
Infinite loop with custom rule #387

Closed
YassineDM opened this issue Mar 23, 2020 · 5 comments


YassineDM commented Mar 23, 2020

Description

I followed the React: Login tutorial for Auth0's SPA SDK and it works fine.
Particularly, a PrivateRoute redirects an unauthenticated user to the Auth0 login page and then back to intended path.

Then I tried to introduce a custom rule to redirect the user after signup, but while it does redirect to the specified URL, it keeps on looping (with different states in the URL params) until it creates the cookie pollution described in #217 and #319.

Reproduction

Here is the custom rule created:

function (user, context, callback) {
  // If first login, i.e. after `signup`.
  if (context.stats.loginsCount === 1) {
    // Redirect out of the authentication flow; Auth0 appends a `state` param.
    context.redirect = {
      url: "http://localhost:3000/en/onboarding"
    };
  }

  return callback(null, user, context);
}

Here are some of the (looping) redirection URLs:
http://localhost:3000/en/onboarding?state=g6Fo2SBwTzdsLVBUNmNuNTNkc1g5aWIwbGlLbHliTm5GejlBeqN0aWTZIERNb3Q5blQ5Q1llR3FuTWpqcHFQQVJDNThkREdBOC1Yo2NpZNkgbDhhYmRsVWp3UmdvZThrVXp0VlIzbXdqbXdVR2xjTlE
http://localhost:3000/en/onboarding?state=g6Fo2SBFbEIweHMzRnhPbE85UmNwbUM4S3NYcHpqNFJNM2hZNqN0aWTZIEZnZEJQUHdlSTlPUTN5U1FXczkyNHRkTDJCdWVMbnpJo2NpZNkgbDhhYmRsVWp3UmdvZThrVXp0VlIzbXdqbXdVR2xjTlE
http://localhost:3000/en/onboarding?state=g6Fo2SBlU01sWHVqMjAwZW1DNXpwS1QxT292T0UyRWs0WG5CRKN0aWTZIE41UEphaVVzYll2ZXplcDdLd3lKSHNJZEszR015T2t6o2NpZNkgbDhhYmRsVWp3UmdvZThrVXp0VlIzbXdqbXdVR2xjTlE

Environment

  • Version of this library used: auth0-spa-js version 1.6.4
  • Version of the platform or framework used, if applicable: react version 16.13.0 with react-scripts (Create React App) version 3.4.0
@stevehobbsdev (Contributor) commented:

@YassineDM Can you share your PrivateRoute implementation? Is it straight out of the React tutorial without modification?

Are you also able to verify that silent authentication works for you (with or without the custom rule)? i.e. are you able to log in, then refresh the page and remain authenticated without having to log in again?


YassineDM commented Mar 23, 2020

PrivateRoute implementation is exactly the same as in the tutorial and silent authentication works fine too (refreshing the page keeps user authenticated).
Plus, the access token I get with the getTokenSilently function from the auth0 hook is well decoded and verified by my Rails API backend...
And I can even add that I managed to create another rule successfully (adding a custom claim to the id token).


adamjmcgrath commented Mar 24, 2020

Hi @YassineDM

Redirecting users from within rules is for adding additional steps to the authentication flow, like Multi-Factor Authentication, not for overwriting the OAuth redirect_uri.

See: https://auth0.com/docs/rules/guides/redirect#start-redirect-and-resume-authentication
"Once all rules have finished executing, Auth0 redirects the user to the URL specified in the context.redirect.url property. Auth0 also passes a state parameter in that URL.... After the redirect, resume authentication by redirecting the user to the /continue endpoint and include the state parameter you received in the URL."

This is why your url is only getting a state param (not a code param):

http://localhost:3000/en/onboarding?state=g6Fo2SBwTzdsLVBUNmNuNTNkc1g5aWIwbGlLbHliTm5GejlBeqN0aWTZIERNb3Q5blQ5Q1llR3FuTWpqcHF

In this case, the callback handler at https://github.com/auth0-samples/auth0-react-samples/blob/master/01-Login/src/react-auth0-spa.js#L25 is never getting a code param, so the user is never authenticated, and the PrivateRoute will keep going down the not-authenticated path https://github.com/auth0-samples/auth0-react-samples/blob/master/01-Login/src/components/PrivateRoute.js#L14, which is to redirect to login, which starts the loop.

You could try adding a custom claim to the id token:

function (user, context, callback) {
  // Namespaced claim name, so it cannot collide with standard OIDC claims.
  const namespace = 'https://myapp.example.com/';
  // True only on the very first login (i.e. right after signup).
  context.idToken[namespace + 'is_first_login'] = context.stats.loginsCount === 1;
  callback(null, user, context);
}

then do the redirect on your application:

import { useAuth0 } from "./react-auth0-spa"; // hook from the tutorial's wrapper

const { user } = useAuth0();
// `user` holds the decoded ID token claims once the user is authenticated.
if (user['https://myapp.example.com/is_first_login']) {
  // redirect to /en/onboarding
}
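The following is an added example, not code from the issue, from auth0-spa-js or from the Auth0 samples. It models the distinction drawn in this comment and the symptom in the original report: a rule redirect hands the browser only a `state` parameter and must be resumed at `/continue`, whereas a real OAuth callback carries `code` (plus `state`) that the SDK can exchange for tokens. It also runs the recommended rule against a constructed `context` and makes the onboarding decision from the resulting claim. The tenant domain in `continueUrl` and the user id are placeholders.

```javascript
// Added example; assumes Node's global URL. Namespace and claim name are the
// ones suggested in the thread.
const NAMESPACE = "https://myapp.example.com/";
const FIRST_LOGIN_CLAIM = NAMESPACE + "is_first_login";

// The recommended rule, written so it can be driven with a mocked context.
function firstLoginClaimRule(user, context, callback) {
  context.idToken = context.idToken || {};
  context.idToken[FIRST_LOGIN_CLAIM] = context.stats.loginsCount === 1;
  return callback(null, user, context);
}

// Run the rule against a constructed context and return the resulting claims.
function runRule(loginsCount) {
  const context = { stats: { loginsCount }, idToken: {} };
  let claims = null;
  firstLoginClaimRule({ user_id: "auth0|constructed" }, context, (err, u, c) => {
    if (err) throw err;
    claims = c.idToken;
  });
  return claims;
}

// Classify the URL the browser landed on. A rule redirect never completes the
// login by itself: there is no `code` for handleRedirectCallback to exchange.
function classifyCallback(urlString) {
  const params = new URL(urlString).searchParams;
  if (params.has("code") && params.has("state")) return "oauth_callback";
  if (params.has("state")) return "rule_redirect"; // must resume at /continue
  return "plain";
}

// Resume URL for a rule redirect; tenantDomain is a placeholder assumption.
function continueUrl(tenantDomain, state) {
  return `https://${tenantDomain}/continue?state=${encodeURIComponent(state)}`;
}

// Client-side decision the thread recommends instead of redirecting in the rule.
function onboardingTarget(idTokenClaims) {
  return idTokenClaims && idTokenClaims[FIRST_LOGIN_CLAIM] === true
    ? "/en/onboarding"
    : null;
}
```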

@adamjmcgrath (Contributor) commented:

Closing this, feel free to reopen if you want to continue the conversation.

@YassineDM (Author) commented:

Thank you very much for your help, I will try this new approach then...
