Ensure Auth0 profile is available in all cases #374
This is a bugfix for Auth0’s “Last time you logged in with” flow. Previously, if a user clicked on their existing session instead of the "Not your account?" link, then
This PR fixes the problem by explicitly requesting all of the scopes necessary for
So normally you don't need these scopes unless you come on the login page while logged in and you try to log in with the current session?
I don't know Auth0's API, but if you say this is a no-op for other situations, then I will gladly merge this :D
I have a slight suspicion that it has to do with OIDC conformance, which Auth0 has been slowly moving towards over the past year, but I can't easily prove that. I just remember it working prior to some of their OIDC changes. Also, their scopes documentation seems to indicate these scopes are required to return the profile and email. But for some reason, in practice, it isn't necessary when creating a new session. Maybe someone made a mistake while trying to maintain backwards compatibility.
I will also note that the Okta provider uses these scopes, which seems relevant, since their product has a similar architecture.
It definitely doesn't adversely affect anything. Did lots of testing with and without it. Should be semver patch.