First of all, your documentation has improved a lot over the years. Thank you for that.
My questions are about the state parameter and the redirection once logged in (not the callback from Auth0).
Classic use case:
- A client tries to access a forbidden page “/page” that throws the equivalent of a 401.
- The client gets redirected to Auth0.
- Once authenticated in Auth0, the client gets redirected to the redirectUrl with the code.
- The server communicates with Auth0 and validates the token, etc.
- But now I want to redirect the user to the original page “/page”
So from the current documentation:
Link 1: https://auth0.com/docs/protocols/oauth2/oauth-state
tells us to use the state parameter. In this state, put a nonce and the returnUrl value.
Link 2: https://auth0.com/docs/tutorials/redirecting-users
does not mention state. Instead it tells us to store the returnUrl to be used after the authentication.
Link 3: https://github.com/auth0-samples/auth0-servlet-sso-sample
Seems to be an implementation following Link 1.
Here the code generates a state containing a nonce and the returnUrl.
It stores it as a session attribute before redirecting to Auth0 with the parameter state.
On the callback from Auth0 there is a validation of the nonce received against the one stored, a validation of the URL (if it is in a whitelist from the configuration), and it finally redirects the client.
Question 1: So is Link 3 the recommended solution?
Question 2: In Link 3, why do we need to pass the state, actually? We already use the session attributes. Why not store the returnUrl directly and use it on callback?
Question 3: If I am the one generating and storing this returnUrl, I guess I do not need this whitelist. The nonce validation should be enough, no?
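The round trip described above (401 on “/page”, redirect to Auth0 with a state carrying nonce + returnUrl, nonce check and URL whitelist on the callback), as an added example in Python. This is not the code of the auth0-servlet-sso-sample and not an Auth0 library; the tenant domain, client id, callback URL, allowed hosts and the `session` dict are constructed placeholders standing in for the servlet session and configuration. It shows the two checks the callback has to make independently: the nonce proves the response belongs to the browser session that started the login, and the URL check prevents the `returnTo` value (which travels through the user's browser and Auth0 and so can be altered on the way back) from becoming an open redirect.

```python
"""Added example: state handling for an OAuth2/OIDC login round trip.
Not from the Auth0 samples; all configuration values are placeholders."""
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed configuration; a real app reads these from its settings.
AUTH0_DOMAIN = "example.auth0.com"            # placeholder tenant
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CALLBACK_URL = "https://app.example.com/callback"
ALLOWED_RETURN_HOSTS = {"app.example.com"}    # the "whitelist" from the post

SESSION_NONCE_KEY = "auth_state_nonce"        # server-side session attribute


def is_safe_return_url(url: str) -> bool:
    """Accept only same-app destinations: a relative path, or an absolute
    https URL whose host is allow-listed. Rejects open-redirect shapes such
    as '//other.example', '/\\other.example' and 'https://other.example/'."""
    parsed = urlparse(url)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative URL: a single leading '/', never '//' or '/\' (scheme-relative)
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_RETURN_HOSTS


def begin_login(session: dict, return_url: str) -> str:
    """Step 1 (the 401 on '/page'): mint a nonce, keep it in the server-side
    session, and send nonce + returnUrl to Auth0 inside `state`.
    Returns the authorize URL the browser should be redirected to."""
    if not is_safe_return_url(return_url):
        return_url = "/"
    nonce = secrets.token_urlsafe(32)
    session[SESSION_NONCE_KEY] = nonce
    payload = json.dumps({"nonce": nonce, "returnTo": return_url}).encode()
    state = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": "openid profile",
        "state": state,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def _decode_state(state: str) -> dict:
    """Reverse the encoding from begin_login; raises ValueError on garbage."""
    padded = state + "=" * (-len(state) % 4)
    data = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(data, dict):
        raise ValueError("state payload is not an object")
    return data


def finish_login(session: dict, received_state: str) -> str:
    """Step 2 (the callback): accept the response only if the state's nonce
    matches the one this browser session minted, consume the nonce so it
    cannot be replayed, then re-validate the return URL before redirecting.
    Returns the URL to send the user to; raises ValueError on a mismatch."""
    expected = session.pop(SESSION_NONCE_KEY, None)   # one-shot
    try:
        data = _decode_state(received_state)
    except (ValueError, UnicodeDecodeError):
        raise ValueError("malformed state")
    nonce = str(data.get("nonce", ""))
    if expected is None or not hmac.compare_digest(nonce.encode(), expected.encode()):
        raise ValueError("state nonce mismatch: callback not bound to this session")
    # The returnTo value came back through the browser, so it is untrusted
    # input again here even though this server originally wrote it.
    return_to = str(data.get("returnTo", "/"))
    return return_to if is_safe_return_url(return_to) else "/"


def demo() -> str:
    """Happy path: '/page' -> Auth0 -> callback -> redirect to '/page'."""
    session = {}                                      # stands in for HttpSession
    authorize_url = begin_login(session, "/page")
    # Auth0 echoes `state` back unchanged on CALLBACK_URL?code=...&state=...
    echoed_state = parse_qs(urlparse(authorize_url).query)["state"][0]
    return finish_login(session, echoed_state)        # -> "/page"


if __name__ == "__main__":
    print(demo())
```

Two things the code makes concrete: the session attribute alone cannot tell the callback handler whether this particular response was started from this browser, which is what the nonce round trip through `state` adds; and the whitelist check is applied on the way back, not only on the way out, because the value arrives in a query string the server did not control in between.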