To revert: in this commit, I added a pretty elaborate system of automatically signing out accounts when oauth scopes change. The system is pretty fragile, so I'm going to take the safer approach and just add document this as a known issue.

Author: brendan-kellam

packages/backend/src/gitlab.ts

@@ -324,7 +324,6 @@ export const getProjectsForAuthenticatedUser = async (visibility: 'private' | 'i
 export const getOAuthScopesForAuthenticatedUser = async (api: InstanceType<typeof Gitlab>) => {
     try {
         const response = await api.requester.get('/oauth/token/info');
-        console.log('response', response);
         if (
             response &&
             typeof response.body === 'object' &&

packages/web/src/app/components/authMethodSelector.tsx

@@ -29,7 +29,6 @@ export const AuthMethodSelector = ({
         // Call the optional analytics callback first
         onProviderClick?.(provider);
 
-        // @nocheckin
         signIn(
             provider,
             {
@@ -40,7 +39,6 @@ export const AuthMethodSelector = ({
             // @see: https://next-auth.js.org/getting-started/client#additional-parameters
             {
                 prompt: 'consent',
-                scope: 'read:user user:email repo'
             }
         );
     }, [callbackUrl, onProviderClick]);

packages/web/src/auth.ts

@@ -19,6 +19,7 @@ import { onCreateUser } from '@/lib/authUtils';
 import { getAuditService } from '@/ee/features/audit/factory';
 import { SINGLE_TENANT_ORG_ID } from './lib/constants';
 import { refreshLinkedAccountTokens } from '@/ee/features/permissionSyncing/tokenRefresh';
+import { getRequiredScopes, normalizeScopes } from './lib/oauthScopes';
 
 const auditService = getAuditService();
 const eeIdentityProviders = hasEntitlement("sso") ? await getEEIdentityProviders() : [];
@@ -52,6 +53,8 @@ declare module 'next-auth' {
 declare module 'next-auth/jwt' {
     interface JWT {
         userId: string;
+        providerAccountId: string;
+        provider: string;
         linkedAccountTokens?: LinkedAccountTokensMap;
     }
 }
@@ -164,7 +167,7 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
             // Explicitly update the Account record with the OAuth token details.
             // This is necessary to update the access token when the user
             // re-authenticates.
-            if (account && account.provider && account.providerAccountId) {
+            if (account && account.provider && account.provider !== 'credentials' && account.providerAccountId) {
                 await prisma.account.update({
                     where: {
                         provider_providerAccountId: {
@@ -217,14 +220,60 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
         }
     },
     callbacks: {
-        async jwt({ token, user: _user, account }) {
-            const user = _user as User | undefined;
+        async jwt({ token, user: _user, account: _account }) {
             // @note: `user` will be available on signUp or signIn triggers.
             // Cache the userId in the JWT for later use.
-            if (user) {
+            if (_user) {
+                const user = _user as User;
                 token.userId = user.id;
             }
 
+            if (_account) {
+                token.providerAccountId = _account.providerAccountId;
+                token.provider = _account.provider;
+            }
+
+            const account = await prisma.account.findUnique({
+                where: {
+                    provider_providerAccountId: {
+                        provider: token.provider,
+                        providerAccountId: token.providerAccountId,
+                    },
+                },
+            });
+
+            if (!account) {
+                return null;
+            }
+
+            const currentScopes = normalizeScopes(account.scope);
+            const requiredScopes = getRequiredScopes(account.provider);
+
+            if (currentScopes !== requiredScopes) {
+                const doesAccountExist = await prisma.account.findUnique({
+                    where: {
+                        provider_providerAccountId: {
+                            provider: account.provider,
+                            providerAccountId: account.providerAccountId,
+                        },
+                    },
+                });
+
+                if (doesAccountExist) {
+                    await prisma.account.delete({
+                        where: {
+                            provider_providerAccountId: {
+                                provider: account.provider,
+                                providerAccountId: account.providerAccountId,
+                            },
+                        },
+                    });
+                    console.log(`Deleted account ${account.providerAccountId} for provider ${account.provider} because it did not have the required scopes.`);
+                }
+
+                return null;
+            }
+
             if (hasEntitlement('permission-syncing')) {
                 if (account && account.access_token && account.refresh_token && account.expires_at) {
                     token.linkedAccountTokens = token.linkedAccountTokens || {};
@@ -273,4 +322,4 @@ export const { handlers, signIn, signOut, auth } = NextAuth({
         // We set redirect to false in signInOptions so we can pass the email is as a param
         // verifyRequest: "/login/verify",
     }
-});
+});

packages/web/src/ee/features/permissionSyncing/components/linkButton.tsx

@@ -12,7 +12,7 @@ interface LinkButtonProps {
 export const LinkButton = ({ provider, callbackUrl }: LinkButtonProps) => {
     const handleLink = () => {
         signIn(provider, {
-            redirectTo: callbackUrl
+            redirectTo: callbackUrl,
         });
     };
 

packages/web/src/ee/features/sso/sso.ts

@@ -1,8 +1,9 @@
 import type { IdentityProvider } from "@/auth";
 import { onCreateUser } from "@/lib/authUtils";
+import { getRequiredScopes } from "@/lib/oauthScopes";
 import { prisma } from "@/prisma";
 import { AuthentikIdentityProviderConfig, GCPIAPIdentityProviderConfig, GitHubIdentityProviderConfig, GitLabIdentityProviderConfig, GoogleIdentityProviderConfig, KeycloakIdentityProviderConfig, MicrosoftEntraIDIdentityProviderConfig, OktaIdentityProviderConfig } from "@sourcebot/schemas/v3/index.type";
-import { createLogger, env, getTokenFromConfig, hasEntitlement, loadConfig } from "@sourcebot/shared";
+import { createLogger, env, getTokenFromConfig, loadConfig } from "@sourcebot/shared";
 import { OAuth2Client } from "google-auth-library";
 import type { User as AuthJsUser } from "next-auth";
 import type { Provider } from "next-auth/providers";
@@ -126,19 +127,10 @@ const createGitHubProvider = (clientId: string, clientSecret: string, baseUrl?:
         ...(hostname === GITHUB_CLOUD_HOSTNAME ? { enterprise: { baseUrl: baseUrl } } : {}), // if this is set the provider expects GHE so we need this check
         authorization: {
             params: {
-                scope: [
-                    'read:user',
-                    'user:email',
-                    // Permission syncing requires the `repo` scope in order to fetch repositories
-                    // for the authenticated user.
-                    // @see: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#list-repositories-for-the-authenticated-user
-                    ...(env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing') ?
-                        ['repo'] :
-                        []
-                    ),
-                ].join(' '),
+                scope: getRequiredScopes('github'),
             },
         },
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -150,16 +142,7 @@ const createGitLabProvider = (clientId: string, clientSecret: string, baseUrl?:
         authorization: {
             url: `${url}/oauth/authorize`,
             params: {
-                scope: [
-                    "read_user",
-                    // Permission syncing requires the `read_api` scope in order to fetch projects
-                    // for the authenticated user and project members.
-                    // @see: https://docs.gitlab.com/ee/api/projects.html#list-all-projects
-                    ...(env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing') ?
-                        ['read_api'] :
-                        []
-                    ),
-                ].join(' '),
+                scope: getRequiredScopes('gitlab'),
             },
         },
         token: {
@@ -168,13 +151,15 @@ const createGitLabProvider = (clientId: string, clientSecret: string, baseUrl?:
         userinfo: {
             url: `${url}/api/v4/user`,
         },
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
 const createGoogleProvider = (clientId: string, clientSecret: string): Provider => {
     return Google({
         clientId: clientId,
         clientSecret: clientSecret,
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -183,6 +168,7 @@ const createOktaProvider = (clientId: string, clientSecret: string, issuer: stri
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -191,6 +177,7 @@ const createKeycloakProvider = (clientId: string, clientSecret: string, issuer:
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -199,6 +186,7 @@ const createMicrosoftEntraIDProvider = (clientId: string, clientSecret: string,
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
+        allowDangerousEmailAccountLinking: true,
     });
 }
 
@@ -283,5 +271,6 @@ export const createAuthentikProvider = (clientId: string, clientSecret: string,
         clientId: clientId,
         clientSecret: clientSecret,
         issuer: issuer,
+        allowDangerousEmailAccountLinking: true,
     });
 }

packages/web/src/lib/oauthScopes.ts

@@ -0,0 +1,48 @@
+import { env, hasEntitlement } from "@sourcebot/shared";
+
+/**
+ * Normalize scope strings for consistent comparison.
+ * Handles different delimiters and ordering.
+ */
+export function normalizeScopes(scopeString: string | null | undefined): string {
+    if (!scopeString) return '';
+    return scopeString.split(/[\s,]+/).filter(Boolean).sort().join(' ');
+}
+
+/**
+ * Calculate the required OAuth scopes for a given provider based on current configuration.
+ * Returns a normalized, sorted scope string.
+ */
+export function getRequiredScopes(provider: string): string {
+    const scopes: string[] = [];
+
+    switch (provider) {
+        case 'github':
+            scopes.push('read:user', 'user:email');
+            // Permission syncing requires the `repo` scope in order to fetch repositories
+            // for the authenticated user.
+            // @see: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#list-repositories-for-the-authenticated-user
+            if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing')) {
+                scopes.push('repo');
+            }
+
+            break;
+
+        case 'gitlab':
+            scopes.push('read_user');
+            // Permission syncing requires the `read_api` scope in order to fetch projects
+            // for the authenticated user and project members.
+            // @see: https://docs.gitlab.com/ee/api/projects.html#list-all-projects
+            if (env.EXPERIMENT_EE_PERMISSION_SYNC_ENABLED === 'true' && hasEntitlement('permission-syncing')) {
+                scopes.push('read_api');
+            }
+            break;
+
+        default:
+            // Other providers (Google, Okta, etc.) don't have dynamic scope requirements
+            return '';
+    }
+
+    return normalizeScopes(scopes.join(' '));
+}
+