Skip to content

[feat] Add multi-organizations, verified domains, and sso providers #3372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jp-agenta merged 175 commits into from
Jan 16, 2026
Merged

[feat] Add multi-organizations, verified domains, and sso providers #3372

jp-agenta merged 175 commits into from
Jan 16, 2026

Conversation

@jp-agenta
Copy link
Member

@jp-agenta jp-agenta commented Jan 8, 2026
edited
Loading

Summary

This PR introduces a comprehensive authentication and authorization system centered on multi-organization support, domain verification, and enterprise SSO (OIDC). It adds new database schema and migrations, new OSS/EE services and API routes, updated SuperTokens integration, and a significant frontend rework for auth flows and organization settings.

The PR also ships extensive design documentation and manual test plans.

Change inventory (organized by area)

Data model and migrations

  • Add organization slug and cleanup migrations to normalize org data and flags.
  • Add SSO/OIDC tables and organization-scoped secrets.
  • Scope secrets and entities to organizations/projects in both OSS and EE migrations.
  • Expand organization metadata and flags used for policy enforcement.

Key files:

  • api/ee/databases/postgres/migrations/core/versions/12d23a8f7dde_add_slug_to_organizations.py
  • api/ee/databases/postgres/migrations/core/versions/59b85eb7516c_add_sso_oidc_tables.py
  • api/ee/databases/postgres/migrations/core/versions/a9f3e8b7c5d1_clean_up_organizations.py
  • api/ee/databases/postgres/migrations/core/versions/c3b2a1d4e5f6_add_secret_org_scope.py
  • api/oss/databases/postgres/migrations/core/versions/12d23a8f7dde_add_slug_to_organizations.py
  • api/oss/databases/postgres/migrations/core/versions/59b85eb7516c_add_sso_oidc_tables.py
  • api/oss/databases/postgres/migrations/core/versions/a9f3e8b7c5d1_clean_up_organizations.py
  • api/oss/databases/postgres/migrations/core/versions/c3b2a1d4e5f6_add_secret_org_scope.py

OSS backend

  • New centralized AuthService for discovery, policy enforcement, and session identity tracking.
  • New FastAPI auth endpoints for discovery, access checks, session identity updates, and SSO authorization (EE-only).
  • New SuperTokens configuration and recipe overrides for dynamic providers and payload management.
  • New users/identities DAOs and organization/user typed models.
  • Updates across services (auth, users, organizations, secrets, caching, env).

Key files:

  • api/oss/src/core/auth/service.py
  • api/oss/src/apis/fastapi/auth/router.py
  • api/oss/src/core/auth/supertokens/config.py
  • api/oss/src/core/auth/supertokens/overrides.py
  • api/oss/src/dbs/postgres/users/dao.py
  • api/oss/src/services/auth_service.py
  • api/oss/src/services/user_service.py
  • api/oss/src/utils/env.py

EE backend

  • New organization APIs, models, and DAO layers for domains and providers.
  • Expanded organization service logic, admin manager, and workspace manager behavior.
  • Organization access control, invitations cleanup, and policy enforcement updates.
  • Billing and subscription adjustments to account for org ownership and membership.

Key files:

  • api/ee/src/apis/fastapi/organizations/router.py
  • api/ee/src/dbs/postgres/organizations/dao.py
  • api/ee/src/services/organization_service.py
  • api/ee/src/routers/organization_router.py
  • api/ee/src/services/commoners.py

Frontend (OSS)

  • New or updated auth pages: email-first, OTP, social, email/password flows, and callback handling changes.
  • New organization settings UI, org lists in sidebar, org/project switching UX updates.
  • Updated auth/session hooks and API layers to support discovery and access checks.
  • New auth upgrade modal and settings page for organization-level policies.

Key files:

  • web/oss/src/pages/auth/[[...path]].tsx
  • web/oss/src/pages/auth/callback/[[...callback]].tsx
  • web/oss/src/components/pages/settings/Organization/index.tsx
  • web/oss/src/components/Sidebar/components/ListOfOrgs.tsx
  • web/oss/src/components/Sidebar/components/AuthUpgradeModal.tsx
  • web/oss/src/services/organization/api/index.ts

Docs and test assets

  • New design documents in docs/designs/advanced-auth.
  • Manual auth test suites and quick-start guides.
  • Updates to self-host docs and env examples.

Key files:

  • docs/designs/advanced-auth/*
  • api/ee/tests/manual/auth/*
  • docs/docs/self-host/01-quick-start.mdx
  • docs/docs/self-host/02-configuration.mdx
  • hosting/docker-compose/*/env.*.example

Behavior and policy changes

  • Auth discovery determines available methods per user email and org policy.
  • SSO enforcement requires both a verified domain and an active provider.
  • Session payloads now accumulate identity proofs for policy checks.
  • Organizations can restrict access by method and verified domains, with explicit error codes returned to the client when policy checks fail.

Risks and migration considerations

  • Multiple large schema/data migrations touch organizations, secrets, identities, and scoping. Migration order and data integrity are critical.
  • Auth behavior changes are broad (middleware, session payloads, and routing). Expect potential regressions for existing auth flows if configuration is incomplete.
  • New environment variables and docker examples need to be reflected in deployment tooling and runtime configs.
  • EE/OSS boundaries are more explicit; policy differences may surface in shared codepaths.

Suggested validation

  • Follow the manual auth test plans in api/ee/tests/manual/auth/README.md.
  • Validate discovery + access enforcement for mixed org memberships.
  • Verify domain verification and SSO login in EE with at least one provider.
  • Check org switching and settings UI for upgrade prompts and policy enforcement.

@jp-agenta
initial commit WIP
40a0c70
@jp-agenta
update lock
e330e69
@jp-agenta
fix cachetools
61267b4
@jp-agenta
ruff format and minor fixes
f720c46
@jp-agenta
fix migrations tree
244eb5c
@jp-agenta
clean up dependencies, add taskiq, remove celery
ff389fd
@jp-agenta
Fix spin up and sign up ongoing
1a26b4c
@jp-agenta
fixing default progress, overall still ongoing
e536872
@jp-agenta
with sperating auth methods and oss/ee constraints
45b743d
@jp-agenta
url invites when no transactional emails
2d9b2f8
@jp-agenta
fix anchor calculation in usage
c476998
@jp-agenta
Merge branch 'chore/batch-otlp' into chore/offline-agenta
51d59e6
@jp-agenta
apply ruff and fix env vars
2d1d0e0
@jp-agenta
apply ruff again
02bef8c
@jp-agenta
fix copy
1d3369a
@jp-agenta
initial PoC WIP
6107299
@jp-agenta
fixing social alone
68ba5b5
@jp-agenta
Merge branch 'release/v0.69.2' into chore/offline-agenta
fb56278
@jp-agenta
Merge branch 'chore/offline-agenta' into feat/sso-oidc
9249f2b
@jp-agenta
Merge branch 'chore/check-daytona-code-evaluator' into chore/offline-…
66f659b 
…agenta
@jp-agenta
Merge branch 'chore/offline-agenta' into feat/sso-oidc
302311f
@jp-agenta
WIP
e45eb17
@jp-agenta
Fixing fallbacks
bc51c35
@jp-agenta
fixing discovery, high level
11169f3
@jp-agenta
minor fixes to invites
e924b23
@jp-agenta
Extend OIDC to all SuperTokens built-in providers
db9ab10
@jp-agenta
fix sendgrid enabled conditions
627df12
@jp-agenta
try and simplify env files
9b45552
@jp-agenta
minor env example fix
3d6ead7
@jp-agenta
Merge branch 'chore/check-daytona-code-evaluator' into chore/offline-…
6a3ee5c 
…agenta
@mmabrouk
fix(frontend): fix auth upgrade flow regression and improve UI
319c781 
- Fix regression where auth methods were hidden during auth upgrade
- Show social auth buttons when auth upgrade is required
- Hide email-based flows during auth upgrade (user needs social/SSO)
- Move org switch and sign out options to bottom with cleaner layout
- Change 'workspace' to 'organization' in copy
- Fix unused variable lint error in SendOTP component
@mmabrouk mmabrouk force-pushed the feat/add-multi-orgs-domains-and-sso branch from 03d1686 to bb37034 Compare January 15, 2026 19:30
mmabrouk and others added 4 commits January 15, 2026 20:36
@mmabrouk
fix: resolve lint and prettier formatting issues
b8312bf
@mmabrouk
fix(api): invalidate entitlements cache on plan switch
2072758 
When a subscription plan is changed, the entitlements cache was not being
invalidated, causing the old plan's entitlements to remain in effect until
the cache expired or was manually cleared.

This fix adds cache invalidation for the 'entitlements:subscription' namespace
after any subscription event is processed, ensuring that plan changes take
effect immediately.
@jp-agenta
Merge pull request #3450 from Agenta-AI/fix/auth-upgrade-flow-regression
4556e5c 
fix(frontend): fix auth upgrade flow regression and improve UI
@jp-agenta
Merge pull request #3454 from Agenta-AI/fix/invalidate-entitlements-c…
abcb394 
…ache-on-plan-switch

fix(api): invalidate entitlements cache on plan switch
@jp-agenta jp-agenta merged commit 6ecdec5 into release/v0.78.0 Jan 16, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mmabrouk mmabrouk mmabrouk approved these changes

@ardaerzin ardaerzin Awaiting requested review from ardaerzin

@ashrafchowdury ashrafchowdury Awaiting requested review from ashrafchowdury

Assignees

No one assigned

Labels

Backend feature lgtm This PR has been approved by a maintainer size:XXL This PR changes 1000+ lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jp-agenta @mmabrouk