feat(platform): add organization parameter to OAuth authorization redirect #550
…irect

Add optional `AIGNOSTICS_ORGANIZATION` environment variable that, when set, includes the `organization` parameter in the OAuth 2.0 PKCE authorization URL. This enables Auth0 organization-specific login flows in development and staging.

- Add `organization: str | None` field to `Settings`
- Conditionally include `organization` in `session.authorization_url()` params
- Add unit test verifying the parameter is passed through the PKCE flow
Pull request overview
Adds support for Auth0 organization-scoped interactive OAuth login by introducing an optional organization setting (via AIGNOSTICS_ORGANIZATION) and conditionally appending it to the PKCE authorization URL.
Changes:
- Add `organization: str | None` to platform settings (env-backed via the existing `AIGNOSTICS_` prefix).
- Update PKCE authorization URL construction to include `organization` when configured.
- Add a unit test asserting the `organization` kwarg is passed to `OAuth2Session.authorization_url`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/aignostics/platform/_settings.py | Introduces optional organization setting to control Auth0 org login behavior. |
| src/aignostics/platform/_authentication.py | Conditionally includes organization in the authorization URL parameters for PKCE. |
| tests/aignostics/platform/authentication_test.py | Adds coverage ensuring organization propagates into the authorization URL call. |
Codecov Report
✅ All modified and coverable lines are covered by tests.
Thanks for the PR, some thoughts:

I think you mean SPEC_PLATFORM_SERVICE.md

You're right, seems like SPEC-APPLICATION-SERVICE only covers what happens once the token is acquired. So platform is the one 👍
289fe59 to c214653
| | `api_root` | str | `https://platform.aignostics.com` | Base URL of Aignostics API | Yes | | ||
| | `audience` | str | Environment-specific | OAuth audience claim | Yes | | ||
| | `scope` | str | `offline_access` | OAuth scopes required | Yes | | ||
| | `organization` | str | None | Auth0 organization for OAuth| No | | ||
| | `cache_dir` | str | User cache directory | Directory for token storage | No | |
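Review bot: the new `organization` row does not say what value is expected or where it is used; "Auth0 organization for OAuth" can be read as an organization name or an organization ID. Suggest a description that states it is sent as the `organization` parameter on the authorization request and is left out when unset. The cell is also missing the space before its closing `|` (`OAuth| No`), unlike the neighbouring rows.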
In the configuration parameters table, organization is documented as type str but the default is None and the code defines it as optional (str | None). Please update the table to reflect the optional type (and consider formatting None/spacing consistently) so the spec doesn’t mislead users.
…fication

Add AIGNOSTICS_ORGANIZATION to the platform service specification:

- Add organization parameter to Configuration Parameters (section 6.1)
- Add AIGNOSTICS_ORGANIZATION environment variable (section 6.2)
- Update PKCE Flow description to document organization parameter usage

c214653 to ee93e37
| organization_id: Annotated[ | ||
| str | None, Field(description="Optional Auth0 organization ID parameter for the /authorize OAuth endpoint") | ||
| ] = None |
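Review bot: the `Field(...)` on `organization_id` carries only a description, so any `str` is accepted, including an empty or whitespace-only one. Consider a `min_length=1` constraint, or normalising blank input to `None`, so a blank setting cannot end up as the `organization` value on the /authorize request. The field is also named `organization_id` while the spec table row earlier on this page calls the parameter `organization`; use one name in both places.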
Bug: The organization_id setting expects the AIGNOSTICS_ORGANIZATION_ID environment variable, but documentation specifies AIGNOSTICS_ORGANIZATION, causing the feature to silently fail.
Severity: CRITICAL
Suggested Fix
Align the code and documentation. Either rename the organization_id field to organization, or add a validation_alias to the Field definition to accept AIGNOSTICS_ORGANIZATION. For example: Field(..., validation_alias='AIGNOSTICS_ORGANIZATION'). Ensure all documentation is updated to reflect the final variable name.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI
agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's
not valid.
Location: src/aignostics/platform/_settings.py#L209-L211
Potential issue: The Pydantic `Settings` class defines a field `organization_id`, which
by default maps to the environment variable `AIGNOSTICS_ORGANIZATION_ID` due to the
`AIGNOSTICS_` prefix. However, the documentation instructs users to set
`AIGNOSTICS_ORGANIZATION`. When users follow the documentation, the `organization_id`
setting will default to `None` because the expected environment variable is not found.
This causes the organization-specific login feature to silently fail, as the
`organization` parameter is never added to the OAuth authorization request.
Also affects:
specifications/SPEC_PLATFORM_SERVICE.md:433~439



Summary

Add support for Auth0 organization-specific login flows via a new `AIGNOSTICS_ORGANIZATION` environment variable.

When set, the `organization` parameter is included in the OAuth 2.0 PKCE authorization URL, enabling users to authenticate into a specific Auth0 organization (useful in development and staging environments).

Changes

- `_settings.py`: Added `organization: str | None` field, configurable via `AIGNOSTICS_ORGANIZATION` env var
- `_authentication.py`: `_perform_authorization_code_with_pkce_flow()` now conditionally adds `organization` to the authorization URL parameters
- `authentication_test.py`: Added unit test verifying the organization parameter is correctly passed through the full PKCE flow

Usage

```
export AIGNOSTICS_ORGANIZATION=my-org
uv run aignostics user login
```

Or via `.env`:

```
AIGNOSTICS_ORGANIZATION=my-org
```
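The silent failure raised in the review comment on `organization_id`, reproduced with the standard library only. This is an added example, not the project's code: `read_setting` is a hypothetical stand-in for the prefix-based settings lookup, and the endpoint, client ID, redirect URI and organization value are constructed.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ENV_PREFIX = "AIGNOSTICS_"  # settings prefix named in the review comments


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for PKCE with S256 (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43..128 range
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def read_setting(env: dict[str, str], field: str) -> str | None:
    """Prefix-based lookup (hypothetical helper): field x is read from AIGNOSTICS_X only."""
    value = env.get(ENV_PREFIX + field.upper(), "").strip()
    return value or None  # unset or blank both mean "no organization"


def authorization_url(authorize_endpoint: str, challenge: str, state: str,
                      organization: str | None = None) -> str:
    """Build the /authorize redirect; organization is added only when set."""
    params = {
        "response_type": "code",
        "client_id": "constructed-client-id",              # constructed value
        "redirect_uri": "http://localhost:8989/callback",  # constructed value
        "scope": "offline_access",
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    if organization:
        params["organization"] = organization
    return f"{authorize_endpoint}?{urlencode(params)}"


def organization_in(url: str) -> str | None:
    """Return the organization the redirect actually carries, or None."""
    return parse_qs(urlsplit(url).query).get("organization", [None])[0]


if __name__ == "__main__":
    env = {"AIGNOSTICS_ORGANIZATION": "org_constructed123"}  # the documented variable
    _, challenge = pkce_pair()
    for field in ("organization_id", "organization"):
        url = authorization_url("https://auth.example.test/authorize", challenge,
                                secrets.token_urlsafe(16), read_setting(env, field))
        print(f"{field:16} -> organization sent: {organization_in(url)}")
```

Asserting on the parsed redirect, as `organization_in` does, is what lets a test catch the variable-name mismatch instead of only checking that a keyword argument was forwarded.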