
oidcConformant breaks redirectUrl?



I’m trying to retrieve a user’s accessToken with the correct audience using the Auth0 Lock. My code is as follows:

import Auth0Lock from 'auth0-lock';

// Lock options: oidcConformant switches Lock to the OIDC-conformant pipeline;
// auth.params is nested under auth (closing braces restored here, the post was cut off).
const lock = new Auth0Lock(clientId, domain, {
  oidcConformant: true,
  auth: {
    redirectUrl: `${ROOT_URL}/auth/signed-in`,
    responseMode: 'form_post',
    responseType: 'token',
    params: {
      scope: 'openid',
    },
  },
});

lock.show();

When oidcConformant is true, the Lock seems to disregard the redirectUrl and responseMode fields. Instead, it shows me “Thanks for logging in.” in the modal. Is this an intended behaviour or is this a bug?
Is there another way for me to get the user’s full access token while hiding it from the web client (considering we can only specify an auth.audience if we set oidcConformant to true)?


To my knowledge the oidcConformant flag in Lock is not yet formally documented and as such you should consider that it can change (even breaking changes) without any type of notification; in summary, unless you’re only experimenting, this may not be your best choice.

The Auth0.js v8 library already has full support for API authorization features (aka audience parameter) and, for now, should be your preferred choice when using it in web client applications.

Additionally, if you don’t want to expose the tokens to the client-side part of your application (aka browser) then you may also want to consider using the authorization code grant instead.