Auth0 Home Blog Docs

How to autoforward from a login server to correct site and prevent unauthorized client from snooping on a site that they don't belong to



Hi everyone,
I am trying to set up the following: An express server serves as the sign on for the user. Once they sign on, we redirect them to a particular subdomain based on a value in their So if they work for company1 we direct them to

At the same time someone with company2 would be redirected to if they weren’t logged in and redirected to their site even if they directly typed in if they were part of company 2.

I’m trying to figure out how to best set this up, I can see that I have access to my profile in the callback of Auth0Strategy, but the callbackURL is set in the input parameters while I don’t have access to my profile until the callback. How can I perform this autoforwarding from my to the correct webserver and autoforwarding from a webserver back to the server if the user tries to access a site other than their own?

I’m pretty sure that I need to modify this, but I am not quite sure how:

var strategy = new Auth0Strategy({
    domain:       process.env.AUTH0_DOMAIN,
    clientID:     process.env.AUTH0_CLIENT_ID,
    clientSecret: process.env.AUTH0_CLIENT_SECRET,
    callbackURL:  process.env.AUTH0_CALLBACK_URL || 'http://localhost:3000/callback'   }, function(accessToken, refreshToken, extraParams, profile, done) {

    // accessToken is the token to call Auth0 API (not needed in the most cases)
    // extraParams.id_token has the JSON Web Token
    // profile has all the information from the user
    return done(null, profile);   });



I would consider the following approach:

  1. You configure your passport strategy in the way you included in your question; you only use the callback in the strategy itself if you want to enrich/translate the user profile.
  2. You implement a route that is protected with the above strategy; this route will be the redirect/callback URL for your client application.
  3. You use a session storage that is accessible both to and express servers.
  4. You configure the session for all express servers to use the shared session storage.
  5. You configure the express session to write the session cookie at the parent domain so that the cookie is also available to sub-domains.
  6. You ensure that passport uses sessions.

The route will be something like:

router.get('/', function (req, res, next) {
  passport.authenticate('auth0', function (err, user, info) {
    if (err) { return next(err); }

    if (!user) { return res.redirect('/'); }

    // We got a user authenticated with success; so persist a session
    req.logIn(user, function (err) {
      if (err) { return next(err); }

      // Redirect the user to the sub-domain they belong
      return res.redirect(`https://${}`);
  })(req, res, next);

The routes for will be something like:

router.get('/index', function (req, res, next) {
  if (!req.user) {
    // No user authenticated; redirect to login
    return res.redirect("");

  if ( !== "[CompanyX]") {
    // User is from a different company than the one
    // associated with the current site
    return res.redirect(`https://${}`);

  // provide response

The previous logic could be extracted to a common middleware and easily run for all routes.

This assumes that you use a cookie based session to keep the notion of authenticated user available to all domains and that even though there are different sub-domains being used the underlying application is the same and as such shares a common passport configuration that allows the authenticated user to be automatically detected.