Skip to content

[codex] preserve OAuth authorization redirect after login#278

Merged
Rabithua merged 3 commits into
developfrom
codex/oauth-login-redirect
Jul 3, 2026
Merged

[codex] preserve OAuth authorization redirect after login#278
Rabithua merged 3 commits into
developfrom
codex/oauth-login-redirect

Conversation

@Rabithua

@Rabithua Rabithua commented Jul 3, 2026

Copy link
Copy Markdown
Owner

Summary

  • Centralize safe login redirect parsing and login URL generation.
  • Return unauthenticated HTTP MCP authorization users to /oauth/authorize?requestId=... after password/passkey/OAuth login instead of /home.
  • Return users to the authorization page after registration when the login page has an OAuth authorization redirect target, and avoid interrupting that flow with the optional passkey setup prompt.
  • Keep the normal optional passkey setup prompt for ordinary registration redirects such as /home or /profile.
  • Preserve redirect context when protected routes send users to login and when third-party OAuth login fails or is cancelled.

Why

When an HTTP MCP OAuth authorization starts while the user is logged out, the frontend sends them to /login?redirect=.... Some login and registration paths could still lose that target, fall back to the app home page, or pause on optional setup UI, preventing the consent screen from appearing.

OAuth provider error and cancel callbacks also need to restore the login URL stored in the signed state token so the nested authorization redirect survives unsuccessful third-party login attempts.

Validation

  • cd server && bun run lint
  • cd server && bun run build
  • cd web && bun run lint
  • cd web && bun run build
  • Browser smoke on local backend/frontend: unauthenticated /oauth/authorize?requestId=... redirected to /login?redirect=...; after login it returned to /oauth/authorize?requestId=... and displayed 拒绝 / 允许.
  • Browser smoke on local backend/frontend: unauthenticated authorization flow opened the registration tab; after registration it returned directly to /oauth/authorize?requestId=... and displayed 拒绝 / 允许 without showing the optional passkey setup prompt.

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@Rabithua Rabithua merged commit be2da02 into develop Jul 3, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant