From 2ad5cf141fd95e28d14c61968df16524b7f93aef Mon Sep 17 00:00:00 2001
From: Max Peintner
Date: Tue, 21 Oct 2025 10:56:34 +0200
Subject: [PATCH] fix(login): Add Organization Scoping to IDP Auto-Linking (#10931)

This PR fixes an issue in the IDP auto-linking feature where user searches were performed globally instead of being scoped to the current organization context. This could result in IDP links being created for users in unintended organizations.

# Which Problems Are Solved

When IDP auto-linking was enabled (by email or username), the system would search for existing users across all organizations instead of restricting the search to the current organization context.

# How the Problems Are Solved

Added organization scoping to all three auto-linking code paths
---
 .../app/(login)/idp/[provider]/success/page.tsx | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
index 7723c21f6a0..8c0e9280562 100644
--- a/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
+++ b/apps/login/src/app/(login)/idp/[provider]/success/page.tsx
@@ -179,22 +179,21 @@ export default async function Page(props: {
 const email = addHumanUser?.email?.email;
 if (options.autoLinking === AutoLinkingOption.EMAIL && email) {
- foundUser = await listUsers({ serviceUrl, email }).then((response) => {
+ foundUser = await listUsers({ serviceUrl, email, organizationId: organization }).then((response) => {
 return response.result ? response.result[0] : null;
 });
 } else if (options.autoLinking === AutoLinkingOption.USERNAME) {
- foundUser = await listUsers(
- options.autoLinking === AutoLinkingOption.USERNAME
- ? { serviceUrl, userName: idpInformation.userName }
- : { serviceUrl, email },
- ).then((response) => {
- return response.result ? response.result[0] : null;
- });
+ foundUser = await listUsers({ serviceUrl, userName: idpInformation.userName, organizationId: organization }).then(
+ (response) => {
+ return response.result ? response.result[0] : null;
+ },
+ );
 } else {
 foundUser = await listUsers({
 serviceUrl,
 userName: idpInformation.userName,
 email,
+ organizationId: organization,
 }).then((response) => {
 return response.result ? response.result[0] : null;
 });