fix: add OKTA and KEYCLOAK to tenant seeding allowlist#6249
Merged
Conversation
OKTA and KEYCLOAK auth types were missing from the allowlist in on_starting(), causing the tenant table to remain empty on fresh database deployments. This resulted in an infinite redirect loop between /signin and /incidents after successful SSO authentication. Also adds both types to excluded_from_default_user since users authenticate through the external IdP. Fixes keephq#6246
dosubot
Bot
added
the
size:XS
Contributor
Author
|
I have read the CLA Document and I hereby sign the CLA |
|
|
Contributor
|
Thanks for contributing @QuinnClaw . this PR seems to be a duplication of #6247. |
Contributor
|
🔥 Fantastic work @QuinnClaw! Your very first PR to keep has been merged! 🎉🥳 You've just taken your first step into open-source, and we couldn't be happier to have you onboard. 🙌 For any support, feel free to reach out on the community: https://slack.keephq.dev. Happy coding! 👩💻👨💻 |
wsimon1982
pushed a commit
to wsimon1982/keep
that referenced
this pull request
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #6246
OKTA and KEYCLOAK auth types were missing from the tenant seeding allowlist in
on_starting()(keep/api/config.py), causing thetenanttable to remain empty on fresh database deployments. Users experienced an infinite redirect loop between/signinand/incidentsafter successful SSO login because no tenant row existed.Changes
IdentityManagerTypes.KEYCLOAK.valueandIdentityManagerTypes.OKTA.valueto the auth type allowlist that gatestry_create_single_tenant()excluded_from_default_usersince users authenticate through the external IdP (consistent with OAUTH2PROXY and ONELOGIN behavior)Root Cause
The allowlist in
on_starting()only included DB, NOAUTH, OAUTH2PROXY, and ONELOGIN. OKTA and KEYCLOAK were missing despite being valid single-tenant auth types in theIdentityManagerTypesenum.Testing
IdentityManagerTypesenum includes both KEYCLOAK and OKTANote
Low Risk
Low risk, additive change to startup tenant seeding logic; main impact is ensuring fresh deployments using Okta/Keycloak create the expected tenant row and avoid redirect loops.
Overview
Ensures single-tenant seeding runs when
AUTH_TYPEiskeycloakoroktaby adding both to the allowlist gatingtry_create_single_tenant().Also excludes these auth types from default-user creation (matching
oauth2proxy/oneloginbehavior) since users authenticate via the external IdP.Reviewed by Cursor Bugbot for commit 6eec7d7. Bugbot is set up for automated code reviews on this repo. Configure here.