I have recently purchased an authentication plan from Auth0 as the initial step in developing a web application in which the customers for my organization will eventually be able to place and view their orders. At this point I have created a very primitive web app that uses Node and Express to serve the client a couple of very preliminary webpages, as I wanted to tackle user authentication as the first stage of my application’s development.
For my application, I decided to use Auth0’s hosted Log In page as this was supposed to be:
“the most secure way to easily authenticate users for your applications.”
The application is currently structured so that when started it serves a temporary Home page where potential users have access to a Log In button. This Log In button then takes the user to:
https://adfoam.auth0.com/login?client=Oy40QSA74pvo765skJ4F53LAnoHF8hod
which has been identified as the “LogIn URL” when viewing the Preview tab of Auth0’s documentation about their Hosted Pages. The documentation that I am talking about can be found in the following link:
https://manage.auth0.com/#/login_page
At this point in this process, when I attempt to sign in using the email address and password that I use when logging on to my Auth0 account all works well. However, whenever I try to sign up with a new user I receive an “Oops, something went wrong” webpage from this url:
https://adfoam.auth0.com/login/callback
The webpage states that:
There could be a misconfiguration in the system or a service outage. We track these errors automatically, but if the problem persists feel free to contact us. Please try again.
When the “Technical Details” tab of this page is clicked it provides us with the following information:
access_denied: Password login is disabled for clients using externally hosted login pages with oidc_conformant flag set. TRACKING ID: 2fd21e96f189bf2c6111
Because of this I visited Auth0’s “Client Settings” page for our application:
https://manage.auth0.com/#/clients/Oy40QSA74pvo765skJ4F53LAnoHF8hod/settings
Once on this page, I opened the “OAuth” tab in “Advanced Settings” and toggled the “OIDC Conformant” button off. I then tried to Sign Up for my application with a previously unused Username and Password, and all was well. I was able to Log In to the part of the application that I was unable to visit previously under any username and password other than the one with which I had created the account.
To ensure that I wasn’t compromising the security or usability of the site I then read up on Auth0’s documentation on OIDC Conformance and it became clear to me that:
Any new Auth0 features, examples and documentation moving forward will target only the OIDC-conformant pipeline. All Auth0 SDK versions that depend on the legacy pipeline are deprecated and will not receive updates for new features or non-critical security issues, and will eventually be discontinued.
Because I would like to future-proof how my users Sign Up for and Log In to my application, I want to be able to integrate this OIDC conformance in the simplest and most secure way possible using the “Hosted Log In” page as previously discussed. How do I do this? I can find no clear way to resolve this issue when navigating Auth0’s site.