Auth0 authorize_redirect not working

Hi. I am attempting to force a re-login when a session expires. My application is written in dash and uses flask as well as auth0 for authorisation.

I have set the session expiry time in both Auth0 and flask. When an action is taken and the session has expired I attempt an auth0.authorize_redirect().

My issue is that when I try to redirect to another page I receive a 302 and the page itself doesn’t load. I have read that a 302 is expected, however, I’m not sure why the login page doesn’t refresh?

Please let me know if you need any more information.
Thanks in advance
Harry

  • Which SDK this is regarding: authlib
  • SDK Version: 0.15.2
  • Platform Version: running locally on my machine using flask. version 1.1.2
  • Code Snippets:

After login and authorisation a callback is triggered setting session variables locally:

import datetime as dt
import logging

from flask import redirect, session
from authlib.integrations.base_client.errors import MismatchingStateError

# `app` (the Flask app), `auth0` (the registered authlib OAuth client) and the
# helper functions called below are defined elsewhere in the application.


@app.route('/callback')
def callback_handling():
    """
    Stores user information after login then redirects. If first login,
    redirect to password change page, otherwise go straight to dashboard.

    Returns
    -------
    Response
        Redirects to specified URL
    """
    # Auth0 returns changed state due to multiple logins
    try:
        auth0.authorize_access_token()
        logging.info('Session is active...')
    except MismatchingStateError:
        logging.info('State mismatch, redirecting to force Auth0 state update')
        last_active = _get_last_active()
        # The session may already be empty when the state no longer matches
        # (e.g. it expired), so do not assume 'profile' is still present.
        email = session.get('profile', {}).get('email')
        logging.info(f'SESSION END: {email}: {last_active}')
        session.clear()
        return redirect('/login')

    resp = auth0.get('userinfo')
    user_info = resp.json()

    # Store the user information in flask session.
    session['jwt_payload'] = user_info
    user_id = user_info['sub']
    session['profile'] = {
        'user_id': user_id,
        'name': user_info['name'],
        'email': user_info['email']
    }

    # Mark the session permanent so the lifetime below applies; the lifetime
    # is app-wide configuration and only needs to be set once at startup.
    session.permanent = True
    app.permanent_session_lifetime = dt.timedelta(minutes=1)

    start_time = dt.datetime.utcnow()
    logging.info(
        f'SESSION START: {session["profile"]["email"]}: {start_time}')

    session['permissions'] = get_user_commodity_permissions(user_id)
    session['licensed_features'] = get_licensed_features(
        session['permissions'])
    return redirect(_get_login_redirect_url(user_id))

All application functions are wrapped in a ‘requires_auth’ decorator which checks that the session is still valid:

from functools import wraps

from flask import session


def requires_auth(f):
    """Start a new Auth0 authorization redirect when the Flask session no
    longer holds the keys that the /callback handler populates."""
    @wraps(f)
    def decorated(*args, **kwargs):
        if 'profile' not in session or 'permissions' not in session:
            return auth0.authorize_redirect(
                redirect_uri=app.config.get('AUTH0_CALLBACK_URL')
            )
        return f(*args, **kwargs)

    return decorated
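As an added illustration (not code from the post or from authlib), the following models what `auth0.authorize_redirect()` and `authorize_access_token()` do with the `state` parameter: the redirect stores a random state in the server-side session, and the callback only succeeds when the echoed state matches the stored one. It also shows the failure mode the post's `except MismatchingStateError` branch handles: once the Flask session has expired or been cleared, there is no stored state and the callback cannot validate. The tenant domain, client id and function names are placeholders assumed here.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholders, not real tenant values.
AUTH0_DOMAIN = "example.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"


class MismatchingStateError(Exception):
    """Callback state is absent or not the one stored in the session."""


def authorize_redirect(session: dict, redirect_uri: str) -> str:
    """Return the Location of the 302 to Auth0's /authorize endpoint and
    store the CSRF 'state' in the server-side session (the part of
    auth0.authorize_redirect() that matters for the mismatch case)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,
    })
    return f"https://{AUTH0_DOMAIN}/authorize?{query}"


def exchange_callback(session: dict, callback_url: str) -> str:
    """Validate the 'state' echoed on the callback URL against the session
    and return the authorization code. The stored state is consumed, so a
    replayed callback fails; a session that expired or was cleared between
    the redirect and the callback has no stored state and fails the same
    way, which is the situation the post's except branch catches."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)
    received = params.get("state", [None])[0]
    if expected is None or received is None \
            or not hmac.compare_digest(expected, received):
        raise MismatchingStateError("state missing or does not match session")
    return params.get("code", [""])[0]


def callback_is_valid(session: dict, callback_url: str) -> bool:
    """Convenience wrapper that reports False instead of raising."""
    try:
        exchange_callback(session, callback_url)
        return True
    except MismatchingStateError:
        return False
```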

Hi @harry6,

Welcome back to the Auth0 Community!

Can you please fill in the information that was requested when you created the post (Which SDK, version, etc.)?

You’ll notice there is a bunch of stuff at the bottom of your post indicating you are using auth0-node version 2.29.0, and it sounds like that might not actually be the case.

Also, a code snippet of your request and how it’s being handled would be great. Thank you!

Hi Dan. Sorry for the vague question - I have updated it with the details you requested.
Thanks
H


Hi @dan.woda - any update on this?
Thanks
H

Thanks for the extra context. Would you please DM me with a HAR file of the transaction?