Auth0-spa-js: Angular Quick Start: oauth/token: access_denied & Unauthorized -- FYI Copy of #454 from May 6th, 2020 this is still an issue

Created on 25 Jul 2020  Â·  11Comments  Â·  Source: auth0/auth0-spa-js

Description
Just using the provided quickstart for Angular, by navigating the the quickstart for the application and following the guide that is there, including downloading and using the sample app:

https://auth0.com/docs/quickstart/spa/angular2?framed=1&sq=1#configure-auth0

I anticipated it working out of the box.

Reproduction
Create Auth0 account
Download sample project (based on Default App)
Run and login (using chrome)
The application runs, the login button prompts for a login on Auth0(after corrected urls in the application settings in Auth0), the login is successful and the user is returned to the sample app.

At this point, the application is calling https://*.auth0.com/oauth/token, and we are receiving {"error":"access_denied","error_description":"Unauthorized"}, in the Auth0 logs we are getting failed exchange.

Environment
Version provided in download link

bug report

Most helpful comment

For my case, using React example, the application type was marked as spa, but the token endpoint authentication method was set to post and grayed out.

If it were not for your comment @stevehobbsdev, I would not have tried to changed it to none.

I did:

  1. change application type to something that remove the disable from the token endpoint authentication method.
  2. change application type back to spa. Got warning about token be deleted or something like that.
  3. after that, the token endpoint authentication method was set to none.

Now it works. Thanks.

  • oidc conformant is on
  • using firefox

All 11 comments

Hi @robwafle-scripd, thanks for the report.

Can you check that you have the "Single Page Application" type set in your Auth0 client and that "Token Endpoint Authentication Mode" is set to "None"?

image

Hi Steve:

This WAS the case when I first got the error. However, due to an article I found how to fix this, I tried machine to machine. It appears I can not switch back to SPA. Is there a way to switch back? Or should I just crate a new application?

Thanks!

Rob
w

From: Steve Hobbs notifications@github.com
Reply-To: auth0/auth0-spa-js reply@reply.github.com
Date: Thursday, July 30, 2020 at 3:46 AM
To: auth0/auth0-spa-js auth0-spa-js@noreply.github.com
Cc: robwafle-scripd rob@scripd.io, Mention mention@noreply.github.com
Subject: Re: [auth0/auth0-spa-js] Angular Quick Start: oauth/token: access_denied & Unauthorized -- FYI Copy of #454 from May 6th, 2020 this is still an issue (#539)

Hi @robwafle-scripdhttps://github.com/robwafle-scripd, thanks for the report.

Can you check that you have the "Single Page Application" type set in your Auth0 client and that "Token Endpoint Authentication Mode" is set to "None"?

[Image removed by sender. image]https://user-images.githubusercontent.com/766403/88901961-6f4d3d80-d249-11ea-8344-a819c9baec1f.png

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHubhttps://github.com/auth0/auth0-spa-js/issues/539#issuecomment-666234258, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AOER7AYXY6RJ2PSAIQMJZUDR6EXNNANCNFSM4PHTIZAQ.

Hi @robwafle-scripd

You'll need to create a new SPA Application. Can you let me know if you're still getting a 401 from oauth/token from the new application when it's set up?

Hi. No, now I am getting warnings regarding SameSite not being set on the cookies. I verified that I have at least v1.10.0 and I have v1.11.0 since the fix to set sameSite='None' and secure was in v1.10.0 ... But, I was still getting the SameSite warnings. I decided to update my local code to use None with a capital N and everything started to work for me. It appears that this is case sensitive on Chrome in osx.

Also, I believe the Angular SPA example needs some updating. I am working through some changes proposed to solve a race condition here: https://community.auth0.com/t/angular-8-isauthenticated-race-condition/37474

Thanks @robwafle-scripd for the report on Angular - we're currently in the process of updating all these samples to something new, which I hope to share with you very shortly.

On the cookie issue, we're continuing to look at changes in this area and will have something to share soon on that as well.

For my case, using React example, the application type was marked as spa, but the token endpoint authentication method was set to post and grayed out.

If it were not for your comment @stevehobbsdev, I would not have tried to changed it to none.

I did:

  1. change application type to something that remove the disable from the token endpoint authentication method.
  2. change application type back to spa. Got warning about token be deleted or something like that.
  3. after that, the token endpoint authentication method was set to none.

Now it works. Thanks.

  • oidc conformant is on
  • using firefox

Thanks @elpdcore. We discovered that a change was made to the Default App a while ago to fix a security issue, but it had a knock-on effect to SPA apps. We can make an immediate change with our guidance in our quickstart docs, but more permanent changes are being made by another team. Glad you managed to solve your issue!

Wonderful! Very happy to see this is moving forward!

On Sat, Sep 5, 2020 at 8:38 AM Steve Hobbs notifications@github.com wrote:

Thanks @elpdcore https://github.com/elpdcore. We discovered that a
change was made to the Default App a while ago to fix a security issue, but
it had a knock-on effect to SPA apps. We can make an immediate change with
our guidance in our quickstart docs, but more permanent changes are being
made by another team. Glad you managed to solve your issue!

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/auth0/auth0-spa-js/issues/539#issuecomment-687612760,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AOER7A34LNHYKRZPBBISFP3SEI5PHANCNFSM4PHTIZAQ
.

@elpdcore That fixed my problem!

Going to close this for now as the issue is no longer related to the SDK, but another team is working on the dashboard aspect. Anyone still affected by this should refer to @elpdcore's comment above.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

hidegh picture hidegh  Â·  5Comments

szilagyikinga picture szilagyikinga  Â·  6Comments

Hopchenko picture Hopchenko  Â·  6Comments

jgbpercy picture jgbpercy  Â·  7Comments

patrickcorrigan picture patrickcorrigan  Â·  3Comments