Add SSO connection routing for org-scoped login and pc target re-auth #86
austin-denoble wants to merge 1 commit into main from
Conversation
Cursor Bugbot has reviewed your changes and found 3 potential issues.
Reviewed by Cursor Bugbot for commit befaf31.
| if conn != "" { | ||
| ssoConnection = &conn | ||
| } | ||
| } |
SSO lookup always fails because token is unavailable (High Severity)
FetchSSOConnection calls oauth.Token(ctx) to authenticate the dashboard API request, but it's only ever invoked when a new login is needed — meaning the token is either missing, expired, or was just cleared by oauth.Logout(). For the pc target re-auth flow, oauth.Logout() explicitly clears the token immediately before GetAndSetAccessToken is called, so the SSO lookup always gets an empty token and silently skips. For pc login --org, either no token exists (fresh login), the session is expired (token fetch errors), or the user is already authenticated (the "already logged in" guard returns before the SSO code is reached). The SSO connection routing feature can never activate in any code path.
| if conn != "" { | ||
| ssoConnection = &conn | ||
| } | ||
| } |
Duplicated SSO lookup blocks across two functions (Low Severity)
The SSO connection lookup logic (nil-check orgId, call FetchSSOConnection, wrap result in pointer) is duplicated identically in getAndSetAccessTokenJSON and getAndSetAccessTokenInteractive. Extracting this into a small helper would reduce the maintenance surface and ensure any future fix to the lookup logic is applied in one place.
| // OrgId pins the login flow to a specific organization. When set, the SSO | ||
| // connection for that org is looked up and passed to Auth0, routing the | ||
| // browser directly to the org's identity provider if SSO is enforced. | ||
| OrgId *string |
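Review bot: the OrgId doc comment should also state what happens when the SSO lookup fails. The PR description says the resolution is best-effort and falls back to the standard login page, but a reader of this field would take "is looked up and passed to Auth0" as a guarantee. A closing sentence such as "If the lookup fails, the standard login page is used." keeps that contract visible where callers set the field.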
Early-resume JSON path ignores org flag (Medium Severity)
In Run(), the early-resume path for JSON mode at line 69 passes nil as orgId to getAndSetAccessTokenJSON, while the main path at line 106 correctly passes opts.OrgId. This means when a user runs pc login --org org-B --json and a pending session for a different org already exists, the org-mismatch guard inside getAndSetAccessTokenJSON (which checks orgId != nil) is bypassed, and the stale session for the wrong org is silently resumed instead of being rejected or cleaned up.
Problem
We currently do not support SSO in the CLI, and need to enable this for customers using this.
Solution
When authenticating into an organization that has SSO enforced, the CLI now passes the Auth0 connection name as a connection= parameter to the authorization endpoint, routing the browser directly to the org's identity provider rather than the generic login page.
Both pc login and pc auth login accept a new --org flag to scope the login to a specific organization. pc target already passes the org ID implicitly. In all cases the SSO connection is resolved by calling the dashboard organizations API with the user's existing token; the lookup is best-effort and non-fatal — if it fails the flow falls back to the
standard login page transparently.
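The two steps described above, the best-effort SSO connection lookup and the Auth0 authorize URL construction, as an added example that is not the CLI's own code. The lookup callback is an assumed stand-in for the dashboard organizations API (not the project's FetchSSOConnection), and taking the token as an explicit parameter makes the "no token available" case from the review visible instead of silent:

```go
package main

import (
	"fmt"
	"net/url"
)

// resolveSSOConnection is best-effort: any failure yields nil so the caller falls
// back to the generic login page, plus a reason so the fallback is observable.
// lookup stands in for the dashboard organizations API call (assumed signature,
// not the CLI's FetchSSOConnection); it returns "" when the org does not enforce SSO.
func resolveSSOConnection(token string, orgID *string, lookup func(token, orgID string) (string, error)) (*string, string) {
	if orgID == nil {
		return nil, "no org scope"
	}
	if token == "" { // the re-auth case the review flags: Logout() already cleared it
		return nil, "no token available for dashboard lookup"
	}
	conn, err := lookup(token, *orgID)
	if err != nil {
		return nil, "lookup failed: " + err.Error()
	}
	if conn == "" {
		return nil, "org does not enforce SSO"
	}
	return &conn, ""
}

// buildAuthorizeURL assembles the Auth0 /authorize URL, appending connection=<name>
// only when a connection was resolved; url.Values escapes every value.
func buildAuthorizeURL(base, clientID, redirectURI, state string, connection *string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {clientID},
		"redirect_uri": {redirectURI}, "state": {state}}
	if connection != nil {
		q.Set("connection", *connection)
	}
	return base + "/authorize?" + q.Encode()
}

func main() {
	ssoByOrg := map[string]string{"org-A": "acme-saml"} // constructed: only org-A enforces SSO
	fake := func(_, orgID string) (string, error) { return ssoByOrg[orgID], nil }
	org := "org-A"
	for _, token := range []string{"valid-token", ""} { // "" mimics post-logout re-auth
		conn, why := resolveSSOConnection(token, &org, fake)
		fmt.Println(buildAuthorizeURL("https://example.auth0.com", "cli", "http://localhost:1234/cb", "s1", conn), why)
	}
}
```

The second iteration prints the URL without a connection parameter together with the reason, which is the outcome a user of the re-auth path would otherwise never see.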
Type of Change
Test Plan
Note
Medium Risk
Changes the OAuth login URL construction and adds a best-effort dashboard API call to influence SSO routing; failures should fall back, but regressions could impact authentication flows for org-scoped login and pc target re-auth.

Overview
Adds --org to pc login and pc auth login, passing an optional OrgId through the login flow to scope authentication to an organization.
When an org ID is provided, the login flow now optionally looks up the org's Auth0 SSO connection via the dashboard organizations API and, if SSO is enforced, appends connection=<name> to the Auth0 authorize URL (best-effort with transparent fallback).
Updates oauth.Auth.GetAuthURL to accept the new connection parameter and extends tests to cover SSO connection lookup and URL parameterization.