Migration - SSO for Regular Web Apps - auth0.js

Hello,

I am in charge of a module used by websites, running on our platform, to handle the authentication using Auth0.
It follows the “Regular Web App” architecture (with authorisation code).
It also uses embedded login, so I am currently working on the migration from

  • Lock 10.5.1 → 11.3.0
  • com.auth0:mvc-auth-commons:0.1.0 → 1.0.0 (To use /userInfo since /tokenInfo is now obsolete)

I now manage to log in with new accounts/tenants without the Legacy API.
But I still have a problem with SSO:

Previously I was using the function getSSOData present in the Lock library.
The function has been removed and the documentation says that we should use checkSession instead.
The documentation also says that it has been reimplemented in auth0.js v9 but may behave differently:
https://auth0.com/docs/libraries/auth0js/v9/migration-v7-v9

Attempt 1: Using ‘getSSOData’

  • The page now includes auth0.js v9.3.2
  • It calls the function auth0.Authentication.getSSOData
    This works perfectly for old accounts/tenants (even when I disable Legacy APIs in the tenant settings).
    But it does not seem to work on new accounts/tenants no matter how I configure it.

Attempt 2: Using the recommended ‘checkSession’

  • The page now includes auth0.js v9.3.2
  • It calls the function auth0.WebAuth.checkSession
    I made it work using the following parameters:
    • responseType: ‘token’
    • redirect_uri: callbackUrl (My backend callback URL)

But I am confused. I do not understand why I need to specify these two parameters and certainly not with these values.
checkSession complains if responseType is not specified and the authorize call (used by checkSession) complains if the redirect_uri is not specified and not in the list of specified callbacks.

I first thought that it is because, if there is an SSO session, then the redirect_uri would be called with the parameters (state, …) passed to checkSession. But it is not the case. redirect_uri is never called.

Also about responseType: the documentation says that ‘code’ is a valid value: GitHub - auth0/auth0.js: Auth0 headless browser sdk
But the code of the library sends the following error: “responseType can’t be code”

Have you looked at our migration guide for Auth0.js? I have a feeling it will answer a lot of these questions for you.

https://auth0.com/docs/libraries/auth0js/v9/migration-guide

I encountered the same error: “responseType can’t be code”. This seems to be in direct contradiction to the documentation here, which says that ‘code’ is a valid option.

With help from Auth0 support, I learned that apparently what I’m supposed to do is specify a responseType param of ‘code’ in my call to the Auth0Lock constructor but specify a responseType of ‘token’ in my call to the checkSession method. I don’t really understand why, but I figured I’d mention it in case it’s helpful to you @gri or anybody else.

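An added example (not code from the original thread and not Auth0's own auth0.js code) of how a page following the Regular Web App setup described in the question could call checkSession with the parameters the question and the reply above settled on, responseType ‘token’ plus an allow-listed redirect_uri, and classify the result. The WebAuth instance, the tenant values, the https check on the callback URL and the stand-in client used to run it offline are assumptions, not from the page.

```javascript
// Added example (not from the thread, not Auth0's code): a small wrapper
// around auth0.js v9 WebAuth#checkSession for a Regular Web App page that
// only needs to learn whether an Auth0 SSO session exists.
//
// Assumptions (not on the page):
//   - `webAuth` is an auth0.WebAuth instance (auth0-js v9) or any stand-in
//     with the same checkSession(options, callback) shape.
//   - `callbackUrl` is listed in the tenant's Allowed Callback URLs.
//   - The page's origin is listed in the tenant's Allowed Web Origins, which
//     the silent (hidden-iframe) check needs in order to post its result back.

// Error codes auth0.js hands to the checkSession callback when there is
// simply no session to renew silently. Everything else is a real failure.
const NO_SESSION_CODES = new Set([
  'login_required',
  'consent_required',
  'interaction_required',
]);

// Builds the options the thread converged on: responseType 'token' (the
// library rejects 'code' here) and an allow-listed redirect_uri.
function buildCheckSessionOptions(callbackUrl) {
  if (typeof callbackUrl !== 'string' || !/^https:\/\//.test(callbackUrl)) {
    // Refuse non-https values: the callback URL is part of the trust boundary
    // and Auth0 rejects anything that is not on the allow list anyway.
    throw new Error('callbackUrl must be an https URL listed in Allowed Callback URLs');
  }
  return {
    responseType: 'token',
    redirect_uri: callbackUrl,
  };
}

// Pure classifier so the outcome can be tested without a browser:
//   {status: 'session', accessToken, expiresIn}  -> an SSO session exists
//   {status: 'no_session', code}                 -> expected silent-auth failure
//   {status: 'error', code, description}         -> configuration or transport error
function classifyCheckSessionOutcome(err, result) {
  if (err) {
    const code = err.error || err.code || 'unknown';
    const description = err.error_description || err.errorDescription || err.description || '';
    if (NO_SESSION_CODES.has(code)) {
      return { status: 'no_session', code };
    }
    return { status: 'error', code, description };
  }
  if (!result || typeof result.accessToken !== 'string' || result.accessToken.length === 0) {
    return { status: 'error', code: 'malformed_result', description: 'no accessToken in result' };
  }
  return { status: 'session', accessToken: result.accessToken, expiresIn: result.expiresIn };
}

// Promise wrapper. auth0.js validates options up front and may throw
// synchronously (for instance "responseType can't be code"), so that path
// is folded into the same outcome shape instead of escaping as an exception.
function checkSsoSession(webAuth, options) {
  return new Promise((resolve) => {
    try {
      webAuth.checkSession(options, (err, result) => {
        resolve(classifyCheckSessionOutcome(err, result));
      });
    } catch (e) {
      resolve(classifyCheckSessionOutcome({ error: 'invalid_options', error_description: e.message }));
    }
  });
}

// Constructed stand-in for auth0.WebAuth so the wrapper can be exercised
// offline. It imitates only the callback contract and the responseType
// checks, not the real /authorize?prompt=none iframe exchange.
function fakeWebAuth(scenario) {
  return {
    checkSession(options, cb) {
      if (!options.responseType) {
        throw new Error('responseType option is required');
      }
      if (options.responseType === 'code') {
        throw new Error("responseType can't be code");
      }
      if (scenario === 'logged_in') {
        cb(null, { accessToken: 'constructed.access.token', expiresIn: 7200, tokenType: 'Bearer' });
      } else {
        cb({ error: 'login_required', error_description: 'Login required' });
      }
    },
  };
}

// Offline demo with the stand-in; on a real page the client would be
// `new auth0.WebAuth({ domain: 'TENANT.auth0.com', clientID: 'CLIENT_ID' })`
// (placeholder tenant values, not from the thread).
checkSsoSession(fakeWebAuth('logged_out'), buildCheckSessionOptions('https://app.example/auth/callback'))
  .then((outcome) => console.log('SSO check outcome:', outcome));
```

The access token this returns only proves that the browser holds an Auth0 session; for a Regular Web App the backend session still comes from the authorization code exchange that Lock starts with responseType ‘code’, so a page would use a ‘session’ outcome to trigger that redirect rather than forward the token to the backend as proof of login.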

Hi @jeff.terrell,

Good. That is what I ended up doing.
Thanks for sharing the info :+1: