Code Exchange removes query parameters from redirect URL

greg.dennis · October 6, 2020, 9:41pm

Authentication works fine, but it seems that the query parameters are removed from the redirect URL during login. Once logged in we can deep-link without issue.

For example:

When unauthenticated, a user navigates to https://mysite.com/admin?param1=something.
The site recognizes that the user is unauthenticated and redirects to Auth0.
User signs in.
Auth0 redirects to site with code parameter. Along with this request, Auth0 sets a cookie a0.spajs.txs.[base64 text] that contains a JSON blob with two key pieces of information:
- redirect_uri which is just the scheme (https) and host (mysite.com)
- targetUrl which is the path without any query parameters.
The site exchanges the code for a JWT.
(I’m guessing) The Auth0 package assembles the redirect_uri and targetUrl from the cookie and redirects the user there, thereby removing the query parameters from the original request.

For further deep-link requests, the site doesn’t have to perform the code exchange anymore, so the navigation works fine.

marcus.baker · October 6, 2020, 10:55pm

Hi!

You are correct that Auth0 will not pass back parameters to the /callback of your application during a code exchange.

Have you considered handling the deep linking with the state parameter?

When you send a state to the /authorize endpoint, you’ll get that state back when auth0 redirects to your /callback endpoint.

Regards,

greg.dennis · October 6, 2020, 11:45pm

We are using the state, but we didn’t consider that query params would be removed.

konrad.sopala · October 7, 2020, 10:56am

Let us know if that approach works for you!

system · October 22, 2020, 10:56am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.