The following documentation link:
Says this about rules redirection:
Once redirected, your own hosted user interface executes in a user authenticated context, and obtains authenticity artifacts by the virtue of Auth0 SSO. Obtaining these artifacts—e.g., an ID Token in OpenID Connect (OIDC), and/or an Access Token in OAuth 2.0—is achieved by using a context.clientID context that is not the one which triggered redirect. To do this, redirect to the /authorize endpoint. In the case of a SPA for example, use silent authentication. This creates a new pipeline that causes all rules to execute again, and you can use the context object within a rule to perform conditional processing.
- Redirection to your own hosted user interface is performed before a pipeline completes and can be triggered once per context.clientID context. Redirection should only use HTTPS when executed in a production environment, and additional parameters should be kept to a minimum to help mitigate common security threats. Preferably, the Auth0-supplied state is the only parameter supplied.
The following link:
The application is going to redirect the user back to the Auth0 tenant, so any data related to the user can be gathered through the ID token that is returned to the application. However, you may want to ensure that the application is logging into the same user that is being redirected from to ensure that there is no tampering of any sort in-between. Therefore you will likely want to send a token along with the request.
Which option should we use?