This repository has been archived by the owner on May 3, 2019. It is now read-only.

Auth0 Integration with native facebook app #1

Open
mgonto opened this issue Dec 30, 2014 · 10 comments

mgonto commented Dec 30, 2014

Hey,

I didn't know where to comment this, so I just created an issue :). I'm a Developer Advocate at Auth0. I saw this sample, it's incredible :). I really like the idea of having a list of movies to watch and Tinder effect is just so much fun!

I also saw the problem you're getting when using the native Facebook app for logging the user in. The problem is that it uses an Android Intent to send the request to Facebook and gets the response back in another Intent as well, which Auth0-angular isn't expecting. Therefore, it doesn't work well since auth0-angular is expecting a Popup URL change on the launched browser. I think this might be related to not having the InAppBrowser plugin correctly installed. If it's installed correctly, all links should be opened in an inner browser instead of asking you which app to use. Can you please check that? If that's not it, then we can try to debug it and fix it on our end.

Thanks!

mgonto changed the title from "Auth0 Integration with native facebook" to "Auth0 Integration with native facebook app" on Dec 30, 2014

Author

mgonto commented Dec 30, 2014

Maybe you can check whether the seed project from here works as badly for you as well.

We'll test it out on our end as well.

Thanks again!

@brentvatne
Owner

Hi @mgonto - thanks for checking out the project!

> I also saw the problem you're getting when using the native Facebook app for logging the user in. The problem is that it uses an Android Intent to send the request to Facebook and gets the response back in another Intent as well, which Auth0-angular isn't expecting. Therefore, it doesn't work well since auth0-angular is expecting a Popup URL change on the launched browser. I think this might be related to not having the InAppBrowser plugin correctly installed.

The issue doesn't occur when I use it from an app within the webview thankfully, it actually only happens when I access http://flix.brentvatne.ca through Chrome manually on my Nexus 5, and then try to log in with Facebook and choose the Facebook app to handle the click, rather than Chrome. I'm not sure if this was an intended use case for Auth0 - if not, and it's not feasible to fix, I will just remove Facebook login from the web version.

> Maybe you can check whether the seed project from here works as badly for you as well.

Will do, thanks!

Author

mgonto commented Dec 30, 2014

Seed project won't work either then from the Web.

> The issue doesn't occur when I use it from an app within the webview thankfully, it actually only happens when I access http://flix.brentvatne.ca through Chrome manually on my Nexus 5, and then try to log in with Facebook and choose the Facebook app to handle the click, rather than Chrome. I'm not sure if this was an intended use case for Auth0 - if not, and it's not feasible to fix, I will just remove Facebook login from the web version.

That's what I thought. The inner WebView version works because of Cordova's InAppBrowser plugin. Unfortunately, there's no way to install it for Chrome and that's why you're getting that error on Chrome on Android (won't happen on iOS).

Let me dig some information to see if somebody has fixed this problem or how we can fix it. I'll get back to you.

Thanks!

@brentvatne
Owner

@mgonto - yup, I tried it on the seed app and had the same issue, I went ahead and recorded a video of it so I might as well post it here in case anyone else would find it useful, even though you've already reproduced it 👍

Screen recording of the issue:
http://url.brentvatne.ca/1iXpe

Thanks for looking into this! <3

Author

mgonto commented Dec 30, 2014

Thanks @brentvatne :).

I'll get back to you tomorrow with more info and tell you if we can fix it or not.

BTW, do you have any feedback on Auth0's impl for Ionic? Something you hated, something you liked, something you'd change? All feedback is welcomed :)

@brentvatne
Owner

@mgonto - I like Auth0 a lot, happy to provide some feedback!

  • My main issue is that the in app browser is a bit ugly, and it may give users the impression that the app isn't quite the same as other apps or somehow lower quality. It would also annoy users to have to type in their Facebook username and password again, and the more security conscious user may be concerned that it's a phishing attempt. It would be neat to have a cordova extension that would integrate with Facebook/Google/Twitter apps natively.
  • It isn't clear to me how to customize what is packaged in the JWT token - it would be useful to be able to add arbitrary data to it. This is probably possible I just didn't quickly see how.
  • Set up was very easy, could be even easier if there were server side gems available eg: auth0-rails that would do all of that setup for you and expose hooks for customization.
  • It's not clear why in the pricing there's a distinction between active social users and active users with password - I would personally prefer it was just based off of number of active users, social or otherwise. I'd like to see a plan between team and pro, and/or a pay-per-active-user option.
  • Lock interface is beautiful! As is the dashboard.

👍 for auth0

Author

mgonto commented Dec 30, 2014

Hey @brentvatne,

Very good feedback! Thanks!

Let me answer them:

> My main issue is that the in app browser is a bit ugly, and it may give users the impression that the app isn't quite the same as other apps or somehow lower quality. It would also annoy users to have to type in their Facebook username and password again, and the more security conscious user may be concerned that it's a phishing attempt. It would be neat to have a cordova extension that would integrate with Facebook/Google/Twitter apps natively.

I agree completely with this. I've created an issue to track this auth0/auth0-cordova#1

> It isn't clear to me how to customize what is packaged in the JWT token - it would be useful to be able to add arbitrary data to it. This is probably possible I just didn't quickly see how.

This is indeed possible. Maybe as you're saying it's not clear how you can customize the JWT, I'll write a doc about that in the after login section.

However, the basic idea is the following. When calling .signin, in the authParams you can send the scope. That scope says what fields you want in the JWT. If you say openid it'll just grab the basic ones. If you say openid profile it'll have the entire profile. If you want some particular fields, you can say openid email myField. Then, if you want to add some custom fields to the JWT based on some login (besides the one from the profile), you can do that with a Rule. Everything you add to a user in a Rule, you can actually add it to the JWT. This is the simplest example of how you can accomplish that. In this case, the field hello will get added to the JWT BUT NOT to the user. If you want to also save it in the DB to the user, you can do user.persistent.hello = 'world'. That way, it'll be both in the JWT (if you asked for openid hello or openid profile) and in the user if you request it using the API. Does that make sense?

> Set up was very easy, could be even easier if there were server side gems available eg: auth0-rails that would do all of that setup for you and expose hooks for customization.

I understand this point, but I don't think we'll be doing this for now. It's a massive amount of work to do that for every platform and with the seed sample and guided docs with your keys I think it's easy enough. Did you have any particular part that was more difficult?

> It's not clear why in the pricing there's a distinction between active social users and active users with password - I would personally prefer it was just based off of number of active users, social or otherwise. I'd like to see a plan between team and pro, and/or a pay-per-active-user option.

This is something we've been asked regularly. Pricing is always a tough one and we're working on improving it to work for both individual people, startups and enterprise apps. We're actually in the process of updating all of our plans and pricing model and website. You can get a sneak peek of what's coming here. Do you think that's better? Do you have any feedback based on that?
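
The scope and Rule behaviour described in the comment above, modelled as an added JavaScript example; it is not part of the thread and is not Auth0 code. The Rule signature `(user, context, callback)`, the base claim `sub`, and the names `helloRule`, `planRule`, `runRules` and `claimsForScope` are assumptions made for illustration.

```javascript
// Added example: a toy model of the scope and Rule behaviour described above.
// Not Auth0 code. The Rule signature (user, context, callback) and the base
// claim "sub" are assumptions; every sample value is constructed.

// Rule 1: adds a field for this login only (ends up in the JWT, not the DB).
function helloRule(user, context, callback) {
  user.hello = 'world';
  callback(null, user, context);
}

// Rule 2: user.persistent.* is also saved on the stored user.
function planRule(user, context, callback) {
  user.persistent = user.persistent || {};
  user.persistent.plan = 'pro';
  callback(null, user, context);
}

// Run the rules on a copy of the stored user; write back only `persistent`.
function runRules(storedUser, rules) {
  const user = JSON.parse(JSON.stringify(storedUser));
  for (const rule of rules) {
    rule(user, {}, (err) => { if (err) throw err; });
  }
  const persistent = user.persistent || {};
  delete user.persistent;
  return {
    loginUser: Object.assign({}, user, persistent),
    storedUser: Object.assign({}, storedUser, persistent),
  };
}

// Select JWT claims from the login-time user according to the scope string.
function claimsForScope(loginUser, scope) {
  const parts = scope.split(/\s+/).filter(Boolean);
  const wanted = parts.includes('profile')
    ? Object.keys(loginUser) // "openid profile": the entire profile
    : ['sub'].concat(parts.filter((p) => p !== 'openid'));
  const claims = {};
  for (const key of wanted) {
    if (key in loginUser) claims[key] = loginUser[key];
  }
  return claims;
}
```

Requesting only the fields an application needs keeps profile data that the client never uses out of the token.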

Author

mgonto commented Dec 30, 2014

We've looked into the issue. It seems that newer versions of Chrome show the IntentChooser when trying to open a popup for a URL Scheme that's registered by an app installed on your phone (Facebook for example registers Facebook Authentication URL) :D.

The solution for now would then be to use Redirect (not popup) when showing the app in Android on Chrome and not using Cordova. Otherwise, use popup mode.

We're looking into ways of fixing this for the future, but it won't happen before 2015 hahaha. You can follow the progress by watching this issue. Also, in that issue, you'll have the pseudo code of a proposed solution.

This bug is because of a Winchan problem when it's opening the Popup. You can see a bug filed on Mozilla's project as well: mozilla/winchan#6

Let me know if that works out for you.

Sorry for the too long comments :D
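
The workaround described in the comment above (redirect for Chrome on Android outside Cordova, popup everywhere else), written out as an added JavaScript example; it is not code from the thread, from auth0-angular or from the linked issue. `chooseLoginMode` and `currentEnv` are hypothetical names, and the returned mode string is meant to be mapped onto whatever popup/redirect option the login call takes.

```javascript
// Added example: pick the login mode per the workaround in the thread.
// chooseLoginMode and currentEnv are hypothetical names, not auth0-angular API.

// Pure decision function so it can be unit-tested with any user agent.
function chooseLoginMode(env) {
  const ua = String(env.userAgent || '');
  // Inside Cordova the InAppBrowser plugin hosts the popup, so popup works.
  if (env.hasCordova) return 'popup';
  const isAndroid = /\bAndroid\b/.test(ua);
  // Chrome on iOS identifies itself as "CriOS/", so it does not match here.
  const isChrome = /\bChrome\/\d+/.test(ua);
  // Chrome on Android may show the intent chooser for the popup URL, and the
  // response then never reaches the opener: use a full-page redirect instead.
  return isAndroid && isChrome ? 'redirect' : 'popup';
}

// Reads the live environment; safe to call outside a browser.
function currentEnv() {
  const hasWindow = typeof window !== 'undefined';
  return {
    userAgent: typeof navigator !== 'undefined' ? navigator.userAgent : '',
    hasCordova: hasWindow && Boolean(window.cordova),
  };
}
```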

@brentvatne
Owner

> [JWT customization details ...] Does that make sense?

Yup, thanks for that!

> I understand this point, but I don't think we'll be doing this for now. It's a massive amount of work to do that for every platform and with the seed sample and guided docs with your keys I think it's easy enough. Did you have any particular part that was more difficult?

This seems like something that the community could take care of. I agree it's easy enough, and I did not think any particular part was difficult. If I find the time maybe I'll throw together an auth0-rails gem that depends on jwt and packages validate_token and auth_token methods inside of a module.

> We're actually in the process of updating all of our plans and pricing model and website. You can get a sneak peek of what's coming here. Do you think that's better? Do you have any feedback based on that?

That looks great, although I'd personally like to see an option between 1,000 and 5,000 users on the scale - I think there would be a desire for a bit more granularity at a user base of that size.

> The solution for now would then be to use Redirect (not popup) when showing the app in Android on Chrome and not using Cordova. Otherwise, use popup mode.

Sounds good to me, gracias!

Author

mgonto commented Dec 30, 2014

Hey @brentvatne if you're up to doing the package, that'd be great :). We're always open to that :).

Thanks for the feedback :)
