feat(platform): add organization parameter to OAuth authorization redirect#550
…irect

Add optional `AIGNOSTICS_ORGANIZATION` environment variable that, when set, includes the `organization` parameter in the OAuth 2.0 PKCE authorization URL. This enables Auth0 organization-specific login flows in development and staging.

- Add `organization: str | None` field to `Settings`
- Conditionally include `organization` in `session.authorization_url()` params
- Add unit test verifying the parameter is passed through the PKCE flow
Pull request overview
Adds support for Auth0 organization-scoped interactive OAuth login by introducing an optional organization setting (via AIGNOSTICS_ORGANIZATION) and conditionally appending it to the PKCE authorization URL.
Changes:
- Add `organization: str | None` to platform settings (env-backed via the existing `AIGNOSTICS_` prefix).
- Update PKCE authorization URL construction to include `organization` when configured.
- Add a unit test asserting the `organization` kwarg is passed to `OAuth2Session.authorization_url`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `src/aignostics/platform/_settings.py` | Introduces optional organization setting to control Auth0 org login behavior. |
| `src/aignostics/platform/_authentication.py` | Conditionally includes organization in the authorization URL parameters for PKCE. |
| `tests/aignostics/platform/authentication_test.py` | Adds coverage ensuring organization propagates into the authorization URL call. |
Codecov Report
✅ All modified and coverable lines are covered by tests.
Thanks for the PR, some thoughts:
I think you mean SPEC_PLATFORM_SERVICE.md
You're right, seems like SPEC-APPLICATION-SERVICE only covers what happens once the token is acquired. So platform is the one 👍
289fe59 to c214653
c214653 to ee93e37
ee93e37 to a7dbf3a
…fication

Add AIGNOSTICS_ORGANIZATION to the platform service specification:

- Add organization parameter to Configuration Parameters (section 6.1)
- Add AIGNOSTICS_ORGANIZATION environment variable (section 6.2)
- Update PKCE Flow description to document organization parameter usage
a7dbf3a to 8c5a494
Co-authored-by: Oliver Meyer <42039965+olivermeyer@users.noreply.github.com>
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
Comments suppressed due to low confidence (1)
tests/aignostics/platform/authentication_test.py:372
- In `_run_pkce_flow`, `AuthenticationResult` is mocked with `token` pre-set to a non-None value. That means the success-path tests can pass even if the callback handler/server never sets the token (or `handle_request()` is never called), which weakens the test and can mask regressions in the PKCE flow. Consider initializing `mock_auth_result.token` to `None` and having the `handle_request` side effect set it (mirroring what the real `OAuthCallbackHandler` does), and/or asserting `mock_server.handle_request` was called.

```python
mock_auth_result = MagicMock()
mock_auth_result.token = "pkce.token"  # noqa: S105 - Test credential
mock_auth_result.error = None
```



Summary
Add support for Auth0 organization-specific login flows via a new `AIGNOSTICS_ORGANIZATION_ID` environment variable.

When set, the `organization` parameter is included in the OAuth 2.0 PKCE authorization URL, enabling users to authenticate into a specific Auth0 organization (useful in development and staging environments).

Changes
- `_settings.py`: Added `organization: str | None` field, configurable via `AIGNOSTICS_ORGANIZATION_ID` env var
- `_authentication.py`: `_perform_authorization_code_with_pkce_flow()` now conditionally adds `organization` to the authorization URL parameters
- `authentication_test.py`: Added unit test verifying the organization parameter is correctly passed through the full PKCE flow

Usage
Or via `.env`:

```
AIGNOSTICS_ORGANIZATION=my-org
```
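
As an added illustration (not code from this PR or from the aignostics project), the sketch below builds a PKCE authorization URL with the standard library and appends `organization` only when the setting is non-empty. The function names, the endpoint arguments and the blank-value handling are assumptions made for the example; the PR itself passes the value to `OAuth2Session.authorization_url`.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example: all function and parameter names here are illustrative.
def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 characters, inside the 43-128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(
    base_url: str,
    client_id: str,
    redirect_uri: str,
    scope: str,
    organization: str | None = None,
) -> tuple[str, str, str]:
    """Return (url, state, code_verifier); `organization` is added only when set."""
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    # An exported-but-empty variable must behave like an unset one; otherwise
    # the request would carry a blank `organization=` parameter.
    if organization and organization.strip():
        params["organization"] = organization.strip()
    # urlencode() percent-encodes the value, so characters such as "&" or "="
    # in the setting cannot add or override other query parameters.
    return f"{base_url}?{urlencode(params)}", state, verifier


def query_of(url: str) -> dict[str, list[str]]:
    """Parse the query string back out, for inspection in tests."""
    return parse_qs(urlsplit(url).query)
```
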