SSO User Deduplication Plugin #11404

Merged
merged 3 commits into from
Mar 17, 2025

@flvndvd flvndvd commented Mar 17, 2025

Description

This PR adds a Poke plugin that handles duplicate user accounts created when SSO is enabled for a workspace. The plugin focuses on access consolidation rather than content migration.

🚗 also fixed https://github.com/dust-tt/tasks/issues/2400.

Plugin Behavior

For each email with duplicate active memberships in a workspace:

  1. Identifies the SSO-authenticated account (newer) and the original account (older)
  2. Archives and revokes the SSO account's membership
  3. Updates the original account to use SSO credentials
  4. Preserves all existing resources and permissions on the original account

Safety Features

  • Dry-run mode (execute=false) displays a detailed diff of planned changes
  • Only processes accounts with active memberships
  • Only processes duplicates where one account uses SSO authentication
  • Preserves original account's creation date and resources
  • Archives SSO accounts with timestamped auth0Sub for audit trail

Example Output (Dry Run)

{
  "changes": [
    {
      "email": "[email protected]",
      "ssoUser": {
        "id": 6,
        "createdAt": "2024-08-05T10:19:24.385Z",
        "auth0Sub": "okta|workspace-AgtPVuhCPc|00ufij23if7tzNmBU5d7",
        "provider": "okta"
      },
      "oldestUser": {
        "id": 1,
        "createdAt": "2024-07-16T07:53:54.824Z",
        "auth0Sub": "google-oauth2|110529292044773145778",
        "provider": "google"
      }
    }
  ]
}

Tests

Risk

Deploy Plan

@flvndvd flvndvd marked this pull request as ready for review March 17, 2025 12:01
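The plugin behaviour and safety features listed in the description above, sketched as a dry-run planner. This is an added example, not code from the PR or the Dust repository: the `Membership` shape, `planDedup`, the SSO provider list and the sample records are assumptions made for illustration. It also reports skipped emails and extra non-SSO accounts, the two cases raised in the review comments on this PR.

```typescript
// Added example with hypothetical names; not the Dust plugin's code.
type Membership = { userId: number; email: string; createdAt: string; auth0Sub: string; active: boolean };
type Change = { email: string; ssoUserId: number; keepUserId: number; newAuth0Sub: string; ignoredUserIds: number[] };
type Skip = { email: string; reason: string };
// Assumption: auth0Sub provider prefixes that are treated as SSO connections.
const SSO_PROVIDERS = new Set(["okta", "samlp", "waad"]);
const isSso = (m: Membership): boolean => SSO_PROVIDERS.has(m.auth0Sub.split("|")[0] ?? "");

function planDedup(memberships: Membership[]): { changes: Change[]; skipped: Skip[] } {
  const byEmail = new Map<string, Membership[]>();
  for (const m of memberships) {
    if (!m.active) continue; // only active memberships are processed
    const key = m.email.toLowerCase(); // assumption: emails compare case-insensitively
    byEmail.set(key, (byEmail.get(key) ?? []).concat(m));
  }
  const changes: Change[] = [];
  const skipped: Skip[] = [];
  byEmail.forEach((dupes, email) => {
    if (dupes.length < 2) return; // no duplicate for this email
    const sso = dupes.filter(isSso);
    const others = dupes.filter((m) => !isSso(m))
      .sort((a, b) => Date.parse(a.createdAt) - Date.parse(b.createdAt));
    const [ssoUser] = sso;
    const [oldest, ...rest] = others;
    if (!ssoUser || sso.length !== 1 || !oldest) {
      // Report the group instead of silently continuing, so a dry run shows it.
      skipped.push({ email, reason: `sso=${sso.length} nonSso=${others.length}` });
      return;
    }
    changes.push({
      email,
      ssoUserId: ssoUser.userId, // membership to archive and revoke
      keepUserId: oldest.userId, // original account keeps its resources
      newAuth0Sub: ssoUser.auth0Sub, // SSO credentials move to the original
      ignoredUserIds: rest.map((m) => m.userId), // extra non-SSO accounts, surfaced for review
    });
  });
  return { changes, skipped };
}

// Constructed sample data (not from a real workspace).
const SAMPLE: Membership[] = [
  { userId: 1, email: "a@example.com", createdAt: "2024-07-16T07:53:54Z", auth0Sub: "google-oauth2|u1", active: true },
  { userId: 6, email: "a@example.com", createdAt: "2024-08-05T10:19:24Z", auth0Sub: "okta|ws|u6", active: true },
  { userId: 2, email: "b@example.com", createdAt: "2024-02-01T00:00:00Z", auth0Sub: "google-oauth2|u2", active: true },
  { userId: 3, email: "b@example.com", createdAt: "2024-03-01T00:00:00Z", auth0Sub: "auth0|u3", active: true },
  { userId: 4, email: "c@example.com", createdAt: "2024-01-10T00:00:00Z", auth0Sub: "google-oauth2|u4", active: true },
  { userId: 5, email: "C@Example.com", createdAt: "2024-03-10T00:00:00Z", auth0Sub: "google-oauth2|u5", active: true },
  { userId: 7, email: "c@example.com", createdAt: "2024-09-01T00:00:00Z", auth0Sub: "okta|ws|u7", active: true },
];
```

Nothing is written here: the returned plan is what an `execute=false` run would display, and the `skipped` and `ignoredUserIds` entries are the parts an operator should read before re-running with `execute=true`.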

@aubin-tchoi aubin-tchoi left a comment

LGTM

ssoMembership.user?.id
);
if (!ssoUser) {
continue;
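Review bot: `ssoMembership.user?.id` can evaluate to undefined, and the `if (!ssoUser) { continue; }` that follows treats a membership with no attached user the same way as a lookup that found nothing. Both cases drop the email without a trace, so an operator reading the output cannot tell a clean run from one that skipped a broken record. Consider recording the email and a reason in the returned output before `continue`, so the skip is visible in both dry-run and execute mode.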
Contributor

nit: we could want to know that the even in dry mode

}

// Find oldest user (excluding SSO user).
const oldestMembership = dupes
Contributor

question: do we want to be informed if there are more than 1 other membership? There could be a case where for some reason we have 2 other ones and the auth0 sub is put on the wrong one

Contributor Author

I could push it in changes, but here we make the assumption that it can exist and the script on purpose ignores it.

@flvndvd flvndvd merged commit d9516ba into main Mar 17, 2025
6 checks passed
@flvndvd flvndvd deleted the flav/poke-plugin-merge-sso-users branch March 17, 2025 12:34
frankaloia pushed a commit that referenced this pull request Mar 17, 2025
* Add Poke plugin to merge duplicated users from SSO

* ✏️

* ✨