[Bug] Unauthenticated access to protected routes redirects to Hosted AuthKit app #305
Description
Describe the bug
When an unauthenticated user tries to access a protected route, instead of being redirected to my app’s homepage or login page, they are redirected to the Hosted WorkOS AuthKit app.
I would expect the library to give me control here: unauthenticated users should be redirected to a page in my app (e.g. / or /login) rather than being forced into the Hosted AuthKit app flow, which I don’t want to use.
To Reproduce
Steps to reproduce the behavior:
- Set up authkitMiddleware in middleware.ts to protect /dashboard and other routes.
- Navigate to /dashboard while unauthenticated.
- Instead of being redirected to / (homepage) or /login, the user is redirected to the Hosted AuthKit app.
Expected behavior
If an unauthenticated user accesses a protected route, they should be redirected to my app’s homepage or login page (a route I can configure).
The Hosted AuthKit app should only be used if I explicitly opt in.
Screenshots
If applicable, add screenshots to help explain your problem.
Desktop (please complete the following information):
- OS: MacOS
- Browser Chrome
- authkit-nextjs version 2.7.0
- Next.js version 15
Additional context
- My callback route is implemented at /app/auth/callback/route.ts using handleAuth().
- Redirect URIs in the WorkOS dashboard and environment variables match exactly.
- I excluded /auth/callback from the middleware matcher and tested baseURL, but that doesn’t solve this.
- I've explicitly disabled AuthKit in my app
Key question:
- Is there a way to opt out of the Hosted AuthKit app redirection so I can handle unauthenticated redirects myself (to / or /login)?
- Or, if this is not supported, should I be using the lower-level @workos-inc/node library instead for this behavior?