redirect_uri overrides AUTH0_BASE_URL but returnTo does not #1211

Closed
6 tasks done
pricealexandra opened this issue May 17, 2023 · 3 comments
Labels
question Further information is requested



pricealexandra commented May 17, 2023

Description

My team is using redirect_uri within the handleLogin authorizationParams in order to make sure that users end up on the right page post-login in different environments that our app is deployed in. I found the info on how to do that here. See exact code in the Reproduction section of the issue.

However, within a support ticket a while back about overriding AUTH0_BASE_URL I was told that using that redirect_uri was not the documented way to do this, and I should use the returnTo property of the LoginOptions object instead. I want to use the documented "correct" way to do this. Unfortunately, returnTo does not appear to be overriding the behavior of AUTH0_BASE_URL. In deployed environments we get redirected to the url in AUTH0_BASE_URL instead of the one in returnTo.

This seems like a bug to me, but maybe the difference in behavior between redirect_uri and returnTo is intentional and this is more of a documentation issue. Or I'm just using one or both of them incorrectly! Thanks very much in advance for taking the time to look at this, let me know what other information I can provide!

Reproduction

I cannot share the whole repo since it's not open source but here is our current [...auth0].ts:

```ts
import {
  handleAuth,
  handleCallback,
  handleLogin,
  handleLogout,
} from '@auth0/nextjs-auth0';
import getConfig from 'next/config';

const { domain } = getConfig().publicRuntimeConfig;
export default handleAuth({
  login: handleLogin({
    authorizationParams: {
      audience: 'private stuff',
      redirect_uri:
        domain === 'localhost'
          ? 'http://localhost:3000/api/auth/callback'
          : `https://${domain}/api/auth/callback`,
    },
  }),
  callback: handleCallback({
    redirectUri:
      domain === 'localhost'
        ? 'http://localhost:3000/api/auth/callback'
        : `https://${domain}/api/auth/callback`,
  }),
  logout: handleLogout({
    returnTo:
      domain === 'localhost' ? 'http://localhost:3000' : `https://${domain}`,
  }),
});
```

This configuration is working for us in all environments. The following configuration is not:

```ts
// Same imports as the first snippet.
import {
  handleAuth,
  handleCallback,
  handleLogin,
  handleLogout,
} from '@auth0/nextjs-auth0';
import getConfig from 'next/config';

const { domain } = getConfig().publicRuntimeConfig;
export default handleAuth({
  login: handleLogin({
    authorizationParams: {
      audience: 'private stuff',
    },
    // returnTo instead of authorizationParams.redirect_uri
    returnTo:
      domain === 'localhost' ? 'http://localhost:3000' : `https://${domain}`,
  }),
  callback: handleCallback({
    redirectUri:
      domain === 'localhost'
        ? 'http://localhost:3000/api/auth/callback'
        : `https://${domain}/api/auth/callback`,
  }),
  logout: handleLogout({
    returnTo:
      domain === 'localhost' ? 'http://localhost:3000' : `https://${domain}`,
  }),
});
```

When we use that version, returnTo does not seem like it's respected -- our staging environment login redirects users back to our test environment instead (that's the value in AUTH0_BASE_URL). The advice in a similar issue here to not use a fully qualified URL didn't seem to make a difference for me.

Additional context

No response

nextjs-auth0 version

v2.2.2

Next.js version

v12.3.2

Node.js version

v14.17.0

adamjmcgrath (Contributor) commented:

Hi @pricealexandra - thanks for raising this

Your second code snippet looks good, except you should set authorizationParams.redirect_uri to match the domain of the returnTo (as you've done in the first code snippet).

The general rule of thumb is:

- redirect_uri - registered on the AS, we can trust it - but you're limited to how many urls you can register
- returnTo - provided by the user, we can't trust it - you can link to whatever url you like, as long as it matches the domain of the redirect_uri

@adamjmcgrath adamjmcgrath added the question Further information is requested label May 18, 2023
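The rule of thumb in the maintainer's reply, as an added example that is not part of this thread and is not nextjs-auth0's own code: a small TypeScript model in which the origin of the trusted `redirect_uri` (registered with the authorization server) gates an untrusted `returnTo`. The function names (`trustedOrigin`, `resolveReturnTo`, `parseTarget`), the default callback path, the fall-back-to-base-URL behaviour and the sample hostnames are assumptions made for illustration; the model reproduces the symptom described in the issue (a `returnTo` on a different host than the callback ends up at AUTH0_BASE_URL) without claiming to be the library's exact implementation.

```typescript
// Added example (not nextjs-auth0's own code). A simplified model of the
// rule above: redirect_uri is registered with the authorization server and
// trusted; returnTo is user-supplied and only honoured on the same origin.
// All names, the fallback behaviour and the sample hosts are assumptions.

// Constructed stand-in for the AUTH0_BASE_URL environment variable.
const AUTH0_BASE_URL = 'https://test.example.com';

type LoginOptions = {
  returnTo?: string;
  authorizationParams?: { redirect_uri?: string };
};

// Origin of the trusted callback: an explicit redirect_uri wins, otherwise
// the callback is derived from AUTH0_BASE_URL (hypothetical default path).
export function trustedOrigin(
  opts: LoginOptions,
  baseUrl: string = AUTH0_BASE_URL,
): string {
  const redirectUri =
    opts.authorizationParams?.redirect_uri ?? `${baseUrl}/api/auth/callback`;
  return new URL(redirectUri).origin;
}

// Parse returnTo relative to the trusted origin; null if it is not a URL at all.
function parseTarget(raw: string, origin: string): URL | null {
  try {
    return new URL(raw, origin);
  } catch {
    return null;
  }
}

// Post-login destination. A relative path resolves against the trusted
// origin; an absolute, protocol-relative or javascript: value keeps its own
// origin and is rejected unless it matches exactly. Rejected values fall
// back to the trusted origin, so the flow never redirects to a host the
// authorization server has not been told about.
export function resolveReturnTo(
  opts: LoginOptions,
  baseUrl: string = AUTH0_BASE_URL,
): string {
  const origin = trustedOrigin(opts, baseUrl);
  const target = parseTarget(opts.returnTo ?? '/', origin);
  if (target === null || target.origin !== origin) {
    return `${origin}/`;
  }
  return target.href;
}
```

Read against the two snippets in the issue: in the second one no `redirect_uri` is given, so the trusted origin comes from AUTH0_BASE_URL and a staging `returnTo` fails the same-origin check and is replaced by the base URL; setting `redirect_uri` to the staging callback (as in the first snippet) makes the same `returnTo` pass. The comparison is on the exact origin, not a prefix or suffix, which is what stops a user-controlled `returnTo` such as `//evil.example/...` or `https://test.example.com.evil.example/` from turning the login flow into an open redirect.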
pricealexandra (Author) commented:

I think I finally understand, thank you so much @adamjmcgrath!
So it sounds like we can use returnTo if needed to generate urls with different paths on the fly (i.e. to different pages in the app), but we would use it in conjunction with redirect_uri, not as a replacement.

Is this documented somewhere that I can link to in our codebase? If not, if you can point me toward where it should be I'd be happy to help with a PR!

Thanks again.

adamjmcgrath (Contributor) commented:

Hi @pricealexandra

We have some docs on redirecting users here https://auth0.com/docs/authenticate/login/redirect-users-after-login

Closing as I think we've answered your question
