Redirect with actions vs rules - prompt=none - access token still being available

The docs for redirect with actions and with rules match on some aspects, and one of them is what happens if, in the middle of a redirection, there is an /authorize call with prompt=none.

According to the doc, we should get an error saying error=interaction_required but I’m seeing only that behaviour with rules and not with actions. When calling /authorize after being redirected by an action, I can still get a valid code to exchange it for an access token & id token.

This is the action I’m testing with:

  • trigger: post-login
  • code:
/**
* Handler that will be called during the execution of a PostLogin flow.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onExecutePostLogin = async (event, api) => { 
  api.redirect.sendUserTo("http://localhost:4200");
};


/**
* Handler that will be invoked when this action is resuming after an external redirect. If your
* onExecutePostLogin function does not perform a redirect, this function can be safely ignored.
*
* @param {Event} event - Details about the user and the context in which they are logging in.
* @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
*/
exports.onContinuePostLogin = async (event, api) => {
};

Then, from http://localhost:4200, I’m able to get a code for an access token by calling https://[AUTH0_TENANT]/authorize?client_id=...&prompt=none...

And the code for the rule is:

function (user, context, callback) {
  if (context.protocol !== "redirect-callback") {
    context.redirect = { url: "http://localhost:4200" };
  } 
  
  return callback(null, user, context);
}

And the same /authorize call as for the action (with a new nonce and state, of course).

Also, for my testing I’m using either redirecting with an action or a rule. I’m not using both at the same time of course.

Is this a bug or am I missing something?

Hi @veroca

The docs are covering some complex scenarios. The short version:

When you start this flow, the user authenticates with their credentials. This creates an Auth0 session.
Then the redirect triggers and they are redirected.
At this point, whether triggered through a rule or an action, the redirect app can do silent auth.
This is because the Auth0 session already exists.

You must take care with your rules to make sure that there is no backdoor to the original flow getting completed before the redirect is done.

John

1 Like

Hi John, thanks for the quick reply :slight_smile:

Ok, so, that would mean that the behaviour I’m seeing with the action is expected but not with the rule. Are you then confirming I shouldn’t be getting the error interaction_required when doing the silent auth after redirecting with the rule?

I’ve created the rule in the simplest way and, as mentioned, I’m doing the silent auth in the exact same way for both scenarios (redirecting with action and redirecting with rule).

Then, what is wrong in my config?

Hi @veroca

Yes, your rule should behave in the same way as the action. Take a look at your tenant logs and grab the entries for the action silent-auth and the rule silent-auth and compare them. That should give you an idea what is different.

John

1 Like

Hi John,

I’ve compared the logs. I cannot see anything that indicates what the problem could be.

Are you sure there is not currently a bug in the way the rule behaves?

As mentioned, I’m doing the silent auth the exact same way, after logging in with the exact same user in the exact same app. There are not any other actions or rules in the flow. I make sure of only having the action OR the rule enabled for my testing. And I’ve already provided the code behind the rule and the action.

I can provide the logs if that helps.

Logs from executing silent auth after the redirect action, which succeeds:

{
  "date": "2021-11-21T21:10:49.647Z",
  "type": "ssa",
  "client_id": "0a2JJVKKwbn***",
  "client_name": "Default App",
  "ip": "***",
  "user_agent": "Chrome 95.0.4638 / Mac OS X 10.15.7",
  "details": {
    "prompts": [],
    "completedAt": 1637529049646,
    "elapsedTime": null,
    "actions": {
      "executions": [
        "_Hyl-tNoQ8q2esJGbr2J0jIwM***"
      ]
    },
    "session_id": "lLvCL8eUOUjs0vjvOdzSH***"
  },
  "hostname": "dev-***.au.auth0.com",
  "session_connection": "Username-Password-Authentication",
  "user_id": "auth0|6177576***",
  "user_name": "***@***.com",
  "auth0_client": {
    "name": "@auth0/auth0-angular",
    "version": "1.8.0"
  },
  "log_id": "900202111212***",
  "_id": "9002021112121***",
  "isMobile": false,
  "description": "Successful silent authentication"
}

Logs from executing silent auth after the redirect rule, which fails:

{
  "date": "2021-11-21T21:08:38.791Z",
  "type": "fsa",
  "description": "External interaction required",
  "client_id": "0a2JJV***",
  "client_name": "Default App",
  "ip": "***",
  "user_agent": "Chrome 95.0.4638 / Mac OS X 10.15.7",
  "details": {
    "body": {},
    "qs": {
      "redirect_uri": "http://localhost:4200",
      "client_id": "0a2JJ***",
      "audience": "https://***api.com",
      "errorPath": "/error",
      "scope": "openid profile email",
      "response_type": "code",
      "response_mode": "web_message",
      "state": "dHp3VDZKT***",
      "nonce": "YXZIUFBubWpOdz***",
      "code_challenge": "zmDK5uXM***",
      "code_challenge_method": "S256",
      "prompt": "none",
      "auth0Client": "eyJuYW1lIjoiQGF1dG***"
    },
    "connection": null,
    "error": {
      "message": "External interaction required",
      "oauthError": "interaction_required",
      "type": "oauth-authorization"
    },
    "session_id": "PlXpaSQCm***",
    "session_connection": "Username-Password-Authentication"
  },
  "hostname": "dev***.au.auth0.com",
  "user_id": "auth0|61775766***",
  "user_name": "***@***.com",
  "audience": "https://***api.com",
  "scope": [
    "openid",
    "profile",
    "email"
  ],
  "auth0_client": {
    "name": "@auth0/auth0-angular",
    "version": "1.8.0"
  },
  "log_id": "90020211121***",
  "_id": "900202111***",
  "isMobile": false
}

Thank you.

Can anyone help me on this please? I’m still having this issue.

I’d really appreciate it.

I found what was missing.

Essentially the rule does not behave exactly the same way as an action.

When there is a rule redirect and prompt=none, the rule returns an error indicating “interaction_required”, but the action just silently logs an error in Auth0 but still returns a valid code so it can be exchanged for an access token.

So, the way of getting an access token from the redirect app through silent auth is by having a condition in the redirect rule where it will only redirect if the client id is not the one used from the redirect app. Something like this:

function (user, context, callback) {
  // REDIRECT_APP_CLIENT_ID is a placeholder for the client ID of the app
  // hosted at http://localhost:4200 (the one that performs the silent auth).
  // Only redirect when this is not the redirect callback and the caller is
  // not the redirect app itself.
  if (context.protocol !== "redirect-callback" && context.clientID !== REDIRECT_APP_CLIENT_ID) {
    context.redirect = { url: "http://localhost:4200" };
  }

  return callback(null, user, context);
}

It would be good if the documentation were updated regarding how an action redirect behaves when prompt=none. The doc seems to indicate it should return an error, like the redirect rule, but it doesn’t. See Redirect with Actions

I hope someone else finds this useful.

Cheers!

1 Like

Thank you! Yes, this is very useful.

John

2 Likes

Thanks for sharing that with the rest of community!

1 Like