oidc-spa 8.2.2 → 8.2.4

package/src/angular.ts

@@ -19,6 +19,7 @@ import { Router, type CanActivateFn } from "@angular/router";
 import type { ValueOrAsyncGetter } from "./tools/ValueOrAsyncGetter";
 import { getBaseHref } from "./tools/getBaseHref";
 import type { ConcreteClass } from "./tools/ConcreteClass";
+import { setDesiredPostLoginRedirectUrl } from "./core/desiredPostLoginRedirectUrl";
 
 export type ParamsOfProvide = {
     issuerUri: string;
@@ -96,11 +97,34 @@ export type ParamsOfProvide = {
     autoLogin?: boolean;
 
     /**
-     * Default: false
+     * Determines how session restoration is handled.
+     * Session restoration allows users to stay logged in between visits
+     * without needing to explicitly sign in each time.
      *
-     * See: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues
+     * Options:
+     *
+     * - **"auto" (default)**:
+     *   Automatically selects the best method.
+     *   If the app’s domain shares a common parent domain with the authorization endpoint,
+     *   an iframe is used for silent session restoration.
+     *   Otherwise, a full-page redirect is used.
+     *
+     * - **"full page redirect"**:
+     *   Forces full-page reloads for session restoration.
+     *   Use this if your application is served with a restrictive CSP
+     *   (e.g., `Content-Security-Policy: frame-ancestors "none"`)
+     *   or `X-Frame-Options: DENY`, and you cannot modify those headers.
+     *   This mode provides a slightly less seamless UX and will lead oidc-spa to
+     *   store tokens in `localStorage` if multiple OIDC clients are used
+     *   (e.g., your app communicates with several APIs).
+     *
+     * - **"iframe"**:
+     *   Forces iframe-based session restoration.
+     *   In development, if you go in your browser setting and allow your auth server’s domain
+     *   to set third-party cookies this value will let you test your app
+     *   with the local dev server as it will behave in production.
      */
-    noIframe?: boolean;
+    sessionRestorationMethod?: "iframe" | "full page redirect" | "auto";
 
     debugLogs?: boolean;
 
@@ -150,7 +174,10 @@ export type ParamsOfProvide = {
 assert<
     Equals<
         Omit<ParamsOfProvide, "autoLogoutWarningDurationSeconds">,
-        Omit<ParamsOfCreateOidc<any, boolean>, "homeUrl" | "BASE_URL" | "decodedIdTokenSchema">
+        Omit<
+            ParamsOfCreateOidc<any, boolean>,
+            "homeUrl" | "BASE_URL" | "noIframe" | "decodedIdTokenSchema"
+        >
     >
 >;
 
@@ -454,28 +481,55 @@ export abstract class AbstractOidcService<
 
             await instance.prInitialized;
 
-            const oidc = instance.#getOidc({ callerName: "enforceLoginGuard" });
+            const redirectUrl = router.serializeUrl(
+                router.createUrlTree(
+                    route.url.map(u => u.path),
+                    {
+                        queryParams: route.queryParams,
+                        fragment: route.fragment ?? undefined
+                    }
+                )
+            );
 
-            if (!oidc.isUserLoggedIn) {
-                const redirectUrl = router.serializeUrl(
-                    router.createUrlTree(
-                        route.url.map(u => u.path),
-                        {
-                            queryParams: route.queryParams,
-                            fragment: route.fragment ?? undefined
-                        }
-                    )
-                );
+            const oidc = instance.#getOidc({ callerName: "enforceLoginGuard" });
 
-                const doesCurrentHrefRequiresAuth =
-                    location.href.replace(/\/$/, "") === redirectUrl.replace(/\/$/, "");
+            const isUrlAlreadyReplaced =
+                window.location.href.replace(/\/$/, "") === redirectUrl.replace(/\/$/, "");
 
+            if (!oidc.isUserLoggedIn) {
                 await oidc.login({
-                    doesCurrentHrefRequiresAuth,
+                    doesCurrentHrefRequiresAuth: isUrlAlreadyReplaced,
                     redirectUrl
                 });
             }
 
+            define_temporary_postLoginRedirectUrl: {
+                if (isUrlAlreadyReplaced) {
+                    break define_temporary_postLoginRedirectUrl;
+                }
+
+                setDesiredPostLoginRedirectUrl({ postLoginRedirectUrl: redirectUrl });
+
+                const history_pushState = history.pushState;
+                const history_replaceState = history.replaceState;
+
+                const onNavigated = () => {
+                    history.pushState = history_pushState;
+                    history.replaceState = history_replaceState;
+                    setDesiredPostLoginRedirectUrl({ postLoginRedirectUrl: undefined });
+                };
+
+                history.pushState = function pushState(...args) {
+                    onNavigated();
+                    return history_pushState.call(history, ...args);
+                };
+
+                history.replaceState = function replaceState(...args) {
+                    onNavigated();
+                    return history_replaceState.call(history, ...args);
+                };
+            }
+
             return true;
         }) satisfies CanActivateFn;
         return canActivateFn;
@@ -569,6 +623,10 @@ export abstract class AbstractOidcService<
         return this.#getOidc({ callerName: "clientId" }).params.clientId;
     }
 
+    get validRedirectUri() {
+        return this.#getOidc({ callerName: "validRedirectUri" }).params.validRedirectUri;
+    }
+
     #isUserLoggedIn_override: boolean | undefined = undefined;
 
     get isUserLoggedIn() {

package/src/core/Oidc.ts

@@ -9,6 +9,7 @@ export declare namespace Oidc {
         params: {
             issuerUri: string;
             clientId: string;
+            validRedirectUri: string;
         };
     };
 

package/src/core/createOidc.ts

@@ -45,13 +45,14 @@ import { getIsOnline } from "../tools/getIsOnline";
 import { isKeycloak } from "../keycloak/isKeycloak";
 import { INFINITY_TIME } from "../tools/INFINITY_TIME";
 import { prShouldLoadApp } from "./prShouldLoadApp";
-import { getBASE_URL } from "./BASE_URL";
 import { getIsLikelyDevServer } from "../tools/isLikelyDevServer";
 import { createObjectThatThrowsIfAccessed } from "../tools/createObjectThatThrowsIfAccessed";
 import {
     evtIsThereMoreThanOneInstanceThatCantUserIframes,
     notifyNewInstanceThatCantUseIframes
 } from "./instancesThatCantUseIframes";
+import { getDesiredPostLoginRedirectUrl } from "./desiredPostLoginRedirectUrl";
+import { getHomeAndRedirectUri } from "./homeAndRedirectUri";
 
 // NOTE: Replaced at build time
 const VERSION = "{{OIDC_SPA_VERSION}}";
@@ -106,21 +107,6 @@ export type ParamsOfCreateOidc<
      *          extraTokenParams: { selectedCustomer: "xxx" }
      */
     extraTokenParams?: Record<string, string | undefined> | (() => Record<string, string | undefined>);
-    /**
-     * @deprecated: Use login({ redirectUrl: "..." }) instead.
-     *
-     * Usage discouraged, it's here because we don't want to assume too much on your
-     * usecase but I can't think of a scenario where you would want anything
-     * other than the current page.
-     *
-     * Where to redirect after successful login.
-     * Default: window.location.href (here)
-     *
-     * It does not need to include the origin, eg: "/dashboard"
-     *
-     * This parameter can also be passed to login() directly as `redirectUrl`.
-     */
-    postLoginRedirectUrl?: string;
 
     decodedIdTokenSchema?: {
         parse: (decodedIdToken_original: Oidc.Tokens.DecodedIdToken_OidcCoreSpec) => DecodedIdToken;
@@ -150,9 +136,43 @@ export type ParamsOfCreateOidc<
     autoLogin?: AutoLogin;
 
     /**
+     * Determines how session restoration is handled.
+     * Session restoration allows users to stay logged in between visits
+     * without needing to explicitly sign in each time.
+     *
+     * Options:
+     *
+     * - **"auto" (default)**:
+     *   Automatically selects the best method.
+     *   If the app’s domain shares a common parent domain with the authorization endpoint,
+     *   an iframe is used for silent session restoration.
+     *   Otherwise, a full-page redirect is used.
+     *
+     * - **"full page redirect"**:
+     *   Forces full-page reloads for session restoration.
+     *   Use this if your application is served with a restrictive CSP
+     *   (e.g., `Content-Security-Policy: frame-ancestors "none"`)
+     *   or `X-Frame-Options: DENY`, and you cannot modify those headers.
+     *   This mode provides a slightly less seamless UX and will lead oidc-spa to
+     *   store tokens in `localStorage` if multiple OIDC clients are used
+     *   (e.g., your app communicates with several APIs).
+     *
+     * - **"iframe"**:
+     *   Forces iframe-based session restoration.
+     *   In development, if you go in your browser setting and allow your auth server’s domain
+     *   to set third-party cookies this value will let you test your app
+     *   with the local dev server as it will behave in production.
+     *
+     *  See: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration
+     */
+    sessionRestorationMethod?: "iframe" | "full page redirect" | "auto";
+
+    /**
+     * @deprecated Use `sessionRestorationMethod: "full page redirect"` instead.
+     *
      * Default: false
      *
-     * See: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues
+     * See: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration
      */
     noIframe?: boolean;
 
@@ -205,6 +225,21 @@ export type ParamsOfCreateOidc<
 
     /** @deprecated: Use BASE_URL (same thing, just renamed). */
     homeUrl?: string;
+
+    /**
+     * This parameter is irrelevant in most usecases.
+     * It tells where to redirect after a successful login or autoLogin.
+     *
+     * If you are not in autoLogin mode there is absolutely no reason to use
+     * this parameter since you can pass `login({ redirectUrl: "..." })`.
+     *
+     * It can only be useful in some edge case with `autoLogin: true`
+     * When you want to precisely redirect somewhere after login.
+     *
+     * This can make sense if you have multiple clients to talk with different
+     * API and no iframe capabilities.
+     */
+    postLoginRedirectUrl?: string;
 };
 
 const globalContext = {
@@ -338,8 +373,8 @@ export async function createOidc_nonMemoized<
         __unsafe_clientSecret,
         __unsafe_useIdTokenAsAccessToken = false,
         __metadata,
-        noIframe = false,
-        scopes = ["openid", "profile"]
+        scopes = ["openid", "profile"],
+        sessionRestorationMethod = params.autoLogin === true ? "full page redirect" : "auto"
     } = params;
 
     const BASE_URL_params = params.BASE_URL ?? params.homeUrl;
@@ -370,33 +405,7 @@ export async function createOidc_nonMemoized<
         return extraTokenParamsOrGetter;
     })();
 
-    const homeUrlAndRedirectUri = toFullyQualifiedUrl({
-        urlish: (() => {
-            if (BASE_URL_params !== undefined) {
-                return BASE_URL_params;
-            }
-
-            const BASE_URL = getBASE_URL();
-
-            if (BASE_URL === undefined) {
-                throw new Error(
-                    [
-                        "oidc-spa: If you do not use the oidc-spa Vite plugin",
-                        "you must provide the BASE_URL to the earlyInit() examples:",
-                        "oidcSpaEarlyInit({ BASE_URL: import.meta.env.BASE_URL })",
-                        "oidcSpaEarlyInit({ BASE_URL: '/' })",
-                        "",
-                        "You can also pass this parameter to createOidc({ BASE_URL: '...' })",
-                        "or bootstrapOidc({ BASE_URL: '...' })"
-                    ].join("\n")
-                );
-            }
-
-            return BASE_URL;
-        })(),
-        doAssertNoQueryParams: true,
-        doOutputWithTrailingSlash: true
-    });
+    const { homeUrlAndRedirectUri } = getHomeAndRedirectUri({ BASE_URL_params });
 
     log?.(
         `Calling createOidc v${VERSION} ${JSON.stringify(
@@ -404,7 +413,7 @@ export async function createOidc_nonMemoized<
                 issuerUri,
                 clientId,
                 scopes,
-                oidcRedirectUri: homeUrlAndRedirectUri
+                validRedirectUri: homeUrlAndRedirectUri
             },
             null,
             2
@@ -416,8 +425,15 @@ export async function createOidc_nonMemoized<
     const oidcMetadata = __metadata ?? (await fetchOidcMetadata({ issuerUri }));
 
     const canUseIframe = (() => {
-        if (noIframe) {
-            return false;
+        switch (sessionRestorationMethod) {
+            case "auto":
+                break;
+            case "full page redirect":
+                return false;
+            case "iframe":
+                return true;
+            default:
+                assert<Equals<typeof sessionRestorationMethod, never>>;
         }
 
         third_party_cookies: {
@@ -525,7 +541,7 @@ export async function createOidc_nonMemoized<
                             ];
                         })(),
                         "\n\nMore info:",
-                        "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                        "https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
                     ].join(" ")
                 );
             } else {
@@ -555,7 +571,7 @@ export async function createOidc_nonMemoized<
                             ];
                         })(),
                         "\nMore info:",
-                        "https://docs.oidc-spa.dev/v/v8/resources/end-of-third-party-cookies#when-are-cookies-considered-third-party"
+                        "https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
                     ].join(" ")
                 );
             }
@@ -599,7 +615,7 @@ export async function createOidc_nonMemoized<
                               return new InMemoryWebStorage();
                           }
 
-                          const storage = createLazySessionStorage();
+                          const storage = createLazySessionStorage({ storageId: configId });
 
                           if (evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
                               storage.persistCurrentStateAndSubsequentChanges();
@@ -896,7 +912,7 @@ export async function createOidc_nonMemoized<
                         redirectUri: homeUrlAndRedirectUri,
                         clientId,
                         issuerUri,
-                        noIframe
+                        canUseIframe
                     });
                 }
 
@@ -957,11 +973,15 @@ export async function createOidc_nonMemoized<
                         action: "login",
                         doForceReloadOnBfCache: true,
                         redirectUrl: (() => {
-                            if (evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
-                                return window.location.href;
+                            if (postLoginRedirectUrl_default) {
+                                return postLoginRedirectUrl_default;
+                            }
+
+                            if (!evtIsThereMoreThanOneInstanceThatCantUserIframes.current) {
+                                return getRootRelativeOriginalLocationHref();
                             }
 
-                            return getRootRelativeOriginalLocationHref();
+                            return getDesiredPostLoginRedirectUrl() ?? window.location.href;
                         })(),
                         // NOTE: Wether or not it's the preferred behavior, pushing to history
                         // only works on user interaction so it have to be false
@@ -1020,7 +1040,8 @@ export async function createOidc_nonMemoized<
     const oidc_common: Oidc.Common = {
         params: {
             issuerUri,
-            clientId
+            clientId,
+            validRedirectUri: homeUrlAndRedirectUri
         }
     };
 

package/src/core/desiredPostLoginRedirectUrl.ts

@@ -0,0 +1,9 @@
+let postLoginRedirectUrl: string | undefined;
+
+export function setDesiredPostLoginRedirectUrl(params: { postLoginRedirectUrl: string | undefined }) {
+    postLoginRedirectUrl = params.postLoginRedirectUrl;
+}
+
+export function getDesiredPostLoginRedirectUrl() {
+    return postLoginRedirectUrl;
+}

package/src/core/diagnostic.ts

@@ -90,9 +90,9 @@ export async function createIframeTimeoutInitializationError(params: {
     redirectUri: string;
     issuerUri: string;
     clientId: string;
-    noIframe: boolean;
+    canUseIframe: boolean;
 }): Promise<OidcInitializationError> {
-    const { redirectUri, issuerUri, clientId, noIframe } = params;
+    const { redirectUri, issuerUri, clientId, canUseIframe } = params;
 
     check_if_well_known_endpoint_is_reachable: {
         const isValid = await getIsValidRemoteJson(`${issuerUri}${WELL_KNOWN_PATH}`);
@@ -105,7 +105,7 @@ export async function createIframeTimeoutInitializationError(params: {
     }
 
     iframe_blocked: {
-        if (noIframe) {
+        if (!canUseIframe) {
             break iframe_blocked;
         }
 
@@ -189,7 +189,7 @@ export async function createIframeTimeoutInitializationError(params: {
             messageOrCause: [
                 `${redirectUri} is currently served by your web server with the HTTP header \`${key_problem}: ${headers[key_problem]}\`.\n`,
                 "This header prevents the silent sign-in process from working.\n",
-                "Refer to this documentation page to fix this issue: https://docs.oidc-spa.dev/v/v8/resources/iframe-related-issues"
+                "Refer to this documentation page to fix this issue: https://docs.oidc-spa.dev/v/v8/resources/third-party-cookies-and-session-restoration"
             ].join(" ")
         });
     }

package/src/core/homeAndRedirectUri.ts

@@ -0,0 +1,36 @@
+import { toFullyQualifiedUrl } from "../tools/toFullyQualifiedUrl";
+import { getBASE_URL } from "./BASE_URL";
+
+export function getHomeAndRedirectUri(params: { BASE_URL_params: string | undefined }) {
+    const { BASE_URL_params } = params;
+
+    const homeUrlAndRedirectUri = toFullyQualifiedUrl({
+        urlish: (() => {
+            if (BASE_URL_params !== undefined) {
+                return BASE_URL_params;
+            }
+
+            const BASE_URL = getBASE_URL();
+
+            if (BASE_URL === undefined) {
+                throw new Error(
+                    [
+                        "oidc-spa: If you do not use the oidc-spa Vite plugin",
+                        "you must provide the BASE_URL to the earlyInit() examples:",
+                        "oidcSpaEarlyInit({ BASE_URL: import.meta.env.BASE_URL })",
+                        "oidcSpaEarlyInit({ BASE_URL: '/' })",
+                        "",
+                        "You can also pass this parameter to createOidc({ BASE_URL: '...' })",
+                        "or bootstrapOidc({ BASE_URL: '...' })"
+                    ].join("\n")
+                );
+            }
+
+            return BASE_URL;
+        })(),
+        doAssertNoQueryParams: true,
+        doOutputWithTrailingSlash: true
+    });
+
+    return { homeUrlAndRedirectUri };
+}

package/src/keycloak/keycloak-js/Keycloak.ts

@@ -21,9 +21,51 @@ import { type KeycloakUtils, createKeycloakUtils } from "../keycloakUtils";
 import { workerTimers } from "../../vendor/frontend/worker-timers";
 import { type StatefulEvt, createStatefulEvt } from "../../tools/StatefulEvt";
 import { readExpirationTimeInJwt } from "../../tools/readExpirationTimeInJwt";
+import { getHomeAndRedirectUri } from "../../core/homeAndRedirectUri";
 
 type ConstructorParams = KeycloakServerConfig & {
+    /**
+     * NOTE: This parameter is optional if you use the Vite plugin.
+     *
+     * This parameter let's you overwrite the value provided in
+     * oidcEarlyInit({ BASE_URL: xxx });
+     *
+     * What should you put in this parameter?
+     *   - Vite project:             `BASE_URL: import.meta.env.BASE_URL`
+     *   - Create React App project: `BASE_URL: process.env.PUBLIC_URL`
+     *   - Other:                    `BASE_URL: "/"` (Usually, or `/dashboard` if your app is not at the root of the domain)
+     */
     BASE_URL?: string;
+
+    /**
+     * Determines how session restoration is handled.
+     * Session restoration allows users to stay logged in between visits
+     * without needing to explicitly sign in each time.
+     *
+     * Options:
+     *
+     * - **"auto" (default)**:
+     *   Automatically selects the best method.
+     *   If the app’s domain shares a common parent domain with the authorization endpoint,
+     *   an iframe is used for silent session restoration.
+     *   Otherwise, a full-page redirect is used.
+     *
+     * - **"full page redirect"**:
+     *   Forces full-page reloads for session restoration.
+     *   Use this if your application is served with a restrictive CSP
+     *   (e.g., `Content-Security-Policy: frame-ancestors "none"`)
+     *   or `X-Frame-Options: DENY`, and you cannot modify those headers.
+     *   This mode provides a slightly less seamless UX and will lead oidc-spa to
+     *   store tokens in `localStorage` if multiple OIDC clients are used
+     *   (e.g., your app communicates with several APIs).
+     *
+     * - **"iframe"**:
+     *   Forces iframe-based session restoration.
+     *   In development, if you go in your browser setting and allow your auth server’s domain
+     *   to set third-party cookies this value will let you test your app
+     *   with the local dev server as it will behave in production.
+     */
+    sessionRestorationMethod?: "iframe" | "full page redirect" | "auto";
 };
 
 /**
@@ -99,7 +141,8 @@ export class Keycloak {
         let hasCreateResolved = false;
 
         const oidcOrError = await createOidc({
-            homeUrl: constructorParams.BASE_URL,
+            BASE_URL: constructorParams.BASE_URL,
+            sessionRestorationMethod: constructorParams.sessionRestorationMethod,
             issuerUri,
             clientId: this.#state.constructorParams.clientId,
             autoLogin,
@@ -892,11 +935,21 @@ export class Keycloak {
     createAccountUrl(options?: KeycloakAccountOptions & { locale?: string }): string {
         const { locale, redirectUri } = options ?? {};
 
-        const { keycloakUtils } = this.#state;
+        const { keycloakUtils, constructorParams } = this.#state;
 
         return keycloakUtils.getAccountUrl({
             clientId: this.clientId,
-            backToAppFromAccountUrl: redirectUri ?? location.href,
+            validRedirectUri: (() => {
+                if (redirectUri !== undefined) {
+                    return redirectUri;
+                }
+
+                const { homeUrlAndRedirectUri } = getHomeAndRedirectUri({
+                    BASE_URL_params: constructorParams.BASE_URL
+                });
+
+                return homeUrlAndRedirectUri;
+            })(),
             locale
         });
     }

package/src/keycloak/keycloakUtils.ts

@@ -1,5 +1,6 @@
 import { toFullyQualifiedUrl } from "../tools/toFullyQualifiedUrl";
 import { type KeycloakIssuerUriParsed, parseKeycloakIssuerUri } from "./keycloakIssuerUriParsed";
+import { assert } from "../tools/tsafe/assert";
 
 export type KeycloakUtils = {
     issuerUriParsed: KeycloakIssuerUriParsed;
@@ -7,7 +8,9 @@ export type KeycloakUtils = {
     adminConsoleUrl_master: string;
     getAccountUrl: (params: {
         clientId: string;
-        backToAppFromAccountUrl: string;
+        validRedirectUri?: string;
+        /** @deprecated: Use validRedirectUri */
+        backToAppFromAccountUrl?: string;
         locale?: string;
     }) => string;
     fetchUserProfile: (params: { accessToken: string }) => Promise<KeycloakProfile>;
@@ -49,17 +52,46 @@ export function createKeycloakUtils(params: { issuerUri: string }): KeycloakUtil
         issuerUriParsed,
         adminConsoleUrl: getAdminConsoleUrl(issuerUriParsed.realm),
         adminConsoleUrl_master: getAdminConsoleUrl("master"),
-        getAccountUrl: ({ clientId, backToAppFromAccountUrl, locale }) => {
+        getAccountUrl: ({ clientId, locale, ...rest }) => {
+            const validRedirectUri = (() => {
+                const { validRedirectUri, backToAppFromAccountUrl } = rest;
+
+                if (validRedirectUri !== undefined) {
+                    assert(
+                        backToAppFromAccountUrl === undefined,
+                        "getAccountUrl: backToAppFromAccountUrl is deprecated"
+                    );
+                    return validRedirectUri;
+                }
+
+                assert(
+                    backToAppFromAccountUrl !== undefined,
+                    "getAccountUrl: Must provide validRedirectUri"
+                );
+
+                return backToAppFromAccountUrl;
+            })();
+
             const accountUrlObj = new URL(
                 `${keycloakServerUrl}/realms/${issuerUriParsed.realm}/account`
             );
             accountUrlObj.searchParams.set("referrer", clientId);
             accountUrlObj.searchParams.set(
                 "referrer_uri",
-                toFullyQualifiedUrl({
-                    urlish: backToAppFromAccountUrl,
-                    doAssertNoQueryParams: false
-                })
+                (() => {
+                    try {
+                        return toFullyQualifiedUrl({
+                            urlish: validRedirectUri,
+                            doAssertNoQueryParams: true,
+                            doOutputWithTrailingSlash: true
+                        });
+                    } catch {
+                        return toFullyQualifiedUrl({
+                            urlish: validRedirectUri,
+                            doAssertNoQueryParams: false
+                        });
+                    }
+                })()
             );
             if (locale !== undefined) {
                 accountUrlObj.searchParams.set("kc_locale", locale);

package/src/mock/oidc.ts

@@ -96,7 +96,8 @@ export async function createMockOidc<
     const common: Oidc.Common = {
         params: {
             clientId: mockedParams.clientId ?? "mymockclient",
-            issuerUri: mockedParams.issuerUri ?? "https://my-mock-oidc-server.net/realms/mymockrealm"
+            issuerUri: mockedParams.issuerUri ?? "https://my-mock-oidc-server.net/realms/mymockrealm",
+            validRedirectUri: homeUrl
         }
     };