Use actions to detect user is no longer compliant on token refresh and force login

Hi Team, I have a use case where I am using Auth0 Redirect Actions to build a T&C screen. Basically after login we check something in the app_metadata and redirect the user to a custom page where it has to accept the new terms in order to continue.

This works great, the problem is, for already logged-in users, when the SDK attempts to get a new access token I am getting this error: "Redirection is not available on /oauth/token endpoint". This makes sense since the refresh token flow can't redirect the user.

My question is, what is the best way in this case to deal with this user (assuming there are new T&C and the already logged-in user needs to accept them in order to continue). I can use api.access.deny(reason) to return an error (not sure how the SDK will handle that for the refresh token flow).

I was also reading this: Redirect with Actions, and I find it quite confusing. It's not clear to me from that text what we should do with refresh tokens in actions… just ignore the flow with api.redirect.canRedirect()?

Cheers!

For future devs out there. Once the access token expires, the SDK will try to get a new access token using the refresh token via silent mode. This will fail (because the action will detect the T&C are not valid in the app_metadata). If you leave it like that, it just fails because a silent token refresh can't do a redirect (via action redirect), since there is no interaction from the user.

In my case I could solve it using something like:

  exports.onExecutePostLogin = async (event, api) => {
    // If this flow can't redirect (e.g. a refresh token grant on /oauth/token),
    // return an error so the SDK's silent refresh fails and the user logs in again
    if (!api.redirect.canRedirect()) {
      api.access.deny(
        "Terms and Conditions have changed. Please login again in order to accept them"
      );
      return;
    }
  };

In my scenario, my frontend will catch this and try to restart the login flow. Because there is still a valid session (cookie) in the Universal Login page, the user doesn't have to log in and is automatically redirected via actions to the T&C consent page.

Hope it makes sense.
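As an added example (not the thread's own code), here is a complete post-login Action for the flow described in this answer: it compares a version number stored in app_metadata with the current T&C version, redirects to the consent page when the flow allows it, denies the token on a refresh-token grant otherwise, and persists acceptance in the continue handler. The app_metadata key `accepted_terms_version`, the constant `REQUIRED_TERMS_VERSION` and the consent URL are assumptions.

```javascript
// Added example, not the thread's own code. Assumed names: the app_metadata key
// `accepted_terms_version`, REQUIRED_TERMS_VERSION and CONSENT_URL are placeholders.
const REQUIRED_TERMS_VERSION = 2;
const CONSENT_URL = "https://example.com/accept-terms";

// True when the stored acceptance covers the current T&C version.
function hasAcceptedCurrentTerms(user) {
  const meta = (user && user.app_metadata) || {};
  return Number(meta.accepted_terms_version || 0) >= REQUIRED_TERMS_VERSION;
}

// Runs on every interactive login and on every refresh-token grant.
async function onExecutePostLogin(event, api) {
  if (hasAcceptedCurrentTerms(event.user)) {
    return; // compliant: tokens are issued as usual
  }
  // A refresh-token grant goes through /oauth/token, where no redirect is
  // possible. Deny instead, so the SDK's silent refresh fails with a clear
  // reason and the app can restart an interactive login.
  if (!api.redirect.canRedirect()) {
    api.access.deny(
      "Terms and Conditions have changed. Please login again in order to accept them"
    );
    return;
  }
  // Interactive login: send the user to the consent page, which posts back
  // to the /continue endpoint with a `terms_version` form field.
  api.redirect.sendUserTo(CONSENT_URL, {
    query: { required_version: String(REQUIRED_TERMS_VERSION) },
  });
}

// Runs when the consent page returns the user to /continue. In production the
// consent page should hand back a signed token (checked with
// api.redirect.validateToken) rather than a plain form field, so it can't be forged.
async function onContinuePostLogin(event, api) {
  const body = (event.request && event.request.body) || {};
  const accepted = Number(body.terms_version || 0);
  if (accepted < REQUIRED_TERMS_VERSION) {
    api.access.deny("Terms and Conditions were not accepted");
    return;
  }
  // Persist acceptance so later logins and refresh grants pass the check.
  api.user.setAppMetadata("accepted_terms_version", accepted);
}

// Auth0 loads the Action through these exports (guarded for non-CommonJS runners).
if (typeof exports === "object") {
  Object.assign(exports, { onExecutePostLogin, onContinuePostLogin });
}
```

The frontend side stays as described in the answer: when the silent refresh fails with this denial reason, restart the login flow and let the Action redirect the still-valid session to the consent page.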