New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Auth0 not returning Access Token #397

jawa-the-hutt opened this Issue Jul 15, 2018 · 1 comment


None yet
2 participants

jawa-the-hutt commented Jul 15, 2018

I have a proposed PR to make, but wanted to get feedback here first. The PR should be simple to implement, but will introduce a breaking change to the Auth0 plugin.

The current implementation of the Auth0 integration is not standards compliant to Auth0 specs. What it is essentially doing is getting the Id Token and then naming and saving it as access_token.

access_token: authResponse.idToken

What this essentially means is we are unable to call any of the Auth0 endpoints like /userinfo that require sending back their Access Token as all we really have in our possession at this point is their Id Token.

So, I propose a breaking change to the Auth0 plugin that would replace Line 77 with something like this:

  access_token: authResponse.accessToken
  id_token: authResponse.idToken

With the new getIdTokenPayload() function we can then easily grab the payload of the id_token and use it how we need it within our apps. This change would also require setting the getAccessTokenFromResponse to true in your aurelia-authentication config if you also want the access token.

The access token that gets returned from Auth0 will be opaque and not in JWT format. If you want an Access Token in JWT format that is not opaque and can be used to store/retrieve information in it, then in the Auth0 portion of the your aurelia-authentication config you can also pass something like this:

    auth0: {
        lockOptions: {
            auth: {
                audience: 'https://YOUR_AUTH0_URL/api/v2/'

The key here is to pass in the audience config so that Auth0 returns the non-opaque access token.


This comment has been minimized.


doktordirk commented Jul 16, 2018

Seems necessary, so if it's a breaking change so be it.

jawa-the-hutt added a commit to jawa-the-hutt/aurelia-authentication that referenced this issue Jul 16, 2018

fix(auth0): fix access and id token assignments
Current Auth0 plugin assigns the Auth0 id_token to the access_token
object. This fixes that and now you get the Auth0 access_token &
id_token correctly assigned.

This is breaking change, see issue SpoonX#397
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment