fix(clerk-js,types): Fix stale SignIn on authenticateWithRedirect for enterprise_sso

[LauraBeatris]

Description

This PR introduces a fix specifically for custom flows with enterprise_sso

Currently, authenticateWithRedirect always uses the existing client SignIn for saml or enterprise_sso strategy, even if the identifier gets changed by the user in a custom flow, which leads to an issue where FAPI queries the wrong enterprise connection:

CleanShot.2025-02-10.at.16.20.39.mp4

Our SignInStart component always creates a new SignIn; therefore, the flow above works smoothly:

javascript/packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx

Lines 299 to 312 in e182055

	const res = await safePasswordSignInForEnterpriseSSOInstance(signIn.create(buildSignInParams(fields)), fields);
	switch (res.status) {
	case 'needs_identifier':
	// Check if we need to initiate an enterprise sso flow
	if (res.supportedFirstFactors?.some(ff => ff.strategy === 'saml' || ff.strategy === 'enterprise_sso')) {
	await authenticateWithEnterpriseSSO();
	}
	break;
	case 'needs_first_factor':
	if (res.supportedFirstFactors?.every(ff => ff.strategy === 'enterprise_sso')) {
	await authenticateWithEnterpriseSSO();
	break;
	}

With fix

This PR introduces a new continueSignIn option for signIn.authenticateWithRedirect, which defaults to false, therefore it'll create a new SignIn object on every call.

Within SignInStart, we pass continueSignIn as false in order to reuse the current SignIn created, and call /prepare-first-factor after.

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

Summary by CodeRabbit

• Bug Fixes
  • Resolved an issue where users were redirected to the wrong identity provider during SAML and enterprise SSO sign-in flows.
• New Features
  • Enhanced authentication flow to properly refresh the connection identifier on each sign-in attempt for SAML and enterprise SSO.
  • Added an option to continue an existing sign-in session during authentication redirects.
• Tests
  • Updated tests to verify the improved SSO authentication behavior.

[changeset-bot]

🦋 Changeset detected

Latest commit: b41e0fa

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 22 packages

Name	Type
@clerk/clerk-js	Patch
@clerk/types	Patch
@clerk/chrome-extension	Patch
@clerk/clerk-expo	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/elements	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/localizations	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/clerk-react	Patch
@clerk/remix	Patch
@clerk/shared	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/themes	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
clerk-js-sandbox	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 24, 2025 3:31pm

[LauraBeatris]

I found a PR comment a while ago (going to track it again to paste here) that the reasoning for not creating within here was to avoid issues if we created sign-in from AIOs.

My changes tackle exactly for this case, where SignIn provides continueSignIn as true

[panteliselef]

Is the issue only saml and enterprise_sso ?
I think adding a new property just makes things more complicated for the caller. My understanding is that now developers would need to pass both identifier and continueSignIn.

Can we get around this by checking if identifiers match ?

[LauraBeatris]

enterprise_sso and saml since those rely on the identifier to query for the SSO connection.

They wouldn't have to pass continueSignIn to authenticateWithRedirect since it defaults to false, but it's being passed from SignInStart since it always creates a fresh sign-in:

javascript/packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx

Lines 299 to 312 in e182055

	const res = await safePasswordSignInForEnterpriseSSOInstance(signIn.create(buildSignInParams(fields)), fields);
	switch (res.status) {
	case 'needs_identifier':
	// Check if we need to initiate an enterprise sso flow
	if (res.supportedFirstFactors?.some(ff => ff.strategy === 'saml' || ff.strategy === 'enterprise_sso')) {
	await authenticateWithEnterpriseSSO();
	}
	break;
	case 'needs_first_factor':
	if (res.supportedFirstFactors?.every(ff => ff.strategy === 'enterprise_sso')) {
	await authenticateWithEnterpriseSSO();
	break;
	}

[LauraBeatris]

Can we get around this by checking if identifiers match ?

I guess this will work 🤔 but we still have the problem where SignInStart calls authenticateWithRedirect, so we cannot place this logic there otherwise it'd create two sign-ins.

[panteliselef]

I see, is that because on needs_identifier we want to call prepare instead of create ?

[LauraBeatris]

I see, is that because on needs_identifier we want to call prepare instead of create ?

Yeah, exactly, so SignInStart needs to handle the progressive flow. Custom flows also need to do so, so it's fair to also always create a fresh sign-in.

[coderabbitai]

📝 Walkthrough

## Walkthrough

This change addresses an issue in the authentication flow for SAML and Enterprise SSO strategies within the `@clerk/clerk-js` package. The main update ensures that the connection identifier is refreshed or updated with each call to `authenticateWithRedirect`, preventing redirection to the wrong identity provider. The implementation involves refactoring the `authenticateWithRedirectOrPopup` method to adjust the sequence of creating or preparing the sign-in factors, adding a new optional `continueSignIn` property to the `AuthenticateWithRedirectParams` type, and updating both the `SignInStart` component and its tests to include this new property in relevant authentication flows. No exported or public API signatures were otherwise altered.

## Suggested reviewers

- aeliox

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.changeset/grumpy-lamps-study.md (1)

8-8: Fix minor grammar issue in the changeset description.

The sentence could benefit from improved punctuation for clarity.

Apply this diff to improve readability:

-Previously, the same connection identifier would be used on every `authenticateWithRedirect` call leading to redirecting to the wrong identity provider
+Previously, the same connection identifier would be used on every `authenticateWithRedirect` call, leading to redirecting to the wrong identity provider

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 545999c and 0607b66.

📒 Files selected for processing (5)

• .changeset/grumpy-lamps-study.md (1 hunks)
• packages/clerk-js/src/core/resources/SignIn.ts (1 hunks)
• packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx (1 hunks)
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx (2 hunks)
• packages/types/src/redirects.ts (1 hunks)

🧰 Additional context used

🪛 LanguageTool

.changeset/grumpy-lamps-study.md

[uncategorized] ~8-~8: Possible missing comma found.
Context: ...sed on every authenticateWithRedirect call leading to redirecting to the wrong ide...

(AI_HYDRA_LEO_MISSING_COMMA)

🔇 Additional comments (6)

packages/types/src/redirects.ts (1)

64-67: LGTM! Well-documented type addition.

The new continueSignIn property follows the same pattern as the existing continueSignUp property and is properly documented. The optional nature ensures backward compatibility.

packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx (1)

408-408: Correct implementation of the continueSignIn flag.

Setting continueSignIn: true in the SignInStart component ensures that the existing SignIn object is reused, preventing the stale connection identifier issue described in the PR objectives.

packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx (2)

294-294: Test correctly updated for SAML flow.

The test now properly expects continueSignIn: true in the authenticateWithRedirect call, validating the updated behavior in the SignInStart component.

---

318-318: Test correctly updated for Enterprise SSO flow.

The test now properly expects continueSignIn: true in the authenticateWithRedirect call, ensuring the component behavior is properly validated.

packages/clerk-js/src/core/resources/SignIn.ts (2)

235-254: Excellent refactoring that addresses the core issue.

The conditional logic properly handles the continueSignIn flag:

• When continueSignIn is true and a SignIn already exists (this.id), it skips creating a new SignIn object
• For SAML/Enterprise SSO strategies, it always calls prepareFirstFactor to ensure proper setup
• This prevents the stale connection identifier issue by reusing existing SignIn objects when appropriate

The separation of concerns between create and prepareFirstFactor makes the flow clearer and more maintainable.

---

255-255: Correct access pattern for verification state.

Accessing this.firstFactorVerification directly is appropriate here since we're using the internal state that was updated by the previous prepareFirstFactor call, rather than relying on destructured response values.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.changeset/grumpy-lamps-study.md (1)

6-8: Polish wording and include the new continueSignIn flag

Using the imperative voice is preferred in changesets (Fix vs. Fixes).
A comma is needed after call, and it’s helpful to explicitly mention the newly-added continueSignIn option so downstream consumers immediately see the API addition.

-Fixes stale `SignIn` object on `authenticateWithRedirect` for `saml` and `enterprise_sso` custom flows
-
-Previously, the same connection identifier would be used on every `authenticateWithRedirect` call leading to redirecting to the wrong identity provider
+Fix stale `SignIn` object when calling `authenticateWithRedirect` in `saml` and `enterprise_sso` custom flows.
+
+Previously, the same connection identifier was reused on every `authenticateWithRedirect` call, leading to redirection to the wrong identity provider.
+
+This patch also introduces an optional `continueSignIn` flag (default `false`) that lets you explicitly reuse the current `SignIn` instance when desired.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0607b66 and e18281a.

📒 Files selected for processing (5)

• .changeset/grumpy-lamps-study.md (1 hunks)
• packages/clerk-js/src/core/resources/SignIn.ts (1 hunks)
• packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx (1 hunks)
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx (2 hunks)
• packages/types/src/redirects.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/types/src/redirects.ts
• packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx
• packages/clerk-js/src/ui/components/SignIn/tests/SignInStart.test.tsx
• packages/clerk-js/src/core/resources/SignIn.ts

🧰 Additional context used

🪛 LanguageTool

.changeset/grumpy-lamps-study.md

[uncategorized] ~8-~8: Possible missing comma found.
Context: ...sed on every authenticateWithRedirect call leading to redirecting to the wrong ide...

(AI_HYDRA_LEO_MISSING_COMMA)

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Build Packages
• GitHub Check: semgrep/ci
• GitHub Check: Analyze (javascript-typescript)

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@6160

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@6160

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@6160

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@6160

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@6160

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@6160

@clerk/elements

npm i https://pkg.pr.new/@clerk/elements@6160

@clerk/clerk-expo

npm i https://pkg.pr.new/@clerk/clerk-expo@6160

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@6160

@clerk/express

npm i https://pkg.pr.new/@clerk/express@6160

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@6160

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@6160

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@6160

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@6160

@clerk/clerk-react

npm i https://pkg.pr.new/@clerk/clerk-react@6160

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@6160

@clerk/remix

npm i https://pkg.pr.new/@clerk/remix@6160

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@6160

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@6160

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@6160

@clerk/themes

npm i https://pkg.pr.new/@clerk/themes@6160

@clerk/types

npm i https://pkg.pr.new/@clerk/types@6160

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@6160

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@6160

commit: b41e0fa

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

.changeset/grumpy-lamps-study.md (2)

6-9: Add comma for readability and fix run-on sentence

The sentence is currently hard to parse. Insert a comma after “call” (or break it into two sentences) to eliminate the run-on and match the LanguageTool hint.

-Previously, the same connection identifier would be used on every `authenticateWithRedirect` call leading to redirecting to the wrong identity provider
+Previously, the same connection identifier would be used on every `authenticateWithRedirect` call, leading to redirection to the wrong identity provider.

---

6-6: Mention the new continueSignIn flag in the summary

The changeset headline explains what was fixed but omits the newly-added continueSignIn option that developers must be aware of. Explicitly calling this out will make the release notes clearer.

-Fixes stale `SignIn` object on `authenticateWithRedirect` for `saml` and `enterprise_sso` custom flows
+Adds `continueSignIn` flag and fixes stale `SignIn` object on `authenticateWithRedirect` for `saml` and `enterprise_sso` custom flows

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e18281a and b41e0fa.

📒 Files selected for processing (5)

• .changeset/grumpy-lamps-study.md (1 hunks)
• packages/clerk-js/src/core/resources/SignIn.ts (1 hunks)
• packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx (1 hunks)
• packages/clerk-js/src/ui/components/SignIn/__tests__/SignInStart.test.tsx (2 hunks)
• packages/types/src/redirects.ts (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/types/src/redirects.ts
• packages/clerk-js/src/ui/components/SignIn/SignInStart.tsx
• packages/clerk-js/src/ui/components/SignIn/tests/SignInStart.test.tsx
• packages/clerk-js/src/core/resources/SignIn.ts

🧰 Additional context used

🪛 LanguageTool

.changeset/grumpy-lamps-study.md

[uncategorized] ~8-~8: Possible missing comma found.
Context: ...sed on every authenticateWithRedirect call leading to redirecting to the wrong ide...

(AI_HYDRA_LEO_MISSING_COMMA)

⏰ Context from checks skipped due to timeout of 90000ms (5)

• GitHub Check: semgrep-cloud-platform/scan
• GitHub Check: Formatting | Dedupe | Changeset
• GitHub Check: Build Packages
• GitHub Check: semgrep/ci
• GitHub Check: Analyze (javascript-typescript)