Error: redirected you too many times

Auth0 is logging a successful login, but in my app, req.user is still undefined. When auth0 redirects to my callback link, which is a secured page, that page does not register that the user is logged in, so it redirects back to the login page. This repeats until I get this error message.

As I mentioned, auth0 has a successful log:

  "date": "2019-05-26T17:43:06.729Z",
  "type": "s",
  "connection_id": "",
  "client_id": <my-project-id>,
  "client_name": <my-project>,
  "ip": <ip>,
  "user_agent": "Chrome 74.0.3729 / Windows 10.0.0",
  "details": {
    "prompts": [],
    "completedAt": 1558892586728,
    "elapsedTime": null,
    "session_id": "XCfou1cXNYFqULps8KHGEWZa7wTyeISu"
  "hostname": <my-auth0-url>,
  "user_id": "auth0|<user-id>",
  "user_name": <username>,
  "log_id": "90020190526174306729524310616829972800980158286508589138",
  "isMobile": false

The user is redirected to my callback URL (/dashboard):

router.get('/dashboard', secured(), function (req, res, next) {
	const { _raw, _json, ...userProfile } = req.user;

This runs my secured middleware:

module.exports = function () {
  return function secured (req, res, next) {
    if (req.user) {  console.log('successfully authenticated'); return next();}
	console.log('failed authentication');
    req.session.returnTo = req.originalUrl;

Yielding the following logs:

GET /login 302 5.512 ms - 0
failed authentication
GET /dashboard?code=UDY7WYrXdtAWspnN&state=gGFkqbi9BlxDizGwO6hS9aaj 302 11.138 ms - 56
GET /login 302 1.675 ms - 0
failed authentication
GET /dashboard?code=mcGKEI4SmmyMfUJW&state=U8jOr7GsoXtQNyxVyKwbfA6e 302 6.735 ms - 56
GET /login 302 1.398 ms - 0
failed authentication
GET /dashboard?code=9Evpigv7JMFqxrfM&state=YkQLHvCuTLn8RZNN8bfAAMdU 302 5.207 ms - 56


Here is my express setup:

var express = require('express');

var createError = require('http-errors');
var path = require('path');
var logger = require('morgan');

var dotenv = require('dotenv');

var session = require("cookie-session");
var sess = {
	secret: <secret>,
var passport = require('passport');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');
var Auth0Strategy = require('passport-auth0');


var strategy = new Auth0Strategy(
    domain: process.env.AUTH0_DOMAIN,
    clientID: process.env.AUTH0_CLIENT_ID,
    clientSecret: process.env.AUTH0_CLIENT_SECRET,
      process.env.AUTH0_CALLBACK_URL || 'http://localhost:8080/dashboard'
  function (accessToken, refreshToken, extraParams, profile, done) {
    // accessToken is the token to call Auth0 API (not needed in the most cases)
    // extraParams.id_token has the JSON Web Token
    // profile has all the information from the user
    return done(null, profile);


passport.serializeUser(function (user, done) {
  done(null, user);

passport.deserializeUser(function (user, done) {
  done(null, user);

var app = module.exports = express();

app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser(<secret (same as express-session secret)>));

if (app.get('env') === 'production') { = true; // serve secure cookies, requires https



app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');
app.use(express.static(path.join(__dirname, 'public')));

var userInViews = require('./node_modules/userInViews');
var authRouter = require('./routes/auth');
var indexRouter = require('./routes/public');
var usersRouter = require('./routes/users');

app.use('/', authRouter);
app.use('/', indexRouter);
app.use('/', usersRouter);

I’ve also attached the HAR file recorded from this authentication (with the sensitive info removed).

testobfuscated.har (468.3 KB)

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?