From d720c0500f3b654546a044654b38f942fba7085a Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Sun, 26 Apr 2026 12:06:39 +0200
Subject: [PATCH] fix: force fresh OIDC sign-in after onboarding to pick up new org membership
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

After creating a tenant, the existing Logto tokens don't include the new org membership/scopes. A hard page reload reused stale tokens, causing the SDK to either lose auth state (redirect loop to login) or fail to resolve org scopes (falling through to server UI instead of tenant UI). Replace window.location.href with signIn() to trigger a fresh OIDC flow. The existing Logto session cookie means auto-approval — no login form.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 ui/src/pages/OnboardingPage.tsx | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/ui/src/pages/OnboardingPage.tsx b/ui/src/pages/OnboardingPage.tsx
index 930165c..8337228 100644
--- a/ui/src/pages/OnboardingPage.tsx
+++ b/ui/src/pages/OnboardingPage.tsx
@@ -1,4 +1,5 @@
 import { useState, useEffect, useRef } from 'react';
+import { useLogto } from '@logto/react';
 import { Card, Input, Button, FormField, Alert } from '@cameleer/design-system';
 import cameleerLogo from '@cameleer/design-system/assets/cameleer-logo.svg';
 import { api } from '../api/client';
@@ -13,6 +14,7 @@ interface TenantResponse {
 }
 
 export function OnboardingPage() {
+  const { signIn } = useLogto();
   const [name, setName] = useState('');
   const [loading, setLoading] = useState(false);
   const [error, setError] = useState(null);
@@ -48,9 +50,11 @@ export function OnboardingPage() {
     setLoading(true);
     try {
       await api.post('/onboarding/tenant', { name, slug });
-      // Tenant created — force a full page reload so the Logto SDK
-      // picks up the new org membership and scopes on the next token refresh.
-      window.location.href = '/platform/';
+      // Tenant created — force a fresh OIDC sign-in so the Logto SDK gets
+      // new tokens that include the org membership just created. The existing
+      // Logto session cookie means the user won't see a login form — Logto
+      // auto-approves and redirects back with fresh tokens.
+      await signIn(`${window.location.origin}/platform/callback`);
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
       if (msg.includes('409')) {
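Review bot: The added `await signIn(...)` runs inside the same `try` as the tenant creation, so a failure to start the OIDC flow (for instance the SDK rejecting a redirect URI that is not registered for this origin, or a failed discovery fetch) is reported through the creation error path, and a retry would then land in the `409` branch because the tenant already exists. I would move the call after the `catch` block and guard it with its own `try`, with `setError('Tenant created, but refreshing your sign-in failed; please sign in again.')` in that handler, so the user is told the tenant exists and what to do next. It is also worth stating in the comment that the redirect URI is derived from `window.location.origin`, so the flow only works when that exact origin plus `/platform/callback` is registered at the IdP — the IdP's allow-list, not this code, is what prevents an attacker-chosen redirect, but a mismatch is a hard failure rather than a fallback to `/platform/`. Whether the SDK clears the pre-onboarding access tokens before redirecting, or only replaces them on callback, is not visible here; if the latter, a user pressing Back could keep acting with the stale token until it expires, which is worth confirming against the SDK. The enclosing submit handler starts and ends outside this hunk.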