Redirect Actions for Partners

When a user is logging in or signing up, a Redirect Action lets you redirect them to an external page (such as a consent form) and then back to Auth0 to complete their login or signup. You can redirect users to access an external application that prompts them to:

  • Take an action, like ID proofing

  • Provide information, like progressive profiling

  • Agree to something, like consent or terms of service

[Diagram: Redirect Action on the Post Login trigger]

This process occurs in a Redirect Action:

  1. The Customer Application redirects the user to Auth0 to log in.

  2. If the login is successful, all Actions in the Post Login trigger execute (this happens before MFA, if it is active).

  3. If an Action triggers a redirect, the user is sent to the designated URL along with a state parameter. This URL must be hosted by your service or the customer.

  4. The user is redirected or POSTed back to Auth0 at a specific path on their domain, along with the original state value, and the Action runs any code that exists in onContinuePostLogin.

  5. The user is sent back to the application with their identity or, if something failed, an error message.

Once you’re ready to tie your service into the process, there are important elements to consider:

  • How do you determine when to redirect out of Auth0?

  • How do you handle existing user profile data that should be verified? (This data could be user-provided or from a federated identity source, such as Google, Facebook, or Azure AD.)

  • What data do you need from Auth0 in your service and how do you get it there securely?

  • How do you persist the state value from Auth0 in your service?

  • How do you get and persist the /continue URL to which you want to POST/redirect?

  • What do you send back to Auth0 and how do you accomplish this securely?

  • How do you indicate that ID proofing is complete and pass status?

  • How do you store necessary information in the user’s app_metadata or the normalized user profile?

      • Be mindful of rate limits and update only when necessary.

  • How do you send information back to the requesting application using custom token claims?

To help answer all of these questions and more, read Redirect with Actions. When you're ready to submit your Action Integration, follow steps 4-6 in Action Integrations for Partners.
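
The flow and several of the questions above (when to redirect, passing data securely, verifying what comes back, writing app_metadata only when needed, returning a custom claim), sketched as a Post Login Action. This is an added example, not Auth0's or a partner's own code; the secret name `PROOFING_SECRET`, the URL, the `id_proofed` key, the `proofed` token field and the claim name are assumptions.

```javascript
// Added example, not Auth0's or the page's code. Hypothetical names: PROOFING_SECRET,
// PROOFING_URL, the id_proofed app_metadata key, the `proofed` token field, CLAIM.
const PROOFING_URL = "https://proofing.example.com/start"; // placeholder partner page
const CLAIM = "https://example.com/id_proofed"; // namespaced custom claim (assumed)

// Steps 2-3: decide whether to leave Auth0, and pass data in a signed token.
async function onExecutePostLogin(event, api) {
  const meta = event.user.app_metadata || {};
  if (meta.id_proofed === true) {
    // Already verified: no redirect and no profile write (rate limits).
    api.idToken.setCustomClaim(CLAIM, true);
    return;
  }
  // Signed, short-lived token so the partner page can trust the values it gets.
  const token = api.redirect.encodeToken({
    secret: event.secrets.PROOFING_SECRET,
    expiresInSeconds: 60,
    payload: { email: event.user.email },
  });
  // Auth0 appends the state parameter; the partner must return it to /continue.
  api.redirect.sendUserTo(PROOFING_URL, { query: { session_token: token } });
}

// Step 4: runs when the user comes back to /continue with the original state.
async function onContinuePostLogin(event, api) {
  let result;
  try {
    // Throws when the returned token fails validation.
    result = api.redirect.validateToken({
      secret: event.secrets.PROOFING_SECRET,
      tokenParameterName: "session_token",
    });
  } catch (err) {
    return api.access.deny("ID proofing response could not be verified");
  }
  if (result.proofed !== true) {
    return api.access.deny("ID proofing was not completed");
  }
  api.user.setAppMetadata("id_proofed", true); // single write, only on change
  api.idToken.setCustomClaim(CLAIM, true);
}

// Auth0 loads the handlers from module exports.
if (typeof module !== "undefined") {
  module.exports = { onExecutePostLogin, onContinuePostLogin };
}
```

The partner page must sign its response token with the same shared secret and return it as `session_token` together with the original state value.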