We created an SPA with our own look and feel for the login part (NOT based on Lock, as we needed more customization than that); we wanted OIDC conformance (because it is future proof) and the ability to renew tokens (for security purposes, our tokens have a short lifetime, so we have to renew them).
In order to be able to renew tokens, we had to split our SPA code so that the login part is served on the Auth0 server, by injecting part of our code (CSS, JS) into a Custom Hosted Login Page (HLP). We get the config from a global we create from @@config@@, then inject the relevant part of it into our original Auth0.js code. This part, serving our own page in a Custom HLP, works as expected.
We at first used webAuth.client.login on the HLP in order to log in, but we would not get back the cookies needed for token renewal to work. Reverse engineering the default custom HLP (which allows us to log in, renew tokens and log out properly with the exact same configuration, just not with our own custom HLP yet) showed us that we needed to hit a different endpoint.
After a process of trial and error, we saw that the call to actually send is webauth.redirect.loginWithCredentials; plus we were pretty sure, and still are, that it was the right API to call, because it is quite explicitly written in the documentation:
However, using webauth.redirect.loginWithCredentials is the correct choice for use in the Hosted Login Page, and is the only way to have SSO cookies set for your users who login using the Hosted Login Page.
We don’t use (yet) the SSO cookies for a real SSO, but we assume this is what allows us to renew the tokens using the default custom HLP.
At this point we then got the:
access_denied: Password login is disabled for clients using externally hosted login pages with oidc_conformant flag set.
Having read somewhere in the docs that the auth0/lock lib available on the HLP is a little bit different, we changed our webpack config to just wrap the lib served from the auth0 CDN, to load it the same way it is done in the default Custom hosted login page template.
However, we still had the same error.
According to http://community.auth0.com/questions/8324/cant-login-using-emailpassword, this is probably a configuration issue (yet we do NOT use Lock and do NOT want to use it), but we are stuck now. What should we do?
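For readers following the setup described above, here is an added example (not code from the original post or from Auth0) of how a custom Hosted Login Page typically decodes the @@config@@ placeholder into auth0.WebAuth options and then hands the credentials to the webauth.redirect.loginWithCredentials call the post names. The config field names (auth0Domain, clientID, callbackURL, internalOptions, extraParams, authorizationServer) follow the default HLP template as I recall it and are assumptions, and the sample config value is constructed for the demo; this does not resolve the access_denied error reported above.

```javascript
// Added example (not from the original post): decoding @@config@@ on a custom
// Hosted Login Page and calling webAuth.redirect.loginWithCredentials with it.
// Field names follow the default HLP template (assumption); the sample value
// below is constructed here, since Auth0 substitutes the real one server-side.

function base64ToUtf8(b64) {
  // Browser: atob; Node fallback: Buffer. Then undo UTF-8 byte escaping, like
  // the template's decodeURIComponent(escape(atob(...))) idiom.
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return decodeURIComponent(Array.from(bin, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join(''));
}

function utf8ToBase64(str) {  // inverse of the above, only used to build the demo value
  const bytes = encodeURIComponent(str).replace(/%([0-9A-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
  return typeof btoa === 'function' ? btoa(bytes) : Buffer.from(bytes, 'binary').toString('base64');
}

// Decode the injected config and map it to auth0.WebAuth constructor options.
// internalOptions (responseType, scope, audience, ...) override the defaults.
function webAuthOptionsFromConfig(configPlaceholder) {
  const config = JSON.parse(base64ToUtf8(configPlaceholder));
  const params = Object.assign({
    overrides: { __tenant: config.auth0Tenant, __token_issuer: config.authorizationServer.issuer },
    domain: config.auth0Domain,
    clientID: config.clientID,
    redirectUri: config.callbackURL,
    responseType: 'code'
  }, config.internalOptions);
  return { config, params };
}

// Constructed sample: what @@config@@ might decode to for an SPA asking for OIDC tokens.
const SAMPLE_CONFIG = utf8ToBase64(JSON.stringify({
  auth0Domain: 'example.auth0.com', auth0Tenant: 'example', clientID: 'CLIENT_ID_PLACEHOLDER',
  callbackURL: 'https://app.example.com/callback',
  authorizationServer: { issuer: 'https://example.auth0.com/' },
  internalOptions: { responseType: 'token id_token', scope: 'openid profile', audience: 'https://api.example.com' },
  extraParams: { connection: 'Username-Password-Authentication' }
}));

// The login path the post describes: build WebAuth from the config and hand the
// credentials to webAuth.redirect.loginWithCredentials (needs auth0.js loaded on the page).
function loginFromHostedPage(configPlaceholder, username, password) {
  const { config, params } = webAuthOptionsFromConfig(configPlaceholder);
  if (typeof auth0 === 'undefined') return params;  // outside a browser with auth0.js: just return the options
  const webAuth = new auth0.WebAuth(params);
  webAuth.redirect.loginWithCredentials({
    connection: config.extraParams.connection, username, password, scope: params.scope
  });
  return params;
}
```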