auth0 / omniauth-auth0

OmniAuth strategy to login with Auth0
MIT License

Unable to get access token on login #51

Closed vampolo closed 6 years ago

vampolo commented 7 years ago

Hi, I'm using this Ruby gem in conjunction with the Auth0 Lock widget for authentication. The gem is configured as

    # auth0_config: hash holding the tenant settings (client_id, client_secret, domain)
    provider(
        :auth0,
        auth0_config['client_id'],
        auth0_config['client_secret'],
        auth0_config['domain'],
        {
          callback_path: '/auth/auth0/callback', # must match the callback URL registered in Auth0
          authorize_params: {
            scope: 'openid'                      # only the openid scope is requested
          }
        }
    )

The auth0_config is a hash with the Auth0 configuration in my application. Once I successfully log in, from the Rails side I can see the omniauth.auth request variable, but it is of this kind:

[screenshot of the omniauth.auth hash, not reproduced]

I omitted the non-relevant pieces. I have an ID token, but the access_token, which I believe to be the "token" in the hash, is not a JWT.

How can I get a JWT token I can use for authentication?

scooteronce commented 7 years ago

Is this related to the base64 encoding change? Because I am having the same issue with Knock and considering switching gems...

cocojoe commented 6 years ago

Sorry for the long delay, picking up on this repo now. We will be going through some updates soon.

joshcanhelp commented 6 years ago

@vampolo - Apologies again for the long delay here.

The access_token there is what's used to get the user profile from the /userinfo endpoint (typically). That ID token also contains profile information that you can use once you've verified and decoded it. I'm not sure what else you're looking for to authenticate, but that response should be everything you need.

Closing this for now, feel free to re-open if you have any other questions.

jpr5 commented 3 years ago

Hi @joshcanhelp , hello from over in Ballard.

Sorry to tail an old ticket like this, but it's sort of spot on for my situation. Hopefully you'll see this notification and have a spare moment to comment.

Imagine a Sinatra admin dashboard, atop a service that uses Auth0 for auth. So I configure a Dashboard API in Auth0, I make a read:dashboard RBAC/permission, add it to the API and assign it to the relevant users.

Now I need users to be able to login, so I go the omniauth-auth0 route: make a Dashboard Web App in Auth0 to get a client_id and secret, and configure omniauth-auth0 practically just as vampolo did above. I put in all the relevant JWT code, endpoints, before {} etc. And users can authorize, everything validates (so long as I use the id_token, not the token as vampolo mentioned), right up to wanting to be able to check for that read:dashboard permission.

And that is the crux of the problem. Perhaps what vampolo might have been trying to get at as well, maybe.

I gather, if I got back an access_token, I'd be getting back that permissions field (array), too. But that token isn't an access_token, and I have scoured the internet far and wide and still haven't been able to figure out how, in this sort of set up. Which could imply that I might be fundamentally misunderstanding how one is supposed to go about doing this in the first place.

Maybe a solution is to use the JS login libs? For the sake of understanding, if it can be done with omniauth-auth0, I'd prefer to keep it that way.

Any suggestions/pointers? What am I not getting?

Cheers.

jpr5 commented 3 years ago

You know, I figured it out. Leaving here for anyone else who finds themselves here. Two things:

  1. If you ever find yourself looking at an access_token that is clearly not a JWT (too short), it might be something administrative/local to a provider. I found this lovely article from a helpful Auth0 employee that laid out what the short access_tokens are all about. Wasn't the case for me, but super helpful nonetheless.
  2. I was missing the !@#$@$ audience key in the authorize_params hash above. GFDMT. Put that in, and presto the access_token took on the form of a JWT, complete with the permissions field. Hooray, and GUH.

Anyway, there you have it. Take it easy y'all.
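A worked example of what the thread converges on: vampolo's "token" that is not a JWT, joshcanhelp's point that the access token and ID token serve different purposes, and jpr5's finding that `audience` in `authorize_params` turns the access token into a JWT with a `permissions` claim, which the dashboard can then check. This is an example added here, not code from the issue, the omniauth-auth0 gem or Auth0. It hand-rolls RS256 with the Ruby standard library instead of the `jwt` gem so it runs offline, uses a locally generated RSA key in place of the key Auth0 publishes in its JWKS, and the domain, API identifier, scope string, token values and claim values are all constructed.

```ruby
require 'openssl'
require 'json'

# OmniAuth options for the Auth0 strategy. As jpr5 found, the `audience` key in
# authorize_params is what makes Auth0 issue a JWT access token for that API
# (carrying the `permissions` claim) instead of a short opaque token.
# The scope string and API identifier are placeholders.
def auth0_authorize_options(api_identifier:)
  {
    callback_path: '/auth/auth0/callback',
    authorize_params: {
      scope: 'openid profile email',
      audience: api_identifier # e.g. 'https://dashboard.example.com/api'
    }
  }
end

# base64url without padding, as JOSE uses; stdlib only.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Structural check: three segments whose header decodes to a JSON object with
# an "alg". Short opaque tokens fail this, which is the symptom in the thread.
def jwt?(token)
  parts = token.to_s.split('.')
  return false unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  header.is_a?(Hash) && header.key?('alg')
rescue ArgumentError, JSON::ParserError
  false
end

# Signs a payload with RS256. Only used here to fabricate a demo token; in
# production Auth0 signs and the application only verifies.
def sign_rs256(payload, private_key, kid: 'demo-key')
  header = { alg: 'RS256', typ: 'JWT', kid: kid }
  input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  "#{input}.#{b64url_encode(private_key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

class TokenError < StandardError; end

# Verifies algorithm, signature, issuer, audience and expiry, then returns the
# claims. `public_key` stands in for the JWKS key selected by the header's kid.
def verify_rs256(token, public_key, issuer:, audience:, now: Time.now.to_i)
  raise TokenError, 'not a JWT (opaque token? audience not requested?)' unless jwt?(token)
  h, p, s = token.split('.')
  header = JSON.parse(b64url_decode(h))
  # Pin the algorithm: never let the token choose (alg=none / HS256 confusion).
  raise TokenError, "unexpected alg #{header['alg']}" unless header['alg'] == 'RS256'
  raise TokenError, 'bad signature' unless public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s), "#{h}.#{p}")
  claims = JSON.parse(b64url_decode(p))
  raise TokenError, 'wrong issuer' unless claims['iss'] == issuer
  raise TokenError, 'audience mismatch' unless Array(claims['aud']).include?(audience)
  raise TokenError, 'expired' unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
end

# RBAC check against the `permissions` array Auth0 adds to the access token.
def permitted?(claims, permission)
  Array(claims['permissions']).include?(permission)
end

# ---- Constructed demo data; none of this is a real Auth0 tenant or token ----
DEMO_KEY    = OpenSSL::PKey::RSA.new(2048)
DEMO_ISSUER = 'https://example.auth0.com/'
DEMO_API    = 'https://dashboard.example.com/api'
DEMO_NOW    = 1_700_000_000

# Claim shape of an Auth0 access token issued with an audience and RBAC enabled.
DEMO_ACCESS_TOKEN = sign_rs256(
  { iss: DEMO_ISSUER, sub: 'auth0|1234', aud: [DEMO_API, "#{DEMO_ISSUER}userinfo"],
    iat: DEMO_NOW, exp: DEMO_NOW + 86_400, scope: 'openid profile email',
    permissions: ['read:dashboard'] },
  DEMO_KEY
)
# What vampolo saw with no audience: a short opaque string, not a JWT (made up).
DEMO_OPAQUE_TOKEN = 'kZ3cB9vQ2xYm8LwT'

# The check a dashboard before-filter would run on the access token from
# request.env['omniauth.auth']['credentials']['token'].
def dashboard_allowed?(token, now: DEMO_NOW)
  claims = verify_rs256(token, DEMO_KEY.public_key, issuer: DEMO_ISSUER, audience: DEMO_API, now: now)
  permitted?(claims, 'read:dashboard')
rescue TokenError
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "opaque token is a JWT?  #{jwt?(DEMO_OPAQUE_TOKEN)}"                  # false
  puts "access token is a JWT?  #{jwt?(DEMO_ACCESS_TOKEN)}"                  # true
  puts "read:dashboard allowed? #{dashboard_allowed?(DEMO_ACCESS_TOKEN)}"    # true
end
```

In a real deployment the verifying key is looked up by the header's `kid` in the tenant's JWKS at `https://<domain>/.well-known/jwks.json` rather than held locally, and a maintained library such as the `jwt` gem should do the parsing. The audience check is the part that ties back to the thread: an ID token's `aud` is the application's client_id, while the access token requested with `audience` carries the API identifier, so a permission check written against the API identifier only ever accepts the access token, which is the token that carries `permissions`.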