feat(webapp): Directory Sync (SCIM) for Identity & Access #4148
🦋 Changeset detected
Latest commit: eae6a92
The changes in this PR will be included in the next version bump. This PR includes changesets to release 28 packages.
Walkthrough
This PR adds WorkOS Directory Sync (SCIM) support to the SSO plugin contract and webapp. New directory sync types and controller methods are added, fallback and lazy controller implementations are extended, and webhook processing now returns host membership effects. The webapp applies those effects, blocks manual membership changes when directory-managed membership is enforced, and adds Directory Sync configuration controls to the SSO settings page.
🚥 Pre-merge checks | ✅ 4 | ❌ 1
❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
4a57f15 to 3cba6af
3cba6af to 0043359
0043359 to c485cab
3571991 to 99c84ab
99c84ab to 395c60b
Extend the SSO plugin contract for directory sync and apply membership effects from the accounts webhook worker: provision users in mapped groups (role from group mapping, else the org default role), deprovision on removal, and keep a sticky-removal tombstone so JIT never silently re-adds a removed user. JIT and Directory Sync coexist; roles default to Developer (the JIT default-role picker has no 'None'). Changing a group's role in the dashboard re-applies it to that group's current members immediately. The Directory Sync settings section (group→role mapping, external-domain + manual-membership policy, deferred Save) appears once a domain is verified — independent of SSO — gated by the hasSso flag. The settings page polls the whole page while entitled with override-aware drafts so in-progress edits are never clobbered.
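The membership rules this commit message describes (role from the group mapping with the org default as fallback, deprovision on removal, and a sticky-removal tombstone that the JIT path checks), as an added TypeScript example that is not code from this PR or from trigger.dev. All names (`OrgMembership`, `Effect`, `applyEffect`, `jitJoin`, the sample group and user ids) are hypothetical; it assumes a provision effect carries the user's group ids, that a user in no mapped group is not provisioned, and that an explicit directory re-provision lifts the tombstone.

```typescript
// Added illustration; hypothetical names, not trigger.dev's schema or plugin contract.
type Role = "Admin" | "Developer";
type Effect =
  | { kind: "provision"; userId: string; groupIds: string[] }
  | { kind: "deprovision"; userId: string };
class OrgMembership {
  members = new Map<string, Role>();
  tombstones = new Set<string>(); // users removed by directory sync
  groupRoles: Map<string, Role | null>; // mapped group -> role (null = no role chosen)
  defaultRole: Role;
  constructor(groupRoles: Map<string, Role | null>, defaultRole: Role = "Developer") {
    this.groupRoles = groupRoles;
    this.defaultRole = defaultRole;
  }

  // Apply one membership effect produced by directory-sync webhook processing.
  applyEffect(e: Effect): void {
    if (e.kind === "deprovision") {
      this.members.delete(e.userId);
      this.tombstones.add(e.userId); // sticky: outlives the membership row
      return;
    }
    const mapped = e.groupIds.filter((g) => this.groupRoles.has(g));
    if (mapped.length === 0) return; // assumption: unmapped groups grant nothing
    const role = mapped.map((g) => this.groupRoles.get(g)).find((r) => r != null);
    this.members.set(e.userId, role ?? this.defaultRole);
    this.tombstones.delete(e.userId); // assumption: explicit re-add lifts the tombstone
  }

  // JIT path at SSO login: returns the role, or null when the join is refused.
  jitJoin(userId: string): Role | null {
    const existing = this.members.get(userId);
    if (existing !== undefined) return existing;
    if (this.tombstones.has(userId)) return null; // never silently re-add
    this.members.set(userId, this.defaultRole);
    return this.defaultRole;
  }
}

// Constructed sample: one user provisioned, removed, then re-added by the directory.
function demo(): { first: Role | null; afterRemoval: Role | null; afterReadd: Role | null } {
  const org = new OrgMembership(new Map<string, Role | null>([["g-eng", "Admin"], ["g-ops", null]]));
  org.applyEffect({ kind: "provision", userId: "u1", groupIds: ["g-eng"] });
  const first = org.jitJoin("u1");
  org.applyEffect({ kind: "deprovision", userId: "u1" });
  const afterRemoval = org.jitJoin("u1");
  org.applyEffect({ kind: "provision", userId: "u1", groupIds: ["g-ops"] });
  return { first, afterRemoval, afterReadd: org.jitJoin("u1") };
}
```

Without the tombstone check in `jitJoin`, the second login in `demo()` would put the deprovisioned user back at the default role.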
395c60b to eae6a92