Non-Arcade Users + User Source flow falling back to "Arcade Social Sign In" for tool authorization #856

Description

@jericksontsg

We configured a "Non-Arcade Users → User Source" gateway with a custom OIDC User Source (Microsoft Entra). Gateway sign-in works correctly. However, when an end user calls a Microsoft tool through the gateway for the first time, the authorization link in Claude Desktop sends them to your generic sign-in page (auth.arcade.dev/...) which then triggers OAuth against your "Arcade Social Sign In" Azure app — not through our configured User Source, and not through the OAuth Provider we set as the override for Microsoft tool calls.

Expected behavior: tool-authorization OAuth should route through our project's OAuth Provider override (which uses our TSG-owned Azure app), or at minimum reuse the User Source identity already established at gateway sign-in.

Actual behavior: each new user triggers admin consent requests for two additional Arcade-owned Azure apps in our tenant (Arcade.dev and Arcade Social Sign In), then sees the broad-scope Arcade.dev consent dialog instead of our narrow TSG-owned 7-scope app.

Our setup:

Org: jericksontsg's org, Default project
OAuth Provider: erickson-microsoft-connector (Microsoft type, marked overriding default in Global OAuth list)
User Source: TSG Microsoft Entra (OIDC, issuer https://login.microsoftonline.com//v2.0, subject claim email)
Gateway: TSG Shared MCP Gateway (Non-Arcade Users → User Source = TSG Microsoft Entra)

Is there a configuration setting to make tool-authorization flows reuse the User Source identity? Or is this a known limitation of Non-Arcade Users mode?
