Extending core identity functions to fit your application’s unique needs.
Read more…
Brought to you by Andrew Whitman
1 Like
What are your thoughts, folks? Share it in the comments!
1 Like
Can this flow be used in a SPA? I’m having trouble with the ‘SECRET’ used to encode the session_token. As I understand it, there is a whole other process (PKCE) made for this scenario but I cannot figure out how it can be used here. Thank you
Thank you for posting your question @Raphaww !
I apologize for the delay in resolving your issue.
Yes 
I believe you’ve assumed that the SECRET value used to encode the session token of the Redirect Action comes form the SPA app configuration available under your Auth0 dashboard → Application ->SPA settings, like below:
But it’s not the case here.
The secret used to encode the session token for this Redirect Action is a separate, random value generated purely for the purpose of this Action.
You can generate this value by running this in your shell:
openssl rand -hex 32
And in your Action code, you would add this secret value as a variable:
And finally, to craft the signed session token, you could use this code snippet (within your “Login flow” Action):
exports.onExecutePostLogin = async (event, api) => {
const YOUR_AUTH0_DOMAIN = event.secrets.YOUR_AUTH0_DOMAIN || event.request.hostname
// Craft a signed session token
const token = api.redirect.encodeToken({
secret: event.secrets.MY_REDIRECT_SECRET,
expiresInSeconds: 60,
payload: {
// Custom claims to be added to the token
email: event.user.email,
externalUserId: 1234,
continue_uri: `https://${YOUR_AUTH0_DOMAIN}/continue`
},
});
// Send the user to https://my-app.exampleco.com along
// with a `session_token` query string param including
// the email.
api.redirect.sendUserTo("https://my-app.exampleco.com", {
query: { session_token: token }
});
}
I hope that helped! Please let me know if I understood your question correctly!
2 Likes