Securing Electron Applications with OpenID Connect and OAuth2

Hi all,

I work on a new electron application with Auth0 and followed this guide to make it work:

In general it works pretty good but I have an issue with logout and login again from the same application instance.

When I logged in with a social app provider and then logout everything’s working good, but then when I try to log in again I get 401 Unauthorized when I call to /oauth/token with a code and grant type of authorization_code.

I thinks it’s related to the logout but I’m not sure about it.
When I logout I don’t see the ‘connection’ field in the logs even though I did see it on the first login.

on my logout function I’m clearing all the relevant tokens and data on the application side and also call this url to clear the session on the auth0 side:
https://${auth0.domain}/v2/logout?client_id=${auth0.clientID}

Best regards,
David

2 Likes

Thanks for reporting that. So as to work on that directly in a threat that is related to this blog article I’m moving it here from the separate thread.

1 Like

Hey, David! My teammate who handles Electron is on vacation at the time so I apologize in advance if we have a delayed response :slight_smile: I’ll consult with him when he gets back about the issue that you are experiencing.

1 Like

Hi i tried using twitter with demo it was working fine but the moment my DEV account get verified and copy-paste my API key and Secret API Key, I started getting .catch error

(node:20797) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 2)

[1] (node:20797) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

These are my log image

Hey there @pantneha47!

Thanks for reporting that. We’ll look into that as soon as the article author is back at the “office”

Thanks for the reply @andrea.chiarelli . Sorry I didn’t get an alert so didn’t see you had replied! OK this makes sense. Very useful resources :slight_smile:

1 Like

Glad we were able to help!

Hey @david-blox,
Thank you for reading our tutorial.
Unfortunately, I’m not able to reproduce the error you reported.

I assume you cleared the local authentication data after logging out (see the logout() function in auth-service.js).

Do you get any log entry in your Auth0 dashboard related to the authorization code exchange?

Also, a track of the HTTP messages exchanged between the app and the Auth0 server could help to understand what is happening.

It would be great if you can provide this further information.

Hey @pantneha47,
Thank you for joining the Auth0 Community and reading the tutorial.
Unfortunately, the image you provided shows no details about the problem raised.
To help you solve your issue, it could be useful to take a look at the messages associated with the Failed Login and Failed Exchange log entries.
Please, can you provide those details?

1 Like

Hi Andrea

This is what happened in the logs when user try to login -> logout -> login again.

When user try to login again from the login screen right after he clicked logout.
I get a message from auth0 api /token route:



The logout function run this:

logout = async () => {
  const { service, account } = this.keytar;
  await createLogoutWindow(`https://${this.auth.domain}/v2/logout?client_id=${this.auth.clientID}`);
  await keytar.deletePassword(service, account);
  storeService.logout();
  this.tokens = {
    accessToken: null,
    profile: null,
    refreshToken: null
  };
  this.userProfile = null; };

The logout window code:
import electron from 'electron';

const { BrowserWindow } = electron.remote;

export function createLogoutWindow(logOutUrl) {
  const logoutWindow = new BrowserWindow({
    show: false,
  });

  logoutWindow.loadURL(logOutUrl);

  logoutWindow.on('ready-to-show', async () => {
    logoutWindow.close();
  });
}

As you can see in the auth0 logs, even when the user have a successful login the /token api route returns 401 unauthorized.

If the user is closing the app opening it again and then try to login the /token route return a 200 OK.

Thanks a lot for your help,
David

Hi @david-blox, at a first look I’m noticing nothing wrong in your code.

The 401 HTTP status code may lead me to think that the value of the client_id parameter is not correct, maybe due to any wrong assignment. I think of this as a remote possibility, but please, check if the value of the client_id parameter is correct when you get the 401 HTTP status code.

Also, is there any special reason you are specifying the client_id parameter in the logout URL?
Have you tried to not provide the client_id parameter?
Have you configured any Allowed Logout URLs in the Auth0 dashboard?
Please, check out this document to get more info about using the client_id parameter.

Let me know if any of these attempts resolve your issue.

1 Like

Hi,

Today google blocks rendering the login page on un-trusted browsers.
How does auth0 solve this issue for electron?

I have 2 electron applications running on my local machine,as per blog i have implemented auth0 in both apps and used same env-variables.json file in both applications.
On logout from my first application it deletes all tokens from my machine , when i open my second application it doesn’t get refresh token and it goes to create auth0 window.
But loadTokens method gets called automatically from webRequest.onBeforeRequest because url contains code query parameter(http://localhost/callback?code=pGgrRpkkMmSKls36). How can i delete all sessions on logout so my second application open auth0 window when there is no refresh token available.

Hi @danielr,
If you are experiencing issues with that Google decision, you should open the login page in the system browser with the shell.openExternal() method instead of using loadURL(), similarly to how it applied here.
However, in desktop applications, this implementation opens a few issues related to usability and integration with the operating system. For this reason, in general, for Electron we are not suggesting this approach.
If you want to learn more, check out the following links:

Hey @Atul, I have a few questions since your scenario is not so clear to me.

  1. The two Electron applications running on your machine are two instances of the same application or two different applications?
  2. When you access the second application, don’t you get the Auth0 login page?

Also, you said:

…when i open my second application it doesn’t get refresh token and it goes to create auth0 window.
But loadTokens method gets called automatically from webRequest.onBeforeRequest because url contains code query parameter

The loadTokens() method is called automatically from webRequest.onBeforeRequest() after authentication, so it is not clear to me if, in your second app, the login page is shown or not.

Please, can you expand these points a bit? Thank you

Hi, this article is helpful and works. However, why is it not an official Quickstart in auth0?

Also, why is there no official electron module that we can just npm install? I’m sure loads of people are using auth0 with electron.

1 Like

That’s a good question! I guess you can share it as a feature request by creating a topic in our Feedback category here:

Feedback - Auth0 Community

1 Like

This topic was automatically closed 27 days after the last reply. New replies are no longer allowed.