Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unwanted parameters in /authorize call #851

Closed
nicosabena opened this issue Feb 1, 2017 · 3 comments · Fixed by #863
Closed

Unwanted parameters in /authorize call #851

nicosabena opened this issue Feb 1, 2017 · 3 comments · Fixed by #863
Assignees
@luisrudge
Labels
bug This points to a verified bug in the code
Milestone
v10.12.0

Comments

@nicosabena
Copy link
Contributor

nicosabena commented Feb 1, 2017
edited
Loading

Lock v10.10.1 (probably after referencing auth0.js 8.1.2 because of PR #324) adds some additional parameters when doing an authorize call, such as popup and popup_options, that seem out of place.

Lock v10.7.0:

https://nico-sabena.auth0.com/authorize
  ?scope=openid
  &response_type=code
  &connection=[...]
  &connection_scope=
  &sso=true
  &state=
  &client_id=[...]
  &redirect_uri=[...]
  &auth0Client=[...]

Lock v10.10.0:

https://nico-sabena.auth0.com/authorize
  ?connection=[...]
  &auth0Client=[...]
  &client_id=[...]
  &response_type=code
  &redirect_uri=[...]
  &scope=openid

v10.10.1 and after:

https://nico-sabena.auth0.com/authorize
?client_id=[...]
  &response_type=code
  &redirect_uri=[...]
  &connection=[...]
  &connection_scope=
  &popup=false
  &popup_options=%5Bobject%20Object%5D
  &sso=true
  &state=nndfasdfasdf
  &scope=openid
  &auth0Client=[...]
@glena
Copy link
Contributor

glena commented Feb 1, 2017

can you share the js code? (auth0.js initialization and the method call)

@nicosabena
Copy link
Contributor Author

You can replicate with:

var lock = new Auth0Lock('BYmE3DvjklkyaOADad2gABf05OplTXFV', 'nico-sabena.auth0.com');
lock.show();

and click on the Google social login.

@glena
Copy link
Contributor

glena commented Feb 1, 2017

I think that the empty connection_scope comes from here https://github.com/auth0/lock/blob/master/src/quick-auth/actions.js#L16 (check if it is adding it in other flows too)

popup and popup_options comes from here https://github.com/auth0/lock/blob/master/src/core/web_api/legacy_api.js#L39-L40 that is being merged into the auth0.js option like here https://github.com/auth0/lock/blob/master/src/core/web_api/legacy_api.js#L55 (this happens in all the calls). The same happen with the other web api implementation.

We should make sure that lock does not sends those params to auth0.js.

@luisrudge luisrudge self-assigned this Feb 2, 2017
@luisrudge luisrudge mentioned this issue Feb 8, 2017
Merged
@hzalaz hzalaz added bug This points to a verified bug in the code P3: Important labels Feb 8, 2017
@hzalaz hzalaz added this to the v10-Next milestone Feb 8, 2017
@hzalaz hzalaz modified the milestones: v10-Next, v10.12.0 Mar 2, 2017
@gene1wood gene1wood mentioned this issue Aug 10, 2017
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@luisrudge luisrudge

Labels
bug This points to a verified bug in the code
Projects
None yet
Milestone
v10.12.0
Development

Successfully merging a pull request may close this issue.

Cleaning params sent to auth0js auth0/lock
4 participants
@hzalaz @luisrudge @nicosabena @glena