fix(expo): migrate useSSO to core-3 and fix browser dismissal for OAuth/SSO flows

[chriscanin]

Summary

Fixes the SSO/OAuth flow in useSSO and useOAuth for Expo:

• Migrates useSSO from legacy to core-3 API — replaces useSignIn/useSignUp from @clerk/react/legacy with useClerk/useSignIn from @clerk/react
• Fixes browser not dismissing — wraps openAuthSessionAsync in try/finally with await dismissBrowser() to prevent the in-app browser from lingering in the background after auth completes, which caused subsequent SSO attempts to fail or appear frozen (reported by community user Erwin)
• Handles stale session recovery — catches session_exists / "already signed in" errors from signIn.create() by clearing the stale JWT from SecureStore and retrying, so users don't get stuck after sign-out → sign-in cycles
• Simplifies return type — the hook now handles session activation internally via clerk.setActive(), callers no longer need to call setActive themselves

Before (app code)

const { createdSessionId, setActive } = await startSSOFlow({
  strategy: 'oauth_google',
  redirectUrl: AuthSession.makeRedirectUri({ scheme: 'myapp', path: 'sso-callback' }),
})
if (createdSessionId && setActive) {
  await setActive({ session: createdSessionId })
}

After (app code)

const { createdSessionId } = await startSSOFlow({
  strategy: 'oauth_google',
})

Test plan

• Sign in with Google OAuth — session activates, navigates to authenticated screen
• Sign out → sign in again — works without "session_exists" error
• Sign out → sign in with different account — works, switches accounts
• Browser dismissed properly after auth on iOS

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes & Improvements
  • Improved OAuth/SSO session cleanup to prevent in-app browser sessions from persisting.
  • Added automatic recovery for stale or inconsistent authentication states during sign-in.
  • More reliable OAuth callback processing to ensure sessions activate correctly after external auth.
  • Reduced rare sign-in failures by retrying recovery steps when appropriate.

[changeset-bot]

🦋 Changeset detected

Latest commit: 3c0d4a5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@clerk/expo	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clerk-js-sandbox	Ready	Preview, Comment	Mar 23, 2026 5:12pm

[pkg-pr-new]

Open in StackBlitz

@clerk/agent-toolkit

npm i https://pkg.pr.new/@clerk/agent-toolkit@8140

@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8140

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8140

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8140

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8140

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8140

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8140

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8140

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8140

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8140

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8140

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8140

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8140

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8140

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8140

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8140

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8140

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8140

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8140

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8140

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8140

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8140

commit: 3c0d4a5

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: e25c32a5-2a64-460a-8a03-0e2996cdc99c

📥 Commits

Reviewing files that changed from the base of the PR and between a1c71d3 and 3c0d4a5.

📒 Files selected for processing (1)

• .changeset/fix-expo-sso-core3.md

---

📝 Walkthrough

Walkthrough

In useOAuth.ts: WebBrowserModule.openAuthSessionAsync(...) is wrapped in a try/finally that calls WebBrowserModule.dismissBrowser() (errors from dismissal are ignored); authSessionResult is explicitly typed; a comment clarifies that url exists on the success result. In useSSO.ts: legacy SSO hooks replaced with useClerk + useSignIn; runtime availability checks replace isLoaded flags; StartSSOFlowReturnType no longer includes setActive, signIn, or signUp. SecureStore-based recovery clears CLERK_CLIENT_JWT_KEY and retries signIn.create on session-related errors. OAuth callback handling now parses created_session_id and rotating_token_nonce, calls clerk.client.signIn.reload(...), and conditionally calls clerk.setActive(...). openAuthSessionAsync is wrapped in try/finally to dismiss the browser.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 25.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: migration to core-3 API and browser dismissal fixes for OAuth/SSO flows, matching the changeset content.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/expo/src/hooks/useSSO.ts`:
- Around line 70-85: Replace the incorrect post-call error-checking of
signIn.create (which uses createResult.error) with a try/catch around the await
signIn.create(createParams) call: call signIn.create inside try, and in catch
inspect the thrown error (using isClerkAPIResponseError(error) and checking
error.errors.some(e => e.code === 'session_exists') or
error.message?.includes('already signed in')); if it's a session_exists /
already-signed-in case, call SecureStore.deleteItemAsync(CLERK_CLIENT_JWT_KEY)
and retry signIn.create(createParams), otherwise rethrow the error; if the retry
fails, rethrow that error as well. Ensure you update any references to
createResult to work with the try/catch flow.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: f7ab895d-0578-4bb7-92d4-aa44d8e84c89

📥 Commits

Reviewing files that changed from the base of the PR and between adc7718 and 43442ba.

📒 Files selected for processing (2)

• packages/expo/src/hooks/useOAuth.ts
• packages/expo/src/hooks/useSSO.ts