fix(auth): recover organizations from userinfo when a refresh has no id token#14
Merged
Merged
Conversation
…id token getAuth read the org claims only from the ID token, but Gatekeeper issues an id_token only at login, not on the refresh-token grant. So once a session's access token refreshed (~hourly), `organizations` went empty and every Omni dashboard (herald/backfeed/runa) showed "No workspaces yet" until re-login. Extract the userinfo hydration into a helper and also run it when the id token is absent (or carried no org claim), recovering orgs from the OIDC UserInfo endpoint with the access token. Per OIDC Core 5.3.2 the userinfo `sub` must match the session subject before its claims are trusted; a mismatch is rejected. Cached per subject (existing TTL) so it is not a per-request round-trip. 287 tests pass (incl. new no-id-token recovery + sub-mismatch rejection); tsc/biome/knip clean. Build isolated to build/auth; no jsxDEV.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
getAuthreads org claims only from the ID token, but Gatekeeper issues anid_tokenonly at login — not on the refresh-token grant. So once a session's access token refreshes (~hourly),organizationsgoes empty and every Omni dashboard (herald/backfeed/runa) shows "No workspaces yet" until the user re-logs in. (Same root as the sign-outid_token_hintgap.) Confirmed live on Herald.Fix
Extract the existing userinfo hydration into a helper and also run it when the ID token is absent (or carries no org claim), recovering organizations from the OIDC UserInfo endpoint with the access token — the standard OIDC mechanism (Core §5.3), already used here for slim tokens.
Security / spec
subMUST match the session subject before its claims are trusted; a mismatch is rejected (new test covers this).Testing
287 tests pass, incl. new no-id-token recovery and sub-mismatch rejection cases. tsc/biome/knip clean. Build diff isolated to
build/auth(+ core barrel re-export); nobuild/reactchurn, nojsxDEV.