Cannot verify passwordless code: Missing required property: client_id

[seanaye]

Describe the problem

There appears to be a problem with this library sending to the /passwordless/verify endpoint.
This library will not send the client_id to the endpoint even though it is defined on the class at initialization. The client_id is also properly sent on the request to passwordless/start
I am using the current Auth0 template for passwordless login from the dashboard at the time of writing

What was the expected behavior?

Since the clientID is correctly defined on class, this library should correctly send the client_id to passwordless/verify

Reproduction

• Use the current auth0 passwordless template and log the config

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
  <title>Sign In with Auth0</title>
  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>

  <!--[if IE 8]>
  <script src="//cdnjs.cloudflare.com/ajax/libs/ie8/0.2.5/ie8.js"></script>
  <![endif]-->

  <!--[if lte IE 9]>
  <script src="https://cdn.auth0.com/js/base64.js"></script>
  <script src="https://cdn.auth0.com/js/es5-shim.min.js"></script>
  <![endif]-->

  <script src="https://cdn.auth0.com/js/lock/11.30/lock.min.js"></script>
  <script>
    // Decode utf8 characters properly
    var config = JSON.parse(decodeURIComponent(escape(window.atob('@@config@@'))));
    config.extraParams = config.extraParams || {};
    var connection = config.connection;
    var prompt = config.prompt;
    var languageDictionary;
    var language;

    if (config.dict && config.dict.signin && config.dict.signin.title) {
      languageDictionary = { title: config.dict.signin.title };
    } else if (typeof config.dict === 'string') {
      language = config.dict;
    }
    var loginHint = config.extraParams.login_hint;

   console.log(config)
    var lock = new Auth0LockPasswordless(config.clientID, config.auth0Domain, {
      auth: {
        redirectUrl: config.callbackURL,
        responseType: (config.internalOptions || {}).response_type ||
          (config.callbackOnLocationHash ? 'token' : 'code'),
        params: config.internalOptions
      },
      configurationBaseUrl: config.clientConfigurationBaseUrl,
      overrides: {
        __tenant: config.auth0Tenant,
        __token_issuer: config.authorizationServer.issuer
      },
      assetsUrl:  config.assetsUrl,
      allowedConnections: connection ? [connection] : null,
      rememberLastLogin: !prompt,
      language: language,
      languageBaseUrl: config.languageBaseUrl,
      languageDictionary: languageDictionary,
      theme: {
        //logo:            'YOUR LOGO HERE',
        //primaryColor:    'green'
      },
      closable: false
    });

    lock.show();
  </script>
</body>
</html>

• Open in browser and see that the config object has the correct clientID defined on the constructor. There are no errors in console
• Try to perform passwordless authentication. I receive the code in my email as expected.
• Enter the code and click submit
• Error 400: Missing required property: client_id

Environment

Screenshots with sensitive information redacted to show what happens when above template code runs. Note that the clientId is defined on the config object, even though I have redacted most of it for privacy reasons

• Version of this library used: 11.30.4
• Which framework are you using, if applicable: N/A
• Other modules/plugins/libraries that might be involved: N/A
• Any other relevant information you think would be useful: N/A

[stevehobbsdev]

@seanaye sounds odd - I will debug it this week and see what I can see.

[seanaye]

@stevehobbsdev thanks very much, this is a blocker for us. I have started a fork to fix, but would prefer a "real" resolution

[stevehobbsdev]

It sounds odd; I would have expected to hear more about this if there is actually a problem in the SDK.

A potential fix would probably reside in Auth0.js as that's what Lock uses to interact with the auth API.

[seanaye]

I suspect it might have something to do with the environment the code is running in. Its a loginWithRedirect in an electron window. What's stumping me is that the passwordless/start call actually has the client_id defined properly in the request body but the subsequent passwordless/verify does not. Either way this is not intended behaviour. I will open an issue in Auth0.js as well

[stevehobbsdev]

Don't worry about the auth0.js issue, I'd rather not have duplicate issues dotted around as it makes investigation harder.

Let me have a look this week - but this is running inside Electron? Where does loginWithRedirect come into play?

[seanaye]

loginWithRedirect is a function call from the actual react app, from the auth0-react library. AFAIK his function just loads the universal login window with the correct url parameters. Will follow up with repro link of the issue.

[stevehobbsdev]

A repro would be great, thanks.

[seanaye]

https://github.com/seanaye/auth0-passwordless-repro

Usage:

1. clone
2. yarn
3. yarn start

[seanaye]

You were right the issue is in the auth0.js package, my fork has fixed the issue with the following line of code https://github.com/coparse-inc/auth0.js/blob/27507bffc6d7514cb39b43fddc7b111113160ab4/src/authentication/passwordless-authentication.js#L205

[stevehobbsdev]

Makes sense 👍🏻 feel free to raise a PR against auth0.js and we'll get it in.

Thanks