Skip to content

feat(web): add Idira SSO support#1459

Open
brendan-kellam wants to merge 2 commits into
mainfrom
brendan-kellam/add-idira-sso-SOU-1520
Open

feat(web): add Idira SSO support#1459
brendan-kellam wants to merge 2 commits into
mainfrom
brendan-kellam/add-idira-sso-SOU-1520

Conversation

@brendan-kellam

@brendan-kellam brendan-kellam commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1520

Summary

  • add Idira as an enterprise OIDC identity provider
  • add Idira configuration schemas, generated reference documentation, and setup instructions
  • add Idira login branding and login telemetry

Validation

  • yarn workspace @sourcebot/schemas build
  • focused ESLint for the affected web files
  • git diff --check

Notes

  • An Idira test tenant was not available, so the end-to-end OIDC flow was not exercised.

Note

High Risk
New authentication provider and OIDC callback path; misconfiguration or IdP-specific behavior could block sign-in, and the flow was not end-to-end tested without an Idira tenant.

Overview
Adds Idira as an enterprise OpenID Connect SSO identity provider (provider: "idira"), alongside existing issuer-based OIDC providers.

Configuration is wired through v3 identityProviders with clientId, clientSecret, and issuer (env or Google Cloud Secret), plus generated schema/docs and a new setup section in the IdP docs. The EE SSO layer registers an Auth.js OIDC provider at /api/auth/callback/idira with PKCE/state, openid profile email scopes, and the same optional email account-linking flag as other providers.

The login UI gets Idira branding (idira.svg), a wa_login_with_idira PostHog event, and a minor newline fix at the end of utils.ts. Changelog notes the feature as EE.

Reviewed by Cursor Bugbot for commit 891f696. Bugbot is set up for automated code reviews on this repo. Configure here.

Summary by CodeRabbit

  • New Features

    • Added Enterprise SSO support for Idira through OpenID Connect (OIDC).
    • Added Idira to supported identity provider configurations, including environment and Google Cloud Secret credential references.
    • Added Idira branding and login analytics support.
  • Documentation

    • Added setup instructions covering redirect URIs, permissions, trust-page credentials, and configuration examples.
    • Updated the changelog and configuration schemas to document Idira support.

@github-actions

This comment has been minimized.

@mintlify

mintlify Bot commented Jul 17, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
sourcebot 🟢 Ready View Preview Jul 17, 2026, 12:48 AM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

Adds Idira as an OIDC SSO provider across configuration schemas, TypeScript types, web authentication registration, login analytics, provider branding, setup documentation, and the unreleased changelog.

Changes

Idira identity provider support

Layer / File(s) Summary
Configuration contracts and validation
packages/schemas/src/v3/*, docs/snippets/schemas/v3/*, schemas/v3/identityProvider.json
Adds Idira configuration types and schema variants for map and array forms, requiring clientId, clientSecret, and issuer through environment or Google Cloud Secret references.
Authentication and login integration
packages/web/src/ee/features/sso/sso.ts, packages/web/src/app/login/components/loginForm.tsx, packages/web/src/lib/*
Registers Idira as an OIDC provider with PKCE, state checks, and the openid profile email scope, and adds Idira login analytics and UI metadata.
Setup documentation and changelog
docs/docs/configuration/idp.mdx, CHANGELOG.md
Documents Idira callback configuration, permissions, credentials, environment variables, and the identityProviders example, and records Idira SSO in Unreleased changes.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
  participant IdentityProviderConfig
  participant getEEIdentityProviders
  participant createIdiraProvider
  participant IdiraOIDC
  IdentityProviderConfig->>getEEIdentityProviders: provide Idira credentials and issuer
  getEEIdentityProviders->>createIdiraProvider: create OIDC provider
  createIdiraProvider->>IdiraOIDC: use PKCE, state, and OIDC scopes
Loading

Possibly related PRs

Suggested reviewers: msukkari

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding Idira SSO support.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch brendan-kellam/add-idira-sso-SOU-1520

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/web/src/ee/features/sso/sso.ts`:
- Line 175: Update the AUTH_EE_GCP_IAP_ENABLED condition in the SSO flow to
compare explicitly against 'true', matching the booleanSchema string
representation. Leave the existing AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING
comparison unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c33af8f8-60a4-44f9-801f-b591c8f53b38

📥 Commits

Reviewing files that changed from the base of the PR and between 9371f1d and 891f696.

⛔ Files ignored due to path filters (1)
  • packages/web/public/idira.svg is excluded by !**/*.svg
📒 Files selected for processing (13)
  • CHANGELOG.md
  • docs/docs/configuration/idp.mdx
  • docs/snippets/schemas/v3/identityProvider.schema.mdx
  • docs/snippets/schemas/v3/index.schema.mdx
  • packages/schemas/src/v3/identityProvider.schema.ts
  • packages/schemas/src/v3/identityProvider.type.ts
  • packages/schemas/src/v3/index.schema.ts
  • packages/schemas/src/v3/index.type.ts
  • packages/web/src/app/login/components/loginForm.tsx
  • packages/web/src/ee/features/sso/sso.ts
  • packages/web/src/lib/posthogEvents.ts
  • packages/web/src/lib/utils.ts
  • schemas/v3/identityProvider.json

clientId,
clientSecret,
issuer,
allowDangerousEmailAccountLinking: env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true',

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Check the implementation of booleanSchema to understand its runtime type
ast-grep run --pattern 'const booleanSchema = $$$' packages/shared/src/env.server.ts

Repository: sourcebot-dev/sourcebot

Length of output: 247


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '150,220p' packages/web/src/ee/features/sso/sso.ts | cat -n

Repository: sourcebot-dev/sourcebot

Length of output: 3526


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '1,80p' packages/shared/src/env.server.ts | cat -n

Repository: sourcebot-dev/sourcebot

Length of output: 3511


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '160,215p' packages/web/src/ee/features/sso/sso.ts | cat -n

Repository: sourcebot-dev/sourcebot

Length of output: 2718


Compare AUTH_EE_GCP_IAP_ENABLED to 'true' explicitly.

booleanSchema stores booleans as 'true' | 'false', so env.AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING === 'true' is fine. The remaining bug is if (env.AUTH_EE_GCP_IAP_ENABLED) in packages/web/src/ee/features/sso/sso.ts:202, which treats 'false' as enabled.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/ee/features/sso/sso.ts` at line 175, Update the
AUTH_EE_GCP_IAP_ENABLED condition in the SSO flow to compare explicitly against
'true', matching the booleanSchema string representation. Leave the existing
AUTH_EE_ALLOW_EMAIL_ACCOUNT_LINKING comparison unchanged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant