Setting "code" query parameter breaks auth0 state


If you’re logged in to my site, and then add “?code=blah” to the href, auth0 now thinks I’m not logged in. I realize this has something to do with the oauth redirect flow, but the problem is that I need to use that query parameter (stripe uses it for their oauth flow: https://stripe.com/docs/connect/collect-then-transfer-guide).

Proposed change: if code param fails to change the auth0 state, auth0-react should fall back on whatever it would have the state be if that code were excluded (instead of just saying there’s no user).

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 16 (6 by maintainers)

Top GitHub Comments

2 reactions
adamjmcgrath commented, Sep 3, 2020

Hey @martinrojas - I am waiting on an upstream dependency before I do another release - should be 1 week - 2 max

2 reactions
adamjmcgrath commented, Aug 25, 2020

Hi @dutsik @asktree

I have a branch (https://github.com/auth0/auth0-react/compare/skip-redirect-callback) where I’ve added the config option skipRedirectCallback; if true, this will ignore the code/state parameters. You can set this to true on callback routes for other OAuth providers where you know the SDK doesn’t need to handle the callback params. Or conversely, you can set it to true unless you know the route to be the auth0 callback path, e.g.:

<Auth0Provider
  domain={domain}
  clientId={clientId}
  redirectUri={`${window.location.origin}/auth0-callback`}
  skipRedirectCallback={window.location.pathname !== '/auth0-callback'}>
  {/* App is a placeholder for the application's root component */}
  <App />
</Auth0Provider>

Can you try it out and let me know if it meets your needs?
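
The route-scoped handling described in the comment above, sketched as an added example (not part of the original thread and not auth0-react's code): callback parameters are acted on only on the route registered for that provider, and only when `state` matches the value stored before the redirect. The `/stripe-callback` path, the function names and the sample state values used with them are assumptions.

```javascript
// Added example: names, paths and state values are constructed for illustration.
// One entry per OAuth flow the SPA can start; each path mirrors a redirect URI.
const FLOWS = {
  auth0: { callbackPath: '/auth0-callback' },   // path used in the comment above
  stripe: { callbackPath: '/stripe-callback' }, // assumed path for the Stripe flow
};

// Decide what to do with a URL, given the state values this client stored
// (per provider) before it redirected the user away.
function routeCallback(href, pendingStates) {
  const url = new URL(href);
  const q = url.searchParams;
  const looksLikeResponse = q.has('code') || q.has('error');
  const owner = Object.keys(FLOWS).find(
    (name) => FLOWS[name].callbackPath === url.pathname
  );

  // A `code` parameter on any other route belongs to the page itself,
  // so the existing session must be left untouched.
  if (!owner || !looksLikeResponse) {
    return { owner: null, action: 'ignore' };
  }

  // On a callback route, a response without the expected state is
  // unsolicited (or forged) and the code must not be redeemed.
  const expected = pendingStates[owner];
  if (!expected || q.get('state') !== expected) {
    return { owner, action: 'reject' };
  }
  return { owner, action: 'exchange' };
}

// Value to pass as the skipRedirectCallback prop for the current location.
function skipRedirectCallbackFor(href) {
  return new URL(href).pathname !== FLOWS.auth0.callbackPath;
}

// Constructed sample: a logged-in user opens a page with ?code=blah.
const pending = { auth0: 'a1b2', stripe: 's9z8' };
console.log(routeCallback('https://app.example/settings?code=blah', pending));
console.log(skipRedirectCallbackFor('https://app.example/stripe-callback?code=ac_1'));
```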
