Redirect: false option not being respected

[oinkbark]

Details

The callback redirect is still executed even if you set redirect: false in the module options.
It appears to mainly (only?) happen with with authorization_code flow and when directing to pages that the redirect options use as defaults.

I spent awhile diagnosing this issue because of the way my setup works. I have the provider direct back to /login after the code is generated, and my asyncData function was being called twice only when the ?code=xxx query was set.

To fix this issue all I had to do was directly specify the callback property as false. However, this still goes against what the docs clearly state should happen.

Version

auth-module: 5.0.0-1608568767.2fe2217

Nuxt configuration

• universal

auth: {
    token: false,
    cookie: false,
    localStorage: false,
    redirect: false,
    strategies: {
      google: {
          clientId: 'XXX.apps.googleusercontent.com',
          scope: ['openid', 'profile', 'email'],
          redirectUri: 'http://localhost:3000/login',
          logoutRedirectUri: 'http://localhost:3000/logout',
          codeChallengeMethod: '',
          grantType: 'authorization_code',
          responseType: 'code',
          accessType: 'offline',
          token: false,
      }
   }
}

Reproduction

What is expected?

https://auth.nuxtjs.org/api/options
According to the docs for the API options, "you can disable all redirects by setting redirect to false".
Ex:

redirect: false

What is actually happening?

The callback redirect is using its default value of "/login", and not being disabled. You must specifically list it as a property of the redirect object and set it to false.
Ex:

redirect: {
  callback: false
}

Checklist

• I have tested with the latest Nuxt version and the issue still occurs
• I have tested with the latest module version and the issue still occurs
• I have searched the issue tracker and this issue hasn't been reported yet

[bmulholland]

The redirect URL is sent to the OAuth provider, Google in your example, and is a necessary part of that process. Other than it being required by Google, what would happen without it? The user would finish auth on the Google side and then... go where?

[oinkbark]

I was not trying to disable the provider redirect; the library was redirecting again after the OAuth provider.

Basically they would start on the /login page, choose their google account, be directed back to /login by provider, and if the request contained a query parameter then the client would send a fetch request with the oauth code to the site's backend api to have their session cookie set.