Skip to content

fix: oidc multi-tenant discovery cache collision and site applications fallback#112

Open
aymericcousaert wants to merge 6 commits intomasterfrom
fix/oidc-multi-tenant-and-apps-fallback
Open

fix: oidc multi-tenant discovery cache collision and site applications fallback#112
aymericcousaert wants to merge 6 commits intomasterfrom
fix/oidc-multi-tenant-and-apps-fallback

Conversation

@aymericcousaert
Copy link
Copy Markdown
Collaborator

@aymericcousaert aymericcousaert commented Mar 25, 2026
edited
Loading

Summary

1. OIDC discovery cache collision (multi-tenant Azure AD)

The oidc-discovery cache in MongoDB used the provider ID (hostname-only slug) as key. Multiple Azure AD tenants share login.microsoftonline.com, so they got the same cache key — the first tenant's discovery content (authorization/token endpoints) was cached and reused for all others, redirecting users to the wrong tenant.

Fix: use the full discovery URL slug as cache key, without changing the provider ID — zero migration risk.

Site A → discovery: https://login.microsoftonline.com/TENANT_A/v2.0/.well-known/openid-configuration
Site B → discovery: https://login.microsoftonline.com/TENANT_B/v2.0/.well-known/openid-configuration

Before: both cached under key "loginmicrosoftonlinecom" → Site B gets Tenant A's endpoints → wrong SSO
After:  cached under full URL slug → separate cache entries per tenant → correct SSO

2. OAuth token cross-site collision

When the same user logs in on two sites that share the same OIDC provider hostname (e.g. same Azure AD tenant with different client apps), their oauth-tokens collided on the unique {user.id, provider.id} key — one overwrote the other, causing keepalive failures.

Fix: add site to the token storage key ({user.id, provider.id, site}). Backward compatible:

  • readOAuthToken falls back to site: null for legacy tokens without the field
  • writeOAuthToken with a site lazily migrates by deleting the legacy token
  • Index auto-migrated on startup (ensureIndex handles key conflict)
  • All queries use explicit null (not undefined) due to MongoDB ignoreUndefined: true

3. Applications merge

Global applications (from APPLICATIONS env var) are now always available as fallback. Site applications are checked first, then global. Previously, sites with any config (even without applications) could not access global ones, causing runner-gui OAuth to fail with "Unknown client_id" on secondary sites.

4. Application client ID editable

Removed readOnly constraint on the client ID field in site applications form.

Test plan

  • OIDC tests pass (2 tests)
  • OIDC core ID provider tests pass (1 test)
  • Test: global applications fallback when site has no applications
  • Test: merge global + site applications, site overrides on duplicate ID
  • Existing "reject invalid client_id" test still passes
  • Full test suite passes (81 tests)
  • Index auto-migration confirmed in test output: drop then recreate index oauth-tokens/oauth-tokens-key

@aymericcousaert
fix: oidc multi-tenant cache collision and site applications fallback
dfd1b6f 
- use full discovery URL path (not just hostname) for OIDC provider ID,
  fixing cache collisions when multiple Azure AD tenants share
  login.microsoftonline.com
- fall back to global APPLICATIONS config when a site has no applications
  defined, instead of only when there is no site at all
@github-actions github-actions bot added the fix label Mar 25, 2026
@github-actions github-actions bot added fix and removed fix labels Mar 25, 2026
@aymericcousaert
fix: merge global and site applications instead of fallback
0ed77de 
Site applications take priority on duplicate IDs, global applications
are always available as a base.
@github-actions github-actions bot added fix and removed fix labels Mar 25, 2026
@aymericcousaert
fix: add backward compat for coreIdProvider with old OIDC provider ID…
ea68250 
… format

Providers now expose a compatId (old hostname-only format) so that
existing user sessions with stored coreIdProvider references still
match after the ID format change.
@aymericcousaert
fix: replace provider ID change with discovery cache key fix
e04e58a 
Revert the getOidcProviderId format change (host+path) and its
incomplete compatId backward-compat layer. Instead, fix the actual
bug by decoupling the oidc-discovery cache key from the provider ID.

The cache now uses the full discovery URL slug as key, so Azure AD
multi-tenant providers on the same host get separate cache entries
without changing any stored provider IDs — zero migration risk.

Also fix pre-existing lint errors (func-call-spacing, deprecated
Vuetify classes).
@aymericcousaert aymericcousaert changed the title fix: oidc multi-tenant cache collision and site applications fallback fix: oidc multi-tenant discovery cache collision and site applications fallback Mar 30, 2026
@github-actions github-actions bot added fix and removed fix labels Mar 30, 2026
@aymericcousaert
fix: scope oauth tokens by site to prevent cross-site collision
7847e40 
When the same user logs in on two sites that share the same OIDC
provider hostname (e.g. same Azure AD tenant, different apps), their
oauth-tokens collided on the unique {user.id, provider.id} key.

Add site to the token storage key. Backward compatible:
- read falls back to site:null for legacy tokens without the field
- write with a site lazily migrates by deleting the legacy token
- index auto-migrated on startup (ensureIndex handles key conflict)
- all queries use explicit null (not undefined) due to ignoreUndefined
@github-actions github-actions bot added fix and removed fix labels Mar 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

fix

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@aymericcousaert