IDP initiated SAML Login returns NextAuth `profile` as `undefined` about jackson HOT 12 CLOSED

@steven-tey That is a good point and a valid use case. We do know the tenant and should add that to requested attribute along with an indication that it came via idp login. We'll make the changes, cc: @niwsa

from jackson.

@deepakprabhakara can confirm that "@boxyhq/saml-jackson": "^1.11.3" fixes this issue! Thank you so much 🙏

from jackson.

Thanks @steven-tey, we are sorting it out at #1481 and I'll ping you as soon as it is merged and released.

from jackson.

@steven-tey Fixed in https://github.com/boxyhq/jackson/releases/tag/v1.11.3

from jackson.

@steven-tey Thanks for reporting this issue. We are looking into this and will let you know soon.

from jackson.

For the IdP login, since we depend on the Credentials Provider there is no separate profile being passed in from NextAuth. Instead, you can set the profile inside the user object returned from provider.authorize. This can then be accessed via user object inside signIn.

        // Fetch user info
        const userInfo = await oauthController.userInfo(access_token);

        if (!userInfo) {
          return null;
        }

        if (userInfo?.id && userInfo?.email) {
          return {
            id: userInfo.id,
            email: userInfo.email,
            name: [userInfo.firstName, userInfo.lastName].filter(Boolean).join(' '),
            image: null,
            profile: userInfo, // <--- Set profile here
          };
        }
  ...
       callbacks: {
          signIn: async ({ user, account, profile }) => {
                      const _profile = profile ?? user.profile
                      ...
                      })
   
        }
  ...

from jackson.

oh nice, that worked! however, the userInfo object returns the Profile object, with requested: null (when it should be returning requested: { tenant: string }). Is that intentional as well?

from jackson.

@steven-tey In the case of IdP there is nothing that was requested since the login is initiated from the Identity Provider. This is why we leave the requested attribute as null

from jackson.

@deepakprabhakara Got it, that makes sense! Does that mean that other than configuring SCIM directory sync, there is no way to make sure that the user gets linked to their respective team if they login directly from their Identity Provider for their first login?

from jackson.

@deepakprabhakara Awesome! LMK when it's ready – happy to test it out! :)

from jackson.