SSO Phase 4c: Block non-SSO logins by GregorShear · Pull Request #1936 · estuary/ui

GregorShear · 2026-03-23T22:21:23Z

Summary

Intercept sso_required:<domain> errors from Supabase auth to redirect users to their organization's SSO provider
Wraps all supabase fetch requests (specifically auth requests - both login and token refresh) and looks for sso-required errors
Adds a full-page interstitial (FullPageSSONotSatisfied) that explains SSO is required and provides a one-click redirect to the tenant's identity provider via signInWithSSO({ domain })

Test plan

Trigger sso_required error on OAuth login → interstitial appears, SSO redirect works
Trigger sso_required error on token refresh → interstitial appears
Normal login flows (no SSO requirement) are unaffected

travjenkins

A few more tweaks

GregorShear · 2026-04-02T22:58:38Z

+    };
+
+    return (
+        <FullPageDialog>


Really struggled to hide the avatar in the upper right - my understanding is that setUserDetails(null) should do it, but I think the authStateChange listener defined in User/index.tsx was restoring that value.

So anyway, I'm punting on that and using this FullPageDialog wrapper component that omits the top bar entirely. Let me know what you think.

@travjenkins

Yup - this is fine and what I expected the faster solution to be :D

GregorShear · 2026-04-02T23:02:42Z

+                // Remove the session directly from localStorage.
+                // We can't use supabaseClient.auth.signOut() here
+                // because the token refresh that triggered this
+                // interceptor holds Supabase's internal session
+                // lock, so calling signOut deadlocks and hangs.
+                localStorage.removeItem(supabaseStorageKey);


some more weirdness - need to remove the session from local storage to prevent retrying the token refresh request. Normally we'd do that with supabaseClient.auth.signOut(), but calling that in this function hangs, i think because supabase already has a lock on the session during the refresh cycle (which we are interrupting here).

another option would be to call signOut() in a useEffect in the SsoRequired component. I kinda like having the logic centralized here, though.

talked to travis - moving this to the SsoRequired useEffect and calling the actual signout() function

travjenkins

lgtm - we'll wanna keep an eye on 401 GQL calls but doubt that'll be an issue in prod

GregorShear changed the base branch from main to greg/invites_sso_redirect March 23, 2026 22:21

GregorShear force-pushed the greg/login-intercept branch 2 times, most recently from a45bea7 to c1680b6 Compare March 26, 2026 02:40

GregorShear force-pushed the greg/invites_sso_redirect branch 3 times, most recently from c331ea6 to 441e224 Compare March 26, 2026 03:34

GregorShear force-pushed the greg/login-intercept branch 2 times, most recently from 9a4e45c to bdafc04 Compare March 26, 2026 03:42

GregorShear force-pushed the greg/invites_sso_redirect branch 3 times, most recently from 6d98c48 to 6b39967 Compare March 26, 2026 04:53

GregorShear force-pushed the greg/login-intercept branch from bdafc04 to 5af80fe Compare March 26, 2026 15:38

GregorShear force-pushed the greg/invites_sso_redirect branch from 6b39967 to 6779097 Compare March 28, 2026 02:16

Base automatically changed from greg/invites_sso_redirect to greg/invites2 March 30, 2026 16:32

Base automatically changed from greg/invites2 to main March 31, 2026 15:11

GregorShear force-pushed the greg/login-intercept branch 6 times, most recently from 64b0b36 to 13bf542 Compare April 2, 2026 01:26

GregorShear commented Apr 2, 2026

View reviewed changes

Comment thread src/components/fullPage/SSONotSatisfied.tsx Outdated

GregorShear requested a review from travjenkins April 2, 2026 02:35

GregorShear marked this pull request as ready for review April 2, 2026 02:36

GregorShear requested a review from a team as a code owner April 2, 2026 02:37