Hi, I have a problem using redirect rules in combination with client-generated state parameters.
My client adds a state parameter to the auth request. This is altered by Auth0 during a redirect by an Auth0 rule that enforces MFA, so that the resulting response to my client has a different state than the original one requested and thus fails.
Is there any way to keep (or manually set) the original state value during redirect rules?
Help really appreciated!
-
Original client auth request: https://xxx.eu.auth0.com/authorize?[...]&state=OriginalRandomState
Rule debug: context.request.query.state=OriginalRandomState
Redirect rule:
context.redirect = {
  url: 'https://xxx.eu.auth0.com/authorize?[...]&mfaparameter=2' };
Resulting Auth0 redirect request:
Rule debug: context.request.query.state=NewAuth0GeneratedRandomState
So the redirect alters the state (OriginalRandomState != NewAuth0GeneratedRandomState), and thus the client match fails. Also adding a manual state parameter to the request URL doesn’t allow me to set the state parameter manually (like the following code snippet).
const authorizationURL = 'https://xxx.eu.auth0.com/authorize?[...]&mfaparameter=2&state=' + context.request.query.state; // add original query state manually to new redirect URL
context.redirect = {
  url: authorizationURL };
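As an added example that is not part of the original post (and not Auth0's own code): a legacy rule laid out along the documented redirect round trip, where the redirect target is an external page that returns to /continue with the state Auth0 attached, instead of starting a second /authorize transaction, so the client's original state is never touched by the rule. The MFA page URL, the mfaVerified flag and the small harness are assumptions for running it offline.

```javascript
// Placeholder external MFA page (assumption, not a real endpoint).
const MFA_PAGE = 'https://mfa.example.invalid/verify';
const TENANT = 'xxx.eu.auth0.com';

// The MFA page sends the browser back here; `state` is the value Auth0
// appended to the redirect URL, not the client's own state parameter.
function continueUrl(tenant, state) {
  return 'https://' + tenant + '/continue?state=' + encodeURIComponent(state);
}

// Legacy Auth0 rule, written as (user, context, callback).
function enforceMfaRule(user, context, callback) {
  if (context.protocol === 'redirect-callback') {
    // Second pass, reached through /continue. Placeholder check: a real rule
    // would verify a signed token from the MFA page, not a bare query flag.
    if (context.request.query.mfaVerified !== 'true') {
      return callback(new Error('MFA not completed'));
    }
    return callback(null, user, context);
  }
  // First pass: redirect to the external page. No client state is copied
  // here; Auth0 attaches its own transaction state to this URL and resumes
  // the original /authorize request, with its state, after /continue.
  context.redirect = { url: MFA_PAGE + '?mfaparameter=2' };
  return callback(null, user, context);
}

// Tiny synchronous harness standing in for Auth0's rule runner (constructed).
function runRule(context) {
  let outcome = null;
  enforceMfaRule({ user_id: 'auth0|example' }, context,
    (err, user, ctx) => { outcome = { err: err || null, context: ctx || null }; });
  return outcome;
}

// Constructed walk-through of both passes of the same transaction.
const firstPass = runRule({ protocol: 'oidc-basic-profile',
  request: { query: { state: 'OriginalRandomState' } } });
const secondPass = runRule({ protocol: 'redirect-callback',
  request: { query: { state: 'Auth0TransactionState', mfaVerified: 'true' } } });
```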