Implicit login with username/password returning JWT Token

Hi,

I’m using Auth0 for the login for my personal App (springboot).

I configured an implicit login
→ redirection on the Auth0 login page

There I gave the choice between a social login (using Gmail) or a personal email/password login for an Auth0 user.

The social login works well and I got back a JWT token as expected.

But when I try to log in with my valid Auth0 account, the login succeeds but the token that I receive is not a JWT token; for example it looks like “MzvfehUtTqEURShpfEtloPyTCrwfeoeL”.

My question: what do I have to configure/change in Auth0 so that I receive a JWT token too when I log in with my personal Auth0 account (and not via Gmail)?

I checked the request fired against Auth0 and it looks like that:

POST: https://myApp.eu.auth0.com/usernamepassword/login
body:
{
  "client_id": "KgNOKBH0vl3lRE2nA0p7OuIjxJyzkegk",
  "redirect_uri": "http://localhost:8080/webjars/springfox-swagger-ui/oauth2-redirect.html",
  "tenant": "$myTenant",
  "response_type": "token id_token",
  "scope": "openid profile email",
  "audience": "$myAudienceName",
  "state": "$Some_XY_State",
  "connection": "$myConnectionName",
  "username": "XXX@outlook.com",
  "password": "XXX",
  "popup_options": {},
  "nonce": "$XY",
  "sso": true,
  "_intstate": "deprecated",
  "_csrf": "JRzdJkgN-wOtIx4nMm433iezlZ26VfnzktAY",
  "type": "token"
}

What is missing in order to get a valid JWT token?

The information provided although relevant is insufficient to provide a full analysis. The ideal information to share would be an HTTP trace that shows all the requests from the initial redirect from the client application until the application callback URL being called again.

There are instructions at (Generate and Analyze HAR Files), but before sharing a HAR publicly you need to redact possible sensitive information. For example, it would be important for you to redact:

  • passwords - replace them with a placeholder.
  • session cookies - replace them with a placeholder.
  • JWT tokens - if there’s no sensitive information in the payload then ideally redact only the signature component.
  • opaque bearer tokens - replace them with a placeholder.
  • other information you may deem sensitive.

Hi,

so here is the HAR. Let me know if you see where the problem could be or what is wrongly configured in Auth0.

Attachment: auth0.har (110.2 KB)

The first request in the shared HAR shows a call to https://myApp.eu.auth0.com/login?[params] which is unexpected in terms that this should not be the first request in an authentication request.

For example, for an authentication request according to OIDC the first call should be made to /authorize endpoint. Can you confirm if the issue was with the capture of the trace or if you’re indeed directly calling /login?

Yes, thanks for your answer.
I was calling /login directly, and if I change to /authorize, it works. But I was calling /login because I wanted to display the Auth0 login page even if the user is already logged in somewhere on a social platform (for example Gmail).
With /authorize, when I want to log in with my personal Auth0 account but in my browser I’m already logged in to Gmail, the login page is not displayed. Calling /authorize bypasses the login page and returns directly the JWT token that I have from Gmail. I don’t have the possibility to use my personal Auth0 account.

Is there a way to force it to always display the login page?

Yes, if you include prompt=login as a parameter in the call to the authorization endpoint then even if a session already exists the login page will be shown. This is usually used in scenarios where the application expects a single person to have multiple accounts and offers something like a login with a different account option.
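The two points made in this thread, starting the flow at /authorize rather than /login and adding prompt=login to force the login page, can be seen in a small client-side helper. The following is an added example written for this page, not code from the thread or from Auth0; it uses the tenant domain and redirect URI quoted above, while the client_id and audience are placeholders. It builds the implicit-flow /authorize URL with fresh state and nonce values, parses the callback fragment, checks state and nonce, and distinguishes a JWT (three base64url segments with a JSON header) from an opaque token like the one the poster received. The callback it checks is constructed inline; the id_token payload is decoded without signature verification, which a real client must add against the tenant's JWKS before trusting any claim.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Domain and redirect URI as quoted in the thread; client_id and audience are placeholders.
AUTH0_DOMAIN = "myApp.eu.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"  # placeholder, not the poster's real client_id
REDIRECT_URI = "http://localhost:8080/webjars/springfox-swagger-ui/oauth2-redirect.html"
AUDIENCE = "https://api.example.invalid"  # placeholder for $myAudienceName


def build_authorize_url(domain, client_id, redirect_uri, audience,
                        force_login=True, state=None, nonce=None):
    """Build the OIDC implicit-flow request against /authorize (never /login directly).

    state and nonce are fresh random values unless supplied; the caller must keep
    them to validate the callback. prompt=login forces the login page to appear
    even when an Auth0 session (e.g. from a prior social login) already exists.
    """
    state = state or secrets.token_urlsafe(16)
    nonce = nonce or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "token id_token",
        "scope": "openid profile email",
        "audience": audience,
        "state": state,
        "nonce": nonce,
    }
    if force_login:
        params["prompt"] = "login"
    return f"https://{domain}/authorize?{urlencode(params)}", state, nonce


def _b64url_decode(s):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def looks_like_jwt(token):
    """True if token has the header.payload.signature shape and a JSON header with 'alg'.

    An opaque token such as the thread's "MzvfehUtTqEURShpfEtloPyTCrwfeoeL"
    has no dots and therefore fails this check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False
    return isinstance(header, dict) and "alg" in header


def parse_callback(callback_url):
    """The implicit flow delivers tokens in the URL fragment (after '#'), not the query."""
    fragment = urlparse(callback_url).fragment
    return {k: v[0] for k, v in parse_qs(fragment).items()}


def check_callback(callback_url, expected_state, expected_nonce):
    """Validate the callback: state match, token shapes, and nonce inside the id_token.

    The id_token payload is read WITHOUT signature verification here; a real client
    must verify the signature against https://<domain>/.well-known/jwks.json first.
    """
    data = parse_callback(callback_url)
    result = {
        "state_ok": secrets.compare_digest(data.get("state", ""), expected_state),
        "id_token_is_jwt": looks_like_jwt(data.get("id_token", "")),
        "access_token_is_jwt": looks_like_jwt(data.get("access_token", "")),
        "nonce_ok": False,
    }
    if result["id_token_is_jwt"]:
        payload = json.loads(_b64url_decode(data["id_token"].split(".")[1]))
        result["nonce_ok"] = payload.get("nonce") == expected_nonce
    return result


def _constructed_unsigned_jwt(payload):
    """Constructed sample id_token for the demo only; the signature segment is a dummy."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.dummysig"


def demo():
    """Round trip: build the request, then check a constructed callback that carries
    a JWT id_token next to an opaque access_token like the one in the thread."""
    url, state, nonce = build_authorize_url(AUTH0_DOMAIN, CLIENT_ID, REDIRECT_URI, AUDIENCE)
    id_token = _constructed_unsigned_jwt({"sub": "auth0|example", "nonce": nonce})
    opaque = "MzvfehUtTqEURShpfEtloPyTCrwfeoeL"  # opaque token from the thread
    fragment = urlencode({"access_token": opaque, "id_token": id_token,
                          "state": state, "token_type": "Bearer"})
    return url, check_callback(f"{REDIRECT_URI}#{fragment}", state, nonce)


if __name__ == "__main__":
    authorize_url, outcome = demo()
    print(authorize_url)
    print(outcome)
```

In the demo the id_token passes the JWT-shape check while the access_token does not, which mirrors what the poster saw; state is compared in constant time and the nonce is checked against the value generated for that request, so a callback that was not started by this client is rejected on both counts.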

Ok thanks a lot for your help
