Bug report

• I confirm this is a bug with Supabase, not with my own application.
• I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When using signInWithSSO with a redirectTo parameter, the redirect URL is only respected on successful authentication. On failure, the redirect always goes to the configured SiteURL, completely ignoring redirectTo.

To Reproduce

1. Configure Supabase project with:
   • Site URL: https://example.com
   • Redirect URLs allow list includes: https://app.example.com/*
2. Call signInWithSSO with a redirectTo to a different domain:

   await supabase.auth.signInWithSSO({
     domain: 'company.com',
     options: {
       redirectTo: 'https://app.example.com/auth/callback',
     },
   });

3. Trigger an SSO error (e.g., user already exists with a different auth method)
4. Observe redirect goes to https://example.com (Site URL) instead of https://app.example.com/auth/callback

Expected behavior

Error redirects should respect redirectTo if it's in the allow list, with error details passed as query parameters. Should only fall back to SiteURL if redirectTo is missing or not in the allow list.

Root Cause

In internal/api/samlacs.go lines 48-60, the error path hardcodes the redirect to SiteURL:

func (a *API) SamlAcs(w http.ResponseWriter, r *http.Request) error {
	if err := a.handleSamlAcs(w, r); err != nil {
		u, uerr := url.Parse(a.config.SiteURL)  // ← Always uses SiteURL
		// ...
		http.Redirect(w, r, u.String(), http.StatusSeeOther)
	}
	return nil
}

The success path (lines 339-341) correctly uses redirectTo from RelayState and only falls back to SiteURL if invalid.

System information

• OS: macOS
• Browser: Chrome
• Version of supabase-js: 2.91.1
• Version of Node.js: 22.x

Additional context

This makes it difficult to test SSO in development/staging environments that use a different domain than production, and prevents applications from handling SSO errors in their intended context.