I’m using the Lock UI (not hosted login page) with a SPA. I’m using the Angular 2 quickstart as an example.
It looks like this defaults to using the username-password grant type by default, and not the implicit grant. The reason I say this is when calling lock.show() and logging in, the request hits /oauth/token with a grant_type of http://auth0.com/oauth/grant-type/password-realm. Since this is a SPA (Angular 2), I was anticipating it’d hit the /authorize endpoint. Is there a way to force the lock UI to know this is an implicit grant flow?

Here’s my lock config setup (similar to Angular 2 (SPA) quickstart).

    this.lock = new Auth0Lock(auth0SPAConfig.clientID, auth0SPAConfig.domain, {
      oidcConformant: true,
      autoclose: true,
      auth: {
        redirectUrl: auth0SPAConfig.redirectUri,
        responseType: 'token id_token',
        audience: auth0SPAConfig.audience,
        params: {
          scope: 'openid profile last_password_reset'
        }
      }
    });