I wanted to show the policy statement that comes from our application when a user logs in using Auth0

I wanted to show the policy statement that comes from our application when a user logs in using Auth0, asking for consent. How do I achieve it?

The user has accepted and the consent is stored. I also want to show this again whenever there is a change in policy. How can I achieve this using Auth0?

At least one possible option would be to use redirect rules (https://auth0.com/docs/rules/redirect-users). This would also allow you to trigger the redirect conditionally, based on whether the user already consented and to which version they consented, by storing such information/flags in the user profile (app_metadata), which is available in the context of rules.

Is there a sample example that I can use to display the custom privacy policy to the users and retrigger the consent again?

The only thing I’m aware of would be this (https://auth0.com/docs/compliance/gdpr/gdpr-track-consent-with-custom-ui#option-4-redirect-to-another-page).

Is there any example that I can use from GitHub? The example that was given as part of the above link (https://github.com/auth0/rules/tree/master/redirect-rules/simple#trusted-callback-urls) looks old and may not work?

Also, is it possible to create application-specific rules?

And when I redirect to the continue URL, it’s giving an unauthorized error.

You can create an application-specific rule by adding a condition that effectively forces the logic within to only execute for a specific client application. In particular, the rules context will have the client identifier for which the rules are being executed, so you can base the condition on that value and the identifier of the application you want to target.

In relation to the error, you should confirm you’re calling continue with the same state value you received in the URL that was the target of the redirect. At first glance that state value does not seem correct.

Could you please let me know how to retrieve that state value?

If you configure a redirect rule to point to the following target URL:

```javascript
context.redirect = {
  url: "https://example.com/foo"
};
```

when the redirect (rule) is triggered, an HTTP request to https://example.com/foo will be performed, and as part of that request a state query string parameter will be included. In the server you have handling that request URL, you should parse the query string and retrieve the value of the state parameter. It’s that value that you then need to use.

Thanks João, will try implementing and get back to you.

Hi,

It’s also mentioned below about the redirect rules:

Trusted Callback URLs

Our sample rule and webtask make one security compromise for the sake of convenience: the rule passes the Auth0 domain (i.e. your-tenant.auth0.com) to the form website and the form uses that to construct a callback URL (i.e. https://your-tenant.auth0.com/continue) for returning back to the rule. This is essentially an open redirect and should not be used in production scenarios.

You can lock this down by configuring your form website implementation to only return to a specific URL (i.e. just your Auth0 tenant) instead of one that’s generated from a query param. You can then simplify the rule too so it no longer passes the Auth0 domain.

What does the bolded paragraph above mean?