Skip to content

Add OIDC authentication with per-user conversations (single-user fallback) #1269

New issue
New issue
Open
Open
Add OIDC authentication with per-user conversations (single-user fallback)#1269
@rowan-stein

Description

@rowan-stein
rowan-stein
opened on Jan 27, 2026

User request

Add OIDC IdP support so different users can sign in and have their own conversations. Without a configured IdP, the system should continue working in single-user mode as it does today.

Specification

Current state (repo findings)

  • Backend: packages/platform-server (NestJS) with Prisma/Postgres (AGENTS_DATABASE_URL).
  • Conversations are persisted as Thread records in Prisma schema; currently no user ownership fields exist, so all threads are global.
  • UserProfile table/service is singleton (id=1) and is not a real per-user identity.

Goals

  1. Support AUTH_MODE=oidc to enable OIDC sign-in (Authorization Code + PKCE).
  2. Support AUTH_MODE=single_user (default) to preserve current behavior with a default local user.
  3. Ensure thread/conversation isolation: users can only see/manage their own threads.

Backend work

  • Add AUTH_MODE config and OIDC config env vars (OIDC_ISSUER_URL, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET if needed, OIDC_REDIRECT_URI, scopes).
  • Add Auth module with endpoints:
    • GET /auth/login
    • GET /auth/callback
    • POST /auth/logout
    • GET /auth/me
  • Add session-based auth (cookie + server-side session store). Session stores principal: { mode, userId, issuer, subject }.
  • Add auth guard that:
    • in single_user always injects default principal
    • in oidc requires session else 401

Persistence / Prisma

  • Add models:
    • User
    • AuthIdentity with unique (provider, issuer, subject) referencing User
  • Add Thread.ownerUserId FK to User plus indexes.
  • Migration/backfill:
    • create default local user with constant UUID
    • backfill existing threads to that user
    • make ownerUserId NOT NULL

Thread API scoping

  • Update all thread queries/mutations to filter by ownerUserId = principal.userId (e.g., AgentsPersistenceService.listThreads() and any get/update endpoints).
  • Add tests to prevent regressions (user A cannot access user B threads).

Frontend work

  • In OIDC mode, boot via GET /auth/me; if 401 redirect to /auth/login.
  • Add sign in/out UI (minimal).

Risks

  • Data leakage if any thread query lacks owner scoping: must be addressed systematically + tested.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions