Migration - SSO for Regular Web Apps - auth0.js

gri · March 7, 2018, 2:57pm

Hello,

I am in charge of a module used by websites, running on our platform, to handle the authentication using Auth0.
It follows the “Regular Web App” architecture (with authorisation code).
It also uses embedded login, so I am currently working on the migration from

Lock 10.5.1 → 11.3.0
com.auth0:mvc-auth-commons:0.1.0 → 1.0.0 (To use /userInfo since /tokenInfo is now obsolete)

I now manage to login with new accounts/tenants without the Legacy API.
But I still have a problem with SSO:

Previously I was using the function getSSOData present in the Lock library.
The function has been removed and the documentation says that we should use checkSession instead
The documentation also says that it has been reimplemented in auth0.js v9 but may behave differently
https://auth0.com/docs/libraries/auth0js/v9/migration-v7-v9

Attempt 1: Using ‘getSSOData’

The page now includes auth0.js v9.3.2
It calls the function auth0.Authentication.getSSOData
This works perfectly for old accounts/tenants (even when I disable Legacy APIs in the tenant settings).
But it does not seem to work on new account/tenants no matter how I configure it.

Attempt 2: Using the recommended ‘checkSession’

The page now includes auth0.js v9.3.2
It calls the function auth0.WebAuth.checkSession
I made it work using the following parameters:
- responseType: ‘token’
- redirect_uri: callbackUrl (My backend callback URL)

But I am confused. I do not understand why I need to specify these two parameters and certainly not with these values.
checkSession complains if responseType is not specified and the authorize call (used by checkSession) complains if the redirect_uri is not specified and not in the list of specified callbacks.

I first thought that it is because, if there is a SSO Session, then the redirect_uri would be called with the parameters (state, …) passed to checkSession. But it is not the case. redirect_uri is never called.

Also about responseType: the documentation says that ‘code’ is a valid value: GitHub - auth0/auth0.js: Auth0 headless browser sdk
But the code of the library sends the following error: responseType can’t be code

jerdog · March 30, 2018, 2:55pm

Have you looked at our migration guide for Auth0.js? I have a feeling it will answer a lot of these questions for you

https://auth0.com/docs/libraries/auth0js/v9/migration-guide

jeff.terrell · April 6, 2018, 1:28am

I encountered the same error: “responseType can’t be code”. This seems to be in direct contradiction to the documentation here, which says that ‘code’ is a valid option.

With help from Auth0 support, I learned that apparently what I’m supposed to do is specify a responseType param of ‘code’ in my call to the Auth0Lock constructor but specify a responseType of ‘token’ in my call to the checkSession method. I don’t really understand why, but I figured I’d mention it in case it’s helpful to you @gri or anybody else.

gri · April 6, 2018, 8:12am

Hi @jeff.terrell,

Good. That is what I ended up doing.
Thanks for sharing the info

Topic		Replies	Views
redirectUri in checkSession? Help sso-integration , redirecturi	2	3924	December 17, 2018
How do I correctly implement and detect SSO sessions with the new API Authorization features? Help sso , session , auth0js	2	5661	March 2, 2018
checkSession call is returning 400 with HTML response Help checksession	7	3879	April 21, 2020
Session not maintained when redirecting from callback URL to redirect URL Help session , login , redirect	2	9546	August 29, 2019
Auth0 with custom login Help login-experience , new-universal-login-experience	2	1064	June 9, 2023

Migration - SSO for Regular Web Apps - auth0.js

Related topics