
Conversation

dantovska (Contributor) commented Dec 8, 2025

What

Fix SSO login issue where users cannot log in to Redis Cloud using SSO authentication. The login request was returning a 400 error because the required "Sm-Id-Token" header was missing.

  • Add idToken field to CloudSession model and ICloudApiCredentials interface
  • Store id_token from OAuth/Okta token response in session after authentication
  • Persist idToken in session during token renewal to ensure header continues to work after token refresh
  • Add "Sm-Id-Token" header to all API requests when idToken is present
  • Header is automatically included for all auth types (Google, GitHub, SSO) when idToken exists
  • Header logic moved to centralized getHeaders method for consistency

Testing

  1. SSO Login Flow:

    • Initiate SSO login from Redis Insight
    • Complete Okta authentication
    • Verify login succeeds without 400 error
    • Verify "Sm-Id-Token" header is included in login request
  2. Token Renewal:

    • Verify idToken is persisted in session when token is renewed
    • Verify "Sm-Id-Token" header continues to work after token refresh
    • Test with renewal response that includes id_token (should update session)
    • Test with renewal response that doesn't include id_token (should handle gracefully)
  3. Other Auth Types (Regression):

    • Test Google OAuth login (should work with or without idToken)
    • Test GitHub OAuth login (should work with or without idToken)
    • Verify existing authentication flows continue to work
  4. Edge Cases:

    • Test with missing id_token in OAuth response (should handle gracefully)
    • Verify header is only added when idToken is present

Technical Details

Implementation:

  • idToken is stored in encrypted session after OAuth token exchange
  • idToken is persisted during token renewal (overwritten from renewal response if present)
  • "Sm-Id-Token" header is added in CloudApiProvider.getHeaders() method
  • Header is included automatically for all API requests that use credentials with idToken
  • All changes are backward compatible (optional fields)

Files Changed:

  • cloud-session.ts: Added idToken field to model
  • api.interface.ts: Added idToken field to interface
  • cloud-auth.service.ts: Store id_token from token response and persist during renewal
  • cloud.api.provider.ts: Add "Sm-Id-Token" header when idToken exists
  • Test files: Updated mocks and added test cases for callback and token renewal

Closes #RI-7793


Note

Adds idToken handling and Sm-Id-Token header to fix SSO login, persisting idToken across token renewals.

  • Auth/Session:
    • Store id_token from OAuth callback and during token renewal in session (cloud-auth.service.ts), tolerating missing id_token.
    • Extend models to include idToken (CloudSession, ICloudApiCredentials).
  • API Provider:
    • Add Sm-Id-Token header when idToken is present (cloud.api.provider.ts).
  • Tests/Mocks:
    • Update mocks and add cases for idToken storage, renewal, and header generation (cloud-auth.service.spec.ts, cloud.api.provider.spec.ts, __mocks__).

Written by Cursor Bugbot for commit ab4eaab. This will update automatically on new commits.

cursor bot left a comment

Bug: Token renewal does not update idToken for SSO

The renewTokens method stores the new accessToken and refreshToken from the OAuth response but does not include idToken from data.id_token. The initial callback method was correctly updated to store idToken, but renewTokens was missed. When tokens are renewed, if the OAuth provider returns a new id_token, it gets discarded. Since the Sm-Id-Token header requires the idToken for SSO authentication, this could cause SSO login failures after token renewal when the original idToken expires.

redisinsight/api/src/modules/cloud/auth/cloud-auth.service.ts#L344-L351

await this.sessionService.updateSessionData(sessionMetadata.sessionId, {
  accessToken: data.access_token,
  refreshToken: data.refresh_token,
  idpType,
  csrf: null,
  apiSessionId: null,
});



github-actions bot (Contributor) commented Dec 8, 2025

Code Coverage - Integration Tests

Status Category Percentage Covered / Total
🟢 Statements 81.5% 16343/20051
🟡 Branches 64.55% 7379/11430
🟡 Functions 70.4% 2289/3251
🟢 Lines 81.14% 15377/18950

github-actions bot (Contributor) commented Dec 8, 2025

Code Coverage - Backend unit tests

Status Category Percentage Covered / Total
🟢 Statements 92.33% 13970/15131
🟡 Branches 74.09% 4216/5690
🟢 Functions 85.89% 2148/2501
🟢 Lines 92.14% 13357/14497

Test suite run success

3009 tests passing in 287 suites.

Report generated by 🧪jest coverage report action from ab4eaab

pd-redis previously approved these changes Dec 9, 2025
KrumTy previously approved these changes Dec 9, 2025
@dantovska dantovska dismissed stale reviews from KrumTy and pd-redis via 282cd93 December 11, 2025 12:46
CLAassistant commented Dec 11, 2025

CLA assistant check
All committers have signed the CLA.

github-actions bot (Contributor) commented

Images automagically compressed by Calibre's image-actions

Compression reduced images by 5.8%, saving 20.0 KB.

Filename Before After Improvement
.github/screenshots/Redis-Insight-SlowLog.png 75.2 KB 70.2 KB 6.6%
.github/screenshots/Redis-Insight-Workbench.png 74.1 KB 69.5 KB 6.3%
.github/screenshots/Redis-Insight-CLI.png 70.8 KB 66.9 KB 5.5%
.github/screenshots/Redis-Insight-Analysis.png 69.2 KB 65.6 KB 5.2%
.github/screenshots/Redis-Insight-Browser.png 57.0 KB 54.1 KB 5.1%

- Add idToken field to CloudSession model and ICloudApiCredentials interface
- Store id_token from OAuth token response in session after authentication
- Add Sm-Id-Token header to all API requests when idToken is present
- Header is automatically included for all auth types (Google, GitHub, SSO)

Fixes #RI-7793

- Add idToken to mock data (cloud-session, cloud-auth, cloud-user)
- Add test cases for Sm-Id-Token header in getHeaders method
- Add tests to verify idToken is stored in session after OAuth callback
- Add test to verify graceful handling of missing idToken
- Update mock headers to include Sm-Id-Token header

References: #RI-7793

Update renewTokens method to include idToken from renewal response in session data, ensuring Sm-Id-Token header continues to work after token refresh.

- Add idToken to session update in renewTokens method
- Add tests to verify idToken is stored when present in renewal response
- Add test to verify graceful handling when idToken is missing

References: #RI-7793
@dantovska dantovska force-pushed the be/bugfix/RI-7793/cloud-auth-sso-id-token-header branch from eadf3d8 to ab4eaab Compare December 11, 2025 12:48
@dantovska dantovska self-assigned this Dec 11, 2025
cursor bot left a comment

Bug: Token renewal may lose idToken when missing from refresh response

When the OAuth token refresh response doesn't include id_token (common behavior for many OAuth providers), data.id_token evaluates to undefined. Passing idToken: undefined to updateSessionData causes the existing idToken value in the session to be overwritten with undefined due to object spread behavior. This would break SSO functionality after token refresh because the Sm-Id-Token header would no longer be sent. The PR description states that idToken should be "persisted during token renewal to ensure header continues to work after token refresh," but the current implementation doesn't preserve the existing value when the refresh response lacks id_token.

redisinsight/api/src/modules/cloud/auth/cloud-auth.service.ts#L344-L352

await this.sessionService.updateSessionData(sessionMetadata.sessionId, {
  accessToken: data.access_token,
  refreshToken: data.refresh_token,
  idToken: data.id_token,
  idpType,
  csrf: null,
  apiSessionId: null,
});

redisinsight/api/src/modules/cloud/auth/cloud-auth.service.ts#L222-L231

await this.sessionService.updateSessionData(
  authRequest.sessionMetadata.sessionId,
  {
    accessToken: tokens.access_token,
    refreshToken: tokens.refresh_token,
    idToken: tokens.id_token,
    idpType: authRequest.idpType,
  },
);


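Both Bugbot findings above come down to how a partial update is merged into the stored session: the first renewTokens snippet never writes idToken at all, and the second writes idToken: undefined whenever the refresh response omits id_token, which a spread-based merge treats as an explicit overwrite. The TypeScript below is an added illustration and is not RedisInsight's code; the CloudSession and TokenResponse shapes, the mergeNaive, mergeSafe and getHeaders functions, and the sample token values are assumptions made for this example. It shows the stored idToken being wiped by the naive merge, a merge that only touches idToken when the response actually carries one, and header construction that sends Sm-Id-Token only when an idToken is present.

```typescript
// Added example (not RedisInsight's code). Type and function names are
// assumptions chosen for illustration.

interface CloudSession {
  accessToken?: string;
  refreshToken?: string;
  idToken?: string;        // OIDC id_token; source of the Sm-Id-Token header
  idpType?: string;
  csrf?: string | null;
  apiSessionId?: string | null;
}

// OAuth token endpoint response. id_token is optional: many providers
// omit it from a refresh_token grant response.
interface TokenResponse {
  access_token: string;
  refresh_token: string;
  id_token?: string;
}

// Naive merge, mirroring the reported bug: `idToken: data.id_token` is an
// own property even when its value is undefined, so the spread replaces
// the stored idToken with undefined.
export function mergeNaive(session: CloudSession, data: TokenResponse): CloudSession {
  return {
    ...session,
    accessToken: data.access_token,
    refreshToken: data.refresh_token,
    idToken: data.id_token,
  };
}

// Safe merge: the idToken key is only present in the update when the
// response carries a new id_token, so an existing value survives a
// refresh that omits it.
export function mergeSafe(session: CloudSession, data: TokenResponse): CloudSession {
  return {
    ...session,
    accessToken: data.access_token,
    refreshToken: data.refresh_token,
    ...(data.id_token !== undefined ? { idToken: data.id_token } : {}),
  };
}

// Header construction: Sm-Id-Token is added only when an idToken exists.
// Other headers the real provider sets are deliberately not modelled here.
export function getHeaders(creds: CloudSession): Record<string, string> {
  const headers: Record<string, string> = {};
  if (creds.idToken) {
    headers['Sm-Id-Token'] = creds.idToken;
  }
  return headers;
}

// Constructed sample data (not real tokens).
export const storedSession: CloudSession = {
  accessToken: 'at-old',
  refreshToken: 'rt-old',
  idToken: 'idt-original',
  idpType: 'sso',
};
export const refreshWithoutIdToken: TokenResponse = {
  access_token: 'at-new',
  refresh_token: 'rt-new',
};
export const refreshWithIdToken: TokenResponse = {
  access_token: 'at-new',
  refresh_token: 'rt-new',
  id_token: 'idt-new',
};

// Stand-alone demonstration.
const lost = mergeNaive(storedSession, refreshWithoutIdToken);
const kept = mergeSafe(storedSession, refreshWithoutIdToken);
console.log('naive merge header:', getHeaders(lost));   // {}
console.log('safe merge header:', getHeaders(kept));    // { 'Sm-Id-Token': 'idt-original' }
```

The same protection can be written as `idToken: data.id_token ?? session.idToken` when the merge has the existing session in hand; the conditional spread above is the form to use when the update object is handed to a generic updateSessionData that merges it over stored state, because it never emits the key at all.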

ArtemHoruzhenko (Contributor) left a comment

lgtm

@dantovska dantovska merged commit b4948c9 into main Dec 12, 2025
41 checks passed
@dantovska dantovska deleted the be/bugfix/RI-7793/cloud-auth-sso-id-token-header branch December 12, 2025 09:09

7 participants