Dropdown dependency on Hosted UI Universal Login Page

Vandit · March 25, 2020, 7:45am

I have created 2 additional Select fields in Hosted Login page of Universal Login, called Client and Project. Both of these are populated from API calls, written in jQuery. When I select a particular value in Client field, I need to repopulate Project field options with new API call based on value selected in Client.

I am able to populate Project initially, but it’s not repopulating automatically when options associated with it are changed.

Below is the custom jQuery code:

$(document).ready(function(){
//Bind Click event when Log In is flipped to Sign Up
      $('.auth0-lock-content-wrapper').click(function() { 
          $('#1-Project').unbind('click');
          $('#1-Project').click(function() {
            
            ClientName = $('#1-Client').val();
            if (ClientName == 'Choose your Client') {
              ClientName='All';
            }
           //Need to rebind Projects - Projectoptions variable is rebound but select list if not
            ApiCallProject(URL)
          });
   		});
    });
    
//Bind Client Dropdown - Working
    function ApiCallClient(ActionUrl) {
      var data = '';
    	$.ajax({
          	async:false,
            type: 'get',
            url: ActionUrl,
       			contentType: "application/json",
            dataType: 'json',
          	success: function (result) {
                    data = result;
            }
      })
      return data;
    }
    
//Bind Projects. Works perfectly on initial binding
    function ApiCallProject(ActionUrl) {
      var data = '';
    	$.ajax({
          	async:false,
            type: 'get',
            url: ActionUrl + "&ClientName=" + ClientName,
       			contentType: "application/json",
            dataType: 'json',
          	success: function (result) {
                    Projectoptions = result;
            }
      })
    }

Additional Options in Universal Login:

{
      type: "select",
      name: "Client",
      placeholder: "Choose your Client",
      options: function (cb) {
        var options = ApiCallClient(URL)
        cb(null,options);
      },
      icon: "https://i.ibb.co/Z6wKb4L/Proj-Client.png",
      prefill: "",
      validator: function(address) {
        return {
          valid: address.length >=1,
          hint: "Please select Client Name"
          };
      }
    },
    {                        
      type: "select",
      name: "Project",
      placeholder: "Choose your Project",
      options: function (cb) {
          ApiCallProject(URL)
        cb(null,Projectoptions); //When Projectoptions change. I need this to be re-bound
      },
      icon: "https://i.ibb.co/Z6wKb4L/Proj-Client.png",
      prefill: "",
      validator: function(address) {
        return {
          valid: address.length >=1,
          hint: "Please select Project Name"
          };
      }

mathiasconradt · March 25, 2020, 11:07am

That sounds more like a generic Javascript / JQuery question about event listener handling that should go on Stackoverflow.com.

But one thing sticks out in your posting:

Both of these are populated from API calls, written in jQuery.

It sounds that this isn’t a secured API, since you call it in the Hosted ULP and that’s all client-side code. Or, in case you’re using an API key of some sort, that isn’t secure in client-side JS code.
So, anybody that can access the login page will be able to see the entire list of all your clients and all the projects. Is that intentional? Smells like data privacy issues.

Vandit · March 25, 2020, 4:15pm

My basic requirement is that I want all the users who get to the sign up page, to select their client and project from 2 dropdowns along with standard Username and Password provided. The complete list of clients and projects is stored in my database, on a server. When the user selects a client, I want the list of Projects to be refreshed with Projects that are associated with selected client (again the same database). Should this be done in another way? I am pretty new to Auth0 and didn’t find anything and hence went with client-side coding.

I complete agree that the question definitely pertains to general jQuery but I am able to refresh my ProjectOptions list (in the original question code). The ProjectOptions list that has been passed on Projects in cb(null,ProjectOptions) doesn’t get updated though…

mathiasconradt · March 25, 2020, 4:23pm

No problem, and yes, I already understood the requirements.

Should this be done in another way?

I would say so. Otherwise, as mentioned in my previous reply, it would expose the entire client and project list to anybody in public.

There was a similar question, but it refers to the login rather than the signup, where I described 4 different options.

What’s not 100% clear: is that signup entirely open for anybody, so anybody can signup for any client and/or project?
And why does the user need to choose client/project at signup in the first place? If a user signs up for multiple clients/projects, does that require a separate signup with different credentials, or can he re-use the same for all clients/projects?

Maybe the linked thread above already answers the question or gives you an idea of another approach.

Vandit · March 25, 2020, 4:39pm

Thanks for the link! I will go through it.

The reason I need Client and Project:
We have 5 applications that will user Auth0 as SSO. Based on Client, Project, and User Role assigned to user the user will or will not have access to an application.
So, when the user signs up, he selects the Client and Project he belongs to (these are all internal applications). With this, in combination with the role that an admin assigns to him, he may have access to Application 1 but not to Application 2, which would be handled through Rules.

The Rules part is not completely ready yet though and have a query there as well which I have posted in another question

mathiasconradt · March 25, 2020, 4:43pm

With this, in combination with the role that an admin assigns to him

When does the admin assign the role to the user, and how? Within Auth0 via RBAC, or externally? Does the assignment happen after or before the signup?

Vandit · March 25, 2020, 4:49pm

Role assignment is not part of Signup. User doesn’t select his role, he gets one assigned (based on his email ID).

About how the role gets assigned, I don’t have a complete answer as of now as we are not finalized on a approach but it could with rules or Management API or straight away assigning from Roles tab in User and Roles section or maybe a combination of all of these. In all of these cases though, Roles basically mean Role in User & Roles section and would be accessed through context.authorization.Roles in Rules.

mathiasconradt · March 26, 2020, 7:14am

From all the descriptions above, I don’t think this client/project selection belongs into the signup but more the signin process.

That’s a typical scenario that can be handled well by Rules alone. The best approach for this is as described in that other linked thread.