• If you logout, you will remain logged out until at least 11th August 2019.

    Auth0 have made some changes I was unaware of and it has fundamentally broken login.

    I will fix this but need time to learn what they've done and code a solution.

    I cannot say how much I hate auth0 right now.

    Unfortunately this may remain broken until I can look at it properly over the weekend.

  • Gist is... LFGSS was using a "legacy" way of doing auth, and Google and Facebook have been advocating a new way... and Auth0 were supporting the old way but when I just touched the config they've somehow moved me to the "new" way - breaking this site.

    AFAICT, the old way was "two easy API calls" and the new way is "many API calls and a new dance of API calls".

    I need to go now learn this thing to get it working again!

  • I have no idea what this means but it looks like a good time to say thank you for running a great forum for all the years and dealing with all these things

  • Is it no longer still just a case of simply exchanging an authorization code for an access token, like back when I was a lad?

  • Is it no longer still just a case of simply exchanging an authorization code for an access token, like back when I was a lad?

    It was.

    But now instead of that process returning a token with which you can ask for a profile, i.e. the actual email to determine who just logged in.

    Now the process is that auth0 gives a user object identifier, and than a service-to-service API goes and looks up the information. And that seems to require a different service API credential, which is a JWT, and that has lots of claims and grants that need configuring, the JWT unpacked, and then the contents can be used as another token to another API that will return the user information.

    So it's gone from a couple of simple API calls, to a very complex multi-actor scenario with JWTs thrown in for good measure.

  • This isn’t some preliminary step to enabling Apple authentication is it?

  • Maybe by auth0 it is.

    But not from my perspective.

    All I want to do is ensure there is a highly convenient way to authenticate with your email and my never having a password.

  • I do like that you offload the password responsibility to email rather than have yet another db somewhere with yet another password

  • This experience is almost exactly what I had to go through with Auth0 for a client when I was ranting about it about 18 months ago. I presume as they had a very specific implementation it was the first in line to get these kind of changes foisted upon them and much like you they just changed how the system worked overnight without any kind of thought about backwards compatibility and just turned all the shit off without notice.

  • Good luck DK.

  • Did you get it working? Do you have code snippets?

    Because honestly... their documentation is wildly out of date / conflicting. It looks like it should work, you do it... but nope.

  • Not had any dealings with Auth0 but this looks similar to something I am working on using AWS Cognito as an OIDC provider and embedding tenant context in a custom claim inside the id token.

    Are you going to be issuing JWTs to users or exchanging a user token for a JWT for the backend to talk to Auth0? Remember to validate rather than just unpack/decode the JWTs (although knowing your background I am sure you will be)

  • Oh... it's got worse.

    So the integrated login client is deprecated https://github.com/auth0/lock-passwordle­ss

    Which means the front-end is now out-of-date, and the backend is now all broken.

    As for what I do today... I use Auth0 only to do the email integration bit... once Auth0 presents me with an authenticated session for a given email address, I lookup the email and then issue my own cookie and maintain my own sessions. So everyone with a cookie will remain logged in.

    It was designed this way to ensure we were not so tightly coupled to Auth0 that we couldn't replace them if need be... so long as I can say "you own this email" I'd issue a cookie.

  • I have a temporary workaround :D

    I've changed the config so that it works... but it won't always work. But at least the panic is over.

  • Post a reply
    • Bold
    • Italics
    • Link
    • Image
    • List
    • Quote
    • code
    • Preview

Warning: Do not logout! Auth0 have broken authentication!

Posted by Avatar for Velocio @Velocio