-
Notifications
You must be signed in to change notification settings - Fork 402
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
handleCallback and organizations using multiple (sub)domains #398
Comments
Hi @mrksbnch - thanks for raising this I don't see a simple solution for the use case where you don't know the organization or callback url upfront. Could you redirect back to If you do want to use the Auth0 pre login organization prompt, you should also look at https://auth0.com/docs/organizations/using-tokens#validating-tokens (The |
Not out of the box with the Next.js SDK as it (as far as I can see) automatically sets the session cookie (which includes the access token, refresh token, etc.) on the callback domain, so https://example.com. If I were to redirect to https://ORG.example.com after the callback, I wouldn't have access to the session token. However, if there was an easy way to get the session cookie value in
Wouldn't it be possible (for such use cases) to set the https://example.com -> https://example.auth0.com/... (organization prompt) -> https://example.auth0.com/... (organization login page) -> https://ORG.example.com/api/auth/callback ... the callback fails as ORG.example.com can't access the |
Are you sure you can do that? See https://community.auth0.com/t/context-request-query-redirect-url-does-not-seem-to-be-overridable-in-a-rule/11764/2 Could you redirect a user from a rule (eg https://auth0.com/docs/rules/redirect-users) to start the login process from the correct sub domain on your app after you know the origanisation? https://example.com -> https://example.auth0.com/... (organization prompt) -> https://example.auth0.com/... (organization login page) -> https://ORG.example.com/api/auth/login (rule redirects back to start login from correct ORG) -> https://example.auth0.com/... (organization login page - you already have a session) -> https://ORG.example.com/api/auth/callback |
Sorry for the delay in response, I had to verify and test some of these points. See answers below.
The method mentioned in this thread doesn't work for me either. But it "works" with
Not as far as I can see. There doesn't seem to be a way (within a rule) to redirect the user after the login process (this is something that has to be done in the callback). Within a rule, you can only redirect the user to another page but then need to continue the authorization to establish a session (see link above for Rules or this link for Actions). That being said, I think the only option would be to redirect in the callback. The most promising approach seems to be as follows: In the callback, I check if I'm already on the correct domain, e.g. "ORG.example.com". If I'm not, then I get the
However, there's one catch: What would be the best way to find out the organisation that the user picked on the Auth0 login page? Can I somehow add the organisation to the state in a rule or similar and then check the state in the callback? Also, would it make sense for this SDK to allow setting the domain for the state and nonce cookies separately via e.g. AUTH0_STATE_COOKIE_DOMAIN (similar to |
Hi @mrksbnch - since you can't manipulate the
Could you redirect to the correct org subdomain's login (eg |
Thanks, that's similar to the other possible solution above. I've looked at this again because I originally thought that this solution won't work due to the auth session not being established if you redirect from an action/rule. However, it turns out that the main issue was related to the In my initial tests this solution only works if you provide an absolute URL in the I'm currently trying to figure out what the best way is to "remember" the return path for the second login (so the one after the action/rule redirect). It seems like I can't access the Also, is it problematic that the |
Yes, this is expected - you would need to provide a custom
You can pass custom parameters to
You are correct, this is not an issue |
Thanks for the help and suggestion, that seems to work fine. For everybody else with a similar use-case, here is some very barebones code to make that work:
|
Thanks @mrksbnch! |
@adamjmcgrath is what @mrksbnch posted above still the suggested approach to handling subdomains? |
@ci-vamp While I can't say if this is the suggested approach, it's (from what I can tell) still the only reliable way to make this work. The alternative is to write your own auth library for Next.js to work around some of the cookie restrictions. Recently, Auth0 made a change to allow you to pass the organization name instead of the organization ID to the authorization endpoint. This allows you to get rid of the "getOrgId" function in the code above. |
@mrksbnch Thanks man. Actually we are not using organizations yet. Currently we have the "classic" universal login and we separate our tenants into their own A0 Application + Connection. Each tenant has their own subdomain which informs us which Application config to use during authentication (by checking their subdomain). No user ever logs in on our bare domain - only through their subdomain host. We had this all working on a SPA but recently have begun work on moving to nextjs. I have been trying to figure out how to consolidate under 1 A0 Application + individual Connections per tenant. However, I am not able to get the subdomains to work (at least locally). They are configured under the Callback/Logout URLs of the Application yet it always redirects me back to the bare I think I've read every issue related to subdomain handling and I see a lot of mixed information. Some threads say you need individual A0 instances ( Then I found your approach which looks sound but I believe may not be applicable to our use case since we never have base domain logins nor Organizations. |
Without knowing all the details, this actually sounds somewhat similar to the use-case we were trying to solve. The only major difference is that you are using multiple Auth0 Applications (and Auth0 Connections) instead of Auth0 Organisations. The work around mentioned in this ticket is only applicable if you use Auth0 Organisations.
Before we switched to Auth0 Organisations, we also used separate Auth0 Applications and Auth0 Connections for all of our tenants. If you are only using one Next.js application for all your tenants, then you need to use Auth0 Organisations make this a little easier because you only need one Auth0 Application and one Auth0 Connection for all your tenants. The only issue we ran into when we migrated to Auth0 Organisations was that we wanted to have one page (at the "base" domain) where tenants could enter their tenant name to get redirected to their tenant specific login page (we need separate login pages because every tenant has the possibility to "Continue with ..." their own identity provider). We could have build this overview page ourselves (and probably will in the future) but at least until now we successfully use the work-around that I described above. |
Describe the problem you'd like to have solved
If you are using the organisations feature in Auth0 and use different domains for every organisation, e.g. https://ORG.exmaple.com, you may want to support the following two use-cases:
organization
andredirect_uri
attributes in theauthorizationParams
property for thehandleLogin
method. After successful authentication, the user is redirect back to the tenant specific URL, e.g. https://ORG.exmaple.com. To circumventunauthorized_client
errors in the callback, you can use theredirectUri
property (doesn't seem to be documented yet) in thehandleCallback
method (as per Allow setting redirect_uri at runtime on the callback handler just like it's allowed on the login handler #298).organization
attribute empty and use the "Display Organization Prompt" functionality that will prompt users to enter their organization name before logging in. After logging in, you want to redirect the user to https://ORG.exmaple.com and—more importantly—set the cookie for this domain.While the first use-case can already be covered using the configuration options mentioned above, the second use-case doesn't seem to be supported yet for the following reasons:
redirect_uri
ororganization
attribute (unless you build your own organisation prompt and don't use the Auth0 organisation prompt).context.redirect.url = URL
), thehandleCallback
will fail because the state is not set for the domain https://ORG.example.com. The state is only set for https://example.com in that specific scenario.Describe the ideal solution
Add a configuration option to allow setting the
state
andnonce
cookies on the parent domain, e.g..example.com
in this example. The actual session cookie should still be set on a specific URL, e.g. https://org.exmaple.com. So, the workflow would then looks as follows:handleLogin
method (without passing anyorganisation
orredirect_uri
attributes) which will in return set thestate
andnonce
cookies for.example.com
state
andnonce
cookies are accessibleAlternatives and current work-arounds
The text was updated successfully, but these errors were encountered: