Add custom OAuth consent security guide#3413
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6ae5e884d1
6ae5e88 to 7beb713
💡 Codex Review
Reviewed commit: 7beb713efd
wobsoriano
this looks good on my end 👍🏼
7beb713 to 0bf3843
💡 Codex Review
Reviewed commit: 0bf3843f32
@coderabbitai review
0bf3843 to e0e89bf
@codex review
Codex Review: Didn't find any major issues. Already looking forward to the next diff.
| These examples display the full redirect hostname and an expandable full URL. For a production custom flow, use a public-suffix-aware approach for root-domain summaries, handle IP addresses and localhost explicitly, and test long redirect URIs to make sure the real destination remains visible. | ||
| These examples also do not implement organization selection. If an OAuth application can request `user:org:read`, use `<OAuthConsent />` or add an organization selector that submits the selected `organization_id` with the allow action. |
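Review bot: the redirect-URI guidance on the first quoted line leaves "public-suffix-aware" and "handle IP addresses and localhost explicitly" undefined, so an implementer can still ship a naive last-two-labels summary (which turns a host like app.example.co.uk into co.uk). Suggest stating that the root-domain summary must be derived from the Public Suffix List, that IP literals and localhost are displayed verbatim and never reduced to a summary, and that the untruncated redirect URI is always reachable through the expand control, since the whole point of the line is that the real destination stays visible.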
How can we remember to update this bit when <OrgSelect /> is made generally available? 🤔
Addressed in 18e9ae2 by making the limitation explicit and searchable: the guide now says to use <OAuthConsent /> or a custom organization selector until Clerk exposes a public organization selector for OAuth consent flows. That should give us a clear breadcrumb to update this section when a public selector is available.
~ 🤖
e0e89bf to 824e683
I was just testing these docs with an agent and it failed to hide the navbar. We definitely need some language to remind implementors that the consent dialog should be the only thing on the page -- no other nav like sign-in/out or user button. Any other navigation will break the OAuth flow. @jescalan
824e683 to d341a8e
Good call. Revised the skill a little bit - should fix this
@jescalan @jfoshee have left a bunch of comments and questions (sorry!) and pushed a minor docs review doing the following:
I still need to test some of this so will do that while waiting for responses.
f838911 to 10bc5f0
@SarahSoutoul ty! addressed the feedback here - if you want to take another look feel free, if you feel like it's all set that's great!
| @@ -0,0 +1,154 @@ | |||
| --- | |||
| title: Set up a custom OAuth consent page | |||
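Review bot: the frontmatter `title: Set up a custom OAuth consent page` in this hunk does not match the section name "Customize the OAuth consent page" that the PR summary says was added to the OAuth guide section; align the two, or confirm the nav label is intentionally different, so that a reader searching for either wording lands on the same page.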
@jescalan @jfoshee Question - is this only possible in the following SDKs:
astro, nextjs, nuxt, react, react-router, tanstack-react-start, vue
Asking cause if so, we should scope this guide to these SDKs, and then use components rather than for the code examples. I can make those changes, but wanna double check first.
Also, what about the custom flow? Right now, there are code examples for Next.js, React, React Router and Tanstack only? But not for Astro, Nuxt and Vue - that's on purpose?
Also, what about JavaScript - component is supported in js-frontend SDK, so would this guide apply to it or not?
Addressed in 7546f9e by scoping the custom consent guide to the SDKs that support the prebuilt <OAuthConsent /> component, converting the guide examples from tabs to SDK-filtered <If> blocks, and adding the js-frontend mount example. The low-level custom-flow examples remain limited to the React-based SDKs where useOAuthConsent() is exposed, with the existing note directing Astro, Vue, Nuxt, and JavaScript users toward the prebuilt component unless they intentionally build against ClerkJS.
~ 🤖
💡 Codex Review
Reviewed commit: 7546f9e857
@jescalan have just pushed a docs review pt2 with quite a few wording / structure changes. Could you take a look, and then I'd be happy to merge this into Rob's branch?
jescalan
@SarahSoutoul thanks for the rewrite here, only a couple little comments
Okay have applied changes from the feedback here + approved the PR. This is good to go if you're happy with the changes I made @jescalan. As a heads up to you and @wobsoriano, once this is merged, I will review the mother PR once again all together to be sure everything looks good.

Summary
Stacks on #3315. Adds a security-focused guide for configuring a custom OAuth consent page, with a strong recommendation to use the Account Portal or the prebuilt <OAuthConsent /> component instead of a fully custom flow. The guide covers consent phishing risk, required consent-screen content, redirect URI presentation, route configuration, safer appearance-based customization, and low-level custom-flow responsibilities.
Changes in this repo
- "Customize the OAuth consent page" to the OAuth guide section.
- <OAuthConsent /> examples for Next.js, React, React Router, TanStack React Start, Astro, Vue, and Nuxt.
Preview links
New pages:
Changed sections:
- <OAuthConsent /> component reference
- useOAuthConsent() hook reference
Parent PR
Validation
- rtk pnpm -C clerk-docs build
- rtk pnpm -C clerk-docs lint
- rtk git -C clerk-docs diff --check