Hello,
I’m trying to redirect my users after login/signup in a React app. I’ve been reading about how to do that using a state param in the authentication request using a nonce per these docs (Redirect Users).
My question is concerning this quote:
As part of the callback processing and response validation
Where is this callback processing done? I have a callback handler but no information is passed to it. So, how do I validate a response? Where is this response data that I can evaluate?
FYI: I am using the react-auth0-spa.js context provider as described here: Auth0 React SDK Quickstarts: Login
Hi,
auth0-spa-js validates the response automatically so you needn’t concern yourself with this. The library takes care of all of these low-level details.
Regardless, I will explain how this works internally:
When the /authorize URL is constructed a new transaction is created and associated with a newly generated state value that will be passed in the URL: auth0-spa-js/Auth0Client.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub
When the user is redirected back to your app you should be calling handleRedirectCallback. This function retrieves the transaction using the state value from the query parameters: auth0-spa-js/Auth0Client.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub
It then passes the transaction’s nonce to _verifyIdToken (which is just a wrapper around the verify function): auth0-spa-js/Auth0Client.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub
In verify you can then see the nonce value from the transaction is compared with that of the ID token. If they don’t match then validation fails: auth0-spa-js/jwt.ts at c757764b94cb1561c37b20cf6076c73c7ceef317 · auth0/auth0-spa-js · GitHub
I’m sorry, I’m a little lost. Can you walk us through how we can actually do this in auth0-react-js?
Can I just set redirect_uri: `{allowed_callback_url}?betacode=${somenumber}` when using loginWithRedirect???
In my use case, the only dynamic part of my redirect uri is the query parameters. Can this work?