Unexpected Response from Hosted Page

4rrow88 · June 7, 2017, 12:14pm

I have have customized my hosted page slightly with the following code:

var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
      auth: {
        redirectUrl: config.callbackURL,
        responseType: 'token',
        params: {
          "audience": "https://api.<mydomain>.com",
          "scope": "openid profile email"
        }
      },

And the problem I am having is that when I redirect to the hosted page and log in I get this response:

  {accessToken: "NeBZE6lBSFQ_xVRL", idToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVX…htJBDkuGLCI-IRwixliKk3JaMxl5x1eRlNVIxsPb6ceR-KXFQ", idTokenPayload: Object, appStatus: null, refreshToken: null…}

Rather than a JWT accessToken I just get a short code along with an idToken and idTokenPayload object. Then if I log out, then log in again via clicking the “Last time you logged in with” link I get the expected response:

{accessToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVX…ls54ixMbu9qNBdnIvuVnl2YRLs6VU544AeGvZ56P5aE2a6dDg", idToken: null, idTokenPayload: null, appStatus: null, refreshToken: null…}

Then if I log out and log in again but click “Not your account?” and type in the credentials again I once again get the opaque token the first time and then the expected token on subsequent logins via “Last time you logged in with” link. If I disable Remember last login then I always get the opaque token.

bragma · June 7, 2017, 1:52pm

Are you sure you are not changing anything in your auth.js options between logout and login? The first access token seems a jwt from the new flow, while the second one is an opaque token. Maybe you messed/missed your client id?

4rrow88 · June 7, 2017, 6:37pm

Pretty sure nothing is being changed, the options are configured in the hosted page script all I’m doing on the client is redirecting to the hosted page when the user clicks the login link and when they click logout the token is removed from local storage. I have updated my question above to try and more accurately describe what is happening.

bragma · June 7, 2017, 6:51pm

The difference in the accessToken is important. The first one is the “old flow” access token, while the second one is the new one. There are different factors that determine which flow you are using.
May I suggest you to log out the “config” object and Auth0Lock 3rd argument, i.e. { auth: … } just to be sure they are not changing due to the way you access the hosted page? A simple “console.log” is enough.

4rrow88 · June 8, 2017, 3:39am

Looks like I’ve fixed my issues by reverting the hosted page code to standard and instead configuring my options on the client and logging in via the auth0.authorize() method instead of just a link to the hosted page. I was following a guide that must have been based on the “old flow” as well as reading docs based on the “new flow” so must have got my wires crossed, thanks for your help.

Topic		Replies	Views
Hosted login page not redirecting with an id_token Help hosted-login-page	8	4097	August 29, 2019
If you are using Auth0 Lock and trying to get a JWT token returned JWT.io lock , jwt , id_token , auth0-lock	2	5859	September 6, 2018
Opaque token returned for hosted lock with audience param Help access-token , api-authorization	3	4400	August 27, 2019
No receiving IDToken Help	3	2378	July 8, 2020
Hosted login - select_account breaks state Help bug , hosted-login-page	7	4834	January 13, 2019

Unexpected Response from Hosted Page

Related Topics