@auth0/nextjs-auth0 not sending all authorizationParams to Auth0

Hi,

I want to use an “invite code” to allow users to sign up for my application as long as they have an invite code.

I am using @auth0/nextjs-auth0 package, and in my [...auth0].ts file I’m overriding the handleAuth function like so:


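```ts
import { handleAuth, handleCallback, handleLogin } from "@auth0/nextjs-auth0";
import type { NextApiRequest, NextApiResponse } from "next";
// parse() is assumed to come from the "cookie" package; the post does not show its import.
import { parse } from "cookie";

// afterCallback is the poster's own hook; its definition is not shown in the post.

export default handleAuth({
  callback: async (req: NextApiRequest, res: NextApiResponse) => {
    try {
      await handleCallback(req, res, { afterCallback });
    } catch (error: any) {
      res.status(error.status || 500).end();
    }
  },
  login: async (req, res) => {
    try {
      // Parsed but not used below; req.cookies is read instead.
      const cookies = parse(req.headers.cookie ?? "");
      const { inviteCode } = req.query;

      await handleLogin(req, res, {
        returnTo: req.cookies.returnTo
          ? req.cookies.returnTo
          : process.env.AUTH0_BASE_URL,
        authorizationParams: {
          screen_hint: "signup",
          response_type: "code",
          // Workaround: the invite code is carried inside the scope string.
          scope: `openid profile email invite:${req.cookies.inviteCode}`,
          // Custom parameter expected to show up in the Action/Hook.
          inviteCode: inviteCode,
        },
      });
    } catch (error: any) {
      res.status(error.status || 500).end();
    }
  },
});
```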

I have a problem with handleLogin because I’m expecting to see the inviteCode param in my Action/Hook, but that information never actually gets over to Auth0 Actions or Hooks.

I have a workaround by adding the inviteCode to the scope property, which I know I shouldn’t be using for that purpose, but that’s the only property that I can mutate, and I can send the invite code.

Am I doing something wrong, or is there something wrong with the package? Or is this not the appropriate flow to use?

Thanks

Based on your code, it seems that you are passing the inviteCode as a query parameter in the authorizationParams object. However, query parameters are not passed to Auth0 Actions or Hooks by default.

To pass the inviteCode to Auth0 Actions or Hooks, you can consider using the state parameter instead. The state parameter allows you to include additional information that will be returned to your application after authentication.

Here’s an example of how you can modify your code to use the state parameter:

```ts
login: async (req, res) => {
  try {
    const cookies = parse(req.headers.cookie ?? "");
    const { inviteCode } = req.query;

    await handleLogin(req, res, {
      returnTo: req.cookies.returnTo
        ? req.cookies.returnTo
        : process.env.AUTH0_BASE_URL,
      authorizationParams: {
        screen_hint: "signup",
        response_type: "code",
        state: JSON.stringify({ inviteCode }), // Pass inviteCode in the state parameter
      },
    });
  } catch (error: any) {
    res.status(error.status || 500).end();
  }
},
```

Then, in your Auth0 Actions or Hooks, you can access the inviteCode from the state parameter. Make sure to parse the JSON string back into an object.

By using the state parameter, you can pass the inviteCode securely and correctly to Auth0 Actions or Hooks without relying on the scope parameter.
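
The scope workaround in the question interpolates a request-supplied invite code into a space-delimited scope string, so a value containing whitespace would turn into additional scope tokens. The following is an added example, not code from either post or from the SDK: it validates the code before it is forwarded and re-checks it on the receiving side. The helper names and the invite-code format are assumptions.

```typescript
// Added example: hypothetical helpers, not part of @auth0/nextjs-auth0 or Auth0 Actions.
const BASE_SCOPES: string[] = ["openid", "profile", "email"];
const INVITE_PREFIX = "invite:";

// Assumed invite-code format (not from the thread): 6-32 chars of A-Z a-z 0-9 _ -
// No whitespace is allowed, so a code can never split into extra scope tokens.
const INVITE_RE = /^[A-Za-z0-9_-]{6,32}$/;

// Next.js query/cookie values may be a string, an array (repeated param) or missing.
function normalizeInviteCode(raw: string | string[] | undefined): string | null {
  if (typeof raw !== "string") return null;
  return INVITE_RE.test(raw) ? raw : null;
}

// Sending side: build the scope value for authorizationParams, or return null so
// the login handler can answer 400 instead of forwarding unvalidated input.
function buildInviteScope(raw: string | string[] | undefined): string | null {
  const code = normalizeInviteCode(raw);
  if (code === null) return null;
  return BASE_SCOPES.concat(INVITE_PREFIX + code).join(" ");
}

// Receiving side: recover the code from the requested scope string.
// Exactly one invite token must be present and it must pass the same check.
function inviteFromScope(scope: string): string | null {
  const tokens = scope.split(/\s+/).filter((t) => t.indexOf(INVITE_PREFIX) === 0);
  const [token] = tokens;
  if (tokens.length !== 1 || token === undefined) return null;
  return normalizeInviteCode(token.slice(INVITE_PREFIX.length));
}
```

In the login handler, a null result from `buildInviteScope` is the point at which to return a 400 rather than call `handleLogin`.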