Lock v10.9.2 fails on IE 10 Windows 7

[maxlapides]

Steps to reproduce:

1. go to auth0.com/lock in IE 10 on Windows 7
2. try to log in with the demo form
3. see console for errors:

I was also able to reproduce this issue in my own project.

[glena]

hi @maxlapides

this is a security enforcement to avoid CRSF.

Lock attempts to generate the state and validate it later. The thing with IE10 is that it does not support crypto (https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto) to generate cryptographically secure random values.

The thing with IE10 is that it does not support crypto, in that case if your app should be compatible with IE10, you should generate it in your app and send it to lock:

{
      auth: {
        state: "some_random_string"
      }
}

[maxlapides]

@glena thanks so much for this information.

i am very surprised to hear this, though. auth0 lock v10.8 was compatible with IE 10, so this is a major breaking change. there was no information about this breaking change in any changelog and the version bump was minor, indicating that auth0 lock v10.9 is fully backwards-compatible, which it clearly isn't. it is not reasonable at this point to assume that you do not need to support IE 10.

in the future, it is very important that auth0 properly increment version numbers and include information about breaking changes such as this one in changelogs.

for other users experiencing the same issue, here's how i solved this problem. i'm using bowser (https://github.com/ded/bowser) for browser detection:

in my auth0 lock params:

{
    auth: {
        state : (bowser.msie && parseInt(bowser.version) < 11) ? getRandStr(32) : null
    }
}

and then the definition for getRandStr():

function getRandStr(length) {
    var text = '';
    var possible = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    for (var i = 0; i < length; i++) {
        text += possible.charAt(Math.floor(Math.random() * possible.length));
    }
    return text;
}

(modified version of code from http://stackoverflow.com/a/1349426)

[hzalaz]

@maxlapides this something we can fix in a future release.
Besides the error, you should pass a random state on each authentication attempt to protect your site for CSRF. Lock will try it's best to make your app secure by generating a cryptographically random state if none is provided to it.

Since it's relying on Web Crypto API and IE 10 does not support it just waits for the developer to generate one (we didn't want to add a polyfill to increase lock size).

Your implementation is a workaround but is not as secure as we'd like but we can use it as a workaround and warn the developer to provide a better sate by using a polyfill.

[maxlapides]

if you have any better suggestions or if auth0 lock is patched to include a fix, please let me know. in the meantime, i am stuck with this hacky solution.

[hzalaz]

@maxlapides not ATM but I suggest finding a polyfill for webcrypto for a secure random. Also it's not a hacky solution to provide a state on every auth. Will try to come up with a solution for the next release

[hzalaz]

We are going to release v10.10.0 that will not require the state parameter. We strongly suggest to provide a secure random hash.