We’re using axios to POST a JWT back to the /continue endpoint, with all the keys that the docs indicate are required (including state), but this results in a 400 Bad Request.
If instead we redirect with a GET putting the session_token and the state as query params, everything works, but this is counter to the recommendation in the docs which (maybe?) indicate that POSTing is necessary ‘to avoid replay attacks’.
Is there something missing from the docs regarding what needs to be included/configured for a POST to the /continue endpoint? Is a GET request a security concern/not recommended?
Can you please share a code snippet of the POST request you are making? Additionally, can you share the full error message? Usually there is some more info about why the request failed.
The state claim is part of the JWT (newToken), i.e. you can see it if you decode the below at jwt.io. Although I had already tried what you suggest, and the error remains the same. Edit: the error is then a 401 (here’s a gist of that error).
Really appreciate your help on this. Just wondering if you’re able to help further with this issue? A redirect to /continue with state works but an axios POST to /continue with state doesn’t work (David shared the error above).
The documents don’t make it super clear, should a POST work?
Many thanks for the help, after a few days of debugging and trawling documents any light you can shed or help you can offer would be very much appreciated.
I’d previously pursued that line of enquiry but had concluded it wasn’t the root of the issue. I’ve had another bash this morning, sending all the cookies along with the POST, but still getting a 401.
I’d love to get to the bottom of this for 1. anyone else who encounters this issue and 2. my own sanity. But in the meantime we’re going to resort to using the management API and circumvent the requirement to do it this way.
I couldn’t see any immediately relevant-looking cookies (hence why I sent them all along). Do you know which one/ones we should be looking for?
I’ll probably keep tinkering away at it to see what I’m missing.
Hi @davidpmccormick,
Were you able to resolve this one? We are also trying to implement the same, but only a GET request is working and POST is failing.
@dan.woda, could you please help us with a concrete resolution? Also, as per the document, it says state should be passed within the token.
I’m afraid we never did @jamie.9 – we ended up opting for a different approach off the front channel. IIRC our suspicion was that the issue was likely to do with cookies not being set, though.
As this topic is related to Actions and Rules & Hooks are being deprecated soon in favor of Actions, I’m excited to let you know about our next Ask me Anything session in the Forum on Thursday, January 18 with the Rules, Hooks and Actions team on Rules & Hooks and why Actions matter! Submit your questions in the thread above and our esteemed product experts will provide written answers on January 18. Find out more about Rules & Hooks and why Actions matter! Can’t wait to see you there!