Add custom OAuth consent security guide#3413
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6ae5e884d1
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
6ae5e88 to
7beb713
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7beb713efd
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
wobsoriano
left a comment
There was a problem hiding this comment.
this looks good on my end 👍🏼
7beb713 to
0bf3843
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0bf3843f32
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
@coderabbitai review |
0bf3843 to
e0e89bf
Compare
|
@codex review |
|
Codex Review: Didn't find any major issues. Already looking forward to the next diff. ℹ️ About Codex in GitHubYour team has set up Codex to review pull requests in this repo. Reviews are triggered when you
If Codex has suggestions, it will comment; otherwise it will react with 👍. Codex can also answer questions or update the PR. Try commenting "@codex address that feedback". |
There was a problem hiding this comment.
Love how simple these are. We have a separate issue to investigate alleviating the need for setting the referrer. We will circle back to these docs when we figure that out.
|
|
||
| These examples display the full redirect hostname and an expandable full URL. For a production custom flow, use a public-suffix-aware approach for root-domain summaries, handle IP addresses and localhost explicitly, and test long redirect URIs to make sure the real destination remains visible. | ||
|
|
||
| These examples also do not implement organization selection. If an OAuth application can request `user:org:read`, use `<OAuthConsent />` or add an organization selector that submits the selected `organization_id` with the allow action. |
There was a problem hiding this comment.
How can we remember to update this bit when <OrgSelect /> is made generally available? 🤔
e0e89bf to
824e683
Compare
|
I was just testing these docs with an agent and it failed to hide the navbar. We definitely need some language to remind implementors that the consent dialog should be the only thing on the page-- no other nav like sign-in/out or user button. Any other navigation will break the OAuth flow. @jescalan |
824e683 to
d341a8e
Compare
Good call. Revised the skill a little bit - should fix this |
| </If> | ||
|
|
||
| <If sdk="vue"> | ||
| ```vue {{ filename: 'oauth-consent.vue' }} |
| ```vue {{ filename: 'pages/oauth-consent.vue' }} | ||
| <script setup lang="ts"> | ||
| // Components are automatically imported | ||
| import { OAuthConsent } from '@clerk/nuxt/components' |
| <Tab> | ||
| ```vue {{ filename: 'src/pages/OAuthConsentPage.vue' }} | ||
| <script setup lang="ts"> | ||
| import { OAuthConsent, Show } from '@clerk/vue' | ||
| </script> | ||
|
|
||
| <template> | ||
| <Show when="signed-in"> | ||
| <OAuthConsent /> | ||
| </Show> | ||
| </template> | ||
| ``` | ||
|
|
||
| ```html {{ filename: 'index.html' }} | ||
| <meta name="referrer" content="strict-origin-when-cross-origin" /> | ||
| ``` | ||
| </Tab> |
| > [!IMPORTANT] | ||
| > Enabling the consent screen for all OAuth apps is **strongly recommended**. Without a consent screen, any logged-in user who visits an OAuth authorization URL automatically grants access to any requested scopes. The consent screen acts as a critical security checkpoint, preventing malicious apps from silently gaining access to user accounts. | ||
| > | ||
| > If you need to host the consent page on your own application domain, see [Customize the OAuth consent page](/docs/guides/configure/auth-strategies/oauth/custom-consent-page). Clerk strongly recommends using the default [Account Portal](/docs/guides/account-portal/overview) consent page unless you have a specific product requirement that it cannot satisfy. |
There was a problem hiding this comment.
We have slightly different wording for the scoped-access page -> If you need to host the consent page on your own application domain VS If you need to host the consent page yourself
Is that on purpose? If not, think it would be good to make the wording consistent across those two places. @jescalan @jfoshee
| ```tsx {{ filename: 'app/oauth-consent/page.tsx' }} | ||
| import { OAuthConsent, Show } from '@clerk/nextjs' | ||
|
|
||
| export const metadata = { |
| @@ -0,0 +1,154 @@ | |||
| --- | |||
| title: Customize the OAuth consent page | |||
There was a problem hiding this comment.
I have a slight preference for Set up a custom OAuth consent page as the title. I think it matches the content a bit better, since this guide is about creating and configuring a custom consent route and flow, not just visually customizing an existing page. Customize the OAuth consent page reads a little more like appearance/styling, while Set up... feels closer to the actual task the guide walks through. @jescalan @jfoshee
|
@jescalan @jfoshee have left a bunch of comments and questions (sorry!) and pushed a minor docs review doing the following:
I still need to test some of this so will do that while waiting for responses. |
Summary
Stacks on #3315. Adds a security-focused guide for configuring a custom OAuth consent page, with a strong recommendation to use the Account Portal or the prebuilt
<OAuthConsent />component instead of a fully custom flow.The guide covers consent phishing risk, required consent-screen content, redirect URI presentation, route configuration, safer appearance-based customization, and low-level custom-flow responsibilities.
Changes in this repo
Customize the OAuth consent pageto the OAuth guide section.<OAuthConsent />examples for Next.js, React, React Router, TanStack React Start, Astro, Vue, and Nuxt.Preview links
New pages:
Changed sections:
<OAuthConsent />component referenceuseOAuthConsent()hook referenceParent PR
Validation
rtk pnpm -C clerk-docs buildrtk pnpm -C clerk-docs lintrtk git -C clerk-docs diff --check