gristlabs/grist-core

Prevent auto-creation of user or personal Team

Open

#1905 opened on Oct 28, 2025

View on GitHub
 (0 comments) (3 reactions) (0 assignees)TypeScript (3,613 stars) (168 forks)batch import
good first issue

Description

Describe the problem to be solved

This was initially posted on the community forum, but I was instructed to make a feature request.

I’m setting up self-hosted grist for my company with multiple orgs.

Not all users that are able to log in via OIDC should have access to Grist. However, Grist creates a new user and a “Personal Team” at domain /o/docs-{UserID} for every unrecognized user.

Describe the solution you would like

Either of the following

  1. Users are exclusively created by GRIST_SUPPORT_EMAIL via SCIM APIs. Once user profile info is retrieved from OIDC, if user does not exist, then 403 Forbidden.
  2. Unrecognized User logs in via OIDC and a new user is created, but no personal orgs are created thus user does not belong to any org and is shown the Access Denied screen when landing on /o/docs. It'd also be important to prevent the user from creating new orgs, via UI and API. Users are added to orgs exclusively by GRIST_SUPPORT_EMAIL via API.

Contributor guide

Tech stack
typescriptnodejs
Domain
backendauthenticationauthorization
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
OIDC basicsGrist self hosting setupNode.js
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
55
Research direction
Investigate how Grist creates users and personal teams during OIDC login. Look at the authentication flow and SCIM API endpoints. The issue proposes two solutions: either block user creation via SCIM or prevent personal org creation. Start by understanding the existing user creation logic in the backend (likely in server side TypeScript files related to authentication and organizations).