How to hide status and code parameters in url

Finally I just implement auth0 login system on my web succesfully, but I have little issue that I do not want to show user state and code params in my url where is page redirected after sucessfull login. I read that there is possible solution to use POSt method by implicit flw for Oauth but it is not safe. I am just wondering how GET method can be more safe the POST method.

But can you please advice me how to show user clear url and keep auth0 working corectly?

I have regular web app and I use PHP implementation.

Thank you

Hey. Thanks for reaching out to community.

As you are using a regular web app which uses Auth code flow, both code and state parameters are fundamental to the flow, hence cannot be hidden.

However it gets cleared once it gets exchanged for the token as you are using a confidential client. Implicit is not only safe but is also not supported for your application type and hence the mentioned idea won’t work.


1 Like

Thank you for answer.

And can you please help me with these three other questions?

  1. And how is it possible that for example on and chatGPT page it is not showed?

  2. I have my own tables where are users identified by user_id, how can I connect user which is loggein via auth0 with his id in my db?

  3. For checking if user is loggedin on pages which are not allowed to visit for not registered users, is it enough to use this logic?

// Check if user is not authenticated
if (!$sdk->isAuthenticated()) {

    // Redirect user to Auth0 login page
	$loginUrl = $sdk->login();
	header("Location: $loginUrl");

Ok, so I finally find out answer for my first and original question 1. And how is it possible that for example on and chatGPT page it is not showed?

Problem was that my callback uri was setted up wrong. I have probably problems with reading comprehension :slight_smile: bcz I think that it can be random url where my page will be redirected after login. Just now I find out that it must be callback.php where user data are processed.

So now I cannot see state and code on my page.

With this is also solved question 3.

Hey. Thanks for your response. I was about to respond in similar lines with regards to Q1 and Q3.

For Q2, you can configure your own db into Auth0 and use the username and password sourced from there. Accordingly, you can modify and implement scripts based on your use case. Please look into Custom Database Connections for more details.

Let me know if you are good.


1 Like

I am here little bit sooner as I expected…

After I implemented callback.php “correctly”, my login process and authentication process are working properly.

But I have problem with my logout process.

I set up my Allowed Callback URLs to ‘https:/’ and redirectUri to ‘https://’ . $_SERVER[‘HTTP_HOST’] . ‘/callback.php’, but when I want to logout then there is used the same returnUri (…logout?returnTo=…callback) as redirectUri and it wrotes me error:

There could be a misconfiguration in the system or a service outage. We track these errors automatically, but if the problem persists feel free to contact us.

My Allowed Logout URLs is https:/

Hi. I would suggest you to check the logs and try removing the returnTo param. As the original questions were answered, I would suggest you to open new post for any follow up questions for easy tracking. Thanks for understanding and have a nice day !!


1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.