Consent screen redirect strategy works with database users, but not with social connections

Hi there,

I followed and opted in for “Option 3” to cater for user-password, as well as social logins (Google, Facebook).

When using user/password, everything works flawlessly.

  1. User authenticates
  2. Redirect rule confirmed to be running and redirecting to legal consent page
  3. User agrees with legal terms and hits the /continue endpoint, including state parameter
  4. Redirect rule confirmed to be running and storing consent opt in to database
  5. Callback is happening and user is logged in

When using a social login provider to authenticate step 1-3 is happening as well, including the state parameter being attached to the /continue url parameters. Unfortunately though step 4 fails, as the rule is not running (I have a console.log on line 1 to confirm) and /code?state=xxx returns Unauthorized instead.

Any idea what I’m doing potentially doing wrong here? There’s nothing in the logs when step 4 fails… nothing on the global logs, nor on the rule logs.

Thank you,


Is it possible that you are using the “developer” (i.e. built-in) keys for the social providers?

That’s indeed the case. I was already wondering if that could cause trouble here, but wouldn’t how/why? I only get a warning logged because of that, but no errors. I wanted to put my own credentials soon anyway, but would still be curious to understand why this is causing problems here if you can share :slight_smile:

It’s mostly caused by the different domains involved (your Auth0 domain and a special domain,, used as the recipient for all the dev keys callbacks) and the inability to share sessions. You can find a more complete explanation of what doesn’t work and why at Test Social Connections with Auth0 Developer Keys.

Dev keys makes it easier to get the “A-ha!” moment, but unfortunately have some issues associated with them.

Thanks for the great explanation Nicolas! I’ll change to my own keys next week :slight_smile:

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.