I’ve been using a popup login dialog, in a SPA Angular 1 app, for a while.
The code has been a bit like this:
```js
lockProvider.init({
  clientID: AUTH0_CLIENT_ID,
  domain: AUTH0_DOMAIN,
  options: {
    oidcConformant: true,
    autoclose: true,
    auth: {
      responseType: 'token id_token',
      audience: AUTH0_AUDIENCE,
      redirectUrl: AUTH0_CALLBACK_URL
    }
  }
});
```
After accidentally updating to lock v10.22.0 (my bower.json file was set to allow minor updates), this broke for all my users.
There isn’t any mention in the release page, but I’ve seen a response on GitHub to someone else who had the same problem. Essentially, from 10.22.0 the behaviour was changed to forbid the config I’d been using.
This sort of surprise unannounced change is hugely frustrating and disruptive.
(Yes, I know I screwed up by allowing a minor update without realising, but still… this sort of major behaviour change - making what was a working login page into a completely broken login page - doesn’t seem to be a reasonable expectation for an update from v10.21.1 to v10.22.0)
I’ve pinned my dependency to use a pre-v10.22.0 version for now, until I have time to figure out the new way to implement this.
In the meantime, it might be helpful to update the documentation at Applications in Auth0
Specifically:
> The “OIDC Conformant” flag will force all of these changes at the same time for a given client, but it’s not the only option to gradually transition to the OIDC-conformant authentication pipeline. Any authentication requests made with an audience parameter will use the new pipeline, and all other requests will continue to work as usual.
As far as I can see, it’s no longer possible to use the audience parameter if you don’t set oidcConformant to true. If you try you get this error:

> It is not possible to use the auth.audience option when the oidcConformant flag is set to false