Comments (9)

simov commented on June 8, 2024 4

In order to get the user profile you have to specify at least the openid scope when authenticating with Auth0. In case you want to receive the full profile instead, you have to include the profile and email scopes as well.

I tested the following 3 scenarios, and all of them return the user profile using grant-profile:

  1. Authenticating using my Auth0 app as usual
  2. Authenticating using custom_params: {connection: 'google-oauth2'} in my Grant configuration, this uses the default OAuth app that Auth0 provides for that social connection
  3. Set up my own OAuth app key and secret in the Social Connection popup for Google. This also requires an additional redirect_uri for your OAuth app on Google, mine was https://outofindex.eu.auth0.com/login/callback. Then again I sent the custom_params: {connection: 'google-oauth2'} but this time I authenticated using my own OAuth app on Google.

Here is an example configuration:

{
  "auth0": {
    "key": "...",
    "secret": "...",
    "scope": ["openid", "profile", "email"],
    "custom_params": {"connection": "google-oauth2"},
    "subdomain": "outofindex.eu"
  }
}

from grant-profile.
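
The scope requirement from the comment above, as an added example that is not part of the thread or of Grant's own code: a Node.js check that merges a provider entry with defaults and reports whether the openid, profile and email scopes are present, plus a classifier for the two response shapes posted in this thread. The helper names, the placeholder keys and the assumption that scope may be an array or a delimited string are introduced here for illustration.

```javascript
// Added example: lint a Grant-style config for the OpenID Connect scopes
// that the answer above says Auth0 needs before it returns a user profile.
// Assumptions (not from the thread): lintOidcScopes and classifyResponse are
// hypothetical helpers; provider entries inherit keys from "defaults";
// "scope" may be an array or a space/comma separated string.

const FULL_PROFILE_SCOPES = ['openid', 'profile', 'email']

function normalizeScope (scope) {
  if (Array.isArray(scope)) return scope.map(String)
  if (typeof scope === 'string') return scope.split(/[\s,]+/).filter(Boolean)
  return []
}

function lintOidcScopes (config, name = 'auth0') {
  if (!config[name]) {
    return {provider: name, verdict: 'not-configured', missing: FULL_PROFILE_SCOPES}
  }
  // Provider keys override defaults, so a scope set in either place counts.
  const merged = Object.assign({}, config.defaults, config[name])
  const scope = normalizeScope(merged.scope)
  const missing = FULL_PROFILE_SCOPES.filter((s) => !scope.includes(s))
  let verdict = 'full-profile'
  if (missing.includes('openid')) verdict = 'no-profile'
  else if (missing.length) verdict = 'minimal-profile'
  return {provider: name, verdict, missing}
}

// Distinguishes the two response shapes seen in the thread:
// one carrying a decoded id_token, one with only an access_token.
function classifyResponse (response) {
  const payload = response && response.id_token && response.id_token.payload
  return payload ? 'id_token-issued' : 'access_token-only'
}

// Constructed sample configs, modelled on the two configs in this thread.
const failing = {
  defaults: {protocol: 'http', host: 'localhost:3030', transport: 'session', state: true, nonce: true},
  auth0: {key: 'PLACEHOLDER', secret: 'PLACEHOLDER', subdomain: 'example-tenant'}
}
const working = {
  defaults: failing.defaults,
  auth0: Object.assign({}, failing.auth0, {
    scope: 'openid profile email',
    custom_params: {connection: 'google-oauth2'}
  })
}

console.log(lintOidcScopes(failing))
console.log(lintOidcScopes(working))
```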

edwardsmarkf commented on June 8, 2024 1

Simov - i owe you a THOUSAND thank-you's for once again helping me. But most importantly, i want to thank you for your wonderful work and efforts creating and supporting grant.

edwardsmarkf commented on June 8, 2024

i believe i have confirmed this issue. there seems to be something in grant-profile that is not working as expected.

when i use the DEFAULT Auth0 "Client ID" and "Client Secret" for a Google login (which is to leave them blank), i am indeed getting the full profile which is what i expect to see:

{
  "response": {
    "id_token": {
      "header": {
        "alg": "RS256",
        "kid": "MTU1MTNBMUY3MTM1RDExRjcyQjA3OTVDNDUwMThCM0Q5QjJGQTlBRQ"
      },
      "payload": {
        "given_name": "Mark",
        "family_name": "Edwards",
        blah blah blah blah
        "exp": 1583814484,
        "nonce": "61dd1a1d246f3bd20796"
      },
      "signature": "JOXXXXXXXTg"
    },
    "access_token": "Z4C9bLqMIcSGlzjZi_CVu-BhM7fTHTbz",
    "raw": {
      "access_token": "Z4C9bLqMIcSGlzjZi_CVu-BhM7fTHTbz",
      blah blah blah
      "expires_in": 86400,
      "token_type": "Bearer"
    }
  }
}

but when i try using my own Google values for "Client ID" and "Client Secret" this is all i get back:

{
  "response": {
    "access_token": "aXj185Zi_k8rDFrD0ypwAniuR3gMH9qU",
    "raw": {
      "access_token": "aXj185Zi_k8rDFrD0ypwAniuR3gMH9qU",
      "expires_in": 86400,
      "token_type": "Bearer"
    }
  }
}

any suggestions?

my test code was from the grant-profile example:

var express = require('express')
var session = require('express-session')
var grant = require('grant-express')
var profile = require('grant-profile').express()
var config = require('./config.json')

express()
  .use(session({secret: 'grant', saveUninitialized: true, resave: true}))
  .use(grant(config))
  .use(profile(config))
  .use('/auth0', (req, res) => {
    var {response, profile} = req.session.grant
    res.end(JSON.stringify({response, profile}, null, 2))
  })
  .listen(3030)

{
  "defaults": {
    "protocol": "http",
    "host": "localhost:3030",
    "transport": "session",
    "state": true,
    "nonce": true,
    "callback": "/proxyPort3030/auth0"
  },
  "google": {"key": "..", "secret": "..", "scope": ["openid", "profile", "email"]},
  "auth0": {
    "key": "ThXXXL",
    "secret": "4vXXXX9R",
    "redirect_uri": "https://example.website/proxyPort3030/connect/auth0/callback",
    "callback": "/proxyPort3030/auth0",
    "subdomain": "dev-XX8"
  },
  "twitter": {"key": "..", "secret": ".."}
}

edwardsmarkf commented on June 8, 2024

EDIT: strangely enough, i had the IDENTICAL problem getting PHP and Facebook working,
"scope": ["openid", "profile", "email"],
and spent over a month trying to resolve it. in my defense, i had just started using Auth0 at the time, and the example provided by Auth0-PHP was not working for FaceBook. they have since fixed it on my insistence. 😁

edwardsmarkf commented on June 8, 2024

the Auth0 engineers have also agreed this is an issue:

mathiasconradt Sr. Solutions Engineer, Auth0
Thanks for letting us know. We agree there is an issue and we’re looking into it.

simov commented on June 8, 2024

Interesting, what's that about? I can't see that ticket.

edwardsmarkf commented on June 8, 2024

hi - apparently the posting was removed, but i requested the post to be reinstated for you.

personally, i did not observe this behavior, nor do i understand it, but according to David Luche of feathersJS, if you use Postman and do a:

GET https://dev-2a5ae3w8.auth0.com/userinfo

you get back different results depending on if you are using the Auth0 default "Client ID" and "Client Secret" vs. the ones provided by Google.

i am pushing them to reinstate the post since it apparently is indeed still relevant.

thank you.

simov commented on June 8, 2024

Auth0 acts as a proxy for the Social Connections and it always returns the access token for Auth0 that can access the user profile. You won't be able to access the user profile with an access token returned directly from Google.

edwardsmarkf commented on June 8, 2024

Sorry, i was wrong earlier when i said:

Thanks for letting us know. We agree there is an issue and we’re looking into it.

Apparently that was just an automated reply. Regarding the issue, i am hoping that David Luche (Daffl on slack) will contact Auth0 "mathiasconradt" directly because i am unable to explain the problem that David Luche has raised.

But either way, your solution worked just fine.
