Lock: Lock v10.9.3 not returning id_token in callback hash

Created on 14 Jan 2017  路  22Comments  路  Source: auth0/lock

I blew away node_modules in a react router app and v10.4.0 was replaced with v10.9.3 and my authentication broke. I noticed that the callback hash was shorter than usual and figured out that it was sending access_token but not id_token back.

Did the syntax change for using callback mode between 10.4 and 10.9?

I am calling it like this:

    this.lock = new Auth0Lock(clientId, domain, {
      initialScreen: 'signUp',
      closable: false,
      allowSignUp: false,
      auth: {
        redirectUrl: `${document.location.origin}/authsuccess`,
        responseType: 'token',
      },
      theme: {
        logo: '/img/logo_80.png',
      },
      languageDictionary: {
        title: 'Please log in',
      },

    });

nyc_captial_planning_platform

Most helpful comment

I was having a similar issue where I needed access to both accessToken and idToken. idToken to pass to my server to validate signature during authentication, and accessToken for post-authentication client methods like getUserInfo. Undocumented as far as I can tell, but seems you can request both by a using space separated auth.responseType option:

auth: {
  responseType: 'token id_token',
  ...
}

All 22 comments

Can you add this to your auth object and try again?

auth: {
  redirectUrl: `${document.location.origin}/authsuccess`,
  responseType: 'token',
  params: {
    scope: 'openid'
  }
},

Happened to me too, updating to 10.9.2 fixed it (was on 10.9.0)

@chriswhong any news on this? does setting the scope work? Also do you have the OAuth 2.0 API Authorization flag on?

Same issue here after upgrading from 10.4. Adding the scope made no difference.

@ianwalsh can you answer these questions https://github.com/auth0/lock/issues/809#issuecomment-272902513?

Where's the OAuth 2.0 API Authorization flag set?

https://manage.auth0.com/#/account/advanced but if you don't know its probably off. Can you contact us via https://support.auth0.com so you can send your tenant information and repro steps?

Yeah it was off, but turning it on made no difference. I'll get in touch via support.

OK - seems I have to change responseType option to id_token (was token) to get the id_token parameter sent though

@ianwalsh just to make sure, does it work with lock 10.4? Also can you provide a HAR?

Nope - 10.4 needs responseType: 'token' - with 'id_token' I get Auth0 error page and "Missing required parameter: nonce" in the logs. Seems I need 10.4 = 'token', 10.9 = 'id_token'

@ianwalsh so to have this right:

10.4: response_type token returns id_token
10.9: response_type token returns only access_token

If that's right, can you paste how you initialize Lock (contact via support and paste the ticket number here)

Thats correct. Full code posted to support ticket #19192

@hzalaz Tried the scope you recommended, just like @ianwalsh said it did not change anything.

Hi @chriswhong! I created a simple repro project to test this scenario and it's working for me.

I copied your configuration from the original issue and used lock version 10.9.2 from the cdn.

source code can be found here.
test url here: https://auth0-repro-809.now.sh

Can you provide a similar sample with your problem?
Thanks!

@ianwalsh Sorry, I forgot to mention you. 馃榿

I was having a similar issue where I needed access to both accessToken and idToken. idToken to pass to my server to validate signature during authentication, and accessToken for post-authentication client methods like getUserInfo. Undocumented as far as I can tell, but seems you can request both by a using space separated auth.responseType option:

auth: {
  responseType: 'token id_token',
  ...
}

I just added v10.10.2 to my project and encountered the same error responseType: token did not return id_token as I described in my original posting. I changed it to responseType: id_token and it is working properly.

By default if you use responseType: token and do not set a scope:

{
    auth: {
        responseType: 'token'
    }
}

the scope defaults to openid. This way you will receive the id_token in the response.

If you are setting a scope, you should add the openid scope in order to receive the id_token (since in this scenario you are overriding the default setting).

Following the same example, this

{
    auth: {
        responseType: 'token',
        params: {
            scope: 'name'
        }
    }
}

will not work. The proper way to get the id_token with the extra claims is

{
    auth: {
        responseType: 'token',
        params: {
            scope: 'openid name'
        }
    }
}

So I am passing in options twice, once when I instantiate the lock:

    // Configure Auth0
    this.lock = new Auth0Lock(clientId, domain, {
      initialScreen: 'login',
      closable: false,
      allowSignUp: false,
      auth: {
        redirectUrl: `${document.location.origin}/authsuccess`,
        responseType: 'id_token',
      },
      theme: {
        logo: '/img/logo_80.png',
      },
      languageDictionary: {
        title: 'Please log in',
      },

    });
    // Add callback for lock `authenticated` event
    this.lock.on('authenticated', this.doAuthentication.bind(this));


and then again when I actually call show():

    this.lock.show({
      auth: {
        params: {
          state: this.requestedURL,
        },
      },
    });

(I have to do it this way so that I can grab the URL the user was trying to reach and redirect to it once the login is complete, and it could be any protected URL)

I assume by setting params, even though I did not specify params.scope, this is what is causing the problem.

Yes, because what you set on show overrides the configuration in the internal state

for the responseType, I do

          responseType: 'token id_token'

and it worked for me

Was this page helpful?
0 / 5 - 0 ratings

Related issues

martsie picture martsie  路  5Comments

mcrawshaw picture mcrawshaw  路  5Comments

benmadany picture benmadany  路  4Comments

kjartanvalur picture kjartanvalur  路  8Comments

virgil-av picture virgil-av  路  5Comments