ENG-2519: Additional SSO Configuration

[tvandort]

Ticket ENG-2519

Description Of Changes

Allows further SSO configuration including scopes, fields, verification toggle.

Steps to Confirm

1. Good question! I don't know since I don't have a good example SSO to use this against.

Pre-Merge Checklist

• Issue requirements met
• All CI pipelines succeeded
• CHANGELOG.md updated
  • Add a db-migration This indicates that a change includes a database migration label to the entry if your change includes a DB migration
  • Add a high-risk This issue suggests changes that have a high-probability of breaking existing code label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
  • Updates unreleased work already in Changelog, no new entry necessary
• UX feedback:
  • All UX related changes have been reviewed by a designer
  • No UX review needed
• Followup issues:
  • Followup issues created
  • No followup issues
• Database migrations:
  • Ensure that your downrev is up to date with the latest revision on main
  • Ensure that your downgrade() migration is correct and works
    • If a downgrade migration is not possible for this change, please call this out in the PR description!
  • No migrations
• Documentation:
  • Documentation complete, PR opened in fidesdocs
  • Documentation issue created in fidesdocs
  • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
  • No documentation updates required

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
fides-plus-nightly	Ignored	Preview	Feb 12, 2026 8:56pm
fides-privacy-center	Ignored		Feb 12, 2026 8:56pm

[greptile-apps]

Greptile Overview

Greptile Summary

This PR adds additional SSO configuration options for custom OpenID providers, including scopes, email field mappings, and email verification settings.

Key Changes:

• Added four new columns to openid_provider table: scopes, email_field, verify_email, and verify_email_field
• Frontend form now supports configuring these fields for custom SSO providers
• verify_email defaults to true to require verified emails by default

Issues Found:

• Backend model missing server_default="t" for verify_email column (should match migration)
• TypeScript types incorrectly mark verify_email as nullable when backend has nullable=False

Confidence Score: 3/5

• This PR has minor issues that should be fixed before merging to avoid runtime errors
• The migration and frontend form implementation are solid, but there's a mismatch between the model definition and migration (server_default missing), and the auto-generated TypeScript types incorrectly mark verify_email as nullable when the database column is non-nullable. These issues could cause runtime errors.
• Pay close attention to src/fides/api/models/openid_provider.py and the API schema generation that produces the TypeScript types

Important Files Changed

Filename	Overview
src/fides/api/models/openid_provider.py	Added new SSO configuration fields (scopes, email_field, verify_email, verify_email_field), but model is missing server_default="t" for verify_email column to match the migration
src/fides/api/alembic/migrations/versions/xx_2026_02_10_1850_4d64174f422e_additional_sso_configurations.py	Migration correctly adds four new columns with proper nullable settings and server_default="t" for boolean column
clients/admin-ui/src/types/api/models/OpenIDProvider.ts	Auto-generated TypeScript types add new fields but incorrectly define verify_email as nullable when backend model has nullable=False
clients/admin-ui/src/features/openid-authentication/SSOProviderForm.tsx	Added new form fields for scopes, email configuration, and email verification with proper conditional rendering. verify_email defaults to true correctly

[greptile-apps]

_{3 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

clients/admin-ui/src/features/openid-authentication/SSOProviderForm.tsx
TypeScript types for OpenIDProviderCreate and OpenIDProvider are missing the new fields added to the backend model (scopes, email_field, verify_email, verify_email_field). Need to regenerate types by running npm run openapi:generate after updating backend Pydantic schemas, or manually add these fields to the type definitions.

[tvandort]

@greptileai pls rereview

[greptile-apps]

_{7 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[tvandort]

@greptileai pls rereview

[greptile-apps]

_{7 files reviewed, 2 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Type mismatch: verify_email is defined as nullable here but the backend model has nullable=False. This could cause runtime errors if the frontend sends null. Since these are auto-generated files, check the backend API schema generation to ensure it correctly reflects nullable=False.

[tvandort]

I'll try it but this should be fine given that the database has a default value.

[lucanovera]

Code changes look good. Form generally looks good, but I was very confused when looking at this state:

I get now that this is meant to support an array of multiple string values, but I don't think that is communicated correctly. Could we change that something that looks like this?

[lucanovera]

Tested UI with the new array interface, add/edit/save works correctly. approved

[lucanovera]

@tvandort I noticed when you edit a provider, the client id and secret fields are empty but marked as required so you can't save until you enter those again. I'm not sure if the api supports partial updates or not, in any case it can be a followup improvement

[thabofletcher]

Migration/BE model looks good - I have not tested.

[tvandort]

@tvandort I noticed when you edit a provider, the client id and secret fields are empty but marked as required so you can't save until you enter those again. I'm not sure if the api supports partial updates or not, in any case it can be a followup improvement

@lucanovera I didn't see this before but I believe this is by design. If you were able to change the authorization endpoint without re-entering the client id and client secret you a malicious administrator could redirect the auth flow to a malicious server and receive the id and secret.

Could be wrong but it reads to me like a feature not a bug.