Prerequisites
Describe the issue
Summary
exchangeAuthCode posts redirect_uri: redirectURL (raw) to /oauth2/token,
while mapLoginMethodParamsForUrl posts redirect_uri: sanitizeUrl(redirectURL)
to /oauth2/authorize. sanitizeUrl strips trailing slashes. When a
consumer's configured redirectURL has a trailing slash
(e.g. https://app.example.com/), the two requests disagree and the
token exchange fails:
POST /oauth2/token → 400 {"error":"invalid_grant", "error_description":"The 'redirect_uri' from this request does not match the one from the authorize request."}
End users see a redirect loop after returning from Kinde.
Reproduce
Use the React SDK (@kinde-oss/kinde-auth-react) with a redirectUri ending
in /. Login succeeds at /oauth2/authorize but /oauth2/token returns
invalid_grant.
Source pointers
lib/utils/mapLoginMethodParamsForUrl.ts:14-19 — uses sanitizeUrl(options.redirectURL).
lib/utils/exchangeAuthCode.ts:143-148 — uses raw redirectURL.
lib/utils/sanitizeUrl.ts:31-45 — strips trailing slash unless URL is /.
Suggested fix
Apply sanitizeUrl(redirectURL) in exchangeAuthCode so both calls send
identical values regardless of how the consumer formats the configured URL.
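As an added illustration, not code from @kinde/js-utils, a minimal TypeScript model of the two request builders named above. sanitizeUrl here is a stand-in written from the behaviour described for lib/utils/sanitizeUrl.ts, and the function names (authorizeParams, tokenBodyCurrent, tokenBodyFixed, redirectUriMatches) are assumptions:

```typescript
// Stand-in for sanitizeUrl (assumed from the issue text): strips one trailing
// slash unless the URL is exactly "/".
function sanitizeUrl(url: string): string {
  if (url === "/") return url;
  return url.endsWith("/") ? url.slice(0, -1) : url;
}

// Query parameters for /oauth2/authorize, as mapLoginMethodParamsForUrl is
// described: redirect_uri goes through sanitizeUrl.
function authorizeParams(redirectURL: string): URLSearchParams {
  return new URLSearchParams({
    response_type: "code",
    redirect_uri: sanitizeUrl(redirectURL),
  });
}

// Body for /oauth2/token as exchangeAuthCode is described today: the raw
// redirectURL is sent, so a configured trailing slash survives here only.
function tokenBodyCurrent(redirectURL: string, code: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectURL,
  });
}

// Body for /oauth2/token with the suggested fix: same sanitizeUrl call as the
// authorize request, so both sides send byte-identical values.
function tokenBodyFixed(redirectURL: string, code: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: sanitizeUrl(redirectURL),
  });
}

// Models the server-side comparison behind the 400 invalid_grant response:
// the token request's redirect_uri must equal the one from the authorize request.
function redirectUriMatches(authorize: URLSearchParams, token: URLSearchParams): boolean {
  return authorize.get("redirect_uri") === token.get("redirect_uri");
}

// Constructed sample: a redirectURL configured with a trailing slash.
const configuredRedirect = "https://app.example.com/";
const authorize = authorizeParams(configuredRedirect);
const mismatchToday = !redirectUriMatches(authorize, tokenBodyCurrent(configuredRedirect, "code123"));
const matchesAfterFix = redirectUriMatches(authorize, tokenBodyFixed(configuredRedirect, "code123"));
```

Without the trailing slash both builders already agree, which is why the bug only surfaces for consumers who configure the URL as https://app.example.com/.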
Environment
@kinde/js-utils 0.29.0
@kinde-oss/kinde-auth-react 5.10.1
- SPA + PKCE flow with custom domain
Library URL
https://github.com/kinde-oss/kinde-auth-react
Library version
5.10.1
Operating system(s)
Other (see “Further environment details”)
Operating system version(s)
Amazon Linux 2023 for AWS CodeBuild on Lambda
Further environment details
Built for Tanstack Router using Bun 1.3.13+bf2e2cecf
Reproducible test case URL
No response
Additional information
No response