ENG-2331: Pass state parameter in OIDC callback #7213

Merged
tvandort merged 5 commits into main from ENG-2331 on Jan 13, 2026

Conversation

@tvandort tvandort commented Jan 12, 2026

Ticket ENG-2331

Description Of Changes

Pass state parameter in OIDC callback

Steps to Confirm

  1. Configure Okta SSO on an instance of fides without this change
  2. Attempt to log in, see that it fails
  3. Check out this branch
  4. Attempt to log in, see that it succeeds

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required

vercel bot commented Jan 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project               Deployment   Review    Updated (UTC)
fides-plus-nightly    Ready        Ready     Jan 13, 2026 3:47pm   (Preview, Comment)
fides-privacy-center  Ignored      Ignored   Jan 13, 2026 3:47pm   (1 skipped deployment)

@tvandort tvandort marked this pull request as ready for review January 13, 2026 14:53
@tvandort tvandort requested a review from a team as a code owner January 13, 2026 14:53
@tvandort tvandort requested review from speaker-ender and removed request for a team January 13, 2026 14:53
greptile-apps bot commented Jan 13, 2026

Greptile Overview

Greptile Summary

This PR fixes a critical OIDC authentication bug by adding the state parameter to the callback flow. The OIDC state parameter is essential for preventing CSRF attacks in OAuth 2.0/OIDC flows - it ensures that the authorization response corresponds to the original authorization request.

Changes Made

Type Definition: Added state: string field to LoginWithOIDCRequest interface to match the expected query parameters from the OIDC provider callback.

Backend Request: Updated the OIDC callback endpoint in auth.slice.ts with two key improvements:

  1. Added the state parameter to the request payload
  2. Refactored from manual query string construction to RTK Query's params field for proper URL encoding
  3. Added encodeURIComponent() to the provider parameter in the URL path for safety

Frontend Extraction: Modified the login provider page to extract the state parameter from the query string and validate its presence before proceeding with the login request.

Error Handling: Changed error message from displaying backend error details to a generic user-friendly message with console logging for debugging.

Impact

Without this change, OIDC login flows would fail because the backend expects the state parameter for security validation but the frontend wasn't passing it. This fix restores OIDC authentication functionality.

Confidence Score: 5/5

  • Safe to merge - fixes critical OIDC authentication bug with proper implementation
  • The PR correctly implements the missing state parameter in the OIDC callback flow, which is essential for security and functionality. The changes are minimal, focused, and follow existing patterns in the codebase. The refactoring to use RTK Query's params field is a positive improvement. There's a minor style issue with the error message change, but it doesn't affect correctness.
  • No files require special attention

Important Files Changed

File Analysis

Filename                                           Score  Overview
changelog/7213-fix-oidc-login.yaml                 5/5    Simple changelog entry documenting the state parameter fix
clients/admin-ui/src/features/auth/types.ts        5/5    Adds required state field to LoginWithOIDCRequest interface
clients/admin-ui/src/features/auth/auth.slice.ts   5/5    Updates OIDC callback API call with state parameter and proper URL encoding
clients/admin-ui/src/pages/login/[provider].tsx    4/5    Extracts and passes state parameter from query string; changes error message to generic text
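
An added example, not code from the PR or from fides, of the callback handling the summary above describes, in plain TypeScript rather than RTK Query: parse the provider's redirect, require both code and state, and build the request with every component encoded. Assumptions: the state saved when login started is passed in as savedState and compared here as well (the PR leaves that validation to the backend), and the route /api/v1/oidc/<provider>/callback is a placeholder.

```typescript
export interface LoginWithOIDCRequest {
  provider: string;
  code: string;
  state: string; // the field the PR adds
}

// Parse "?code=...&state=..." from the provider's redirect. Splitting on the
// first "=" only keeps a base64 state that itself ends in "=" intact.
export function parseQuery(search: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const pair of search.replace(/^\?/, "").split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const val = eq < 0 ? "" : pair.slice(eq + 1);
    out[decodeURIComponent(key)] = decodeURIComponent(val.replace(/\+/g, " "));
  }
  return out;
}

// Reject the callback when code or state is missing (the frontend check the
// PR adds) or when state differs from the value saved when login started
// (assumed to be passed in as savedState; in the PR the backend validates it).
export function buildCallbackRequest(
  provider: string, search: string, savedState: string | null,
): LoginWithOIDCRequest | { error: string } {
  const q = parseQuery(search);
  if (!q.code || !q.state) {
    return { error: "OIDC callback is missing code or state" };
  }
  if (savedState === null || q.state !== savedState) {
    return { error: "OIDC state does not match the login request" };
  }
  return { provider, code: q.code, state: q.state };
}

// Encode each key and value separately, as a params object does, so a state
// containing "&", "+" or "=" cannot be split or altered on the way out.
export function encodeParams(params: Record<string, string>): string {
  return Object.keys(params)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join("&");
}

// Placeholder route; the provider sits in the path, so it is encoded too.
export function callbackUrl(req: LoginWithOIDCRequest): string {
  const path = `/api/v1/oidc/${encodeURIComponent(req.provider)}/callback`;
  return `${path}?${encodeParams({ code: req.code, state: req.state })}`;
}
```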

@greptile-apps greptile-apps bot left a comment

3 files reviewed, 3 comments

@tvandort (Contributor, Author)

@greptile pls rereview

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment

@tvandort (Contributor, Author)

@greptile pls rereview

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment

@tvandort tvandort added this pull request to the merge queue Jan 13, 2026
Merged via the queue into main with commit f7beefc Jan 13, 2026
45 checks passed
@tvandort tvandort deleted the ENG-2331 branch January 13, 2026 16:24