feat(react-oidc): enforce uniqueness of redirect_uri and silent_redirect_uri (#1606) (release)

u0xaa55 · jmraxa · web-flow · commit b9656c255999 · 2025-09-17T10:59:34.000+02:00
Co-authored-by: Jean-Marc Rakotoarisoa &lt;jeanmarc.rakotoarisoa@axa.fr&gt;
diff --git a/packages/react-oidc/README.md b/packages/react-oidc/README.md
@@ -182,6 +182,9 @@ const App = () => (
 render(<App />, document.getElementById('root'));
 ```
 
+> [!WARNING]
+> If you have both `redirect_uri` and `silent_redirect_uri` configured, their value must be different.
+
 ```javascript
 const configuration = {
   loadingComponent: ReactComponent, // you can inject your own loading component
diff --git a/packages/react-oidc/src/OidcProvider.tsx b/packages/react-oidc/src/OidcProvider.tsx
@@ -102,6 +102,12 @@ export const OidcProvider: FC<PropsWithChildren<OidcProviderProps>> = ({
   getFetch = null,
   location = null,
 }) => {
+  if (configuration && configuration.redirect_uri && configuration.silent_redirect_uri) {
+    if (configuration.redirect_uri === configuration.silent_redirect_uri) {
+      throw new Error('redirect_uri and silent_redirect_uri must be different');
+    }
+  }
+
   const getOidc = (configurationName = 'default') => {
     return OidcClient.getOrCreate(getFetch ?? getFetchDefault, location ?? new OidcLocation())(
       configuration,
