Lock11 and Last Time you Logged In As broken

We have upgraded to Lock11 per the migration documentation and now the “Last time you logged in” functionality no longer works. The document states:

"Lock 11 will never show the Last time you logged in with window when using the Authorization Code Flow (that is, when specifying response_type=‘code’). It will always prompt for credentials.

The Last time you logged in with window will also never do a redirect, even when the redirect option is set to true. Lock11 still emits the authenticated event and you should subscribe to that event to get the authentication result.

If you want to avoid showing the Lock dialog when there’s an existing session in the server, you can use Auth0.js’s checkSession() function."

We are not using Auth0.js. Can you give an example of how to use the authenticated event that is referenced above to achieve this same functionality?


I’ve got the same problem. I get the successful authentication result but the underlying listeners are not triggered.

It looks like I may be experiencing a similar problem, that broke at the same time. We are using the hosted page login with lock 10.21.1 (same behavior with lock 11.4.0).

#1. This is the login url:
https://tenant.auth0.com/login/?client=<client_id>&redirect_uri=&response_type=token&scope=openid%20offline_access%20email%20given_name%20family_name%20picture&state=ypfolhnqwpedrxdb&device=myDevice

#2. The response we get from #1 is:
https://tenant.auth0.com/mobile?code=&state=b8RO16JE3L47eoToXZ3ii4AwNoNdOY87#=

#3. The expected response for #1 is:
https://tenant.auth0.com/mobile#access_token=&id_token=&scope=openid%20offline_access%20email%20given_name%20family_name%20picture&expires_in=86400&refresh_token=&token_type=Bearer&state=ypfolhnqwpedrxdb

We have been getting the expected response in #3 for over 1 year. As of March 13, 2018, the response has changed to #2. The authentication is successful, but the response has changed, which breaks my app.

Since the response_type was token in #1, I would not expect #2 to return a code. If I change the response_type to code in #1, I then get tokens in the response as expected, like #3. If I change the response_type to id_token, I get the expected result, like #3. OIDC compliance is not enabled. Seems like there’s a mix-up in how the response_type is being handled.

We have upgraded to Lock11 per the migration documentation and now the “Last time you logged in” functionality no longer works.

@t3central when you say “the functionality no longer works”, what exactly do you mean? Are you handling the authenticated event?

I’ve got the same problem. I get the successful authentication result but the underlying listeners are not triggered.

@chris.daniel can you provide a code snippet of how you are doing this?

@amh that seems like a totally different issue. Would you mind opening a new thread, and including the HLP code you are using? Also, you are not calling the /login endpoint directly, are you? If you are, then that explains the problem. Client applications should use the /authorize endpoint (which in turn will redirect to /login if required), not /login directly.

@nicolas_sabena

Our app was using the (now deprecated) Auth0 .NET library, which looks like it was indeed calling the /login endpoint directly by default.

I see that the library was updated to always use /authorize after we started using it in this commit (Support extra parameters (e.g. for audience) · auth0/Auth0.WinformsWPF@825ffe6 · GitHub).

We’ll update our app, but it is very unfortunate that our current users had to experience this sudden outage. I can create a new thread for further questions. Thanks!

Hi Sabena,

thank you for your attention :-).

The whole situation looks like my mistake, and things should never have worked in the first place. They probably worked by a stroke of luck.

I have a wrapper around the Lock. In the constructor, I was setting up a listener:
this.auth0.on('authenticated', this._doAuthentication);

but I also had a login method:

login() {
    this.auth0.removeAllListeners();
    this.auth0.show({
        allowSignUp: false,
        allowLogin: true
    });
}

I have no clue why I have called the removeAllListeners; it might be I was trying to get it working with React & ReactRouter when your examples were not yet created. Anyway, such code was working for users that entered all their credentials but not for those that have selected their Last Time you Logged In action.

I can only hypothesise that a page reload during full login was re-adding the listener, while in the ‘Last Time’ approach it was not, hence the ‘broken’ functionality.

@nicolas_sabena,

Nicolas, I am so sorry for using your last name, unfortunately I cannot edit that post :-(.

@nicolas_sabena by “no longer works” I mean that the Last Time You Logged In is never shown and the user is asked to provide credentials every time.

On Lock v10, the “Last time you logged in” feature used to rely on an endpoint that will be deprecated. Because of this, Lock v11 now uses a combination of querying the server silently for a token (with checkSession) and looking up information stored in localStorage about the last-used authentication method once the callback is processed, to be able to provide the “Last time you logged in with” method.

The above flow is only valid for SPA-type applications that use implicit flow, where Lock itself processes the callback. It’s not available for regular web apps, where the callback receives a code and the server communicates with Auth0 through the back channel. Thus, when using regular web apps, you’ll no longer see the “Last time you logged in with …” button.
If you want similar functionality in a regular web app, your best bet is to move to Universal login (i.e. using the /authorize endpoint to request a token). When doing so, the server will show the hosted login page when necessary, and with the “Last time you logged in with…” button, if possible. Even better, with additional work being done in session management, the server might even skip the login page altogether if there’s sufficient session available at Auth0.

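As an added example (not code from the thread or from Auth0): one way to consume Lock 11's `authenticated` event in the implicit-flow case described above, with the listener registered once so it is still attached when the "Last time you logged in with" button is used, unlike the `removeAllListeners()` wrapper posted earlier. The `createLockLogin` wrapper, its callbacks and the client ID and domain values are assumptions.

```javascript
// Added example, not code from the thread. `LockCtor` is the Auth0Lock
// constructor loaded from the Lock 11 script; client ID and domain below
// are placeholders.
function createLockLogin(LockCtor, clientId, domain, onLogin, onError) {
  const lock = new LockCtor(clientId, domain, {
    rememberLastLogin: true,
    auth: {
      // Implicit flow, so Lock itself processes the callback. With
      // responseType 'code', Lock 11 always prompts for credentials.
      responseType: 'token id_token',
      // The "Last time you logged in with" window never redirects, so the
      // result has to be picked up from the event below.
      redirect: false,
      params: { scope: 'openid email' }
    }
  });

  // Register once, when the wrapper is built. Calling removeAllListeners()
  // before show() would drop this handler and the result would be lost.
  lock.on('authenticated', function (authResult) {
    if (!authResult || !authResult.accessToken) {
      return; // nothing usable in this result
    }
    lock.hide();
    onLogin({
      accessToken: authResult.accessToken,
      idToken: authResult.idToken,
      claims: authResult.idTokenPayload
    });
  });
  lock.on('authorization_error', function (err) {
    if (onError) onError(err);
  });

  return {
    lock: lock,
    login: function () {
      lock.show({ allowSignUp: false, allowLogin: true });
    }
  };
}

// Browser usage: runs only where the Lock script has defined Auth0Lock.
if (typeof Auth0Lock !== 'undefined') {
  createLockLogin(Auth0Lock, 'YOUR_CLIENT_ID', 'YOUR_TENANT.auth0.com',
    function (session) { console.log('signed in', session.claims); }
  ).login();
}
```
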

You wrote:

“Lock v11 now uses a combination of querying the server silently for a token (with checkSession) and looking up information stored in localStorage about the last-used authentication method once the callback is processed, to be able to provide the “Last time you logged in with” method.”

checkSession is part of Auth0.js which we currently do not use. Are you saying we need to use Auth0.js in conjunction with Lock 11 in order to retain the Last Time you Logged in feature? Can you please give an example of how we would need to modify code to do so?

Code snippet below of our current implementation:

<script>
    var lock = new Auth0Lock('[clientidherehere]', '[ourdomainhere].auth0.com', {
        container: 'root',
        loginAfterSignUp: true,
        allowShowPassword: true,
        auth: {
            redirectUrl: 'http://localhost:1882/LoginCallback.ashx',
            responseType: 'code',
            params: {
                scope: 'openid email' // Learn about scopes: https://auth0.com/docs/scopes
            }
        },
        theme: {
            logo: 'http://localhost:1882/Content/Images/T3large.png',
            primaryColor: 'lightblue'
        },
        rememberLastLogin: true,
        languageDictionary: {
            emailInputPlaceholder: "example@example.com",
            title: "Title"
        },
        additionalSignUpFields: [{
            name: "first_name",
            placeholder: "Enter your first name"
            //, icon: "https://example.com/assests/address_icon.png"
        },
        {
            name: "last_name",
            placeholder: "Enter your last name"
            //, icon: "https://example.com/assests/address_icon.png"
        }]
    });
    lock.show();
</script>

Did you find a way to make this work? A client of ours only wanted the last time you logged in feature and I noticed any documentation that says this is deprecated. I recall seeing a document mentioning this would work within the last month or so when we upgraded them.

No, I never received any sample code on how to get this to work. We are now using the Hosted Login page instead.

How is that working for you? Do you redirect them every time you need a user to login?

I think we’re looking at making the sso check work instead.

I thought I would update. We ended up using the Universal Hosted Login page as well. It works pretty well, but it was definitely disappointing that we lost the sso with embedded functionality. At the time of the change, their docs did not show this. They even had screenshots showing the “last logged in with” text on Lock.