Redirect from within rule: context.request.body always empty

Hello,

A few months ago I followed your guide to setup a rule that redirects users to an external page, where they are required to perform an additional identity check before being allowed to login.

The rule worked flawlessy up until some days ago, when it suddently stopped working even tho absolutely nothing was changed.

After some debugging I was able to find out that the reason is the context.request.body field in the rule after the redirection to the /continue endpoint is always empty. Of course I verified that the POST request to the endpoint is correct and contains a JWT token in its body, but it seems like Auth0 cannot access the request body anymore.

Does anybody have any idea?

Rule code
function(user, context, callback) {

    const url = require('url@0.10.3');
    const req = context.request;
  
    function createToken(user) {
      const options = {
        expiresIn: "5 minutes",
        notBefore: 0,
        audience: configuration["AUDIENCE"],
        issuer: configuration["ISSUER"],
        algorithm: "HS256"
      };
      return jwt.sign(user, configuration["SECRET"], options);
    }
  
    function verifyToken(token) {
      const options = {
          audience: configuration["ISSUER"],
          issuer: configuration["AUDIENCE"],
          algorithms: ["HS256"]
      };
      const data = jwt.verify(token, configuration["SECRET"], options);
      if (data.jti !== user.jti) return false;
      if (data.sub !== user.user_id) return false;
      if (data.success !== true) return false;
      return true;
    }
  
    if (user.additional_verification_required) {
      if (context.protocol === "redirect-callback") {
        var tokenIsValid = false;
        try {
          // ---> THIS FAILS BECAUSE req.body = {} <--- //
          tokenIsValid = verifyToken(req.body.token);
        } catch (exception) {
          return callback(new UnauthorizedError()); 
        }
        if (tokenIsValid === true) {
          return callback(null, user, context);
        } else {
          return callback(new UnauthorizedError());    
        }  
      } else {
        user.jti = uuid.v4();
        const token = createToken({
            sub: user.user_id,
            email: user.email,
            name: user.name,
            "jti": user.jti
          }
        );
  
        context.redirect = {
          url: `https://example.com/callback?token=${token}`
        };
      }
    }
    
    return callback(null, user, context);
  }
POST request to the /continue endpoint
POST /continue?state=state_token_here HTTP/1.1
Host: domain.eu.auth0.com
Accept-Encoding: deflate, gzip
User-Agent: user_agent_here
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
Origin: https://example.com
DNT: 1
Connection: keep-alive
Referer: https://example.com
Cookie: cookies_here
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Pragma: no-cache
Cache-Control: no-cache
TE: Trailers
Content-Length: 367

token=my_jwt_token_here
2 Likes

I have absolutely the same issue, I have recognized it today, so the same is happening here: nothing is changed in code nor in auth0 setup.
In our case we redirect the new users to a consent page, which then redirects back to /continue page, but since rule is failing to get anything from context.request.body (debugged with Real-time Webtask Logs), the rule is failing, so our new users cannot login at the moment.

Exactly the same issue here. The ‘context.request.body’ is returning empty.

https://auth0.com/docs/rules/context-object#:~:text=the%20body%20of%20the%20POST%20request%20on%20login%20transactions

Same, issue. It stopped working in our dev tenants that do not have custom domain set up, however same rule still works in prod tenants with custom domains.

Hi Community,

We are actively looking into this now.

1 Like

We’ll give you updates as soon as we make significant progress in the investigation. Sorry for the inconvenience!

1 Like

Hello Auth0, Any information yet? And will there be an update to the Status pages to understand which regions were/are affected?

Hey there!

The issue should be fixed for everyone now. Once more sorry for the inconvenience!

1 Like