From e538dc97559129d977afe68f55fc728fa8f6d62b Mon Sep 17 00:00:00 2001
From: "Garen J. Torikian" <gjtorikian@users.noreply.github.com>
Date: Thu, 28 May 2026 10:58:19 -0400
Subject: [PATCH] fix(sdk): omit defaulted screen_hint from auth URLs

---
 lib/Service/UserManagement.php        |  6 +++---
 tests/Service/RuntimeBehaviorTest.php | 17 +++++++++++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/lib/Service/UserManagement.php b/lib/Service/UserManagement.php
index 5fb767f1..df33f897 100644
--- a/lib/Service/UserManagement.php
+++ b/lib/Service/UserManagement.php
@@ -371,7 +371,7 @@ public function authenticateWithDeviceCode(
      * @param array<string, string>|null $providerQueryParams Key/value pairs of query parameters to pass to the OAuth provider.
      * @param array<string>|null $providerScopes Additional OAuth scopes to request from the identity provider.
      * @param string|null $invitationToken A token representing a user invitation to redeem during authentication.
-     * @param \WorkOS\Resource\RadarStandaloneAssessRequestAction $screenHint Used to specify which screen to display when the provider is `authkit`. Defaults to "sign-in".
+     * @param \WorkOS\Resource\RadarStandaloneAssessRequestAction|null $screenHint Used to specify which screen to display when the provider is `authkit`. Defaults to "sign-in".
      * @param string|null $loginHint A hint to the authorization server about the login identifier the user might use.
      * @param \WorkOS\Resource\UserManagementAuthenticationProvider|null $provider The OAuth provider to authenticate with (e.g., GoogleOAuth, MicrosoftOAuth, GitHubOAuth).
      * @param string|null $prompt Controls the authentication flow behavior for the user.
@@ -390,7 +390,7 @@ public function getAuthorizationUrl(
         ?array $providerQueryParams = null,
         ?array $providerScopes = null,
         ?string $invitationToken = null,
-        \WorkOS\Resource\RadarStandaloneAssessRequestAction $screenHint = \WorkOS\Resource\RadarStandaloneAssessRequestAction::SignIn,
+        ?\WorkOS\Resource\RadarStandaloneAssessRequestAction $screenHint = null,
         ?string $loginHint = null,
         ?\WorkOS\Resource\UserManagementAuthenticationProvider $provider = null,
         ?string $prompt = null,
@@ -406,7 +406,7 @@ public function getAuthorizationUrl(
             'provider_query_params' => $providerQueryParams,
             'provider_scopes' => $providerScopes,
             'invitation_token' => $invitationToken,
-            'screen_hint' => $screenHint->value,
+            'screen_hint' => $screenHint?->value,
             'login_hint' => $loginHint,
             'provider' => $provider?->value,
             'prompt' => $prompt,
diff --git a/tests/Service/RuntimeBehaviorTest.php b/tests/Service/RuntimeBehaviorTest.php
index f8496aa4..1e71d40f 100644
--- a/tests/Service/RuntimeBehaviorTest.php
+++ b/tests/Service/RuntimeBehaviorTest.php
@@ -103,6 +103,23 @@ public function testWrapperMethodsUseInstanceScopedCredentials(): void
         $this->assertSame('api_key_b', $requestBodyB['client_secret']);
     }
 
+    public function testAuthorizationUrlOmitsScreenHintUnlessProvided(): void
+    {
+        $client = $this->createMockClient([]);
+
+        $url = $client->userManagement()->getAuthorizationUrl(
+            redirectUri: 'https://example.com/callback',
+            provider: \WorkOS\Resource\UserManagementAuthenticationProvider::GoogleOAuth,
+            state: 'abc',
+        );
+
+        parse_str(parse_url($url, PHP_URL_QUERY) ?? '', $query);
+
+        $this->assertSame('GoogleOAuth', $query['provider']);
+        $this->assertSame('abc', $query['state']);
+        $this->assertArrayNotHasKey('screen_hint', $query);
+    }
+
     public function testAuthenticationErrorsAreMapped(): void
     {
         $client = $this->createMockClient([