fix(sso): redact oidc client secret in providers response, add self-hosted org admin guard

Author: waleedlatif1

apps/sim/app/api/auth/sso/providers/route.ts

@@ -3,6 +3,7 @@ import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
+import { REDACTED_MARKER } from '@/lib/core/security/redaction'
 
 const logger = createLogger('SSOProvidersRoute')
 
@@ -50,10 +51,21 @@ export async function GET(request: NextRequest) {
         .from(ssoProvider)
         .where(whereClause)
 
-      providers = results.map((provider) => ({
-        ...provider,
-        providerType: (provider.samlConfig ? 'saml' : 'oidc') as 'oidc' | 'saml',
-      }))
+      providers = results.map((provider) => {
+        let oidcConfig = provider.oidcConfig
+        if (oidcConfig) {
+          try {
+            const parsed = JSON.parse(oidcConfig)
+            parsed.clientSecret = REDACTED_MARKER
+            oidcConfig = JSON.stringify(parsed)
+          } catch {}
+        }
+        return {
+          ...provider,
+          oidcConfig,
+          providerType: (provider.samlConfig ? 'saml' : 'oidc') as 'oidc' | 'saml',
+        }
+      })
     } else {
       const results = await db
         .select({

apps/sim/app/api/auth/sso/register/route.ts

@@ -1,4 +1,4 @@
-import { db, member } from '@sim/db'
+import { db, member, ssoProvider } from '@sim/db'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
@@ -144,7 +144,7 @@ export async function POST(request: NextRequest) {
     if (providerType === 'oidc') {
       const {
         clientId,
-        clientSecret,
+        clientSecret: rawClientSecret,
         scopes,
         pkce,
         authorizationEndpoint,
@@ -153,6 +153,31 @@ export async function POST(request: NextRequest) {
         jwksEndpoint,
       } = body
 
+      let clientSecret = rawClientSecret
+      if (rawClientSecret === REDACTED_MARKER) {
+        const [existing] = await db
+          .select({ oidcConfig: ssoProvider.oidcConfig })
+          .from(ssoProvider)
+          .where(eq(ssoProvider.providerId, providerId))
+          .limit(1)
+        if (!existing?.oidcConfig) {
+          return NextResponse.json(
+            { error: 'Cannot update: existing provider not found. Re-enter your client secret.' },
+            { status: 400 }
+          )
+        }
+        try {
+          clientSecret = JSON.parse(existing.oidcConfig).clientSecret
+        } catch {
+          return NextResponse.json(
+            {
+              error: 'Cannot update: failed to read existing secret. Re-enter your client secret.',
+            },
+            { status: 400 }
+          )
+        }
+      }
+
       const oidcConfig: any = {
         clientId,
         clientSecret,

apps/sim/ee/sso/components/sso-settings.tsx

@@ -133,6 +133,13 @@ export function SSO() {
       )
     }
   } else {
+    if (activeOrganization && !canManageSSO) {
+      return (
+        <div className='flex h-full items-center justify-center text-[var(--text-muted)] text-small'>
+          Only organization owners and admins can configure Single Sign-On settings.
+        </div>
+      )
+    }
     if (
       !activeOrganization &&
       !isLoadingProviders &&