auth0 / auth0-flutter

Auth0 SDK for Flutter
https://pub.dev/documentation/auth0_flutter/latest/
Apache License 2.0

Missing "parameters" field in onLoad method of Auth0Web #345

Closed matecode closed 7 months ago

matecode commented 8 months ago


Description

Hi Auth0 Team

I'm facing a bug, maybe it is also a feature request.

In our auth0 use case we need the initial scopes again while refreshing the token. As described in https://github.com/auth0/auth0-spa-js/issues/1083#issuecomment-1446148746 this is not possible with the auth0 spa sdk, so we worked around this like proposed in https://github.com/auth0/auth0-spa-js/issues/896#issuecomment-1103647320 with a custom parameter.

To be clear I'm showing the three steps:

  1. Loading of the Auth0Web implementation:
     auth0Web.onLoad(
       cacheLocation: CacheLocation.localStorage,
       useRefreshTokens: true,
       audience: Config.auth0Audience,
       scopes: Config.auth0Scope,
     );
  2. Login:
     auth0Web.loginWithPopup(
       audience: Config.auth0Audience,
       scopes: Config.auth0Scope,
     );
  3. Get a token if needed (here we set the parameters so refreshing is done with an additional parameter):
     auth0Web.credentials(
       audience: Config.auth0Audience,
       scopes: Config.auth0Scope, // ignored on web by the Auth0 SPA JS SDK
       parameters: {
         'custom_scope': Config.auth0Scope.join(' '),
       },
     );

This works perfectly on a running flutter web application, but now a problem occurs: If a user is logged in but has an expired token and starts the application (which means there is a token saved in local application store, and the browser is opened again) the onLoad method of Auth0Web triggers a refresh. There, I cannot define the needed parameters. And then our "parameters" approach does not work.

In conclusion, it would be great if I could set the parameters also in the onLoad function.

Reproduction

  1. Start Flutter Web Application, login with scopes
  2. Login a user
  3. Wait until access token expires
  4. End application
  5. Start application (onLoad refreshes token)

Additional context

Thanks for your help in finding a working solution and let me know if you need more information.

auth0_flutter version

1.3.1

Flutter version

3.13.9

Platform

Web

Platform version(s)

No response

Widcket commented 8 months ago

Hi @matecode, thanks for raising this.

Do you need to specify fewer scopes (downscope) when renewing the tokens? Because if not, there's no need to pass the same scopes as when logging in. Auth0 will use the same scopes by default.

matecode commented 8 months ago

Hi @Widcket! Thanks for your response.

On refreshing the token (Flutter SDK is doing this when calling auth0Web.credentials(...) and then this is handled on web by getTokenSilently) the "scope" parameter is filtered out by auth0-spa-js SDK. We could see in our logs that there is no scope parameter. We don't need this to change scopes, but we need to submit the scopes on refresh.

I cannot comment on the implementation of auth0 on our side because this is a big company with a lot of use cases with auth0. I'm developing a flutter web application using auth0 as the IDP for our customers.

That's why I would love not to discuss if I need the scope or not, because this is what the Auth0-implementing Team on our side told me to do. I can see that a refresh happens in the onLoad method of the flutter sdk, where I cannot pass the parameters as I can when calling the credentials method.

I think this is a missing thing in the API of onLoad if the same thing happens in the background (which exactly means refreshing the token).

Widcket commented 8 months ago

If you're not downscoping, you don't need any scope parameter.

This SDK does not support downscoping, hence it does not support passing scopes when renewing.

Widcket commented 8 months ago

And we don't have any current plans to add support for downscoping that I'm aware of.

matecode commented 8 months ago

@Widcket I'm really sad to see that you closed this issue that fast, because I didn't ask for descoping or something like that, rather than asking for a missing parameter at the onLoad api of the Auth0 Flutter Web SDK, which is an error. This parameter is also missing if you need it for rules on refreshing.

Maybe @stevehobbsdev can help here.

frederikprijck commented 8 months ago

👋 I'm not Steve, but as one of the maintainers of Auth0-SPA-JS (the underlying SDK used for the Flutter SDK's Web platform), I can see the use-case here and believe that it's a recommended scenario from the SPA-JS side to be able to send any custom parameter when loading the page and calling Auth0.

Sending a custom-scope parameter is what we recommend for any user that has exactly the need as per the OP: Send the scope to Auth0 when refreshing the token, when descoping is not what they want to achieve.

Just some internal background, when flutter's onLoad is called, the following happens:

As you can see here, SPA-JS' checkSession takes a parameter of type GetTokenSilentlyOptions, which allows you to send any arbitrary parameter to Auth0. Important to note here is that often the user isn't calling checkSession directly, but instead we rely on the globally configured parameters, and then ensure to merge both options here.

That last part is not exposed on the Flutter SDK and can limit scenarios such as the OP's, as they are unable to pass their custom parameters to Auth0 (which can be any custom parameter they need to have present in their rules/hooks at any time).

The above would be resolved if we can ensure we can pass any arbitrary parameter to onLoad, and then ensure it gets added here.
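
Added example, not code from auth0_flutter or auth0-spa-js: a small JavaScript model of the two silent-refresh paths described above (one triggered by onLoad/checkSession using only globally configured options, one triggered by credentials() with per-call parameters), showing which requests a rule or hook that relies on custom_scope would accept. Function names, option shapes and the sample values are assumptions made for this illustration.

```javascript
// Added example, not code from auth0_flutter or auth0-spa-js: a minimal model of the
// two silent-refresh paths discussed in this thread. Function names, option shapes and
// the sample values are assumptions made for this illustration.

// What the Flutter SDK's onLoad currently lets you configure globally (assumed shape).
// Note there is no place for custom parameters such as custom_scope.
const onLoadOptions = {
  audience: 'https://api.example.test', // constructed placeholder value
  scope: 'openid profile read:items',   // constructed placeholder value
};

// Model of SPA-JS merging globally configured authorizationParams with the per-call
// GetTokenSilentlyOptions: per-call values override global ones.
function buildRefreshRequest(globalParams, perCallParams = {}) {
  return { grant_type: 'refresh_token', ...globalParams, ...perCallParams };
}

// Path 1: refresh triggered from onLoad (checkSession). Only global options are
// available, so nothing the Flutter caller could not set in onLoad reaches Auth0.
function onLoadRefresh(globalParams) {
  return buildRefreshRequest(globalParams);
}

// Path 2: refresh triggered from credentials(...), which forwards the caller's
// `parameters` map as per-call options.
function credentialsRefresh(globalParams, parameters) {
  return buildRefreshRequest(globalParams, parameters);
}

// What a rule or hook that depends on custom_scope would check for on the refresh.
function hasCustomScope(request) {
  return typeof request.custom_scope === 'string' && request.custom_scope.length > 0;
}

// Demonstration: the credentials() path carries the parameter, the onLoad path does not.
const fromCredentials = credentialsRefresh(onLoadOptions, { custom_scope: onLoadOptions.scope });
const fromOnLoad = onLoadRefresh(onLoadOptions);
console.log('credentials():', hasCustomScope(fromCredentials)); // true
console.log('onLoad():     ', hasCustomScope(fromOnLoad));      // false

// The change requested in this issue: if onLoad accepted parameters that were merged
// into the global options, the onLoad-triggered refresh would carry custom_scope too.
const fixedOnLoadOptions = { ...onLoadOptions, custom_scope: onLoadOptions.scope };
console.log('onLoad() with parameters:', hasCustomScope(onLoadRefresh(fixedOnLoadOptions))); // true
```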

matecode commented 8 months ago

@frederikprijck thanks for helping out

That last part is not exposed on the Flutter SDK and can limit scenarios such as the OP's, as they are unable to pass their custom parameters to Auth0 (which can be any custom parameter they need to have present in their rules/hooks at any time).

@Widcket This is the main part, as this is important for any parameter that is needed during refresh in our custom rule/hook logic.

Widcket commented 8 months ago

Thanks @frederikprijck for the clarification. This would qualify as a feature request, and as such, will remain open and tagged as such for future planning and reference.

matecode commented 8 months ago

@Widcket Thanks for reopening