Allow for session to be associated with the specific account that was used

[kyle-at-stacks]

Goals

1. Be able to associate which account was used to create a particular session
2. Support environments in which account linking enables multiple simultaneous sessions for multiple accounts, on a single user
3. For the database session strategy

Non-Goals

No response

Background

My team currently has an AuthJS setup with the following characteristics:

• Uses the database session strategy in order to have full control over user logins / sessions, implemented with Postgres and Redis
• Allows for accountLinking since our user login flow can typically involve multiple different authentication methods
• Has multiple providers enabled, including Google, Microsoft, and now BoxyHQSaml to enable SSO

We are moving towards a multi-tenant SSO setup, which will mean that each company (internally) will have a specific SSO connection associated with it.

When a user signs in, we want to be able to know: "is the account that the user has signed in with from the same SSO connection that is configured for a company"?

This is needed in order to restrict access to a certain company based on the current login method, and vice versa.

The simplest extension to enable this with AuthJS would be to be able to know which account was used for a given session, so we can pass the accountId into our backend functions to determine which company a user has access to (or for any other reason).

This situation is of course unique to database sessions which allow for account linking, since we can't simply store which account is used on the user (due to multiple possible sessions).

I was not able to identify another way to make this work nicely given the existing setup, other than saving the accountId in a cookie, and setting it in the session callback.

Proposal

Allow an option in the NextAuth config (or enable by default) the createSession to accept the accountId in it's constructor. It is known at the time of the createSession (according to the handleLoginOrRegister function), and is not sensitive.

Alternative suggestions or solutions gladly appreciated. I would be willing to contribute if needed.