How do I get id_token instead of access_token

imsam67 · December 10, 2018, 8:19pm

I’m implementing Auth0 authentication in a new Expo/React Native app following this example:

The only thing I changed is the scope: 'openid profile' which in the example is scope: 'openid name' though I also tried it with the code in the example.

As you can see in the following screen shot, I’m getting an access_token instead of id_token.

Here’s the code to authenticate with Auth0:

_loginWithAuth0 = async () => {
    const redirectUrl = AuthSession.getRedirectUrl();
    console.log(`Redirect URL (add this to Auth0): ${redirectUrl}`);
    const result = await AuthSession.startAsync({
      authUrl: `${auth0Domain}/authorize` + toQueryString({
        client_id: auth0ClientId,
        response_type: 'token',
        scope: 'openid profile',
        redirect_uri: redirectUrl,
      }),
    });
    console.log(result);
    if (result.type === 'success') {
      this.handleParams(result.params);
    }
  }

I tried changing the response_type to token id_token but throws an error saying configuration error.

How do I get an id_token?

charsleysa · December 11, 2018, 1:36am

Hi @imsam67

To get the id_token as well you need to update the response_type parameter to token id_token.

Hope this helps!

imsam67 · December 11, 2018, 5:20am

Thanks for your response but as I stated in the original post, setting response_type to token id_token throws an error – see below:

charsleysa · December 11, 2018, 5:50am

Hi @imsam67

Sorry, I missed that line.

If you are wanting only the id_token and not an access_token you should be able to use response_type: 'id_token' (relevant docs).

With token id_token not working, your Auth0 logs in the Management dashboard should provide some more insight, most likely you are missing a config in your Application somewhere.

imsam67 · December 11, 2018, 6:33am

Thanks again for your response. Here’s what I’m seeing in the logs:

charsleysa · December 11, 2018, 6:52am

Ah I see, missed the part of the doc that says “It is required for response_type=id_token token .” for the nonce parameter.

If you generate a random string and pass that through in the nonce parameter you should fix your issue.

imsam67 · December 11, 2018, 2:04pm

I found this documentation about how to generate it but not sure how I send it: Mitigate Replay Attacks When Using the Implicit Flow

Does it go as a query string parameter like client_id, response_type, scope, etc.? If so, is the param nonce?

charsleysa · December 11, 2018, 10:14pm

Hi @imsam67

Yes it goes into the query string with the parameter name of nonce.

Just as a side note, the Auth0.js library handles a lot of these details for you. My recommendation is to use that library unless you have a reason not to as Auth0 keeps it up to date and makes authentication easier for the developer.