Skip to content

Recommended approach for returning the user to the page they came from #148

New issue
New issue
Open
Open
Recommended approach for returning the user to the page they came from#148
@luontola

Description

@luontola
luontola
opened on Oct 12, 2024

Checklist

  • I have looked into the Readme and the Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

When an anonymous opens an URL which requires authentication, I want to redirect them back to that URL after they've authenticated.

Storing the return URL in session is not good, because the user may have more than one open tab where their session has expired. If the return URL were stored in session, the tabs would all redirect to the same page, instead of the page which was open in that tab previously. So I'd prefer the return URL as a query parameter which the login callback handler can read.

Describe the ideal solution

What is the recommended approach for redirecting the user back to the page where they came from? What security considerations are there? An example or documentation on how to handle that use case with AuthenticationController would be helpful.

Alternatives and current workarounds

I'm currently adding the return URL to the callback URL as a query parameter like this:

String callbackUrl = publicUrl + "/login-callback";
if (returnToUrl != null) {
    callbackUrl += urlEncode("?return-to-url=" + urlEncode(returnToUrl));
}
return authenticationController.buildAuthorizeUrl(request, response, callbackUrl).build();

This feels hacky because of having to URL encode it twice.

The double URL-encoding is needed, or "/path?foo=bar&gazonk" would be truncated to "/path?foo=bar" after returning from Auth0. Likely this is because the com.auth0.client.auth.AuthorizeUrlBuilder constructor uses addEncodedQueryParameter instead of addQueryParameter for redirect_uri. However, if I try to URL-encode the whole URL instead of just the query string, AuthorizeUrl wouldn't accept it as a valid URL.

Additional context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions