Use FAPI for OAuth popup callbacks#9174
Conversation
🦋 Changeset detectedLatest commit: 0b0c9fb The changes in this PR will be included in the next version bump. This PR includes changesets to release 4 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository YAML (base), Repository UI (inherited) Review profile: CHILL Plan: Pro Plus Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
Comment |
@clerk/astro
@clerk/backend
@clerk/chrome-extension
@clerk/clerk-js
@clerk/electron
@clerk/electron-passkeys
@clerk/eslint-plugin
@clerk/expo
@clerk/expo-passkeys
@clerk/express
@clerk/fastify
@clerk/hono
@clerk/localizations
@clerk/nextjs
@clerk/nuxt
@clerk/react
@clerk/react-router
@clerk/shared
@clerk/tanstack-react-start
@clerk/testing
@clerk/ui
@clerk/upgrade
@clerk/vue
commit: |
OAuth popup flows currently depend on the Account Portal hostname even when an application sends all Frontend API traffic through its own proxy. That leaves a hostname dependency outside the proxy and prevents the popup flow from staying on the application's domain.
This changes Clerk.js to use the new FAPI popup callback route by default for both existing and future SignIn/SignUp flows. Clerk.js generates a random state value before starting the flow and accepts the callback message only when its origin matches the effective FAPI origin, its source is the opened popup, and its state matches. Direct FAPI and proxied FAPI URLs use the same path-building behavior.
Depends on https://github.com/clerk/clerk_go/pull/20467 being deployed before this Clerk.js version is released.