I have an Angular 4 SPA that needs to call my API.
I set up a client for my SPA, and an API.
I also need to add permissions from the Auth0 authorization extension to my access_token, so I set up the corresponding rule to add the permissions to the token in a unique namespace.
In my Auth0 lock configuration, I added the audience for my API. In the lock.on('authenticated', ...) callback I extract the id_token and send it to the /tokeninfo endpoint to retrieve some details to display in the SPA.
The main issue:
For users logging in via a social media provider (Google, Twitter) I get back the id_token and the JWT access_token, and everything works as intended. However, a user logging in using the Auth0 username-password connection just gets back an opaque access_token (no JWT), which can't be validated on the API side.
I then tried to set oidcConformant: true on my Auth0 lock options object.
Now, after that, the Auth0 username-password login works. However, for users logging in via social media providers, the lock.on('authenticated', ...) callback is no longer fired.
It seems I can have either Auth0 username-password users working, or only social media users, but not both at the same time.
What do I need to change for this to work?
I am using Auth0 lock 10.14.0 from the Auth0 CDN, and the source code for my authentication service is here: https://github.com/canonn-science/CanonnApi/blob/auth0-api/CanonnApi.Frontend/src/app/services/api/authentication.service.ts
Update: For the social media accounts I get an authorization error, and the message is "Nonce does not match."
I thought the nonce would be handled by Auth0 lock transparently? Do I have to manage that manually now?
Additional info: The nonce that is sent with the request to the /authorize endpoint is the same that is returned within the id_token. It is also the same as the value that Auth0 lock stores in the browser's local storage under the key com.auth0.auth./.
Update 2: I went on and tried to handle the nonce myself. I created a new nonce and set it in the lock options like this:

    var lockOptions = {
      oidcConformant: true,
      autoclose: true,
      auth: {
        responseType: 'id_token token',
        params: {
          nonce: 'nonce_here', // my own nonce value, generated before showing the lock
          scope: 'openid',
        },
      },
    };
I can confirm that the nonce I set there is correctly transferred to the /authorize endpoint, and again it is the same value that is returned in the id_token. However, I still get the message "Nonce does not match." in the error event.