Auth0 Home Blog Docs

Unauthorized User after Login with NodeJs v7.8.0 and Lock



I am currently working on authenticating a user. First the user presses a button to request the login screen. Then the user’s browser (Chrome v60.0.3112.113) is directed to the Auth0 login screen. Note: the login redirect URL is listed in the Auth0 Client as an allowed URL redirect address. In the redirect page the hash from the URL is extracted and stored in the browser local storage. Then on the server-side I access the browser local storage to authenticate the user for route specific approval.

However, I am unable to authenticate a user for a specific client. Let’s assume the user in this example has previously signup and is assigned the role of admin. Right now, this admin user is able to be directed to Auth0 Lock login screen. This user uses the Auth0 database login feature. After login, Auth0 redirects the user to the correct URL redirect address. This redirect URL HTML page only processes the URL hash fragment to verify if Auth0 allowed access to this client based on the user requesting access.

The below constructor from the redirect page does process correctly, however, it errors out and give this response:

{error: "unauthorized", errorDescription: "Access denied.", state:"KJH...YTRF"}

When I go into the Auth0 dashbaord > User > Select this admin user > Authorized Clients, there are no clients listed. I suspect this could be why this admin user is being returned by Auth0 as an unauthorized user and then access is denied. The CORS section of the Client, the localhost URL is listed to allow cross origin requests.

Can someone explain why this is happening and how it can be corrected?

Thanks in advance.

HTML for Redirect After Login Attempt

On the redirect page, the html page initializes the following constructor:

var auth0 = new auth0.WebAuth({ 
       domain: "",
       clientID: "ednd.....uhgf"
auth0.parseHash(window.location.hash, function (err, result) {
      console.log("Sending Error Message From HTML Page")
  }else if(!err){
      console.log('no error was given')
      parent.postMessage(err || result, 'http://localhost/redirect2')

Login Page:

  <meta charset="UTF-8">

  <button id="btn-login">
    Log In
  <script src="" integrity="sha256-evf..ghr=" 
  <script src=""></script>
    (function () {
        var webAuth = new auth0.WebAuth({
       domain: '',
       clientID: 'clientId',
       redirectUri: 'http://localhost/redirectUrl',
       responseType: 'id_token',
       scope: 'openid profile'

    var loginBtn = document.getElementById('btn-login');
    loginBtn.addEventListener('click', function (e) {

    function handleAuthentication() {
          webAuth.parseHash(function (err, authResult) {
          if (authResult && authResult.idTokenPayload) {
          window.location.hash = '';
          alert('your user_id is: ' + authResult.idTokenPayload.sub);