Silent login doesn't return "consent required" when consent is required

I have an app that is using Auth0 to SSO in via GSuite. After I sign into the app, I am removing the app from the GSuite consented-apps list.

After doing this I am calling the silent auth API with the following parameters:
audience= &
client_id=clientid &
connection=connectionname &
redirect_uri=myappslogin endpoint &
response_type=token &
nonce=123445667 &
scope=read:current_user &
prompt=none &

When I run silent auth it returns with no error and in fact with no parameters at all to the callback URL.

I have tested with the user logged in to the Auth0 session and GSuite and it works fine. I have also tested with the user signed out of the Auth0 session and it returns the login_required error fine.

What am I missing here? Any help is appreciated.


In that flow, you need to keep in mind that there are authentication sessions (mostly independent) both at the Auth0 tenant and at the Google service. In addition, there is also the concept of consent at the same two locations.

For Google you have consent in terms of letting a specific client application rely on your user identity; that client application represents the Auth0 tenant.

In the case of Auth0, consent is associated with the audience of the authentication request; in your case the audience is just the user information endpoint, so there is no explicit consent required. In other words, no consent step is triggered for that audience.

Upon completing a login through Auth0 and Google you are left with valid sessions in those two places; given that a prompt=none request targeting the Auth0 service currently means that a response will be provided taking solely the Auth0 session into consideration, the fact that you remove the consent authorization in Google does not have any impact.

However, in a subsequent flow that starts with Auth0 but then needs to go to Google again, the removal of that consent would have a visible impact.

In conclusion, a silent authentication request targeting Auth0 returns a response based on Auth0 concepts, so removing consent at an upstream identity provider won't impact this particular flow. If you had a request for a custom API that requires consent and then removed consent (in Auth0 itself), then the silent authentication would indeed return consent_required.