What should redirectUri be for checkSession()?

When calling checkSession(), what should I use for the value of redirectUri?

If I leave it blank, then the call to /authorize in the hidden iframe gets rejected with the error “invalid_request: The specified redirect_uri ‘undefined’ does not have a registered origin.”

If I give it a value then checkSession() works, but it appears to not be loading that redirectUri page.

I don’t want checkSession() to be loading the same redirectUri as I use for the calls to authorize(), because that will load my entire SPA, which I don’t want to be doing in an iframe which is already inside my SPA.

So if I don’t provide a redirectUri it fails, but I don’t want to use the same redirectUri as authorize(), so what value should I use?

Hi @martin.pain, checkSession accesses the authorization server from inside an iframe. It uses the redirectUri to apply the new token fetched inside that iframe to the session on your own application, before closing the iframe.

What is the concern about loading it inside the iframe?

Hi Luke,

My concern is that my SPA is a fairly large page & script to load. Hopefully it’ll be cached in the browser by this point, but still: loading it unnecessarily seems… unnecessary.

Also, when the SPA first loads it checks to see if it has been called as the callback from an authorize() call. However, my understanding is that when using checkSession() it executes some Auth0 code that uses HTML5 Post Message to send the tokens back to the tab/window that is the parent of the iframe. Therefore if there is a chance that my code to handle the callback from the authorize() call gets executed as well as the Auth0 Post Message call (and calling the callback I passed to checkSession()) I’m not certain if there will be any negative side-effects of that.

If my understanding is correct that checkSession() receives the tokens via HTML5 Post Message, then where is the code that sends that Post Message? Is it an Auth0 page that’s loading inside the iframe? If that is the case, does it use the redirectUri at all? If it is being sent by something in my code that I have to do when the redirectUri callback page is loaded, why does the checkSession() documentation not say that I need to run something when that redirectUri callback page is loaded?


P.S. My code is:

    let webAuth = new auth0.WebAuth({
        domain: AUTH0_DOMAIN,
        responseType: 'token id_token',
        redirectUri: UI_URL,
        scope: 'openid'
    });

    // Silent check in the hidden iframe; the result arrives in this callback
    webAuth.checkSession({}, (err, authResult) => {
        if (err) {
            return callback();
        }
        if (authResult) {
            return callback(null, authResult.authToken);
        }
    });

So, I’ve just got some clarification. The redirectUri is parsed and validated; it must be in your accepted redirects. But it is not used, and the token is passed back to the parent with JavaScript. The SPA isn’t loaded again :slight_smile: Sorry for the confusion!

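The thread concludes that the token returns to the parent page through a posted message rather than by loading redirectUri. The following is an added example, not part of the thread and not Auth0's code, of the checks a parent page applies before trusting such a message. The message shape (`type`, `response`), the function name and all sample values are assumptions constructed for illustration.

```javascript
// Added example: parent-window validation of a silent-authentication reply.
// Assumed message shape: { type: 'authorization_response', response: {...} }.
function acceptSilentAuthMessage(event, expected) {
  // 1. Only the authorization server's origin may deliver tokens.
  if (event.origin !== expected.issuerOrigin) {
    return { ok: false, reason: 'unexpected origin' };
  }
  // 2. The sender must be the hidden iframe this page created.
  if (event.source !== expected.iframeWindow) {
    return { ok: false, reason: 'unexpected source window' };
  }
  const data = event.data;
  if (!data || data.type !== 'authorization_response' || !data.response) {
    return { ok: false, reason: 'not an authorization response' };
  }
  const res = data.response;
  // 3. state binds the reply to the request this page started.
  if (typeof res.state !== 'string' || res.state !== expected.state) {
    return { ok: false, reason: 'state mismatch' };
  }
  // 4. Failures such as login_required arrive on the same channel.
  if (res.error) {
    return { ok: false, reason: res.error };
  }
  if (!res.access_token && !res.id_token) {
    return { ok: false, reason: 'no token in response' };
  }
  return { ok: true, accessToken: res.access_token, idToken: res.id_token };
}

// Constructed sample input (hypothetical tenant origin and token values).
const iframeWindow = {}; // stands in for iframe.contentWindow
const expected = {
  issuerOrigin: 'https://tenant.example.com',
  iframeWindow,
  state: 'st-8f3a',
};
const goodEvent = {
  origin: 'https://tenant.example.com',
  source: iframeWindow,
  data: {
    type: 'authorization_response',
    response: { state: 'st-8f3a', access_token: 'constructed-access-token' },
  },
};
console.log(acceptSilentAuthMessage(goodEvent, expected));
```

In a browser the function would be called from a `message` event listener on `window`, with `expected.iframeWindow` set to the hidden iframe's `contentWindow`.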