@@ -57,6 +57,22 @@ export const authConfig: NextAuthConfig = {
|
|||||||
claims["urn:zitadel:iam:org:project:roles"]
|
claims["urn:zitadel:iam:org:project:roles"]
|
||||||
);
|
);
|
||||||
token.accessToken = account.access_token;
|
token.accessToken = account.access_token;
|
||||||
|
// Pin token.sub to the OIDC subject. Auth.js v5 otherwise puts a
|
||||||
|
// freshly generated UUID in token.sub on initial sign-in,
|
||||||
|
// ignoring what profile() returns for `id`. That UUID then
|
||||||
|
// becomes session.user.id everywhere downstream — including
|
||||||
|
// `tenant_user_assignments.assigned_by` and (more importantly)
|
||||||
|
// the WHERE clause used to look up the invited user's
|
||||||
|
// assignments on the dashboard. With a UUID in the session and
|
||||||
|
// a ZITADEL snowflake in the DB, the lookup matches nothing
|
||||||
|
// and assigned tenants never appear (Bug 27).
|
||||||
|
//
|
||||||
|
// Reference: https://github.com/nextauthjs/next-auth/issues/11174
|
||||||
|
// Auth.js respects an explicit token.sub assignment; the
|
||||||
|
// override below is preserved across subsequent jwt() calls.
|
||||||
|
if (typeof profile.sub === "string") {
|
||||||
|
token.sub = profile.sub;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return token;
|
return token;
|
||||||
},
|
},
|
||||||
|
|||||||
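Review bot: The `typeof profile.sub === "string"` guard has no else branch, so a sign-in whose profile lacks a string `sub` silently keeps the Auth.js-generated UUID and recreates the identifier mismatch described in the comment, with nothing logged to show it. Because `token.sub` ends up as the `session.user.id` used for the tenant-assignment lookup, failing the sign-in is safer than issuing a session under an identifier the database does not know, for example `if (typeof profile.sub !== "string" || profile.sub === "") throw new Error("OIDC profile has no sub claim");` placed ahead of the assignment. The assignment appears to sit in the initial sign-in branch of the jwt callback, which begins outside this hunk, so JWTs issued before this change would presumably keep their UUID until the user signs in again; that is worth confirming and noting for rollout.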