Lock UI & Implicit Grant

brianra · June 5, 2017, 9:29pm

I’m using the Lock UI (not hosted login page) with a SPA. I’m using the Angular 2 quickstart as an example.

It looks like this defaults to using the username-password grant type by default, and not the implicit grant. The reason I say this is when calling lock.show() and logging in, the request hits /oauth/token with a grant_type of http://auth0.com/oauth/grant-type/password-realm. Since this is a SPA (Angular 2), I was anticipating it’d hit the /authorize endpoint. Is there a way to force the lock UI to know this is an implicit grant flow? Here’s my lock config setup (similar to Angular 2 (SPA) quickstart).

    this.lock = new Auth0Lock(auth0SPAConfig.clientID, auth0SPAConfig.domain, {
      oidcConformant: true,
      autoclose: true,
      auth: {
        redirectUrl: auth0SPAConfig.redirectUri,
        responseType: 'token id_token',
        audience: auth0SPAConfig.audience,
        params: {
          scope: 'openid profile last_password_reset'
        }
      }
    });

jmangelo · June 6, 2017, 4:31pm

At this time the use of Lock in conjunction with API authorization (aka audience parameter) within your own client application is not yet documented so you should not rely on that as it’s subject to changes before being documented.

The supported mechanism at this time to make use of API authorization is to use Auth0.js v8 and go through the hosted login page. As you may have noticed by the fact that Lock already has some undocumented parameters related to API authorization there is work in progress to enable also the scenario you mention, however, this is not yet completed and documented.

brianra · June 6, 2017, 6:58pm

Thanks! I’ll use auth0.js v8 then.