From 7f2777ae80d33c6f7f7ca266d7f245676fc0d77a Mon Sep 17 00:00:00 2001
From: Peter Kazazes
Date: Sun, 9 Sep 2018 07:12:37 -0400
Subject: [PATCH 1/2] remove default auth0 audience

As of June 8th, the jwt-bearer grant isn't available to new applications. Therefore, any new app cannot get a token without a specified audience (#176). This is a breaking change from upstream. The audience *must* match the API's audience. However, audience can be omited if a default audience is specified in the tenent's settings. https://auth0.com/docs/tokens/id-token#validate-the-claims
---
 docs/providers/auth0.md | 11 ++++++++---
 lib/providers/auth0.js | 5 ++---
 lib/schemes/oauth2.js | 7 +++++--
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/docs/providers/auth0.md b/docs/providers/auth0.md
index 172e5f8e5..7f4a7dd09 100644
--- a/docs/providers/auth0.md
+++ b/docs/providers/auth0.md
@@ -11,7 +11,8 @@ auth: {
 strategies: {
 auth0: {
 domain: 'domain.auth0.com',
- client_id: '....'
+ client_id: '....',
+ audience: 'https://mydomain.com/'
 }
 }
 }
@@ -30,8 +31,12 @@ User will be redirected to a page like this:
 💁 This provider is based on [oauth2 scheme](../schemes/oauth2.md) and supports all scheme options.
-### Obtaining `client_id` and **`domain`**
+### Obtaining `client_id`, **`domain`**, and `audience`
-This options are **REQUIRED**. Your application needs some details about this client to communicate with Auth0. You can get these details from the Settings section for your client in the [Auth0 dashboard](https://manage.auth0.com).
+`client_id` and `domain` are **REQUIRED**. Your application needs some details about this client to communicate with Auth0.
+
+`audience` is required _unless_ you've explicitly set a default audience [on your Auth0 tenent](https://manage.auth0.com/#/tenant).
+
+You can get your `client_id` and `domain` the Settings section for your client in the [Auth0 API dashboard](https://manage.auth0.com/#/applications). Your audience is defined on your [client's API](https://manage.auth0.com/#/apis).
diff --git a/lib/providers/auth0.js b/lib/providers/auth0.js
index 7d333946d..efb2db36e 100644
--- a/lib/providers/auth0.js
+++ b/lib/providers/auth0.js
@@ -6,6 +6,5 @@ module.exports = function auth0 (strategy) {
 authorization_endpoint: `https://${strategy.domain}/authorize`,
 userinfo_endpoint: `https://${strategy.domain}/userinfo`,
 scope: ['openid', 'profile', 'email'],
- audience: strategy.domain
- })
-}
+ });
+};
diff --git a/lib/schemes/oauth2.js b/lib/schemes/oauth2.js
index 114a895e1..de39e010b 100644
--- a/lib/schemes/oauth2.js
+++ b/lib/schemes/oauth2.js
@@ -70,8 +70,11 @@ export default class Oauth2Scheme {
 client_id: this.options.client_id,
 redirect_uri: this._redirectURI,
 scope: this._scope,
- audience: this.options.audience,
- state: randomString()
+ state: randomString(),
+ };
+
+ if (this.options.audience) {
+ opts.audience = this.options.audience;
 }
 this.$auth.$storage.setLocalStorage(this.name + '.state', opts.state)
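Review bot: The added `});` and `};` in lib/providers/auth0.js introduce semicolons that are unrelated to the audience removal, while the code this same commit touches in lib/schemes/oauth2.js (`this.$auth.$storage.setLocalStorage(this.name + '.state', opts.state)`) is written without them, so the hunk mixes a formatting change into a behavioural one and will likely trip the project's lint rules. Keeping the closing lines as `})` and `}` leaves the hunk as a pure removal of `audience: strategy.domain`, which is easier to review and to cherry-pick. Because dropping the default is a breaking change for configurations that relied on it, a short comment in the provider object — `// No default audience: Auth0 needs the API identifier, or a tenant-level default (see docs/providers/auth0.md)` — would record why the key is now absent. The enclosing function auth0 starts before the hunk.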
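Review bot: The new `if (this.options.audience)` guard in lib/schemes/oauth2.js changes what the authorization request carries when `audience` is unset, but nothing in the code says why the key is now omitted rather than passed through; a comment such as `// Only send audience when configured; omit the key entirely instead of serialising an unset value` would preserve the intent given in the commit message. The added lines also use semicolons and a trailing comma (`state: randomString(),`) while the surrounding context line `this.$auth.$storage.setLocalStorage(this.name + '.state', opts.state)` has neither, so the method now mixes two styles within a few lines. `audience` comes from scheme configuration rather than from the user, so no input validation is needed here, but every key placed in `opts` is presumably serialised into the redirect URL later in this method — worth confirming that it is URL-encoded at the point where `opts` is consumed, which is outside the hunk. The enclosing method starts before the hunk and continues after it.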
From 67f944847ceda14a56a62415e6735cba90e6f4c3 Mon Sep 17 00:00:00 2001
From: Peter Kazazes
Date: Sun, 9 Sep 2018 07:35:32 -0400
Subject: [PATCH 2/2] specify api, not domain, as url

---
 docs/providers/auth0.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/providers/auth0.md b/docs/providers/auth0.md
index 7f4a7dd09..f9427add0 100644
--- a/docs/providers/auth0.md
+++ b/docs/providers/auth0.md
@@ -12,7 +12,7 @@ auth: {
 auth0: {
 domain: 'domain.auth0.com',
 client_id: '....',
- audience: 'https://mydomain.com/'
+ audience: 'https://my-api-domain.com/'
 }
 }
 }
@@ -31,7 +31,7 @@ User will be redirected to a page like this:
 💁 This provider is based on [oauth2 scheme](../schemes/oauth2.md) and supports all scheme options.
-### Obtaining `client_id`, **`domain`**, and `audience`
+### Obtaining `client_id`, `domain`, and `audience`
 `client_id` and `domain` are **REQUIRED**. Your application needs some details about this client to communicate with Auth0.