Creating auth0Client calls /authorize, but redirect rule does not work in this case

I’m seeing all of my rules being run twice on page refresh. Rules are only run once if the user logs out first.

This is in an Angular application set up following these 2 quickstarts:


but with a few additions.

For one, I have a redirect to gather additional information for certain users as part of the login flow, and it it is for only these users that the double rules issue occurs. Before you ask - no it’s not the initial pre-redirect and post-continue that I’m talking about. The rules run twice pre-redirect, then twice again post-continue.

I also have the guard set on all application pages (except the page redirected to in login flow and and the callback page which calls the /continue after gathering additional info) so there’s no login button.

If the user is logged out before hitting the application, then the guard gets hit, the auth0Client gets created, the isAuthenticated() gets called, which causes the guard to get a false, which causes the guard to call login(), which shows the page where a user can select a connection, which causes the redirect to the page that gathers more information, which calls the /continue endpoint with the state and the additional info, which directs the user back to the application fully logged in. Good so far.

If the still-logged-in user refreshes the page, however, the rules get run apparently as part of createAuth0Client({…}) and no redirect occurs to the page that gathers additional info, even though that code in that rule is run and the redirect is set. Then the guard is hit, isAuthenticated is false, login() is called, which runs the rules again and this time the redirect actually happens. After the additional information is gathered and /continue called, the rules are run again with context.protocol as “redirect-callback”. handleAuthCallback() detects that code= and state= are in the params, so it starts to do it’s thing… Then -again - apparently as part of createAuth0Client({…}), the rules are run again, with context.protocol as “oidc-basic-profile” and the redirect-to-gather-more-information is set, but the redirect doesn’t happen.

So it seems that just creating the auth0Client (with @auth0/auth0-spa-js) causes a call to /authorize before login() is ever called on it, but only when the user hasn’t logged out. However it does this in a way that doesn’t actually work with a redirect rule. How can I fix this so that only one call to /authorize has to be made? Either the redirect should happen when creating the client calls /authorize, or creating the client shouldn’t call /authorize at all.