Hello,
A few months ago I followed your guide to set up a rule that redirects users to an external page, where they are required to perform an additional identity check before being allowed to log in.
The rule worked flawlessly up until some days ago, when it suddenly stopped working even though absolutely nothing was changed.
After some debugging I found that the reason is that the `context.request.body` field in the rule, after the redirect back to the `/continue` endpoint, is always empty. Of course I verified that the POST request to the endpoint is correct and contains a JWT in its body, but it seems that Auth0 can no longer access the request body.
Does anybody have any idea?
Rule code
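// Auth0 rule: users flagged with `additional_verification_required` are sent to
// an external identity-check page and admitted only when that page posts back a
// valid token bound to this particular login attempt.
//
// Follows the Auth0 rule contract:
//   user     - the authenticating user; `user.jti` is assigned on the first pass
//              and compared against the returned token's `jti` claim.
//   context  - request context; `context.protocol === "redirect-callback"` marks
//              the second pass, after the external page has POSTed to /continue.
//   callback - `callback(error)` denies the login, `callback(null, user, context)`
//              allows it.
//
// `jwt`, `uuid`, `configuration` and `UnauthorizedError` are globals provided by
// the Auth0 rules runtime.
function additionalVerificationRule(user, context, callback) {
  const req = context.request;

  // Mint the short-lived token handed to the external page. The five-minute
  // lifetime bounds how long a captured token stays usable.
  function createToken(claims) {
    const options = {
      expiresIn: "5 minutes",
      notBefore: 0,
      audience: configuration.AUDIENCE,
      issuer: configuration.ISSUER,
      algorithm: "HS256",
    };
    return jwt.sign(claims, configuration.SECRET, options);
  }

  // Validate the token posted back to /continue. jwt.verify throws on a bad
  // signature, a wrong issuer/audience or an expired token; this returns false
  // when the claims do not belong to this user and login attempt.
  function verifyToken(token) {
    const options = {
      // Must mirror the values used in createToken; if audience and issuer are
      // crossed, jwt.verify rejects every token unless both settings happen to
      // hold the same value.
      audience: configuration.AUDIENCE,
      issuer: configuration.ISSUER,
      // Pinning the accepted algorithm keeps a token signed with another
      // algorithm (or "none") from being accepted.
      algorithms: ["HS256"],
    };
    const data = jwt.verify(token, configuration.SECRET, options);
    return data.jti === user.jti
      && data.sub === user.user_id
      && data.success === true;
  }

  if (!user.additional_verification_required) {
    return callback(null, user, context);
  }

  if (context.protocol === "redirect-callback") {
    // Second pass: the external page has POSTed the token to /continue.
    // NOTE(review): this relies on Auth0 exposing the form-encoded POST body as
    // context.request.body. If that body is empty, reading `.token` makes
    // jwt.verify throw and the login is denied — the check fails closed.
    let tokenIsValid = false;
    try {
      tokenIsValid = verifyToken(req.body.token);
    } catch (exception) {
      return callback(new UnauthorizedError());
    }
    return tokenIsValid
      ? callback(null, user, context)
      : callback(new UnauthorizedError());
  }

  // First pass: bind a fresh per-attempt id to the user and redirect to the
  // external check.
  user.jti = uuid.v4();
  const token = createToken({
    sub: user.user_id,
    email: user.email,
    name: user.name,
    jti: user.jti,
  });
  // NOTE(review): the token travels in the query string, so it can end up in
  // browser history, Referer headers and the external page's server logs; the
  // short expiry and the per-attempt jti limit, but do not remove, that exposure.
  context.redirect = {
    url: `https://example.com/callback?token=${token}`,
  };
  return callback(null, user, context);
}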
POST request to the /continue endpoint
POST /continue?state=state_token_here HTTP/1.1
Host: domain.eu.auth0.com
Accept-Encoding: deflate, gzip
User-Agent: user_agent_here
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
DNT: 1
Connection: keep-alive
Referer: https://example.com
Cookie: cookies_here
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Pragma: no-cache
Cache-Control: no-cache
TE: Trailers
Content-Length: 367
token=my_jwt_token_here