Issue with lock checkSession

I am having an issue with implementing lock on my SPA.

I am able to instantiate Auth0Lock(), show lock and get a valid access_token.

  "iss": "",
  "sub": "google-oauth2|xxxxx,
  "aud": [
  "iat": 1537462353,
  "exp": 1537469553,
  "azp": "wN6thaUwraH6wZrprSt3ICCxA8kxc2UU",
  "scope": "openid profile email"

With this token I’m able to call getUserInfo() and get the user profile properly.

The problem is when I call checkSession with no options (so it should use the same options) to refresh the token, I’m getting back a token, but that token has has an incomplete audience and no scope

  "iss": "",
  "sub": "google-oauth2|xxxxx",
  "aud": "xxxxx.auth0", <---- one value instead of two
  "iat": 1537462355,
  "exp": 1537469555,
  "azp": "wN6thaUwraH6wZrprSt3ICCxA8kxc2UU",
  "scope": "" <---- missing scope

With this token I’m not able to call getUserInfo() because of the missing aud and scope.

Any ideas?

Got it working.

Turns out that by passing in the empty object into checkSession, the call was not inheriting the audience and scope from the instantiated instance of lock. Once I passed in an object and defined audience and scope the same as the instance of lock, it returned me a valid token.

No sure if that is a bug, not documented properly, or I did something else wrong, but it seems to be working for me now.


So authorize() and checkSession() both accept options that can override options set when you create the instance. By passing it an empty JSON object, you were overriding all the options with blanks. I’m not sure it’s a bug, as there are cases where options will differ between either the instance or the two functions.

Just to check, are you using auth0-js or auth0-lock for your SPA?

I’m using auth0-lock, I was initially using auth0-js but switched to lock, do you recommend one over the other for an SPA?

I get that the options were being overridden but the documentation says if you don’t pass in any overrides it will use the the options set when you create the instance. So if you can’t pass in { } to get the defaults what are you supposed to pass in as the first argument?

Good question! I’ll double check with the team that maintains that library.

It appears the bug is fixed in a PR waiting to be merged. Follow the PR here so you know when it goes live: Fix different scope in checkSession by luisrudge · Pull Request #1486 · auth0/lock · GitHub

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.