In an Angular 4 app, I’m trying to invoke the social provider login the following way:
let url = 'https:///authorize?response_type=token&client_id=' + Config.auth0ClientID +
'&redirect_uri=' + document.location + '&connection=' + providerType + '&state=rmo-social-auth-csrf-token';
window.location.href = url;
When the login is successful, I get back access_token in the hash fragment. I need to update the user_metadata for this user later. When I call the Auth0 API, it expects a Bearer token, which is the id_token. I have tried response_type=token%20id_token, but an Auth0 error page was thrown and it did not take me to the social provider login page. I need the id_token for the logged in user.
Appreciate your help.
What was the error thrown when you tried the different response type?
I was just in a very similar situation hitting the /authorize endpoint in the Authentication API, and was able to get the id_token to appear by adding what seems to be an undocumented scope=openid profile query string param to the /authorize request. To be concrete, this request did not return an id_token in the callback:
https://MY_DOMAIN.auth0.com/authorize?response_type=token&client_id=MY_CLIENT_ID&connection=google-oauth2&redirect_uri=https://localhost:8080/login
But this request did:
https://MY_DOMAIN.auth0.com/authorize?scope=openid%20profile&response_type=token&client_id=MY_CLIENT_ID&connection=google-oauth2&redirect_uri=https://localhost:8080/login
The documentation for /authorize says in its remarks:
If response_type=token, after the user authenticates on the provider, it will redirect to your application callback URL passing the access_token and id_token in the address location.hash.
But this only appears to be true if you pass the scope param as stated above.
@jmangelo could this be added to the Request Parameters section of the docs for /authorize? It seems to be missing.
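To make the answer above concrete for the Angular case in the opening post, here is an added example (not code from anyone in this thread): it builds the /authorize URL with scope=openid profile and response_type=token id_token, then validates the hash fragment that comes back, including the state value the opening post already sends and a nonce that must reappear inside the id_token. The domain, client id, callback URL, nonce and id_token contents are constructed placeholders.

```javascript
// Added example, not code from this thread. Builds the /authorize request the
// thread converges on (scope=openid profile with response_type=token id_token)
// and validates the hash fragment Auth0 appends to the callback URL.
// Domain, client id, callback URL and token contents below are constructed.

function buildAuthorizeUrl({ domain, clientId, redirectUri, connection, state, nonce }) {
  const params = new URLSearchParams({
    response_type: 'token id_token', // ask for both tokens in the fragment
    scope: 'openid profile',         // without "openid" no id_token is issued
    client_id: clientId,
    connection,
    redirect_uri: redirectUri,
    state,                           // echoed back; compare on return (CSRF)
    nonce,                           // must reappear in the id_token's nonce claim
  });
  // URLSearchParams encodes spaces as "+"; use %20 as the thread's URLs do
  return `https://${domain}/authorize?${params.toString().replace(/\+/g, '%20')}`;
}

// Turn "#access_token=...&id_token=...&state=..." into a plain object.
function parseCallbackHash(hash) {
  return Object.fromEntries(new URLSearchParams(hash.replace(/^#/, '')));
}

// Decode a base64url JWT segment in the browser or in Node.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
}

// Accept the callback only if state matches this session, an id_token is
// present and its nonce claim is the one we sent. The signature is NOT
// checked here; verify it against the tenant's JWKS before trusting claims.
function validateCallback(hash, expected) {
  const r = parseCallbackHash(hash);
  if (r.error) return { ok: false, reason: `${r.error}: ${r.error_description || ''}` };
  if (r.state !== expected.state) return { ok: false, reason: 'state mismatch' };
  if (!r.id_token) return { ok: false, reason: 'no id_token (missing scope=openid?)' };
  const claims = JSON.parse(b64urlDecode(r.id_token.split('.')[1]));
  if (claims.nonce !== expected.nonce) return { ok: false, reason: 'nonce mismatch' };
  return { ok: true, accessToken: r.access_token, idToken: r.id_token, claims };
}

// Constructed sample fragment: an unsigned id_token whose payload is {"nonce":"n-1"}.
const SAMPLE_HASH = '#access_token=AT_constructed&expires_in=7200&token_type=Bearer' +
  '&state=rmo-social-auth-csrf-token&id_token=eyJhbGciOiJub25lIn0.eyJub25jZSI6Im4tMSJ9.';
```

A fragment that carries only access_token, expires_in and token_type, as reported later in this thread, is rejected by validateCallback with the "no id_token" reason.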
The authentication API docs are indeed a bit confusing because (in my opinion) the line between legacy and latest methods is not that clear. In particular, if you check the authorize client section of the docs then it does show the complete set of parameters (scope included) for calls to /authorize depending on the grant you use. However, the login section at the top, which also refers to usage of /authorize, seems to be more applicable to legacy flows only.
I have tried the https://MY_DOMAIN.auth0.com/authorize?scope=openid%20profile&response_type=token&client_id=MY_CLIENT_ID&connection=google-oauth2&redirect_uri=CALLBACK_URL endpoint, and it is only returning:
access_token
expires_in=7200
token_type=Bearer
Is there something else I need to configure?
Hmmm… I am really having trouble understanding how to get this id_token from social login.
I have tried two methods:
Method I
I am using this API endpoint with response_type=token:
https://ndveyedev.au.auth0.com/authorize?scope=openid%20profile&response_type=token&client_id=XJm60hJQ_i7wKV0wOs1Hpkpffzv0POD6&connection=Username-Password-Authentication&redirect_uri=https://auth.expo.io/@theranjali/expo-auth0
I am getting access_token, and it seems that there is no way to get id_token from that. Is that right?
Method II
I am using this API endpoint:
https://ndveyedev.au.auth0.com/authorize?scope=openid%20profile&response_type=token&client_id=XJm60hJQ_i7wKV0wOs1Hpkpffzv0POD6&connection=google-oauth2&redirect_uri=https://auth.expo.io/@theranjali/expo-auth0
It is returning a code ANJJmUmQh0TLeYoH#.
I am trying to use this code with Postman:
https://{{auth0_domain}}/oauth/token
{
  "client_id": "CLIENT_ID",
  "client_secret": "SECRET",
  "connection": "google-oauth2",
  "scope": "openid profile email user_id",
  "grant_type": "authorization_code",
  "code": "ANJJmUmQh0TLeYoH#",
  "redirect_uri": "https://auth.expo.io/@theranjali/expo-auth0"
}
This returns:
{
  "error": "invalid_grant",
  "error_description": "Invalid authorization code"
}
Funnily, it works if I replace the connection from “google-oauth2” to “Username-Password-Authentication”.
Is there a reason why it only works with database connection? How do I get the id_token?