In the new v11 of the Auth0 Lock control, the documentation now states:
The state parameter is an arbitrary state value that will be mantained across redirects. It is useful to mitigate XSRF attacks and for any contextual information, such as a return url, that you might need after the authentication process is finished. If a custom state parameter is not provided, Lock will automatically generate one.
The bolded sentence is new for V11, but this causes issues with our code. Currently, if we need a redirect URL once a user is authenticated, we URLEncode the URL, then Base64 encode it (per the docs). Upon the authentication callback, we check for the ‘state’ query parameter and if it exists, base64 decode the value to get the URL. In Lock V10, if we did not add a state parameter, there is not a state parameter returned, and all is fine. In V11, if we do not include a redirect URL in the state parameter (essentially no state), Auth0, per the docs above generates one. However the value of the state parameter is NOT a valid Base64 encoded string, which causes an exception when we try to decode the string. (for example: code=u2pieSEWOI9XHSLz&state=syZ6wQa9eG-jrtv5TRQgBrsetJU666NU Note that the state parameter is INVALID Base64)
What do we need to do to correct this, sort of attempting to decode, and if it fails, ignore it (hacky workaround)