This topic mainly concerns the Auth0 Extension API. I hope the category is OK with you.
I just set up the Auth0 Authorization Extension for my client. As I have an SPA & API, I followed these tutorials:
- SPA API scenario: https://auth0.com/docs/architecture-scenarios/spa-api/part-2
- Django API authorization: https://auth0.com/docs/quickstart/backend/django/01-authorization
The rule “Access token scopes” did not work for me. I had to change it a bit.
context.accessToken.scope = filteredScopes;
context.accessToken.scope = 'openid%20profile%20' + filteredScopes;
context.idToken.scope = permissions.join(' ');
'openid%20profile%20', the token wasn't in the response (but no errors, the connection went well).
Without the second line, the token did not contain the scope parameter (even though in Auth0 API Extension > Configuration > Token Contents I had activated “Permissions”).
As I had to update the rule to make it work, I would like to know whether I introduced any security breach.
Another point: the Auth0 Extension automatically creates an application with no type (auth0-authz). To make it work I had to set the Machine to Machine type on this application. Later I tried to communicate with the extension API, but couldn't. I had to activate Client Credentials in Advanced Settings > Grant Types, which is not specified in the tutorials.
Same question as before: could these changes introduce any security breach?
Another point: to access the Auth0 Extension API, I used the following tutorial to request the token:
I'm using Python 3.6. I was logged in to Auth0 when reading the tutorial, so the variables were filled in.
I had to replace the line:
conn = http.client.HTTPSConnection("")
with:
conn = http.client.HTTPSConnection("<MY_TENANT>.<MY_ZONE>.auth0.com")
And the line:
conn.request("POST", "/<MY_TENANT>.<MY_ZONE>.auth0.com/oauth/token", payload, headers)
with:
conn.request("POST", "/oauth/token", payload, headers)
Last point, totally different: I had to create an account on the Auth0 Community to send this message, in the name of my client.
The activation email was sent, but we had trouble with our mailbox, so we never received it.
At login, we get the message: “Your account is awaiting activation, use the forgot password link to issue another activation email.”
It is not possible to log out in this case; I had to use private browsing.
Then I used the forgot password link, but you cannot issue another activation email via this form. So I reset the password, but it did not change anything.
Then I tried to send it from my personal account, but I forgot the password and I never received the forgot password email…
Anyway, I am now posting with a newly created Auth0 account.
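To reason about the security question around the modified “Access token scopes” rule, it helps to have the filtering logic as a plain function that can be run outside Auth0. The block below is an added example, not the tutorial's rule and not the poster's code: a hypothetical `filterScopes` helper plus a rule-shaped wrapper, with constructed sample permissions and scope names. The defender-relevant property it demonstrates is that the client's request can only contribute standard OIDC scopes, while every API scope (a name containing `:`) comes from the permissions the Authorization Extension stored for the user, so requesting an extra scope does not grant it. It also shows why the scope string must be joined with plain spaces: the OAuth 2.0 `scope` parameter is space-delimited (RFC 6749 §3.3), and `%20` is the transport's percent-encoding of that space, so a literal `openid%20profile%20` inside the rule is a single unrecognised token rather than two scopes. The allow-list in `STANDARD_SCOPES` and the `context.request.body.scope` / `context.request.query.scope` lookup are assumptions made for the example.

```javascript
// Added example, not the tutorial's rule nor the poster's code. A pure helper
// doing the job of the "Access token scopes" rule, so the filtering logic can
// be run and tested outside Auth0. STANDARD_SCOPES, the scope names and the
// sample user/context below are constructed for illustration.

// Standard OIDC scopes a client may request directly (assumed allow-list).
const STANDARD_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);

// requestedScope: the space-delimited scope string the SPA sent (RFC 6749 §3.3;
//   the transport percent-encodes spaces as %20, a rule sees plain spaces).
// permissions: permissions the Authorization Extension stored for the user.
// Returns the space-delimited scope string to place on the access token.
function filterScopes(requestedScope, permissions) {
  const requested = String(requestedScope || '').split(' ').filter(Boolean);
  // Only standard scopes pass through from the request. Any API scope (a
  // name containing ':') has to come from the user's permissions, so a
  // client cannot escalate by simply asking for 'delete:timesheets'.
  const kept = requested.filter((s) => STANDARD_SCOPES.has(s));
  const granted = (permissions || []).filter((p) => p.indexOf(':') >= 0);
  // De-duplicate while keeping order, then join with single spaces.
  return Array.from(new Set(kept.concat(granted))).join(' ');
}

// Rule-shaped wrapper with the (user, context, callback) signature Auth0
// rules use; which context fields carry the request is an assumption here.
function accessTokenScopesRule(user, context, callback) {
  const authz = (user.app_metadata && user.app_metadata.authorization) || {};
  const req = context.request || {};
  const requested = (req.body && req.body.scope) || (req.query && req.query.scope) || '';
  context.accessToken.scope = filterScopes(requested, authz.permissions || []);
  callback(null, user, context);
}

// Stand-alone demonstration on constructed data: the SPA asks for
// delete:timesheets, but the user was only granted read:timesheets.
function demo() {
  const user = { app_metadata: { authorization: { permissions: ['read:timesheets'] } } };
  const context = {
    request: { body: { scope: 'openid profile read:timesheets delete:timesheets' } },
    accessToken: {},
  };
  let result;
  accessTokenScopesRule(user, context, (err, u, ctx) => { result = ctx.accessToken.scope; });
  return result; // 'openid profile read:timesheets'
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running `node` on this file prints the scope the rule would place on the token; the API scope the client asked for but was not granted is absent, which is the property to check after any change to the rule. Feeding the rule a percent-encoded string such as `openid%20profile%20read:timesheets` yields only the permission-derived scopes, because the string never splits into separate scopes.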