Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unwanted parameters in /authorize call #851

Closed
nicosabena opened this issue Feb 1, 2017 · 3 comments · Fixed by #863
Closed

Unwanted parameters in /authorize call #851

nicosabena opened this issue Feb 1, 2017 · 3 comments · Fixed by #863
Assignees
Labels
bug This points to a verified bug in the code
Milestone

Comments

@nicosabena
Copy link
Contributor

nicosabena commented Feb 1, 2017

Lock v10.10.1 (probably after referencing auth0.js 8.1.2 because of PR #324) adds some additional parameters when doing an authorize call, such as popup and popup_options, that seem out of place.

Lock v10.7.0:

https://nico-sabena.auth0.com/authorize
  ?scope=openid
  &response_type=code
  &connection=[...]
  &connection_scope=
  &sso=true
  &state=
  &client_id=[...]
  &redirect_uri=[...]
  &auth0Client=[...]

Lock v10.10.0:

https://nico-sabena.auth0.com/authorize
  ?connection=[...]
  &auth0Client=[...]
  &client_id=[...]
  &response_type=code
  &redirect_uri=[...]
  &scope=openid

v10.10.1 and after:

https://nico-sabena.auth0.com/authorize
?client_id=[...]
  &response_type=code
  &redirect_uri=[...]
  &connection=[...]
  &connection_scope=
  &popup=false
  &popup_options=%5Bobject%20Object%5D
  &sso=true
  &state=nndfasdfasdf
  &scope=openid
  &auth0Client=[...]
@glena
Copy link
Contributor

glena commented Feb 1, 2017

can you share the js code? (auth0.js initialization and the method call)

@nicosabena
Copy link
Contributor Author

You can replicate with:

var lock = new Auth0Lock('BYmE3DvjklkyaOADad2gABf05OplTXFV', 'nico-sabena.auth0.com');
lock.show();

and click on the Google social login.

@glena
Copy link
Contributor

glena commented Feb 1, 2017

I think that the empty connection_scope comes from here https://github.com/auth0/lock/blob/master/src/quick-auth/actions.js#L16 (check if it is adding it in other flows too)

popup and popup_options comes from here https://github.com/auth0/lock/blob/master/src/core/web_api/legacy_api.js#L39-L40 that is being merged into the auth0.js option like here https://github.com/auth0/lock/blob/master/src/core/web_api/legacy_api.js#L55 (this happens in all the calls). The same happen with the other web api implementation.

We should make sure that lock does not sends those params to auth0.js.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug This points to a verified bug in the code
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants