
Universal (hosted) login page defaults to authorization_code flow instead of implicit flow

lock
auth0

#1

When using the Auth0 Universal Login standard page built with Lock v11.2.1, the OpenID Connect authentication flow is automatically changed from “Implicit flow” (as specified by our SPA application) to “Authorization code” flow.

When investigating the Login Page I see the following code:

var lock = new Auth0Lock(config.clientID, config.auth0Domain, {
  auth: {
    redirectUrl: config.callbackURL,
    // `||` binds tighter than `?:`, so this line parses as
    // ((config.internalOptions || {}).response_type || config.callbackOnLocationHash) ? 'token' : 'code'
    responseType: (config.internalOptions || {}).response_type ||
      config.callbackOnLocationHash ? 'token' : 'code',
    params: config.internalOptions
  },
  // remaining Lock options were not included in the original post
});

For some unknown reason, it looks as if responseType is set to 'code' as a consequence of the following line of code:

config.callbackOnLocationHash ? 'token' : 'code'

What does this line of code do?

About our SPA application
Our Angular-based SPA application is configured in Auth0 as OIDC Conformant with the Implicit and Refresh Token grant types (Authorization Code is disabled).

Our SPA application is configured to use Auth0 Universal Login with the standard hosted login page based on Lock v.11.2.1.

Our Angular SPA application is built using the Auth0.js v9 SDK and is configured to use the Implicit authentication flow, i.e. response_type=token id_token.


#2

Hi @ottar

The line

responseType: (config.internalOptions || {}).response_type || config.callbackOnLocationHash ? 'token' : 'code',

means that it will use the response_type specified in the request, but if none was specified then it will default to token or code based on the callbackOnLocationHash config.

Just as a note, when setting the parameter using the Auth0.js SDK you must use camelCase and not snake_case for the property name (e.g. responseType: 'token id_token').

Hope this helps!
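The responseType line quoted in this thread is worth evaluating rather than reading, because in JavaScript `||` has higher precedence than the conditional operator: `a || b ? x : y` is parsed as `(a || b) ? x : y`. The following is an added example (not code from the original thread, from Lock, or from Auth0) that runs the expression exactly as it appears in the hosted login page template alongside a parenthesized version that matches the reading given in the answer above ("use the response_type from the request, otherwise fall back"), over a few constructed config objects. The config shapes and names are assumptions for illustration; the only thing taken from the page is the expression itself. Whatever the hosted page ends up sending, the security-relevant takeaway is that the response_type an application asks for and the one the authorization request actually carries can differ, so the callback handler should verify which flow it is in (tokens in the fragment vs. a code in the query) rather than assume it.

```javascript
// Added example: compares the responseType expression as written in the
// Lock-based hosted login page with the grouping the answer describes.
// Config objects below are constructed samples, not real tenant data.

// Exactly the expression from the login page template. Because `||` binds
// tighter than `?:`, this is evaluated as
//   ((config.internalOptions || {}).response_type || config.callbackOnLocationHash) ? 'token' : 'code'
// and can therefore only ever return the string 'token' or 'code'.
function responseTypeAsWritten(config) {
  return (config.internalOptions || {}).response_type ||
    config.callbackOnLocationHash ? 'token' : 'code';
}

// The grouping that matches the answer's description: pass the requested
// response_type through unchanged, and use the hash-based default only
// when the request did not specify one.
function responseTypeIntended(config) {
  return (config.internalOptions || {}).response_type ||
    (config.callbackOnLocationHash ? 'token' : 'code');
}

// Constructed sample configs (assumed field names follow the snippet):
//  - a SPA using implicit flow with hash callbacks
//  - the same SPA with hash callbacks disabled
//  - a regular web app explicitly requesting the authorization code flow
//  - requests that carry no response_type at all
const SAMPLE_CONFIGS = {
  spaImplicit: {
    internalOptions: { response_type: 'token id_token' },
    callbackOnLocationHash: true,
  },
  spaImplicitNoHash: {
    internalOptions: { response_type: 'token id_token' },
    callbackOnLocationHash: false,
  },
  webAppCode: {
    internalOptions: { response_type: 'code' },
    callbackOnLocationHash: false,
  },
  noResponseTypeHash: {
    internalOptions: {},
    callbackOnLocationHash: true,
  },
  noResponseTypeNoHash: {
    internalOptions: undefined,
    callbackOnLocationHash: false,
  },
};

// Evaluates both forms for every sample config and returns a table keyed
// by config name, so the two results can be compared side by side.
function compare(configs = SAMPLE_CONFIGS) {
  const rows = {};
  for (const [name, cfg] of Object.entries(configs)) {
    rows[name] = {
      asWritten: responseTypeAsWritten(cfg),
      intended: responseTypeIntended(cfg),
    };
  }
  return rows;
}

console.table(compare());
```

Note the `webAppCode` row: a request that explicitly asks for `code` is turned into `token` by the expression as written, while the parenthesized form preserves it, and a request carrying `token id_token` is reduced to bare `token` in the first form, which drops the id_token the SPA expects. Any divergence like this is visible in the redirect that leaves the hosted page, so comparing the outgoing `response_type` parameter against what the application configured is the quickest way to confirm which behaviour a given deployment has.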