Skip to content
This repository was archived by the owner on Feb 21, 2020. It is now read-only.

Update Auth0 API requirements #9

Closed
fabien0102 wants to merge 5 commits into from
Closed

Update Auth0 API requirements #9

fabien0102 wants to merge 5 commits into from

Conversation

@fabien0102
Copy link

@fabien0102 fabien0102 commented Sep 21, 2017

ref #6

Hello everybody,
the Auth0 API seams to have changed since this example (no more id_token in the basic response), so this is my fixes after some researches and tests.

Please note that I've fixed the context of the handler, I can make another PR for this if needed 😉

Auth0 doc ref:
https://auth0.com/docs/api-auth/intro#implicit-grant

@fabien0102
Fix auth0 API requirements
45e3945
@fabien0102
Fix context into _handleAuth0Redirect
887db9b 
`this.setState` can't work without the component context
@anp anp requested a review from charlesvinette September 28, 2017 17:47
ice-chillios
ice-chillios reviewed Oct 3, 2017
View reviewed changes
Copy link

@ice-chillios ice-chillios left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fabien0102 Thanks for updating :) I've gone into native solution at the end because nobody was responding...

main.js Outdated
client_id: auth0ClientId,
response_type: 'token',
response_type: 'id_token',
nonce: 'alongrandomstringtopreventtokenreplayattacks',
Copy link

@ice-chillios ice-chillios Oct 3, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe this should be handled by exactly random string? :) Auth0 example seems to be handling this in nicer way :)

Copy link
Author

@fabien0102 fabien0102 Oct 3, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wanted to keep this PR simple, but yeah a random string store into asyncStorage is better for production requirements ;) So as you want, I can add this security part or not

@fabien0102
Copy link
Author

fabien0102 commented Oct 4, 2017

Normally now it's working and it's really secured!

I let @charlesvinette make the real integration test (it's his account on this example)

ice-chillios
ice-chillios reviewed Oct 4, 2017
View reviewed changes
main.js Outdated
}

_loginWithAuth0 = async () => {
async _loginWithAuth0() {
Copy link

@ice-chillios ice-chillios Oct 4, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why You've changed arrow functions into normal ones? When you are changing this from arrow you do not have a this context. That's why you have to .bind(this) at the top in this._handleAuth0Redirect call :)

Copy link
Author

@fabien0102 fabien0102 Oct 4, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good to know, I just would to uniformise all functions style ^^ So back to arrow functions!

charlesvinette
charlesvinette reviewed Oct 4, 2017
View reviewed changes
Copy link
Contributor

@charlesvinette charlesvinette left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello guys!

Thanks for helping out with the example. With the recent release of Expo SDK 21, we released a new module called AuthSession (https://docs.expo.io/versions/latest/sdk/auth-session.html) to facilitate Auth flow with Webbrowsers, such as Auth0. From now on, I would suggest using this approach, as seen in this PR that I am about to review -> #10. Once again, thanks for your involvement and let me know what you think of the new module!

@fabien0102
Copy link
Author

fabien0102 commented Oct 4, 2017

Nice! I have just finished to test this pattern into my own playground app ^^ I will try this new expo module tomorrow! BTW, I close this PR 😉

@fabien0102 fabien0102 closed this Oct 4, 2017
@charlesvinette
Copy link
Contributor

charlesvinette commented Oct 4, 2017

@fabien0102 Glad to hear it! Have a good day and let me know if I can be of any help

@fabien0102
Copy link
Author

fabien0102 commented Oct 5, 2017

@charlesvinette
Results of the testing with the expo AuthSession:

  • We need to add the nonce to be compliante with the last security requirements.
  • And I have this warning screen before auth0 page… How can I skip it?

image
image

@fabien0102 fabien0102 mentioned this pull request Oct 5, 2017
Open
@charlesvinette
Copy link
Contributor

charlesvinette commented Oct 5, 2017

Hey @fabien0102 ! Can you share your code where you initiate the AuthSession? And for your second question, this prompt will present itself when the redirect URL does not match the published or standalone slug of your application, you can read more about why here -> https://docs.expo.io/versions/latest/sdk/auth-session.html#it-makes-redirect-url-whitelists-easier-to-manage-for-development-and-working-in-teams

@fabien0102
Copy link
Author

fabien0102 commented Oct 5, 2017

@charlesvinette Thanks for this point. I made a PR ( #11 ) to add the missing nonce (and my local is exactly the same as this example for this part, it's not yet public but soon 😉 ).

I think it can works with turning on the OIDC part without nonce (but I'm really not sure and I prefer not play with this button ^^)

image

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@charlesvinette charlesvinette charlesvinette left review comments

@ice-chillios ice-chillios ice-chillios left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fabien0102 @charlesvinette @ice-chillios