From 5fbeacae8c5c79917f532916e2e3853e5b7c35b8 Mon Sep 17 00:00:00 2001
From: rust <jrf0110@gmail.com>
Date: Sat, 14 Feb 2026 16:55:25 -0600
Subject: [PATCH] fix(auth): support IDP-initiated SSO by disabling OAuth state
 check for WorkOS

WorkOS validates SAML assertions and manages the OAuth code exchange securely,
so NextAuth's state check is unnecessary and breaks IDP-initiated SSO flows
where no state param or cookie exists.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 src/lib/user.server.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/lib/user.server.ts b/src/lib/user.server.ts
index 58776727d..5653a55a6 100644
--- a/src/lib/user.server.ts
+++ b/src/lib/user.server.ts
@@ -323,6 +323,7 @@ const authOptions: NextAuthOptions = {
       client: {
         token_endpoint_auth_method: 'client_secret_post',
       },
+      checks: [],
     }),
     // Email provider for magic link authentication using CredentialsProvider
     // We use CredentialsProvider because EmailProvider requires a database adapter,