Redirect rule continue returns unauthorized

I’ve written a redirect rule which will redirect to a page to collect some extra data and then call the continue url with the state parameter included.

When testing the rules with a specific connection which triggers the redirect I get redirected, fill in some data and submit the form to the continue endpoint and I get an unauthorized page and the continuation code is not called in the rule.


What page do you get exactly as a result? URL and meaningful content would help, a .HAR file would be even better to help troubleshoot.

Okay I’ve got the HAR files uploaded to the request

  1. redirected-page.har (337.4 KB)

  2. continue.har (337.4 KB)

So the first is the HAR of my custom page after redirection from the rule, and the second is the result of my custom page posting to the continue endpoint.

The /continue endpoint should be a GET, usually a 302 redirect result from your server after the user finished whatever action was supposed to happen in the redirection. Can you try that instead of doing a POST?

I also see that there were no cookies sent in the POST request, probably the browser blocking them from the different originating site. When the session cookie is not present, Auth0 can’t associate the state provided with an ongoing authorization transaction. This will likely be fixed after moving to a GET.

Let me know how it goes. If the issue persists, please generate an updated .HAR.

No, still the same. Here is the HAR:

with-GET.har (283.8 KB)

I first thought it was Brave browser’s shield feature, which might be too restrictive, so I tried with Chrome and I get the same result…

Hi again. Just noticed what’s wrong here: you are using the social connection with the “developer keys” (the built-in ones provided by Auth0). These don’t work with redirect rules, as mentioned in Limitations of Developer Keys:

Redirecting users from Rules will not function properly. This is because redirect rules are resumed on the endpoint https://YOUR_AUTH0_DOMAIN/continue. When using Auth0’s developer keys, the session is established on a special endpoint that is generic and tenant agnostic, and calling /continue will not find your previous session, resulting in an error.

This also explains why the auth0 cookie was not being sent in the request (the cookie set when using the developer keys comes from a different domain). Try configuring your own keys and things should work properly.
