I’ve built a mobile app using Ionic & Capacitor. I’ve resorted to building my own Auth UI, as unfortunately, I find the UX of using the Auth0 SDK does not fit my requirements. It opens a Safari window, then logs the user in and then bounces them back to the app, often doing two bounces back and forth before actually logging the user in. I instead want the user to stay in the app, and only leave for doing social logins such as Google, Facebook or Apple.
Apple and Facebook are pretty straightforward; you have guides for those on using the urn:ietf:params:oauth:grant-type:token-exchange grant to exchange the social artefact for an Auth0-issued access token. However, there is nothing on there for Google, and when I search the forums I can see that you’ve mentioned to other people that this feature isn’t possible. I’ve also seen on another topic that someone managed to get it working using a different endpoint, and the support person in question stated that the subject_token_type wasn’t required for Google, despite it showing as “required” in the API documentation.
I find it strange (and disappointing if true) that this is currently impossible via Auth0, particularly when the endpoint reference for Token Exchange for Native Social shows no particular bias to Google or Facebook and suggests that any trusted provider can be used. Additionally, your implementation documentation also clearly states that generic OAuth 2 servers can be connected to Auth0 (Connect Apps to Generic OAuth2 Authorization Servers), so I fail to understand why this would not be possible.
If someone can advise on this that would be greatly appreciated.
After investigating Postman, I’ve discovered that there is a subject token type for Google, although it is not mentioned in your documentation. This token type allows the exchange of Google ID tokens for Auth0 access tokens.
However, it seems intentionally disabled with no option to enable it.
"error_description": "Grant type urn:ietf:params:oauth:grant-type:token-exchange with subject_token_type http://auth0.com/oauth/token-type/google-id-token is not enabled for this client"
I know this is legitimate because if I incorrectly spell the subject token type, I get the following error instead:
This indicates that the subject token type does indeed exist.
Can someone please just enable this feature? I’ve encountered numerous users requesting the same support, and it’s evident that the functionality is present in your code.
If this is yet another limitation of Auth0 that prevents optimal UX for my users, I will consider leaving Auth0 across all my accounts and startups, for some of which we pay Okta a substantial amount each month. I am willing to swallow the pill that is the migration work required for my developers.
I apologize for the direct and frustrated tone of this message, but my experience with Auth0 has been a series of frustrations involving basic functionality limitations, poor support responses, and conflicting or outdated documentation and SDKs.
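As an added example (not code from the post, nor Auth0's own), here is a Python client-side helper for the exchange described above: it builds the token-exchange request for a Google ID token, sanity-checks the token's iss/aud locally before sending it, and recognises the "is not enabled for this client" error quoted in the post so the app can fall back to another login path instead of retrying a disabled grant. The grant type and subject_token_type URI come from the post; the /oauth/token path and the subject_token, client_id, audience and scope parameter names are assumed from Auth0's Native Social token exchange reference, and all domains and client IDs are placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Identifiers quoted in the post's error message.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
GOOGLE_ID_TOKEN_TYPE = "http://auth0.com/oauth/token-type/google-id-token"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_id_token(claims: dict) -> str:
    """Constructed, UNSIGNED JWT for offline demonstration only; real Google ID tokens are RS256-signed."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def id_token_claims(id_token: str) -> dict:
    """Unverified payload decode: a local iss/aud sanity check, not a substitute for Auth0's verification."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def build_google_exchange(domain, client_id, audience, scope, id_token, google_client_id):
    """Return (url, form body) for the native-social token exchange request (parameter names assumed)."""
    claims = id_token_claims(id_token)
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("ID token was not issued by Google")
    if claims.get("aud") != google_client_id:
        raise ValueError("ID token audience is not this app's Google client ID")
    form = {"grant_type": TOKEN_EXCHANGE_GRANT, "subject_token_type": GOOGLE_ID_TOKEN_TYPE,
            "subject_token": id_token, "client_id": client_id, "audience": audience, "scope": scope}
    return f"https://{domain}/oauth/token", urlencode(form)


def classify_exchange_error(body: str) -> str:
    """Label the /oauth/token error body so the app can fall back cleanly
    (e.g. to the SDK's browser login) instead of retrying a disabled grant."""
    try:
        err = json.loads(body)
    except ValueError:
        return "unparseable"
    desc = err.get("error_description", "")
    if GOOGLE_ID_TOKEN_TYPE in desc and "is not enabled for this client" in desc:
        return "google_exchange_not_enabled"
    return err.get("error", "unknown")
```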
After writing the last reply, I then submitted a support request but received no response. When I finally reached out to the sales team, I promptly heard back from a representative who promised to obtain an answer from the engineering team.
I explained our situation: one of our startups has recently secured significant investment and is set to transition into scale up status. Our decision to either scale with Auth0 or migrate to a competitor/proprietary solution hinges on receiving a satisfactory response to our inquiry.
We’re hesitant to commit long-term to a company that will eventually charge us 50k-100k+ monthly while neglecting our basic needs.
Nearly two weeks have passed since this conversation, and I’ve yet to hear back from the salesman. Auth0’s apparent eagerness to respond to sales inquiries but not support requests is concerning, especially as we consider relying on them for our authentication needs.
We’ve set September 1st as our decision deadline. If we don’t receive a response by then, I’ll initiate the process of withdrawing the three companies I work with from Auth0. We cannot justify rewarding poor service.
It turns out the google-id-token is a hidden feature, referred to by the support team as “early access only”.
They basically outright refused to enable it for me, despite the fact I pay for several accounts with Auth0 and despite the fact I offered to provide testing feedback to assist them.
So there you have it, another slap in the face, another limitation, another hindrance. I’ve imposed the deadline of 1st September; if it’s not enabled, I’m moving all our accounts away and we’ll either opt for proprietary or a competitor, as at this point using Auth0 is more limiting than anything else.
As I said above, bad customer service cannot and will not be rewarded.