Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Recommended approach for returning the user to the page they came from #148

Open
5 tasks done
luontola opened this issue Oct 12, 2024 · 0 comments
Open
5 tasks done

Recommended approach for returning the user to the page they came from #148

luontola opened this issue Oct 12, 2024 · 0 comments

Comments

@luontola
Copy link

Checklist

  • I have looked into the Readme and the Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

When an anonymous opens an URL which requires authentication, I want to redirect them back to that URL after they've authenticated.

Storing the return URL in session is not good, because the user may have more than one open tab where their session has expired. If the return URL were stored in session, the tabs would all redirect to the same page, instead of the page which was open in that tab previously. So I'd prefer the return URL as a query parameter which the login callback handler can read.

Describe the ideal solution

What is the recommended approach for redirecting the user back to the page where they came from? What security considerations are there? An example or documentation on how to handle that use case with AuthenticationController would be helpful.

Alternatives and current workarounds

I'm currently adding the return URL to the callback URL as a query parameter like this:

String callbackUrl = publicUrl + "/login-callback";
if (returnToUrl != null) {
    callbackUrl += urlEncode("?return-to-url=" + urlEncode(returnToUrl));
}
return authenticationController.buildAuthorizeUrl(request, response, callbackUrl).build();

This feels hacky because of having to URL encode it twice.

The double URL-encoding is needed, or "/path?foo=bar&gazonk" would be truncated to "/path?foo=bar" after returning from Auth0. Likely this is because the com.auth0.client.auth.AuthorizeUrlBuilder constructor uses addEncodedQueryParameter instead of addQueryParameter for redirect_uri. However, if I try to URL-encode the whole URL instead of just the query string, AuthorizeUrl wouldn't accept it as a valid URL.

Additional context

No response
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@luontola