Hermes 284313f908
Initial import of AlgaPSA codebase from PSA server
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz

Source: /opt/alga-psa on psa.joliet.tech
2026-06-22 16:12:17 -05:00


Microsoft Email Hosted OAuth Fallback

Problem

Microsoft 365 inbound email OAuth currently requires a tenant-owned Microsoft profile bound to the email consumer. A tenant whose only Microsoft configuration is MSP SSO login-domain claims (added, or added and later revoked) has no such binding and therefore cannot use the included Nine Minds hosted Microsoft OAuth application, even though inbound email historically supported hosted, app-level credentials.

Goals

  • Restore the hosted Nine Minds Microsoft OAuth path for inbound email when no explicit Email Microsoft profile binding exists.
  • Preserve explicit tenant-owned Microsoft email bindings when configured and ready.
  • Keep MSP SSO login-domain claim state independent from inbound email OAuth behavior.
  • Avoid falling back silently when an explicit Email binding exists but points to an invalid or incomplete profile.

Non-goals

  • Add/delete UI for MSP SSO login-domain claims.
  • Change MSP SSO discovery behavior.
  • Change calendar or Teams Microsoft profile resolution.
  • Migrate existing Microsoft profiles or consumer bindings.

Desired Behavior

  1. Microsoft inbound email OAuth resolves credentials from the tenant's ready email Microsoft profile binding when present.
  2. If no email binding exists, the resolver uses the app-level hosted Microsoft email credentials MICROSOFT_CLIENT_ID, MICROSOFT_CLIENT_SECRET and the optional MICROSOFT_TENANT_ID, read from app secrets or environment variables.
  3. If an explicit binding exists but the bound profile is invalid, archived, or missing required secrets, the resolver fails with the binding error instead of hiding the misconfiguration behind a fallback.
  4. Existing OAuth initiation, callback token exchange, and refresh-token flows all use the same resolver behavior.

Acceptance Criteria

  • A tenant without an Email Microsoft profile binding can initiate Microsoft inbound email OAuth when app-level hosted credentials are configured.
  • A tenant with a ready Email Microsoft profile binding still uses that bound profile.
  • A tenant with an invalid Email binding gets an invalid-profile error rather than fallback.
  • Existing contract tests continue to prove runtime callers use the shared resolver and do not read Microsoft env vars directly.
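The following is an added example, not AlgaPSA's own code, written in the project's language (TypeScript). It implements the resolution order from Desired Behavior and exercises the Acceptance Criteria scenarios against constructed fixtures: a tenant with a ready binding, a tenant with only an MSP SSO login-domain claim, a tenant bound to an archived profile, and a tenant bound to a profile that no longer exists. Every type, function and fixture name (ResolverDeps, resolveMicrosoftEmailCredentials, the tenant and profile ids, the secret values) is hypothetical; only the MICROSOFT_* variable names come from the document.

```typescript
// Added example (not AlgaPSA code): credential resolver with the fallback
// order described under "Desired Behavior". All names and fixtures below are
// hypothetical and constructed for illustration.

type CredentialSource = 'tenant-profile' | 'hosted-app';

interface MicrosoftCredentials {
  clientId: string;
  clientSecret: string;
  tenantId: string;          // 'common' when nothing pins a directory tenant (assumption)
  source: CredentialSource;  // lets callers and audit logs show which path was taken
}

interface MicrosoftProfile {
  id: string;
  status: 'ready' | 'archived';
  clientId?: string;
  clientSecret?: string;
  tenantId?: string;
}

interface EmailBinding { profileId: string }

class MicrosoftProfileBindingError extends Error {
  constructor(profileId: string, reason: string) {
    super(`email Microsoft profile binding ${profileId} is unusable: ${reason}`);
    this.name = 'MicrosoftProfileBindingError';
  }
}

class HostedCredentialsUnavailableError extends Error {
  constructor() {
    super('no email Microsoft profile binding, and hosted MICROSOFT_CLIENT_ID/MICROSOFT_CLIENT_SECRET are not configured');
    this.name = 'HostedCredentialsUnavailableError';
  }
}

interface ResolverDeps {
  findEmailBinding(tenant: string): EmailBinding | undefined;
  findProfile(profileId: string): MicrosoftProfile | undefined;
  readAppSecret(name: string): string | undefined; // secret store first, then environment
}

// The one resolver that OAuth initiation, callback token exchange and refresh
// all go through; callers never read MICROSOFT_* variables themselves.
function resolveMicrosoftEmailCredentials(tenant: string, deps: ResolverDeps): MicrosoftCredentials {
  const binding = deps.findEmailBinding(tenant);
  if (binding) {
    // An explicit binding is authoritative: a broken one is an error, never a fallback.
    const profile = deps.findProfile(binding.profileId);
    if (!profile) throw new MicrosoftProfileBindingError(binding.profileId, 'profile not found');
    if (profile.status !== 'ready') throw new MicrosoftProfileBindingError(profile.id, `profile is ${profile.status}`);
    if (!profile.clientId || !profile.clientSecret) throw new MicrosoftProfileBindingError(profile.id, 'client id or secret missing');
    return { clientId: profile.clientId, clientSecret: profile.clientSecret, tenantId: profile.tenantId ?? 'common', source: 'tenant-profile' };
  }
  // No binding at all: hosted app-level credentials. SSO login-domain claims play no part here.
  const clientId = deps.readAppSecret('MICROSOFT_CLIENT_ID');
  const clientSecret = deps.readAppSecret('MICROSOFT_CLIENT_SECRET');
  if (!clientId || !clientSecret) throw new HostedCredentialsUnavailableError();
  return { clientId, clientSecret, tenantId: deps.readAppSecret('MICROSOFT_TENANT_ID') ?? 'common', source: 'hosted-app' };
}

// Constructed fixtures (hypothetical tenants, profiles and secret values).
const sampleProfiles: Record<string, MicrosoftProfile | undefined> = {
  'prof-ready': { id: 'prof-ready', status: 'ready', clientId: 'tenant-app-id', clientSecret: 'tenant-app-secret', tenantId: 'contoso.onmicrosoft.com' },
  'prof-archived': { id: 'prof-archived', status: 'archived', clientId: 'old-id', clientSecret: 'old-secret' },
};
const sampleBindings: Record<string, EmailBinding | undefined> = {
  'tenant-bound': { profileId: 'prof-ready' },
  'tenant-archived': { profileId: 'prof-archived' },
  'tenant-dangling': { profileId: 'prof-deleted' },
};
// MSP SSO login-domain claims, present only to show the resolver ignores them.
const sampleSsoClaims: Record<string, string[] | undefined> = { 'tenant-sso-only': ['mail.example.com'] };
const sampleSecretStore: Record<string, string | undefined> = { MICROSOFT_CLIENT_ID: 'hosted-client-id', MICROSOFT_CLIENT_SECRET: 'hosted-client-secret' };
const env: Record<string, string | undefined> = (globalThis as any).process?.env ?? {};

const sampleDeps: ResolverDeps = {
  findEmailBinding: (tenant) => sampleBindings[tenant],
  findProfile: (id) => sampleProfiles[id],
  readAppSecret: (name) => sampleSecretStore[name] ?? env[name],
};

// Summarises the outcome for a tenant as "<source>:<clientId>" or the error name.
function describeResolution(tenant: string, deps: ResolverDeps = sampleDeps): string {
  try {
    const c = resolveMicrosoftEmailCredentials(tenant, deps);
    return `${c.source}:${c.clientId}`;
  } catch (e) {
    return e instanceof Error ? e.name : String(e);
  }
}

for (const t of ['tenant-bound', 'tenant-sso-only', 'tenant-archived', 'tenant-dangling']) {
  const note = sampleSsoClaims[t] ? ' (SSO login-domain claim only)' : '';
  console.log(`${t}${note} -> ${describeResolution(t)}`);
}
```

The `source` field is deliberate: when the hosted path is taken, logging it makes an accidental fallback visible in audit output, and the archived and dangling cases surface as MicrosoftProfileBindingError rather than quietly using the shared Nine Minds application.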