Closed matecode closed 7 months ago
Hi @matecode, thanks for raising this.
Do you need to specify fewer scopes (downscope) when renewing the tokens? Because if not, there's no need to pass the same scopes as when logging in. Auth0 will use the same scopes by default.
Hi @Widcket! Thanks for your response.
On refreshing the token (Flutter SDK is doing this when calling auth0Web.credentials(...) and then this is handled on web by getTokenSilently) the "scope" parameter is filtered out by auth0-spa-js SDK. We could see in our logs that there is no scope parameter. We don't need this to change scopes, but we need to submit the scopes on refresh.
I cannot comment on the implementation of auth0 on our side because this is a big company with a lot of use cases with auth0. I'm developing a Flutter web application using auth0 as the IDP for our customers.
That's why I would love not to discuss if I need the scope or not, because this is what the Auth0-implementing Team on our side told me to do. I can see that there happens a refresh while the onLoad method of the Flutter SDK where I cannot give the parameters, as I can while calling the credentials method.
I think this is a missing thing on the API of onLoad if the same thing happens in background (which exactly means refreshing the token).
If you're not downscoping, you don't need any scope parameter.
This SDK does not support downscoping, hence it does not support passing scopes when renewing.
And we don't have any current plans to add support for downscoping that I'm aware of.
@Widcket I'm really sad to see that you closed this issue that fast, because I didn't ask for descoping or something like that, rather than asking for a missing parameter at the onLoad api of the Auth0 Flutter Web SDK, which is an error. This parameter is also missing if you need it for rules on refreshing.
Maybe @stevehobbsdev can help here.
👋 I'm not Steve, but as one of the maintainers of Auth0-SPA-JS (the underlying SDK used for the Flutter SDK's Web platform), I can see the use-case here and believe that it's a recommended scenario from the SPA-JS side to be able to send any custom parameter when loading the page and calling Auth0.
Sending a custom-scope parameter is what we recommend for any user that exactly has the need as per the OP: Send the scope to Auth0 when refreshing the token, when descoping is not what they want to achieve.
Just some internal background, when Flutter's onLoad is called, the following happens:
onLoad calls the platform's initialize: https://github.com/auth0/auth0-flutter/blob/main/auth0_flutter/lib/auth0_flutter_web.dart#L55
initialize calls the proxy's checkSession: https://github.com/auth0/auth0-flutter/blob/main/auth0_flutter/lib/src/web/auth0_flutter_plugin_real.dart#L45
checkSession calls the real checkSession: https://github.com/auth0/auth0-flutter/blob/main/auth0_flutter/lib/src/web/auth0_flutter_web_platform_proxy.dart#L17
As you can see here, SPA-JS' checkSession takes a parameter of type GetTokenSilentlyOptions, which allows you to send any arbitrary parameter to Auth0. Important to note here is that often the user isn't calling checkSession directly, but instead we rely on the globally configured parameters, and then ensure to merge both options here.
That last part is not exposed on the Flutter SDK and can limit scenarios such as the OP as they are unable to pass their custom parameters to Auth0 (which can be any custom parameter they need to have present in their rules/hooks at any time).
The above would be resolved if we can ensure we can pass any arbitrary parameter to onLoad, and then ensure it gets added here.
@frederikprijck thanks for helping out
That last part is not exposed on the Flutter SDK and can limit scenarios such as the OP as they are unable to pass their custom parameters to Auth0 (which can be any custom parameter they need to have present in their rules/hooks at any time).
@Widcket This is the main part, as this is important for any parameter that is needed during refresh in our custom rule/hook logic.
Thanks @frederikprijck for the clarification. This would qualify as a feature request, and as such, will remain open and tagged as such for future planning and reference.
@Widcket Thanks for reopening
Description
Hi Auth0 Team
I'm facing a bug, maybe it is also a feature request.
In our auth0 use case we need the initial scopes again while refreshing the token. As described in https://github.com/auth0/auth0-spa-js/issues/1083#issuecomment-1446148746 this is not possible with auth0 spa sdk, so we worked around this as proposed in https://github.com/auth0/auth0-spa-js/issues/896#issuecomment-1103647320 with a custom parameter.
To be clear I'm showing the three steps:
This works perfectly on a running Flutter web application, but now a problem occurs: If a user is logged in but has an expired token and starts the application (which means there is a token saved in local application store, and the browser is opened again) the onload method of Auth0Web triggers a refresh. There, I cannot define the needed parameters. And then our "parameters" approach does not work.
In conclusion, it would be great if I can set the parameters also in the onload function.
Reproduction
Additional context
Thanks for your help in finding a working solution and let me know if you need more information.
auth0_flutter version
1.3.1
Flutter version
3.13.9
Platform
Web
Platform version(s)
No response