Hi, I am currently working on implementing a signup process on our company web app. We already use the Google social login without any issues. Under the hood we are using the auth0-spa-js library, in particular the loginWithRedirect method.
When we sign up we are passing the screen_hint to show the signup page on the universal login. This seems to work, but after we sign up and land on the consent screen, we are missing some of the consents. This happens intermittently.
Thank you for getting back to me. I’ll outline the steps we are taking as well as the actual vs expected responses below.
We are using both signup via a connected DB (this is one hosted by yourselves) and the login with google social connection.
When logging in we are redirected to Auth0’s domain, where we can select Google and are redirected to Google’s domain to provide email and password. Once Google is happy we are sent back to Auth0 and are shown a consent screen with the scopes that were passed from our original request.
When using social login this all works as expected. However, when we try to sign up (using the connected DB) we encounter 2 issues. The first issue is that after entering an email and password we are redirected to the consent screen, and sometimes the consent screen is missing one or more of the scopes we had originally passed in the request.
When we click allow we are sent to the /callback?error=server_error... url on our own domain.
When we try to sign up again, Auth0 detects that we are already authenticated and sends us straight to the consent screen. This time we see what we expected to see on the first attempt. See image below.
It seems to me that during the signup process we are losing the scopes that we pass and getting an error, and it is unclear what could be causing this issue. As I mentioned in my original message, this loss of scopes on the consent screen (after signup) happens intermittently.
The second issue is that when we sign up with an email address and are authenticated, we get a token with what appears to be an error in the user data. See the following image.
Hi @dan.woda, we are not particularly concerned about showing the consent screen either way.
What we are trying to understand is why the scopes that we pass to the /authorize endpoint are sometimes not showing up when we land on the consent screen as shown in the 2 images I attached.
It seems these scopes are sometimes lost during signup.
Looking at the data in local storage we can see the scopes property does have the correct scopes defined in the value. But this is only after we initially get redirected to the /callback?error=server_error url and then try to signup again. It seems that we authenticated successfully the first time as we do not see the signup page again, instead we go straight to the consent page which displays the correct scopes.
After this everything works as expected. But we obviously cannot have users signup twice.
On a separate note, when we enter the signup page and choose to continue with Google, we are returned after providing consent on Google’s domain with a token that causes an error with our APIs. This error states that we do not have the correct scope for this endpoint. If we then log out and log in again we get a new token that now works with the same API.
I can see these scopes applied to the user in the dashboard.
It seems on our end that when we sign up with email and password we sometimes need to reauthenticate, as the scopes are sometimes lost by the time we get to the consent screen and an error sends us back to our callback?error=server_error url.
As for the Google social login, we don’t even see an Auth0 consent screen, and need to reauthenticate with Auth0 to get a token that has the correct scopes.
Can you please post the code you are using to initialize the request to authenticate? Also, can you please DM me a HAR of the transaction that is missing scopes?
To be transparent, it’s difficult to understand what you’re describing. There is a lot going on and I don’t have the same context you do. Screen shots, screen recordings, code snippets, etc. are very helpful. Let’s try to nail down one issue at a time; first, let’s see about this scopes issue.
The first thing I notice here is that you are passing approval_prompt:"force". This is not necessary unless you have a specific requirement for it, and will cause the Google and Auth0 consent prompts to show on every authentication.
Do the tokens have the correct scopes? The HAR you sent doesn’t include the whole transaction and I can’t see the tokens.
Thanks for sending those over (It looks like the tokens are still missing in those files).
Could you please answer this question:
Do the tokens have the correct scopes?
Also, if you are still seeing the auth0 consent prompt, it is because you are developing on localhost, as I mentioned above.
I’m also seeing an "Unable to correlate completed consent." error, which occurs when you are prompted to consent again. It looks like we can avoid this by simply not showing the Auth0 consent prompt, which seems to be the main issue here in my opinion.
To confirm: We do not get the correct scopes in the token.
But this only happens with the first token that is returned. If we re-fetch tokens after signup we get the correct tokens.
Also, we have tried without the consent screen and still have the same issues as explained above.
We have implemented a hacky solution for the time being which will automatically send the user back to auth0 if an error is returned from our APIs. But we would like to get to the bottom of this.
I’ll send over some more HARs so you can take a look
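The thread turns on one question, whether the first token returned after signup carries the scopes that were requested. Below is an added example, not code from the thread or from auth0-spa-js, that compares the `scope` claim of a returned access token with the scopes the app requested, so a short token is caught before it reaches an API rather than after the API rejects it. It assumes the access token is a JWT with a space-separated `scope` claim (Auth0 issues such tokens when an API `audience` is requested); the function names and the sample token are constructed for the demo.

```javascript
// Added example (not from the thread or the auth0-spa-js library):
// detect an access token that came back with fewer scopes than the
// loginWithRedirect request asked for, before any API call is made.
// Assumption: the token is a JWT whose payload carries a space-separated
// `scope` claim. This reads claims only; signature verification is the
// job of the API that receives the token, not of this client-side check.

// Scopes the app passes in the /authorize request (demo values).
const REQUESTED_SCOPES = ['openid', 'profile', 'email', 'read:orders'];

// Decode one base64url-encoded JWT segment to a UTF-8 string.
function decodeSegment(segment) {
  return Buffer.from(segment, 'base64url').toString('utf8');
}

// Return the requested scopes that are absent from the token's `scope` claim.
function missingScopes(accessToken, requested) {
  const parts = accessToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const claims = JSON.parse(decodeSegment(parts[1]));
  const granted = new Set((claims.scope || '').split(' ').filter(Boolean));
  return requested.filter((s) => !granted.has(s));
}

// True when the app should re-run the authorize request instead of
// using this token against its APIs.
function needsReauth(accessToken, requested) {
  return missingScopes(accessToken, requested).length > 0;
}

// Build an unsigned demo token (CONSTRUCTED, alg "none", empty signature).
function demoToken(scope) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'auth0|demo', scope })}.`;
}

// A short token like the one described after the first signup attempt...
const shortToken = demoToken('openid profile email');
// ...and a complete one like the token obtained after re-fetching.
const fullToken = demoToken('openid profile email read:orders');

console.log(missingScopes(shortToken, REQUESTED_SCOPES)); // ['read:orders']
console.log(needsReauth(fullToken, REQUESTED_SCOPES));   // false
```

Running this check right after handleRedirectCallback lets the app decide up front whether to send the user back through loginWithRedirect, instead of waiting for an API error to trigger that.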