How to instruct Social Connection context request to use Accept header

bpkennedy · August 31, 2023, 1:37pm

Hello!

I have a Custom Social Connection configured like this: https://i.imgur.com/sheXeoX.png.

When testing I see and accept the Grant page of the third party, and then I am getting to the Fetch User Profile Script. Mine looks like this:

function(accessToken, ctx, cb) {

    return cb(new Error(JSON.stringify(ctx))) // return early to debug object
		
    const profile = {};
      // Call OAuth2 API with the accessToken and create the profile
    request.get(
      {
        url: `https://www.swcombine.com/ws/v2.0/character/Testing%20Character?access_token=${accessToken}`,
      },
      (err, resp, body) => {
        if (err) {
          return cb(err);
        }
        if (resp.statusCode !== 200) {
          return cb(new Error(body));
        }
        let bodyParsed;
        try {
          bodyParsed = JSON.parse(body);
        } catch (jsonError) {
          return cb(new Error(body));
        }
        const profile = {
          user_id: bodyParsed.account.uuid,
          email: bodyParsed.account.email
        };
        cb(null, profile);
      }
    );
  }

I tried logging the accessToken parameter and it appears to be undefined. However when I log the ctx object I see that there is xml instead of json, and on the auth0 test screen the error message is:

{
  "error": "invalid_request",
  "error_description": "{\"<?xml version\":\"\\\"1.0\\\" encoding=\\\"UTF-8\\\"?>\\n<OAuth><access_token>b9ae1d4a6cdb6d8364a0643ce58f7655</access_token><expires_in>3600</expires_in><scope>character_read</scope></OAuth>\\n\",\"options\":{\"scope\":\"character_read\",\"tokenURL\":\"https://www.swcombine.com/ws/oauth2/token/\",\"client_id\":\"e5c1500bf34c3cec3761f3049cbc947e1299c7d8\",\"client_secret\":\"061e0d225e7bb6056901233ae43d37e707dac25e\",\"authorizationURL\":\"https://www.swcombine.com/ws/oauth2/auth/\",\"set_user_root_attributes\":\"on_first_login\",\"store\":{}}}"
}

It seems what is happening is that the third party provider is returning xml instead of json. However, it supports returning json if the Accept header specifies Accept: ‘application/json’. I tried creating a Rule (even if decprecated) to modify the ctx.request.headers[‘Accept’] but I’m not sure that is effective or possible as when I ran the rule test there wasn’t a ‘header’ property on the ctx.request object.

How can I make the request header accept json, or if not how can I convert the xml response to json? The auth0 sandbox doesn’t allow access to window or DOMParser.

Thanks for your time.

marcelina.barycka · September 1, 2023, 10:12am

Hey there and welcome @bpkennedy !

One thing that you can check is if you include the audience parameter in your /authorize request.

audience parameter takes a value of the API identifier you have set in your Auth0 tenant, that you request access to (this way you should get the jwt token instead of an opaque token).

Also, just in case you missed it - the app registered in Auth0 that is calling the API resources should be allowed for this API (for the API in question, please go to the Machine to Machine Applications tab and toggle the Authorized button for the app in question).

Hope this helps - let us know!

bpkennedy · September 2, 2023, 12:09am

Hello, and thank you @marcelina.barycka ! Well, I created this auth0 application as a “Regular Web Application” and not as a “Machine to Machine”. The web application is a Next.js type application. I do not have a separate auth0 API created - only the regular web application.

I’ve also used this nextjs-auth0 package to setup the authentication routes in the Next app. GitHub - auth0/nextjs-auth0: Next.js SDK for signing in with Auth0

bpkennedy · September 2, 2023, 12:58am

Also is it truly an opaque token? The xml response has inside of it:

<access_token>alphaNum</access_token>

That seems like an access token, plain and simple, which I could use to make request for a resource from the third party provider, like:

https://www.swcombine.com/ws/v2.0/character/Testing%20Character?access_token=${accessToken}`

marcelina.barycka · September 4, 2023, 11:43am

Thanks for following up!
In terms of your direct question (adding a custom request header), you should find the below section under your Custom connection → Settings:

https://auth0.com/docs/authenticate/identity-providers/social-identity-providers/oauth2#pass-static-parameters

Let us please know how it goes! Thanks!

bpkennedy · September 5, 2023, 1:47pm

That worked for me! Thank you for your time and help!

system · September 19, 2023, 1:48pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.