I have an MVC application setup as a regular web application in my tenant.
This is using standard database email/password for authentication within Auth0.
I am using the UseOpenIdConnectAuthentication and have the RedirectUri for this set to the page I want to direct users to after login/authentication.
If a user requests a page that requires authentication, they are sent to the Auth0 login page but after authentication they continue to the page they originally requested without hitting my callback/redirect url.
Is it possible to prevent this as I want all users to hit the callback/redirect url on login/authentication? Or alternatively force all users (via a rule maybe) to visit the callback/redirect url?
The behavior you want to avoid is frequently the end goal so I believe it’s likely that the configuration you are using is coded in such way to guarantee that the end-user is ultimately redirected to the original page you requested.
The above is usually done by dynamically including that original URL as part of the authentication request state so that when a login is completed that information is available and the application redirects again to the original page.
Given that you are not interested in that behavior you would likely need to remove the logic that dynamically add the original URL or even just hardcode your own URL instead of using a dynamic one. For example, for OWIN MVC sample that behavior is achieved by this line (auth0-aspnet-owin-mvc-samples/AccountController.cs at master · auth0-samples/auth0-aspnet-owin-mvc-samples · GitHub) which uses the return URL parameter to keep track of that original URL being accessed. You should be able to tweak that logic to have the behavior you desire in terms of final redirect.
Can you share a bit more about the configuration you’re using for UseOpenIdConnectAuthentication and ideally, an HAR file (after redacting sensitive information) of a login that ends up in the incorrect page.
I have attached a file containing some of the code that runs on site startup (this is probably almost identical to the code in the starter project you referenced).
For anyone else looking to resolve this I was able to prevent redirection to page requested by user after authentication by adding the following to the Notifications property of the OpenIdConnectAuthenticationOptions:
I believe that this changes the redirect URI at point of authentication to my Auth0 callback URI. So instead of redirecting to page user requested they are redirected to my callback. Note this is in addition to the change @jmangelo already mentioned in the Login function.
So my full code for configuring OpenIdConnectAuthentication is as follows: