Adding okta and related multi-tenant modifications and docs #24
Conversation
Pull request overview
This PR adds comprehensive multi-tenant SSO support with Okta as the primary use case, enabling B2B SaaS applications to support multiple enterprise customers with their own identity providers.
Key Changes:
- Adds Okta provider with domain-based configuration and security validation
- Implements TenantManager for multi-tenant OAuth configuration
- Introduces `onResolveProvider` hook for dynamic provider resolution
- Adds security validation utilities (SSRF protection, injection prevention)
- Comprehensive test coverage for new features
Reviewed changes
Copilot reviewed 26 out of 28 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| src/lib/tenantManager.ts | Core multi-tenant management with tenant registration, email domain routing, and provider configuration |
| src/lib/providers/okta.ts | Okta OAuth provider with domain validation and SSRF protection |
| src/lib/providers/validation.ts | Security validation utilities for domain safety, email domains, tenant IDs, and XSS prevention |
| src/lib/providers/azure.ts | Adds Azure tenant ID validation using new validation utilities |
| src/lib/providers/auth0.ts | Adds domain validation and allowlist checking for Auth0 |
| src/lib/hookManager.ts | Adds onResolveProvider hook for dynamic provider resolution |
| src/lib/resource.ts | Implements dynamic provider resolution with validation and error handling |
| src/lib/config.ts | Adds Okta to provider configuration switch statement |
| src/lib/providers/index.ts | Registers Okta and generic providers |
| src/types.ts | Documents onResolveProvider hook with security requirements and examples |
| src/index.ts | Exports TenantManager, validation utilities, and provider utilities |
| test/lib/tenantManager.test.js | Comprehensive tests for tenant management including validation, bulk operations, and security |
| test/lib/providers/validation.test.js | Security-focused tests for SSRF protection, injection prevention, and validation |
| test/lib/providers/okta.test.js | Tests for Okta provider configuration and domain validation |
| test/lib/providers/azure.test.js | Updates tests to use valid GUID format for Azure tenant IDs |
| test/lib/config.test.js | Updates tests to use valid Azure tenant ID format |
| docs/multi-tenant-sso.md | Complete guide for multi-tenant SSO setup with examples and security considerations |
| docs/providers.md | Okta setup documentation with group-based role mapping instructions |
| docs/lifecycle-hooks.md | Documents onResolveProvider hook with comprehensive security requirements |
| docs/getting-started.md | Clarifies that built-in providers are templates requiring configuration |
| examples/okta-multi-tenant.js | Example showing multi-tenant Okta configuration |
| package.json | Moves harperdb to devDependencies, adds test scripts |
| .bun/preload.js | Bun test environment setup with HarperDB mocking |
| bunfig.toml | Updates preload path to .bun directory |
| assets/test.html | Adds Okta button styling |
| README.md | Updates provider list and clarifies built-in vs active providers |
| .github/workflows/pr-checks.yml | Adds Node 20-specific test script |
DavidCockerill
left a comment
Epic!
kriszyp
left a comment
This looks great, comprehensive, nice work. One note about the example admin endpoint.
docs/multi-tenant-sso.md (Outdated)

> Create an admin endpoint to add tenants dynamically:
>
> ```typescript
> scope.resources.set('admin/tenants', {
> ```
How would you access scope outside creating your own plugin? I think we would want to describe a standard exported Resource.
Yeah...that's a bad partial example. Working on refining this doc right now - it's currently not super useful.
…to ensure the plugin is good.