Scope signing user picker to team for multi-tenant SaaS (#6583)

This commit is contained in:
Anthony Stirling
2026-06-15 13:44:34 +01:00
committed by GitHub
parent 2a905c01c3
commit 9d7467cf90
6 changed files with 234 additions and 7 deletions
@@ -64,3 +64,8 @@ supabase.url=https://${app.supabase.project-ref}.supabase.co
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=https://${app.supabase.project-ref}.supabase.co/auth/v1/.well-known/jwks.json
spring.security.oauth2.resourceserver.jwt.audiences=${app.supabase.expected-aud}
# ---------- Multi-tenant scoping ----------
# Restrict the signing user picker to the caller's team; SaaS must be 'team'
# or unrelated tenants leak emails to each other.
storage.signing.userListScope=team