I'm trying to use lock on localhost and am unable to log in or sign up. The error on screen after submitting email and password for sign up is WE'RE SORRY, SOMETHING WENT WRONG WHEN ATTEMPTING TO LOG IN.. The console shows this: auth0.min.esm.js:8 Consent Required. Consent can't be skipped on localhost. Read more here: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients as well as index.js:537 Consent required. When using 'getSSOData', the user has to be authenticated with the following scope: 'openid profile email'.
My lock config looks like this:
const lockOptions = {
avatar: null,
closable: false,
auth: {
redirect: false,
params: {
scope: "openid profile email"
},
audience: "http://dev-api.dynamictype.net"
},
theme: {
primaryColor: "#268bd2"
}
};
I have no issue with the identically configured test and prod tenants which are working fine. They are not on localhost though.
The API that the audience refers to has 'skip consent' turned off, so I am expecting the consent dialog to show rather than this console message, but it never does.
I'm aware of the workaround in the docs re setting a host alias locally, but this is not ideal and I would be happy with just the consent dialog. I think it's a bug that this doesn't show up.
Using the config above, follow the implicit grant flow with a basic "single page app" app and the URLs and callbacks all set up for localhost. There is an API matching the audience, with default settings.
In a React component:
this.lock = new Auth0Lock(auth0clientId, auth0domain, lockOptions);
this.lock.on("authenticated", this.handleAuthentication.bind(this));
this.locak.show();
The handler function is never reached.
I've found that it shows up fine when redirect: true is set instead. If this is intended behaviour, then I think it should be documented somewhere. I only found out through trial and error.
As you mentioned, consent can't be skipped on localhost. The consent dialog can only be shown inside the Authorization Server (Auth0, in this case), there's no way to show it if you don't redirect the user to do the authentication there, which is what we do with redirect:true.
Ah, I see. Showing consent requires redirect: true. In that case the bug is with the docs as I couldn't see this mentioned anywhere.
Most helpful comment
As you mentioned, consent can't be skipped on localhost. The consent dialog can only be shown inside the Authorization Server (Auth0, in this case), there's no way to show it if you don't redirect the user to do the authentication there, which is what we do with
redirect:true.