
fix(sso): SSO callback redirect for non-admin users with team memberships#4777

Open
bogdanmariusc10 wants to merge 2 commits into main from 4770-sso-callback-redirect-to-admin-makes-platform_viewer-users-unable-to-use-sso-login

Conversation

@bogdanmariusc10 bogdanmariusc10 commented May 15, 2026

🔗 Related Issue

Closes #4770


📝 Summary

Fixes SSO callback redirect that was blocking non-admin users from accessing the platform. The SSO callback handler was unconditionally redirecting all authenticated users to /admin without a team_id parameter, which prevented the AdminAuthMiddleware from resolving team-scoped admin permissions.

The fix implements intelligent redirect logic:

  • Platform admins (is_admin=true): Redirect to /admin (unchanged behavior)
  • Non-admin users with teams: Redirect to /admin?team_id=<first_team_id> (enables team-scoped admin access)
  • Non-admin users without teams: Redirect to / (root page)
  • Error handling: Falls back to /admin if team retrieval fails

This enables team members with admin.* permissions to access the admin UI in their team context, and provides appropriate landing pages for regular users (platform_viewer, developer, etc.).


🏷️ Type of Change

  • Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below)

🧪 Verification

| Check          | Command       | Status  |
|----------------|---------------|---------|
| Lint suite     | make lint     | ✅ Pass |
| Unit tests     | make test     | ✅ Pass |
| Coverage ≥ 80% | make coverage | ✅ Pass |

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • Tests added/updated for changes
  • Documentation updated (if applicable)
  • No secrets or credentials committed

📓 Notes

Implementation Details

Modified: mcpgateway/routers/sso.py (lines 402-440)

  • Added JWT token decoding to determine user admin status
  • Added TeamManagementService integration to retrieve user teams
  • Implemented conditional redirect logic based on admin status and team membership
  • Added comprehensive error handling with logging

Test Coverage: tests/unit/mcpgateway/routers/test_sso_router.py

  • Updated 3 existing tests to use valid JWT tokens with admin status
  • Added 4 new tests covering all redirect scenarios:
    • test_handle_sso_callback_non_admin_with_team_redirects_to_team - Non-admin user with team membership redirects to team-scoped admin
    • test_handle_sso_callback_non_admin_no_teams_redirects_to_root - Non-admin user without teams redirects to root page
    • test_handle_sso_callback_team_service_error_falls_back_to_admin - Team service error falls back to /admin redirect
    • test_handle_sso_callback_invalid_jwt_falls_back_to_user_info - Invalid JWT token triggers exception handler and falls back to user_info

Test Results: All 50 SSO router tests passing ✅

Impact

Before: Only platform admins could successfully use SSO login. Non-admin users were redirected to /admin without team_id, causing a 403 error.

After:

  • ✅ Platform admins continue to work as before
  • ✅ Team admins with admin.* permissions can now access via SSO
  • ✅ Regular users are redirected to appropriate landing pages
  • ✅ All SSO providers benefit (Okta, Google, GitHub, Keycloak, Entra, ADFS, Generic OIDC)

Backwards Compatibility

The fix is fully backwards compatible:

  • Platform admins experience no change in behavior
  • Non-admin users who previously couldn't log in via SSO can now do so
  • Error handling ensures graceful degradation if team retrieval fails

Resolves #4770
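The four-way redirect rule described above, written out as an added example; this is not the PR's own code and does not come from mcp-context-forge. It assumes an HS256-signed session token with `is_admin` and `sub` claims, a constructed `SIGNING_KEY`, a `TeamLookupError` stand-in for any team-retrieval failure, and, because the page does not show what the `user_info` fallback contains, it treats an unverifiable token as non-admin and falls back to `user_info["email"]` as the team lookup subject.

```python
# Added illustration of PR #4777's redirect rule, not mcp-context-forge code. HS256
# mint/verify helpers, TeamLookupError and SIGNING_KEY are constructed so it runs offline.
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, List
from urllib.parse import urlencode

SIGNING_KEY = b"constructed-demo-key"  # placeholder, never a real secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def mint_jwt_hs256(claims: Dict, key: bytes = SIGNING_KEY) -> str:
    """Build a compact HS256 JWT so the redirect rule can be exercised offline."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def decode_jwt_hs256(token: str, key: bytes = SIGNING_KEY) -> Dict:
    """Return claims only after the signature verifies; raise ValueError otherwise."""
    head, body, sig = token.split(".")  # ValueError on malformed input
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust a self-declared algorithm
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")  # is_admin is only read from a verified token
    return json.loads(_unb64url(body))

class TeamLookupError(Exception):
    """Constructed stand-in for a failure while retrieving the user's teams."""

def choose_redirect(token: str, user_info: Dict, get_teams: Callable[[str], List[str]]) -> str:
    """Post-SSO landing page per the PR's four cases; AdminAuthMiddleware still authorizes it."""
    try:
        claims = decode_jwt_hs256(token)
    except ValueError:
        claims = {}  # assumption: an unverifiable token is treated as non-admin
    if claims.get("is_admin") is True:
        return "/admin"  # platform admin: unchanged behaviour
    try:  # assumed fallback to user_info when the token carries no subject
        teams = get_teams(claims.get("sub") or user_info.get("email", ""))
    except TeamLookupError:
        return "/admin"  # team retrieval failed: fall back to /admin
    return "/admin?" + urlencode({"team_id": teams[0]}) if teams else "/"  # first team or root
```

The `team_id` is passed through `urlencode` so a team identifier containing reserved characters cannot alter the query string; the redirect only selects a landing page, and the middleware's permission check remains the authorization boundary.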

The SSO callback handler was unconditionally redirecting all authenticated
users to /admin without a team_id parameter. This prevented non-admin users
from accessing the platform via SSO, as the AdminAuthMiddleware requires
either platform admin status or team-scoped admin permissions (which need
a team_id query parameter).

Changes:
- Modified SSO callback to decode JWT and check user admin status
- Platform admins: redirect to /admin (unchanged behavior)
- Non-admin users with teams: redirect to /admin?team_id=<first_team_id>
- Non-admin users without teams: redirect to / (root)
- Added error handling with fallback to /admin

This enables team-scoped admin access for users with admin.* permissions
and provides appropriate landing pages for regular users.

Tests:
- Updated existing tests to use valid JWT tokens with admin status
- Added test for non-admin user with team (team-scoped redirect)
- Added test for non-admin user without teams (root redirect)
- Added test for team service error (fallback to /admin)
- All 49 SSO router tests passing

Signed-off-by: Bogdan-Marius-Catanus <[email protected]>
@bogdanmariusc10 bogdanmariusc10 added the rbac Role-based Access Control label May 15, 2026
@bogdanmariusc10 bogdanmariusc10 added the SHOULD P2: Important but not vital; high-value items that are not crucial for the immediate release label May 15, 2026
@bogdanmariusc10 bogdanmariusc10 added the api REST API Related item label May 15, 2026
Adds test case for invalid JWT token to cover exception handler
(lines 412-415) that falls back to user_info when token decode fails.

This brings diff coverage to 96% (24/25 lines covered).

Signed-off-by: Bogdan-Marius-Catanus <[email protected]>
Development

Successfully merging this pull request may close these issues.

SSO callback redirect to /admin makes platform_viewer users unable to use SSO login