Refactor instance ID handling in authorization flow and update state parameter format

kavindadimuthu · kavindadimuthu · commit 10ca5ed481d7 · 2026-02-16T12:03:12.000+05:30
diff --git a/packages/browser/src/utils/hasCalledForThisInstanceInUrl.ts b/packages/browser/src/utils/hasCalledForThisInstanceInUrl.ts
@@ -24,7 +24,7 @@
  * @return `true` if the URL contains a matching `state` search param, otherwise `false`.
  */
 const hasCalledForThisInstanceInUrl = (instanceId: number, params: string = window.location.search): boolean => {
-  const MATCHER: RegExp = new RegExp(`[?&]state=instance_${instanceId}-[^&]+`);
+  const MATCHER: RegExp = new RegExp(`[?&]state=instance_${instanceId}_[^&]+`);
 
   return MATCHER.test(params);
 };
diff --git a/packages/javascript/src/__legacy__/client.ts b/packages/javascript/src/__legacy__/client.ts
@@ -250,8 +250,6 @@ export class AsgardeoAuthClient<T> {
         authRequestConfig['client_secret'] = configData.clientSecret;
       }
 
-      authRequestConfig['state'] = 'instance_' + this.getInstanceId() + '-' + configData.clientId; 
-
       const authorizeRequestParams: Map<string, string> = getAuthorizeRequestUrlParams(
         {
           clientId: configData.clientId,
@@ -261,6 +259,7 @@ export class AsgardeoAuthClient<T> {
           redirectUri: configData.afterSignInUrl,
           responseMode: configData.responseMode,
           scopes: processOpenIDScopes(configData.scopes),
+          instanceId: this.getInstanceId().toString(),
         },
         {key: pkceKey},
         authRequestConfig,
diff --git a/packages/javascript/src/utils/getAuthorizeRequestUrlParams.ts b/packages/javascript/src/utils/getAuthorizeRequestUrlParams.ts
@@ -59,6 +59,7 @@ const getAuthorizeRequestUrlParams = (
     redirectUri: string;
     responseMode?: string;
     scopes?: string;
+    instanceId?: string;
   } & ExtendedAuthorizeRequestUrlParams,
   pkceOptions: {key: string},
   customParams: Record<string, string | number | boolean>,
@@ -105,6 +106,11 @@ const getAuthorizeRequestUrlParams = (
     });
   }
 
+  if (options.instanceId) {
+    const AUTH_INSTANCE_PREFIX = "instance_";
+    customParams[OIDCRequestConstants.Params.STATE] = AUTH_INSTANCE_PREFIX + options.instanceId;
+  }
+
   authorizeRequestParams.set(
     OIDCRequestConstants.Params.STATE,
     generateStateParamForRequestCorrelation(
