Securing Electron Applications with OpenID Connect and OAuth2

Learn how to secure your Electron applications using standards like OpenID Connect and OAuth 2.0.
Read on :hammer_and_wrench:

This is an updated version of the original published post. The prior thread where difficulties with integrating Auth0 with Electron v7+ were discussed is still available.

This new blog post has been streamlined and trimmed to make it easier and faster to answer the question “How to secure an Electron app with user authentication?”. As such, the API step has been replaced with cloning the demo API.

If you have any struggles or thoughts about the article let us know here in the thread!

Tried three different ways…“Sign in with Google” freezes the electron app…Console shows: auth0.min.esm.js:8 Following parameters are not allowed on the /authorize endpoint: [is_submitting,sso]

Other errors: when logging in and title of the Electron said a russian word: Переадресация…

Other errors:

(node:6808) UnhandledPromiseRejectionWarning: Error: Request failed with status code 400
at createError (C:\NewFolders\electron-openid-oauth-master\electron-openid-oauthTry3\frontend\node_modules\axios\lib\core\createError.js:16:15)
at settle (C:\NewFolders\electron-openid-oauth-master\electron-openid-oauthTry3\frontend\node_modules\axios\lib\core\settle.js:17:12)
at IncomingMessage.handleStreamEnd (C:\NewFolders\electron-openid-oauth-master\electron-openid-oauthTry3\frontend\node_modules\axios\lib\adapters\http.js:236:11)
at IncomingMessage.emit (events.js:228:7)
at endReadableNT (_stream_readable.js:1185:12)
at processTicksAndRejections (internal/process/task_queues.js:81:21)
(node:6808) UnhandledPromiseRejectionWarning: Error: Request failed with status code 400
at createError (C:\NewFolders\electron-openid-oauth-master\electron-openid-oauthTry3\frontend\node_modules\axios\lib\core\createError.js:16:15)
at settle (C:\NewFolders\electron-openid-oauth-master\electron-openid-oauthTry3\frontend\node_modules\axios\lib\core\settle.js:17:12)
at IncomingMessage.handleStreamEnd (C:\NewFolders\electron-openid-oauth-master\electron-openid-oauthTry3\frontend\node_modules\axios\lib\adapters\http.js:236:11)
at IncomingMessage.emit (events.js:228:7)
at endReadableNT (_stream_readable.js:1185:12)
at processTicksAndRejections (internal/process/task_queues.js:81:21)
(node:6808) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing
inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 2)
(node:6808) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing
inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 2)
(node:6808) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
(node:6808) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Trying Windows and the git repo as-is (Electron 9, followed all directions for Auth0 configs: apiIdentifier, auth0Domain, clientId)

Hey @mfeldman143,
I’m not able to reproduce your issue. I need additional info to understand what is happening.

  • Do you get this error just with Google sign in or also with username and password?
  • Please, can you check if you have any error messages in the logs of your Auth0 Dashboard?
    You can access them from the Logs menu item on the left. You should see a screen like the following:

Please, provide me with this additional info. I will check it with our engineering team.
Thanks

Thanks for quick reply!
I managed to get it working after creating new Auth0 account and starting over.

Not sure which configuration is throwing it off. FYI: snapshot:

2 Likes

Perfect! Glad to hear that!

Hey @mfeldman143, happy to hear you resolved the issue, even if we didn’t actually understand what happened.
At a high level, the snapshot you sent seems to highlight some issues on the Google connection. If you want to try to better understand, you can expand the Failed Exchange and Failed Login items to get more info.

1 Like

Sorry. I had whitelist rules. That was the interference.

Regarding the Russian letters from Electron…I am getting that again this time from another scenario…my guess, something about the Electron npm packages.

Sorry. I had whitelist rules. That was the interference.

Thank you for sharing. Al least we have a reason for the error :smiley:

Regarding the Russian letters from Electron…I am getting that again this time from another scenario…my guess, something about the Electron npm packages.

It’s possible

1 Like

Hi. I’m quite new to OAuth/OpenId connect, so apologies if this is an obvious question.

What grant/flow is this example using? It looks like it is the Authorization Code flow, but as far as I can tell, you don’t pass a client secret.

Unless I’m missing something, according to the docs on the Auth0 Authentication API, it shouldn’t be possible to call the /oauth/token endpoint without either a client_secret (if using normal authorization code flow), or a code_verifier (if using Authorization code with PKCE)

To clarify, this is the call I’m confused about

 const exchangeOptions = {
    grant_type: "authorization_code",
    client_id: clientId,
    code: query.code,
    redirect_uri: redirectUri,
  };

  const options = {
    method: "POST",
    url: `https://${auth0Domain}/oauth/token`,
    headers: {
      "content-type": "application/json",
    },
    data: JSON.stringify(exchangeOptions),
  };

  try {
    const response = await axios(options);

Hi @robt1019,
Welcome to the Auth0 Community and thanks for reading the blog post.

Regarding your question, your concerns are legitimate.
OAuth2 best practices suggest using the Authorization code with PKCE flow when using an external browser. However, for desktop applications (like Electron ones), there are a few issues in using the system browser mostly related to the user experience.

To learn more about this, please read the following thread and/or watch this video.

2 Likes

Hi all,

I work on a new electron application with Auth0 and followed this guide to make it work:

In general it works pretty good but I have an issue with logout and login again from the same application instance.

When I logged in with a social app provider and then logout everything’s working good, but then when I try to log in again I get 401 Unauthorized when I call to /oauth/token with a code and grant type of authorization_code.

I thinks it’s related to the logout but I’m not sure about it.
When I logout I don’t see the ‘connection’ field in the logs even though I did see it on the first login.

on my logout function I’m clearing all the relevant tokens and data on the application side and also call this url to clear the session on the auth0 side:
https://${auth0.domain}/v2/logout?client_id=${auth0.clientID}

Best regards,
David

1 Like

Thanks for reporting that. So as to work on that directly in a threat that is related to this blog article I’m moving it here from the separate thread.

1 Like

Hey, David! My teammate who handles Electron is on vacation at the time so I apologize in advance if we have a delayed response :slight_smile: I’ll consult with him when he gets back about the issue that you are experiencing.

1 Like

Hi i tried using twitter with demo it was working fine but the moment my DEV account get verified and copy-paste my API key and Secret API Key, I started getting .catch error

(node:20797) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 2)

[1] (node:20797) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

These are my log image

Hey there @pantneha47!

Thanks for reporting that. We’ll look into that as soon as the article author is back at the “office”

Thanks for the reply @andrea.chiarelli . Sorry I didn’t get an alert so didn’t see you had replied! OK this makes sense. Very useful resources :slight_smile:

1 Like

Glad we were able to help!

Hey @david-blox,
Thank you for reading our tutorial.
Unfortunately, I’m not able to reproduce the error you reported.

I assume you cleared the local authentication data after logging out (see the logout() function in auth-service.js).

Do you get any log entry in your Auth0 dashboard related to the authorization code exchange?

Also, a track of the HTTP messages exchanged between the app and the Auth0 server could help to understand what is happening.

It would be great if you can provide this further information.