GDPR: Track Consent with Lock Problem

I am trying to implement Version 3 of “Track Consent with Lock” as described in:

https://auth0.com/docs/compliance/gdpr/features-aiding-compliance/user-consent/track-consent-with-lock

Version 3 uses Redirect rules and is meant to work also with social login. I used exactly the rule specified there:

  function redirectToConsentForm (user, context, callback) {
  var consentGiven = user.user_metadata && user.user_metadata.consentGiven;

  // redirect to consent form if user has not yet consented
  if (!consentGiven && context.protocol !== 'redirect-callback') {
    var auth0Domain = auth0.baseUrl.match(/([^:]*:\/\/)?([^\/]+\.[^\/]+)/)[2];

    context.redirect = {
      url: configuration.CONSENT_FORM_URL +
        (configuration.CONSENT_FORM_URL.indexOf('?') === -1 ? '?' : '&') +
        'auth0_domain=' + encodeURIComponent(auth0Domain)
    };
  }

  // if user clicked 'I agree' on the consent form, persist it to their profile
  // so they don't get prompted again
  if (context.protocol === 'redirect-callback') {
    if (context.request.body.confirm === 'yes') {
      user.user_metadata = user.user_metadata || {};
      user.user_metadata.consentGiven = true;
      user.user_metadata.consentTimestamp = Date.now();

      auth0.users.updateUserMetadata(user.user_id, user.user_metadata)
        .then(function(){
          callback(null, user, context);
        })
        .catch(function(err){
          callback(err);
        });
    } else {
      callback(new UnauthorizedError('User did not consent!'));
    }
  }

  callback(null, user, context);
}

and defined CONSENT_FORM_URL as https://wt-peter-auth0_com-0.run.webtask.io/simple-redirect-rule-consent-form

However, when using e.g. google login I get the error message:

I can see that the above function is called with reasonable values for user and context.

What could be the problem?

Solved: I was able to get around the problem by creating my own webtask as proposed in

Fantastic work, Thanks for sharing the solution!

It seems that I cheered a bit too early. For social logins via facebook and google everything works fine now (consent tracking such, that consent needs only to be given once as intended). However, for database login I now get an “Failed cross origin authentication” error (see below) and I can neither register nor login that way. If I disable the redirect-rule, database login works again, but then I have no more consent tracking.

Perhaps someone can spot the problem in my log message (IDs edited)

{
  "date": "2018-12-17T18:25:17.526Z",
  "type": "fcoa",
  "description": "External interaction required",
  "connection_id": "",
  "client_id": "xxxxxxLkzJQ3F7bUfEL0ZpL2",
  "client_name": "myapp",
  "ip": "62.143.219.000",
  "user_agent": "Firefox 64.0.0 / Ubuntu 0.0.0",
  "details": {
    "body": {},
    "qs": {
      "client_id": "xxxxxxx",
      "response_type": "token",
      "redirect_uri": "https://p.myapp.de/home",
      "scope": "openid profile email",
      "state": "xxxxx",
      "realm": "Username-Password-Authentication",
      "login_ticket": "xxxxx",
      "response_mode": "web_message",
      "prompt": "none",
      "auth0Client": "xxxxx"
    },
    "connection": "Username-Password-Authentication",
    "error": {
      "message": "External interaction required",
      "oauthError": "interaction_required",
      "type": "oauth-authorization"
    },
    "session_connection": "Username-Password-Authentication"
  },
  "hostname": "myapp.auth0.com",
  "user_id": "auth0|xxxxxxxx",
  "user_name": "xx@power.ms",
  "audience": "https://myapp.auth0.com/userinfo",
  "scope": [
    "openid",
    "profile",
    "email"
  ],
  "log_id": "xxxxxxxxx",
  "isMobile": false
}

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.