workos / authkit-nextjs

The WorkOS library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js.
MIT License

Wildcards in redirect URI do not work as expected #24

Closed tschumwalleye closed 6 days ago

tschumwalleye commented 6 months ago

I have branch URLs from Vercel preview deployments.

My WORKOS_REDIRECT_URI is configured as a wildcard in my dashboard following the guidelines here: WorkOS Docs.

After migrating to authkit-nextjs, redirected users land on a URL where the * is replaced with %2A.

https://*.example.com -> https://%2A.example.com

I would be able to pass in the URL at run-time if that was an option, which is how I handled this behavior before migrating. I would take advantage of the VERCEL_URL environment variable when calling the getAuthorizationUrl method.
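
As an added illustration (not part of the original thread and not authkit-nextjs code), one way to turn a runtime deployment host, such as the value of VERCEL_URL, into a concrete redirect URI and check it against the wildcard pattern before it is used. The function names, the /callback path, the sample hosts and the reading of * as exactly one DNS label are assumptions.

```javascript
// Added example; function names are hypothetical, not authkit-nextjs API.
// Assumption: "*" in the pattern host stands for exactly one DNS label.
function matchesWildcardRedirect(pattern, candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return false; // not an absolute URL
  }
  // Split the pattern by hand: it is a template, so it must never be
  // URL-parsed or percent-encoded itself.
  const m = /^(https?):\/\/([^\/?#]+)(\/[^?#]*)?$/.exec(pattern);
  if (!m) return false;
  const [, scheme, hostPattern, path = "/"] = m;
  if (url.protocol !== `${scheme}:`) return false;
  if (url.username || url.password || url.search || url.hash) return false;
  if (url.pathname !== path) return false;
  // url.host is lower-cased and keeps a non-default port, so a port that the
  // pattern does not name makes the last label differ and the match fail.
  const want = hostPattern.toLowerCase().split(".");
  const got = url.host.split(".");
  if (want.length !== got.length) return false;
  return want.every((label, i) =>
    label === "*" ? /^[a-z0-9-]+$/.test(got[i]) : label === got[i]
  );
}

// Build the concrete redirect URI for this deployment from its runtime host
// (for example the value of VERCEL_URL, which carries no scheme) and refuse
// anything the wildcard pattern does not cover.
function resolveRedirectUri(pattern, deploymentHost) {
  const candidate = pattern.replace(
    /^(https?:\/\/)[^\/?#]+/,
    (_, prefix) => prefix + deploymentHost
  );
  if (!matchesWildcardRedirect(pattern, candidate)) {
    throw new Error(`host "${deploymentHost}" is not covered by ${pattern}`);
  }
  return new URL(candidate).href;
}

// Constructed sample values, not taken from the thread.
const PATTERN = "https://*.example.com/callback";
console.log(resolveRedirectUri(PATTERN, "my-branch-abc123.example.com"));
console.log(matchesWildcardRedirect(PATTERN, "https://%2A.example.com/callback"));
```

The literal pattern and its percent-encoded form both fail the check, because the wildcard label only accepts hostname characters.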

PaulAsjes commented 6 months ago

Thanks for reporting this, that's definitely unintentional. We'll look into this and get back to you!

benoitgrelard commented 6 months ago

@tschumwalleye I'd like to ask a few questions to make sure I understand the issue:

I feel like the issue is that you are unable to pass in the actual URL (one that would match the wildcard scheme) at runtime. Is that correct?

If so, I think we just need to add an option to the getSignInUrl so it can be passed at runtime.

tschumwalleye commented 6 months ago

@benoitgrelard That is correct, being able to pass in the value at runtime would solve this problem.

The same goes for the signOut call: adding an option for a URL, an option for a path, or an option to disable the redirect so that it can be left to the developer to handle would solve this same issue.

benoitgrelard commented 6 months ago

I think signOut is different though, the URL it redirects to is configured in the dashboard.

tschumwalleye commented 6 months ago

That is correct, this leaves me with the same issue of being unable to pass in an accurate URL for preview deployments. I can bypass using the signOut function by calling cookies().delete("wos-session") myself, then redirecting. My concerns with this are:

ijxy commented 3 months ago

@PaulAsjes I have exactly the same issue.

Have tried many workarounds:

But none of these work due to how Vercel/Next handles environment variables on the edge/middleware runtime.

I think what I'd like to see here is a solution that allows for all the config to be passed in at runtime to create an object, from which everything else can be imported (analogous to how NextAuth works), e.g.

export const { authkitMiddleware, signOut, getUser, ... } = AuthKit({
  redirectUri: ...,
  cookieSecret: ...,
  clientId: ...,
  clientSecret: ...,
});

You can do more complicated things, but I think it makes the library harder to understand and use.

For example, AWS Amplify has some exports directly from the package and some that you have to instantiate using a builder function like NextAuth--in both cases, though, the config is a separate concern, either Amplify.configure(config) on the client or as an input to the builder function for server-side.

PaulAsjes commented 6 days ago

Fixed in v0.11.0.