Receive an opaque `access_token` when the user comes from DB but a JWT if the user comes from social (Google)

Hello:

I have an application executing authentication using an authorization code via the /code/token endpoint. I am receiving an id_token and an access_token.

The flow works perfectly when the user chooses Google authentication. In that case I receive the access_token in JWT format, the token validates properly and all.

The flow fails when the user uses the username/password in the lock screen. In that case I receive the access_token as an opaque string. And everything breaks from that point forward.

My requests for authorize and get tokens are identical for both cases.

Thanks


Hey scaredFinger,

See this:
https://auth0.com/docs/tokens/reference/access-token/access-token-formats

You need to specify an audience for the access token.

John

Hello John. Thanks so much for your response.

This is the thing. I am sending the audience to the /authorize request. And it's the same for both user authentications.

My request to authorization is:

    -- Authorization request (hosted login page URL). The audience is passed
    -- so that the access token is issued for that API.
    local authorize_uri = string.format(
        "https://%s/login?client=%s"
            .."&protocol=oauth2"
            .."&responseMode=query"
            .."&response_type=code"
            .."&scope=openid%%20profile"  -- the space must be URL-encoded; %% is a literal % in string.format
            .."&audience=%s"
            .."&nonce"                    -- nonce is sent here without a value
            .."&redirect_uri=%s",
        authorize_domain,
        authorize_client,
        authorize_audience,
        authorize_callback)

My request to get tokens:

    -- Token endpoint: the authorization code is exchanged here
    local get_token_request = string.format(
        "https://%s/oauth/token",
        authorize_domain)

    -- Body of the token request (authorization_code grant)
    local payload = {
        grant_type = "authorization_code",
        code = code,
        client_id = authorize_client,
        client_secret = authorize_secret,
        redirect_uri = authorize_callback
    }

And remember: It works for social (google) just fails for database

Cheers
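A worked example, added here and not part of the thread or of Auth0's own code, of the two points raised above: sending the audience in a correctly URL-encoded authorization request, and checking on the callback whether the returned access_token is actually a JWT for that audience instead of discovering it later when "everything breaks". It assumes the standard OAuth2 /authorize endpoint and parameter names (response_type, client_id, audience, redirect_uri, state, nonce); the tenant domain, client id, API identifier and callback URL are placeholders, and the sample token is constructed with a placeholder signature.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

# Constructed placeholder values; in a real deployment these come from configuration.
AUTH0_DOMAIN = "example-tenant.auth0.example"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
API_AUDIENCE = "https://api.example.test/"        # API identifier registered for the tenant
CALLBACK_URL = "https://app.example.test/callback"


def build_authorize_url(domain, client_id, audience, redirect_uri, state=None, nonce=None):
    """Build the /authorize request for the authorization-code flow.

    urlencode() encodes the space in the scope and the reserved characters in
    the audience and redirect URI, so the audience reaches the server intact.
    state (CSRF binding) and nonce are generated if not supplied; the caller
    stores them and compares them on the callback before using the code.
    """
    state = state or secrets.token_urlsafe(32)
    nonce = nonce or secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "response_mode": "query",
        "client_id": client_id,
        "scope": "openid profile",
        "audience": audience,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return f"https://{domain}/authorize?{urlencode(params)}", state, nonce


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_access_token(token, expected_audience):
    """Classify an access token as JWT or opaque and, for a JWT, read its audience.

    The claims are read only to diagnose the "opaque token" symptom from the
    thread: the signature is NOT verified here, so nothing returned may be used
    for authorization until the token is verified against the tenant's JWKS.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return {"format": "opaque", "audience_ok": False}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return {"format": "opaque", "audience_ok": False}
    if not isinstance(header, dict) or "alg" not in header or not isinstance(claims, dict):
        return {"format": "opaque", "audience_ok": False}
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return {
        "format": "jwt",
        "alg": header["alg"],
        "aud": aud,
        "audience_ok": expected_audience in aud,
    }


def make_sample_jwt(claims, alg="RS256"):
    """Constructed sample only: header and claims with a placeholder signature
    segment, enough to exercise inspect_access_token but failing any real check."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": alg, "typ": "JWT"}), enc(claims), "placeholder-signature"])


if __name__ == "__main__":
    url, state, nonce = build_authorize_url(AUTH0_DOMAIN, CLIENT_ID, API_AUDIENCE, CALLBACK_URL)
    print(url)
    jwt_token = make_sample_jwt({"iss": f"https://{AUTH0_DOMAIN}/", "aud": [API_AUDIENCE], "sub": "auth0|user"})
    print(inspect_access_token(jwt_token, API_AUDIENCE))     # format: jwt, audience_ok: True
    print(inspect_access_token("v1.opaque-token", API_AUDIENCE))  # format: opaque
```

Running inspect_access_token on the callback makes the database-vs-social difference visible immediately (opaque versus jwt, and whether the aud claim carries the API identifier), which is the first thing to check before looking at application settings.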

Hello John:

I have read all these docs, before starting and now that I am having the problem. I don't see what I might be missing. I am specifying an audience and still get the opaque token for database users only. I haven't been able to find any other similar case, neither on the forums nor on Google.

Please… I need a little more help here… I am completely stuck.

Thanks

Hi scaredfinger,

Is your application OIDC compliant? Check the advanced settings of your application in the Auth0 Dashboard. If not, that could be the issue.

John

Thanks John for your response. I have checked. The app wasn't OIDC. But I set it up as such and database now just fails. Social still works.

Starting to think I, for some reason, cannot use database together with social. It's just social that fails…

I will keep trying… Let me know if you get any more ideas.

Thanks again,
Cheers

I think I found the problem; this is a log entry from the error:

    Password login via OIDC-conformant clients with externally-hosted
    login pages is unsupported. Alternatively, login could have been initiated
    from the wrong place (e.g., a bookmark).

The thing now is, I am not entering the username and password on an externally hosted page; perhaps there is a setting that can help me here.

Thanks a lot