Consent screen missing some permissions intermittently

Hi, I am currently working on implementing a signup process on our company web app. We already use the google social login without any issues. Under the hood we are using the auth0-spa-js library, in particular the loginWithRedirect method.

When we sign up we are passing the screen_hint to show the signup page on the universal login. This seems to work, but after we sign up and land on the consent screen, we are missing some of the consents. This happens intermittently.

Can someone assist?

Hi @rk1,

Welcome to the Auth0 Community!

Do you want to show the Auth0 Consent Prompt? Usually, this is only shown if your application is a third-party app.

Developing on localhost can also trigger it, but can be avoided by following the steps outlined in this doc:

If you do want to show it, can you please share the request you are making and an example of what is being shown?

Hi Dan

Thank you for getting back to me. I’ll outline the steps we are taking as well as the actual vs expected responses below.

We are using both signup via a connected DB (this is one hosted by yourselves) and the login with google social connection.

When logging in we are redirected to Auth0’s domain, where we can select Google and are redirected to Google’s domain to provide email and password. Once Google is happy we are sent back to Auth0 and are shown a consent screen with the scopes that were passed from our original request.

When using social login this all works as expected. However when we try to signup (using the connected DB) we encounter 2 issues. The first issue is that after entering an email and password we are redirected to the consent screen, and sometimes the consent screen is missing one or more of the scopes we had originally passed in the request.

[Screenshot: Scopes passed to the /authorize endpoint]


[Screenshot: The consent screen we see]

When we click allow we are sent to the /callback?error=server_error... url on our own domain.

When we try to sign up again, Auth0 detects that we are already authenticated and sends us straight to the consent screen. This time we see what we expected to see on the first attempt. See image below.

It seems to me that during the signup process we are losing the scopes that we pass and getting an error, and it is unclear what could be causing this issue. As I mentioned in my original message, this loss of scopes on the consent screen (after signup) happens intermittently.

The second issue is that when we sign up with an email address and are authenticated, we get a token with what appears to be an error in the user data. See the following image.


[Screenshot: local storage data]

This only happens with users we sign up via email. The users with Google social authentication work just fine.

Any information or direction here would be greatly appreciated as we are stuck where to go from here or how to debug either of these issues.

An update

We have managed to fix the second issue regarding the error object in the token. This was caused by us.

The first issue regarding the scopes and consent screen is still ongoing.

@dan.woda any thoughts? This is currently affecting users on our end

Do you want to show the Auth0 Consent Prompt? Usually, this is only shown if your application is a third-party app.

Hi @dan.woda, we are not particularly concerned about showing the consent screen either way.

What we are trying to understand is why the scopes that we pass to the /authorize endpoint are sometimes not showing up when we land on the consent screen as shown in the 2 images I attached.

It seems these scopes are sometimes lost during signup.

It’s likely unnecessary, unless you are explicitly using 3rd party apps. You can disable it via the doc that I linked initially.

Do the tokens you are issued have the correct scopes?

@dan.woda

Looking at the data in local storage we can see the scopes property does have the correct scopes defined in the value. But this is only after we initially get redirected to the /callback?error=server_error url and then try to signup again. It seems that we authenticated successfully the first time as we do not see the signup page again, instead we go straight to the consent page which displays the correct scopes.

After this everything works as expected. But we obviously cannot have users signup twice.


On a separate note, when we enter the signup page and choose to continue with Google, we are returned after providing consent on Google’s domain with a token that causes an error with our APIs. This error states that we do not have the correct scope for this endpoint. If we then log out and log in again we get a new token that now works with the same API.

I can see these scopes applied to the user in the dashboard.


It seems on our end that when we signup with email and password we sometimes need to reauthenticate again as the scopes are sometimes lost by the time we get to the consent screen and an error sends us back to our callback?error=server_error url.

As for the Google social login, we don’t even see an Auth0 consent screen, and need to reauthenticate with Auth0 to get a token that has the correct scopes.

@rk1,

Can you please post the code you are using to initialize the request to authenticate? Also, can you please DM me a HAR of the transaction that is missing scopes?

To be transparent, it’s difficult to understand what you’re describing. There is a lot going on and I don’t have the same context you do. Screen shots, screen recordings, code snippets, etc. are very helpful. Let’s try to nail down one issue at a time; first, let’s see about this scopes issue.

@dan.woda

Thanks for getting back and sorry for the delay (long weekend). I have sent you a DM with the HAR attached.

Please see the code below (we are using redux-saga).

import { call } from "redux-saga/effects";

// auth0Client is the instance returned by createAuth0Client(...) at app startup.
function* signupSaga() {
  yield call(
    // pass { context, fn } so `this` inside loginWithRedirect is the client
    { context: auth0Client, fn: auth0Client.loginWithRedirect },
    {
      appState: {
        targetUrl: "/register/...", // restored by the app after the callback
      },
      // extra /authorize parameters passed through to the Google connection
      access_type: "offline",
      approval_prompt: "force",
      // extra scopes requested from the upstream IdP, not from Auth0
      connection_scope: "https://www.googleapis.com/auth/drive",
      screen_hint: "signup", // open Universal Login on the signup page
      // scopes requested from Auth0 itself
      scope: "openid profile curriculum progress offline_access",
    }
  );
}

@rk1,

The first thing I notice here is that you are passing approval_prompt:"force". This is not necessary unless you have a specific requirement for it, and will cause the Google and Auth0 consent prompts to show on every authentication.

Do the tokens have the correct scopes? The HAR you sent doesn’t include the whole transaction and I can’t see the tokens.

@dan.woda

I have removed the approval_prompt and we still have the same issues. I have sent an updated HAR for you to take a look at.

@rk1,

Thanks for sending those over (It looks like the tokens are still missing in those files :thinking: ).

Could you please answer this question:

Do the tokens have the correct scopes?

Also, if you are still seeing the Auth0 consent prompt, it is because you are developing on localhost, as I mentioned above.

I’m also seeing an "Unable to correlate completed consent." error, which occurs when you are prompted to consent again. It looks like we can avoid this by simply not showing the Auth0 consent prompt, which seems to be the main issue here in my opinion.

@dan.woda

To confirm: We do not get the correct scopes in the token.

But this only happens with the first token that is returned. If we re-fetch tokens after signup we get the correct tokens.

Also, we have tried without the consent screen and still have the same issues as explained above.

We have implemented a hacky solution for the time being which will automatically send the user back to auth0 if an error is returned from our APIs. But we would like to get to the bottom of this.

I’ll send over some more HARs so you can take a look

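Dan asks repeatedly whether the issued tokens actually carry the requested scopes, and rk1 ends up with a workaround that sends the user back to Auth0 when the API rejects the token. The following is an added example, not code from this thread or from auth0-spa-js, showing how a client can answer both questions itself before calling its API: it reads the `scope` claim out of a JWT access token and compares it with the scopes the API needs, and it inspects the redirect URL for the `?error=server_error` case. The sample tokens and the `decideNextStep` / `missingScopes` names are constructed for illustration; the payload decode does no signature verification, which must stay at the API.

```javascript
// Added example (not from the thread or auth0-spa-js): check the token and the
// callback URL that come back from loginWithRedirect before trusting them.

function base64UrlDecode(input) {
  let b64 = input.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4) b64 += "=";
  return typeof Buffer !== "undefined"
    ? Buffer.from(b64, "base64").toString("utf8")
    : atob(b64);
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== "undefined"
    ? Buffer.from(str, "utf8").toString("base64")
    : btoa(str);
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Read the payload claims of a JWT. This does NOT verify the signature; the
// client only uses it to decide whether to re-authenticate. Opaque tokens
// (no audience requested) cannot be inspected this way and make it throw.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("token is not a JWT; inspect scopes at the API instead");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Scopes from `required` that are absent from the token's space-separated
// `scope` claim. An empty array means every required scope was granted.
function missingScopes(token, required) {
  const claim = decodeJwtPayload(token).scope || "";
  const granted = new Set(claim.split(/\s+/).filter(Boolean));
  return required.filter((s) => !granted.has(s));
}

// Parse the error Auth0 appends to redirect_uri when the transaction fails
// (the /callback?error=server_error case). Null when there is no error.
function parseCallbackError(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get("error");
  if (!error) return null;
  return { error, description: params.get("error_description") || "" };
}

// What the app should do once the redirect has completed.
function decideNextStep(callbackUrl, accessToken, required) {
  const err = parseCallbackError(callbackUrl);
  if (err) return { action: "login_again", reason: err.error };
  let missing;
  try {
    missing = missingScopes(accessToken, required);
  } catch (e) {
    return { action: "unknown", reason: e.message };
  }
  if (missing.length) {
    return { action: "login_again", reason: "missing " + missing.join(" ") };
  }
  return { action: "proceed", reason: "" };
}

// Constructed sample tokens: unsigned, with a placeholder signature segment.
function sampleToken(scope) {
  const header = base64UrlEncode(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const payload = base64UrlEncode(JSON.stringify({ sub: "auth0|example", scope }));
  return header + "." + payload + ".sig";
}

// The two API scopes from the thread's /authorize request (assumed names).
const API_SCOPES = ["curriculum", "progress"];
const goodToken = sampleToken("openid profile curriculum progress offline_access");
const badToken = sampleToken("openid profile");

console.log(decideNextStep("https://app.example/callback?code=abc", goodToken, API_SCOPES));
console.log(decideNextStep("https://app.example/callback?code=abc", badToken, API_SCOPES));
```

Comparing the `scope` claim client-side only tells the app whether to send the user back through `loginWithRedirect`; the API must still verify the signature and enforce its own scope check, since a client can present any token it likes.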