We are testing out auth0 for allowing our users to give third parties access to an api but I’m having some difficulty grasping a few concepts. I followed along this article to get me started: https://auth0.com/docs/protocols/protocol-oauth2
I created an application within our tenant called LionApp, used the API to mark it as 3rd party, and also elevated our database connection to domain-level… a little cumbersome, but so far so good. This is the link to /authorize that LionApp would put on their page for our users to click on:
If one of our users is logged in and clicks on the link, they get the consent page as expected:
About as expected, although the reference to our “tenant” seems a little inside baseball, and it is confusing for an average user to know what exactly that is; the lack of our company logo/branding is also odd, but I digress.
The main problem happens when the user may not be currently logged in to our application. When following the link the user is presented with this:
Our tenant logo is present, but the 3rd party application name is in the text, so it’s not exactly clear what account I am supposed to log in with. Unless I notice the domain name in the browser it seems like a very confusing experience, possibly even suspicious.
I thought I could make it more obvious by customizing the universal login page… But, as soon as I tick the box to customize, and use the default Lock template, now following the link yields this:
What am I missing here?
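For readers following the same OAuth2 flow, here is an added example (not code from the original post, and not Auth0's own library) of what the third-party side of the link in the post looks like in code: how a client such as the "LionApp" described above would build its `/authorize` link and then check the callback it receives. It goes slightly beyond the post by adding a `state` value and a PKCE code challenge to the request, which are the standard defences against a forged or replayed callback; the tenant domain, client ID, redirect URI and audience below are constructed placeholders, not values from the post.

```python
"""
Added example (not from the original post or from Auth0): building the
/authorize link a third-party client puts on its page, and verifying the
callback. Every value below is a constructed placeholder.
"""
import base64
import hashlib
import secrets
import urllib.parse

# Constructed placeholders; a real client would use its tenant's values.
TENANT_DOMAIN = "example-tenant.auth0.com"          # placeholder tenant domain
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"                  # placeholder client id
REDIRECT_URI = "https://lionapp.example/callback"    # placeholder redirect URI
AUDIENCE = "https://api.example.com/"                # placeholder API identifier


def make_code_verifier() -> str:
    """RFC 7636 code verifier: 43-128 URL-safe characters, kept server-side."""
    return secrets.token_urlsafe(64)  # 86 characters


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(state: str, code_verifier: str,
                        scope: str = "openid profile read:data") -> str:
    """Compose the /authorize link the third-party app places on its page.

    `state` must be a per-session random value stored by the client so the
    callback can be tied back to the browser session that started the flow.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "audience": AUDIENCE,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"https://{TENANT_DOMAIN}/authorize?" + urllib.parse.urlencode(params)


def authorize_params(url: str) -> dict:
    """Flatten the query string of an authorize URL for inspection."""
    parsed = urllib.parse.urlparse(url)
    return {k: v[0] for k, v in urllib.parse.parse_qs(parsed.query).items()}


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if the callback's state is ours.

    A missing or mismatched state means the redirect was not started by this
    session (or was tampered with) and the code must not be exchanged.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(
            state.encode("utf-8"), expected_state.encode("utf-8")):
        raise ValueError("state mismatch: callback was not initiated by this session")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one authorization code")
    return codes[0]


if __name__ == "__main__":
    session_state = secrets.token_urlsafe(16)
    verifier = make_code_verifier()
    print(build_authorize_url(session_state, verifier))
```

The client keeps `session_state` and `verifier` in its own session store; after the consent page the user lands on `REDIRECT_URI`, `parse_callback` checks the returned `state`, and only then is the code sent to the token endpoint together with the original verifier.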