Auth0 Home Blog Docs

"nonce option is required" on IE10



Hi everyone,

I’m getting the “nonce option is required” on IE10.

The packages I’m using are auth0.js v9.6.1 and auth0-lock v11.7.2.

Below is my code:

var options = {
    allowSignUp: false,
    audience: clientDomain+'/userinfo',
    allowShowPassword: true,
    auth: {
        params: {
            scope: 'openid'
        redirectUrl: callbackUrl
    closable: false,
    error: {
        login: {
            'lock.fallback': 'Wrong email or password',
            'lock.invalid_email_password': 'Wrong email or password'

var lock = new Auth0Lock(clientId, clientDomain, options);
var auth0 = new auth0.WebAuth({
    domain: clientDomain,
    clientID: clientId,
    redirectUri: callbackUrl,
    responseType: 'token'

auth0.checkSession({}, function(err, ssoData) {
    if (!err && ssoData) {
            scope: 'openid',
            responseType: 'code',
            redirectUri: callbackUrl
    } else {
        lock.on('signin ready', function () {
            var link = $('<button class="auth0-lock-social-button auth0-lock-social-small-button" data-provider="windowslive" type="button">' +
                    '<div class="auth0-lock-social-button-icon"></div>' +
                    '<div class="auth0-lock-social-button-text">Log in with Internal Account</div>' +

            link.on('click', function () {
	            connection: enterpriseConnection,
                    scope: 'openid',
                    responseType: 'code',
                    redirectUri: callbackUrl

What’s happening now is that the getSSOData is being triggered in auth0-lock, and the checkSession method in there is using a predefined set of options where “token id_token” is set as its response type. The condition that’s currently triggering the error message is:

o.responseType.indexOf('code') === -1 && o.responseType.indexOf('id_token') !== -1

Is there a way where I can get auth0 working for IE10?


:wave: @intergalena I see there is a support ticket open and is currently being worked on to resolve the situationl but I am inputting the response here in case others come across this situation. There seems to be a case with IE 10 as it does not have a secure way to generate a cryptographically secure value to be used in the nonce. The feedback has been given to our Lock/Auth0.js team. Are there many users trying to use your application with IE 10? One way could be to detect the situation in the browser and redirect users to use a more secure browser.


Hi @kim.noel, thanks for passing the feedback onto the Lock/Auth0.js team. Much appreciated. At this point in time, moving our users to use another browser is not an option. I’ll see what I can do on my end. Cheers!