Lock: Lock on localhost does not show consent popup when `redirect: false` is set

Created on 8 Jun 2019  路  3Comments  路  Source: auth0/lock

Description

I'm trying to use lock on localhost and am unable to log in or sign up. The error on screen after submitting email and password for sign up is WE'RE SORRY, SOMETHING WENT WRONG WHEN ATTEMPTING TO LOG IN.. The console shows this: auth0.min.esm.js:8 Consent Required. Consent can't be skipped on localhost. Read more here: https://auth0.com/docs/api-auth/user-consent#skipping-consent-for-first-party-clients as well as index.js:537 Consent required. When using 'getSSOData', the user has to be authenticated with the following scope: 'openid profile email'.

My lock config looks like this:

const lockOptions = {
        avatar: null,
        closable: false,
        auth: {
          redirect: false,
          params: {
            scope: "openid profile email"
          },
          audience: "http://dev-api.dynamictype.net"
        },
        theme: {
          primaryColor: "#268bd2"
        }
      };

I have no issue with the identically configured test and prod tenants which are working fine. They are not on localhost though.

The API that the audience refers to has 'skip consent' turned off, so I am expecting the consent dialog to show rather than this console message, but it never does.

I'm aware of the workaround in the docs re setting a host alias locally, but this is not ideal and I would be happy with just the consent dialog. I think it's a bug that this doesn't show up.

Prerequisites

Environment

  • Lock version: 11.16.0
  • Browser version: Chrome 75.0.3770.80
  • OS: MacOS Mojave
  • Additional extensions/libraries that might be affecting your instance: None. Tried in incognito mode and it's the same.

Reproduction

Using the config above, follow the implicit grant flow with a basic "single page app" app and the URLs and callbacks all set up for localhost. There is an API matching the audience, with default settings.

In a React component:

      this.lock = new Auth0Lock(auth0clientId, auth0domain, lockOptions);
      this.lock.on("authenticated", this.handleAuthentication.bind(this));
      this.locak.show();

The handler function is never reached.

Most helpful comment

As you mentioned, consent can't be skipped on localhost. The consent dialog can only be shown inside the Authorization Server (Auth0, in this case), there's no way to show it if you don't redirect the user to do the authentication there, which is what we do with redirect:true.

All 3 comments

I've found that it shows up fine when redirect: true is set instead. If this is intended behaviour, then I think it should be documented somewhere. I only found out through trial and error.

As you mentioned, consent can't be skipped on localhost. The consent dialog can only be shown inside the Authorization Server (Auth0, in this case), there's no way to show it if you don't redirect the user to do the authentication there, which is what we do with redirect:true.

Ah, I see. Showing consent requires redirect: true. In that case the bug is with the docs as I couldn't see this mentioned anywhere.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

sandrinodimattia picture sandrinodimattia  路  6Comments

virgil-av picture virgil-av  路  5Comments

juhaelee picture juhaelee  路  3Comments

maxlapides picture maxlapides  路  5Comments

kjartanvalur picture kjartanvalur  路  8Comments