Redirects to auth0 are not being handled correctly

Hello everyone,

So currently I have to design a performance test for a website that is a login portal responsible for handling user login and authentication through auth0. I am currently trying to write a script for a simple login user journey, so just entering the user and password for an already created user. In the webpage, when you go to the login endpoint, e.g. "//exampleSite/web/ProtectedWithPassport", it goes through two redirects.

The first one is "//exampleSite/authorize?response_type=code&scope=openid%20email%20profile&client_id={clientIdValue}&redirect_uri={redirectURI}&nonce={nonceValue}&state=0".

From this endpoint it redirects to the second endpoint, e.g. "//exampleSite/login?state={stateValue}&client={clientId}&protocol=oauth2&response_type=code&scope=openid%20email%20profile&redirect_uri={redirectURI}&nonce={nonceValue}".

The purpose of these redirects is to go to a login page that uses auth0 for user authentication.

The problem is that I should be able to just make a GET request for the first endpoint, stop it at the second redirect and get the dynamic values that it returns so that I can use them for the following login request:

import http from 'k6/http';

// Follow at most two redirects so the response is the second redirect target
let response = http.get(
  "//exampleSite/web/ProtectedWithPassport",
  { redirects: 2 }
);

I have removed the https from the links.

The issue is that when I run the command above it goes to the first redirect, and once it makes the request for the second redirect it returns a 400 error, with the body saying that I am missing the clientId. But the clientId is clearly in the body of the request (the clientId is received automatically from the auth0 webpage it redirects to). I have tried multiple things like stopping the request at the first redirect, adding the clientId and nonce values manually and continuing to the second redirect; I have checked the request headers thoroughly; I've even run the endpoints manually with Postman, where they work, but the same does not work on k6. I am still new to k6, so at the moment I do not have any ideas left. Help would be greatly appreciated.

Hi @visarmarku, welcome to the community forum!

How do you see that the body has the client id? Did you use --http-debug=full? If not, you should try it.

I also did not understand why you want to stop. Is there a third redirect? Otherwise, with redirects:2 or with redirects:5 (the default) the result will be the same.

Hope this helps you and please paste the output of the --http-debug=full if there are more questions.
You should probably anonymize some data from it as well.

Hello,

I found what the issue was. Before I make the request with the first redirect, I need to encode the URL.
So I had to do something like this:

// Encode the authorize URL before requesting it (the real URL has no braces;
// the {…} values stand for the real clientId, redirect URI and nonce)
let encodedUrl = encodeURI("//exampleSite/authorize?response_type=code&scope=openid%20email%20profile&client_id={clientIdValue}&redirect_uri={redirectURI}&nonce={nonceValue}&state=0");

// `headers` is the request-header object defined earlier in the script;
// redirects: 0 stops at the first response so its Location header can be read
response = http.get(encodedUrl, {
  headers,
  redirects: 0,
});

Now it works and goes to the second redirect.
Thank you for replying.
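As an added example (not code from the thread), here is how the dynamic values can be pulled out of that second-redirect Location header once the request is stopped with redirects: 0. It uses only the standard URL API so it runs in plain Node.js; the hostname and the parameter values are constructed placeholders, and in a k6 script you would pass in response.headers['Location'] instead.

```javascript
// Parameters the login page in the thread receives and that the follow-up
// login request must carry along.
const REQUIRED = ['state', 'client', 'nonce', 'redirect_uri'];

// Parse the Location header of the /authorize response. Returns the values the
// next request needs, or throws naming every missing parameter, which is the
// condition behind the "missing clientId" 400 described above.
function parseLoginRedirect(location, base = 'https://example.invalid') {
  // The header may be relative ("/login?...") or absolute; `base` (a
  // placeholder host) is only used to resolve a relative value.
  const url = new URL(location, base);
  const missing = REQUIRED.filter((k) => !url.searchParams.get(k));
  if (missing.length) {
    throw new Error(`redirect is missing: ${missing.join(', ')}`);
  }
  return {
    path: url.pathname,
    state: url.searchParams.get('state'),
    client: url.searchParams.get('client'),
    nonce: url.searchParams.get('nonce'),
    // searchParams decodes %2F etc., so this is the plain callback URL
    redirectUri: url.searchParams.get('redirect_uri'),
    // "openid%20email%20profile" decodes to a space-separated list
    scope: (url.searchParams.get('scope') || '').split(' '),
  };
}

// Constructed sample Location header, shaped like the second redirect in the
// thread (all values made up).
const SAMPLE_LOCATION =
  '/login?state=g6Fo2SBqM3p4&client=abc123XYZ&protocol=oauth2' +
  '&response_type=code&scope=openid%20email%20profile' +
  '&redirect_uri=https%3A%2F%2FexampleSite%2Fcallback&nonce=n0nc3';

// The same redirect with the client parameter dropped, the failing case.
const SAMPLE_MISSING_CLIENT = SAMPLE_LOCATION.replace('&client=abc123XYZ', '');

function demo() {
  const params = parseLoginRedirect(SAMPLE_LOCATION);
  console.log(params);
  try {
    parseLoginRedirect(SAMPLE_MISSING_CLIENT);
  } catch (e) {
    console.log('rejected:', e.message);
  }
  return params;
}
```

In k6 the returned state, client and nonce are what you interpolate into the subsequent login request; checking them before use turns a silent 400 into a clear failure in the script.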