docs(auth): document federated_identity claims in beforeLogin hook #138

Merged: anukiransolur merged 5 commits into main from auth-federated-identity on Jun 16, 2026

k1LoW (Contributor) commented Jun 16, 2026

Summary

When the Built-in IdP federates a Google or Microsoft login, the upstream provider's profile (such as picture, name, given_name, family_name, locale) is now forwarded to the beforeLogin hook on claims.federated_identity. The SDK types this claim in tailor-platform/sdk#1456. This documents the consumer-facing behavior in the auth guides so app developers know the claim exists and how to use it.

Changes

  • docs/guides/auth/hook.md — add a Federated Identity Claims section under the Before Login Hook guide: the federated_identity shape (provider + claims), per-provider availability (Microsoft issues no picture), a usage example, and notes that the claim is hook-only (not on the app-facing session token) and is populated only on the next federated login with no backfill. Cross-references it from the Handler Arguments table.
  • docs/guides/auth/integration/built-in-idp.md — note in the Google OAuth and Microsoft OAuth sections that the account profile is forwarded to the beforeLogin hook, linking to the new section.

docs/sdk/services/auth.md is intentionally not edited here. It is auto-synced from the SDK repo by the sdk-docs-sync workflow, and the source page was already updated in the SDK PR.

Verification

  • pnpm build ✅ (pages render, internal anchor link resolves, dead-link check passes)
  • Heading rules respected (no level skips, max depth h4)

Note for reviewers

This documents behavior tied to the Built-in IdP Google/Microsoft OAuth feature, which is already marked preview in built-in-idp.md. Kept as a draft until the platform-side rollout lands.

The Built-in IdP now forwards the upstream Google/Microsoft profile to
the beforeLogin hook on claims.federated_identity, and the SDK types it
(tailor-platform/sdk#1456). Document the consumer-facing behavior so app
developers know the claim exists, its shape, the per-provider
differences (Microsoft issues no picture), and that it is populated only
on a user's next federated login with no backfill.

docs/sdk/services/auth.md is intentionally left untouched; it is
auto-synced from the SDK repo by the sdk-docs-sync workflow, whose
source page was already updated in the SDK PR.

The handler signature is { claims, idpConfigName, env } per the SDK auth
docs, but the guide's Handler Arguments table listed only claims and
idpConfigName, misrepresenting the signature for readers relying on this
page.

k1LoW self-assigned this Jun 16, 2026
k1LoW requested a review from Copilot June 16, 2026 06:30

federated_identity is undefined for any non-federated login, not just
password logins, so generalize the guard note to avoid implying it
exists for external IdP flows. Also update the Execution Flow diagram to
the object-shaped beforeLogin({ claims, idpConfigName, env }) so it no
longer disagrees with the Handler Arguments table.

The Google/Microsoft OAuth notes read as if the upstream profile is
always forwarded, but federated_identity is only observable when a
beforeLogin hook is configured to receive it. Reword both to state the
condition explicitly so readers do not expect it in tokens or without a
hook.

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

federated_identity is just another value available in the beforeLogin
hook, and persisting it is the application's responsibility, which the
preceding tip already covers. A dedicated no-backfill warning
over-emphasizes the claim and adds noise.

k1LoW added the documentation label Jun 16, 2026
k1LoW marked this pull request as ready for review June 16, 2026 07:11
k1LoW requested a review from a team as a code owner June 16, 2026 07:11
anukiransolur merged commit 7d26338 into main Jun 16, 2026 (3 checks passed)
anukiransolur deleted the auth-federated-identity branch June 16, 2026 18:29
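
An added example, not part of this pull request, the docs it edits, or the Tailor Platform SDK: one way a beforeLogin hook could read claims.federated_identity defensively, given the shape in the summary above (provider + claims) and the commit note that the claim is undefined for non-federated logins. The provider strings `google` and `microsoft`, the helper names, the size limits and the sample logins are assumptions constructed for illustration.

```javascript
// Added example; not code from the PR, the docs, or the Tailor Platform SDK.
// Shape taken from the PR text: claims.federated_identity = { provider, claims }.
// ASSUMPTION: provider is reported as "google" or "microsoft".
const KNOWN_PROVIDERS = new Set(["google", "microsoft"]);
const TEXT_FIELDS = ["name", "given_name", "family_name", "locale"];

// Upstream profile text is third-party input: require a string, drop control
// characters, and cap the length (256 is an arbitrary example limit).
function cleanText(value) {
  if (typeof value !== "string") return undefined;
  const s = value.replace(/[\u0000-\u001f\u007f]/g, "").trim();
  return s.length > 0 && s.length <= 256 ? s : undefined;
}

// Accept only absolute https URLs without embedded credentials.
function cleanPictureUrl(value) {
  if (typeof value !== "string" || value.length > 2048) return undefined;
  try {
    const u = new URL(value);
    const ok = u.protocol === "https:" && !u.username && !u.password;
    return ok ? u.href : undefined;
  } catch {
    return undefined; // not a parseable absolute URL
  }
}

// Returns null for non-federated logins (the claim is undefined there),
// otherwise a profile holding only the fields that passed validation.
function extractFederatedProfile(claims) {
  const fed = claims?.federated_identity;
  if (!fed || typeof fed !== "object" || !KNOWN_PROVIDERS.has(fed.provider)) return null;
  const upstream = fed.claims && typeof fed.claims === "object" ? fed.claims : {};
  const profile = { provider: fed.provider };
  for (const field of TEXT_FIELDS) {
    const v = cleanText(upstream[field]);
    if (v !== undefined) profile[field] = v;
  }
  const picture = cleanPictureUrl(upstream.picture); // Microsoft issues no picture
  if (picture !== undefined) profile.picture = picture;
  return profile;
}

// Constructed sample claims, not captured from a real login.
const googleLogin = { sub: "u1", federated_identity: { provider: "google",
  claims: { name: "Ada Example", locale: "en", picture: "https://example.com/a.png" } } };
const microsoftLogin = { sub: "u2", federated_identity: { provider: "microsoft",
  claims: { name: "Bo\u0007b Example", picture: "http://example.com/b.png" } } };
console.log(extractFederatedProfile(googleLogin), extractFederatedProfile(microsoftLogin));
```

Because the claim is hook-only, a profile returned this way is what the application would persist itself; what the hook must return is not shown on this page and is left out here.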