Login to one application redirects me to another after converting my login rule to an action

I currently have 2 applications in Auth0. The applications are integrated with each other. I am currently converting my rule to Actions, but when logging into app X it redirects me to app Y, and no such redirect option is stated in my code.
Here is a snippet:

```javascript
exports.onExecutePostLogin = async (event, api) => {
  const ManagementClient = require('auth0').ManagementClient;

  const management = new ManagementClient({
    domain: event.secrets.Domain,
    clientId: event.secrets.ClientID,
    clientSecret: event.secrets.ClientSecret,
  });

  // Await the Management API calls. With callbacks, the async handler resolves
  // before they fire, so any api.access.deny() inside them comes too late.
  let orgs;
  try {
    orgs = await management.users.getUserOrganizations({ id: event.user.user_id });
  } catch (err) {
    return api.access.deny(`An internal error (${err.statusCode}) occurred. Try again later. If you have any questions, please contact your Client Success Coordinator.`);
  }

  if (!orgs || orgs.length === 0) {
    return api.access.deny("User is not assigned to an organization. If you have any questions, please contact your Client Success Coordinator.");
  }

  if (orgs.length > 1) {
    return api.access.deny("User cannot belong to multiple organizations. If you have any questions, please contact your Client Success Coordinator.");
  }

  // Start from the organization's metadata; a matching role overrides these below.
  event.user.rule_sx = orgs[0].metadata.org_sx;
  event.user.rule_ar = orgs[0].metadata.org_ar;

  // Per-organization MFA policy.
  if (orgs[0].metadata.disableMFA) {
    api.multifactor.enable("none");
  }

  if (orgs[0].metadata.everydayMFA) {
    api.multifactor.enable("any", { "allowRememberBrowser": false });
  }

  if (orgs[0].metadata.DISABLE) {
    return api.access.deny("Organization Account Disabled. If you have any questions, please contact your Client Success Coordinator.");
  }

  if (event.user.rule_ar === undefined || event.user.rule_ar === null || event.user.rule_ar.trim() === "") {
    return api.access.deny("Organization arrow_account undefined. If you have any questions, please contact your Client Success Coordinator.");
  }

  let roles;
  try {
    roles = await management.users.getRoles({ id: event.user.user_id });
  } catch (err) {
    return api.access.deny(`An internal error (${err.statusCode}) occurred. Try again later. If you have any questions, please contact your Client Success Coordinator.`);
  }

  if (!roles || roles.length === 0) {
    return api.access.deny("User is not assigned a role. If you have any questions, please contact your Client Success Coordinator.");
  }

  if (roles.length > 2) {
    return api.access.deny("User cannot have more than two roles. If you have any questions, please contact your Client Success Coordinator.");
  }

  // Role names carry the value after the colon, e.g. "Sx:<value>".
  for (let i = 0; i < roles.length; i++) {
    if (roles[i].name.startsWith("Ar")) {
      event.user.rule_ar = roles[i].name.split(":")[1];
    } else if (roles[i].name.startsWith("Sx:")) {
      event.user.rule_sx = roles[i].name.split(":")[1];
    }
  }

  // Password expiry: 90 days unless the organization overrides it.
  let expiration_days = 90;
  if (orgs[0].metadata.password_expiration_days) {
    expiration_days = orgs[0].metadata.password_expiration_days;
  }

  function daydiff(first, second) {
    return (second - first) / (1000 * 60 * 60 * 24);
  }

  const last_password_change = event.user.last_password_reset || event.user.created_at;

  if (daydiff(new Date(last_password_change), new Date()) > expiration_days) {
    return api.access.deny("Your password has expired. Login with the link below and click on 'Forgot Password' to reset your password. If you have any questions, please contact your Client Success Coordinator.");
  }
};
```

Please, any idea of what I am doing wrong?

Hi @sandT,

Thanks for reaching out to the Auth0 Community!

After looking closely at your Post Login Action script, there does not seem to be anything that stands out which would justify the redirect behavior you have observed.

In this situation, could you please try testing the Action script in the debugging interface depicted by the play icon and see how this behaves?

If the issue persists, could you please capture your login events in a HAR file and send them to me to investigate further?

Thanks,
Rueben

Here is the response I have from the test.

Everything seems to be working as expected

1 Like

I sent you the HAR file directly through message, if you can provide any help?

Thank you.

1 Like

Hi @sandT,

Thank you for your responses and for sending me the HAR file to investigate.

I have just reviewed the HAR file carefully and found no indications that your Action script is responsible for the redirect behavior you observed.

Looking deeper, I noticed that your application has the SAML2 Web App Addon enabled.

In the Addon settings, I found the Application Callback URL matching the URL of your redirect behavior.

This matches the logs in the HAR file where I see an attempt to perform SAML SSO to your second application.

With that, I can conclude that the behavior is coming from your Application’s SAML 2 Webapp Addon and not from your Action script.

I hope this helps!

Please let me know if you have any additional questions.

Thanks,
Rueben

Hey Rueben,

As the current SAML 2 Webapp Addon settings “mapping” I currently have was working for the rule, is there any alternative or another way to do the mapping that will work for the Action?
Any example, maybe? We first used a Rule because Actions were not supporting the SAML2 Addons.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
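One way to carry the `rule_ar` / `rule_sx` mapping asked about in the last post into a Post Login Action, as an added example that is not part of the original thread or Auth0's own code: the handler awaits its lookups and emits the values with `api.samlResponse.setAttribute` rather than assigning them to `event.user`. It assumes that properties assigned to `event.user` inside an Action do not reach the add-on's mappings; the `lookup` object, `recordingApi` stub, attribute names and sample data are hypothetical and constructed so the code runs offline.

```javascript
// Added example; lookups are injected so the handler runs offline.
// Attribute names are hypothetical: use the ones your service provider expects.
const ATTR_AR = 'rule_ar';
const ATTR_SX = 'rule_sx';

// Constructed sample data (not from the thread).
const SAMPLE = { orgs: [{ metadata: { org_ar: 'A1', org_sx: 'S1' } }], roles: [{ name: 'Sx:S9' }] };

// Org metadata supplies defaults; "Ar..." / "Sx:" role names override them,
// mirroring the loop in the Action posted above.
function resolveMapping(org, roles) {
  const out = { ar: org.metadata.org_ar, sx: org.metadata.org_sx };
  for (const role of roles) {
    if (role.name.startsWith('Ar')) out.ar = role.name.split(':')[1];
    else if (role.name.startsWith('Sx:')) out.sx = role.name.split(':')[1];
  }
  return out;
}

function makePostLogin(lookup) {
  return async function onExecutePostLogin(event, api) {
    let orgs, roles;
    try {
      // Awaited, so every deny below lands before the handler resolves.
      orgs = await lookup.organizations(event.user.user_id);
      roles = await lookup.roles(event.user.user_id);
    } catch (err) {
      return api.access.deny('Lookup failed; login denied.');
    }
    if (!orgs || orgs.length !== 1) {
      return api.access.deny('User must belong to exactly one organization.');
    }
    const { ar, sx } = resolveMapping(orgs[0], roles || []);
    if (typeof ar !== 'string' || ar.trim() === '') {
      return api.access.deny('Organization arrow_account undefined.');
    }
    // Emit the values as SAML attributes instead of assigning to event.user.
    api.samlResponse.setAttribute(ATTR_AR, ar);
    if (sx) api.samlResponse.setAttribute(ATTR_SX, sx);
  };
}

// Stand-in for the Actions `api` object that records what the handler did.
function recordingApi() {
  const calls = { denied: null, saml: {} };
  return {
    calls,
    access: { deny: (reason) => { calls.denied = reason; } },
    samlResponse: { setAttribute: (k, v) => { calls.saml[k] = v; } },
  };
}
```

In a real Action the two `lookup` functions would wrap the Management API calls, and a failed lookup denies the login instead of letting it through with no attributes set.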