Redirecting Users with State Parameters

Hello,

I’m trying to redirect my users after login/signup in a React app. I’ve been reading about how to do that using a state param in the authentication request using a nonce per these docs.

(Redirect Users)

My question is concerning this quote:

As part of the callback processing and response validation

Where is this callback processing done? I have a callback handler but no information is passed to it. So, how do I validate a response? Where is this response data that I can evaluate?

FYI: I am using the react-auth0-spa.js context provider as described here : Auth0 React SDK Quickstarts: Login

Hi,

auth0-spa-js validates the response automatically so you needn’t concern yourself with this. The library takes care of all of these low-level details.

Regardless, I will explain how this works internally:

When the /authorize URL is constructed a new transaction is created and associated with a newly generated state value that will be passed in the URL: auth0-spa-js/Auth0Client.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub

When the user is redirected back to your app you should be calling handleRedirectCallback. This function retrieves the transaction using the state value from the query parameters: auth0-spa-js/Auth0Client.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub

It then passes the transaction’s nonce to _verifyIdToken (which is just a wrapper around the verify function) : auth0-spa-js/Auth0Client.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub

In verify you can then see the nonce value from the transaction is compared with that of the ID token. If they don’t match then validation fails: auth0-spa-js/jwt.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub

2 Likes

I’m sorry I’m a little lost. Can you walk us through how we can actually do this in auth0-react-js ?

can I just set redirect_uri: `{allowed_callback_url}?betacode=${somenumber}` when using loginWithRedirect ???

In my use case, the only dynamic part of my redirect uri is the query parameters. Can this work?