
auth0.js's Introduction

Client Side JavaScript toolkit for Auth0 API


Documentation

  • Library docs - a complete reference and examples.
  • Sample App - a sample application integrated with Auth0.
  • Examples - code samples for common auth0-js authentication scenarios.
  • Docs site - explore our docs site and learn more about Auth0.

Getting started

Installation

From CDN:

<!-- Latest patch release -->
<script src="https://cdn.auth0.com/js/auth0/9.26.1/auth0.min.js"></script>

From npm:

npm install auth0-js

After installing the auth0-js module using npm, you'll need to bundle it up along with all of its dependencies, or import it using:

import auth0 from 'auth0-js';

Configure the SDK

auth0.WebAuth

Provides support for all the authentication flows.

// Named webAuth so the instance does not shadow the imported auth0 module.
var webAuth = new auth0.WebAuth({
  domain: '{YOUR_AUTH0_DOMAIN}',
  clientID: '{YOUR_AUTH0_CLIENT_ID}'
});

auth0.Authentication

Provides an API client for the Auth0 Authentication API.

// Named authentication so the instance does not shadow the imported auth0 module.
var authentication = new auth0.Authentication({
  domain: '{YOUR_AUTH0_DOMAIN}',
  clientID: '{YOUR_AUTH0_CLIENT_ID}'
});

auth0.Management

Provides an API Client for the Auth0 Management API (only methods meant to be used from the client with the user token). You should use an access_token with the https://YOUR_DOMAIN.auth0.com/api/v2/ audience to make this work. For more information, read the user management section of the Auth0.js documentation.

// Named management so the instance does not shadow the imported auth0 module.
var management = new auth0.Management({
  domain: '{YOUR_AUTH0_DOMAIN}',
  token: '{ACCESS_TOKEN_FROM_THE_USER}'
});

API reference

auth0.webAuth

auth0.Authentication

auth0.Management

Feedback

Contributing

We appreciate feedback and contribution to this repo! Before you get started, please see the following:

Raise an issue

To provide feedback or report a bug, please raise an issue on our issue tracker.

Vulnerability Reporting

Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.



Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more, check out Why Auth0?

This project is licensed under the MIT license. See the LICENSE file for more info.


auth0.js's Issues

Add tests for IE11

There are some odd behaviors reported with IE11 not working as expected.

Seems to be some rare bug with uglify and ascii: true.

API v3.0

Redirect will be the default from now on. Popup is optional.

Usage will be:

var auth0 = new Auth0({
  clientID: 'xxx',
  clientSecret: 'yyy',
  callbackOnLocationHash: true,
  //etc
});

//handle login success
widget.on('success', function (profile, id_token, access_token) {
  alert('welcome ' + profile.name);
});

//handle errors
widget.on('error', function (err) {
  alert('error' + err.message);
});

document.getElementById('login-button').onclick = function () {
  //trigger login
  widget.signin({ connection: 'google-oauth2' });
};

When logging in with Username and Password and not using `/ro` and there's an error, redirect should be used

When you send a callback to auth0.js with 1 parameter or fewer (just the error), redirect mode is used to log the user in.

However, when there's an error logging the user in, instead of actually doing a redirect as well and returning the error there, it's returning the error after the request finishes, which is not consistent.

This brings some consistency errors like auth0/auth0-angular#118

Question: Trigger Forgot Password

Hi All,

I have had to build a custom logon form in my current app and signing in or changing password is no problem but I can't figure out how I would trigger a forgot password mail to be sent, is there a way to trigger this?

Thanks for the help and auth0 has been great so far, nice and easy to implement compared to some other implementations for auth I've tried.

Thanks

Don't expect `window` to exist

For those of us who like to build "universal" (a.k.a. isomorphic) apps, this causes issues when doing require('auth0-js') in node.

Not saying everything has to work, but it'd be cool if it didn't error, something like this:

if (typeof window !== 'undefined') {
  // here you can safely reference `window`
}

Also, I would suggest testing in both browserify and webpack as they're slightly different and webpack keeps growing in popularity.

When offline and popup mode, it should not create the popup

Steps to reproduce:

  1. Setup auth0.js to use popup mode and a social provider.
  2. Disconnect
  3. Call the signin method with the social provider.

What should happen? It should detect that the browser is offline using navigator.onLine and not launch the popup. Show an error message instead.

What happens instead? It launches a popup that displays a browser error page as it's disconnected. After closing the popup, a message appears that the user closed it.

Support for IE9

We need to bring back support for CORS on IE9 (i.e. not using jsonp to send user/pass).

Bower component?

Can this be published as a Bower component?

Right now I'm grabbing it with bower using the repo address, but then I still have to cd into the local dir and do an npm install to get all dependencies so that browserify will work correctly on "standalone.js"

Need to be robust against corrupt cookies (idToken)

When upgrading from one version to another, it happened to me twice that I had to delete persistent cookies to make the auth0 libraries (angular and this one) not crash.

The libraries should be robust against corrupt cookies or changes in cookie format between versions. Website developers can't expect their end-users to clear cookies and neither should developers have knowledge about and need to write code to delete invalid cookie data.

In the last occurrence, the cookie idToken contained the value "undefined" (string) which causes auth0.js to crash here: https://github.com/auth0/auth0.js/blob/master/build/auth0.js#L53

The cookies seem to get set to "undefined" when _serialize in auth0-angular gets called with this._serialize(undefined, undefined, undefined); (https://github.com/auth0/auth0-angular/blob/master/build/auth0-angular.js#L172). That's probably a bug by itself, yet auth0 should not crash. (It might not even be related to auth0-angular, but to my version of angular, but again, auth0 should just disregard such cookies.)
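One way to read such a cookie without crashing, as an added example that is not code from auth0.js or auth0-angular: `decodeIdTokenPayload` and `loadSession` are hypothetical helpers, and the sample token is constructed.

```javascript
// Added example; decodeIdTokenPayload and loadSession are hypothetical
// helpers, not part of auth0.js or auth0-angular.

// Constructed sample: {"alg":"RS256"} . {"sub":"u1"} . "sig" (not a real token).
const SAMPLE_TOKEN = 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2ln';

function base64UrlToText(segment) {
  // Only the base64url alphabet is accepted; anything else is corrupt input.
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('bad base64url');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const binary = typeof atob === 'function'
    ? atob(padded) // throws on impossible lengths
    : Buffer.from(padded, 'base64').toString('binary');
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Returns the claims object, or null for anything that is not a well-formed
// three-part JWT. Decoding is not signature verification: the claims are
// untrusted until the token has been validated.
function decodeIdTokenPayload(raw) {
  if (typeof raw !== 'string' || raw === 'undefined' || raw === 'null') return null;
  const parts = raw.split('.');
  if (parts.length !== 3 || parts.some((p) => p === '')) return null;
  try {
    const claims = JSON.parse(base64UrlToText(parts[1]));
    const isObject = claims !== null && typeof claims === 'object' && !Array.isArray(claims);
    return isObject ? claims : null;
  } catch (e) {
    return null; // corrupt base64, invalid UTF-8 or invalid JSON
  }
}

// Treats a corrupt cookie as "not logged in" and deletes it, so the end user
// never has to clear cookies by hand. clearCookie is supplied by the caller.
function loadSession(cookieValue, clearCookie) {
  const claims = decodeIdTokenPayload(cookieValue);
  if (claims === null && cookieValue !== undefined) clearCookie();
  return claims;
}
```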

Package naming causes common Grunt tasks to fail

When running "usemin" and "rev:dist" tasks with common options (i.e. includes = */.js), Grunt builds fail due to this module being named "auth0.js" (it tries to open it as a JS file). Not strictly your fault, but the nonstandard naming convention makes it impossible for me to use bower to manage the auth0 dependency at this point since I need to rename it and rewire my local dependencies manually. I haven't run into any other packages that do this.

I would recommend publishing as "auth0-js" or just "auth0" and switching to that as the default package for your other dependencies (auth0-angular, etc).

Obtain an actual email_verified value without re-login?

After registration (and login after that) I have {email_verified: false}

After verification of email this method returns the same value (email_verified: false)

  • getProfile() or /tokeninfo

even after renewIdToken or refreshToken

only re-login helps to obtain actual value: (email_verified: true)

Is there any possibility to obtain it without re-login?

package.json postinstall: bower install with Heroku

Having a few problems trying to complete a bower install on Heroku with the "auth0.js": "latest" dependency, getting the error...

package.json

"scripts": {
    "start": "node node_modules/grunt-cli/bin/grunt",
    "postinstall": "node node_modules/bower/bin/bower install"
  },

error

bower Base64#* ECMDERR Failed to execute "git checkout 277e9adeecce7c376692b772aec60baf63114592", exit code of #128
Additional error details: fatal: Not a git repository: '.'

bower.json

{
    "name": "myApp",
    "version": "0.1.0",
    "dependencies": {
        "angular": "latest",
        "angular-bootstrap": "0.10.0",
        "angular-cookies": "latest",
        "angular-ui-router": "#master",
        "auth0.js": "latest",
        "auth0-angular": "latest",
        "bootstrap": "3.0.3"
    }
}

Once I remove "auth0.js": "latest" from bower.json the Heroku build completes successfully.

Redirect and Popup modes are inconsistent

There're inconsistencies when using redirect and popup mode after the login has succeeded or failed.

Let's see how they work now:

Popup mode

Code

auth0.login({}, function(err, token, profile) {
  // first check for errors when authenticating or when getting the profile
  if (err) {
     // do something
  } 

  // save profile and token
  window.token = token;
  window.profile = profile
})

Advantages

  • Error for both Authentication and getting a profile is in a single point
  • We don't have nested callbacks
  • We can save the token and profile together

Disadvantages

  • The profile is fetched for us and we don't know/understand how.

Redirect mode

// login.js
auth.signin({});

// boot.js
var authHash = auth.parseHash(window.location.hash);
if (authHash && authHash.id_token) {
  window.token = authHash.id_token;
  auth.getProfile(authHash.id_token, function(err, profile) {
    // Check profile fetch errors
    if (err) {
      // do sth
    } 
    window.profile = profile;
  });
}
if (authHash && authHash.error) {
  // Handle authentication errors here
}

Advantages

  • We know everything that's going on. We know how the profile is fetched and when.

Disadvantages

  • We have nested callbacks
  • We do error handling twice in 2 different places
  • It requires much more code which doesn't add value to us

Proposal

My proposal is to make popup and redirect mode consistent by making the redirect mode also return a callback with the profile and default to check window.location.hash.

Code for redirect

auth.processAuthenticationHash(function(err, token, profile) {
  // first check for errors when authenticating or when getting the profile
  if (err) {
     // do something
  } 

  // save profile and token
  window.token = token;
  window.profile = profile
});

Important parts

  • Internally the processAuthenticationHash function will check if there's a hash or search. If there's not, it just won't call the callback
  • It'll do error handling for both authentication part as well as profile fetching

Thoughts?

@woloski @jfromaniello @cristiandouce

Check for callback by counting args is wrong

Right now, Auth0.js code to check if I sent a callback to do /ro for Username & password does the following:

if (callback && callback.length > 1) {

This means my callback HAS to have 2 parameters to be considered a "callback".

Therefore, the following code we have on auth0-angular doesn't work:

var applied = function(fn) {
        return function () {
          var argsCall = arguments;
          safeApply(function() {
            fn.apply(null, argsCall);
          });

        };
      };

signIn(options, applied(onSignInCallback));

As you can see I always forward all arguments. To make this work, I had to add 2 arguments that I don't use.

I just wanted to know WHY it checks for the amount of args of the function and if it can be changed.

Thanks!

/cc @jfromaniello
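The arity check from this issue, compared with a type check, as an added example that is not auth0.js code: `pickModeByArity`, `pickModeByType` and `compareModes` are hypothetical names, and the mode labels follow the issue text (a recognised callback means `/ro`, otherwise redirect).

```javascript
// Added example; all function names here are hypothetical, not auth0.js APIs.

// The check quoted in the issue: only functions declaring 2+ parameters count.
function pickModeByArity(callback) {
  return callback && callback.length > 1 ? 'ro' : 'redirect';
}

// Alternative: any function is a callback, however its parameters are declared.
function pickModeByType(callback) {
  return typeof callback === 'function' ? 'ro' : 'redirect';
}

// Forwarding wrapper in the style of the auth0-angular snippet above.
function applied(fn) {
  return function () {
    return fn.apply(null, arguments);
  };
}

function onSignIn(err, profile, idToken) {
  return err ? 'failed' : 'ok';
}

// Function.length counts only declared parameters before the first default
// or rest parameter, so common wrapper styles all report 0.
const candidates = {
  plain: onSignIn,
  forwarded: applied(onSignIn),
  rest: (...args) => onSignIn(...args),
  defaulted: (err = null, profile) => onSignIn(err, profile),
};

function compareModes() {
  const report = {};
  for (const [name, fn] of Object.entries(candidates)) {
    report[name] = {
      arity: fn.length,
      byArity: pickModeByArity(fn),
      byType: pickModeByType(fn),
    };
  }
  return report;
}
```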

Throw a specific error to the user if the Authentication mode asked is not available in the current platform/app

We have right now 3 Authentication modes:

  • Popup
  • Redirect
  • Post to /ro

Not all the calls can be made in all devices.

For example, redirect cannot be used in Cordova and Phonegap.

We should add a mechanism in auth0.js to detect what platform / app we're currently in, and if we're asked to perform an Authentication mode that we cannot do, we should throw a specific error for that.

Firebase is doing something similar.

Not properly handling "Connection Timeout" and "Connection Refused" exceptions

auth0.6.1.0.js is not handling "Connection Timeout" and "Connection Refused" exceptions.

There was a recent fix to handle "Internet Disconnected" [commit 68aea5d], but the fix does not cover the situation when the browser can't connect to Auth0 (for example: Auth0 service is down or some network issues). The error reported is "invalid_password" which may be confusing to users.

Create a flag to disable the JSONP fallback

Right now if CORS is not supported in the browser auth0.js falls back to JSONP.

This is not a good security practice since it sends passwords in urls.

We want to provide the ability to disable this fallback.
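Why the fallback exposes the password, and what an opt-out would change, as an added example that is not auth0.js code: `planLogin`, `secretInUrl`, the `disableJsonpFallback` option and the `tenant.example` domain are hypothetical, and the credentials are constructed.

```javascript
// Added example; planLogin, secretInUrl and the disableJsonpFallback option
// are hypothetical, not auth0.js APIs. Credentials below are constructed.
const SAMPLE_CREDENTIALS = { username: 'alice@example.com', password: 'constructed-pw-123' };

// Describes the request a client would send to the /ro endpoint.
function planLogin(domain, credentials, env, options = {}) {
  const endpoint = 'https://' + domain + '/ro';

  if (env.corsSupported) {
    // Credentials travel in the POST body, which is not part of the URL.
    return { transport: 'cors', method: 'POST', url: endpoint, body: JSON.stringify(credentials) };
  }

  if (options.disableJsonpFallback) {
    // Fail closed: report the limitation instead of downgrading the transport.
    return { transport: 'none', error: 'cors_unsupported' };
  }

  // JSONP is a <script src=...> GET, so every field has to go in the query
  // string, where browser history and proxy or server access logs retain it.
  const query = Object.entries(credentials)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .concat('callback=cb')
    .join('&');
  return { transport: 'jsonp', method: 'GET', url: endpoint + '?' + query, body: null };
}

// True when the secret would be visible to anything that records URLs.
function secretInUrl(plan, secret) {
  return typeof plan.url === 'string' && plan.url.includes(encodeURIComponent(secret));
}
```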

implement a getProfile(window.location.hash, callback)

Call the parseHash function, if the profile returned just has the user_id (it means that the scope was just openid) call GET /api/users/:id with the jwt in auth header or qs for jsonp.

Make sure it works with JSONP.

Distinguish no internet connection error

In our client application, we want to be able to set apart the case where the user does not have an internet connection and display a message accordingly on the login screen.

It seems to me though that the error status code for the "no connection" error is transformed into a 401 because of this line that fixes an IE 10 error, judging from the code comment.

Is there a way to distinguish the "no connection" error from other errors and have everything also work under IE10?

"wrong password" message stays on Signup screen

  1. Put wrong email/password and click SignIn
  2. Widget displays "Wrong email or password" error message.
  3. Click SignUp button. The message is still there but it does not make sense on that screen. It should be hidden on Signup page.

Show alert if no callbackURL is defined and a callback is set

Right now, we show the World Domination message when the callback is missing and the user is trying a Social IdP. However, if the user tries to do a regular Username/Password Auth, a CORS error is thrown.

We should parse the s3 information to see if there's a callbackURL. If there's not and no callback is set to handle the success of the login, then we should show a message saying `Please add currentURL as a CallbackURL on your application settings`.

Thanks!

Extra fields on signup

Hi,
Found during working on auth0/lock#142
I was wondering why it's not possible to pass extra fields in the signUp method? I presume internally it's similar to /users/create api which allows to pass extra fields.
