I've implemented the Rails Quickstart as shown by Auth0. However, the callback in the controller is hardcoded to go to a single location (in this case dashboard). I want to be able to send in the callback a way to select another URL. What I want to do is include the Secured concern in another controller, so that if the user selects a route to that controller before being authenticated, it goes to Auth0 and then, once authenticated, returns to that controller and not to a hardcoded page like dashboard (or any other hardcoded page).
class Auth0Controller < ApplicationController
  def callback
    # OmniAuth stores the information returned from Auth0 and the IdP in request.env['omniauth.auth'].
    # In this sample, you will pull the raw_info supplied from the id_token.
    # If the id_token is needed, you can get it from session[:userinfo]['credentials']['id_token'].
    # Refer to https://github.com/auth0/omniauth-auth0#authentication-hash for complete information on 'omniauth.auth' contents.
    puts request.inspect
    session[:userinfo] = request.env['omniauth.auth']['extra']['raw_info']
    redirect_to '/dashboard'
  end

  # if user authentication fails on the provider side OmniAuth will redirect to /auth/failure,
  # passing the error message in the 'message' request param.
  def failure
    @error_msg = request.params['message']
  end

  def logout
    reset_session
    redirect_to logout_url, allow_other_host: true
  end

  private

  AUTH0_CONFIG = Rails.application.config.auth0

  def logout_url
    request_params = {
      returnTo: root_url,
      client_id: Rails.application.config.auth0['auth0_client_id']
    }
    URI::HTTPS.build(host: AUTH0_CONFIG['auth0_domain'], path: '/v2/logout', query: request_params.to_query).to_s
  end
end
I suspect the answer is to send a state parameter with the auth POST, but when I do, the state does not return in the callback. In fact the state seems to be self-generated somewhere in the omniauth-auth0 gem. Observe here when I sent the auth with a state of 12. The gem seems to generate a state of ac44a8e8697d81d096067364db9e79c0ad804363d1bb080c, which is in fact returned in the callback.
08:48:33 web.1 | Started POST "/auth/auth0?state=12" for ::1 at 2022-11-18 08:48:33 -0500
08:48:33 web.1 | D, [2022-11-18T08:48:33.014452 #24526] DEBUG -- omniauth: (auth0) Request phase initiated.
08:48:50 web.1 | Started GET "/auth/auth0/callback?state=ac44a8e8697d81d096067364db9e79c0ad804363d1bb080c&code=M0qV3Q9_UC-93saObl5_Aqqa45MVL2id5cUyJqNnTG4bP" for ::1 at 2022-11-18 08:48:50 -0500
08:48:50 web.1 | D, [2022-11-18T08:48:50.301559 #24526] DEBUG -- omniauth: (auth0) Callback phase initiated.
08:48:50 web.1 | OAuth2::AccessToken.from_hash: hash contained more than one 'token' key (["access_token", "id_token"]); using "access_token".
08:48:50 web.1 | Processing by Auth0Controller#callback as HTML
08:48:50 web.1 |   Parameters: {"state"=>"ac44a8e8697d81d096067364db9e79c0ad804363d1bb080c", "code"=>"M0qV3Q9_UC-93saObl5_Aqqa45MVL2id5cUyJqNnTG4bP"}
08:48:50 web.1 | #<ActionDispatch::Request GET "http://localhost:3001/auth/auth0/callback?state=ac44a8e8697d81d096067364db9e79c0ad804363d1bb080c&code=M0qV3Q9_UC-93saObl5_Aqqa45MVL2id5cUyJqNnTG4bP" for ::1>
08:48:50 web.1 | Redirected to http://localhost:3001/dashboard
08:48:50 web.1 | Completed 302 Found in 0ms (Allocations: 168)
How do I either
- set the state myself to come back to me? or
- access the gem created state so presumably I can store something in the session and get it back on the return?
Also, I have not been able to find where the auth/auth0 route is handled in the omniauth-auth0 gem. I think I would need to intercept the route and save state before it is called, so if anyone knows where that lives, it would also be helpful.
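As an added example (not the poster's code and not Auth0's quickstart), here is the pattern that fits the behaviour shown in the log. The 48-hex-character `state` is generated by omniauth-oauth2 in its request phase and checked against the session in the callback phase; it is a one-shot anti-CSRF nonce for the login flow, so it is not a channel for application data and a caller-supplied `state=12` is simply replaced. The place to carry "where was the user going" is the Rails session: the Secured concern stores `request.original_fullpath` before redirecting to `/auth/auth0`, and the callback pops it back out. (OmniAuth also forwards an `origin` request parameter to `request.env['omniauth.origin']` in the callback, which is the same idea with a different storage slot; it needs the same validation.) Because the stored value ends up in `redirect_to`, it is validated as a same-origin absolute path so that the login flow cannot be turned into an open redirect. The `ReturnTo`, `Secured`, `finish_login`, `FakeController` and `login_round_trip` names are all hypothetical; `FakeController` stands in for a Rails controller so the file runs without Rails.

```ruby
require 'uri'

# Remembers where an unauthenticated user was heading and hands the path back
# after the Auth0 callback. Lives in the Rails session, not in the OAuth2 `state`
# parameter, which omniauth-oauth2 overwrites with its own random nonce.
module ReturnTo
  SESSION_KEY  = :return_to
  DEFAULT_PATH = '/dashboard'   # the quickstart's hardcoded fallback

  # Only a same-origin absolute path such as "/reports/7?tab=x" is accepted.
  # Rejected: full URLs ("https://evil.test"), protocol-relative "//evil.test",
  # backslash variants "/\evil.test", and anything with whitespace or CR/LF.
  def self.safe_path?(candidate)
    return false unless candidate.is_a?(String) && candidate.start_with?('/')
    return false if candidate.start_with?('//', '/\\')
    return false if candidate.match?(/\s/)
    uri = URI.parse(candidate)
    uri.scheme.nil? && uri.host.nil? && uri.path.start_with?('/')
  rescue URI::InvalidURIError
    false
  end

  def self.remember(session, fullpath)
    session[SESSION_KEY] = fullpath if safe_path?(fullpath)
  end

  # Deleting the key makes the stored path single-use.
  def self.consume(session)
    path = session.delete(SESSION_KEY)
    safe_path?(path) ? path : DEFAULT_PATH
  end
end

# Concern to include in any controller that needs a login. In Rails this module
# would `extend ActiveSupport::Concern` and register the filter with
# `included do before_action :authenticate! end` (assumed wiring, left out so
# the file runs without Rails).
module Secured
  def authenticate!
    return unless session[:userinfo].nil?            # already logged in
    ReturnTo.remember(session, request.original_fullpath)
    redirect_to '/auth/auth0'
  end
end

# What Auth0Controller#callback does instead of `redirect_to '/dashboard'`:
# store the profile, then return the remembered (or default) path for redirect_to.
def finish_login(session, raw_info)
  session[:userinfo] = raw_info
  ReturnTo.consume(session)
end

# Minimal stand-in for a Rails controller (hypothetical) to exercise the flow offline.
class FakeController
  include Secured
  Request = Struct.new(:original_fullpath)
  attr_reader :session, :request, :redirected_to

  def initialize(session, fullpath)
    @session = session
    @request = Request.new(fullpath)
  end

  def redirect_to(location)
    @redirected_to = location
  end
end

# Walk the round trip: protected request -> redirect to Auth0 -> callback.
# Returns [first redirect, post-login redirect].
def login_round_trip(fullpath, raw_info = { 'sub' => 'auth0|constructed-example' })
  session = {}
  ctrl = FakeController.new(session, fullpath)
  ctrl.authenticate!
  first_redirect = ctrl.redirected_to
  [first_redirect, finish_login(session, raw_info)]
end

if __FILE__ == $PROGRAM_NAME
  p login_round_trip('/reports/7?tab=cost')   # ["/auth/auth0", "/reports/7?tab=cost"]
  p login_round_trip('//evil.test/phish')     # ["/auth/auth0", "/dashboard"]
end
```

In a real app `authenticate!` runs as a `before_action` in every controller that includes `Secured`, and `callback` ends with `redirect_to ReturnTo.consume(session)`. The validation in `safe_path?` matters most when the return path comes from user-controlled input (a `return_to` or `origin` query parameter) rather than from the session alone; keeping it in one place means the check is applied wherever the value originated.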