Redirect users to callback URLs on the AllowList
Because callback URLs can be manipulated by unauthorized parties, Auth0 recognizes only URLs on the AllowList set in the Allowed Callback URLs field of an Application's Settings as valid. To return users to callback URLs on the AllowList, your application must know how to continue the user on their journey. There are two methods for doing this:
- Using cookies and browser sessions
- Using `state` parameters
The `redirect_uri` request parameter is used as a callback URL. This is where your application receives and processes the response from Auth0, and is often the URL to which users are redirected once the authentication is complete. To learn more about how the `redirect_uri` works, see OAuth 2.0 Authorization Framework.
You can use a cookie or the browser session to store a return URL value. This is a simple solution to implement; however, it can cause issues in cases where a cookie does not persist. Two separate user sessions are initiated in this situation. Each serves a separate purpose and requires some consideration to achieve the desired user experience.
- Auth0-provided SSO Session: Auth0 provides a session for enabling Single Sign On (SSO) to allow your user to maintain an authentication session without being prompted for credentials more than once. This session is maintained by Auth0 and referenced as a cookie bound to your tenant domain (or `CNAME`). There are two tenant settings that determine the length of the Auth0 Session:
  - The `idle_session_lifetime` is how long the session will remain alive without interaction.
  - The `session_lifetime` is the maximum duration that the session is allowed to remain alive.
- Application Session: Your application must also maintain a concept of a session. Throughout the user session, your application may need to request additional tokens or renew expired ones. You should store these tokens in your application and reference them using an identifier passed back to the browser using a secure cookie.
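The following is an added example (not Auth0's own code) of the cookie-and-session method combined with a `state` parameter: the return URL is kept in a server-side session referenced by a secure cookie, only the allowlisted callback is sent as `redirect_uri`, and `state` is checked when Auth0 redirects back. The tenant domain, client ID and URLs are constructed placeholders, and `session` stands for whatever server-side session store your framework gives you.

```python
import secrets
from urllib.parse import urlencode, urlparse

# Constructed placeholders: replace with your tenant and the callback URL
# registered in the Application's Allowed Callback URLs (the AllowList).
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CALLBACK_URL = "https://app.example.com/callback"  # must be on the AllowList


def safe_return_url(candidate, default="/"):
    """Accept only a relative path on this app. Absolute URLs, scheme-relative
    forms (//host) and backslash tricks fall back to the default so the stored
    return URL can never turn the callback into an open redirect."""
    if not candidate or not candidate.startswith("/"):
        return default
    if candidate.startswith("//") or "\\" in candidate:
        return default
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        return default
    return candidate


def start_login(session, return_to):
    """Remember where to send the user afterwards, issue a random state, and
    build the /authorize URL. redirect_uri is the allowlisted callback, never
    the user's return URL."""
    state = secrets.token_urlsafe(32)
    session["auth_state"] = state
    session["return_to"] = safe_return_url(return_to)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": "openid profile",
        "state": state,
    }
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def handle_callback(session, query):
    """Runs at CALLBACK_URL. The state echoed by Auth0 must match the one
    issued for this session; a mismatch also covers the lost-cookie case the
    text warns about. Returns the path to continue the user on."""
    expected = session.pop("auth_state", None)
    if not expected or not secrets.compare_digest(expected, query.get("state", "")):
        raise ValueError("state mismatch: possible CSRF or session cookie not persisted")
    if "code" not in query:
        raise ValueError("missing authorization code")
    return session.pop("return_to", "/")
```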