Execute an Authorization Code Grant Flow with PKCE

Redirect Users After Login

To make your login process as seamless as possible, keep track of where you want to route users inside your application once Auth0 redirects them back to it after authentication. There are two types of URLs:

  • Callback URLs: During a user's authentication, the redirect_uri request parameter is used as a callback URL. This is where your application will receive and process the response from Auth0, and is often the URL that users will be redirected to once the authentication is complete.

    For more information on how the redirect_uri works, see OAuth 2.0.

    Because callback URLs can be manipulated by unauthorized parties, Auth0 recognizes only whitelisted URLs set in the Allowed Callback URLs field of an Application's Settings as valid.

    However, the callback URL is not necessarily the same URL to which you want users redirected after authentication.

  • Non-callback URLs: To redirect authenticated users to a URL that is not the callback URL, you can store the desired URL using the following methods:

    • For regular web apps, use a cookie or session
    • For a single-page app, use local storage in the browser
    • For a native app, use memory or local storage

    You can then create the necessary logic in your application to retrieve the stored URL and redirect your users where you want. Lock and the Auth0 SDKs also include support for redirect URLs.

You can redirect users from rules or you can redirect users with state parameters. Choose the option that works best for your application type and the flow you are using.
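For a regular web app, the stored-URL approach can be tied to the state parameter as sketched below. This is an added example, not Auth0 or SDK code: `APP_ORIGIN`, the plain `session` object, and the function names `safeReturnTo`, `beginLogin` and `finishLogin` are all assumptions made for illustration.

```javascript
const { randomBytes, timingSafeEqual } = require('node:crypto');

// Assumption: the application's own origin. Only paths on it are valid targets.
const APP_ORIGIN = 'https://app.example.com';

// Return a same-origin path, or the fallback if the target is off-site or malformed.
function safeReturnTo(target, fallback = '/') {
  if (typeof target !== 'string' || !target.startsWith('/')) return fallback;
  let url;
  try {
    url = new URL(target, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // "//host" and "/\host" begin with "/" but resolve to a different origin.
  if (url.origin !== APP_ORIGIN) return fallback;
  return url.pathname + url.search + url.hash;
}

// Before sending the user to log in: store the desired URL in the session,
// bound to a random value that travels as the state request parameter.
function beginLogin(session, requestedUrl) {
  const state = randomBytes(16).toString('hex');
  session.pendingLogin = { state, returnTo: safeReturnTo(requestedUrl) };
  return state;
}

// On the callback URL: compare the returned state with the stored one, then
// hand back the stored URL. The entry is deleted so it can be used only once.
function finishLogin(session, returnedState) {
  const pending = session.pendingLogin;
  delete session.pendingLogin;
  if (!pending || typeof returnedState !== 'string') return null;
  const expected = Buffer.from(pending.state);
  const received = Buffer.from(returnedState);
  if (expected.length !== received.length) return null;
  if (!timingSafeEqual(expected, received)) return null;
  return pending.returnTo;
}
```

A `null` result from `finishLogin` means the response does not belong to a login this session started, so the application should restart login rather than redirect.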

1. Create a Code Verifier
