chore(js,ui,shared): Correctly display OAuth consent redirect root domains#8700

Open
wobsoriano wants to merge 11 commits into main from rob/user-5440-consent-page-doesnt-use-public-suffix-list-to-extract-root

Member

@wobsoriano wobsoriano commented May 28, 2026

Description

The OAuth consent page was computing the display domain client-side by splitting the hostname on dots, which breaks for ccTLDs like .co.uk and hosting platforms like github.io. This is a security concern since users make trust decisions based on that domain.

The backend already has full PSL support, so this PR threads redirect_uri through to GET /v1/me/oauth/consent/{clientID} and uses the resolved redirectDomain from the response instead. The client-side heuristic is kept as a fallback for IPs, localhost, and older FAPI versions.

Part of USER-5440

Checklist

  • pnpm test runs as expected.
  • pnpm build runs as expected.
  • (If applicable) JSDoc comments have been added or updated for any package exports
  • (If applicable) Documentation has been updated

Type of change

  • 🐛 Bug fix
  • 🌟 New feature
  • 🔨 Breaking change
  • 📖 Refactoring / dependency upgrade / documentation
  • other:
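
Added example (not code from this PR or from Clerk): the last-two-labels heuristic the description refers to, next to a public-suffix lookup, run over constructed redirect URIs. The five-entry suffix set is a constructed subset of the PSL and all function names are hypothetical.

```javascript
// Constructed five-entry subset of the Public Suffix List (illustration only).
// The real list is far larger and also has wildcard and exception rules,
// which this sketch does not implement.
const SAMPLE_PUBLIC_SUFFIXES = new Set(['com', 'io', 'uk', 'co.uk', 'github.io']);

// The heuristic the PR description calls out: keep the last two labels.
function naiveRootDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// IP literals and localhost have no registrable domain.
function isIpOrLocalhost(hostname) {
  return (
    /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname) || // IPv4 literal
    hostname.startsWith('[') || // IPv6 literal, as URL.hostname renders it
    hostname === 'localhost' ||
    hostname.endsWith('.localhost')
  );
}

// Registrable domain = longest matching public suffix plus one label to its left.
function registrableDomain(hostname, suffixes = SAMPLE_PUBLIC_SUFFIXES) {
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (isIpOrLocalhost(host)) return null;
  const labels = host.split('.');
  // Walking from the full name down tries the longest candidate suffix first.
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join('.'))) {
      // i === 0 means the host itself is a public suffix: nothing to display.
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  // PSL default rule: an unlisted TLD counts as a one-label suffix.
  return labels.length >= 2 ? labels.slice(-2).join('.') : null;
}

// For each redirect URI, report what each approach would put on the consent page.
function compareDisplays(redirectUris) {
  return redirectUris.map(uri => {
    const host = new URL(uri).hostname;
    const naive = naiveRootDomain(host);
    return {
      host,
      naive,
      psl: registrableDomain(host),
      // true when the naive result is a suffix shared by unrelated registrants
      naiveShowsSharedSuffix: SAMPLE_PUBLIC_SUFFIXES.has(naive),
    };
  });
}

// Constructed sample redirect URIs.
const SAMPLE_REDIRECT_URIS = [
  'https://app.example.com/callback',
  'https://shop.example.co.uk/oauth/callback',
  'https://someuser.github.io/callback',
  'http://127.0.0.1:3000/callback',
  'http://localhost:3000/callback',
];

console.log(compareDisplays(SAMPLE_REDIRECT_URIS));
```

Rows where `naiveShowsSharedSuffix` is true are the ones where the consent page would name a suffix shared by many tenants instead of the party actually receiving the redirect.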

…omains for known multi-label public suffixes
vercel Bot commented May 28, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| clerk-js-sandbox | Ready | Preview, Comment | Jun 1, 2026 5:59pm |


changeset-bot Bot commented May 28, 2026

🦋 Changeset detected

Latest commit: 5254d8c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 20 packages
Name Type
@clerk/ui Patch
@clerk/clerk-js Patch
@clerk/shared Patch
@clerk/astro Patch
@clerk/chrome-extension Patch
@clerk/react Patch
@clerk/vue Patch
@clerk/expo Patch
@clerk/backend Patch
@clerk/expo-passkeys Patch
@clerk/express Patch
@clerk/fastify Patch
@clerk/hono Patch
@clerk/localizations Patch
@clerk/msw Patch
@clerk/nextjs Patch
@clerk/nuxt Patch
@clerk/react-router Patch
@clerk/tanstack-react-start Patch
@clerk/testing Patch


pkg-pr-new Bot commented May 28, 2026

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8700

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8700

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8700

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8700

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8700

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8700

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8700

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8700

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8700

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8700

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8700

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8700

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8700

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8700

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8700

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8700

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8700

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8700

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8700

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8700

commit: 5254d8c

@wobsoriano wobsoriano changed the title chore(clerk-js,ui,shared): Correctly display OAuth consent redirect domains for known multi-label public suffixes chore(js,ui,shared): Correctly display OAuth consent redirect root domains May 29, 2026
@wobsoriano wobsoriano marked this pull request as ready for review May 29, 2026 17:51
@wobsoriano wobsoriano requested a review from jfoshee May 29, 2026 17:51
Contributor

github-actions Bot commented May 29, 2026

API Changes Report

Generated by snapi on 2026-05-30T02:49:31.353Z

Summary

Metric Count
Packages analyzed 6
Packages with changes 1
🔴 Breaking changes 3
🟡 Non-breaking changes 0
🟢 Additions 0

Warning
3 breaking change(s) detected - Major version bump required


@clerk/shared

Current version: 4.14.0
Recommended bump: MAJOR → 5.0.0

Subpath ./react

🔴 Breaking Changes (1)

Changed: UseOAuthConsentParams
- type UseOAuthConsentParams = Pick<GetOAuthConsentInfoParams, 'oauthClientId' | 'scope'> & {
+ type UseOAuthConsentParams = Pick<GetOAuthConsentInfoParams, 'oauthClientId' | 'scope' | 'redirectUri'> & {
    keepPreviousData?: boolean;
    enabled?: boolean;
  };

Breaking change in type alias UseOAuthConsentParams: Type changed: Pick<GetOAuthConsentInfoParams,'oauthClientId'|'scope'>&{keepPreviousData?:boolean;enabled?:boolean;} → Pick<GetOAuthConsentInfoParams,'oauthClientId'|'scope'|'redirectUri'>&{keepPreviousData?:boolean;enabled?:boolean;}

Subpath ./types

🔴 Breaking Changes (2)

Changed: GetOAuthConsentInfoParams
  type GetOAuthConsentInfoParams = {
    oauthClientId: string;
    scope?: string;
+   redirectUri?: string;
  };

Breaking change in type alias GetOAuthConsentInfoParams: Type changed: {oauthClientId:string;scope?:string;} → {oauthClientId:string;scope?:string;redirectUri?:string;}

Changed: OAuthConsentInfo
// ... 3 unchanged lines elided ...
    oauthApplicationUrl: string;
    clientId: string;
    state: string;
+   redirectDomain: string | null;
    scopes: OAuthConsentScope[];
  };
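
Review bot: `redirectDomain: string | null` is added as a required property of OAuthConsentInfo, yet the PR description keeps the client-side heuristic as a fallback for older FAPI versions, which implies responses where the key is absent. Either declare it `redirectDomain?: string | null` or make sure the deserializer normalizes a missing value to `null`, so consumers that compare against `null` never render `undefined` as the domain the user is asked to trust.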

Breaking change in type alias OAuthConsentInfo: Type changed: {oauthApplicationName:string;oauthApplicationLogoUrl:string;oauthApplicationUrl:string;clientId:string;state:string;sco… → {oauthApplicationName:string;oauthApplicationLogoUrl:string;oauthApplicationUrl:string;clientId:string;state:string;red…


Report generated by snapi

Contributor

coderabbitai Bot commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: bd841a87-2889-45ff-b77a-137633eccdb2

📥 Commits

Reviewing files that changed from the base of the PR and between f54230a and dfa4c1f.

📒 Files selected for processing (1)
  • .changeset/quiet-terms-drum.md
✅ Files skipped from review due to trivial changes (1)
  • .changeset/quiet-terms-drum.md

📝 Walkthrough

This PR threads an optional redirectUri through the OAuth consent flow and surfaces a backend-resolved redirectDomain. Changes include type updates (adding redirectUri/redirectDomain), OAuthApplication.getConsentInfo accepting and sending redirect_uri and returning redirectDomain, propagating redirectUri into useOAuthConsent cache keys and fetch logic, deriving/passing redirectUri from the OAuthConsent component and preferring data.redirectDomain for display, and test updates plus a changeset releasing the fix.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding support for correctly displaying OAuth consent redirect root domains using the backend-resolved redirectDomain instead of client-side heuristics. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining the security concern with client-side domain extraction, the solution using the backend PSL support, and the fallback strategy. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
packages/ui/src/components/OAuthConsent/__tests__/OAuthConsent.test.tsx (1)

185-210: ⚡ Quick win

Add a regression test for redirectUrl override precedence.

Please add one public-path override test that sets redirectUrl via context props and asserts getConsentInfo receives that value as redirectUri. This protects the redirect-domain trust text path from source mismatch regressions.

As per coding guidelines: **/*.{test,spec}.{ts,tsx}: "Unit tests are required for all new functionality" and "Verify proper error handling and edge cases."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/ui/src/components/OAuthConsent/__tests__/OAuthConsent.test.tsx`
around lines 185 - 210, Add a regression test in the existing
OAuthConsent.test.tsx case that verifies public-path override precedence for
redirectUrl: reuse createFixtures/props.setProps (the same pattern used for
oauthClientId and scope overrides), set props.setProps({ componentName:
'OAuthConsent', redirectUrl: 'https://override.example/callback', oauthClientId:
'override_id', scope: 'openid email' }) and then mock getConsentInfo via
mockOAuthApplication(fixtures.clerk, { getConsentInfo }) and assert that
getConsentInfo was called with redirectUri: 'https://override.example/callback'
(i.e., expect(getConsentInfo).toHaveBeenCalledWith({ ..., redirectUri:
'https://override.example/callback' })), ensuring the test mirrors the existing
override test structure.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 61fb867e-80a7-4bfa-907a-c08e6c73b422

📥 Commits

Reviewing files that changed from the base of the PR and between b09788e and f5732df.

📒 Files selected for processing (8)
  • .changeset/quiet-terms-drum.md
  • packages/clerk-js/src/core/modules/oauthApplication/index.ts
  • packages/shared/src/react/hooks/useOAuthConsent.shared.ts
  • packages/shared/src/react/hooks/useOAuthConsent.tsx
  • packages/shared/src/react/hooks/useOAuthConsent.types.ts
  • packages/shared/src/types/oauthApplication.ts
  • packages/ui/src/components/OAuthConsent/OAuthConsent.tsx
  • packages/ui/src/components/OAuthConsent/__tests__/OAuthConsent.test.tsx

Comment on lines +53 to +57
const redirectUri = getRedirectUriFromSearch();
const { data, isLoading, error } = useOAuthConsent({
oauthClientId,
scope,
redirectUri: redirectUri || undefined,
Contributor

@coderabbitai coderabbitai Bot May 29, 2026

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use one redirect URI source for both consent fetch and display.

Line 57 always sends URL-derived redirectUri, while Line 74 allows context to override displayed redirectUrl. If those differ, domainAction can reflect backend resolution for a different URI than the one intended by context.

Suggested fix
-  const redirectUri = getRedirectUriFromSearch();
+  const redirectUri = ctx.redirectUrl ?? getRedirectUriFromSearch();
   const { data, isLoading, error } = useOAuthConsent({
     oauthClientId,
     scope,
     redirectUri: redirectUri || undefined,
     // TODO: Remove this once account portal is refactored to use this component
     enabled: !hasContextCallbacks,
   });
@@
-  const redirectUrl = ctx.redirectUrl ?? redirectUri;
+  const redirectUrl = redirectUri;
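
Review bot: on the first `+` line, `??` only falls through on null or undefined, while the unchanged `redirectUri: redirectUri || undefined` line treats an empty string as absent too; an empty `ctx.redirectUrl` would then shadow the search-param value and the hook would be called with no redirectUri at all. Normalize once (for example with `||` in both places) so the fetched and the displayed value cannot diverge on empty input. The `enabled: !hasContextCallbacks` line in the same hunk also means the fetch is skipped whenever context callbacks are set, so if this suggestion is not taken, state that invariant in a comment beside the TODO.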

Also applies to: 74-74, 90-90

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/ui/src/components/OAuthConsent/OAuthConsent.tsx` around lines 53 -
57, The code uses getRedirectUriFromSearch() for the consent fetch (passed into
useOAuthConsent as redirectUri) but allows a different redirectUrl to be shown
in the UI, causing a mismatch; compute a single resolvedRedirectUri once (e.g.,
const resolvedRedirectUri = contextProvidedRedirectUrl ??
getRedirectUriFromSearch() ?? undefined) and use that same resolvedRedirectUri
when calling useOAuthConsent and when rendering/displaying the redirect URL so
both backend fetch and UI display use the exact same value; update references to
redirectUri/redirectUrl in OAuthConsent (including the call site of
useOAuthConsent and the display logic) to use resolvedRedirectUri.

Contributor

Is ctx just used for testing?

Contributor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find where useOAuthConsentContext is defined and how ctx is populated
rg -n "useOAuthConsentContext|OAuthConsentContext|OAuthConsentCtx" --type=ts --type=tsx -A 5

Length of output: 447


🏁 Script executed:

#!/bin/bash
rg -rn "useOAuthConsentContext\|OAuthConsentContext" -A 5

Length of output: 312


🏁 Script executed:

#!/bin/bash
rg -rn "useOAuthConsentContext" -A 5
rg -rn "OAuthConsentContext" -A 5

Length of output: 5573


🏁 Script executed:

#!/bin/bash
# Get the full provider value and OAuthConsentCtx type
cat packages/ui/src/contexts/components/OAuthConsent.ts
rg -n "oauthClientId\|onAllow\|onDeny\|redirectUrl\|OAuthConsentCtx" packages/ui/src/contexts/ClerkUIComponentsContext.tsx -A 3

Length of output: 937


🏁 Script executed:

#!/bin/bash
rg -rn "OAuthConsentCtx" -A 15
rg -n "oauthClientId\|onAllow\|onDeny\|redirectUrl" packages/ui/src/contexts/ClerkUIComponentsContext.tsx -B 2 -A 3

Length of output: 2748


🏁 Script executed:

#!/bin/bash
# Get the full OAuthConsentCtx type from types.ts
rg -n "componentName: 'OAuthConsent'" packages/ui/src/types.ts -A 50 | head -60

Length of output: 1934



@jfoshee No — ctx is a production integration point, not a test mechanism. According to the type definitions in packages/ui/src/types.ts, it represents the accounts portal path: a separate accounts portal service pre-populates all data (scopes, oauthApplicationName, redirectUrl, etc.) and provides onAllow/onDeny callbacks via context.

This also invalidates my earlier review comment. The mismatch I described can't occur in practice because:

  • ctx.redirectUrl is only populated on the accounts portal path, which always sets onAllow/onDeny.
  • The useOAuthConsent hook has enabled: !hasContextCallbacks, so it is disabled on the accounts portal path entirely.
  • Therefore, in the only path where the hook actually runs (the public path), ctx.redirectUrl is always undefined, and both redirectUri and redirectUrl consistently resolve to getRedirectUriFromSearch().

My original concern was a false positive — the current code is correct as-is. Sorry for the noise.


Comment thread packages/ui/src/components/OAuthConsent/OAuthConsent.tsx Outdated
Co-authored-by: Jacob Foshee <jacobf@gmail.com>
Contributor

@jfoshee jfoshee left a comment

Did you test w/ AP locally? You should be able to test it locally now using make up/local-js

Member

@jacekradko jacekradko left a comment

Need to update the changeset

@@ -0,0 +1,5 @@
---
'@clerk/ui': patch
Member

Looks like this also touches shared and clerk-js

Member Author

thanks! will update after some more local testing later

Contributor

github-actions Bot commented Jun 1, 2026

API Changes Report

Generated by Break Check on 2026-06-01T18:03:40.522Z

Summary

Metric Count
Packages analyzed 19
Packages with changes 1
🔴 Breaking changes 3
🟡 Non-breaking changes 3
🟢 Additions 2

Warning
3 breaking change(s) detected - Major version bump required

🤖 This report was reviewed by claude-sonnet-4-6.

Note
Break Check could not snapshot 3 subpaths; the diff below excludes them.

  • @clerk/astro ./env: Internal Error: Unable to determine module for: /home/runner/_work/javascript/javascript/packages/astro/env.d.ts You have encountered a software defect. Please consider reporting the issue to the maintainers of this application.
  • @clerk/shared ./cookie: Internal Error: Unable to follow symbol for "Cookies" You have encountered a software defect. Please consider reporting the issue to the maintainers of this application.
  • @clerk/testing ./cypress: Symbol not found for identifier: Cypress

@clerk/shared

Current version: 4.14.0
Recommended bump: MAJOR → 5.0.0

Subpath ./apiUrlFromPublishableKey

🟡 Non-breaking Changes (1)

Modified: apiUrlFromPublishableKey
- apiUrlFromPublishableKey: (publishableKey: string) => "https://api.lclclerk.com" | "https://api.clerkstage.dev" | "https://api.clerk.com"
+ apiUrlFromPublishableKey: (publishableKey: string) => "https://api.clerk.com" | "https://api.lclclerk.com" | "https://api.clerkstage.dev"

Static analyzer: Breaking change in function apiUrlFromPublishableKey: Return type changed: "https://api.lclclerk.com"|"https://api.clerkstage.dev"|"https://api.clerk.com" → "https://api.clerk.com"|"https://api.lclclerk.com"|"https://api.clerkstage.dev"

🤖 AI review (reclassified as non-breaking) (95%): The return type is a union of the exact same three string literal members — only their order in the union has changed. TypeScript union types are order-independent structurally, so any well-typed consumer code that accepted or narrowed against this union will continue to compile and run correctly.

Subpath ./index-BNZ1yViR

🟢 Additions (1)

Added: ./index-BNZ1yViR

New subpath export ./index-BNZ1yViR (2781 exported members)

Subpath ./index-ZibUt-Ji

🔴 Breaking Changes (1)

Changed: ./index-ZibUt-Ji

Subpath export ./index-ZibUt-Ji was removed

Subpath ./react

🟡 Non-breaking Changes (1)

Modified: UseOAuthConsentParams
- type UseOAuthConsentParams = Pick<GetOAuthConsentInfoParams, 'oauthClientId' | 'scope'> & {
+ type UseOAuthConsentParams = Pick<GetOAuthConsentInfoParams, 'oauthClientId' | 'scope' | 'redirectUri'> & {
    keepPreviousData?: boolean;
    enabled?: boolean;
  };

Static analyzer: Breaking change in type alias UseOAuthConsentParams: Type changed: !Pick:type<import("@clerk/shared").~GetOAuthConsentInfoParams,'oauthClientId'|'scope'>&{keepPreviousData?:boolean;enabl… → !Pick:type<import("@clerk/shared").~GetOAuthConsentInfoParams,'oauthClientId'|'scope'|'redirectUri'>&{keepPreviousData?…

🤖 AI review (reclassified as non-breaking) (80%): The change adds 'redirectUri' to the Pick keys, meaning UseOAuthConsentParams now includes an additional optional property from GetOAuthConsentInfoParams. Since redirectUri comes from GetOAuthConsentInfoParams (an input type), adding it as an optional field widens what callers can pass — existing call sites that don't pass redirectUri remain valid. The type is used as a parameter to useOAuthConsent, so consumers passing objects without redirectUri are unaffected. This is a non-breaking addition of an optional input field.

Subpath ./types

🔴 Breaking Changes (1)

Changed: OAuthConsentInfo
// ... 3 unchanged lines elided ...
    oauthApplicationUrl: string;
    clientId: string;
    state: string;
+   redirectDomain: string | null;
    scopes: OAuthConsentScope[];
  };

Static analyzer: Breaking change in type alias OAuthConsentInfo: Type changed: {oauthApplicationName:string;oauthApplicationLogoUrl:string;oauthApplicationUrl:string;clientId:string;state:string;sco… → {oauthApplicationName:string;oauthApplicationLogoUrl:string;oauthApplicationUrl:string;clientId:string;state:string;red…

🤖 AI review (confirmed) (95%): A new required field redirectDomain: string | null is added to the OAuthConsentInfo output type. Code that constructs or destructures this type (e.g. implementing it or pattern-matching all fields) must now handle the new required property, breaking consumers who produce or exhaustively read this type.

Migration: Update any code that constructs or reads OAuthConsentInfo to include the new redirectDomain: string | null field.

🟡 Non-breaking Changes (1)

Modified: GetOAuthConsentInfoParams
  type GetOAuthConsentInfoParams = {
    oauthClientId: string;
    scope?: string;
+   redirectUri?: string;
  };

Static analyzer: Breaking change in type alias GetOAuthConsentInfoParams: Type changed: {oauthClientId:string;scope?:string;} → {oauthClientId:string;scope?:string;redirectUri?:string;}

🤖 AI review (reclassified as non-breaking) (95%): The change adds an optional redirectUri? field to GetOAuthConsentInfoParams. Since this is an input type (callers pass values of this type), adding an optional property is non-breaking — existing callers don't need to supply it and their existing objects still satisfy the new type.

Subpath ./url-Dvy3tJz6

🔴 Breaking Changes (1)

Changed: ./url-Dvy3tJz6

Subpath export ./url-Dvy3tJz6 was removed

Subpath ./url-rBRb2mp2

🟢 Additions (1)

Added: ./url-rBRb2mp2

New subpath export ./url-rBRb2mp2 (24 exported members)


Report generated by Break Check

Member Author

wobsoriano commented Jun 1, 2026

> Did you test w/ AP locally? You should be able to test it locally now using make up/local-js

I tested via pnpm dev:sandbox since the backend change is live and can confirm it strips correct root domain 👍🏼

Screenshot 2026-06-01 at 10 36 42 AM

@wobsoriano
Member Author

@jacekradko thoughts on the API changes report here #8700 (comment) ?

The OAuthConsentInfo update is backwards compat
