkOS compatibility, please add a rationale (and ideally scope to the minimal required checks) rather than disabling all checks.
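To make the trade-off in the comment above concrete, here is an added Python model of what the `state` check does at the relying party. It is constructed for illustration and is not code from this PR, from NextAuth or from WorkOS: a toy in-memory IdP issues one-time codes, and a toy RP either enforces the state binding (`checks=("state",)`) or skips it (`checks=()`, the analogue of `checks: []`). The subjects, cookie names and return values are all made up.

```python
"""Toy model of the OAuth `state` check at a relying party (RP).

Constructed example, not NextAuth's or WorkOS's code. The IdP, RP, browser
cookie jar and subjects below are all made up for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field


class MockIdP:
    """Stand-in identity provider: hands out one-time authorization codes."""

    def __init__(self):
        self._codes = {}

    def issue_code(self, subject):
        code = secrets.token_urlsafe(16)
        self._codes[code] = subject
        return code

    def exchange(self, code):
        # One-time use: redeeming a code twice raises KeyError.
        return self._codes.pop(code)


@dataclass
class Browser:
    """Cookie jar for one user agent; the state cookie lives here, not at the IdP."""
    cookies: dict = field(default_factory=dict)


@dataclass
class RelyingParty:
    idp: MockIdP
    checks: tuple = ("state",)   # () models NextAuth's `checks: []`
    sessions: dict = field(default_factory=dict)

    def begin_login(self, browser):
        """RP-initiated flow: mint a state value and bind it to this browser."""
        state = secrets.token_urlsafe(32)
        browser.cookies["oauth_state"] = state
        return {"state": state}          # the IdP echoes this back on redirect

    def callback(self, browser, params):
        """Return ('ok', subject) or ('rejected', reason)."""
        if "state" in self.checks:
            expected = browser.cookies.pop("oauth_state", None)
            got = params.get("state")
            if expected is None or got is None:
                # Exactly the IdP-initiated situation: no param and no cookie.
                return ("rejected", "missing state")
            if not hmac.compare_digest(expected, got):
                return ("rejected", "state mismatch")
        try:
            subject = self.idp.exchange(params["code"])
        except KeyError:
            return ("rejected", "invalid code")
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = subject
        browser.cookies["session"] = sid
        return ("ok", subject)


def rp_initiated_flow(checks=("state",)):
    """Normal flow: the RP minted state, the IdP echoed it, the cookie matches."""
    idp, rp, alice = MockIdP(), None, Browser()
    rp = RelyingParty(idp, checks)
    req = rp.begin_login(alice)
    code = idp.issue_code("alice@example.com")
    return rp.callback(alice, {"code": code, "state": req["state"]})


def tampered_state_flow():
    """Same flow, but the state echoed back does not match the cookie."""
    idp = MockIdP()
    rp = RelyingParty(idp)
    alice = Browser()
    rp.begin_login(alice)
    code = idp.issue_code("alice@example.com")
    return rp.callback(alice, {"code": code, "state": "not-the-minted-value"})


def idp_initiated_flow(checks=("state",)):
    """IdP starts the flow: no state was ever minted, so no param and no cookie."""
    idp = MockIdP()
    rp = RelyingParty(idp, checks)
    alice = Browser()
    code = idp.issue_code("alice@example.com")
    return rp.callback(alice, {"code": code})


def unsolicited_callback(checks=("state",)):
    """A callback carrying someone else's code reaches a browser that never
    started a login. With the check on it is dropped; with checks=() that
    browser is now signed in as the other account (login CSRF)."""
    idp = MockIdP()
    rp = RelyingParty(idp, checks)
    bystander = Browser()
    foreign_code = idp.issue_code("other@example.com")
    result = rp.callback(bystander, {"code": foreign_code})
    return result, rp.sessions.get(bystander.cookies.get("session"))
```

The two `idp_initiated_flow` results show the compatibility problem the PR fixes (the check rejects a legitimate IdP-initiated login because nothing at the RP ever minted a state), and the two `unsolicited_callback` results show what the same check was guarding against: with it off, the RP cannot distinguish a login the user started from one that merely arrived in their browser.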

@kiloconnect

kiloconnect bot commented Feb 14, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity    Count
CRITICAL    1
WARNING     0
SUGGESTION  0

Issue Details

CRITICAL

File                    Line  Issue
src/lib/user.server.ts  326   Disabling all OAuth/OIDC checks via checks: [] may weaken auth security

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments: none.

Files Reviewed (1 file)
  • src/lib/user.server.ts - 1 issue

