auth0 / lock-passwordless

Auth0 Lock Passwordless [DEPRECATED]
MIT License

Lock passwordless ignoring authParams scope #102

Open yvonnewilson opened 8 years ago

yvonnewilson commented 8 years ago

Cross reference customer reported issue: 6766

JWT generated by passwordless authentication (email link) doesn't include email.

Set up passwordless connection with all default values for Settings screen and set Authentication Parameters to {'scope':'openid email'} (also tried 'openid profile' - same thing). Logged in with magic link, but JWT returned does not include email.

Used try button in passwordless connection to send email. Clicked on magic link button in email and was apparently logged in. Dashboard -> Users shows a login for the email address used in TRY screen with connection 'email'. User Details screen shows email address for user has a value. Logs screen shows successful login via connection 'email' as well.

Used jwt.io as callback for application and to display JWT resulting from authentication.

yvonnewilson commented 8 years ago

What is the correct syntax for the Authentication Parameter? I tried both 'scope' (with quote) and scope (without quote). The default value on this screen for Auth Parameters shows 'scope':'openid profile', e.g. with quote marks around the "scope"; however, our docs pages show scope parameter without quote marks around scope. https://auth0.com/docs/libraries/lock/sending-authentication-parameters#supported-parameters

Resulting JWT only includes the default properties - iss, sub, aud, exp and iat
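
The symptom reported above can be checked mechanically instead of by eye on jwt.io. The following is an added example, not part of the original thread or of the lock-passwordless code: it decodes a token's payload and lists the claims the requested scope implies but the token lacks. The scope-to-claim map, the helper names and the sample tokens are assumptions constructed for illustration.

```javascript
// Added diagnostic example (not from the lock-passwordless project).
// Decodes a JWT payload WITHOUT verifying the signature: inspection only,
// never a basis for an authorization decision.

// Assumption: claims each scope value is expected to add to the token.
const CLAIMS_BY_SCOPE = new Map([['openid', ['sub']], ['email', ['email']]]);

function decodeSegment(segment) {
  // base64url -> base64; Buffer tolerates the missing padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns the claims the requested scope implies but the token lacks.
function missingClaims(token, scope) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWT: expected 3 dot-separated segments');
  }
  const payload = decodeSegment(parts[1]);
  return scope.split(/\s+/).filter(Boolean)
    .flatMap((s) => CLAIMS_BY_SCOPE.get(s) || [])
    .filter((claim) => !(claim in payload));
}

// Constructed sample tokens (placeholder values, dummy signature).
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'HS256', typ: 'JWT' }), enc(claims), 'c2lnbmF0dXJl'].join('.');
}

const DEFAULT_CLAIMS = {
  iss: 'https://tenant.example/',
  sub: 'email|constructed-user-id',
  aud: 'constructed-client-id',
  exp: 1458968494,
  iat: 1458932494,
};
// Token shaped like the one in the report: default properties only.
const reportedToken = makeSampleToken(DEFAULT_CLAIMS);
// Token shaped like the expected result for scope 'openid email'.
const expectedToken = makeSampleToken({ ...DEFAULT_CLAIMS, email: 'user@example.com' });

console.log(missingClaims(reportedToken, 'openid email')); // [ 'email' ]
console.log(missingClaims(expectedToken, 'openid email')); // []
```

Running the same check against a token captured from the callback shows at once whether the scope reached the authorization request at all.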

arcseldon commented 8 years ago

@yvonnewilson - re. quotes versus no quotes for scope object attribute name - this is down to a peculiarity of JavaScript, in that Object keys resolve to Strings. eg.

△  node
> var a = { scope: 'openid email'}
{ scope: 'openid email' }

> var b = { 'scope': 'openid email'}
{ scope: 'openid email' }

Basically equivalent syntax. Agreed, docs should be consistent to avoid confusion.

gnandretta commented 8 years ago

@yvonnewilson I can't reproduce this, I always get the email when I provide the scope "openid email" or "openid profile".

Also, I've created a separate issue for the options syntax.

yvonnewilson commented 8 years ago

Note - in playground, response type was set to token but it behaved as if it was set to code. Had to set response type to code and then back to token. Gabriel said when you change callback url, it may reset response type to code, but UI doesn't get updated to reflect that?

gnandretta commented 8 years ago

We already have #70 for the issue @yvonnewilson described in the last comment.