Auth0 Home Blog Docs

GDPR: Track Consent with Lock Problem



I am trying to implement Version 3 of “Track Consent with Lock” as described in:

Version 3 uses Redirect rules and is meant to work also with social login. I used exactly the rule specified there:

  function redirectToConsentForm (user, context, callback) {
  var consentGiven = user.user_metadata && user.user_metadata.consentGiven;

  // redirect to consent form if user has not yet consented
  if (!consentGiven && context.protocol !== 'redirect-callback') {
    var auth0Domain = auth0.baseUrl.match(/([^:]*:\/\/)?([^\/]+\.[^\/]+)/)[2];

    context.redirect = {
      url: configuration.CONSENT_FORM_URL +
        (configuration.CONSENT_FORM_URL.indexOf('?') === -1 ? '?' : '&') +
        'auth0_domain=' + encodeURIComponent(auth0Domain)

  // if user clicked 'I agree' on the consent form, persist it to their profile
  // so they don't get prompted again
  if (context.protocol === 'redirect-callback') {
    if (context.request.body.confirm === 'yes') {
      user.user_metadata = user.user_metadata || {};
      user.user_metadata.consentGiven = true;
      user.user_metadata.consentTimestamp =;

      auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
          callback(null, user, context);
    } else {
      callback(new UnauthorizedError('User did not consent!'));

  callback(null, user, context);

and defined CONSENT_FORM_URL as

However, when using e.g. google login I get the error message:

code 404
message “unable to resolve jtn to webtask token”
req_id “1545052806097.334079”

I can see that the above function is called with reasonable values for user and context.

What could be the problem?


Solved: I was able to get around the problem by creating my own webtask as proposed in


Fantastic work, Thanks for sharing the solution!


It seems that I cheered a bit too early. For social logins via facebook and google everything works fine now (consent tracking such, that consent needs only to be given once as intended). However, for database login I now get an “Failed cross origin authentication” error (see below) and I can neither register nor login that way. If I disable the redirect-rule, database login works again, but then I have no more consent tracking.

Perhaps someone can spot the problem in my log message (IDs edited)

Occurred a few seconds agoat 2018-12-17 18:25:17.526 UTC
Type Failed cross origin authentication
Description External interaction required
Application myappQxxxkMQzk-leW-LkzJQ3F7bUfEL0ZpL2
  "date": "2018-12-17T18:25:17.526Z",
  "type": "fcoa",
  "description": "External interaction required",
  "connection_id": "",
  "client_id": "xxxxxxLkzJQ3F7bUfEL0ZpL2",
  "client_name": "myapp",
  "ip": "",
  "user_agent": "Firefox 64.0.0 / Ubuntu 0.0.0",
  "details": {
    "body": {},
    "qs": {
      "client_id": "xxxxxxx",
      "response_type": "token",
      "redirect_uri": "",
      "scope": "openid profile email",
      "state": "xxxxx",
      "realm": "Username-Password-Authentication",
      "login_ticket": "xxxxx",
      "response_mode": "web_message",
      "prompt": "none",
      "auth0Client": "xxxxx"
    "connection": "Username-Password-Authentication",
    "error": {
      "message": "External interaction required",
      "oauthError": "interaction_required",
      "type": "oauth-authorization"
    "session_connection": "Username-Password-Authentication"
  "hostname": "",
  "user_id": "auth0|xxxxxxxx",
  "user_name": "",
  "audience": "",
  "scope": [
  "log_id": "xxxxxxxxx",
  "isMobile": false


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.