Description
Bug report
- I confirm this is a bug with Supabase, not with my own application.
- I confirm I have searched the Docs, GitHub Discussions, and Discord.
Describe the bug
When using signInWithSSO with a redirectTo parameter, the redirect URL is only respected on successful authentication. On failure, the redirect always goes to the configured SiteURL, completely ignoring redirectTo.
To Reproduce
- Configure a Supabase project with:
  - Site URL: https://example.com
  - Redirect URLs allow list includes: https://app.example.com/*
- Call signInWithSSO with a redirectTo to a different domain:

```js
await supabase.auth.signInWithSSO({
  domain: 'company.com',
  options: {
    redirectTo: 'https://app.example.com/auth/callback',
  },
});
```

- Trigger an SSO error (e.g., user already exists with a different auth method)
- Observe that the redirect goes to https://example.com (Site URL) instead of https://app.example.com/auth/callback
Expected behavior
Error redirects should respect redirectTo if it's in the allow list, with error details passed as query parameters. Should only fall back to SiteURL if redirectTo is missing or not in the allow list.
Root Cause
In internal/api/samlacs.go lines 48-60, the error path hardcodes the redirect to SiteURL:

```go
func (a *API) SamlAcs(w http.ResponseWriter, r *http.Request) error {
	if err := a.handleSamlAcs(w, r); err != nil {
		u, uerr := url.Parse(a.config.SiteURL) // ← Always uses SiteURL
		// ...
		http.Redirect(w, r, u.String(), http.StatusSeeOther)
	}
	return nil
}
```

The success path (lines 339-341) correctly uses redirectTo from RelayState and only falls back to SiteURL if invalid.
System information
- OS: macOS
- Browser: Chrome
- Version of supabase-js: 2.91.1
- Version of Node.js: 22.x
Additional context
This makes it difficult to test SSO in development/staging environments that use a different domain than production, and prevents applications from handling SSO errors in their intended context.
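The following is an added, stand-alone illustration of the behaviour the report asks for in "Expected behavior"; it is not code from the report or from the Supabase auth server. It assumes the RelayState's redirectTo has already been resolved to a string (the lookup from the RelayState form value is out of scope), uses its own RedirectPolicy type in place of the project's config struct, treats an allow-list entry ending in "/*" as "that exact origin plus any path" (a simplification of the project's glob matching), and assumes the query parameter names "error" and "error_description". The error code and description in main() are constructed inputs.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedirectPolicy carries the two settings the report refers to: the
// project's Site URL and its Redirect URLs allow list. The type and field
// names are this example's own, not the project's config struct.
type RedirectPolicy struct {
	SiteURL      string
	URIAllowList []string
}

// IsAllowed reports whether candidate is covered by the allow list.
// An entry ending in "/*" matches any path under that exact origin;
// any other entry must match the candidate verbatim. This is a
// deliberate simplification of the project's glob matching (assumption).
func (p RedirectPolicy) IsAllowed(candidate string) bool {
	u, err := url.Parse(candidate)
	if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
		return false
	}
	for _, entry := range p.URIAllowList {
		if strings.HasSuffix(entry, "/*") {
			// Keep the trailing slash in the prefix so that a lookalike
			// host such as app.example.com.evil.net cannot pass.
			prefix := strings.TrimSuffix(entry, "*")
			if strings.HasPrefix(candidate, prefix) {
				return true
			}
			continue
		}
		if entry == candidate {
			return true
		}
	}
	return false
}

// ErrorRedirect builds the URL the ACS error path should send the browser
// to: relayRedirectTo when it is present and allow-listed, otherwise the
// Site URL, with the error carried as query parameters either way.
// The parameter names "error" and "error_description" are assumed here.
func (p RedirectPolicy) ErrorRedirect(relayRedirectTo, code, description string) (*url.URL, error) {
	target := p.SiteURL
	if relayRedirectTo != "" && p.IsAllowed(relayRedirectTo) {
		target = relayRedirectTo
	}
	u, err := url.Parse(target)
	if err != nil {
		return nil, fmt.Errorf("parse redirect target: %w", err)
	}
	q := u.Query() // preserve any query string already on the target
	q.Set("error", code)
	q.Set("error_description", description)
	u.RawQuery = q.Encode()
	return u, nil
}

func main() {
	policy := RedirectPolicy{
		SiteURL:      "https://example.com",
		URIAllowList: []string{"https://app.example.com/*"},
	}
	// Constructed inputs: the redirectTo from the report, a lookalike host,
	// and a missing RelayState. Only the first one should be honoured.
	for _, relay := range []string{
		"https://app.example.com/auth/callback",
		"https://app.example.com.evil.net/auth/callback",
		"",
	} {
		u, err := policy.ErrorRedirect(relay, "identity_already_exists",
			"user already exists with a different auth method")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("relay=%q -> %s\n", relay, u)
	}
}
```

The allow-list check is the part that matters: without it, honouring RelayState on the error path would turn an IdP-initiated failure into an open redirect, which is presumably why the fallback to SiteURL exists. The check above is intentionally prefix-based with the trailing slash kept, so `https://app.example.com/*` covers `https://app.example.com/auth/callback` but not `https://app.example.com.evil.net/...`; note that it also does not cover the bare origin `https://app.example.com` without a trailing slash.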