simov / grant-profile

User profile middleware for Grant
MIT License

possible issue with grant-profile and Auth0 #15

Closed edwardsmarkf closed 4 years ago

edwardsmarkf commented 4 years ago

Hello -

We are having trouble with Auth0 and FeathersJs. I am dealing with a family emergency at the moment and I don't have time to test this, but we believe the profile is coming back blank from Auth0 when the Auth0 social connection "App ID" and "App Secret" are filled in. When both of these values are left blank (and we use the default 'Auth0 dev keys') everything works as expected.

When both values are filled in, everything else appears to work just fine, no error messages from Google & Auth0.

Could somebody please test this out? It's very easy with Auth0 to add & remove these values.

Again, I apologize for not testing this now. I feel this issue probably should be looked at soon.

Thank you very much.

https://community.auth0.com/t/using-non-default-app-id-app-secret/38882/4

edwardsmarkf commented 4 years ago

I believe I have confirmed this issue. There seems to be something in grant-profile that is not working as expected.

When I use the DEFAULT Auth0 "Client ID" and "Client Secret" for a Google login (which is to leave them blank), I am indeed getting the full profile, which is what I expect to see:

{ "response": { "id_token": { "header": { "alg": "RS256", "kid": "MTU1MTNBMUY3MTM1RDExRjcyQjA3OTVDNDUwMThCM0Q5QjJGQTlBRQ" }, "payload": { "given_name": "Mark", "family_name": "Edwards", blah blah blah blah "exp": 1583814484, "nonce": "61dd1a1d246f3bd20796" }, "signature": "JOXXXXXXXTg" }, "access_token": "Z4C9bLqMIcSGlzjZi_CVu-BhM7fTHTbz", "raw": { "access_token": "Z4C9bLqMIcSGlzjZi_CVu-BhM7fTHTbz", blah blah blah "expires_in": 86400, "token_type": "Bearer" } } }

But when I try using my own Google values for "Client ID" and "Client Secret" this is all I get back:

{ "response": { "access_token": "aXj185Zi_k8rDFrD0ypwAniuR3gMH9qU", "raw": { "access_token": "aXj185Zi_k8rDFrD0ypwAniuR3gMH9qU", "expires_in": 86400, "token_type": "Bearer" } } }

Any suggestions?

My test code was from the grant-profile example:

var express = require('express')
var session = require('express-session')
var grant = require('grant-express')
var profile = require('grant-profile').express()
var config = require('./config.json')

express()
  .use(session({secret: 'grant', saveUninitialized: true, resave: true}))
  .use(grant(config))
  .use(profile(config))
  .use('/auth0', (req, res) => {
    var {response, profile} = req.session.grant
    res.end(JSON.stringify({response, profile}, null, 2))
  })
  .listen(3030)

config.json:

{
  "defaults": {
    "protocol": "http",
    "host": "localhost:3030",
    "transport": "session",
    "state": true,
    "nonce": true,
    "callback": "/proxyPort3030/auth0"
  },
  "google": {"key": "..", "secret": "..", "scope": ["openid", "profile", "email"]},
  "auth0": {
    "key": "ThXXXL",
    "secret": "4vXXXX9R",
    "redirect_uri": "https://example.website/proxyPort3030/connect/auth0/callback",
    "callback": "/proxyPort3030/auth0",
    "subdomain": "dev-XX8"
  },
  "twitter": {"key": "..", "secret": ".."}
}
simov commented 4 years ago

In order to get the user profile you have to specify at least the openid scope when authenticating with Auth0. In case you want to receive the full profile instead, you have to include the profile and email scopes as well.

I tested the following 3 scenarios, and all of them return the user profile using grant-profile:

  1. Authenticating using my Auth0 app as usual
  2. Authenticating using custom_params: {connection: 'google-oauth2'} in my Grant configuration, this uses the default OAuth app that Auth0 provides for that social connection
  3. Set up my own OAuth app key and secret in the Social Connection popup for Google. This also requires an additional redirect_uri for your OAuth app on Google, mine was https://outofindex.eu.auth0.com/login/callback. Then again I sent the custom_params: {connection: 'google-oauth2'} but this time I authenticated using my own OAuth app on Google.

Here is an example configuration:

{
  "auth0": {
    "key": "...",
    "secret": "...",
    "scope": ["openid", "profile", "email"],
    "custom_params": {"connection": "google-oauth2"},
    "subdomain": "outofindex.eu"
  }
}
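One way to make the scope requirement above checkable in code, as an added example that is not part of grant-profile or of this issue: a small Node script that classifies the "auth0" entry of a Grant config by the scopes it requests (no openid means no id_token and therefore no profile, openid alone gives a minimal profile, openid plus profile and email gives the full one) and inspects the object Grant stores in req.session.grant.response to report whether a profile can be derived from it. All function names, the sample responses and the placeholder tokens are constructed for this example; the script only decodes claims and performs no signature verification.

```javascript
// Added example, not code from grant-profile or from this issue. Checks the
// "auth0" entry of a Grant config for the scopes grant-profile needs, and
// inspects the response Grant stores in req.session.grant.response.
// All function names below are hypothetical helpers written for this example.

const REQUIRED_SCOPE = 'openid';                  // needed for any id_token at all
const FULL_PROFILE_SCOPES = ['profile', 'email']; // needed for name and email claims

// Classify an Auth0 provider entry: 'none' (no openid, so no id_token and no
// profile), 'minimal' (openid only) or 'full' (openid + profile + email).
function checkAuth0Scope(providerConfig) {
  const scope = Array.isArray(providerConfig.scope) ? providerConfig.scope : [];
  const hasOpenid = scope.includes(REQUIRED_SCOPE);
  const missing = FULL_PROFILE_SCOPES.filter((s) => !scope.includes(s));
  if (!hasOpenid) return { profile: 'none', missing: [REQUIRED_SCOPE, ...missing] };
  return { profile: missing.length === 0 ? 'full' : 'minimal', missing };
}

// base64url helpers: JWT segments are base64url without '=' padding.
function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}
function base64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Grant stores the id_token already split into {header, payload, signature};
// accept that shape and also a raw compact JWT string. No signature check is
// done here: this reads claims, it does not establish that they are genuine.
function idTokenPayload(idToken) {
  if (idToken && typeof idToken === 'object' && idToken.payload) return idToken.payload;
  if (typeof idToken === 'string') {
    const parts = idToken.split('.');
    if (parts.length === 3) return base64urlDecode(parts[1]);
  }
  return null;
}

// Inspect req.session.grant.response and report whether a profile is available.
function inspectResponse(response) {
  const payload = idTokenPayload(response && response.id_token);
  if (!payload) {
    return {
      hasProfile: false,
      reason: 'no id_token in response; add the openid scope to the auth0 config',
    };
  }
  const claims = {};
  for (const key of ['sub', 'given_name', 'family_name', 'email']) {
    if (payload[key] !== undefined) claims[key] = payload[key];
  }
  return { hasProfile: true, claims };
}

// Constructed sample data (placeholders, not real tokens or people).
// Shape of the bare response seen when openid is missing: only an access token.
const SAMPLE_BARE_RESPONSE = {
  access_token: 'PLACEHOLDER_ACCESS_TOKEN',
  raw: { access_token: 'PLACEHOLDER_ACCESS_TOKEN', expires_in: 86400, token_type: 'Bearer' },
};
const SAMPLE_CLAIMS = {
  sub: 'google-oauth2|0000', given_name: 'Ada', family_name: 'Lovelace', email: 'ada@example.com',
};
// A compact JWT with a placeholder signature, as it would look before Grant splits it.
const SAMPLE_RAW_ID_TOKEN = [
  base64urlEncode({ alg: 'RS256', kid: 'placeholder-kid' }),
  base64urlEncode(SAMPLE_CLAIMS),
  'placeholder-signature',
].join('.');
const SAMPLE_FULL_RESPONSE = { ...SAMPLE_BARE_RESPONSE, id_token: SAMPLE_RAW_ID_TOKEN };

// Usage: classify three configs, then inspect both sample responses.
console.log(checkAuth0Scope({ key: '..', secret: '..' }));
console.log(checkAuth0Scope({ scope: ['openid'] }));
console.log(checkAuth0Scope({ scope: ['openid', 'profile', 'email'] }));
console.log(inspectResponse(SAMPLE_BARE_RESPONSE));
console.log(inspectResponse(SAMPLE_FULL_RESPONSE));
```

Running checkAuth0Scope against the config posted earlier in this thread (an "auth0" entry with no scope at all) reports 'none', which matches the bare access-token-only response shown there; adding the three scopes from the configuration above reports 'full'.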
edwardsmarkf commented 4 years ago

Simov - i owe you a THOUSAND thank-you's for once again helping me. But most importantly, i want to thank you for your wonderful work and efforts creating and supporting grant.

edwardsmarkf commented 4 years ago

EDIT: strangely enough, I had the IDENTICAL problem getting PHP and Facebook working, "scope": ["openid", "profile", "email"], and spent over a month trying to resolve it. In my defense, I had just started using Auth0 at the time, and the example provided by Auth0-PHP was not working for Facebook. They have since fixed it on my insistence. 😁

edwardsmarkf commented 4 years ago

the Auth0 engineers have also agreed this is an issue:

mathiasconradt Sr. Solutions Engineer, Auth0 Thanks for letting us know. We agree there is an issue and we’re looking into it.

simov commented 4 years ago

Interesting, what's that about? I can't see that ticket.

edwardsmarkf commented 4 years ago

Hi - apparently the posting was removed, but I requested the post to be reinstated for you.

Personally, I did not observe this behavior, nor do I understand it, but according to David Luche of feathersJS, if you use Postman and do a:

GET https://dev-2a5ae3w8.auth0.com/userinfo

you get back different results depending on if you are using the Auth0 default "Client ID" and "Client Secret" vs. the ones provided by Google.

I am pushing them to reinstate the post since apparently it is indeed still relevant.

Thank you.

simov commented 4 years ago

Auth0 acts as a proxy for the Social Connections and it always returns the access token for Auth0 that can access the user profile. You won't be able to access the user profile with an access token returned directly from Google.

edwardsmarkf commented 4 years ago

Sorry, I was wrong earlier when I said:

Thanks for letting us know. We agree there is an issue and we’re looking into it.

Apparently that was just an automated reply. Regarding the issue, I am hoping that David Luche (Daffl on slack) will contact Auth0 "mathiasconradt" directly because I am unable to explain the problem that David Luche has raised.

But either way, your solution worked just fine.