AuthZ Extension Switching to Auth0 Core Losing Scope

[jwstrivr]

Checklist

• [X] I have looked into the Readme (WPF/WinForms) and have not found a suitable solution or answer.
• [X] I have searched the issues and have not found a suitable solution or answer.
• [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• [X] I agree to the terms within the Auth0 Code of Conduct.

Description

With the upcoming deprecation of AuthZ Extension, we're looking to move our WPF Application over to using Auth0 Core/Groups. I've followed along with documentation with a completely barebones, stand-alone WPF app that just contains the Auth0.Oidc.WPF nuget client and I'm able to get a successful authentication of my access token and returned user token with Individual login option, but the moment I switch to Organization the scope seems to be completely missing and I get an unauthenticated error return code (openid profile email are all missing in the logs when I switch to orgs).

Reproduction

Here's a general overview of how I'm setting up the client:

            var auth0Client = new Auth0Client(new Auth0ClientOptions
            {
                Domain = "{my_domain}",
                ClientId = "{my_clientId}",
                Scope = "openid email profile",
            });
            loginResult = await auth0Client.LoginAsync(new { audience = "{my_audience}" });

Again, this works fine for individual login, but fails the moment I switch to orgs, which leaves me scratching my head. I am using the most up-to-date nuget package available, and only have these lines for my entire test app. Any help would be appreciated, thank you!

[frederikprijck]

Can you share the exact error that you retrieve as well as when you retrieve it (e.g. is it thrown when calling login before the redirect or after etc).

Also can you look at your auth0 logs and see what if there are any errors in there as well?

[jwstrivr]

Here are the exact debug properties I receive from the endpoint

From the auth0 logs, I see only success confirmations for the request. From our own log streams, it looks like the requested scope is missing which seems to be consistent with the error since that requires the openid scope. There are no rules that exist to modify the access token ingestion either

[jwstrivr]

@frederikprijck any update on this? Since AuthZ Extension is being deprecated sometime fall of next year I'll need to move my WPF application to use Auth0 Core which seems to be impossible without NuGet package support from Auth0

[frederikprijck]

Apologies, i have missed this.

Does the user belong to the organization?

The error you get, is An error from Auth0 server. This indicates the issue exist on auth0 side such as a configuration issue or the user not beloning to the organization, or there is some info that isnt correctly sent.

You mention it's when u use organizations,but i see not organization in the code. Are you picking organization on the auth0 login page, or how is the organization incorporated?

It does work fine for me when using organizations, so it's hard to help troubleshoot without an actual reproduction. I know you said you only use those 3 lines, yet they work for me. If that's the case, i recommend reaching out to your contact at auth0 to help troubleshoot your tenant configuration.

Thanks.

[jwstrivr]

Correct, I'm picking organizations under Applications > My WPF App under the Organizations tab where I see Types of Users. If I select Individuals, the application works fine, but when I move to Business Users + Prompt for Credentials I am able to select the organization from the Auth0 login flow but receive the error in the screenshot above. Do I need to include organizations somewhere within the code?

Just to be clear, the Individuals option is the one that will be deprecated within the year, correct?

[frederikprijck]

Do I need to include organizations somewhere within the code?

No you shouldnt need to.

Just to be clear, the Individuals option is the one that will be deprecated within the year, correct?

Can you share the information about the deprecation you are talking about?

[jwstrivr]

Here's a link to the article:

https://auth0.com/blog/preparing-for-rules-and-hooks-end-of-life/?utm_medium=email&utm_source=mkto&utm_campaign=2023-05-email-rules-hooks-deprecation&mkt_tok=ODU1LVFBSC02OTkAAAGLxPDEUtB4yr0NQmmHDFLxJ_d8CdorUFgWKDCi3zo5kc3n-9xiUgavkvCIr1M8eeFHMA99tiLkcJeUlALNjErQwP5YgA3PaH7Eh530t6Cc1DPKU9_i