feat: SSO configuration and auth method management (#2686)

* feat: add SSO configuration, auth method management, and domain-filtered login flows

Add end-to-end SSO support including:
- SSO provider configuration UI (SAML/OIDC via Okta, Entra, etc.)
- Auth method toggles (email-password, Google, per-SSO-provider)
- Domain-filtered method picker on login and invitation pages
- Auto-provisioning with pending-invitation precedence
- Members page extracted from settings with invitation management
- No-org page shows pending invitations for unauthenticated members
- UI guard preventing disabling all auth methods
- Auth lookup API for email-based org/method discovery

Made-with: Cursor

* feedback

* update cypress login

* feedback

* address UX feedback

* add missing tests

* fix test

* adjust sso config

Author: omar-inkeep

.changeset/melted-gray-lynx.md

@@ -0,0 +1,7 @@
+---
+"@inkeep/agents-core": minor
+"@inkeep/agents-api": minor
+"@inkeep/agents-manage-ui": minor
+---
+
+Add SSO configuration, auth method management, and domain-filtered login and invitation flows

.env.example

@@ -88,11 +88,6 @@ SPICEDB_PRESHARED_KEY=dev-secret-key
 # API bypass secret for local development and testing (skips auth)
 INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET=test-bypass-secret-for-ci
 
-# AUTH0_DOMAIN=
-# NEXT_PUBLIC_AUTH0_DOMAIN=
-# AUTH0_CLIENT_ID=
-# AUTH0_CLIENT_SECRET=
-
 # ========== SERVICE TOKENS ================
 # INKEEP_AGENTS_JWT_SIGNING_SECRET=
 

agents-api/__snapshots__/openapi.json

@@ -6193,6 +6193,7 @@
               "forbidden",
               "not_found",
               "conflict",
+              "too_many_requests",
               "internal_server_error",
               "unprocessable_entity"
             ],

agents-api/package.json

@@ -91,7 +91,6 @@
     "jmespath": "^0.16.0",
     "jose": "^6.1.0",
     "llm-info": "^1.0.69",
-    "openid-client": "^6.8.1",
     "pg": "^8.16.3",
     "undici": "^7.22.0",
     "workflow": "^4.2.0-beta.64"

agents-api/src/__tests__/auth.test.ts

@@ -1,9 +1,14 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
 
 // Hoist the mock functions
-const { getPendingInvitationsByEmailMock, listUserInvitationsMock } = vi.hoisted(() => ({
+const {
+  getPendingInvitationsByEmailMock,
+  listUserInvitationsMock,
+  getFilteredAuthMethodsForEmailMock,
+} = vi.hoisted(() => ({
   getPendingInvitationsByEmailMock: vi.fn(),
   listUserInvitationsMock: vi.fn(),
+  getFilteredAuthMethodsForEmailMock: vi.fn().mockResolvedValue([]),
 }));
 
 // Mock @inkeep/agents-core
@@ -12,6 +17,7 @@ vi.mock('@inkeep/agents-core', async (importOriginal) => {
   return {
     ...original,
     getPendingInvitationsByEmail: () => getPendingInvitationsByEmailMock,
+    getFilteredAuthMethodsForEmail: () => getFilteredAuthMethodsForEmailMock,
     createApiError: original.createApiError,
   };
 });

agents-api/src/__tests__/manage/routes/invitations.test.ts

@@ -1,6 +1,7 @@
 import { OpenAPIHono } from '@hono/zod-openapi';
 import { capabilitiesHandler } from '../../routes/capabilities';
 import type { ManageAppVariables } from '../../types/app';
+import authLookupRoutes from './routes/authLookup';
 import availableAgentsRoutes from './routes/availableAgents';
 import cliAuthRoutes from './routes/cliAuth';
 import githubRoutes from './routes/github';
@@ -25,6 +26,9 @@ export function createManageRoutes() {
   app.route('/api/users', usersRoutes);
   app.route('/api/users', userProfileRoutes);
 
+  // Mount auth lookup (email-first login flow)
+  app.route('/api/auth-lookup', authLookupRoutes);
+
   // Mount CLI auth routes - for CLI login flow
   app.route('/api/cli', cliAuthRoutes);
 

agents-api/src/domains/manage/index.ts

@@ -0,0 +1,105 @@
+import { createApiError, getAuthLookupForEmail } from '@inkeep/agents-core';
+import { Hono } from 'hono';
+import { HTTPException } from 'hono/http-exception';
+import runDbClient from '../../../data/db/runDbClient';
+import { getLogger } from '../../../logger';
+import type { ManageAppVariables } from '../../../types/app';
+
+const logger = getLogger('auth-lookup');
+
+const RATE_LIMIT_WINDOW_MS = 60_000;
+const RATE_LIMIT_MAX_REQUESTS = 20;
+const ipRequestTimestamps = new Map<string, number[]>();
+
+setInterval(() => {
+  const cutoff = Date.now() - RATE_LIMIT_WINDOW_MS;
+  for (const [ip, timestamps] of ipRequestTimestamps) {
+    const recent = timestamps.filter((t) => t > cutoff);
+    if (recent.length === 0) {
+      ipRequestTimestamps.delete(ip);
+    } else {
+      ipRequestTimestamps.set(ip, recent);
+    }
+  }
+}, RATE_LIMIT_WINDOW_MS);
+
+function getClientIp(c: { req: { header: (name: string) => string | undefined } }): string {
+  return (
+    c.req.header('x-forwarded-for')?.split(',')[0]?.trim() || c.req.header('x-real-ip') || 'unknown'
+  );
+}
+
+const authLookupRoutes = new Hono<{ Variables: ManageAppVariables }>();
+
+/**
+ * GET /api/auth-lookup?email=user@example.com
+ *
+ * Unauthenticated endpoint for the email-first login flow.
+ * Returns org-aware auth methods:
+ *  1. Checks SSO providers by email domain -> resolves org -> returns org's allowed methods (SSO filtered to domain-matched providers)
+ *  2. Checks existing user account -> resolves org membership -> returns org's allowed methods (SSO filtered to domain-matched providers)
+ *
+ * Returns empty organizations array if no match is found.
+ *
+ * Rate-limited per IP to mitigate email/org enumeration.
+ * organizationSlug is intentionally omitted from the response to minimize info disclosure.
+ */
+authLookupRoutes.get('/', async (c) => {
+  const clientIp = getClientIp(c);
+  const now = Date.now();
+  const timestamps = ipRequestTimestamps.get(clientIp) || [];
+  const recent = timestamps.filter((t) => t > now - RATE_LIMIT_WINDOW_MS);
+
+  if (recent.length >= RATE_LIMIT_MAX_REQUESTS) {
+    logger.warn({ clientIp, count: recent.length }, 'auth-lookup rate limit exceeded');
+    throw createApiError({
+      code: 'too_many_requests',
+      message: 'Too many requests. Please try again later.',
+    });
+  }
+
+  recent.push(now);
+  ipRequestTimestamps.set(clientIp, recent);
+
+  const email = c.req.query('email');
+
+  if (!email) {
+    throw createApiError({
+      code: 'bad_request',
+      message: 'Email parameter is required',
+    });
+  }
+
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  if (!emailRegex.test(email)) {
+    throw createApiError({
+      code: 'bad_request',
+      message: 'Invalid email format',
+    });
+  }
+
+  try {
+    const organizations = await getAuthLookupForEmail(runDbClient)(email);
+
+    const sanitized = organizations.map(({ organizationSlug: _slug, ...rest }) => rest);
+
+    logger.info(
+      { clientIp, emailDomain: email.split('@')[1], orgCount: organizations.length },
+      'auth-lookup completed'
+    );
+
+    return c.json({ organizations: sanitized });
+  } catch (error) {
+    if (error instanceof HTTPException) {
+      throw error;
+    }
+
+    logger.error({ clientIp, error }, 'auth-lookup failed');
+    throw createApiError({
+      code: 'internal_server_error',
+      message: 'Failed to look up authentication method',
+    });
+  }
+});
+
+export default authLookupRoutes;

agents-api/src/domains/manage/routes/authLookup.ts

@@ -1,6 +1,7 @@
 import {
   createApiError,
   getEmailSendStatus,
+  getFilteredAuthMethodsForEmail,
   getPendingInvitationsByEmail,
 } from '@inkeep/agents-core';
 import { Hono } from 'hono';
@@ -53,7 +54,7 @@ invitationsRoutes.get('/verify', async (c) => {
 
     // Find the specific invitation by ID
     const invitation = Array.isArray(invitations)
-      ? invitations.find((inv: { id: string }) => inv.id === invitationId)
+      ? invitations.find((inv) => inv.id === invitationId)
       : null;
 
     if (!invitation) {
@@ -82,7 +83,11 @@ invitationsRoutes.get('/verify', async (c) => {
       });
     }
 
-    // Return limited, safe information
+    const filteredMethods = await getFilteredAuthMethodsForEmail(runDbClient)(
+      invitation.organizationId,
+      email
+    );
+
     return c.json({
       valid: true,
       email: invitation.email,
@@ -91,6 +96,7 @@ invitationsRoutes.get('/verify', async (c) => {
       role: invitation.role,
       expiresAt: invitation.expiresAt,
       authMethod: invitation.authMethod || null,
+      allowedAuthMethods: filteredMethods,
     });
   } catch (error) {
     // Re-throw API errors (HTTPExceptions from createApiError)

agents-api/src/domains/manage/routes/invitations.ts

@@ -45,7 +45,7 @@ passwordResetLinksRoutes.post('/', async (c) => {
     headers: c.req.raw.headers,
   });
 
-  const isMember = result.members.some((m: { user: { email: string } }) => m.user.email === email);
+  const isMember = result.members.some((m) => m.user.email === email);
 
   if (!isMember) {
     throw createApiError({