
Auth0 and adherence to OAuth2 standard for authentication

auth0
no-redirect
auth0-lock

#1

My question is related to https://auth0.com/forum/t/ember-auth0-lock-always-popup-mode-never-redirect/5635 .
In that topic, BenjaminH explains the following about the lock widget:

The lock-widget will always appear as something looking like a pop-up over your application. Only when submitting the login data it’s submitting it directly to Auth0 and then redirecting back to your application’s callback URL.

Now, using the lock widget seems like the incorrect approach to me. The user does not know that he/she is redirected to a trusted third-party STS. The user just sees the lock widget, but should NOT be entering credentials there. The OAuth standard clearly requires a redirect to a trustable login screen. It is not encouraged to train users to enter their credentials in just any widget window.

How can I configure the widget (or should I then not use the widget?) to do a full redirect to Auth0, so the user can authenticate on that page, before redirecting back to my app?


#2

Good point. You can simply redirect to Auth0 (https://your_account.auth0.com/authorize…). And then use the hosted login page: https://manage.auth0.com/#/login_page
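
The full-redirect flow suggested in the reply above, sketched as an added example that is not part of the original thread or Auth0's own code: the app builds the `/authorize` URL with a random `state`, sends the browser there, and checks `state` on the callback before using the result. The client ID, callback URL, scope and the use of `response_type=code` are assumptions; the tenant name is the placeholder from the reply.

```javascript
// Added example. Browser code uses globalThis.crypto; the fallback is for older Node.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

const AUTH0_DOMAIN = 'your_account.auth0.com';            // placeholder tenant from the thread
const CLIENT_ID = 'YOUR_CLIENT_ID';                       // placeholder, assumption
const CALLBACK_URL = 'https://app.example.com/callback';  // constructed, assumption

// 128 bits of randomness, hex encoded; binds the callback to this login attempt.
function randomState() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// URL the app navigates to, so credentials are typed on the Auth0-hosted page only.
function buildAuthorizeUrl(state) {
  const url = new URL(`https://${AUTH0_DOMAIN}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: CLIENT_ID,
    redirect_uri: CALLBACK_URL,
    scope: 'openid profile',
    state,
  }).toString();
  return url.toString();
}

// Length check plus XOR accumulation, so the comparison does not stop at the first mismatch.
function sameString(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Reject the callback unless it carries the state this browser session generated.
function handleCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get('error')) return { ok: false, reason: params.get('error') };
  const state = params.get('state') ?? '';
  if (!expectedState || !sameString(state, expectedState)) {
    return { ok: false, reason: 'state_mismatch' };
  }
  const code = params.get('code');
  return code ? { ok: true, code } : { ok: false, reason: 'missing_code' };
}
```

In a browser, the app would keep the value from `randomState()` in `sessionStorage`, call `window.location.assign(buildAuthorizeUrl(state))`, and pass the stored value to `handleCallback` when the callback page loads.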


#3