Remove condition to always send redirect_url for SSO with after-auth (#6498)

Author: LauraBeatris

.changeset/mighty-ducks-occur.md

@@ -0,0 +1,5 @@
+---
+'@clerk/clerk-js': patch
+---
+
+Remove sending `redirect_url_complete` as `redirect_url` for SSO with after-auth flows

integration/tests/session-tasks-sign-up.test.ts

@@ -1,19 +1,28 @@
+import { createClerkClient } from '@clerk/backend';
 import { expect, test } from '@playwright/test';
 
 import { appConfigs } from '../presets';
+import { instanceKeys } from '../presets/envs';
 import type { FakeUser } from '../testUtils';
 import { createTestUtils, testAgainstRunningApps } from '../testUtils';
+import { createUserService } from '../testUtils/usersService';
 
 testAgainstRunningApps({ withEnv: [appConfigs.envs.withSessionTasks] })(
   'session tasks after sign-up flow @nextjs',
   ({ app }) => {
     test.describe.configure({ mode: 'serial' });
 
-    let fakeUser: FakeUser;
+    let regularFakeUser: FakeUser;
+    let fakeUserForOAuth: FakeUser;
 
     test.beforeEach(() => {
       const u = createTestUtils({ app });
-      fakeUser = u.services.users.createFakeUser({
+      regularFakeUser = u.services.users.createFakeUser({
+        fictionalEmail: true,
+        withPhoneNumber: true,
+        withUsername: true,
+      });
+      fakeUserForOAuth = u.services.users.createFakeUser({
         fictionalEmail: true,
         withPhoneNumber: true,
         withUsername: true,
@@ -23,10 +32,18 @@ testAgainstRunningApps({ withEnv: [appConfigs.envs.withSessionTasks] })(
     test.afterAll(async () => {
       const u = createTestUtils({ app });
       await u.services.organizations.deleteAll();
-      // Delete the user on the OAuth provider instance.
-      await fakeUser.deleteIfExists();
-      // Delete the user on the app instance.
-      await u.services.users.deleteIfExists({ email: fakeUser.email });
+      await regularFakeUser.deleteIfExists();
+
+      // Delete user from OAuth provider instance
+      const client = createClerkClient({
+        secretKey: instanceKeys.get('oauth-provider').sk,
+        publishableKey: instanceKeys.get('oauth-provider').pk,
+      });
+      const users = createUserService(client);
+      await users.deleteIfExists({ email: fakeUserForOAuth.email });
+      // Delete OAuth user from `with-session-tasks` instance
+      await u.services.users.deleteIfExists({ email: fakeUserForOAuth.email });
+
       await app.teardown();
     });
 
@@ -41,8 +58,8 @@ testAgainstRunningApps({ withEnv: [appConfigs.envs.withSessionTasks] })(
       const u = createTestUtils({ app, page, context });
       await u.po.signUp.goTo();
       await u.po.signUp.signUpWithEmailAndPassword({
-        email: fakeUser.email,
-        password: fakeUser.password,
+        email: regularFakeUser.email,
+        password: regularFakeUser.password,
       });
       await u.po.expect.toBeSignedIn();
 
@@ -71,7 +88,7 @@ testAgainstRunningApps({ withEnv: [appConfigs.envs.withSessionTasks] })(
       await u.po.signIn.getGoToSignUp().click();
 
       await u.po.signUp.waitForMounted();
-      await u.po.signUp.setEmailAddress(fakeUser.email);
+      await u.po.signUp.setEmailAddress(fakeUserForOAuth.email);
       await u.po.signUp.continue();
       await u.po.signUp.enterTestOtpCode();
 

packages/clerk-js/src/core/resources/SignIn.ts

@@ -43,7 +43,6 @@ import type {
 } from '@clerk/types';
 
 import {
-  buildURL,
   generateSignatureWithCoinbaseWallet,
   generateSignatureWithMetamask,
   generateSignatureWithOKXWallet,
@@ -251,24 +250,13 @@ export class SignIn extends BaseResource implements SignInResource {
     navigateCallback: (url: URL | string) => void,
   ): Promise<void> => {
     const { strategy, redirectUrl, redirectUrlComplete, identifier, oidcPrompt, continueSignIn } = params || {};
-
-    const redirectUrlWithAuthToken = SignIn.clerk.buildUrlWithAuth(redirectUrl);
-
-    // When after-auth is enabled, redirect to SSO callback route.
-    // This ensures organization selection tasks are displayed after sign-in,
-    // rather than redirecting to potentially unprotected pages while the session is pending.
-    const actionCompleteRedirectUrl = SignIn.clerk.__internal_hasAfterAuthFlows
-      ? buildURL({
-          base: redirectUrlWithAuthToken,
-          search: `?redirect_url=${redirectUrlComplete}`,
-        }).toString()
-      : redirectUrlComplete;
+    const actionCompleteRedirectUrl = redirectUrlComplete;
 
     if (!this.id || !continueSignIn) {
       await this.create({
         strategy,
         identifier,
-        redirectUrl: redirectUrlWithAuthToken,
+        redirectUrl,
         actionCompleteRedirectUrl,
       });
     }

packages/clerk-js/src/core/resources/SignUp.ts

@@ -290,18 +290,11 @@ export class SignUp extends BaseResource implements SignUpResource {
 
     const redirectUrlWithAuthToken = SignUp.clerk.buildUrlWithAuth(redirectUrl);
 
-    // When force after-auth is enabled, redirect to SSO callback route.
-    // This ensures organization selection tasks are displayed after sign-up,
-    // rather than redirecting to potentially unprotected pages while the session is pending.
-    const actionCompleteRedirectUrl = SignUp.clerk.__internal_hasAfterAuthFlows
-      ? redirectUrlWithAuthToken
-      : redirectUrlComplete;
-
     const authenticateFn = () => {
       const authParams = {
         strategy,
         redirectUrl: redirectUrlWithAuthToken,
-        actionCompleteRedirectUrl,
+        actionCompleteRedirectUrl: redirectUrlComplete,
         unsafeMetadata,
         emailAddress,
         legalAccepted,