Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

error query string param is breaking auth0 #225

Closed
igorbarbashin opened this issue Mar 31, 2021 · 4 comments · Fixed by #231
Closed

error query string param is breaking auth0 #225

igorbarbashin opened this issue Mar 31, 2021 · 4 comments · Fixed by #231
Labels
bug Something isn't working

Comments

@igorbarbashin
Copy link

igorbarbashin commented Mar 31, 2021
edited
Loading

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Provide a clear and concise description of the issue

We just spent 3 days trying to debug the problem when the app enters an infinite loop of getting logged out/logging back in for no apparent reason.

Turns out that the auth0-react package doesn't like when ?error=something query string appears in our app.
We've added a workaround of avoiding error name in the query strings. Had to add an extra redirect that renames error to something more descriptive like loginWithAmazonError. But still, it seems that it would be better if our query string params didn't conflict.

What was the expected behavior?

Auth0 could ignore arbitrary ?error query strings values.
Or use a more namespaced version of the variable name (e.g.auth0error)

Relevant line:
https://github.com/auth0/auth0-react/blob/master/src/utils.tsx#L5

Reproduction

  • Log in
  • Add ?error=123 to the url and hit enter
  • See authentication breaking

Can the behavior be reproduced using the React SDK Playground?

Haven't tried. A bit limited in resources to try
@frederikprijck
Copy link
Member

frederikprijck commented Apr 1, 2021
edited
Loading

Hi @igorbarbashin ,

This can be solved by using the skipRedirectCallback property that is available on the Auth0Provider: https://auth0.github.io/auth0-react/interfaces/auth0_provider.auth0provideroptions.html#skipredirectcallback

This ensures the Auth0 SDK only handles error as well as code query string parameters when the callback is for Auth0, allowing u to use other callback for things like Amazon.

Some additional information here, we are using error as defined in the OAuth specification. Renaming that to auth0error would break that, see https://tools.ietf.org/html/rfc6749#section-4.1.2.1

Let me know if that doesn't help you.

@stevehobbsdev
Copy link
Contributor

stevehobbsdev commented Apr 1, 2021
edited
Loading

I think the actual logic is wrong here though. We should be using (code || error) && state (like what we do in auth0-angular), whereas here we're doing (code && state) || error, which means we'll process any error param when actually we should only process it in conjunction with a state param. Or am I missing some context? Either way, we have a disparity between the two.

@frederikprijck
Copy link
Member

I think that is a fair point yes.

Fixing that would resolve the fact that we do not read every error querystring parameter, but it would still conflict with other providers when both error and state are in the URL simultaneous, unless using skipRedirectCallback.

@adamjmcgrath
Copy link
Contributor

Thanks for raising this @igorbarbashin - I'll go ahead an implement @stevehobbsdev's suggestion in #225 (comment)

@adamjmcgrath adamjmcgrath added the bug Something isn't working label Apr 16, 2021
@adamjmcgrath adamjmcgrath mentioned this issue Apr 16, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[SDK-2522] Check for state along with error param auth0/auth0-react
4 participants
@stevehobbsdev @adamjmcgrath @igorbarbashin @frederikprijck