When logging into our site, our users sometimes hit our callback page from Auth0 and don’t get redirected onwards. On closer inspection of why this could be happening, the code looks as follows:
```javascript
if (
  window.location.pathname == callbackPath &&
  window.location.search.includes('code=') &&
  window.location.search.includes('state=')
) {
  // Call handleRedirectCallback() and forward user to desired page
}
else if (window.location.search.includes('error=')) {
  // Forward user to error page
}
```
This code generally works well and does not have an `else` case present.
However, sometimes Auth0 redirects the user back to https://oursite.com/callback?code=JXLEAMf9pBVzWq2L
Notice that the `state` parameter is missing. We have no idea why this could be happening or if this is a legitimate case that we should be handling.
Any insights would be appreciated.
Further background and setup information below:
- We use Authorization code with PKCE flow
- We use Auth0 SPA JS library and calls to login are done using `loginWithRedirect()`
- The login is actually successful and can be confirmed in the Auth0 logs
- We use a custom domain
- We have confirmed at least 1 case where this happened with a user using Google social login
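
An added example, not part of the original post and not Auth0 SPA JS code: one way to give the callback check an explicit branch for every case, including `code` without `state`, by parsing the query string instead of substring matching. The function name `classifyCallback` and the outcome labels are hypothetical, and the sample URLs are constructed around the one quoted above.

```javascript
// Classify an OAuth callback URL by its parsed parameters.
// classifyCallback and the 'kind' labels are hypothetical names for this example.
function classifyCallback(href, callbackPath) {
  const url = new URL(href);
  if (url.pathname !== callbackPath) return { kind: 'not-callback' };

  // URLSearchParams matches exact parameter names; includes('code=') would
  // also match 'xcode=' or a 'code=' substring inside another value.
  const q = url.searchParams;
  const code = q.get('code');
  const state = q.get('state');
  const error = q.get('error');

  if (error) {
    return { kind: 'error', error, description: q.get('error_description') };
  }
  if (code && state) {
    // Only this case is handed to handleRedirectCallback().
    return { kind: 'complete' };
  }
  if (code && !state) {
    // Without state the response cannot be tied to the login this browser
    // started, so the code is not processed; log it and restart login.
    return { kind: 'missing-state' };
  }
  // On the callback path but with none of the expected parameters.
  return { kind: 'incomplete' };
}

// Constructed sample URLs.
const samples = [
  'https://oursite.com/callback?code=JXLEAMf9pBVzWq2L&state=abc123',
  'https://oursite.com/callback?code=JXLEAMf9pBVzWq2L',
  'https://oursite.com/callback?error=access_denied&error_description=denied',
  'https://oursite.com/callback?xcode=1&mystate=2',
];
for (const s of samples) {
  console.log(classifyCallback(s, '/callback').kind, '<-', s);
}
```

Logging the `missing-state` outcome together with the referrer and user agent gives a record of how often the truncated callback occurs and from which login path.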