fix: make code_verifier optional to support SAML authentication flows #108

Closed
faramos wants to merge 1 commit into workos:main from faramos:fix/saml-code-verifier-optional

Conversation


@faramos faramos commented Jan 9, 2026

Description

SAML authentication flows return authorization codes but do not use PKCE (Proof Key for Code Exchange). Previously, the library required a code_verifier for all code exchanges, causing SAML authentication to fail with an "Invalid code verifier" error in v0.15.0+.

This PR makes the code_verifier parameter optional and only includes it in the request when present (OAuth flows), allowing SAML flows to work correctly.

Changes

  • Make codeVerifier parameter optional in HttpClient.authenticateWithCode()
  • Only include code_verifier in request body when it exists (OAuth flows)
  • Remove error for missing code_verifier in callback handler to allow SAML
  • Update test to verify SAML flows work without code_verifier

Testing

  • ✅ All existing tests pass (81/81)
  • ✅ New test verifies SAML flows work without code_verifier
  • ✅ Existing test confirms OAuth flows still send code_verifier
  • ✅ TypeScript compilation succeeds
  • ✅ Build succeeds for ESM, CJS, and type definitions

Backward Compatibility

This change is fully backward compatible:

  • OAuth flows continue to work exactly as before (with PKCE)
  • SAML flows now work correctly (without PKCE)
  • No breaking changes to public API

Fixes

Fixes workos/authkit-react#82

Related

This fix resolves SAML authentication failures reported in authkit-react v0.15.0+ when users authenticate via SAML SSO (Entra ID, Okta, etc.). Once merged and published, authkit-react will need to update its dependency to the new version.

SAML authentication flows return authorization codes but do not use PKCE
(Proof Key for Code Exchange). Previously, the library required a code_verifier
for all code exchanges, causing SAML authentication to fail with "Invalid code
verifier" error.

Changes:
- Make codeVerifier parameter optional in HttpClient.authenticateWithCode()
- Only include code_verifier in request body when it exists (OAuth flows)
- Remove error for missing code_verifier in callback handler to allow SAML
- Update test to verify SAML flows work without code_verifier

This fix allows both OAuth (with PKCE) and SAML (without PKCE) authentication
flows to work correctly.

Fixes workos/authkit-react#82
@cmatheson
Collaborator

Hi @faramos, thanks for the contribution. The code_verifier is not optional. You need to set up a Sign-in endpoint as described in our getting started guide. This will ensure your app is able to set up the code_verifier.

@cmatheson cmatheson closed this Jan 9, 2026
@faramos
Author

faramos commented Jan 11, 2026

> Hi @faramos, thanks for the contribution. The code_verifier is not optional. You need to set up a Sign-in endpoint as described in our getting started guide. This will ensure your app is able to set up the code_verifier.

Thanks for the clarification. I’ve already tried setting up the Sign-in endpoint as described in the guide, and that does change the behavior, but I’m still running into issues.

With @workos-inc/authkit-react@^0.14.0, the flow only works for me when the Sign-in endpoint URL exactly matches the current environment (e.g. http://localhost). If I configure the Sign-in endpoint to the production URL (which is what the dashboard expects), local development breaks. Also, with this setup I’m not receiving any roles in the user object.

I still need to debug this further, but at the moment the only way I can get the expected behavior (working locally and roles being populated) is by using the previous versions.

So: configuring the Sign-in endpoint does change the situation, but the behavior is not equivalent to the previous versions and introduces these environment-mismatch and roles issues.
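As an added example (not authkit-js code, and not part of this PR or the maintainer's reply), the following TypeScript shows the PKCE exchange (RFC 7636) that the discussion above revolves around: the sign-in endpoint mints a code_verifier and its S256 code_challenge, the callback handler must send the verifier together with the authorization code, and the authorization server recomputes the challenge before it honours the code. All function names are my own, and the clientId and code values used with it are constructed placeholders.

```typescript
// Added example, not authkit-js code: a self-contained PKCE (RFC 7636) helper
// set showing why the code_verifier has to travel with the authorization code.
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// base64url without padding, as RFC 7636 section 4 requires.
function base64url(buf: Buffer): string {
  return buf
    .toString("base64")
    .replace(/\+/g, "-")
    .replace(/\//g, "_")
    .replace(/=+$/, "");
}

// S256 transform: BASE64URL(SHA256(ASCII(code_verifier))).
function s256(codeVerifier: string): string {
  return base64url(createHash("sha256").update(codeVerifier, "ascii").digest());
}

// Sign-in endpoint: mint a 32-byte (43-character) verifier and its challenge.
// The verifier stays with the client session; only the challenge goes into the
// authorize URL as code_challenge=...&code_challenge_method=S256.
// `verifier` may be supplied to reproduce a known vector; normally it is random.
function createPkcePair(verifier?: string): { codeVerifier: string; codeChallenge: string } {
  const codeVerifier = verifier ?? base64url(randomBytes(32));
  return { codeVerifier, codeChallenge: s256(codeVerifier) };
}

// Callback handler: build the token-exchange body. The verifier is required.
// If it were optional, anyone who captured the authorization code (leaked
// redirect, referrer header, another app registered on the same custom scheme)
// could redeem it, which is the attack PKCE was introduced to block.
function buildCodeExchangeBody(params: {
  clientId: string;
  code: string;
  codeVerifier?: string;
}): URLSearchParams {
  if (!params.codeVerifier) {
    throw new Error(
      "Missing code_verifier: the sign-in endpoint must create it before redirecting"
    );
  }
  return new URLSearchParams({
    grant_type: "authorization_code",
    client_id: params.clientId,
    code: params.code,
    code_verifier: params.codeVerifier,
  });
}

// Authorization server side: recompute S256 over the presented verifier and
// compare it, in constant time, with the challenge stored alongside the code.
function verifierMatchesChallenge(codeVerifier: string, codeChallenge: string): boolean {
  const presented = Buffer.from(s256(codeVerifier), "ascii");
  const stored = Buffer.from(codeChallenge, "ascii");
  return presented.length === stored.length && timingSafeEqual(presented, stored);
}
```

The check in buildCodeExchangeBody is the one the PR removes. Relaxing it on the client only changes anything if the server also stops verifying, and at that point possession of the code alone completes the login. A flow that genuinely has no verifier is better served by its own explicitly documented exchange path than by dropping the requirement for every code the callback receives.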

Successfully merging this pull request may close these issues.

CodeExchangeError: Invalid code verifier in v0.15.0 (works in v0.14.0)