Hi, I’m having some trouble working with Auth0.js and I’m hoping someone can help clear a few things up for me.
I currently have a SPA where I want the user to be able to log in and out. I’m using Lock.js for the login/logout UI and auth0.js for functions like checkSession(), which I call first thing when the app loads so that the user is signed in silently if they had already been logged in recently. I also have a Node API backend, and I want to use auth0 access tokens to authorize access to those endpoints.
Right now what I’m doing is that I have the audience parameter in my auth0.webAuth set to https://myauth0domain/userInfo, which successfully overrides the pesky consent_required error that I kept getting (I understand that that is a side effect of developing locally). But this means that when I authenticate, I get a short, non-JWT string as my access token. I read on a different forum post that I have to set the audience parameter as my API audience (the one listed on the auth0 dashboard for the custom API I set up).
So here are my questions:
- What are some general solutions for this kind of setup?
- Do I need to make separate requests for authenticating the user into my SPA and getting access tokens?
- Is it just a matter of correctly configuring my hosts file so that I no longer get the consent_required error?
- I am familiar with the consent popup that comes up when you try to log in, using Lock.js for example, and the app asks the user to give consent to perform certain actions as specified in the scopes. Is this different from the consent_required error that I keep getting in my console for silent auth? I tried to handle the consent_required error by displaying the login UI whenever that error came up and made the user log in, but the error loops through — even after I try to log in through the Lock UI, I still get the consent_required error.
Thanks for any and all help.