feat(clerk-js): Authenticate with popup

[dstaley]

Description

This PR implements the ability to authenticate with a popup instead of a redirect for external connections. This is useful in environments like Loveable and Bolt where we're unable to render pages like Google inside of an iframe.

It accomplishes this by adding a new prop to SignIn and SignUp called oauthFlow, with the values "redirect" | "popup" | "auto". The "auto" value uses a new utility, originPrefersPopup, to determine whether the given origin is one that likely needs to use the popup flow. This means that generative AI coding tools do not need to make any specific changes to their code for OAuth flows to work as expected. Users are, of course, able to opt into the "popup" flow specifically if they desire, however we maintain that the "redirect" option is a better UX.

Checklist

• pnpm test runs as expected.
• pnpm build runs as expected.
• (If applicable) JSDoc comments have been added or updated for any package exports
• (If applicable) Documentation has been updated

Type of change

• 🐛 Bug fix
• 🌟 New feature
• 🔨 Breaking change
• 📖 Refactoring / dependency upgrade / documentation
• other:

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
clerk-js-sandbox	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Mar 25, 2025 9:30pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 367577b

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 22 packages

Name	Type
@clerk/clerk-js	Minor
@clerk/types	Minor
@clerk/chrome-extension	Patch
@clerk/clerk-expo	Patch
@clerk/agent-toolkit	Patch
@clerk/astro	Patch
@clerk/backend	Patch
@clerk/elements	Patch
@clerk/expo-passkeys	Patch
@clerk/express	Patch
@clerk/fastify	Patch
@clerk/localizations	Patch
@clerk/nextjs	Patch
@clerk/nuxt	Patch
@clerk/react-router	Patch
@clerk/clerk-react	Patch
@clerk/remix	Patch
@clerk/shared	Patch
@clerk/tanstack-react-start	Patch
@clerk/testing	Patch
@clerk/themes	Patch
@clerk/vue	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[jacekradko]

[nit] we are already checking for existence of this.client on L1856 so no need for the optional chaining here

[panteliselef]

I think it's because this is an async function that can run with delay which may result to this.client not being defined.

[panteliselef]

Is there a significant reason to leave the logs ?

[panteliselef]

✅

[panteliselef]

I think it's because this is an async function that can run with delay which may result to this.client not being defined.

[panteliselef]

Is this another attempt to recover if stale ?

[dstaley]

Yup, I noticed in a few instances we were receiving a session ID that wasn't in the return value from this.client.session.

[panteliselef]

Is it on purpose that we existingSession may not exist, but we are still calling set active with the event data that was provided ?

[panteliselef]

potentially something that could be fetched from /environment, but this feels ok as well.

[mwickett]

Your suggesting we set the POPUP_PREFERRED_DOMAINS on the backend? (if so, I do kind of like that doing it from there would give us the ability to modify without releasing - I guess our hotloading kind of gives us the same capability though)

[panteliselef]

Agreed, that's why I don't feel strongly about it. Only someone with a pinned version would not benefit from hotloading, but I assume users of these tools won't have a reason to do that.

[dstaley]

Yup, Bryce and I discussed this. Ultimately we also concurred that it's likely not that big of a deal where this logic lives. There was some hesitancy from my side on whether it's easier to cut a clerk-js release versus updating the return value from a FAPI endpoint.

[mwickett]

We're also maintaining a very similar list of origins for AP frame ancestors.

Not blocking for this PR, but I'll capture the "store and reference in a central place" as an enhancement.

[jacekradko]

Curious why we are exporting a function with a leading _ ?

[dstaley]

In our SignIn and SignUp resources, we have a public authenticateWithPopup method available at signIn.authenticateWithPopup. These methods share code, so that's pulled out into the shared _authenticateWithPopup method. I would love a better name if you have any suggestions, but the underscore is to distinguish it from the actual public method.

[jacekradko]

No major concerns