Empty user when manually using /callback

Performing certain actions on the auth0 nodejs example causes an empty user to be returned.

Steps to reproduce:

  1. Start the express server (npm run start)

  2. Go to the url localhost:3000/login
    2.1 Login with credentials.
    2.2 The browser will redirect to localhost:3000/user (user profile gets displayed with correct information)

  3. Manually go to the url localhost:3000/callback

  4. The browser will redirect to localhost:3000/user
    4.1 The website displays an empty user profile

    { "name": {} }

My problem might be that this is supposed to work like this, but that I don’t understand the bigger picture. While checking the code I came across this section. The login route contains a scope. The callback route doesn’t contain this scope. This might have something to do with it. I hope someone could explain to me why this behavior occurs, and maybe a possible solution?

router.get('/login', passport.authenticate('auth0', {
  scope: 'openid email profile'
}), function (req, res) {
  res.redirect('/');
});

// Perform the final stage of authentication and redirect to previously requested URL or '/user'
router.get('/callback', function (req, res, next) {
  passport.authenticate('auth0', function (err, user, info) {
    if (err) { return next(err); }
    if (!user) { return res.redirect('/login'); }
    req.logIn(user, function (err) {
      if (err) { return next(err); }
      const returnTo = req.session.returnTo;
      delete req.session.returnTo;
      res.redirect(returnTo || '/user');
    });
  })(req, res, next);
});

Hi @Luukth,

curious, why would you call the callback url manually in step 3? It’s not meant to be called manually but is the redirect endpoint for the authorization server (Auth0), which calls it with certain parameters attached, which you are most likely not passing along when calling it.

> and maybe a possible solution?

Therefore I don’t see what problem you’re trying to solve (because the callback URL is not meant to be called manually by the user).

The callback url is called by Auth0 on return, so in step 2.2: Auth0 actually does not directly redirect to localhost:3000/user after step 2.1 but to localhost:3000/callback, which then (the client application) does the redirect to localhost:3000/user.

Thanks for your quick response. I forgot to add an important piece of explanation to my question. What if a user with bad intentions does this and gets access to the profile page without a proper profile (filled with email, username etc…)? Doing this could possibly break the website/application.

In such a case, he doesn’t have a proper ID token nor access token, so no worries here if your application and backend properly check for that.

Also a simple check can easily be implemented in the application/callback method itself. Note that it’s just a sample app. Feel free to extend the callback function, checking for certain values and throwing an error page instead in case of an {} user. Something like:

if (!user || (Object.entries(user).length === 0 && user.constructor === Object)) {
  return res.redirect('/login');
}

Ah okay, thanks for your good explanation and the example code. I didn’t think of the ID and access token.
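
A stricter form of the callback check discussed in this thread, as an added example that is not part of the original posts or of the Auth0 sample: it tests for required fields rather than emptiness, because the profile shown in step 4.1 serializes as `{ "name": {} }`. The helper names, the stub `req`/`res` objects and the required fields (`id`, `emails[].value`, following Passport's normalized profile layout) are assumptions.

```javascript
// Added example. isUsableProfile, makeCallbackHandler and simulate are hypothetical names.
// Assumption: the app needs a non-empty `id` and at least one e-mail address
// (Passport's normalized profile: user.id, user.emails[].value).
function isUsableProfile(user) {
  if (!user || typeof user !== 'object') return false;
  const hasId = typeof user.id === 'string' && user.id.length > 0;
  const hasEmail = Array.isArray(user.emails) &&
    user.emails.some(e => e && typeof e.value === 'string' && e.value.includes('@'));
  return hasId && hasEmail;
}

// Returns a function with the same (err, user, info) signature as the custom
// callback the sample passes to passport.authenticate('auth0', ...).
function makeCallbackHandler(req, res, next) {
  return function (err, user, info) {
    if (err) { return next(err); }
    // Reject missing AND incomplete profiles before any session is created.
    if (!isUsableProfile(user)) { return res.redirect('/login'); }
    req.logIn(user, function (err) {
      if (err) { return next(err); }
      const returnTo = req.session.returnTo;
      delete req.session.returnTo;
      res.redirect(returnTo || '/user');
    });
  };
}

// Constructed stand-ins for Express req/res so the check runs without a server.
function simulate(user) {
  let redirectedTo = null;
  let loggedIn = false;
  const req = { session: {}, logIn(u, cb) { loggedIn = true; cb(null); } };
  const res = { redirect(url) { redirectedTo = url; } };
  makeCallbackHandler(req, res, e => { throw e; })(null, user, {});
  return { redirectedTo, loggedIn };
}

// Constructed sample profiles (not real accounts).
const samples = {
  complete: { id: 'auth0|constructed-1', emails: [{ value: 'user@example.com' }], name: {} },
  nameOnly: { name: {} },   // the shape seen in step 4.1
  emptyObject: {},
  missing: null
};
for (const [label, user] of Object.entries(samples)) {
  console.log(label, simulate(user));
}
```

In the sample's route this would be wired as `passport.authenticate('auth0', makeCallbackHandler(req, res, next))(req, res, next)`.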
