Access token is very small when log in first time auth0lock

spa
login
access-token

#1

Hi
I have a jQuery SPA client.
Here are the Auth0Lock settings I have in place:

var options = {
  allowSignUp: true,
  //rememberLastLogin: false,
  auth: {
    allowSignUp: false,
    params:
    {
      scope: 'openid profile email read:api read:api2 read:api23',
      audience: 'audience',

    }

  }
};

var lock = new Auth0Lock(AUTH0_CLIENT_ID, AUTH0_DOMAIN, options);

I am using this to obtain an access token to access secure resources on a different API (that API is also a client of my Auth0 domain).

When I log in for the first time with a new user, the access token received is very small, and when I send it in the header to access the API, the API returns 401 (unauthorized error).

But when I sign out, since the Auth0 login popup remembers the account I used to log in,
and I log in again with the same account, it returns a large access token and my call to the API also works fine.

What can be the issue for the first-time login?
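
A client-side check for the symptom described in this thread, added here as an example and not part of any post: Auth0 returns a short opaque access token when no API `audience` is applied to the login request, and a JWT carrying `aud` and `scope` claims when it is. `inspectAccessToken` and `makeSampleJwt` are hypothetical names, the sample tokens are constructed, and the audience and scopes are copied from the options above.

```javascript
// Added diagnostic; values below are copied from the Lock options in the first post.
const EXPECTED_AUDIENCE = 'audience';
const REQUIRED_SCOPES = ['read:api', 'read:api2', 'read:api23'];

// Decode one base64url JWT segment. No signature check happens here: the API
// still has to verify the token, this only explains a 401 on the client side.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
}

function inspectAccessToken(token, audience = EXPECTED_AUDIENCE, scopes = REQUIRED_SCOPES) {
  const verdict = (kind, usableForApi, reason) => ({ kind, usableForApi, reason });
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    return verdict('opaque', false, 'not a JWT (opaque token)');
  }
  let claims;
  try {
    decodeSegment(parts[0]);
    claims = decodeSegment(parts[1]) || {};
  } catch (err) {
    return verdict('opaque', false, 'segments are not base64url JSON');
  }
  // aud is a string for one audience and an array when several are granted.
  const aud = [].concat(claims.aud || []);
  if (!aud.includes(audience)) {
    return verdict('jwt', false, 'aud does not include ' + audience);
  }
  const granted = String(claims.scope || '').split(' ');
  const missing = scopes.filter((s) => !granted.includes(s));
  if (missing.length > 0) {
    return verdict('jwt', false, 'missing scopes: ' + missing.join(' '));
  }
  if (typeof claims.exp === 'number' && claims.exp * 1000 <= Date.now()) {
    return verdict('jwt', false, 'token expired');
  }
  return verdict('jwt', true, 'ok');
}

// Builds a constructed, unsigned sample token for trying the function out.
function makeSampleJwt(claims) {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc(claims), 'constructed-signature'].join('.');
}
```

Running it on `authResult.accessToken` in Lock's `authenticated` handler shows which kind of token a given login produced before the API call is made.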


#2

As far as I’m aware, at this time the library that is formally documented to support API Authorization features (aka the audience parameter) for use in web client applications is Auth0.js v8; the support for Auth0 Lock is not yet documented, and although there have already been updates to the library in order to support the functionality, you may not want to rely on it. The reason is that since it’s not documented, it may change before being formally supported.

Currently, I would recommend you to make use of Auth0.js v8 if you’re going to make use of API authorization features.


#3

I have analyzed the request pattern.

When I am getting the correct access token, Auth0Lock makes a request to https://testart.auth0.com/authorize?client_id.

But when the access token is not correct for accessing the API, the request is being made to https://testart.auth0.com/usernamepassword/login.

I have not configured anything for it to follow.

What can be the reason there?


#5

Like I mentioned in the answer, support for audience in Lock is not yet final/documented; for now, you can make use of Auth0.js v8 if you want to use that functionality.


#6

Thanks
I will use Auth0.js and let you know if I have things to ask

Thanks

