I have customized my hosted page slightly with the following code:
var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
  auth: {
    redirectUrl: config.callbackURL,
    responseType: 'token',
    params: {
      "audience": "https://api.<mydomain>.com",
      "scope": "openid profile email"
    }
  },
  // ... (any further options are not shown in the post)
});
And the problem I am having is that when I redirect to the hosted page and log in I get this response:
{accessToken: "NeBZE6lBSFQ_xVRL", idToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVX…htJBDkuGLCI-IRwixliKk3JaMxl5x1eRlNVIxsPb6ceR-KXFQ", idTokenPayload: Object, appStatus: null, refreshToken: null…}
Rather than a JWT accessToken I just get a short code along with an idToken and idTokenPayload object. Then if I log out, then log in again via clicking the “Last time you logged in with” link I get the expected response:
{accessToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVX…ls54ixMbu9qNBdnIvuVnl2YRLs6VU544AeGvZ56P5aE2a6dDg", idToken: null, idTokenPayload: null, appStatus: null, refreshToken: null…}
Then if I log out and log in again but click “Not your account?” and type in the credentials again I once again get the opaque token the first time and then the expected token on subsequent logins via “Last time you logged in with” link. If I disable Remember last login then I always get the opaque token.
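
A diagnostic for telling the two response shapes above apart, as an added example that is not part of the original post. The function names, the `API_AUDIENCE` placeholder (standing in for the redacted audience) and the sample JWT are constructed here. It reads only the token's shape and unverified claims and does not validate the signature.

```javascript
// Added example (Node.js). Diagnostic only: no signature validation is done,
// so nothing returned here may be used for an authorization decision.

// Decode one base64url JWT segment into an object; null if it is not JSON.
function decodeSegment(segment) {
  try {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    const parsed = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return parsed !== null && typeof parsed === 'object' ? parsed : null;
  } catch (e) {
    return null;
  }
}

// Classify an accessToken as 'missing', 'opaque' or 'jwt', and for a JWT
// report whether its (unverified) aud claim contains the expected API audience.
function classifyAccessToken(token, expectedAudience) {
  if (typeof token !== 'string' || token.length === 0) return { kind: 'missing' };
  const parts = token.split('.');
  if (parts.length !== 3) return { kind: 'opaque' };
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  if (!header || typeof header.alg !== 'string' || !payload) return { kind: 'opaque' };
  // aud may be a single string or an array of strings.
  const audience = [].concat(payload.aud === undefined ? [] : payload.aud);
  return {
    kind: 'jwt',
    alg: header.alg,
    audience: audience,
    audienceMatches: audience.includes(expectedAudience),
  };
}

// Helper used only to build the constructed sample below.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const API_AUDIENCE = 'https://api.example.com'; // placeholder for the redacted audience
const sampleOpaque = 'NeBZE6lBSFQ_xVRL';        // the short accessToken quoted in the post
const sampleJwt = [                              // constructed, unsigned sample
  b64url({ typ: 'JWT', alg: 'RS256' }),
  b64url({ aud: [API_AUDIENCE, 'https://other.example.com'], scope: 'openid profile email' }),
  'constructed-signature',
].join('.');

console.log(classifyAccessToken(sampleOpaque, API_AUDIENCE));
console.log(classifyAccessToken(sampleJwt, API_AUDIENCE));
```

Logging the result of `classifyAccessToken(authResult.accessToken, ...)` in the Lock callback for each login path shows which paths return a token carrying the API audience.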