[Docs] Block direct sign-in flow initiation from browser SPAs#3455

Open
Malith-19 wants to merge 1 commit into thunder-id:main from Malith-19:deprecate-native-spa-flows

Conversation

@Malith-19

@Malith-19 Malith-19 commented Jun 22, 2026

Member

Purpose

Document that browser SPAs must use the redirect-based sign-in flow and cannot initiate a sign-in flow directly via POST /flow/execute.

This is the documentation companion to the SDK change. The JavaScript SDKs were moved out of this monorepo into thunder-id/javascript-sdks (#3456), so the actual SDK code change (the runtime block + JSDoc + README + tests) now lives there: thunder-id/javascript-sdks#3. This PR carries only the docs-site and sample changes that remain in this repo.

Approach

  • :::warning callouts added to the javascript, browser, react and vue SDK overview pages: browser SPAs must sign in via the redirect-based OAuth2 authorization_code + PKCE flow (<SignInButton /> / signIn()); initiating a sign-in flow directly in the browser is not supported and throws at runtime.
  • A notice on the react-vanilla-sample steering browser SPAs to the redirect-based react-sdk-sample.
  • Scoped to sign-in only — Thunder's /authorize initiates authentication only, so registration and recovery have no redirect-based equivalent and remain documented as-is.

Related Issues

Related PRs

Checklist

  • Followed the contribution guidelines.
  • Manual test round performed and verified.
  • Documentation provided.
    • Ran Vale and fixed all errors and warnings
  • Tests provided. (N/A — docs only; tests are in [WIP] Block direct sign-in flow initiation from browser SPAs javascript-sdks#3)
    • Unit Tests
    • Integration Tests
  • Breaking changes. (Fill if applicable)
    • Breaking changes section filled.
    • breaking change label added.

Security checks

  • Followed secure coding standards in WSO2 Secure Coding Guidelines
  • Confirmed that this PR doesn't commit any keys, passwords, tokens, usernames, or other secrets.

Note

[WIP] — paired with thunder-id/javascript-sdks#3; for testing and fine-tuning before review.

@coderabbitai

coderabbitai Bot commented Jun 22, 2026

Contributor

Important

Review skipped

Ignore keyword(s) in the title.

⛔ Ignored keywords (2)
  • WIP
  • DO NOT MERGE

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 36d87740-0694-4f50-b531-10d1711bec9a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@codecov

codecov Bot commented Jun 22, 2026


Bundle Report

Bundle size has no change ✅

@Malith-19 Malith-19 force-pushed the deprecate-native-spa-flows branch from ce6a417 to cc8ac5f on June 22, 2026 09:06
@Malith-19 Malith-19 changed the title from "[WIP] Deprecate direct SPA initiation of embedded flows" to "[WIP] Deprecate direct SPA initiation of sign-in flow" on Jun 22, 2026
@Malith-19 Malith-19 force-pushed the deprecate-native-spa-flows branch 3 times, most recently from 22d22d3 to a9dbe11 on June 22, 2026 09:43
@codecov

codecov Bot commented Jun 22, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

@Malith-19 Malith-19 force-pushed the deprecate-native-spa-flows branch from a9dbe11 to 18792bf on June 22, 2026 10:10
@Malith-19 Malith-19 changed the title from "[WIP] Deprecate direct SPA initiation of sign-in flow" to "[WIP] Block direct sign-in flow initiation from browser SPAs" on Jun 22, 2026
Browser SPAs cannot initiate a sign-in flow directly via POST /flow/execute;
they must use the redirect-based authorization_code + PKCE flow. Document
this in the SDK overview pages and the react-vanilla sample.

- Add callouts to the javascript, browser, react and vue SDK overview docs.
- Add a notice to the react-vanilla sample steering browser SPAs to the
  redirect-based react-sdk-sample.

The SDK code change lives in thunder-id/javascript-sdks (the SDKs were moved
out of this repo in thunder-id#3456).

Refs thunder-id#3217
Refs thunder-id#3219
@Malith-19 Malith-19 force-pushed the deprecate-native-spa-flows branch from 18792bf to aee89c5 on June 23, 2026 04:15
@Malith-19 Malith-19 changed the title from "[WIP] Block direct sign-in flow initiation from browser SPAs" to "[WIP] Docs: browser SPAs must use the redirect-based sign-in flow" on Jun 23, 2026
@Malith-19 Malith-19 added the labels "documentation" (Improvements or additions to documentation) and "skip-changelog" (Skip generating changelog for a particular PR) and removed the "Type/Improvement" label on Jun 23, 2026
@Malith-19 Malith-19 changed the title from "[WIP] Docs: browser SPAs must use the redirect-based sign-in flow" to "[WIP][Docs] Block direct sign-in flow initiation from browser SPAs" on Jun 23, 2026
@Malith-19 Malith-19 changed the title from "[WIP][Docs] Block direct sign-in flow initiation from browser SPAs" to "[Docs] Block direct sign-in flow initiation from browser SPAs" on Jun 23, 2026
> `POST /flow/execute` directly from the browser (the "app-native" pattern). Browser single-page
> applications are **not supported** for direct sign-in initiation and must sign in using the
> redirect-based OAuth2 `authorization_code` + PKCE flow — see the
> [`react-sdk-sample`](../react-sdk-sample) for the recommended approach. This sample is kept only
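Review bot: the notice tells the reader that direct initiation is "not supported" but not what happens when an SPA tries it, while the PR description states the SDK now throws at runtime; add one sentence right after "not supported" that names that behaviour and the error the developer will see, so someone who lands on this README while debugging the exception finds the explanation and the react-sdk-sample link in the same place.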

@ThaminduDilshan ThaminduDilshan Jun 23, 2026

Member


Not related to this PR, but related to your effort... IMO we shouldn't provide a sample for a non-recommended implementation. Instead we should give a nextJS sample maybe.

@darshanasbg @jeradrutnam @brionmario WDYT?
