Securing Electron Applications with OpenID Connect and OAuth2

Hey @pantneha47,
Thank you for joining the Auth0 Community and reading the tutorial.
Unfortunately, the image you provided shows no details about the problem raised.
To help you solve your issue, it could be useful to take a look at the messages associated with the Failed Login and Failed Exchange log entries.
Please, can you provide those details?

1 Like

Hi Andrea

This is what happened in the logs when user try to login -> logout -> login again.

When user try to login again from the login screen right after he clicked logout.
I get a message from auth0 api /token route:



The logout function run this:

logout = async () => {
  const { service, account } = this.keytar;
  await createLogoutWindow(`https://${this.auth.domain}/v2/logout?client_id=${this.auth.clientID}`);
  await keytar.deletePassword(service, account);
  storeService.logout();
  this.tokens = {
    accessToken: null,
    profile: null,
    refreshToken: null
  };
  this.userProfile = null; };

The logout window code:
import electron from 'electron';

const { BrowserWindow } = electron.remote;

export function createLogoutWindow(logOutUrl) {
  const logoutWindow = new BrowserWindow({
    show: false,
  });

  logoutWindow.loadURL(logOutUrl);

  logoutWindow.on('ready-to-show', async () => {
    logoutWindow.close();
  });
}

As you can see in the auth0 logs, even when the user have a successful login the /token api route returns 401 unauthorized.

If the user is closing the app opening it again and then try to login the /token route return a 200 OK.

Thanks a lot for your help,
David

Hi @david-blox, at a first look I’m noticing nothing wrong in your code.

The 401 HTTP status code may lead me to think that the value of the client_id parameter is not correct, maybe due to any wrong assignment. I think of this as a remote possibility, but please, check if the value of the client_id parameter is correct when you get the 401 HTTP status code.

Also, is there any special reason you are specifying the client_id parameter in the logout URL?
Have you tried to not provide the client_id parameter?
Have you configured any Allowed Logout URLs in the Auth0 dashboard?
Please, check out this document to get more info about using the client_id parameter.

Let me know if any of these attempts resolve your issue.

1 Like

Hi,

Today google blocks rendering the login page on un-trusted browsers.
How does auth0 solve this issue for electron?

I have 2 electron applications running on my local machine,as per blog i have implemented auth0 in both apps and used same env-variables.json file in both applications.
On logout from my first application it deletes all tokens from my machine , when i open my second application it doesn’t get refresh token and it goes to create auth0 window.
But loadTokens method gets called automatically from webRequest.onBeforeRequest because url contains code query parameter(http://localhost/callback?code=pGgrRpkkMmSKls36). How can i delete all sessions on logout so my second application open auth0 window when there is no refresh token available.

Hi @danielr,
If you are experiencing issues with that Google decision, you should open the login page in the system browser with the shell.openExternal() method instead of using loadURL(), similarly to how it applied here.
However, in desktop applications, this implementation opens a few issues related to usability and integration with the operating system. For this reason, in general, for Electron we are not suggesting this approach.
If you want to learn more, check out the following links:

Hey @Atul, I have a few questions since your scenario is not so clear to me.

  1. The two Electron applications running on your machine are two instances of the same application or two different applications?
  2. When you access the second application, don’t you get the Auth0 login page?

Also, you said:

…when i open my second application it doesn’t get refresh token and it goes to create auth0 window.
But loadTokens method gets called automatically from webRequest.onBeforeRequest because url contains code query parameter

The loadTokens() method is called automatically from webRequest.onBeforeRequest() after authentication, so it is not clear to me if, in your second app, the login page is shown or not.

Please, can you expand these points a bit? Thank you