We configured the Google Social Oauth Provider for our web applications. However, when people log in with Google the Google consent form displays “auth0.com wants to…” rather than our application logo and name.
How do we get our logo and name to display on the google consent form rather than Auth0?
Update: The information below although not very old is already outdated because Google changed the way they convene information from the application that is asking for user authentication. It now seems to be based on the configured redirect URL (hostname) so the configured application name/logo may not have an impact.
The behavior you described will happen if you enabled the Google social connection and did not configure your own client information. By default the connection will use Auth0 developer keys for testing purposes and this will mean the information that will be shown will be Auth0 related.
When using the Auth0 developer keys, the consent screen for the various Identity Providers will display Auth0’s logo and information to your users.
You can follow the instruction at the following link to configure your own set of keys:
I have followed the detailed instructions above, but still see the same information on the Google consent form…
“Choose an account to continue to auth0.com”
Any idea why this would be the case if everything is filled out exactly as in the link above?
I have followed the detailed instructions above, but still see the same information on the Google consent form…
“Choose an account to continue to auth0.com”
Any idea why this would be the case if everything is filled out exactly as in the link above?
@admin6 this seems to have been a recent change from Google where it chose to show information based on the configured redirect URL instead of user provided information like the application name/logo.
Do you have a google link or any documentation I can take a look at for this? Are you saying that there is a work around for this issue using a redirect, or are you saying that is it not possible to change this now that Google is using a different technique?
The configured redirect URL needs to be the one associated with the Auth0 account so I was not suggesting a possible workaround, only explaning why you see what you see on that screen.
For more information and links to Google blog posts relevant to this change see this other answer: http://community.auth0.com/answers/3788/view
Is it possible to setup a redirect on your own website which then redirects to auth0.com to trick Google into thinking the name is correct?
Is it possible to setup a redirect on your own website which then redirects to auth0.com to trick Google into displaying your name?
E.g., configure Google to send the callbacks to mydomain.com which then replies with a 302 to auth0?
I’m not sure if Ouath is allowed to follow redirects though.
I’m not sure the single redirect would resolve this; you need Auth0 to redirect to the IdP so that the authentication transaction is initialized; this means Auth0 will send a redirect URL to the IdP (Google) that has an Auth0 domain. Although you could configure Google to accept a redirect to your own application, the authentication started through Auth0 would always provide the one with the Auth0 domain. Technically, it might be possible with more than one redirect and a custom OAuth2 connection (targeting Google) that would replace the default Google one, but don’t quote me on this.
OK thanks for the info. I’ll leave that for now.
Does Auth0 have an official plan/response for this Google change?
I have to say that the user experience is now terrible because Google users will now see “Auth0” mentioned instead of the “real” company.
Could Auth0 speak to Google to see if an exception can be made since Auth0 is clearly a trusted party?
John
According to an answer “from” Google they are working on allowing exceptions to this behavior by having probably some sort of verification steps. However, they are still working on the infrastructure for that. At this time to my knowledge there’s no action on Auth0 side as most likely any exception would still require the outstanding work from Google and when that’s available you could request it yourself for your application.
Any update on this? The answer from Google mentioned “many months from now” and now it is “many months from now”. Surely the Auth0 is on top of this, since it basically renders all consent screens completely separated from our actual applications. Users don’t know what “auth0.com” and are afraid to authorize access to that domain when they asked to log in / authorize with our services.
As a workaround, could Auth0 provide an ability to set a custom domain via CNAME for hosted pages so that our own domain can be shown?
Any update on this? The answer from Google mentioned “many months from now” and now it is “many months from now”. Surely the Auth0 is on top of this, since it basically renders all consent screens completely separated from our actual applications. Users don’t know what “auth0.com” and are afraid to authorize access to that domain when they asked to log in / authorize with our services.
As a workaround, could Auth0 provide an ability to set a custom domain via CNAME for hosted pages so that our own domain can be shown?
From our side since we can’t change Google decision on this we are working on making this a non-issue by considering supporting the alternative that you mentioned (the ability to use your own domain to refer to the Auth0 service). However, there’s no concrete information about how/when would that be available. For now besides the possible convoluted hack with custom OAuth2 connections mentioned in another comment I don’t think there is any workaround.