Securing post-registration redirect


We’re implementing Auth0 and I’m trying to figure out user onboarding. The way I picture this flow working is that we create a rule where if loginCount === 1 then we redirect to our URL with query params like ?state=${stateFromAuth0}&token=${tokenGeneratedInRule}. The state we save to hit the /continue endpoint and the token is verified by the service and from the token comes the user id which we use to then kick off a bunch of things on our end.

If I don’t specify ?token=${token} in context.redirect.url then it sends the state. If I do specify the token, it only sends the token.

Am I missing something or can I send them both? How do I access that state prop?


You may want to consider using a specific flag in app_metadata like onboarding_completed instead of overloading the semantics of loginCount; it’s cleaner and more robust.

In relation to the state it should be possible to send both your token and the state so it’s likely something is going on. You should check the flow at the network level (HTTP) in order to understand if this is indeed a case of state not being sent at all or a case of the receiving end failing to recognise that state was sent possibly due to an issue with how it was sent.

For example, one thing to consider with ?token=${token} is that the token needs to be a URL-encoded value.

That’s a great idea. I believe that the URL encoding was the issue in fact and all seems to be well now. Appreciate the heads up on that.

Regarding the app_metadata I like that idea, but also want to make sure I’m understanding where to set that. I assume this is something that I would see persisted in our user DB?

The flag could be set as part of the user metadata in Auth0 user profile; you would set it using Management API ( when the user completes the onboarding.

The above would allow the rule to check that flag to see if the user should be redirected or not; user metadata is available by default in rules through the user variable.