Description
Checklist
- The issue can be reproduced in the auth0-react sample app (or N/A).
- I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
We observed an unintended login redirection when using the auth0-react library with certain pages that include a redirect_uri parameter in the URL query string, even when those pages are not part of the authentication flow.
Issue Details:
• When a URL contains redirect_uri in its query parameters (e.g., /notion/setup?redirect_uri=...), the library assumes it’s part of an Auth0 authentication flow.
• As a result, it tries to trigger the login flow unnecessarily.
• This causes pages like our internal Notion setup tool, which happens to use redirect_uri for unrelated reasons, to be redirected unexpectedly.
Expected Behavior:
The library should not treat redirect_uri in the URL as a signal to initiate login unless it’s explicitly part of the Auth0 flow (e.g., after a redirect from the Auth0 login screen).
Actual Behavior:
Any URL with a redirect_uri param causes isAuthenticated to start as false, triggering login, and eventually settling back to true.
Environment:
• Library: @auth0/auth0-react
• Version: 2.3.0
• Framework: 18.3.1
• Affected URLs: Any page with redirect_uri in query string
Possible Fix:
Check for more specific signals in the URL before assuming an authentication flow. Or allow configuration to disable this auto-handling behavior.
Reproduction
1. Set up a basic React app using @auth0/auth0-react.
2. Configure Auth0 as per documentation (with a valid Auth0Provider setup).
3. Create a route in your app (e.g., /notion/setup) that does not require authentication.
4. Navigate to this route with a redirect_uri query parameter, for example:
http://localhost:3000/notion/setup?redirect_uri=https://example.com
5. Observe the behavior of useAuth0() inside the app.
Observed Behavior:
• The isAuthenticated value starts as false and transitions to true after some time.
• The app briefly triggers or attempts a login/redirection flow even though the user is already authenticated and the page doesn’t require login. The useAuth0 error field has the missing_transaction_state error.
Expected Behavior:
• The presence of redirect_uri in the query params should not cause the auth flow to trigger unless it’s truly part of an Auth0 login callback.
Additional context
No response
auth0-react version
2.3.0
React version
18.3.1
Which browsers have you tested in?
Chrome
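
Added example, not part of the original issue and not auth0-react's own code: one way to apply the "more specific signals" idea from the Possible Fix is to treat a URL as an Auth0 callback only when it is on the app's registered callback route and carries `state` together with `code` or `error`, then feed the negated result to the `skipRedirectCallback` prop of `Auth0Provider`. The function name, the `/callback` route and the sample URLs are assumptions made for illustration.

```javascript
// Added example, not auth0-react source code.
// CALLBACK_PATH is an assumed value: the single route this app registered
// with Auth0 as its redirect target.
const CALLBACK_PATH = '/callback';
const APP_ORIGIN = 'http://localhost:3000'; // origin used in the reproduction steps

// Returns true only when the URL looks like a genuine authorization-code
// callback for this app: right origin, right route, and `state` together
// with either `code` (success) or `error` (failure).
function isAuth0Callback(href, callbackPath = CALLBACK_PATH, origin = APP_ORIGIN) {
  let url;
  try {
    url = new URL(href, origin);
  } catch {
    return false; // unparsable input is never treated as a callback
  }
  if (url.origin !== origin) return false;

  // Ignore trailing slashes so "/callback/" and "/callback" compare equal.
  const path = url.pathname.replace(/\/+$/, '') || '/';
  if (path !== callbackPath) return false;

  const q = url.searchParams;
  if (!q.get('state')) return false;
  return Boolean(q.get('code') || q.get('error'));
}

// Constructed sample URLs, classified by the check above.
function classifySamples() {
  const samples = [
    '/notion/setup?redirect_uri=https://example.com', // page from the report
    '/notion/setup?code=abc&state=xyz',               // another OAuth flow's params
    '/callback?code=abc&state=xyz',                   // successful login callback
    '/callback?error=access_denied&state=xyz',        // failed login callback
    '/callback?code=abc',                             // no state: not handled
  ];
  return samples.map((s) => isAuth0Callback(s));
}

// Usage in the app entry point (JSX, shown as a comment so this file runs in Node):
// <Auth0Provider domain={domain} clientId={clientId}
//   skipRedirectCallback={!isAuth0Callback(window.location.href,
//                                          CALLBACK_PATH, window.location.origin)}>
```

Keeping callback handling on one dedicated route also means query parameters belonging to other integrations never reach the SDK's code exchange.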