Username-Password-Authentication fails after lock update to 10.17

Have an angular2 app trying to fetch a token from auth0.
Using the following lock config object:

```js
const lockOptions = {
  oidcConformant: true,
  closable: false,
  container: "auth-lock",
  rememberLastLogin: false,
  allowSignUp: false,
  auth: {
    redirect: true,
    redirectUrl: environment.host,
    params: {
      audience: api.schools,
      scope: 'openid profile email'
    },
    responseType: "token"
  }
};
```

After lock update to 10.17 user login
(‘auth0’ provider and ‘Username-Password-Authentication’ connection)
will fail and return a status code of 401 and the message:

```json
{
  "error": "unauthorized_client",
  "error_description": "Cross origin login not allowed."
}
```

Ensure that you are calling the endpoint from a domain that is in the Allowed Callback URLs of your client settings, otherwise add the URL to the Allowed Origins (CORS).

same here. Already added localhost:5000 to the CORS of the application.

Getting the same issue, wasted a whole day on it. Any updates?

I am also getting the same issue. Even with my domain (testing on localhost) added to the allowed callback URLs and to the allowed origins, I am still having this issue.

When using lock version 10.11 the entire login/signup procedure is different. For login, the lock will simply go to …/auth0.com/oauth/token and obtain a proper bearer token. For signup the lock will go to …/auth0.com/dbconnections/signup, and then …/auth0.com/oauth/token to obtain the bearer token.

10.17 version goes to the authorize endpoint (…/auth0.com/co/authenticate) and then fails with the cross origin not allowed.

These are my options on 10.17 for the lock:

```js
var lockOptions = {
  oidcConformant: true,
  autoClose: true,
  auth: {
    //redirect: true,
    //redirectUrl: REDIRECT_URI,
    params: {
      audience: AUTH0_AUDIENCE,
      scope: "openid email"
    }
  }
};
```

It works if you use lock 10.16, but for some reason it doesn’t redirect after a login or signup to the redirectUrl.

I’m also having a problem. The callback url is already authorized in the client configuration, but the error continues.

The underlying reason for the behavior you’re experiencing is that, at the time this post was written, the oidcConformant toggle which you’re enabling is not formally documented.

(UPDATE it is now supported in Lock 10.22+)

This means that the behavior triggered by that toggle is also not documented nor supported and as such there might be changes (even what could possibly be considered breaking ones if this was part of a documented feature set) until the final version is reached and documented. We may consider reverting the observed behavior in 10.17.0 that was introduced under that toggle and which is significantly different than the previous one, however, even if that happens have in mind that you’re using undocumented features which is fine if you’re just experimenting, but not so recommended for anything else.

If you want to use API Authorization and/or OIDC conformance (which kind of go hand in hand), the current recommended approach for web applications would be to use Auth0.js version 8, in particular, the authorize method which would redirect to the hosted login page.

@jmangelo For me the working version is auth0-lock@10.18.0 but auth0-lock@10.22.0 is not working. Possibly it’s due to new Auth0Lock(..., ..., { oidcConformant: true, ... }).

How do you combine auth0.js#authorize() with the lock then? Auth0 should give us seamless integration and not make us study how integrate authorize() with lock.

It was already being discussed here: Audience with embedded Lock as Popup - Auth0 Community

Check it out please.

Auth0.js authorize is meant to use the hosted login page (HLP) which provides a centralized authentication experience (all client apps can authenticate through the HLP). Lock can be used to provide an embedded login experience where each client app has its own authentication UI (formal support for this is available in Lock 10.22). In general, you won’t combine the authorize method with Lock embedded.

I wish I understood this.
I have an embedded lock which was working yesterday.
When I set up the embedded lock I copied the code directly from the sample in the Quickstart.
It had oidcConformant: true so I left it there. I just tried taking it out and I got an error:

access_denied: Password login is disabled for clients using externally hosted login pages with oidc_conformant flag set.

You say oidcConformant is undocumented and is only ok for experimenting but it seems it is required.

The only way I could get this working again was to go back to auth0-lock@10.18.0

@chris5 I am just interested what tutorial it was. Can you please share the reference?

@chris5 it is not supported in Lock 10.17 or 10.18 although the toggle was available. It is now formally supported in Lock 10.22 and the documentation now includes the oidcConformant option which is required under certain conditions (for example, to make use of the new authentication functionalities like API authorization).

@jmangelo I have tried oidcConformant: true according to Lock Configuration Options; I also enabled CORS. I have tried against Lock 10.22.0 but it didn’t work.

Have in mind that there are some limitations to it, for example, popup mode is not supported. Besides that, oidcConformant should work in Lock 10.22+ assuming the necessary configuration was also performed in the client settings.
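The following is an added example, not code from any post in this thread and not Auth0's own library code. It builds a Lock 10.22+ options object for embedded, redirect-mode login with API Authorization, and runs a local preflight over the constraints the replies above converge on: an audience requires oidcConformant, popup mode is not supported with oidcConformant, the redirectUrl must be among the Allowed Callback URLs, and the page's origin must be among the Allowed Origins (CORS). The client-settings values and the origin comparison rule (exact scheme://host[:port] match, no wildcard support) are assumptions for the example; the real comparison is done by Auth0 on the server.

```javascript
// Added example (not from the thread or from Auth0). Assumptions: client
// settings are supplied as plain arrays copied from the dashboard; origins are
// compared as exact scheme://host[:port] strings (wildcards not handled).

function buildLockOptions({ redirectUrl, audience, scope = "openid profile email" }) {
  return {
    oidcConformant: true,      // required when using an audience (API Authorization)
    closable: false,
    container: "auth-lock",
    rememberLastLogin: false,
    allowSignUp: false,
    auth: {
      redirect: true,          // popup mode is not supported with oidcConformant
      redirectUrl,
      responseType: "token",
      params: { audience, scope },
    },
  };
}

// Normalise a URL to its origin (scheme://host[:port]). Returns null for
// anything that is not an http(s) URL, e.g. "localhost:5000" with no scheme,
// which the URL parser reads as a "localhost:" scheme rather than a host.
function toOrigin(value) {
  let url;
  try {
    url = new URL(value);
  } catch (_) {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  return url.origin;
}

// Preflight the Lock options against the client settings. Returns a list of
// human-readable problems; an empty list means none of the checks fired.
function preflightLockOptions(options, clientSettings, appOrigin) {
  const problems = [];
  const auth = options.auth || {};
  const params = auth.params || {};

  if (params.audience && options.oidcConformant !== true) {
    problems.push("audience is set but oidcConformant is not true");
  }
  if (options.oidcConformant === true && auth.redirect === false) {
    problems.push("popup mode (auth.redirect: false) is not supported with oidcConformant");
  }

  const callbacks = clientSettings.allowedCallbackUrls || [];
  if (auth.redirect !== false && !callbacks.includes(auth.redirectUrl)) {
    problems.push(`redirectUrl ${auth.redirectUrl} is not in Allowed Callback URLs`);
  }

  // "Cross origin login not allowed" is the symptom when this check fails
  // server-side: the embedded login page's origin must be listed, with scheme.
  const origins = (clientSettings.allowedOrigins || []).map(toOrigin);
  const normalised = toOrigin(appOrigin);
  if (normalised === null || !origins.includes(normalised)) {
    problems.push(`origin ${appOrigin} is not in Allowed Origins (CORS)`);
  }
  return problems;
}

// Constructed sample settings for a local run: note the CORS entry lacks a scheme.
const sampleSettings = {
  allowedCallbackUrls: ["http://localhost:5000"],
  allowedOrigins: ["localhost:5000"],
};
const sampleOptions = buildLockOptions({
  redirectUrl: "http://localhost:5000",
  audience: "https://api.example.com", // hypothetical audience
});
console.log(preflightLockOptions(sampleOptions, sampleSettings, "http://localhost:5000"));
```

Run under Node to see the single finding for the sample: the callback URL passes, but `localhost:5000` does not normalise to an http(s) origin, so it would not match the page's `http://localhost:5000` origin. Entering the CORS origin with its scheme clears the finding.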