Issue with grant types when using Lock configured for Phonegap

simonwatt · June 13, 2017, 12:14pm

I’m new to Auth0 so forgive me if I am misunderstanding anything obvious. I’ve been trying to follow the quickstarts to get a simple example working. No matter what I do (e.g client type of Native, or Single Page App, and various options in Lock) I can’t get a login to work via Lock… I always get the error "Grant type 'http://auth0.com/oauth/legacy/grant-type/ro' not allowed for the client." showing up in the server logs and 403 forbidden returned to the client.

I’ve mainly been trying in Popup mode as eventually I’ll be using via PhoneGap (which the PhoneGap quickstart says will work only in Popup mode) . I’ve tried in browser and via PhoneGap app and both have the same problem.

I granted access to the client via the management API to the following grant types:

{
"grant_types": 
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
   "http://auth0.com/oauth/grant-type/password-realm"
  ]
}

However if i try to grant access to http://auth0.com/oauth/legacy/grant-type/ro I get an error saying that isn’t allowed, based on the documentation it looks like this grant type is depreciated, in which case I assume part of my Lock configuration is wrong and it shouldn’t be using it?

At this stage I’m very confused about how Lock fits in with everything and how the options on it relate to the grant type and flow that it decides to use. For example can I force it to use PKCE?

I’m initializing lock (JavaScript v10.16.0) like so:

  var lock = new Auth0Lock(      
         [clientid],
         [namespace],
        {
             auth: {        
              redirect: false,
              sso: false,
            }
       });

It launches fine via lock.show(), but after I try and login with an existing user it fails. Server error (with sensitive data removed) log is as follows:

{
  "body": {
    "client_id": "xyz...",
    "username": "removed@xyz.com",
    "password": "*****",
    "scope": "openid",
    "connection": "Username-Password-Authentication",
    "grant_type": "password"
  },
  "qs": {},
  "connection": "Username-Password-Authentication",
  "error": {
    "message": "Grant type 'http://auth0.com/oauth/legacy/grant-type/ro' not allowed for the client.",
    "oauthError": "unauthorized_client",
    "type": "oauth-authorization"
  }
}

jmangelo · June 13, 2017, 4:15pm

There are a couple of things in play here that are worth pointing out. More specifically, like you mentioned the grant type http://auth0.com/oauth/legacy/grant-type/ro is considered legacy and new accounts are not allowed to use it. The replacement grants to use are the ones you also mentioned (password and http://auth0.com/oauth/grant-type/password-realm), but depending on your situation you may be better using something completely different altogether, like PKCE (more on this below).

In relation to Lock, there are two modes in which it can be used, directly in your application or through the hosted login page. Using it embedded in your application is only aimed at very specific scenarios and at this time not all the features available in the authentication/authorization API surface are supported in embedded Lock.

Another important point is that the Phonegap quickstarts are community maintained and as such may not be completely up to date. For example, they seem to still be using the InAppBrowser plugin which means the use of WebView’s in mobile platforms. This may cause issues with some providers, like Google, that do not allow authentication to be performed from within a WebView.

If you’re starting out I would suggest you to consider the use of Lock within your hosted login page and not directly embedded in your application. You could then use the Auth0.js library in association with the auth0-cordova library to implement the authentication in accordance with the PKCE flow (aka authorization_code grant type). The issue is that there isn’t a quickstart specific to Phonegap and using these libraries, however, it may be helpful to check the Ionic2 quickstart which already uses those libraries and implements authentication through the hosted login page.

simonwatt · June 14, 2017, 4:08am

It seems like the (community maintained) PhoneGap quickstart is out of date as using {redirect: false} (popup mode) on embedded lock requires a grant type that is no longer supported.

Note, I also get the error in browser as a SPA, so it’s not just a PhoneGap thing. {redirect: true} is working fine in browser but if I try {redirect: false} it fails.

I’ll have a look at the auth0-cordova package and the Ionic2+ quickstart. I was hoping for a JS only solution (no Cordova plugins) but it looks like that wont be an option now that embedded lock (with redirect: false) is no longer working.

simonwatt · June 14, 2017, 9:51am

After many hours I’ve got PKCE working with PhoneGap. At least on Android 4.4, I haven’t tested on iOS yet. I can signup/login via hosted login and get a success callback with access token back to the App without losing any state.

I used auth0-cordova library and the Ionic 2+ Quickstart as a guide I adapted it to my project (which is a SPA built with ReactJS and compiled using PhoneGap).

Thanks for the help @jmangelo it pointed me in the direction I wish I had gone from the start (using auth0-cordova, rather than embed lock in popup mode which is the path on the PhoneGap quickstart).

simonwatt · June 14, 2017, 4:08am