"nonce option is required" on IE10

intergalena · June 28, 2018, 12:58am

Hi everyone,

I’m getting the “nonce option is required” on IE10.

The packages I’m using are auth0.js v9.6.1 and auth0-lock v11.7.2.

Below is my code:

var options = {
    allowSignUp: false,
    audience: clientDomain+'/userinfo',
    allowShowPassword: true,
    auth: {
        params: {
            scope: 'openid'
        },
        redirectUrl: callbackUrl
    },
    closable: false,
    error: {
        login: {
            'lock.fallback': 'Wrong email or password',
            'lock.invalid_email_password': 'Wrong email or password'
        }
    }
};

var lock = new Auth0Lock(clientId, clientDomain, options);
var auth0 = new auth0.WebAuth({
    domain: clientDomain,
    clientID: clientId,
    redirectUri: callbackUrl,
    responseType: 'token'
});

auth0.checkSession({}, function(err, ssoData) {
    if (!err && ssoData) {
        auth0.authorize({
            scope: 'openid',
            responseType: 'code',
            redirectUri: callbackUrl
        });
    } else {
        lock.on('signin ready', function () {
            var link = $('<button class="auth0-lock-social-button auth0-lock-social-small-button" data-provider="windowslive" type="button">' +
                    '<div class="auth0-lock-social-button-icon"></div>' +
                    '<div class="auth0-lock-social-button-text">Log in with Internal Account</div>' +
                    '</button>');

            link.on('click', function () {
	        auth0.authorize({
	            connection: enterpriseConnection,
                    scope: 'openid',
                    responseType: 'code',
                    redirectUri: callbackUrl
                });
            });
            
            $('.auth0-lock-social-buttons-container').append(link);
            lock.show();
        });
    }
});

What’s happening now is that the getSSOData is being triggered in auth0-lock, and the checkSession method in there is using a predefined set of options where “token id_token” is set as its response type. The condition that’s currently triggering the error message is:

o.responseType.indexOf('code') === -1 && o.responseType.indexOf('id_token') !== -1

Is there a way where I can get auth0 working for IE10?

kimcodes · June 29, 2018, 5:51pm

@intergalena I see there is a support ticket open and is currently being worked on to resolve the situationl but I am inputting the response here in case others come across this situation. There seems to be a case with IE 10 as it does not have a secure way to generate a cryptographically secure value to be used in the nonce. The feedback has been given to our Lock/Auth0.js team. Are there many users trying to use your application with IE 10? One way could be to detect the situation in the browser and redirect users to use a more secure browser.

intergalena · July 1, 2018, 9:30pm

Hi @kimcodes, thanks for passing the feedback onto the Lock/Auth0.js team. Much appreciated. At this point in time, moving our users to use another browser is not an option. I’ll see what I can do on my end. Cheers!

johnarmstrong · August 23, 2018, 8:07pm

Big issue for us now as well. Hoping a fix can be developed. Our users can’t upgrade either.

system · September 22, 2018, 8:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.