Hi @dan.woda ,
let me explain step by step.
For example, we have a user in Auth0 with the user_id “auth0|12345”. This user has a role, user_metadata, and permissions.
We have a React app that uses Auth0 for authentication. With the JWT the app receives from Auth0 there also comes additional information like user_metadata, roles, etc.
As the users do have a Salesforce account but have no idea about Auth0 credentials, we want them to be able to log in via Salesforce.
So we created a SAML connection between Auth0 and Salesforce, where Salesforce is the identity provider.
So when this user logs in to Auth0 for the first time, a SAML user (identity) is created with the user_id “samlp|SFSAML|12345”. To merge this identity with the real user I created an action and added it to the login flow:
exports.onExecutePostLogin = async (event, api) => {
  // Only act on logins that came through the Salesforce SAML connection.
  if (event.connection.name.includes('SFSAML') && event.user.user_id.includes("samlp|SFSAML")) {
    const axios = require('axios');
    const { ManagementClient } = require('auth0');
    const management = new ManagementClient({
      domain: event.secrets.domain,
      clientId: event.secrets.client_id,
      clientSecret: event.secrets.client_secret,
    });
    try {
      // "samlp|SFSAML|12345" -> "12345", the id shared with the database user
      const user_id = event.user.user_id;
      const spl = user_id.split("|");
      const last_piece = spl[spl.length - 1];
      // Look up the primary (database) user this SAML identity belongs to
      const res = await management.users.get({ id: 'auth0|' + last_piece });
      const linkUrl = event.secrets.domain + `/api/v2/users/${res.data.user_id}/identities`;
      // Get a Management API token for the link call
      const response = await axios.post(event.secrets.domain + "/oauth/token", {
        grant_type: "client_credentials",
        audience: event.secrets.domain + "/api/v2/",
        client_id: event.secrets.client_id,
        client_secret: event.secrets.client_secret
      });
      const access_token = response.data.access_token;
      // Link the SAML identity as a secondary identity of the primary user
      await axios.post(linkUrl, {
        provider: "samlp",
        user_id: user_id
      }, {
        headers: {
          Authorization: `Bearer ${access_token}`
        }
      });
    }
    catch (err) {
      console.error(err);
    }
  }
};
After this action, we add some parameters to the accessToken and idToken with api.accessToken.setCustomClaim in another action that runs after the link action.
The problem is that at the very first login of the user, where the SAML user gets created, the React app receives the SAML user (samlp|SFSAML|12345) without permissions and user_metadata, even though the user is now linked to the user “auth0|12345”. So the user gets an error message. If the user logs in again, it works as expected.
The first idea to fix this was to redirect the user again to the starting point (URL of the React app) after the first login with api.redirect.sendUserTo, but I don’t know how to get the URL of the starting point, including parameters. I already tried event.transaction.redirect_uri.
When I hard-code the starting point, it works as expected. But as the starting point is always different, I need another solution here.
Or maybe there is a completely different solution.
Thanks for your help,
Marc