401 Unauthorized error when calling /continue endpoint after a redirect from the rules

Question:

We currently have an Auth0 rule that redirects the users to the terms of service page using context.redirect and it works for existing applications without issue. We recently created a new Auth0 application that is a traditional web application. After a user authenticates, they are redirected to the same terms of service page and then sent to /continue just like the existing applications. The only difference is that we have yet to have a successful response from the /continue redirect. Each time we receive a 401 Unauthorized. We’ve analyzed the logs but have not determined why this is occurring.

Answer:

Let me share a couple of scenarios where the redirect rule may fail with HTTP 401 Unauthorized error. If none of them helps, sharing a HAR file can help us investigate further. For this particular scenario, item-5 below is the likely reason as it is happening only for one of the apps consistently, and for the other apps, it works as expected.

1- The user’s session is terminated while the user is on the redirected page (While approving the terms of service):

a-) The tenant’s session time-out setting may be configured to a short period ( like 1 minute). If the user waits a relatively long time on the redirected page, their session on Auth0 will be cleared before the /continue endpoint is called.

b-) Users’ email, password, email_verified fields are patched with the management API. Even patching with the same value for these fields will invalidate the user’s session.

c-) User is deleted with the management API.

2- The state parameter sent to the redirected page isn’t passed back correctly on the /continue endpoint.

3- /continue endpoint is called more than once. For example, this may happen due to a JS code on the external page triggering multiple calls to this endpoint.

4- The browser removes the first-party cookies while making the /continue call.

5- The login starts with the canonical domain (e.g., your-tenant.auth0.com/authorize), and then the redirect happens to the Custom Domain (e.g., login.my-company-domain.com/continue) or vice versa. The domains for /authorize and /continue endpoints should match.

2 Likes
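An added example (not code from the thread or from Auth0) showing how scenarios 2, 3 and 5 can be avoided by design: the rule passes the hostname that served /authorize to the terms page, the page builds /continue on that same host with the state Auth0 appended, and a once-guard stops duplicate /continue calls. It assumes the placeholder URL https://tos.example.com/accept, a query parameter named auth0_host, and that context.request.hostname is populated in the rule.

```javascript
// Rule side: runs inside an Auth0 rule with the usual (user, context, callback) signature.
// Assumption: context.request.hostname is the host the user hit for /authorize.
function redirectToTermsRule(user, context, callback) {
  const TOS_URL = 'https://tos.example.com/accept'; // placeholder, not a real page
  if (context.protocol === 'redirect-callback') {
    // Returning from /continue: do not redirect again.
    return callback(null, user, context);
  }
  const host = context.request.hostname;
  // Auth0 appends the state parameter to this URL itself (scenario 2).
  context.redirect = { url: `${TOS_URL}?auth0_host=${encodeURIComponent(host)}` };
  return callback(null, user, context);
}

// Terms page side: build the /continue URL from the query string the page received.
// Using the host from auth0_host keeps /authorize and /continue on one domain (scenario 5).
function buildContinueUrl(query) {
  const params = new URLSearchParams(query);
  const state = params.get('state');
  const host = params.get('auth0_host');
  if (!state) throw new Error('missing state: /continue would answer 401');
  if (!host) throw new Error('missing auth0_host: cannot pick the /continue domain');
  const url = new URL(`https://${host}/continue`);
  url.searchParams.set('state', state);
  return url.toString();
}

// Wrap the navigation so a double click or a repeated JS handler cannot call
// /continue twice (scenario 3). Returns true only for the first call.
function makeContinueOnce(navigate) {
  let done = false;
  return (url) => {
    if (done) return false;
    done = true;
    navigate(url);
    return true;
  };
}
```

In the browser the navigate callback would be `(url) => { window.location.assign(url); }`.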