Phase 4c: Soft SSO login nudge (access token hook)

Author: GregorShear

supabase/config.toml

@@ -45,6 +45,10 @@ jwt_expiry = 604800
 # Allow/disallow new user signups to your project.
 enable_signup = true
 
+[auth.hook.custom_access_token]
+enabled = true
+uri = "pg-functions://postgres/public/custom_access_token_hook"
+
 [auth.email]
 # Allow/disallow new user signups via email to your project.
 enable_signup = true

supabase/migrations/20260320120000_sso_access_token_hook.sql

@@ -0,0 +1,68 @@
+-- Add a customize_access_token hook that embeds SSO provider IDs into the JWT
+-- when a non-SSO user has grants on tenants with SSO configured.
+--
+-- The dashboard reads the `sso_not_satisfied` claim on login/refresh and can show
+-- an interstitial prompting the user to re-authenticate via SSO.
+-- Only provider UUIDs are included — no tenant names — to avoid leaking
+-- which tenants the user has grants on.
+--
+-- Keyed on sso_provider_id IS NOT NULL (not enforce_sso) so users get nudged
+-- as soon as SSO is configured, giving them runway before hard enforcement.
+
+begin;
+
+create or replace function public.custom_access_token_hook(event jsonb)
+returns jsonb
+language plpgsql
+stable
+security definer
+set search_path to ''
+as $$
+declare
+  claims         jsonb;
+  target_user_id uuid;
+  provider_id    uuid;
+begin
+  target_user_id = (event->>'user_id')::uuid;
+  claims = event->'claims';
+
+  -- Find the SSO provider for the tenant where this user has grants but
+  -- lacks the matching SSO identity. We expect at most one SSO-enabled
+  -- tenant per user; LIMIT 1 makes that assumption explicit.
+  select t.sso_provider_id
+    into provider_id
+    from public.user_grants ug
+    join public.tenants t on ug.object_role ^@ t.tenant
+    where ug.user_id = target_user_id
+      and t.sso_provider_id is not null
+      and not exists (
+        select 1 from auth.identities ai
+        where ai.user_id = target_user_id
+          and ai.provider = 'sso:' || t.sso_provider_id::text
+      )
+    limit 1;
+
+  if provider_id is not null then
+    claims = jsonb_set(claims, '{sso_not_satisfied}', to_jsonb(provider_id));
+  else
+    claims = claims - 'sso_not_satisfied';
+  end if;
+
+  event = jsonb_set(event, '{claims}', claims);
+  return event;
+end;
+$$;
+
+-- The hook is invoked by GoTrue as the supabase_auth_admin role.
+grant usage on schema public to supabase_auth_admin;
+grant execute on function public.custom_access_token_hook(jsonb) to supabase_auth_admin;
+
+-- The function reads from these tables.
+grant select on public.user_grants to supabase_auth_admin;
+grant select on public.tenants to supabase_auth_admin;
+grant select on auth.identities to supabase_auth_admin;
+
+-- Revoke from anon/authenticated — this is not a user-callable function.
+revoke execute on function public.custom_access_token_hook(jsonb) from authenticated, anon;
+
+commit;

supabase/tests/sso_access_token_hook.test.sql

@@ -0,0 +1,92 @@
+-- Tests for the custom_access_token_hook that adds sso_not_satisfied claim.
+create function tests.test_sso_access_token_hook()
+returns setof text as $$
+declare
+  provider_acme uuid = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
+  alice_id uuid = '11111111-1111-1111-1111-111111111111';
+  result jsonb;
+begin
+  -- Setup: test user.
+  insert into auth.users (id, email) values
+    (alice_id, 'alice@example.com')
+  on conflict do nothing;
+
+  -- Setup: SSO provider for acmeCo.
+  insert into auth.sso_providers (id) values (provider_acme)
+    on conflict do nothing;
+
+  -- Tenants: acmeCo has SSO configured, openCo does not.
+  delete from tenants;
+  insert into tenants (tenant, sso_provider_id) values
+    ('acmeCo/', provider_acme),
+    ('openCo/', null);
+
+  -- Alice has grants on both tenants, no SSO identity yet.
+  delete from user_grants;
+  insert into user_grants (user_id, object_role, capability) values
+    (alice_id, 'acmeCo/', 'admin'),
+    (alice_id, 'openCo/', 'admin');
+
+  delete from auth.identities where user_id = alice_id;
+
+  -- No SSO identity — should get sso_not_satisfied with acmeCo's provider.
+  select public.custom_access_token_hook(jsonb_build_object(
+    'user_id', alice_id,
+    'claims', jsonb_build_object('sub', alice_id)
+  )) into result;
+
+  return next is(
+    result->'claims'->'sso_not_satisfied',
+    to_jsonb(provider_acme),
+    'Non-SSO user on SSO tenant gets sso_not_satisfied'
+  );
+
+  -- Add SSO identity — sso_not_satisfied should disappear.
+  insert into auth.identities (user_id, provider, provider_id, identity_data) values
+    (alice_id, 'sso:' || provider_acme::text, provider_acme::text, '{}'::jsonb);
+
+  select public.custom_access_token_hook(jsonb_build_object(
+    'user_id', alice_id,
+    'claims', jsonb_build_object('sub', alice_id)
+  )) into result;
+
+  return next ok(
+    result->'claims'->'sso_not_satisfied' is null,
+    'SSO user on own tenant has no sso_not_satisfied claim'
+  );
+
+  -- Only open-tenant grants: no sso_not_satisfied.
+  delete from user_grants where user_id = alice_id;
+  delete from auth.identities where user_id = alice_id;
+  insert into user_grants (user_id, object_role, capability) values
+    (alice_id, 'openCo/', 'admin');
+
+  select public.custom_access_token_hook(jsonb_build_object(
+    'user_id', alice_id,
+    'claims', jsonb_build_object('sub', alice_id)
+  )) into result;
+
+  return next ok(
+    result->'claims'->'sso_not_satisfied' is null,
+    'User with only open-tenant grants has no sso_not_satisfied claim'
+  );
+
+  -- Sub-prefix grant on acmeCo/reports/ should still trigger sso_not_satisfied.
+  delete from user_grants where user_id = alice_id;
+  insert into user_grants (user_id, object_role, capability) values
+    (alice_id, 'acmeCo/reports/', 'read');
+
+  select public.custom_access_token_hook(jsonb_build_object(
+    'user_id', alice_id,
+    'claims', jsonb_build_object('sub', alice_id)
+  )) into result;
+
+  return next is(
+    result->'claims'->'sso_not_satisfied',
+    to_jsonb(provider_acme),
+    'Sub-prefix grant on acmeCo/reports/ triggers sso_not_satisfied'
+  );
+
+  return;
+end
+$$ language plpgsql;