
Lock v10.9.3 not returning id_token in callback hash #809

Closed
chriswhong opened this Issue Jan 14, 2017 · 22 comments

8 participants
@chriswhong

chriswhong commented Jan 14, 2017

I blew away node_modules in a react router app and v10.4.0 was replaced with v10.9.3 and my authentication broke. I noticed that the callback hash was shorter than usual and figured out that it was sending access_token but not id_token back.

Did the syntax change for using callback mode between 10.4 and 10.9?

I am calling it like this:

    // Lock options: redirect mode, responseType 'token', no explicit scope
    this.lock = new Auth0Lock(clientId, domain, {
      initialScreen: 'signUp',
      closable: false,
      allowSignUp: false,
      auth: {
        redirectUrl: `${document.location.origin}/authsuccess`,
        responseType: 'token',
      },
      theme: {
        logo: '/img/logo_80.png',
      },
      languageDictionary: {
        title: 'Please log in',
      },
    });

nyc_captial_planning_platform

@luisrudge

Member

luisrudge commented Jan 14, 2017

Can you add this to your auth object and try again?

auth: {
  redirectUrl: `${document.location.origin}/authsuccess`,
  responseType: 'token',
  params: {
    scope: 'openid'
  }
},
@aryo

aryo commented Jan 15, 2017

Happened to me too, updating to 10.9.2 fixed it (was on 10.9.0)

@hzalaz

Member

hzalaz commented Jan 16, 2017

@chriswhong any news on this? does setting the scope work? Also do you have the OAuth 2.0 API Authorization flag on?

@ianwalsh

ianwalsh commented Jan 17, 2017

Same issue here after upgrading from 10.4. Adding the scope made no difference.

@hzalaz

Member

hzalaz commented Jan 17, 2017

@ianwalsh can you answer these questions #809 (comment)?

@ianwalsh

ianwalsh commented Jan 17, 2017

Where's the OAuth 2.0 API Authorization flag set?

@hzalaz

Member

hzalaz commented Jan 17, 2017

https://manage.auth0.com/#/account/advanced but if you don't know, it's probably off. Can you contact us via https://support.auth0.com so you can send your tenant information and repro steps?

@ianwalsh

ianwalsh commented Jan 17, 2017

Yeah it was off, but turning it on made no difference. I'll get in touch via support.

@ianwalsh

ianwalsh commented Jan 17, 2017

OK - seems I have to change the responseType option to id_token (was token) to get the id_token parameter sent through

@hzalaz

Member

hzalaz commented Jan 17, 2017

@ianwalsh just to make sure, does it work with lock 10.4? Also can you provide a HAR?

@ianwalsh

ianwalsh commented Jan 17, 2017

Nope - 10.4 needs responseType: 'token' - with 'id_token' I get Auth0 error page and "Missing required parameter: nonce" in the logs. Seems I need 10.4 = 'token', 10.9 = 'id_token'

@hzalaz

Member

hzalaz commented Jan 17, 2017

@ianwalsh so to have this right:

10.4: response_type token returns id_token
10.9: response_type token returns only access_token

If that's right, can you paste how you initialize Lock (contact via support and paste the ticket number here)

@ianwalsh

ianwalsh commented Jan 17, 2017

That's correct. Full code posted to support ticket #19192

@chriswhong

chriswhong commented Jan 17, 2017

@hzalaz Tried the scope you recommended, just like @ianwalsh said it did not change anything.

@luisrudge

Member

luisrudge commented Jan 18, 2017

Hi @chriswhong! I created a simple repro project to test this scenario and it's working for me.

I copied your configuration from the original issue and used lock version 10.9.2 from the cdn.

source code can be found here.
test url here: https://auth0-repro-809.now.sh

Can you provide a similar sample with your problem?
Thanks!

@luisrudge

Member

luisrudge commented Jan 18, 2017

@ianwalsh Sorry, I forgot to mention you. 😁

@dmachat

dmachat commented Jan 20, 2017

I was having a similar issue where I needed access to both accessToken and idToken: idToken to pass to my server to validate the signature during authentication, and accessToken for post-authentication client methods like getUserInfo. Undocumented as far as I can tell, but it seems you can request both by using a space-separated auth.responseType option:

auth: {
  responseType: 'token id_token',
  ...
}
@chriswhong

chriswhong commented Jan 26, 2017

I just added v10.10.2 to my project and encountered the same error: responseType: token did not return id_token, as I described in my original posting. I changed it to responseType: id_token and it is working properly.

@glena

Contributor

glena commented Jan 26, 2017

By default if you use responseType: token and do not set a scope:

{
    auth: {
        responseType: 'token'
    }
}

the scope defaults to openid. This way you will receive the id_token in the response.

If you are setting a scope, you should add the openid scope in order to receive the id_token (since in this scenario you are overriding the default setting).

Following the same example, this

{
    auth: {
        responseType: 'token',
        params: {
            scope: 'name'
        }
    }
}

will not work. The proper way to get the id_token with the extra claims is

{
    auth: {
        responseType: 'token',
        params: {
            scope: 'openid name'
        }
    }
}
@chriswhong

chriswhong commented Jan 26, 2017

So I am passing in options twice, once when I instantiate the lock:

    // Configure Auth0
    this.lock = new Auth0Lock(clientId, domain, {
      initialScreen: 'login',
      closable: false,
      allowSignUp: false,
      auth: {
        redirectUrl: `${document.location.origin}/authsuccess`,
        responseType: 'id_token',
      },
      theme: {
        logo: '/img/logo_80.png',
      },
      languageDictionary: {
        title: 'Please log in',
      },

    });
    // Add callback for lock `authenticated` event
    this.lock.on('authenticated', this.doAuthentication.bind(this));


and then again when I actually call show():

    this.lock.show({
      auth: {
        params: {
          state: this.requestedURL,
        },
      },
    });

(I have to do it this way so that I can grab the URL the user was trying to reach and redirect to it once the login is complete, and it could be any protected URL)

I assume by setting params, even though I did not specify params.scope, this is what is causing the problem.

@glena

Contributor

glena commented Jan 26, 2017

Yes, because what you set on show overrides the configuration in the internal state

@shasha-signifai

shasha-signifai commented Nov 21, 2017

for the responseType, I do

          responseType: 'token id_token'

and it worked for me
