Using Redirect with Actions to Gather User Info and Increase Conversions

Extending core identity functions to fit your application’s unique needs.
Read more…

:writing_hand:t2: Brought to you by Andrew Whitman

1 Like

What are your thoughts, folks? Share it in the comments!

1 Like

Can this flow be used in a SPA? I’m having trouble with the ‘SECRET’ used to encode the session_token. As I understand it, there is a whole other process (PKCE) made for this scenario but I cannot figure out how it can be used here. Thank you

Thank you for posting your question @Raphaww !
I apologize for the delay in resolving your issue.

Yes :+1:

I believe you’ve assumed that the SECRET value used to encode the session token of the Redirect Action comes form the SPA app configuration available under your Auth0 dashboard → Application ->SPA settings, like below:

But it’s not the case here.
The secret used to encode the session token for this Redirect Action is a separate, random value generated purely for the purpose of this Action.

You can generate this value by running this in your shell:

openssl rand -hex 32

And in your Action code, you would add this secret value as a variable:

And finally, to craft the signed session token, you could use this code snippet (within your “Login flow” Action):

exports.onExecutePostLogin = async (event, api) => {
  const YOUR_AUTH0_DOMAIN = event.secrets.YOUR_AUTH0_DOMAIN || event.request.hostname

  // Craft a signed session token
  const token = api.redirect.encodeToken({
    secret: event.secrets.MY_REDIRECT_SECRET,
    expiresInSeconds: 60, 
    payload: {
      // Custom claims to be added to the token
      externalUserId: 1234,
      continue_uri: `https://${YOUR_AUTH0_DOMAIN}/continue`

  // Send the user to along
  // with a `session_token` query string param including
  // the email.
  api.redirect.sendUserTo("", {
    query: { session_token: token }

I hope that helped! Please let me know if I understood your question correctly!