I have a web application running on NextJs using the auth0
package, and a react-native application running the react-native-auth0
package.
The mobile app is already configured to do primary factor email deep link authentication and require sms multi-factor authentication.
Now, I would like to configure the web application to use the device authorization flow; however, it’s a bit different from what is demonstrated in Auth0’s docs.
- Web App generates a device code with Auth0
- Web App requests authorization via QR Code on the browser
- User opens their authenticated mobile app, and scans the QR Code which includes the user_code
- (missing step) Mobile app uses its currently authenticated session in conjunction with the user_code
- Web App polls Auth0 with device code to receive the access token.
N.B. In the documentation it seems that the user is always expected to use the Auth0 web interface to authenticate and authorize the device code using the user code.
tl;dr I want to implement device authorization to authorize a web app using the authentication session present on the mobile app, only using api calls and without using any additional web experiences.
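The web-app side of the flow listed above (generate a device code, show the user_code, then poll for the token), written out as an added example that is not part of the original post or of Auth0's own SDKs. It calls Auth0's real /oauth/device/code and /oauth/token endpoints and follows the RFC 8628 error codes (authorization_pending, slow_down, expired_token, access_denied) that Auth0 returns while the user_code has not yet been approved. The tenant domain, client_id, user_code and token values are constructed for the demo, and `fetchImpl`/`sleep` are injected so the fake tenant at the bottom can be exercised offline; a real deployment passes the global `fetch` and its own tenant settings.

```javascript
// Added example: Device Authorization Flow as driven by the web app.
// fetchImpl and sleep are injected so the constructed fake tenant below
// runs offline; real use passes global fetch, a real domain and client_id.

const DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code";

function formBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Step 1: obtain device_code + user_code; the web app renders
// verification_uri_complete (or the bare user_code) as the QR code.
async function requestDeviceCode({ domain, clientId, scope, audience }, fetchImpl) {
  const fields = { client_id: clientId, scope };
  if (audience) fields.audience = audience;
  const res = await fetchImpl(`https://${domain}/oauth/device/code`, {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded" },
    body: formBody(fields),
  });
  if (!res.ok) throw new Error(`device code request failed with HTTP ${res.status}`);
  return res.json(); // device_code, user_code, verification_uri_complete, expires_in, interval
}

// Pure decision logic for one /oauth/token poll response, kept apart from I/O.
// slow_down means back off by 5 seconds; expired_token/access_denied end the flow.
function nextPollAction(status, data, intervalSec) {
  if (status === 200) return { action: "done", intervalSec };
  switch (data.error) {
    case "authorization_pending": return { action: "wait", intervalSec };
    case "slow_down":             return { action: "wait", intervalSec: intervalSec + 5 };
    case "expired_token":
    case "access_denied":         return { action: "stop", intervalSec, reason: data.error };
    default:                      return { action: "stop", intervalSec, reason: `unexpected:${data.error}` };
  }
}

// Last step: poll /oauth/token with the device_code until approval, expiry or denial.
async function pollForToken({ domain, clientId }, device, fetchImpl, sleep) {
  let intervalSec = device.interval;
  const deadline = Date.now() + device.expires_in * 1000;
  while (Date.now() < deadline) {
    const res = await fetchImpl(`https://${domain}/oauth/token`, {
      method: "POST",
      headers: { "content-type": "application/x-www-form-urlencoded" },
      body: formBody({ grant_type: DEVICE_GRANT, device_code: device.device_code, client_id: clientId }),
    });
    const data = await res.json();
    const next = nextPollAction(res.status, data, intervalSec);
    if (next.action === "done") return data;
    if (next.action === "stop") throw new Error(`device flow ended: ${next.reason}`);
    intervalSec = next.intervalSec;
    await sleep(intervalSec * 1000);
  }
  throw new Error("device flow ended: expires_in elapsed locally");
}

// Constructed fake tenant: first poll is pending, second asks to slow down,
// third succeeds. All values are invented for the demo.
function makeFakeTenant() {
  const replies = [
    [403, { error: "authorization_pending" }],
    [429, { error: "slow_down" }],
    [200, { access_token: "fake-access-token", token_type: "Bearer", expires_in: 86400 }],
  ];
  const reply = (status, body) => ({ ok: status === 200, status, json: async () => body });
  return async (url) => {
    if (url.endsWith("/oauth/device/code")) {
      return reply(200, {
        device_code: "fake-device-code", user_code: "ABCD-EFGH",
        verification_uri_complete: "https://example.invalid/activate?user_code=ABCD-EFGH",
        expires_in: 900, interval: 5,
      });
    }
    const [status, body] = replies.shift();
    return reply(status, body);
  };
}

async function runDemo() {
  const cfg = { domain: "example.invalid", clientId: "fake-client-id", scope: "openid profile" };
  const fetchImpl = makeFakeTenant();
  const delays = []; // recorded instead of actually waiting
  const sleep = async (ms) => { delays.push(ms); };
  const device = await requestDeviceCode(cfg, fetchImpl);
  const token = await pollForToken(cfg, device, fetchImpl, sleep);
  return { userCode: device.user_code, accessToken: token.access_token, delays };
}

runDemo().then((r) => console.log(r));
```

The polling decision is kept in `nextPollAction` so the back-off and stop conditions can be unit-tested without a network; the fake tenant's `slow_down` reply shows the interval growing from 5 to 10 seconds before the token arrives. Note that nothing in this loop lets the web app skip the approval step: the token only comes back once Auth0 itself has recorded approval of the user_code, which is exactly the gap the post describes.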
Hi @wasteofintel,
Welcome to the Auth0 Community!
You’ve identified correctly the step that is missing from this type of configuration, since the Device Authorization Flow requires user interaction with the browser, so unfortunately this implementation is not yet possible using this flow, as mentioned in a previous community post on the same matter.
Kind regards,
Remus
@remus.ivan
Update 1 of 2:
Thank you for linking to a reference of the same issue. I understand that the flow is not yet possible using Auth0’s out of the box configuration.
I have already begun attempting to construct the flow in custom code as desired, and would appreciate insight into how an important stage of this flow would be achieved:
- Web App generates a device code
- Web App requests authorization via QR Code on the browser (this creates an expiring session)
- User opens their authenticated mobile app, and scans the QR Code which includes the user_code
- User posts the QR Code with authorization to the API managing the expiring session
- API acknowledges the authorization and uses M2M API to exchange the token on behalf of the user.
Specifically, Step 5 is where the challenge lies: being able to generate a JWT Bearer token from the M2M application, which would be required to finalize this custom Device Authorization Login implementation.
Update 2 of 2:
I’ve located the Custom Token Exchange feature
https://auth0.com/docs/authenticate/custom-token-exchange#custom-token-exchange-profile
However in trying to enable it:
- Generate Management API Access Token
- PATCH Update a Client (targeting the M2M Application) with
  {
    "token_exchange": {
      "allow_any_profile_of_type": ["custom_authentication"]
    }
  }
- Receive the following error:
  {
    "statusCode": 403,
    "error": "Forbidden",
    "message": "The token exchange feature is not enabled for this tenant.",
    "errorCode": "feature_not_enabled"
  }
Is there a step I am missing in order to begin implementing the custom token exchange on my M2M application?
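The PATCH from Update 2, as an added example that is not part of the original post or of Auth0's SDKs: it sends the same token_exchange body to the Management API's PATCH /api/v2/clients/{id} endpoint and classifies the response so that a tenant-level feature gate (the 403 with errorCode feature_not_enabled quoted above) is reported distinctly from a bad token, a missing scope or a wrong client id. The tenant domain, client id and Management API token are constructed; the fake API at the bottom replays the exact error body from the post; the JWT payload decode is only a local sanity check that the token carries the update:clients scope and performs no signature verification.

```javascript
// Added example: enable the Custom Token Exchange profile on a client via the
// Management API and classify the response. fetchImpl is injected; the
// constructed fake at the bottom replays the 403 body shown in the post.

// Decode the JWT payload (no signature check; only the Auth0 API verifies it)
// to confirm the Management API token was minted with the scope we need.
function tokenHasScope(jwt, scope) {
  const parts = jwt.split(".");
  if (parts.length !== 3) return false;
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  return String(payload.scope || "").split(" ").includes(scope);
}

// Map the HTTP outcome to something an operator can act on. The 403 with
// errorCode feature_not_enabled is a tenant gate, not an authorization bug;
// other 403s are treated here as scope problems (an assumption for the demo).
function classifyPatchResponse(status, body) {
  if (status === 200) return { outcome: "updated" };
  if (status === 403 && body && body.errorCode === "feature_not_enabled") {
    return { outcome: "feature_gated", detail: body.message };
  }
  if (status === 401) return { outcome: "bad_token", detail: body && body.message };
  if (status === 403) return { outcome: "insufficient_scope", detail: body && body.message };
  if (status === 404) return { outcome: "client_not_found" };
  return { outcome: "error", detail: `HTTP ${status}` };
}

async function enableCustomTokenExchange({ domain, clientId, mgmtToken }, fetchImpl) {
  if (!tokenHasScope(mgmtToken, "update:clients")) {
    return { outcome: "missing_scope", detail: "token lacks update:clients" };
  }
  const res = await fetchImpl(`https://${domain}/api/v2/clients/${encodeURIComponent(clientId)}`, {
    method: "PATCH",
    headers: { authorization: `Bearer ${mgmtToken}`, "content-type": "application/json" },
    body: JSON.stringify({ token_exchange: { allow_any_profile_of_type: ["custom_authentication"] } }),
  });
  const body = await res.json().catch(() => null);
  return classifyPatchResponse(res.status, body);
}

// Constructed unsigned JWT carrying a scope claim (demo only; signature is junk).
function fakeJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(payload)}.sig`;
}

// Constructed fake Management API replaying the error body from the post.
async function fakeManagementApi() {
  return {
    status: 403,
    json: async () => ({
      statusCode: 403,
      error: "Forbidden",
      message: "The token exchange feature is not enabled for this tenant.",
      errorCode: "feature_not_enabled",
    }),
  };
}

async function runDemo() {
  const mgmtToken = fakeJwt({ scope: "read:clients update:clients", aud: "https://example.invalid/api/v2/" });
  return enableCustomTokenExchange(
    { domain: "example.invalid", clientId: "fake-m2m-client-id", mgmtToken },
    fakeManagementApi,
  );
}

runDemo().then((r) => console.log(r));
```

Against a real tenant, pass `fetch` as `fetchImpl` and a Management API token issued to a machine-to-machine application that holds update:clients; the classification makes it obvious when the reply is the tenant-level gate rather than something fixable on the client side.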
Hi @wasteofintel,
Thanks for the information and the update provided!
The message below is expected, as this feature has to be requested and enabled for your tenant.
This is mentioned in our documentation as well:
Custom Token Exchange is currently in Early Access for Enterprise customers only. Reach out to your Auth0 contact to request access.
Best regards,
Remus