Is your feature request related to a problem? Please describe.
After successful authentication, users see a page that says "you may now close this page." During this, users can observe the localhost URL and the auth code in the browser's address bar. This both poses a security risk and is not an ideal user experience.
Describe the solution you'd like
I propose introducing an option to redirect the user to a custom URL after the auth code is captured. This way, developers can specify a custom, more user-friendly or informative URL for users to be directed to post-authentication, thereby hiding the localhost URL and the auth code from end-users.
Proposed API Changes
Introduce an optional parameter, possibly named postAuthRedirectURL, when initiating the OAuth2 flow. If provided, after the auth code is captured, the package should perform an HTTP 302 redirect to the given URL.
If the postAuthRedirectURL parameter isn't provided, the package should default to its current behavior.
Benefits
Enhances security by hiding the auth code and localhost URL from users.
Provides a better user experience by taking them to a meaningful or brand-consistent page post-authentication.
Gives developers additional control over the authentication flow.
Describe alternatives you've considered
An alternative could be to allow developers to customize the HTML content shown to users after auth code capture. This way, they can better integrate the messaging with their brand, but it still exposes the localhost URL.
Additional context
Hiding sensitive information from users is critical, especially when dealing with authentication flows. This change would be a valuable enhancement.
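The behaviour requested above, as an added example that is not the package's own code: a loopback callback handler in Go that checks `state`, hands the auth code to the application, and then either issues the HTTP 302 or falls back to the "close this page" message. `callbackHandler`, `simulate`, the `st-123` state value and `https://app.example/signed-in` are assumptions made for illustration, and the `state` check and response headers are additions not mentioned in the request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// callbackHandler (hypothetical) passes the captured code to the app over codeCh
// and, when postAuthRedirectURL is set, answers 302 instead of rendering a page.
func callbackHandler(wantState, postAuthRedirectURL string, codeCh chan<- string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		code := q.Get("code")
		if q.Get("state") != wantState || code == "" {
			http.Error(w, "invalid callback", http.StatusBadRequest)
			return
		}
		codeCh <- code
		// Do not cache the code-bearing response or expose its URL via Referer.
		w.Header().Set("Cache-Control", "no-store")
		w.Header().Set("Referrer-Policy", "no-referrer")
		if postAuthRedirectURL == "" {
			fmt.Fprintln(w, "You may now close this page.") // current behaviour
			return
		}
		http.Redirect(w, r, postAuthRedirectURL, http.StatusFound)
	}
}

// simulate drives one constructed callback request through the handler and
// returns the status, the Location header and the code the app received.
func simulate(target, redirectURL string) (int, string, string) {
	codeCh := make(chan string, 1)
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, target, nil)
	callbackHandler("st-123", redirectURL, codeCh)(rec, req)
	code := ""
	select {
	case code = <-codeCh:
	default: // nothing captured: the callback was rejected
	}
	return rec.Code, rec.Header().Get("Location"), code
}

func main() {
	fmt.Println(simulate("/callback?code=abc&state=st-123", "https://app.example/signed-in"))
	fmt.Println(simulate("/callback?code=abc&state=wrong", "https://app.example/signed-in"))
}
```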