I’m struggling with a redirect loop issue using WeWeb + Auth0. I am trying to build a custom onboarding flow and could use some expert eyes on the “handshake” process.
The Workflow
Custom Onboarding: The user fills out a WeWeb form (Email, Name, Company, Tier).
The Redirect: On submit, I use a custom script to send them to Auth0.
The Goal: I am using screen_hint=signup and login_hint=USER_EMAIL in the URL.
Expectation: User sets password –> Returns to app –> Automatically logged in.
Reality: User sets password –> Returns to app –> Bounced to Login page (Invalid Handshake).
The Technical Hurdle
It seems that by using a manual window.location.href to force the login_hint, I am breaking the WeWeb Auth Plugin’s internal listener. When the user returns with the code and state, the plugin doesn’t recognize the session and treats them as unauthenticated.
My Questions
Is there a way to use the built-in “Signup” action but pass a login_hint? I want the email value from my WeWeb variable to auto-populate the Auth0 signup field.
If I must use a custom script, how do I “prime” the WeWeb Auth Plugin? How can I make the plugin expect the user’s return so the handshake doesn’t fail?
Handshake Fix: Has anyone successfully used localStorage to manually set the a0.spajs.txs transaction key to match the incoming state?
What I’ve Tried
Direct browser redirects to the /authorize endpoint.
Manually constructing the state to match the transaction key.
Confirmed in Auth0 logs that the user is created successfully; the issue is strictly the “return flight” to WeWeb.
I want the user to only have to worry about their password. Any advice on keeping the Auth plugin “in the loop” while passing these custom parameters would be a lifesaver!
Mmm I think there might be a native way to do this with the plugin but haven’t used it in a while so not 100% sure. Let me check with the team and get back to you on this one.
Ah ok, thanks for clarifying! These two passages got me confused:
Using only Auth0 makes a lot more sense
Re your questions:
Is there a way to use the built-in “Signup” action but pass a login_hint? I want the email value from my WeWeb variable to auto-populate the Auth0 signup field.
Not to my knowledge. The current Auth0 plugin doesn’t expose a way to pass custom authorization parameters like login_hint. But we’re currently working on a revamp of the Auth0 integration. I’ll make the improvement suggestion to the product team so they have it in mind.
If I must use a custom script, how do I “prime” the WeWeb Auth Plugin? How can I make the plugin expect the user’s return so the handshake doesn’t fail?
I’m not 100% sure. From what I understand, the manual window.location.href redirect bypasses the Auth0 SPA SDK transaction setup, so when you come back with code + state, the SDK (and therefore the WeWeb Auth0 plugin built on top of it) can’t find the matching transaction in storage and treats it as an invalid/unknown auth response.
In theory, one could load the Auth0 SPA SDK manually, create a client instance in a custom JS action, and initiate the redirect using loginWithRedirect, including extra parameters such as login_hint, for example:
This should at least ensure the transaction is properly created before redirecting. However, mixing a custom Auth0 SDK setup with our Auth0 plugin isn’t something we officially support or recommend because it may lead to unexpected behavior depending on configuration.
So if you need that level of customization today, the safer approach is probably to handle the Auth0 flow fully on your side (with custom code or a no-code backend integration) rather than trying to keep the WeWeb plugin “in the loop”.
Sorry I can’t provide a more hands-on solution here. Hopefully this at least helps clarify why the handshake breaks and what the trade-offs are.
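Added example, not part of the thread and not Auth0 SPA SDK or WeWeb plugin code: a simplified JavaScript model of the state/transaction check described in the reply above, showing why a callback is accepted only when the same client started the login and recorded its state beforehand. The class `LoginClient`, its methods, the `txn` storage key and the in-memory `Map` standing in for browser storage are all assumptions made for illustration.

```javascript
// Simplified model of an OAuth client's login transaction check.
// Not Auth0 SPA SDK or WeWeb plugin code; LoginClient and its methods are hypothetical.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

function randomState() {
  const bytes = rng.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

class LoginClient {
  // storage stands in for the browser storage where a real client keeps its transaction.
  constructor({ domain, clientId, redirectUri, storage = new Map() }) {
    Object.assign(this, { domain, clientId, redirectUri, storage });
  }

  // Starting login through the client: record the transaction first, then build the URL.
  beginLogin(extraParams = {}) {
    const state = randomState();
    // A real client stores more here (for example a PKCE code verifier).
    this.storage.set('txn', { state });
    const query = new URLSearchParams({
      ...extraParams, // e.g. screen_hint, login_hint; listed first so they cannot override state
      response_type: 'code',
      client_id: this.clientId,
      redirect_uri: this.redirectUri,
      scope: 'openid profile email',
      state,
    });
    return `https://${this.domain}/authorize?${query}`;
  }

  // Callback: accept the code only if state matches a login this client started.
  handleCallback(callbackUrl) {
    const params = new URL(callbackUrl).searchParams;
    const txn = this.storage.get('txn');
    this.storage.delete('txn'); // a transaction is single-use
    if (!txn) return { ok: false, reason: 'no_transaction' };
    if (params.get('state') !== txn.state) return { ok: false, reason: 'state_mismatch' };
    return { ok: true, code: params.get('code') };
  }
}
```

A redirect built by hand never calls `beginLogin`, so the callback hits the `no_transaction` branch even though the identity provider created the user and issued a valid code.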