Classlink Custom Social Connection

I am using Auth0 to create an SSO on a WordPress website as a B2C model to provide students access to private content course materials; the application that students use is Classlink.

Classlink is an educational application that provides ease of access to applications without creating accounts. More information can be found at www.classlink.com and the developer’s section is found here

I tried following the instructions in the documentation to make a connection to Classlink and it seems to be not making a proper connection.

I will show the steps I did, and hopefully with the community’s help, we can find what I am missing to complete the connection for a custom social connection.

  1. I filled in the required fields for the custom social extension for a new connection. I also used the following code.


// Fetch User Profile script for the Auth0 custom social connection.
// `request` is the HTTP client the Auth0 script sandbox makes available;
// `accessToken` is the token obtained from ClassLink after the code exchange.
function(accessToken, ctx, cb) {
  // No leading whitespace in the URL: a stray space produces a malformed request.
  request.get('https://nodeapi.classlink.com/v2/my/info', {
    headers: {
      'Authorization': 'Bearer ' + accessToken
    }
  }, function(e, r, b) {
    if (e) return cb(e);
    if (r.statusCode !== 200) {
      return cb(new Error('StatusCode: ' + r.statusCode));
    }
    var profile = JSON.parse(b);
    // Map the ClassLink profile fields onto the Auth0 normalized profile.
    cb(null, {
      user_id: profile.UserId,
      family_name: profile.name_details.LastName,
      given_name: profile.name_details.FirstName,
      email: profile.Email
    });
  });
}
  2. I tried the test connection but it says:

    {
      "error": "access_denied",
      "error_description": "invalid redirect url"
    }

  3. I also followed the procedure to add the callback URL on the classlink developer’s page, along with the callback URL from the dashboard. The Authorization URI sent me to an error page provided in the screenshot below. Is Auth0.js required for this or not? I am reading the documentation about this step at the moment.


The test account we used on Classlink to test the connection is also provided in a screenshot, this is a Classlink student account example of adding a website to connect to with a profile.


Hopefully this will help find what we need to complete the connection with the auth0 plugin on our wordpress website.

If additional details are needed, I am happy to provide as needed.

According to this ClassLink documentation they seem to use a not so common method as part of their redirect URI validation. In general, redirect URIs are validated by doing a string comparison against a predefined list of URLs provided by the developer. However, from the linked documentation:

Before you can start using OAuth2, you must verify your domain.
(…)
After you add your domain, you will need to verify ownership by downloading a small file and upload it to the root of your web server.

The issue is that the method of verification requires making a file available at the root path of the domain and you won’t be able to do that for the domain associated with the redirect URI that you need to use, https://[account].auth0.com/login/callback. As mentioned before, the ClassLink approach is uncommon and you could even argue that it is not recommended, because unless they are also doing another validation that does a full match of the redirect URI against a predefined list then it’s somewhat insecure, because any path on the verified domain could be used and this increases the chance of finding an open redirector that could be leveraged for an attack.

Assuming that the domain verification step is something that is unavoidable from ClassLink then if this indeed is the root cause of the problem you could consider verifying your own domain and implementing an endpoint in that domain that performs another redirect to the Auth0 callback URL.

jmangelo, thanks for taking the time to look at this.

What you said actually makes sense, and I verified the website domain by doing the file upload to the web server. Since the Auth0 plugin has its own domain, and from your recommendation to redirect Classlink from my webpage to the Auth0 callback URL, do I just need to make a page and set up a redirect?

Or is it setting up an API call that carries over the exchange during the redirect? I am learning all this as I go along so I will appreciate any clarifications on what exactly the redirect needs to do if it’s more than a simple redirect.