
fix: oauth and sso hardening and behavior consistency (h-batch-5) #3114

Merged

crivetimihai merged 10 commits into main from h-batch-5 on Feb 23, 2026

Conversation

@crivetimihai (Member) commented Feb 23, 2026

Summary

Batch 5 OAuth/SSO hardening for tracked high-priority items.

Resolved Items

  • O-02 Cross-User OAuth Token Reuse

    • Resource invocation now looks up authorization_code tokens using the calling user identity only.
    • Removed service-account/platform-admin token fallback in this path.
  • O-03 SSO Account via Email

    • SSO login no longer auto-links an existing account to a different auth provider.
    • Existing accounts with mismatched provider require explicit linking flow.
    • Added deny-by-default handling for explicit unverified email claims from IdP user info.
  • O-04 SSO Admin Approval

    • Expired pending approvals no longer fall through to account creation.
    • Expired approvals are marked/renewed as pending and remain blocked until explicit admin action.
    • Unknown approval statuses now fail closed.
  • O-06 SSO Scope Change

    • Requested SSO scopes are normalized and constrained to provider policy.
    • Enforced subset/intersection behavior against configured provider scopes (and optional metadata allowlist).
    • Invalid requested scopes now return HTTP 400.
  • O-11 Authorization Code Fallback to client_credentials

    • Removed authorization_code to client_credentials fallback in OAuthManager.get_access_token.
    • authorization_code now requires explicit interactive consent flow and raises on non-interactive usage.
  • O-14 SSO State Not Session-Bound (Login CSRF)

    • SSO state is now session-bound via HMAC and verified against browser session binding.
    • Login sets sso_session_id cookie; callback requires matching binding to proceed.
  • O-16 OAuth authorize/status Lacks Ownership Checks

    • Added centralized gateway access enforcement for OAuth authorize/status endpoints.
    • Enforces token scope ownership checks plus visibility/team/owner/admin rules consistently.

Verification-Only Item (Intentionally Not Marked Resolved)

  • O-15 OAuth fetch-tools Lacks RBAC
    • Re-validated endpoint-level permission enforcement and scoped ownership checks.
    • Added targeted regression coverage to prevent permission/ownership regressions.
    • Tracker status remains NEEDS DEVELOPER VERIFICATION per batch requirement.

Notes

  • Updated SSO docs to reflect session-bound callback behavior and scope enforcement.
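Worked example of the O-03 and O-04 callback decisions described above (no silent auto-link across providers, explicit unverified email claims denied by default, expired pending approvals renewed rather than falling through to account creation, unknown approval statuses failing closed). This is an added illustration, not code from this PR or from the project; the Decision names, record shapes, status strings and the 7-day renewal window are assumptions.

```python
"""SSO callback account resolution, fail-closed (added example, not project code).

Assumptions, not taken from the project: the Decision names, the record
shapes, the status strings and the 7-day approval renewal window.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple

APPROVAL_TTL = timedelta(days=7)  # assumption: how long a renewed pending approval stays open
NOW = datetime(2026, 2, 23, 0, 0, tzinfo=timezone.utc)  # constructed reference time for the demo


class Decision(Enum):
    LOGIN = "login"                                     # existing account on the same provider
    CREATE = "create_account"                           # approved, or approval not required
    BLOCKED_PENDING = "blocked_pending_approval"        # waits for explicit admin action
    BLOCKED_REJECTED = "blocked_rejected"
    DENY_UNVERIFIED_EMAIL = "deny_unverified_email"
    DENY_PROVIDER_MISMATCH = "deny_provider_mismatch"   # account exists under another provider; explicit link flow required
    DENY_UNKNOWN_STATUS = "deny_unknown_approval_status"


@dataclass
class IdpUserInfo:
    provider: str
    email: str
    email_verified: Optional[bool]  # None: IdP sent no claim; False: explicitly unverified


@dataclass
class Account:
    email: str
    auth_provider: str


@dataclass
class Approval:
    email: str
    status: str          # "pending" | "approved" | "rejected"; anything else fails closed
    expires_at: datetime


def resolve_sso_login(
    info: IdpUserInfo,
    existing: Optional[Account],
    approval: Optional[Approval],
    now: datetime,
    require_admin_approval: bool = True,
) -> Tuple[Decision, Optional[Approval]]:
    """Return the decision and the (possibly created or renewed) approval record."""
    # O-03: an IdP that explicitly says the email is unverified is denied by default.
    if info.email_verified is False:
        return Decision.DENY_UNVERIFIED_EMAIL, approval

    if existing is not None:
        # O-03: a matching email is not enough to link an account to a different provider.
        if existing.auth_provider != info.provider:
            return Decision.DENY_PROVIDER_MISMATCH, approval
        return Decision.LOGIN, approval

    if not require_admin_approval:
        return Decision.CREATE, approval

    if approval is None:
        # First sight of this identity: open a pending approval and block.
        return Decision.BLOCKED_PENDING, Approval(info.email, "pending", now + APPROVAL_TTL)

    if approval.status == "approved":
        return Decision.CREATE, approval
    if approval.status == "rejected":
        return Decision.BLOCKED_REJECTED, approval
    if approval.status == "pending":
        # O-04: an expired pending approval is renewed and stays blocked; it never
        # turns into "no approval on file, go ahead and create the account".
        if approval.expires_at <= now:
            approval.expires_at = now + APPROVAL_TTL
        return Decision.BLOCKED_PENDING, approval

    # O-04: any status this code does not recognise fails closed.
    return Decision.DENY_UNKNOWN_STATUS, approval


if __name__ == "__main__":
    info = IdpUserInfo("github", "dev@example.com", True)
    stale = Approval("dev@example.com", "pending", NOW - APPROVAL_TTL)
    decision, renewed = resolve_sso_login(info, None, stale, NOW)
    print(decision, renewed.expires_at.isoformat())
```

The ordering matters: the unverified-email check runs before the account lookup so that an IdP claim cannot be used to reach an existing account at all, and the status checks enumerate the accepted values so a new or mistyped status blocks rather than admits.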

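Worked example of the O-06 scope handling described above (requested scopes normalized, constrained to the provider's configured scopes intersected with an optional metadata allowlist, and scopes outside that set answered with HTTP 400). This is an added illustration, not code from this PR or the project; the ProviderScopePolicy shape, the handler sketch and the strict reject-on-unknown-scope policy are assumptions.

```python
"""Scope normalization and provider policy enforcement (added example, not project code).

Assumptions, not taken from the project: the ProviderScopePolicy shape,
the 400 status carried on ScopeError, and rejecting (rather than silently
dropping) any requested scope outside the permitted set.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple, Union


class ScopeError(Exception):
    """Requested scopes fall outside provider policy; rendered as HTTP 400."""

    status_code = 400

    def __init__(self, invalid: List[str], permitted: Iterable[str]):
        self.invalid = list(invalid)
        self.permitted = sorted(permitted)
        super().__init__(f"scopes not permitted for this provider: {' '.join(self.invalid)}")


@dataclass(frozen=True)
class ProviderScopePolicy:
    name: str
    configured_scopes: FrozenSet[str]            # scopes the provider entry was registered with
    allowlist: Optional[FrozenSet[str]] = None   # optional metadata allowlist narrowing them further

    def permitted(self) -> FrozenSet[str]:
        # Intersection: the allowlist can only narrow what was configured, never widen it.
        if self.allowlist is None:
            return self.configured_scopes
        return self.configured_scopes & self.allowlist


def normalize_scopes(raw: Union[str, Iterable[str], None]) -> List[str]:
    """Split space-delimited input (RFC 6749 section 3.3), drop empties,
    de-duplicate preserving order. Case is preserved on purpose: scope
    names are case-sensitive, so "Read:User" is not "read:user"."""
    if raw is None:
        return []
    items = [raw] if isinstance(raw, str) else list(raw)
    seen, out = set(), []
    for item in items:
        for part in str(item).split():
            if part not in seen:
                seen.add(part)
                out.append(part)
    return out


def resolve_scopes(requested: Union[str, Iterable[str], None], policy: ProviderScopePolicy) -> List[str]:
    """Scopes to send to the IdP: an empty request means the provider's permitted
    set; otherwise every requested scope must lie inside it, else ScopeError."""
    permitted = policy.permitted()
    req = normalize_scopes(requested)
    if not req:
        return sorted(permitted)
    invalid = [s for s in req if s not in permitted]
    if invalid:
        raise ScopeError(invalid, permitted)
    return req


def handle_login_request(query_scope: Optional[str], policy: ProviderScopePolicy) -> Tuple[int, Dict[str, str]]:
    """Framework-agnostic sketch of the scope step in an SSO login handler (assumed shape)."""
    try:
        scopes = resolve_scopes(query_scope, policy)
    except ScopeError as exc:
        return exc.status_code, {"detail": str(exc)}
    return 200, {"scope": " ".join(scopes)}


# Constructed sample policy: registered with three scopes, allowlist narrows to two.
GITHUB = ProviderScopePolicy(
    "github",
    frozenset({"read:user", "user:email", "read:org"}),
    allowlist=frozenset({"read:user", "user:email"}),
)

if __name__ == "__main__":
    print(handle_login_request("user:email", GITHUB))
    print(handle_login_request("read:org", GITHUB))   # configured but not allowlisted -> 400
```

Note that "read:org" is rejected even though the provider was configured with it: the allowlist is applied as an intersection, so metadata can only remove scopes a caller may request.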
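Worked example of the O-14 session binding described above: the login endpoint mints a browser session id (set as the sso_session_id cookie) and an HMAC-bound state, and the callback accepts the state only when the MAC verifies against the cookie presented by the same browser, so a state minted in an attacker's browser cannot complete a login in the victim's. This is an added illustration, not code from this PR or the project; the state wire format, cookie name and TTL are assumptions.

```python
"""Session-bound SSO login state (added example, not project code).

Assumptions, illustrative rather than taken from the project: the state
wire format "<nonce>.<issued_at>.<mac>", the cookie name sso_session_id
and the 10-minute TTL.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

STATE_TTL_SECONDS = 600  # assumption: lifetime of one login attempt


class StateError(Exception):
    """Callback state rejected: wrong browser session or provider, expired, or malformed."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _mac(secret: bytes, session_id: str, provider: str, nonce: str, issued_at: int) -> str:
    # The MAC covers the browser session id, so a state minted in one browser cannot
    # be completed in another (login CSRF), and the provider, so a state minted for
    # one IdP cannot be replayed against another provider's callback.
    msg = f"{session_id}\x00{provider}\x00{nonce}\x00{issued_at}".encode()
    return _b64(hmac.new(secret, msg, hashlib.sha256).digest())


def begin_login(secret: bytes, provider: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Login endpoint: mint the session id (to be set as the sso_session_id cookie)
    and the bound OAuth state to send to the IdP."""
    issued_at = int(time.time() if now is None else now)
    session_id = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(16)  # urlsafe alphabet never contains "."
    state = f"{nonce}.{issued_at}.{_mac(secret, session_id, provider, nonce, issued_at)}"
    return session_id, state


def verify_callback(secret: bytes, provider: str, state: str,
                    cookie_session_id: Optional[str], now: Optional[float] = None) -> str:
    """Callback endpoint: return the nonce if the state is bound to this browser
    session and provider and has not expired; raise StateError otherwise."""
    if not cookie_session_id:
        raise StateError("missing sso_session_id cookie")
    try:
        nonce, issued_at_str, mac = state.split(".")
        issued_at = int(issued_at_str)
    except ValueError as exc:
        raise StateError("malformed state") from exc
    current = int(time.time() if now is None else now)
    age = current - issued_at
    if age < 0 or age > STATE_TTL_SECONDS:
        raise StateError("state expired")
    expected = _mac(secret, cookie_session_id, provider, nonce, issued_at)
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        raise StateError("state is not bound to this browser session/provider")
    return nonce


def is_accepted(secret: bytes, provider: str, state: str,
                cookie_session_id: Optional[str], now: Optional[float] = None) -> bool:
    """Boolean wrapper around verify_callback for the scenarios below."""
    try:
        verify_callback(secret, provider, state, cookie_session_id, now)
        return True
    except StateError:
        return False


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    victim_cookie, _ = begin_login(key, "github", now=1_000)
    # Login CSRF attempt: the attacker starts a login in their own browser and hands
    # the resulting callback URL (their state) to the victim, whose cookie differs.
    _, attacker_state = begin_login(key, "github", now=1_000)
    print("attacker state in victim browser:",
          is_accepted(key, "github", attacker_state, victim_cookie, now=1_100))
```

Because the binding lives in the MAC, the server keeps no per-login state; the cookie must still be set with HttpOnly, Secure and a SameSite value that survives the top-level redirect back from the IdP (Lax).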
@crivetimihai crivetimihai changed the title from "fix: oauth and sso hardening and behavior consistency (O-02 O-03 O-04 O-06 O-11 O-14 O-16)" to "fix: oauth and sso hardening and behavior consistency (h-batch-5)" Feb 23, 2026
@crivetimihai crivetimihai self-assigned this Feb 23, 2026
@crivetimihai crivetimihai added the labels "security" (Improves security) and "revisit" (Revisit this PR at a later date to address further issues, or if problems arise) Feb 23, 2026
@crivetimihai crivetimihai added this to the Release 1.0.0-GA milestone Feb 23, 2026
@crivetimihai crivetimihai merged commit 5a51f10 into main Feb 23, 2026
49 checks passed
@crivetimihai crivetimihai deleted the h-batch-5 branch February 23, 2026 03:29
vishu-bh pushed a commit that referenced this pull request Feb 24, 2026

* fix: oauth grant handling hardening and behavior consistency (O-11)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: sso flow validation hardening and behavior consistency (O-03 O-04 O-06 O-14)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: oauth access enforcement hardening and behavior consistency (O-02 O-15 O-16)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* chore: auth lint compliance hardening and behavior consistency

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* docs: rc2 changelog and sso approval flow consistency

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: oauth status request-context hardening (O-16)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* test: expand oauth and sso hardening regression coverage

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: github sso email-claim handling and regression coverage

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: oauth fetch-tools access hardening (O-15)

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Update tests

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
1 participant