Redirect from within rule: context.request.body always empty

35c1b1d8 · April 14, 2021, 1:01pm

Hello,

A few months ago I followed your guide to setup a rule that redirects users to an external page, where they are required to perform an additional identity check before being allowed to login.

The rule worked flawlessy up until some days ago, when it suddently stopped working even tho absolutely nothing was changed.

After some debugging I was able to find out that the reason is the context.request.body field in the rule after the redirection to the /continue endpoint is always empty. Of course I verified that the POST request to the endpoint is correct and contains a JWT token in its body, but it seems like Auth0 cannot access the request body anymore.

Does anybody have any idea?

Rule code

function(user, context, callback) {

    const url = require('url@0.10.3');
    const req = context.request;
  
    function createToken(user) {
      const options = {
        expiresIn: "5 minutes",
        notBefore: 0,
        audience: configuration["AUDIENCE"],
        issuer: configuration["ISSUER"],
        algorithm: "HS256"
      };
      return jwt.sign(user, configuration["SECRET"], options);
    }
  
    function verifyToken(token) {
      const options = {
          audience: configuration["ISSUER"],
          issuer: configuration["AUDIENCE"],
          algorithms: ["HS256"]
      };
      const data = jwt.verify(token, configuration["SECRET"], options);
      if (data.jti !== user.jti) return false;
      if (data.sub !== user.user_id) return false;
      if (data.success !== true) return false;
      return true;
    }
  
    if (user.additional_verification_required) {
      if (context.protocol === "redirect-callback") {
        var tokenIsValid = false;
        try {
          // ---> THIS FAILS BECAUSE req.body = {} <--- //
          tokenIsValid = verifyToken(req.body.token);
        } catch (exception) {
          return callback(new UnauthorizedError()); 
        }
        if (tokenIsValid === true) {
          return callback(null, user, context);
        } else {
          return callback(new UnauthorizedError());    
        }  
      } else {
        user.jti = uuid.v4();
        const token = createToken({
            sub: user.user_id,
            email: user.email,
            name: user.name,
            "jti": user.jti
          }
        );
  
        context.redirect = {
          url: `https://example.com/callback?token=${token}`
        };
      }
    }
    
    return callback(null, user, context);
  }

POST request to the /continue endpoint

POST /continue?state=state_token_here HTTP/1.1
Host: domain.eu.auth0.com
Accept-Encoding: deflate, gzip
User-Agent: user_agent_here
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
DNT: 1
Connection: keep-alive
Referer: https://example.com
Cookie: cookies_here
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Pragma: no-cache
Cache-Control: no-cache
TE: Trailers
Content-Length: 367

token=my_jwt_token_here

info40 · April 14, 2021, 7:47pm

I have absolutely the same issue, I have recognized it today, so the same is happening here: nothing is changed in code nor in auth0 setup.
In our case we redirect the new users to a consent page, which then redirects back to /continue page, but since rule is failing to get anything from context.request.body (debugged with Real-time Webtask Logs), the rule is failing, so our new users cannot login at the moment.

kibble · April 15, 2021, 10:02am

Exactly the same issue here. The ‘context.request.body’ is returning empty.

https://auth0.com/docs/rules/context-object#:~:text=the%20body%20of%20the%20POST%20request%20on%20login%20transactions

alex27 · April 15, 2021, 10:13am

Same, issue. It stopped working in our dev tenants that do not have custom domain set up, however same rule still works in prod tenants with custom domains.

Ale · April 15, 2021, 1:13pm

Hi Community,

We are actively looking into this now.

konrad.sopala · April 15, 2021, 1:46pm

We’ll give you updates as soon as we make significant progress in the investigation. Sorry for the inconvenience!

tiffany · April 15, 2021, 3:27pm

Hello Auth0, Any information yet? And will there be an update to the Status pages to understand which regions were/are affected?

konrad.sopala · April 16, 2021, 11:14am

Hey there!

The issue should be fixed for everyone now. Once more sorry for the inconvenience!