Guys, I am spending almost two days trying to figure this out.
I am having a SPA application and Popup Lock control:
lock = new Auth0Lock(AUTH_CONFIG.clientID, AUTH_CONFIG.domain, {
oidcConformant: true,
autoclose: true,
auth: {
redirectUrl: AUTH_CONFIG.callbackURL,
responseType: 'token id_token',
audience: `https://${AUTH_CONFIG.domain}/userinfo`,
params: {
scope: 'openid'
}
},
socialButtonStyle: 'small',
theme: {
primaryColor: '#31324F'
},
languageDictionary: {
emailInputPlaceholder: "something@youremail.com",
title: "Digital Dealers"
}
});
I getting a response when using Google option:
![alt text][1]
I don’t understand, why:
- accessToken is so small
- aud is showing some weird thing, rather than
https://${AUTH_CONFIG.domain}/userinfo
If I try to use that token with my .Net Core web api, it returns that aud is invalid.
Please help!!!
Thanks
Nick
There are a couple of things worth noting here. Technically, the possibility to use Lock from within your own application for the purpose of API Authorization is not yet fully documented. Although the latest version of Lock has support at the code level, given that the documentation is not yet available I would be more comfortable in referring you to the fully supported and documented way of using API Authorization with Auth0.js version 8.
Even more important than the above is that there are multiple tokens in play here; the ID token is always a JWT (the spec mandates this) and is meant to be issued to the client application so the aud value will be the client application identifier. In addition, we have the access token which is used to call the resource server (aka API) for which it was issued to.
Given you specify an audience of https://${account}/userinfo you get an access token suitable to call that API; have in mind, that this API is also associated with your account so the access token does not need to be a JWT as the API has a direct relationship with the authorization server that issued it and can use an opaque access token for efficiency purposes.
When an access token is issued to your own API it uses the JWT format as that will allow your own API to validate it without an external call each time the token is received.
In conclusion, it seems you should be requesting an audience specific to your own API (requires configuring it as such in Auth0) and use the issued access token instead of an ID token as the token that gets sent to the API. However, trying to do this with Lock within your own application may be more complex due to documentation not being fully available yet. The recommended approach would be to use Auth0.js authorize method and redirect to the hosted login page (where Lock is used by default, so it would give a similar experience).