We have a use case where we would like to generate a magic link for a user to login to our application, but then redirect immediately to a particular resource. The actual use case is we are a document platform (www.arity.co) and we would like to generate a magic link which, after authentication, redirects immediately to a shared document in our application. I am trying to figure out the proscribed way of doing this.
Can we customize the magic link at all so that the user is redirected to a particular resource (document) in our app? How can this be achieved?
It seems the passwordless API supports “authParams” that allow you to add any query param you want to a generated magic link? Can we add a “redirect” url query param and then redirect the user after the authentication transaction within an Auth0 rule?
Thanks for the suggestion. We are using state to redirect to a specific place if the user hits our login page and is attempting to get to a particular resource. But what I am looking to do is send out a magic link that includes redirect info so the user can click the magic link, be authenticated, then automatically redirected to where (s)he wants to go.
I was thinking of initiating the magic link from my server possibly using an Auth0 API. Our actual use case is this. User A is the “owner” of a document. User A shares the document with User B. At the time of sharing, we wanted to dispatch a magic link to User B that would authenticate User B, then automatically redirect User B to the document after authentication to our app. So, the magic link would act as an authentication mechanism and a redirect.
I was considering using requestMagicLink from the Node SDK and possibly trying to append URL query parameters to the magic link using the authParams parameter. Then I was thinking maybe I would have access to that query parameter in an Auth0 Rule where maybe I can do a redirect to the right resource…
I spoke to some of our field team and they agreed state is probably the best way to do this, esp when compared to using a redirect rule.
You could add something like "documentURL":"https://example.com/documentID" to the state param in authParams, and that will help your app redirect after the callback is handled.
One very important note: In a scenario where user A is initiating the invite to user B, if user a is able to manipulate the redirect URL, they could potentially send user B to a malicious site or forged request. You should validate the URL before accepting it as a redirect.
Thank you! Yes that does make sense. Ok so you can confirm I can pass state into authParams and that will show up in the URL query params? If yes, then that works for me.
My last other question is what if the link is expired? Presumably, my app would get an error notification to that effect and I could programmatically generate another magic link to let the user log in?
To your security point, my server is going to be the only mechanism to issue a link so a user has no way of mucking with the redirect URL at all, that will only be done on my server. So, I think we should be alright.