Lock v11.26.3 Unauthorized after Social Account Create redirect

Hey there,

We are using Lock v11.26.3 in an Angular app to implement a styled user interface. We are required to collect additional user information when a user signs up. We are using a redirect rule to trigger this additional user information form.

The workflow works as intended when using Username-Password-Authentication. The issue arises when trying to sign up/create account using Google.

When using Google to sign up the workflow goes like this

  • /login page presents lock screen
  • user signs up with Google and an account is created
  • user is redirected to /create-account page to collect additional information
  • user submits additional information and they are redirected to http://${environment.auth0.domain}/continue?state=${state}
  • auth0 presents an unauthorized 401 response.

The same workflow succeeds when using the Username-Password-Authentication. This leads me to believe it doesn’t have to do with allowed callback urls, or allowed web origins. I should also mention that the social account is successfully created in auth0 and can be used to sign on. It’s just that the unauthorized 401 stops the user from getting into the app. I am at a loss for what to try next to make the account creation for a social account work after a redirect.

Here is the HAR file from the failed /continue?state=123
auth0-social-redirect.har (159.7 KB)

Here is the option configuration that I’m currently using.

  // Lock options passed to the Auth0Lock constructor
  auth0Options = {
    auth: {
      responseType: 'token',
      redirectUrl: environment.auth0.callbackURL,
      redirect: true,
      allowedConnections: ['Username-Password-Authentication', 'google-oauth2'],
      // keys of connectionScopes are connection names, so they must match
      // the name used in allowedConnections ('google-oauth2', not 'google')
      connectionScopes: {
        'google-oauth2': ['openid', 'profile', 'email'],
      },
      params: {
        scope: 'openid profile',
      },
    },
  };

I would start by ensuring that you redirect from your application to the continue endpoint directly with HTTPS instead of HTTP. Now, if this works for the DB connection, this would not be the real root cause, although you should still do it.

Given the trace only contains the last leg of the process, I would confirm that you’re NOT using the Google connection with developer keys (https://auth0.com/docs/connections/social/devkeys). These can be used for very simple login tests through the dashboard just to understand the feel of how Auth0 would work with social connections, but my recommendation would be to avoid them as soon as you start doing anything else.

If you are not using developer keys, the plot thickens, in which case an HTTP trace with the full process could be helpful, but for that one you would need to redact a lot of stuff as it could contain sensitive data.


@jmangelo Thanks for the reply. I have changed the HTTP request to HTTPS. You were right that it wasn’t the root cause. I don’t believe that I’m using the Google connection with developer keys.

I have generated a HAR file and redacted sensitive info. Let me know if there’s anything I can do to provide more context.

auth0-social-redirect.har (1.4 MB)

In the HAR file at the unauthorized 401 error I am seeing the following, which doesn’t look quite right. But I’m not sure what to expect for a “scope” value either.

  {
    "name": "scope",
    "value": "email%20profile%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile%20openid"
  },

From the trace it does seem the Google social connection in your tenant is configured to use development keys, so you should check the Google social connection settings and configure it with your own client identifier information, which you will need to obtain from Google.


I was still using the development keys. After implementing the keys it worked as intended.

Thanks for your help and patience @jmangelo.


We are here for you!
