Why is the returned access_token different in Lock in the remembered last login dialog?

I have a SPA in angular.js using auth0-lock 10.13.0.

I have activated the API functionality, and when I receive the access_token, everything works fine. But I have noticed that when I log in with the Lock overlay there is a difference depending on which interface is presented by Lock:

  1. When using the "Last time you logged in with" interface (remember last login functionality), the access_token is encoded using RS256.
  2. When using the normal username and password overlay, the access_token is encoded in HS256, and an id_token is returned even though I didn't ask for one (in my configuration I have responseType: "token").

This is because Lock is still using the legacy mode for username and password login. If you are using Lock > 10.11 you can pass the parameters as follows:

// Lock is the constructor exported by auth0-lock (Auth0Lock in the browser bundle)
var lock = new Lock(CLIENT_ID, AUTH0_DOMAIN, {
  oidcConformant: true,
  autoclose: false
  /* Other params */
});

When using this, authentication occurs via a POST request to the /oauth/token endpoint with the password grant. Alternatively, you can use the webAuth.authorize method from the Auth0.js library to redirect to the hosted login page and log in there.

Besides this, if you use Lock with the flag oidcConformant: true, the callback URL is not invoked and the state needs to be handled in the lock.on('authenticated', ...) callback. oidcConformant: true uses an HTTP POST request with the password grant and it is meant to be used only for privileged clients. Since it uses an HTTP POST, we cannot set a cookie, and since silent authentication requires a cookie, silent authentication is not an option.

Please note that we are currently working on making the process better on both ends. In the future we will be releasing features which will allow better customisation and integration of the hosted page in your application flow, as well as a method to persist the session for privileged clients.
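The following is an added example, not code from the original thread or from auth0-lock, that puts the answer's advice together: it builds the Lock options with oidcConformant: true and responseType: "token", handles the result in lock.on('authenticated', ...) instead of a callback URL, and decodes the access_token header so the RS256 vs HS256 difference from the question becomes visible before the token is sent to the API. CLIENT_ID, AUTH0_DOMAIN and API_IDENTIFIER are placeholders; the auth.audience option is assumed to be the Lock 10.x way of requesting a token for the API; the sample tokens are constructed locally with a dummy signature purely for illustration, and the SPA only inspects them (signature verification belongs on the API side).

```javascript
// Added example (not the original post's or auth0-lock's own code).
// Placeholders: replace with your own values.
var CLIENT_ID = 'YOUR_CLIENT_ID';                // assumption: placeholder
var AUTH0_DOMAIN = 'your-tenant.auth0.com';      // assumption: placeholder
var API_IDENTIFIER = 'https://api.example.com';  // assumption: the API's audience

// Options per the answer: oidcConformant makes Lock use the /oauth/token
// password grant and deliver the result via lock.on('authenticated').
var lockOptions = {
  oidcConformant: true,
  autoclose: false,
  auth: {
    responseType: 'token',
    audience: API_IDENTIFIER,      // assumption: auth.audience requests an API token
    params: { scope: 'openid' }
  }
};

// base64url <-> utf8 helpers that work in Node and in the browser.
function base64UrlDecode(seg) {
  var b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return decodeURIComponent(escape(atob(b64)));
}
function base64UrlEncode(str) {
  var b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(unescape(encodeURIComponent(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPart(token, index) {
  var parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  return JSON.parse(base64UrlDecode(parts[index]));
}

// Constructed sample token with a dummy signature (NOT signed; for illustration only).
function buildSampleToken(alg, aud) {
  var header = base64UrlEncode(JSON.stringify({ alg: alg, typ: 'JWT' }));
  var claims = base64UrlEncode(JSON.stringify({ iss: 'https://' + AUTH0_DOMAIN + '/', aud: aud }));
  return header + '.' + claims + '.dummysignature';
}

// Summarise an authResult the way lock.on('authenticated') receives it.
function inspectAuthResult(authResult) {
  if (!authResult || typeof authResult.accessToken !== 'string') {
    return { ok: false, reason: 'no accessToken in authResult' };
  }
  var hasIdToken = typeof authResult.idToken === 'string';
  // Without an audience Auth0 issues an opaque token usable only at /userinfo.
  if (authResult.accessToken.split('.').length !== 3) {
    return { ok: true, tokenType: 'opaque', alg: null, audience: null, hasIdToken: hasIdToken };
  }
  var header = decodeJwtPart(authResult.accessToken, 0);
  var claims = decodeJwtPart(authResult.accessToken, 1);
  return { ok: true, tokenType: 'jwt', alg: header.alg, audience: claims.aud, hasIdToken: hasIdToken };
}

// Only hand the token to the API if it is an RS256 JWT minted for that API.
function acceptedForApi(info) {
  if (!info.ok || info.tokenType !== 'jwt') return false;
  var aud = Array.isArray(info.audience) ? info.audience : [info.audience];
  return info.alg === 'RS256' && aud.indexOf(API_IDENTIFIER) !== -1;
}

// Wire up Lock only when auth0-lock has been loaded in the page.
if (typeof Auth0Lock !== 'undefined') {
  var lock = new Auth0Lock(CLIENT_ID, AUTH0_DOMAIN, lockOptions);
  lock.on('authenticated', function (authResult) {
    var info = inspectAuthResult(authResult);
    if (!acceptedForApi(info)) {
      console.warn('access_token is not an RS256 token for ' + API_IDENTIFIER, info);
      return;
    }
    console.log('RS256 access_token for ' + API_IDENTIFIER + ' received');
  });
  lock.on('authorization_error', function (err) { console.error(err); });
  lock.show();
}
```

inspectAuthResult distinguishes the three shapes a SPA can receive: an opaque token (no audience requested), an HS256 JWT from the legacy username/password path, and the RS256 API token the question expects; acceptedForApi is the gate to apply before attaching the token to API requests.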