
authResult returned by WebAuth.parseHash is undefined when custom state used


My WebAuth configuration:

const config = {
  domain: "",
  clientID: "mysupersecretclientID",
  audience: "",
  redirectUri: "https://mydomain/handle-auth",
  responseType: "id_token token",
  scope: "openid profile email https://mydomain/roles read:current_user create:current_user_metadata update:current_user_metadata"
};
const auth = new auth0.WebAuth(config);

Following the webAuth.authorize() documentation, I should be able to add arbitrary data to the state option (in this case I want to pass the URL to which users should be redirected after login). As such, I’ve tried calling the authorize() endpoint as follows:

const opts = { ...config, state: { to: "/path/to/redirect/to/upon/login" } };

Theoretically, this should allow me to recover the values stored in state after the authorization process has completed. However, after successful login, auth0 redirects to https://mydomain/handle-auth and when I make a call to auth.parseHash, the value of authResult is undefined (note, my handler function wraps the parseHash() call in a Promise):

function handleAuth() {
  return new Promise(
    function(resolve, reject) {
      auth.parseHash(function(err, authResult) {
        err && reject(err);
        console.log(authResult); // undefined!!!
        resolve(authResult);
      });
    }
  );
}

However, if I leave the state option of the authorize() function untouched, then authResult is defined and contains the values the documentation indicates should be there, but then I seem to be losing the redirect URL that I originally wanted to store in the state option.

My best guess right now is that somehow when you specify a custom state option that somehow it prevents auth0 from being able to parse the automatically generated nonce. I’ve confirmed that the nonce is still there (stored in a cookie fwiw) in addition to the other state properties that I added. Since it is not finding the nonce it somehow fails to decode the tokens in the hash and therefore returns undefined from the parseHash() function.

Does this make sense? Am I missing something or doing something wrong?
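
OAuth 2.0 defines `state` as an opaque string, so one way to carry a return path through the login round trip is to serialize it into a single string together with a random value, then check both on the callback page. The sketch below is an added example, not code from the post or from auth0.js; `packState`, `unpackState` and `safePath` are hypothetical helper names, and how auth0.js stores or compares `state` internally is not shown.

```javascript
// Added example; packState, unpackState and safePath are hypothetical helper names.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

// base64url keeps the serialized state a single URL-safe string.
function toB64Url(text) {
  const bytes = new TextEncoder().encode(text);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function fromB64Url(value) {
  const b64 = value.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Accept only same-site paths; "//host", backslashes and control characters
// could turn the post-login redirect into an open redirect, so fall back to "/".
function safePath(to) {
  const ok = typeof to === "string" &&
    to.startsWith("/") && !to.startsWith("//") && !/[\\\x00-\x1f]/.test(to);
  return ok ? to : "/";
}

// Before redirecting: `state` is the string to send, `nonce` is kept locally
// (for example in sessionStorage) to recognise the response later.
function packState(returnTo) {
  const raw = rng.getRandomValues(new Uint8Array(16));
  const nonce = Array.from(raw, (b) => b.toString(16).padStart(2, "0")).join("");
  return { state: toB64Url(JSON.stringify({ n: nonce, to: returnTo })), nonce };
}

// On the callback page: null means the response does not belong to this
// browser session (or is malformed) and should be rejected.
function unpackState(state, expectedNonce) {
  try {
    const parsed = JSON.parse(fromB64Url(state));
    if (typeof parsed.n !== "string" || parsed.n !== expectedNonce) return null;
    return safePath(parsed.to);
  } catch {
    return null;
  }
}
```

The string returned in `state` is what would be passed as the `state` option in place of an object, and the path from `unpackState` is only used after the nonce check succeeds.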