Auth0 Home Blog Docs

expires_at and id_token undefined (Lock 10 authentication)



I have followed the examples and successfully used Lock 10 with the following configuration:

const options = {
  closable: false,
  theme: {
    logo: 'xx',
    primaryColor: 'xx',
  languageDictionary: {
    title: 'xx',
  auth: {
    params: {
      scope: 'openid profile email',
      audience: ``,
  responseType: 'token',

const lock = new Auth0Lock(

when .on("authenticated") fires, the authResult does not have an expires_at or id_token, which I need to check whether or not a user is authenticated (or expired) next time they return to the site.


There are a couple of things worth mentioning here, to my knowledge, the audience parameter in Lock 10 latest also requires oidcConformant to be set to true. Given the latter is only formally supported in Lock 10.22 then if you really need this you need to ensure to use that version.

Having said that the audience parameter is also documented to be at the root of the auth object and not within the params object so technically that configuration even if updated with the OIDC toggle would not be correct.

In addition, to be according to the OIDC specification if you want an ID token to be returned as part of an implicit grant then you need to include id_token as a response type. At one point in time (aka the legacy flows) you could get away with just including token and an ID token would still get returned, however, you should not be depending on that.

In conclusion, if you want to use Lock embedded in your own client application instead of using the hosted login page (which is the ultimate recommended approach) then you need to read on the use of the oidcConformant option in Lock and cross-origin authentication. Having done that don’t forget to also use responseType: "token id_token".