Third Party app consent when not logged in

We are testing out auth0 for allowing our users to give third parties access to an api but I’m having some difficulty grasping a few concepts. I followed along this article to get me started: https://auth0.com/docs/protocols/protocol-oauth2

I created an application within our tenant called LionApp, used the API to mark it as 3rd party, and also elevated our database connection to domain-level… a little cumbersome, but so far so good. This is the link to /authorize that LionApp would put on their page for our users to click on:

https://acme-corp.us.auth0.com/authorize?audience=https://acme.com/campaigns&response_type=token&client_id=[lionappclientid]&redirect_uri=https://lionapp.com&scope=read:campaigns%20create:campaigns%20update:campaigns&prompt=consent

If one of our users is logged in and clicks on the link, they get the consent page as expected:

About as expected, although the reference to our “tenant” seems a little inside baseball and confusing for an average user of what exactly that is, and the lack of our company logo/branding is also odd, but I digress.

The main problem happens when the user may not be currently logged in to our application. When following the link the user is presented with this:

Our tenant logo is present, but the 3rd party application name is in the text, it’s not exactly clear what account I am supposed to log in with. Unless I notice the domain name in the browser it seems like a very confusing experience, possibly even suspicious.

I thought I could make it more obvious by customizing the universal login page… But, as soon as I tick the box to customize, and use the default Lock template, now following the link yields this:
Screenshot_1289

What am I missing here?

Hey @svickers - welcome to the Auth0 Community!

Could you please capture a HAR file of the issues you are having when the customize toggle is on, and send it to me via DM? You can find more information on how to get it here: https://toolbox.googleapps.com/apps/har_analyzer/

Thanks!

I figured out the problem in custom login… I was missing this in the lock config:
__useTenantInfo: config.isThirdPartyClient,

1 Like

Any other info on the rest of my post? Still grappling with understanding.

Hey, @svickers,

Without the HAR file I requested, it would be very difficult to diagnose the problems you are experiencing. Send it to me via DM once you have it ready!

Hello, @svickers,

I read your HAR but I don’t see any errors. Could you remind me what is the specific error you are facing now?

Thanks!

I’m trying to figure out if I am creating consent links for third party apps correctly. The biggest question is, when I’m not logged in and follow a link for api consent from a third party, it shows my company logo but the text is the name of the third party app. This seems confusing for users to understand which account they are actually signing in to. Should they login with my company credentials? Or the credentials of the third party?

Hello, @svickers,

In this case, you are using your tenant to log in to a third-party application. This means that you should be using your credentials in order to log in to the third party, which you have been able to set up to accept your authentication requests.

All of the authentication transactions that happen on your tenant should be against your tenant itself, unless you federate using any of our connections (Social, Enterprise). Only, and only in those cases, you can log in to the third party’s credentials. We don’t have any ways of knowing or passing on credentials to a third party otherwise - it would be insecure.

Hopefully this clears up some of the questions you might have.

Maybe i’m not being clear, let me back up. This is about a user giving a 3rd party application consent to access our APIs and not logging in with a 3rd party provider. We have APIs that the user can access from our application, and they can also grant 3rd party applications access to them… I know that the user is supposed to log in with the account on my tenant, but the way the page is presented to the user is less than clear.

Think of it like Calend.ly asking for access to your Google Calendar:


It is clear that I am signing in with my google account, to then give access to Calendly. It mentions “sign in with google”, and below even tells the user what will be shared with Calendly, a straightforward understanding of what is going on.

If this were re-created in auth0 it would look like this:


It is much less clear as a user, should I log in with my google account?.. or my Calendly account?

Boiling this down to 2 questions:

  1. Is this expected behavior?
  2. Is there any way to further customize the login so we can get rid of the application name?

Hello, @svickers,

Thanks for clarifying.

1.- Yes, this is expected behavior.
2.- You can fully customize this part of Lock via the languageDictionary option. You are looking for the title string.

That’s perfect, thanks!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.