Add external OAuth callback support for V2 #367

Open
thiva-k wants to merge 3 commits into asgardeo:main from thiva-k:add-oauth-callback

@thiva-k thiva-k commented Feb 17, 2026

This pull request introduces a new, robust OAuth callback handling flow for both the React and React Router packages, improving reliability and maintainability of authentication flows. The main changes include the addition of a headless BaseCallback component for OAuth parameter processing, a new Callback component for React Router, and the refactoring of OAuth code handling in the SignIn and AcceptInvite flows to use a shared useOAuthCallback hook. This results in more secure state management, better error handling, and a cleaner separation of concerns between framework-agnostic logic and framework-specific navigation.

Admin initiated user invite flow using the new Callback Component:

Screen.Recording.2026-02-17.at.15.07.41.mov

OAuth Callback Handling Infrastructure:

  • Added a new headless BaseCallback component in react that extracts and validates OAuth parameters from the URL, handles state management and errors, and redirects to the original path. This component is framework-agnostic and intended to be wrapped by framework-specific components.
  • Introduced a new Callback component in react-router that wraps BaseCallback and integrates with React Router's navigation, providing a drop-in solution for OAuth callback routes.
  • Exported the new Callback component from the react-router package for use in applications.

Refactoring and Integration in Authentication Flows:

  • Refactored the SignIn and AcceptInvite flows to use the shared useOAuthCallback hook for processing OAuth callback parameters, replacing previous inline and duplicated logic. This improves consistency and reliability of OAuth code handling. [1] [2] [3] [4]
  • Updated the OAuth redirect initiation logic in both SignIn and AcceptInvite flows to use the new initiateOAuthRedirect utility, ensuring secure state management and consistent redirect behavior. [1] [2]

Security and Robustness Improvements:

  • Enhanced validation of OAuth state and error handling in the callback flow, including checks for missing or expired state, and improved error reporting and redirection on failure.
  • Ensured that the flowId is stored in sessionStorage when initiating OAuth flows, so it can be reliably retrieved during the callback phase.

Minor Improvements and Cleanups:

  • Improved type definitions and documentation for callback-related components and props. [1] [2]
  • Cleaned up redundant or outdated code in the SignIn flow, such as the resolveFlowId function and previous OAuth code handling effect. [1] [2]
  • Added support for an optional redirectURL in the normalized flow response for more flexible redirection handling.
  • Improved invite token validation logic and error handling in the AcceptInvite flow.

These changes collectively modernize and harden the OAuth authentication flow across the codebase, making it easier to maintain and extend in the future.

@thiva-k thiva-k changed the title Add oauth callback Add external OAuth callback support for V2 Feb 17, 2026
@asgardeo-github-bot

⚠️ No Changeset found

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go.

If these changes should result in a version bump, you need to add a changeset.

Refer to Release Documentation to learn how to add a changeset.
