fix(expo): migrate useSSO to core-3 and fix browser dismissal for OAuth/SSO flows

[chriscanin]

Summary

Fixes the SSO/OAuth flow in useSSO and useOAuth for Expo:

• Migrates useSSO from legacy to core-3 API — replaces useSignIn/useSignUp from @clerk/react/legacy with useClerk/useSignIn from @clerk/react
• Fixes browser not dismissing — wraps openAuthSessionAsync in try/finally with await dismissBrowser() to prevent the in-app browser from lingering in the background after auth completes, which caused subsequent SSO attempts to fail or appear frozen (reported by community user Erwin)
• Handles stale session recovery — catches session_exists / "already signed in" errors from signIn.create() by clearing the stale JWT from SecureStore and retrying, so users don't get stuck after sign-out → sign-in cycles
• Simplifies return type — the hook now handles session activation internally via clerk.setActive(), callers no longer need to call setActive themselves

Before (app code)

const { createdSessionId, setActive } = await startSSOFlow({
  strategy: 'oauth_google',
  redirectUrl: AuthSession.makeRedirectUri({ scheme: 'myapp', path: 'sso-callback' }),
})
if (createdSessionId && setActive) {
  await setActive({ session: createdSessionId })
}

After (app code)

const { createdSessionId } = await startSSOFlow({
  strategy: 'oauth_google',
})

Test plan

• Sign in with Google OAuth — session activates, navigates to authenticated screen
• Sign out → sign in again — works without "session_exists" error
• Sign out → sign in with different account — works, switches accounts
• Browser dismissed properly after auth on iOS

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes & Improvements
  • Improved OAuth and SSO session handling with more reliable cleanup to avoid hanging browser sessions.
  • Added automatic recovery for stale or inconsistent authentication states during sign-in flows.
  • More robust OAuth callback processing to ensure sessions activate correctly after external auth.
  • Reduced rare errors during sign-in by retrying recovery steps where appropriate.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 43442ba

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Mar 20, 2026 4:10pm

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8140

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8140

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8140

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8140

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8140

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8140

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8140

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8140

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8140

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8140

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8140

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8140

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8140

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8140

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8140

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8140

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8140

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8140

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8140

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8140

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8140

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8140

commit: a1c71d3

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 57b4f1b9-be6d-4d25-b928-ac698073b074

📥 Commits

Reviewing files that changed from the base of the PR and between 43442ba and a1c71d3.

📒 Files selected for processing (1)

• packages/expo/src/hooks/useSSO.ts

---

📝 Walkthrough

Walkthrough

In useOAuth.ts: WebBrowserModule.openAuthSessionAsync(...) is wrapped in a try/finally that calls WebBrowserModule.dismissBrowser() (errors from dismissal are ignored); authSessionResult is explicitly typed; a comment clarifies that url exists on the success result.

In useSSO.ts: legacy Clerk SSO hooks were replaced with useClerk + useSignIn; runtime availability checks replace isLoaded flags; StartSSOFlowReturnType no longer includes setActive, signIn, or signUp. A SecureStore-based recovery deletes CLERK_CLIENT_JWT_KEY and retries signIn.create on session-related errors. OAuth callback handling now parses created_session_id and rotating_token_nonce from the callback URL, calls clerk.client.signIn.reload(...), and conditionally calls clerk.setActive(...). openAuthSessionAsync is also wrapped in try/finally to dismiss the browser.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically summarizes both main changes: migration to core-3 API and browser dismissal fix for OAuth/SSO flows.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can customize the high-level summary generated by CodeRabbit.

Configure the reviews.high_level_summary_instructions setting to provide custom instructions for generating the high-level summary.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/expo/src/hooks/useSSO.ts`:
- Around line 70-85: Replace the incorrect post-call error-checking of
signIn.create (which uses createResult.error) with a try/catch around the await
signIn.create(createParams) call: call signIn.create inside try, and in catch
inspect the thrown error (using isClerkAPIResponseError(error) and checking
error.errors.some(e => e.code === 'session_exists') or
error.message?.includes('already signed in')); if it's a session_exists /
already-signed-in case, call SecureStore.deleteItemAsync(CLERK_CLIENT_JWT_KEY)
and retry signIn.create(createParams), otherwise rethrow the error; if the retry
fails, rethrow that error as well. Ensure you update any references to
createResult to work with the try/catch flow.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: f7ab895d-0578-4bb7-92d4-aa44d8e84c89

📥 Commits

Reviewing files that changed from the base of the PR and between adc7718 and 43442ba.

📒 Files selected for processing (2)

• packages/expo/src/hooks/useOAuth.ts
• packages/expo/src/hooks/useSSO.ts