auth0 / auth0-spa-js

Auth0 authentication for Single Page Applications (SPA) with PKCE
MIT License

Specify response type #35

Closed Catscratch closed 5 years ago

Catscratch commented 5 years ago

Hey guys.

Is there a way to specify response type for an Auth0Client? As I can see response type is not part of Auth0ClientOptions.

stevehobbsdev commented 5 years ago

@Catscratch Not currently, as the SDK is designed to follow a very specific protocol. What's your requirement?

Catscratch commented 5 years ago

I want the query param response_type=token id_token instead of =code.

My Auth0 provider doesn't allow code.

stevehobbsdev commented 5 years ago

@Catscratch In that case you would need to use auth0-js which will allow you to configure the response type as you need.

luisrudge commented 5 years ago

> My Auth0 provider doesn't allow code.

Can you explain what that means? Thanks!

I'll close the issue to keep the repo clean, but feel free to continue the conversation in this issue.

lk-jeffpeck commented 4 years ago

This should be stated somewhere.

I am implementing the Auth0 implicit flow and was using the vanillajs quickstart example that uses the auth0-js-spa and could not find where to set response_type to token until I found it hardcoded to code in the source.

AnneAlbert commented 4 years ago

Please state this indeed, especially on the page where you talk about implicit flows and SPAs, where the suggestion is that it is possible to set response_type. It would probably save many people some frustration and quite some time.

stevehobbsdev commented 4 years ago

Thanks for raising this. I've raised it internally to get the documentation updated to more clearly reflect our current state with the SPA SDK.

cstephe commented 3 years ago

> @Catscratch In that case you would need to use auth0-js which will allow you to configure the response type as you need.

Is there a reason why this isn't in the SPA lib? This seems like a pretty big thing to not allow and I'd think there would have to be a very good reason to not accept this in the config?

frederikprijck commented 3 years ago

@cstephe auth0-spa-js is designed to follow best practices for securing Single Page Applications. Security best practices discourage using response_type=token (Implicit flow). Instead, Authorization Code with PKCE should be used.

See https://tools.ietf.org/html/draft-ietf-oauth-security-topics-11, 2.1.2. Implicit Grant:

> In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or any other response type issuing access tokens in the authorization response, such as "token id_token" and "code token id_token", unless the issued access tokens are sender-constrained and access token injection in the authorization response is prevented.

iamdhrooov commented 3 years ago

@frederikprijck Using the auth0-spa-js in a chrome-extension where I was trying to getAccessTokenSilently but it by default goes with response_type=code and response_mode=web_message. This is causing an issue in the extension as it tries to postMessage on the parent which is any domain like mail.google.com which we cannot pass in redirectURI in Auth0 applications.

How do we silently fetch token in extensions as they run on all domains?

stevehobbsdev commented 3 years ago

@iamdhrooov you might want to investigate using refresh tokens in that case, as it will not use web_message and an iFrame but instead call the token endpoint directly. Please see the Refresh Tokens section in the readme for more details.