Extending core identity functions to fit your application’s unique needs.
Read more…
Brought to you by Andrew Whitman
Can this flow be used in a SPA? I’m having trouble with the ‘SECRET’ used to encode the session_token. As I understand it, there is a whole other process (PKCE) made for this scenario but I cannot figure out how it can be used here. Thank you
Thank you for posting your question @Raphaww !
I apologize for the delay in resolving your issue.
Yes
I believe you’ve assumed that the SECRET value used to encode the session token of the Redirect Action comes from the SPA app configuration available under your Auth0 dashboard → Applications → SPA settings, like below:
But it’s not the case here.
The secret used to encode the session token for this Redirect Action is a separate, random value generated purely for the purpose of this Action.
You can generate this value by running this in your shell:
openssl rand -hex 32
And in your Action code, you would add this secret value as a variable:
And finally, to craft the signed session token, you could use this code snippet (within your “Login flow” Action):
exports.onExecutePostLogin = async (event, api) => {
  const YOUR_AUTH0_DOMAIN = event.secrets.YOUR_AUTH0_DOMAIN || event.request.hostname;

  // Craft a signed session token. MY_REDIRECT_SECRET is the random value
  // stored in the Action's Secrets, not the application's client secret.
  const token = api.redirect.encodeToken({
    secret: event.secrets.MY_REDIRECT_SECRET,
    expiresInSeconds: 60,
    payload: {
      // Custom claims to be added to the token
      email: event.user.email,
      externalUserId: 1234,
      continue_uri: `https://${YOUR_AUTH0_DOMAIN}/continue`
    },
  });

  // Send the user to https://my-app.exampleco.com along
  // with a `session_token` query string param including
  // the email.
  api.redirect.sendUserTo("https://my-app.exampleco.com", {
    query: { session_token: token }
  });
};
I hope that helped! Please let me know if I understood your question correctly!