Reading state value in rules with hosted login

I’m using auth0.js v9.0.2 with the hosted login page. I am passing a custom state value and having it returned to me after login as expected, however, I don’t know how to access this value in the rules. The state value seems to be overwritten by the hosted login so when I attempt to access context.request.state it’s a different value but it’s apparently still aware of the original state value as it’s being plugged in to the return url.

Is there a way to access the state value in the rules in a hosted login environment?

1 Like

We’re seeing this behaviour, and it forces us to use a different parameter instead of state to pass data round the authentication loop, which isn’t ideal. Auth0 respects the OAuth contract by ensuring the state we add to the authorize request is included in the redirectUrl, but the behaviour is highly unexpected.

Here’s what happens:

  1. Redirect user to /authorize with ?state=123
  2. User logs in
  3. Rule reads state, gets state=ABC
  4. Redirect back to /callback with ?state=123

I’d love to know where the ABC comes from, and what data it contains? Why does Auth0 overwrite the state during rule processing, but restore it afterwards? Is there any way we can prevent this from happening?

1 Like

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?