We’re seeing this behaviour, and it forces us to use a different parameter instead of state to pass data round the authentication loop, which isn’t ideal. Auth0 respects the OAuth contract by ensuring the state we add to the authorize request is included in the redirectUrl, but the behaviour is highly unexpected.
Here’s what happens:
- Redirect user to /authorize with ?state=123
- User logs in
- Rule reads state, gets state=ABC
- Redirect back to /callback with ?state=123
I’d love to know where the ABC comes from and what data it contains. Why does Auth0 overwrite the state during rule processing, but restore it afterwards? Is there any way we can prevent this from happening?