From 072964e38b23106dbc8f3d947e302b91579c5812 Mon Sep 17 00:00:00 2001
From: TerrifiedBug <admin@terrifiedbug.com>
Date: Sat, 7 Mar 2026 20:21:42 +0000
Subject: [PATCH] fix: set authMethod to OIDC for SCIM-provisioned users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SCIM-provisioned users were created with authMethod defaulting to LOCAL,
which blocked OIDC login ("local account exists" error). Since SCIM
users authenticate via SSO, they must be created as OIDC users.

This also unblocks OIDC group sync — team assignment happens on first
OIDC login via the groups claim, which requires successful sign-in.
---
 src/server/services/scim.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/server/services/scim.ts b/src/server/services/scim.ts
index 82a10f6d..3857a899 100644
--- a/src/server/services/scim.ts
+++ b/src/server/services/scim.ts
@@ -145,6 +145,7 @@ export async function scimCreateUser(scimUser: ScimUser): Promise<{ user: ScimUs
       email,
       name,
       passwordHash,
+      authMethod: "OIDC",
       scimExternalId: scimUser.externalId,
       lockedAt: scimUser.active === false ? new Date() : null,
       lockedBy: scimUser.active === false ? "SCIM" : null,