I’m trying to force Lock to use the /authorize endpoint with an API declared in the dashboard section, specifying its audience, but can’t make it work, i.e. the resulting token’s audience and signature credentials are those of the client. Is this scenario supported or only auth0.js supports it?
Thanks!
How are you forcing the lock to use /authorize endpoint?
Is there a configuration for that?
I am managed to get the access token using the lock.on('authenticated') to call the /authorize endpoint & then extracting it from the response on the callback.
In fact it is not working. It seems to use /authorize only after repeating a login, asking me if I am the same user. But I suspect Lock does not work with API Authorization at all…
Did you figure this out?
No. I’ve understood that /authorize does not make any authorization at all, it simply redirects the user agent to a login page depending on its parameters. So Lock is a bit out of context here. At the moment I am using auth0.js sdk which redirects my browser to a hosted login page (on Auth0). That page uses lock, but it does not use /authorize itself again, what it does depends on the connection used.