I am trying to use Lock with an ExpressJS Web Application. Initially I was not using OIDC compliance, but now I am trying to. After trying to work the problem for many hours: Googling, experimentation and reading threads in this forum, I just seem to be chasing my tail. My general requirements are to be able to access an API after login, and also to obtain a refresh token.
I thought I had everything working OK until I started testing with users other than my test account. At that point I started seeing the problem described here (https://community.auth0.com/questions/8564/help-with-oidc-complicance-on-hosted-log-in-page). I followed the advice to start using the “/authorize” end-point, which wound up looking something like this:
https://hsl-sop.auth0.com/authorize?client_id=4cKmQU8j6ltruCjcStEwePID4N2p18Si&scope=openid profile user_metadata offline_access&audience=https://restapi.sop.heavensentlegal.com&response_type=code
Using this method I now have two problems.
- Lock displays as expected, and I can log in (with my test account); however, after a successful login Lock displays again and, from what I can tell, my redirect end-point is not called. I log in the second time and this time it calls my redirect end-point. But this leads to problem 2.
- No refresh token is returned.
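As an added example (not code from the original post or from Auth0), the following Node snippet builds the OIDC-conformant /authorize URL from the values quoted in the question with every parameter properly URL-encoded, and checks a /oauth/token response for the presence of a refresh token; the redirect URI, the state value and the client secret are assumptions, since the post does not give them.

```javascript
// Added example: build the /authorize URL and inspect the token response.
// The hand-written URL in the question leaves the spaces in `scope` and the
// slashes in `audience` unencoded; URLSearchParams encodes them correctly.

const AUTH0_DOMAIN = 'hsl-sop.auth0.com';                      // from the question
const CLIENT_ID = '4cKmQU8j6ltruCjcStEwePID4N2p18Si';          // from the question
const API_AUDIENCE = 'https://restapi.sop.heavensentlegal.com'; // from the question
const REDIRECT_URI = 'https://example.invalid/callback';      // assumed, not in the question

function buildAuthorizeUrl({ domain, clientId, audience, redirectUri, scopes, state }) {
  const url = new URL(`https://${domain}/authorize`);
  url.search = new URLSearchParams({
    client_id: clientId,
    scope: scopes.join(' '),   // offline_access is what asks for a refresh token
    audience,                  // API identifier; needed to get an API access token
    response_type: 'code',
    redirect_uri: redirectUri, // must match an Allowed Callback URL for the client
    state,                     // opaque anti-CSRF value kept in the user's session
  }).toString();
  return url.toString();
}

// Classifies a /oauth/token response body so the caller can tell "no refresh
// token" apart from "exchange failed". A refresh token only appears when
// offline_access was requested and the API permits offline access.
function inspectTokenResponse(body) {
  const missing = ['access_token', 'id_token'].filter((k) => !body[k]);
  return {
    ok: missing.length === 0,
    missing,
    hasRefreshToken: typeof body.refresh_token === 'string' && body.refresh_token.length > 0,
  };
}

// Exchanges the code returned to the redirect end-point (network call; not
// exercised in tests). The state check prevents a forged callback being
// accepted; the client secret is a placeholder read from the environment.
async function exchangeCode(code, state, session) {
  if (!session || session.oauthState !== state) throw new Error('state mismatch');
  const res = await fetch(`https://${AUTH0_DOMAIN}/oauth/token`, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify({
      grant_type: 'authorization_code',
      client_id: CLIENT_ID,
      client_secret: process.env.AUTH0_CLIENT_SECRET, // placeholder
      code,
      redirect_uri: REDIRECT_URI,
    }),
  });
  return inspectTokenResponse(await res.json());
}
```

Calling `inspectTokenResponse` on the real exchange result tells you whether the exchange itself failed (missing access or ID token) or whether it succeeded without a refresh token, which is the second problem described above.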