Auth0 JWT as access token comes in only on second login -


i have issue , i'm not sure whether "bug" or fault somewhere.

all of sap on asp.net core angular accessing auth0 on hosted page.

i have updated hosted page auth0lock object on hosted page inculde params object specified audience

var lock = new auth0lock(config.clientid, config.auth0domain, {   auth: {     redirecturl: config.callbackurl,     responsetype: 'token',     params: {       "audience": "https://api.webatom.com"     }   },   assetsurl:  config.assetsurl,   allowedconnections: connection ? [connection] : null,   rememberlastlogin: !prompt,   language: language,   languagedictionary: languagedictionary,   theme: {     //logo:            'your logo here',     //primarycolor:    'green'   },   prefill: loginhint ? { email: loginhint, username: loginhint } : null,   closable: false,   // uncomment if want small buttons social providers   // socialbuttonstyle: 'small' });

during first login usual auth result receive jwt id_token , short string access token , don't message in auth0 account access request.

during second , other logins want. message , jwt access token , id_token null.

how second result start, right first login? bug or doing wrong?

thank you.

ps: don't have rules or hooks implemented @ moment.

as first step: add https://jwt.io allowed callback client, revert auth0 hosted login page default (ie. remove changes made), modify url below own settings, , paste browser url , hit return.

https://{{your_tenant}}.auth0.com/login?client={{your_client_id}}&redirecturl=https://jwt.io&responsetype=token&connection={{your_connection_name}}&audience=https://api.webatom.com&scope=openid

all going well, should return jwt access token , auto-populate jwt.io text-area.

next, try - using auth0's authorize url instead. again, use auth0 default hosted login page, not 1 modified.

https://{{your_tenant}}.auth0.com/authorize?client_id={{your_client_id}}&protocol=oauth2&redirect_uri=https://jwt.io&response_type=token&scope=openid profile&audience=https://api.webatom.com&nonce=123&state=xyz

should same result. , presumably want every time?

if want id token, modify responsetype / response_type token id_token.

so recommend not modify auth0 hosted login page settings lock directly (authentication related params..), instead send through parameters want request per /authorize endpoint above. if have client application using auth0.js example, can set @ client , send through when user authenticates.

sample snippet auth0.js library config might be:

  auth0 = new auth0.webauth({     domain: auth_config.domain,     clientid: auth_config.clientid,     redirecturi: auth_config.callbackurl,     audience: "https://webapi.com",     responsetype: 'token id_token', // use token if don't need id token     scope: 'openid profile read:book' // read:book scope defined api     });

Comments

Post a Comment

Popular posts from this blog

Is there a better way to structure post methods in Class Based Views -

i'm using class based views in django , never specify url in ajax calls , omit action parameter in form because know these requests go through post method of class based view. notice view - profile page make many requests depending on user updating on page - post method become convoluted , if/else mess example: def post(self, request, *args, **kwargs): # handle user changing available date if request.post.get('availabledate') != none: self.updateavailabledate(request) return jsonresponse({'result':'success'}) if request.post.get('newprojectname') != none: creative_user = creativeuserprofile.objects.get(id = request.user.id) project = project.create_project(creative_user, request.post['newprojectname']) project.save() return jsonresponse({'projectid': project.id }) if request.post.get('projectimage') != none , request.files['file']: proj...
Read more

performance - Why is XCHG reg, reg a 3 micro-op instruction on modern Intel architectures? -

i'm doing micro-optimization on performance critical part of code , came across sequence of instructions (in at&t syntax): add %rax, %rbx mov %rdx, %rax mov %rbx, %rdx i thought had use case xchg allow me shave instruction , write: add %rbx, %rax xchg %rax, %rdx however, dimay found agner fog's instruction tables , xchg 3 micro-op instruction 2 cycle latency on sandy bridge, ivy bridge, broadwell, haswell , skylake. 3 whole micro-ops , 2 cycles of latency! 3 micro-ops throws off 4-1-1-1 cadence , 2 cycle latency makes worse original in best case since last 2 instructions in original might execute in parallel. now... cpu might breaking instruction micro-ops equivalent to: mov %rax, %tmp mov %rdx, %rax mov %tmp, %rdx where tmp anonymous internal register , suppose last 2 micro-ops run in parallel latency 2 cycles. given register renaming occurs on these micro-architectures, though, doesn't make sense me done way. why wouldn't register renamer ...
Read more

c# - Asp.net web api : redirect unauthorized requst to forbidden page -

im trying redirect unauthorized request forbidden page instead i'm getting forbidden page in response body , how can fix ? here's startup class : app.createperowincontext(storecontext.create); app.createperowincontext<applicationusermanager>(applicationusermanager.create); app.createperowincontext<applicationsigninmanager>(applicationsigninmanager.create); app.usecookieauthentication(new cookieauthenticationoptions { authenticationtype = defaultauthenticationtypes.applicationcookie, expiretimespan = timespan.fromdays(30), }); app.useexternalsignincookie(defaultauthenticationtypes.externalcookie); app.usetwofactorsignincookie(defaultauthenticationtypes.twofactorcookie, timespan.fromminutes(5)); app.usetwofactorrememberbrowsercookie(defaultauthenticationtypes.twofactorrememberbrowsercookie); the method im trying reach : [httpget] [authorize(roles = "admin")] public string getcurrentusername() { return userman...
Read more