Hello auth0, I’m working on the account linking logic and when linking is done using my own linking service I want to redirect the user back to the onContinuePostLogin action together with session_token; however, the session_token I send is considered invalid for some reason…
Here is my continue state sent from the auth0 action to the linking service:
hKFo2SBaWnhWQnhWVm5faHAwNEh5dnBVdjkyRFFfNWc3a3Q5daFuqHJlZGlyZWN0o3RpZNkgenZRX1lJMVozNjFHa0R5UjMtQjhvMmJZYXVlWlVjTEKjY2lk2SA3eTZ5Q2h2dmFMV0NkNGZqQzZhdFhVZ2x0R0JQajA4Rw
Here is my session_token sent to my linking service:
eyJhbGciOiJIUzI1NiIsInR...[OBFUSCATED]
So the action context as you can see is:
"iat": 1714979365, "iss": "[MYTENANT].eu.auth0.com", "sub": "google-oauth2|100824245565501739142",
Now, after account linking I want to send data back to auth0, so I create a session token myself and sign it with the same secret using the HS256 alg.
So here is the URL that I send the user to: https://[MYTENANT].eu.auth0.com/continue?state=hKFo2SBaWnhWQnhWVm5faHAwNEh5dnBVdjkyRFFfNWc3a3Q5daFuqHJlZGlyZWN0o3RpZNkgenZRX1lJMVozNjFHa0R5UjMtQjhvMmJZYXVlWlVjTEKjY2lk2SA3eTZ5Q2h2dmFMV0NkNGZqQzZhdFhVZ2x0R0JQajA4Rw&session_token=eyJhbGciOiJIUzI1NiIsInR5c..[OBFUSCATED]
where as you can see state is:
KFo2SBaWnhWQnhWVm5faHAwNEh5dnBVdjkyRFFfNWc3a3Q5daFuqHJlZGlyZWN0o3RpZNkgenZRX1lJMVozNjFHa0R5UjMtQjhvMmJZYXVlWlVjTEKjY2lk2SA3eTZ5Q2h2dmFMV0NkNGZqQzZhdFhVZ2x0R0JQajA4Rw
(same as the one above)
and session token is:
eyJhbGciOiJIUzI1NiIsInR5c..[OBFUSCATED]
or with decoded claims:
{ "iss": "[MYTENANT].eu.auth0.com", "sub": "google-oauth2|100824245565501739142", "state": "hKFo2SBaWnhWQnhWVm5faHAwNEh5dnBVdjkyRFFfNWc3a3Q5daFuqHJlZGlyZWN0o3RpZNkgenZRX1lJMVozNjFHa0R5UjMtQjhvMmJZYXVlWlVjTEKjY2lk2SA3eTZ5Q2h2dmFMV0NkNGZqQzZhdFhVZ2x0R0JQajA4Rw", "user_id": "auth0|6638820ef54520ecca12593a", "iat": 1714979386, "exp": 1714979406 }
Note that [MYTENANT] isn’t really sensitive but I replaced it here; it can still be found in the JWT.
As you can see, “iss” is here, “sub” is also equal to the sub from the onExecutePostLogin action, and “state” is also the same and present.
So I’m really confused and can’t figure it out. I also tried to request /continue using a POST request as the docs say, but the outcome is the same: “The session token is invalid: State in the token does not match the /continue state.”, but you can clearly see that it does match…
It makes me think that the docs are either incorrect or it never worked… Please advise.