401 Unauthorized error when calling /continue endpoint after a redirect from the rules


We currently have an Auth0 rule that redirects the users to the terms of service page using context.redirect and it works for existing applications without issue. We recently created a new Auth0 application that is a traditional web application. After a user authenticates, they are redirected to the same terms of service page and then sent to /continue just like the existing applications. The only difference is that we have yet to have a successful response from the /continue redirect. Each time we receive a 401 Unauthorized. We’ve analyzed the logs but have not determined why this is occurring.


Let me share a couple of scenarios where the redirect rule may fail with HTTP 401 Unauthorized error. If none of them helps, sharing a HAR file can help us investigate further. For this particular scenario, item-5 below is the likely reason as it is happening only for one of the apps consistently, and for the other apps, it works as expected.

1- The user’s session is terminated while the user is on the redirected page (While approving the terms of service):

a-) The tenant’s session time-out setting may be configured to a short period ( like 1 minute). If the user waits a relatively long time on the redirected page, their session on Auth0 will be cleared before the /continue endpoint is called.

b-) Users’ email, password, email_verified fields are patched with the management API. Even patching with the same value for these fields will invalidate the user’s session.

c-) User is deleted with the management API.

2- The state parameter sent to the redirected page isn’t passed back correctly on the /continue endpoint.

3- /continue endpoint is called more than once. For example, this may happen due to a JS code on the external page triggering multiple calls to this endpoint.

4- The browser removes the first-party cookies while making the /continue call.

5- The login starts with the canonical domain (e.g., your-tenant.auth0.com/authorize), and then the redirect happens to the Custom Domain (e.g., login.my-company-domain.com/continue) or vice versa. The domains for /authorize and /continue endpoints should match.