
Redirect callback

Callbacks.Redirect decides where the browser is sent after sign-in, sign-out, or an error, and is the place to sanitize that destination. The default accepts same-origin URLs only.

Signature

Redirect: func(ctx context.Context, url, baseURL string) (string, error) {
	// The parameter is named url here; the examples below call it target
	// so that the net/url package can still be used inside the callback.
	return url, nil
},

Param     Meaning
url       Requested redirect (from the callbackUrl param/cookie)
baseURL   Canonical origin (Config.URL or derived)

Example: allowlist (simple)

Redirect: func(ctx context.Context, target, base string) (string, error) {
	allowed := []string{
		base + "/dashboard",
		base + "/onboarding",
		"https://app.example.com/welcome",
	}
	// Exact string match: a target with an extra query string or trailing
	// slash does not match and falls back to the default destination.
	for _, a := range allowed {
		if target == a {
			return target, nil
		}
	}
	return base + "/dashboard", nil
},

Example: open redirect protection (advanced)

Redirect: func(ctx context.Context, target, base string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return base, nil
	}
	baseU, err := url.Parse(base)
	if err != nil {
		return base, nil
	}
	// Block external hosts; this also catches protocol-relative targets
	// such as //evil.example, which parse with a non-empty Host.
	if u.Host != "" && u.Host != baseU.Host {
		return base, nil
	}
	// Block scheme changes: javascript: and data: targets have no Host and
	// would otherwise pass the check above, as would an https to http downgrade.
	if u.Scheme != "" && u.Scheme != baseU.Scheme {
		return base, nil
	}
	return target, nil
},
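A host comparison alone is not enough, because browsers normalise some shapes that net/url does not: `///evil.example` and `/\evil.example` both parse in Go as a rooted path with an empty Host, yet a browser follows them to `evil.example`. The following is an added, stand-alone example (not code from the library or this page) of a stricter sanitizer that covers those cases and rejects scheme changes, user-info tricks and bare relative paths; `sanitizeRedirect` and `redirectCallback` are names chosen here, and the inputs in `main` are constructed samples. `redirectCallback` has the `Callbacks.Redirect` signature shown above and can be assigned to it directly.

```go
package main

import (
	"context"
	"fmt"
	"net/url"
	"strings"
)

// sanitizeRedirect returns target if it is a same-origin destination and
// base otherwise. Beyond comparing hosts it rejects scheme changes
// (javascript:, http downgrade), protocol-relative forms ("//host"), the
// "///host" and "/\host" shapes browsers normalise to "//host", user-info
// in the authority, and relative paths without a leading "/".
func sanitizeRedirect(target, base string) string {
	baseU, err := url.Parse(base)
	if err != nil || baseU.Scheme == "" || baseU.Host == "" {
		return base
	}
	// Backslashes and control characters are normalised by browsers in ways
	// net/url does not model, so refuse them before parsing.
	for _, r := range target {
		if r < 0x20 || r == 0x7f || r == '\\' {
			return base
		}
	}
	u, err := url.Parse(target)
	if err != nil {
		return base
	}
	if u.IsAbs() {
		// Absolute URL: scheme and host (including any port) must match base
		// exactly, and no user-info is allowed in the authority.
		if u.Scheme != baseU.Scheme || !strings.EqualFold(u.Host, baseU.Host) || u.User != nil {
			return base
		}
		return target
	}
	// Relative reference: must be a rooted path with no authority component.
	// "//host" parses with a Host; "///host" parses as Path "///host".
	if u.Host != "" || u.User != nil || !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return base
	}
	// Resolve against base so the caller always gets an absolute same-origin URL.
	return baseU.ResolveReference(u).String()
}

// redirectCallback matches the Callbacks.Redirect signature and delegates to
// sanitizeRedirect; the error return is unused because every input has a
// safe fallback.
var redirectCallback = func(ctx context.Context, target, base string) (string, error) {
	return sanitizeRedirect(target, base), nil
}

func main() {
	base := "https://app.example.com"
	// Constructed sample callbackUrl values: one legitimate, two hostile.
	for _, target := range []string{"/dashboard", "//evil.example/phish", "javascript:alert(1)"} {
		out, _ := redirectCallback(context.Background(), target, base)
		fmt.Printf("%-24q -> %s\n", target, out)
	}
}
```

Note that the port is part of Host, so `https://app.example.com:443/x` is rejected when base is `https://app.example.com`; if the deployment serves on an explicit port, Config.URL should include it so the comparison lines up.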

Token flow

When the request carries the X-Auth-Flow: token header, no redirect is issued — the response is JSON instead, so the Redirect callback is not invoked.

Tokens.CallbackPage handles browser OAuth completion for token storage.