fix(cli): Use device code flow for missing scope re-authentication #15074
🦋 Changeset detected

Latest commit: 4a3f5b3

The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
📦 CLI Tarball Ready

The Vercel CLI tarball for this PR is now available!

Quick Test

You can test this PR's CLI directly by running:

```
npx https://zero-config-hirdhvusb-uncurated-tests.vercel.app/tarballs/vercel.tgz --help
```

Use in vercel.json

To use this CLI version in your project builds, add to your vercel.json:

```json
{
  "build": {
    "env": {
      "VERCEL_CLI_VERSION": "vercel@https://zero-config-hirdhvusb-uncurated-tests.vercel.app/tarballs/vercel.tgz"
    }
  }
}
```
🧪 Unit Test Strategy

Comparing:

Strategy: Affected packages only

✅ Only testing packages that have been modified or depend on modified packages.

Affected packages - 1 (3%)
Unaffected packages - 39 (98%)
Results
This comment is automatically generated based on the affected testing strategy
mehulkar left a comment
stamping to get past code owners since Accounts team has already approved
…ope-in-device-code-flow
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

# Releases

## vercel@50.23.0

### Minor Changes

- [dev] allow to skip authentication and project linking for `vc dev` by setting `VERCEL_EXPERIMENTAL_DEV_SKIP_LINK` env var. ([#15122](#15122))
- [services] detect project root to prevent accidental setup of a service as a standalone project. ([#15187](#15187))

### Patch Changes

- Fix re-authentication for teams with missing scope to use the device code flow instead of the deprecated SSO redirect flow. ([#15074](#15074))
- Add CLI eval for vc env command ([#15118](#15118))
- Updated dependencies \[]:
  - @vercel/node@5.6.7

## @vercel/functions@3.4.3

### Patch Changes

- [functions] Revert "[functions] URL encode cache tags" ([#15213](#15213))

<!-- VADE_RISK_START -->
> [!NOTE]
> Low Risk Change
>
> This PR contains only version bumps and changelog updates from the Changesets release automation, with no actual code changes.
>
> - Deletes changeset markdown files consumed during release
> - Updates version numbers in package.json files (50.22.3→50.23.0, 3.4.2→3.4.3)
> - Adds changelog entries documenting previously merged changes
>
> <sup>Risk assessment for [commit 18f0132](https://github.com/vercel/vercel/commit/18f013287efb10cb34e666236f9e34f0c72d0c83).</sup>
<!-- VADE_RISK_END -->

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This PR is a follow up of #15074 and removes the dead code for the legacy SSO flow, as it is not used anymore.

<!-- VADE_RISK_START -->
> [!WARNING]
> High Risk Change
>
> This PR removes legacy SSO/SAML login flow code (oauth.ts, saml.ts, verify.ts, prompt.ts) which is dead code cleanup as stated, but removing authentication-related code paths warrants careful review to ensure the new flow fully replaces this functionality.
>
> - Deletes entire oauth.ts, saml.ts, verify.ts, and prompt.ts files handling legacy SSO login
> - Removes OAuth callback server, SAML login flow, and token verification logic
> - Adds CODEOWNERS entries for login/logout/teams paths to identity-and-access-management team
>
> <sup>Risk assessment for [commit c75fa98](https://github.com/vercel/vercel/commit/c75fa9884892abf45494adec0fbbbd03a0770f17).</sup>
<!-- VADE_RISK_END -->
If the user switches to a team using `vercel switch` which has SSO or MFA enforced and the user hasn't yet authorized the team, instead of redirecting them to the old SSO flow which is deprecated, now we will use the device code flow which supports passing the `team_id` query param that enforces the user to authorize the request before they can login.

Warning
High Risk Change
This PR changes the authentication flow for team re-authentication, replacing the deprecated SAML/SSO login flow with device code flow, which is a refactor of the auth mechanism that requires careful review to ensure the new flow properly enforces authorization.
Risk assessment for commit 794b171.
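
The device code flow named in the PR description, as an added example that is not part of the PR or of the Vercel CLI source. It shows how a client handles each RFC 8628 token-endpoint response while polling; the host, team id, sample responses, function names and the placement of `team_id` on the verification URL are assumptions.

```javascript
// Added example (not Vercel CLI code); host, team id, responses and names are constructed.

// URL the user opens in a browser. Assumption: team_id rides on the
// verification URL so the approval is tied to the team being switched to.
function buildVerificationUrl(verificationUri, userCode, teamId) {
  const url = new URL(verificationUri);
  url.searchParams.set('user_code', userCode);
  if (teamId) url.searchParams.set('team_id', teamId);
  return url.toString();
}

// Decide what to do with one token-endpoint response (RFC 8628 section 3.5).
function nextPollStep(intervalSec, response) {
  if (typeof response.access_token === 'string' && response.access_token) {
    return { done: true, token: response.access_token };
  }
  switch (response.error) {
    case 'authorization_pending': // user has not approved yet: keep polling
      return { done: false, intervalSec };
    case 'slow_down': // spec: add 5 seconds for this and all later polls
      return { done: false, intervalSec: intervalSec + 5 };
    default: // access_denied, expired_token, anything unknown: fail closed
      return { done: true, error: response.error || 'invalid_response' };
  }
}

// Drive the poll loop over a constructed response sequence with a simulated
// clock (no real sleeps); stops on its own deadline once expires_in is reached.
function simulate(deviceAuth, responses) {
  let intervalSec = deviceAuth.interval ?? 5; // RFC default when omitted
  let elapsedSec = 0;
  for (const response of responses) {
    elapsedSec += intervalSec;
    if (elapsedSec >= deviceAuth.expires_in) {
      return { done: true, error: 'expired_token', elapsedSec };
    }
    const step = nextPollStep(intervalSec, response);
    if (step.done) return { ...step, elapsedSec };
    intervalSec = step.intervalSec;
  }
  return { done: false, elapsedSec };
}

// Constructed run: pending, throttled, pending, then approved.
const demo = simulate({ interval: 5, expires_in: 600 }, [
  { error: 'authorization_pending' }, { error: 'slow_down' },
  { error: 'authorization_pending' }, { access_token: 'constructed-token' },
]);
console.log(buildVerificationUrl('https://auth.example.test/device', 'WDJB-MJHT', 'team_example'), demo);
```

Any response other than a token, `authorization_pending` or `slow_down` ends the flow, so a denied or expired approval never falls through to a logged-in state.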