I’ve written a redirect rule which will redirect to a page to collect some extra data and then call the continue url with the state parameter included.
When testing the rules with a specific connection which triggers the redirect, I get redirected, fill in some data and submit the form to the continue endpoint, and I get an unauthorized page; the continuation code is not called in the rule.
So the first is the HAR of my custom page after redirection from the rule, and the second is the result of my custom page posting to the continue endpoint.
The /continue endpoint should be a GET, usually a 302 redirect result from your server after the user finished whatever action was supposed to happen in the redirection. Can you try that instead of doing a POST?
I also see that there were no cookies sent in the POST request, probably the browser blocking them from the different originating site. When the session cookie is not present, Auth0 can’t associate the state provided with an ongoing authorization transaction. This will likely be fixed after moving to a GET.
Let me know how it goes. If the issue persists, please generate an updated .HAR.
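As an added illustration of the flow described in this reply (not code from the original thread or from Auth0), the following shows the two halves that have to agree: the rule, which redirects on the first pass and reads the collected fields when Auth0 resumes it with `context.protocol === 'redirect-callback'`, and the custom page's server, which answers the form submission with a 302 to GET `/continue?state=...` rather than a POST. The page URL `https://example-app.test/extra-data`, the tenant domain `example-tenant.auth0.com` and the `phone` field are assumptions.

```javascript
// Added example, not from the original thread or from Auth0.
// Stand-in for the UnauthorizedError global the rules runtime provides.
class UnauthorizedError extends Error {}

// Rule body as you would paste it into an Auth0 rule. `user`, `context`
// and `callback` are supplied by the rules runtime.
function redirectRule(user, context, callback) {
  // Second pass: Auth0 resumed the transaction via GET /continue?state=...
  // and exposes the other query parameters of that request here.
  if (context.protocol === 'redirect-callback') {
    const phone = context.request.query.phone; // assumed field name
    if (!phone) {
      return callback(new UnauthorizedError('phone number is required'));
    }
    user.user_metadata = user.user_metadata || {};
    user.user_metadata.phone = phone;
    return callback(null, user, context);
  }
  // First pass: send the browser to the page that collects the extra data.
  // Auth0 itself appends ?state=<opaque value> to this URL; the page must
  // carry that value back unchanged.
  context.redirect = { url: 'https://example-app.test/extra-data' }; // assumed URL
  return callback(null, user, context);
}

// Server side of the custom page, after the form is submitted to it:
// validate the form, then respond with a 302 whose Location is a GET to
// /continue carrying the same `state` that arrived with the redirect plus
// the collected fields. Posting directly to /continue is what fails.
function buildContinueRedirect(auth0Domain, state, fields) {
  if (!state) throw new Error('missing state from the redirect');
  const url = new URL(`https://${auth0Domain}/continue`);
  url.searchParams.set('state', state);
  for (const [key, value] of Object.entries(fields)) {
    url.searchParams.set(key, value);
  }
  return { status: 302, headers: { Location: url.toString() } };
}

module.exports = { redirectRule, buildContinueRedirect, UnauthorizedError };
```

The custom page should keep the `state` it received as a hidden form field and hand it back via `buildContinueRedirect`; the browser then follows the 302 to the Auth0 domain, where the session cookie is first-party and the state can be matched to the pending transaction.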
Hi again. Just noticed what’s wrong here: you are using the social connection with the “developer keys” (the built-in ones provided by Auth0). These don’t work with redirect rules, as mentioned in Limitations of Developer Keys:
Redirecting users from Rules will not function properly. This is because redirect rules are resumed on the endpoint https://YOUR_AUTH0_DOMAIN/continue. When using Auth0’s developer keys, the session is established on a special endpoint that is generic and tenant agnostic, and calling /continue will not find your previous session, resulting in an error.
This also explains why the auth0 cookie was not being sent in the request (the cookie set when using the developer keys comes from a different domain). Try configuring your own keys and things should work properly.