auth0-react: Setting "code" query parameter breaks auth0 state

If you’re logged in to my site, and then add “?code=blah” to the href, auth0 now thinks I’m not logged in. I realize this has something to do with the oauth redirect flow, but the problem is that I need to use that query parameter (stripe uses it for their oauth flow: https://stripe.com/docs/connect/collect-then-transfer-guide).

Proposed change: if code param fails to change the auth0 state, auth0-react should fall back on whatever it would have the state be if that code were excluded (instead of just saying there’s no user).

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 17 (7 by maintainers)

Most upvoted comments

Hey @martinrojas - I am waiting on an upstream dependency before I do another release - should be 1 week - 2 max

Hi @dutsik @asktree

I have a branch (https://github.com/auth0/auth0-react/compare/skip-redirect-callback) where I’ve added the config option skipRedirectCallback; if true, this will ignore the code/state parameters. You can apply this setting to be true on callback routes for other OAuth providers where you know the SDK doesn’t need to handle the callback params. Or conversely, you can set it to true unless you know the route to be the auth0 callback path, e.g.

<Auth0Provider
  domain={domain}
  clientId={clientId}
  redirectUri={`${window.location.origin}/auth0-callback`}
  skipRedirectCallback={window.location.pathname !== '/auth0-callback'}
>
  {/* application components */}
</Auth0Provider>

Can you try it out and let me know if it meets your needs?

@adamjmcgrath no specific feedback from me, it has solved my issues with the stripe oauth workflow so I’m very happy with your changes!
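
The route-based choice of skipRedirectCallback described in the maintainer's comment, worked through on sample URLs. This is an added example, not code from the thread or from auth0-react. The helper names, the sample URLs and the simplified "a `code` parameter means an OAuth response" model are assumptions.

```javascript
// Added example; hasCodeParam, skipRedirectCallbackFor and classify are
// hypothetical helper names, not part of the auth0-react API.
const AUTH0_CALLBACK_PATH = '/auth0-callback'; // path used in the comment above

// Treat '/auth0-callback/' and '/auth0-callback' as the same route.
function normalisePath(pathname) {
  const trimmed = pathname.replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

// Simplified model of the behaviour the issue reports: any `code` query
// parameter looks like an OAuth response, whichever provider sent it.
function hasCodeParam(href) {
  return new URL(href).searchParams.has('code');
}

// Value to pass as skipRedirectCallback for a given page URL: skip the
// SDK's callback handling everywhere except the one route registered as
// the Auth0 redirect URI. Exact path match, so look-alike prefixes skip.
function skipRedirectCallbackFor(href, callbackPath = AUTH0_CALLBACK_PATH) {
  const { pathname } = new URL(href);
  return normalisePath(pathname) !== normalisePath(callbackPath);
}

// Constructed sample URLs (not taken from the page).
const ORIGIN = 'https://app.example';
const samples = [
  `${ORIGIN}/auth0-callback?code=abc&state=xyz`,     // Auth0 redirect
  `${ORIGIN}/stripe/callback?code=ac_123&state=s1`,  // other provider's redirect
  `${ORIGIN}/dashboard?code=blah`,                   // stray parameter
  `${ORIGIN}/auth0-callback/?code=abc&state=xyz`,    // trailing slash
  `${ORIGIN}/auth0-callback-old?code=abc&state=xyz`, // prefix look-alike
];

// Every sample carries `code`, so parameters alone cannot separate them;
// only the route decides whether the SDK should process the callback.
function classify(hrefs) {
  return hrefs.map((href) => ({
    href,
    hasCode: hasCodeParam(href),
    skip: skipRedirectCallbackFor(href),
  }));
}

console.table(classify(samples));
```

In a component, the equivalent prop value would be `skipRedirectCallbackFor(window.location.href)`.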