lashinijay
diff --git a/‎.changeset/plain-oranges-beg.md‎
Lines changed: 6 additions & 0 deletions b/‎.changeset/plain-oranges-beg.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 1 addition & 1 deletion b/‎package.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/react-router/src/components/CallbackRoute.tsx‎
Lines changed: 87 additions & 0 deletions b/‎packages/react-router/src/components/CallbackRoute.tsx‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎packages/react-router/src/index.ts‎
Lines changed: 3 additions & 0 deletions b/‎packages/react-router/src/index.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎packages/react/src/components/auth/Callback/Callback.tsx‎
Lines changed: 179 additions & 0 deletions b/‎packages/react/src/components/auth/Callback/Callback.tsx‎
Lines changed: 179 additions & 0 deletions
@@ -0,0 +1,6 @@
+---
+'@asgardeo/react-router': minor
+'@asgardeo/react': minor
+---
+
+Add oauth callback support for v2
@@ -65,7 +65,7 @@
       "tmp": "0.2.4",
       "min-document": "2.19.1",
       "lodash": "4.17.23",
-      "tar": "7.5.7",
+      "tar": "7.5.8",
       "seroval": "1.4.1",
       "qs": "6.14.1",
       "@vitejs/plugin-vue>vite": "7.1.12",
 
@@ -0,0 +1,87 @@
+/**
+ * Copyright (c) 2026, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import {Callback} from '@asgardeo/react';
+import {FC} from 'react';
+import {useLocation, useNavigate} from 'react-router';
+
+/**
+ * Props for the CallbackRoute component.
+ */
+export interface CallbackRouteProps {
+  /**
+   * Callback function called when an error occurs during OAuth processing.
+   * @param error - The error that occurred
+   */
+  onError?: (error: Error) => void;
+
+  /**
+   * Optional custom navigation handler.
+   * If provided, this will be called instead of the default navigate() behavior.
+   * Useful for apps that need custom navigation logic.
+   * @param path - The path to navigate to
+   */
+  onNavigate?: (path: string) => void;
+}
+
+/**
+ * Handles OAuth callback redirects for React Router applications.
+ * Processes authorization code, validates CSRF state, and navigates back to the original path.
+ * Automatically handles React Router basename when configured.
+ *
+ * @example
+ * ```tsx
+ * <Route path="/callback" element={<CallbackRoute />} />
+ * ```
+ */
+const CallbackRoute: FC<CallbackRouteProps> = ({onError, onNavigate}: CallbackRouteProps) => {
+  const navigate: ReturnType<typeof useNavigate> = useNavigate();
+  const location: ReturnType<typeof useLocation> = useLocation();
+
+  const handleNavigate = (path: string): void => {
+    if (onNavigate) {
+      onNavigate(path);
+      return;
+    }
+
+    const fullPath: string = window.location.pathname;
+    const relativePath: string = location.pathname;
+    const basename: string = fullPath.endsWith(relativePath)
+      ? fullPath.slice(0, -relativePath.length).replace(/\/$/, '')
+      : '';
+
+    const navigationPath: string = basename && path.startsWith(basename) ? path.slice(basename.length) || '/' : path;
+
+    navigate(navigationPath);
+  };
+
+  return (
+    <Callback
+      onNavigate={handleNavigate}
+      onError={
+        onError ||
+        ((error: Error): void => {
+          // eslint-disable-next-line no-console
+          console.error('OAuth callback error:', error);
+        })
+      }
+    />
+  );
+};
+
+export default CallbackRoute;
@@ -18,3 +18,6 @@
 
 export {default as ProtectedRoute} from './components/ProtectedRoute';
 export * from './components/ProtectedRoute';
+
+export {default as CallbackRoute} from './components/CallbackRoute';
+export * from './components/CallbackRoute';
@@ -0,0 +1,179 @@
+/**
+ * Copyright (c) 2026, WSO2 LLC. (https://www.wso2.com).
+ *
+ * WSO2 LLC. licenses this file to you under the Apache License,
+ * Version 2.0 (the "License"); you may not use this file except
+ * in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import {navigate as browserNavigate} from '@asgardeo/browser';
+import {FC, useEffect, useRef} from 'react';
+
+/**
+ * Props for Callback component
+ */
+export interface CallbackProps {
+  /**
+   * Callback function called when an error occurs
+   */
+  onError?: (error: Error) => void;
+
+  /**
+   * Function to navigate to a different path.
+   * If not provided, falls back to the browser navigate utility (SPA navigation via History API for same-origin paths).
+   * Provide this prop to enable framework-specific navigation (e.g., from React Router).
+   */
+  onNavigate?: (path: string) => void;
+}
+
+/**
+ * BaseCallback is a headless component that handles OAuth callback parameter forwarding.
+ * This component extracts OAuth parameters (code, state, error) from the URL and forwards them
+ * to the original component that initiated the OAuth flow.
+ *
+ * Works standalone using the browser navigate utility (History API) for navigation by default.
+ * Pass an onNavigate prop to enable framework-specific navigation (e.g., via React Router).
+ *
+ * Flow: Extract OAuth parameters from URL -> Parse state parameter -> Redirect to original path with parameters
+ *
+ * The original component (SignIn/AcceptInvite) is responsible for:
+ * - Processing the OAuth code via the SDK
+ * - Calling /flow/execute
+ * - Handling the assertion and auth/callback POST
+ * - Managing the authenticated session
+ */
+export const Callback: FC<CallbackProps> = ({onNavigate, onError}: CallbackProps) => {
+  // Prevent double execution in React Strict Mode
+  const processingRef: any = useRef(false);
+
+  // Resolve navigation: use provided onNavigate (router-aware) or fall back to browser navigate utility
+  const navigate = (path: string): void => {
+    if (onNavigate) {
+      onNavigate(path);
+    } else {
+      browserNavigate(path);
+    }
+  };
+
+  useEffect(() => {
+    const processOAuthCallback = (): void => {
+      // Guard against double execution
+      if (processingRef.current) {
+        return;
+      }
+      processingRef.current = true;
+
+      // Declare variables outside try block for use in catch
+      let returnPath: string = '/';
+
+      try {
+        // 1. Extract OAuth parameters from URL
+        const urlParams: URLSearchParams = new URLSearchParams(window.location.search);
+        const code: string | null = urlParams.get('code');
+        const state: string | null = urlParams.get('state');
+        const nonce: string | null = urlParams.get('nonce');
+        const oauthError: string | null = urlParams.get('error');
+        const errorDescription: string | null = urlParams.get('error_description');
+
+        // 2. Validate and retrieve OAuth state from sessionStorage
+        if (!state) {
+          throw new Error('Missing OAuth state parameter - possible security issue');
+        }
+
+        const storedData: string | null = sessionStorage.getItem(`asgardeo_oauth_${state}`);
+        if (!storedData) {
+          // If state not found, might be an error callback - try to handle gracefully
+          if (oauthError) {
+            const errorMsg: string = errorDescription || oauthError || 'OAuth authentication failed';
+            const err: Error = new Error(errorMsg);
+            onError?.(err);
+
+            const params: URLSearchParams = new URLSearchParams();
+            params.set('error', oauthError);
+            if (errorDescription) {
+              params.set('error_description', errorDescription);
+            }
+
+            navigate(`/?${params.toString()}`);
+            return;
+          }
+          throw new Error('Invalid OAuth state - possible CSRF attack');
+        }
+
+        const {path, timestamp} = JSON.parse(storedData);
+        returnPath = path || '/';
+
+        // 3. Validate state freshness
+        const MAX_STATE_AGE: number = 600000; // 10 minutes
+        if (Date.now() - timestamp > MAX_STATE_AGE) {
+          sessionStorage.removeItem(`asgardeo_oauth_${state}`);
+          throw new Error('OAuth state expired - please try again');
+        }
+
+        // 4. Clean up state
+        sessionStorage.removeItem(`asgardeo_oauth_${state}`);
+
+        // 5. Handle OAuth error response
+        if (oauthError) {
+          const errorMsg: string = errorDescription || oauthError || 'OAuth authentication failed';
+          const err: Error = new Error(errorMsg);
+          onError?.(err);
+
+          const params: URLSearchParams = new URLSearchParams();
+          params.set('error', oauthError);
+          if (errorDescription) {
+            params.set('error_description', errorDescription);
+          }
+
+          navigate(`${returnPath}?${params.toString()}`);
+          return;
+        }
+
+        // 6. Validate required parameters
+        if (!code) {
+          throw new Error('Missing OAuth authorization code');
+        }
+
+        // 7. Forward OAuth code to original component
+        // The component (SignIn/AcceptInvite) will retrieve flowId/authId from sessionStorage
+        const params: URLSearchParams = new URLSearchParams();
+        params.set('code', code);
+        if (nonce) {
+          params.set('nonce', nonce);
+        }
+
+        navigate(`${returnPath}?${params.toString()}`);
+      } catch (err) {
+        const errorMessage: string = err instanceof Error ? err.message : 'OAuth callback processing failed';
+        // eslint-disable-next-line no-console
+        console.error('OAuth callback error:', err);
+
+        onError?.(err instanceof Error ? err : new Error(errorMessage));
+
+        // Redirect back with OAuth error format
+        const params: URLSearchParams = new URLSearchParams();
+        params.set('error', 'callback_error');
+        params.set('error_description', errorMessage);
+
+        navigate(`${returnPath}?${params.toString()}`);
+      }
+    };
+
+    processOAuthCallback();
+  }, [onNavigate, onError]);
+
+  // Headless component - no UI, just processing logic
+  return null;
+};
+
+export default Callback;