loginWithRedirect behaving different between dev and prod with nextjs

Question

loginWithRedirect behaving different between dev and prod with nextjs

ian-weir opened this issue 9 months ago · 8 comments

Checklist

The issue can be reproduced in the auth0-react sample app (or N/A).
I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
I have looked into the API documentation and have not found a suitable solution or answer.
I have searched the issues and have not found a suitable solution or answer.
I have searched the Auth0 Community forums and have not found a suitable solution or answer.
I agree to the terms within the Auth0 Code of Conduct.

Description

I'm working on a NextJS app that is completely being rendered statically by way of NextJS's Automatic Static Optimization feature. Using the next dev and next build + static export or next start has different behaviour when using LoginWithRedirect.

In dev mode it behaves as expected passing redirect_uri, organization and invitation in the authorization parameters.

When running in production mode the organization and invitation parameters are not respected in the resulting url used for redirection.

Reproduction

Use a nextjs project but only with front end functionality, nothing server side
Conditionally pass organization & invitation parameters when present.
Redirect url doesn't contain either of those parameters

Additional context

Using Next 13.3.2

Query params in production mode also have a series of strange parameters at the beginning:

https://{DOMAIN}.us.auth0.com/authorize?0=d&1=2&2=5&3=m&4=V&5=V&6=R&7=Z&8=d&9=H&10=B&11=C&12=Q&13=T&14=h&15=k&16=c&17=X&18=R&19=P&20=Y&21=k&22=x&23=Y&24=d&25=m&26=s&27=w&28=S&29=m&30=J&31=J&32=T&33=E&34=t&35=R&36=b&37=2&38=1&39=V&40=b&41=E&42=V&43=W&44=a&45=k&46=h&47=C&48=Z&49=W&50=J&51=x&52=S&53=T&54=J&55=p&56=a&57=w&58=%3D&59=%3D&client_id={CLIENT_ID}&scope=openid+profile+email+offline_access&audience={AUDIENCE}&response_type=code&response_mode=query&state={STATE}&nonce=cGQ3X35mTjNTZWpRNWNxYVZMQ0YwWFI5LnhrMUMtX0hSV3BXbER5SGZjLg%3D%3D&redirect_uri={REDIRECT_URI}&code_challenge=CfuO2VKa_FGNvb9Ol_1CK04zu2QugavZyOg3_InNUmI&code_challenge_method=S256&auth0Client={AUTH0_CLIENT}

Redirect url in dev mode looks like:
https://dev-ws8z8uiswqyyrcam.us.auth0.com/authorize?client_id={CLIENT_ID}&scope=openid+profile+email+offline_access&audience={AUDIENCE}&organization={ORGANIZATION}&redirect_uri={REDIRECT_URI}&response_type=code&response_mode=query&state=RkdiTjVHSldqUTlRbGY1anJfTDJNWDM0NWFLZ0l5NVZZfm9nWnBoTWdqZw%3D%3D&nonce=UlRrbnRpOFFZcXJHVllIOH5VNk1sTUUtTEpOM0F0RXg4Y2VRaEN2d0JjUg%3D%3D&code_challenge=03VHmwHDV56Tz7Wpe8qQtZEb_y692NueGqhmSyeJ4Ls&code_challenge_method=S256&auth0Client={AUTH0_CLIENT}

Note: I have not tested with the sample app at this point in time

auth0-react version

2.2.1

React version

18.2

Which browsers have you tested in?

Chrome, Other

Answer 1 · 2023-11-23T17:16:15.000Z

Hi @ian-weir

It looks like you're passing an array as your authorizationParams in prod

new URLSearchParams({ client_id: 'foo', ...'foobar'.split('') }).toString();
// '0=f&1=o&2=o&3=b&4=a&5=r&client_id=foo'

I'd need to see some code that reproduces the issue if you want me to debug it for you

Answer 2 · 2023-11-23T18:13:18.000Z

Hi @adamjmcgrath as far as I can tell, I'm not passing an array anywhere.

Here's the snippet that handles the loginWithRedirect for invitations

const authorizationParams: AppState  = {
    organization: params.get('organization'),
    redirect_uri: `${baseUrl.current}/callback`
}

if(params.get('invitation')) {
  authorizationParams.invitation = params.get('invitation')
}

await loginWithRedirect({
  authorizationParams,
  appState: {
    returnTo: '/users/user/get-current-user-id/dashboard'
  }
})

and here's the one that handles when the user clicks our login button:

const organizationInHostname = hostname.current.split('.')[0]
const authorizationParams: AppState = {
  redirect_uri: `${baseUrl.current}/callback`,
}

if(organizationInHostname !== 'login') {
  authorizationParams.organization = organizationInHostname
}

await loginWithRedirect({
  authorizationParams,
  appState: {
    returnTo: '/users/user/get-current-user-id/dashboard'
  }
})

While this is the Provider

<Auth0Provider
  domain={domain}
  clientId={clientId}
  authorizationParams={{
    audience
  }}
  onRedirectCallback={onRedirectCallback}
  useRefreshTokens={true}
  cookieDomain={cookieDomain.current}
  cacheLocation="localstorage"
>

Answer 3 · 2023-11-23T20:04:28.000Z

Just an update I was able to work around this by manually appending the query params in the openUrl method

Answer 4 · 2023-11-24T12:23:02.000Z

Hi @ian-weir

Could you log authorizationParams before you call loginWithRedirect in production mode and share the result?

Answer 5 · 2023-11-24T21:21:43.000Z

Sure thing: {invitation: "foo", organization: "bar", redirect_uri: "http://localhost:3000/callback"}

Here's the resulting URL: https://dev-ws8z8uiswqyyrcam.us.auth0.com/authorize?0=U&1=z&2=l&3=V&4=Z&5=E&6=R&7=Y&8=V&9=W&10=M&11=t&12=V&13=0&14=F&15=l&16=Q&17=m&18=R&19=u&20=T&21=m&22=p&23=y&24=T&25=k&26=F&27=P&28=S&29=k&30=9&31=v&32=V&33=W&34=Z&35=o&36=Q&37=m&38=8&39=4&40=S&41=m&42=t&43=o&44=N&45=1&46=9&47=Y&48=X&49=0&50=Q&51=0&52=R&53=2&54=1&55=W&56=U&57=w&58=%3D&59=%3D&client_id={CLIENT_ID}&scope=openid+profile+email+offline_access&audience={AUDIENCE}&response_type=code&response_mode=query&state=UzlVZERYVWMtV0FlQmRuTmpyTkFPSk9vVWZoQm84SmtoN19YX0Q0R21WUw%3D%3D&nonce=MzI2YzF2VWdmM2tNZDFYZWthbGo4YUJUcWU5SE9VRV80MnMwV1pMNWdBeA%3D%3D&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&code_challenge=rfTPyK0X8mO9g1nXL-KQ70spNRLq95vsaDSgZ51QZHw&code_challenge_method=S256&auth0Client={AUTH0_CLIENT}

Answer 6 · 2023-12-04T11:18:26.000Z

Hi @ian-weir - thanks for sharing those

When I call

await loginWithRedirect({
  authorizationParams: {invitation: "foo", organization: "bar", redirect_uri: "http://localhost:3000/callback"}
})

I get redirected to .../authorize?redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&invitation=foo&organization=bar&response_type=code&...

So can't reproduce your issue.

In order to help you - I'll need a repo or a link that demonstrates the issue.

Answer 7 · 2023-12-13T08:44:21.000Z

Closing because no more information was provided. Feel free to provide a reproduction if you need further assistance and we can reopen as needed.

Answer 8 · 2023-12-13T20:19:55.000Z

Sorry, spaced on this thread. Unfortunately I can't give a repo as it's for work and we're not open source. As for link I can't do that for now either as we haven't launched yet. @adamjmcgrath Out of curiosity what version of React, Next, & auth0-react were you using?

For me:

auth0-react version - 2.2.1
React version - 18.2
Next version - 13.3.2