Closed dinvlad closed 7 years ago
False alarm, it turns out that I checked strict OIDC conformity in my client settings, which led to this behavior (namely returning only a short access_token when I don't specify an audience)
Is it just me or does the documentation on https://auth0.com/docs/client-auth/current/server-side-web#exchange-the-code-for-an-id_token request strict OIDC conformity and yet the example exchange code for e.g. cURL doesn't specify an audience and hence doesn't retrieve an id_token?
Hi all,
My passwordless Lock suddenly stopped working (without any changes on my part) because the new authentication API apparently returns a short access_token and no id_token by default. As a result of that and #130, this change breaks Lock if we rely on the old behavior (incl. using parseHash() and getProfile() that both expect an id_token).

Could this Lock be updated according to the new API?
EDIT: this behavior is happening to a stock configuration of Lock. If we specify audience, the returned access_token is "fat" but there's no id_token in either case (and that one is required by parseHash() and getProfile()).

Thanks
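
A diagnostic sketch for the symptom reported in this thread, added as an example and not taken from Lock or auth0.js: it reports whether a callback hash carries a short (opaque) or "fat" (JWT-shaped) access_token and whether an id_token is present. The function names and sample hashes are constructed, and it assumes a "fat" token is a three-segment JWT.

```javascript
// Added diagnostic sketch; not Lock or auth0.js code. It classifies token
// shape only and does NOT verify signatures or claims.
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return typeof Buffer !== 'undefined'
    ? Buffer.from(b64, 'base64').toString('utf8')
    : atob(b64); // browser fallback
}

function decodeSegment(seg) {
  try {
    const obj = JSON.parse(b64urlDecode(seg));
    return obj && typeof obj === 'object' ? obj : null;
  } catch (e) {
    return null; // not base64url-encoded JSON
  }
}

// Returns 'missing', 'opaque' (short token) or 'jwt' ("fat" token).
function classifyToken(token) {
  if (!token) return 'missing';
  const parts = token.split('.');
  if (parts.length !== 3) return 'opaque';
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  return header && typeof header.alg === 'string' && payload ? 'jwt' : 'opaque';
}

// Inspect the URL fragment returned to the callback page.
function inspectAuthHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const report = {
    accessToken: classifyToken(params.get('access_token')),
    idToken: classifyToken(params.get('id_token')),
  };
  // Helpers that expect an id_token cannot work without one.
  report.idTokenHelpersUsable = report.idToken === 'jwt';
  return report;
}

// Constructed sample data (no real tokens; the signature part is a dummy).
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.c2ln`;
}
const SAMPLE_OPAQUE = '#access_token=Zx8kQ2mPq1Lr7TnB&token_type=Bearer';
const SAMPLE_FAT = '#access_token=' + makeSampleJwt({ aud: 'https://api.example.test' }) + '&token_type=Bearer';
const SAMPLE_WITH_ID = SAMPLE_OPAQUE + '&id_token=' + makeSampleJwt({ sub: 'constructed|123' });
```

Calling inspectAuthHash(window.location.hash) on the callback page shows which of the cases described above a given configuration produces.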