Link:
https://github.com/mikearias3/auth0-nodejs-webapp-sample

Description:
Found 9 vulnerabilities after running the npm install command.

I've opened the project in webstorm, and it fails to start.

I'm on windows 10x
using the latest of node, 7.10.x.

I've simply done the following:

npm i
npm start

(AUTH-4083)
Samples using 10.16 version of auth0-lock when up-to-date version is 10.17

Hi,

We we're integrating a NodeJS app and we got stuck for a while because the token being returned by Auth0 wasn't a JWT (and we needed it to be one to call other APIs) and instead an opaque token.

This was only solved when we included in the login passport call (https://github.com/auth0-samples/auth0-nodejs-webapp-sample/blob/master/01-Login/routes/auth.js#L13) the audience of our API.

I believe this should be included in the documentation, but I'm not entirely sure where so I'm opening this ticket to bring this to attention.

In the Package.json files, the dependency express is outdated:

The current version is 4.16.1

AUTH-3368

Hi there. I change the .env file to reflect my client data and when I try to login I get ERR_CONNECTION_REFUSED in my browser console.

What could be going wrong?

Using Nodejs.

On login I get the error described in the the header ( invalid_request (parameter organization is required for this client)).

Here is the stdout:
BadRequestError: invalid_request (parameter organization is required for this client)
at C:\Users\AliceBroadhurst\source\repos\Auth0 test app\node_modules\express-openid-connect\middleware\auth.js:120:31
at processTicksAndRejections (internal/process/task_queues.js:95:5)

I am using an OIDC connection on an organization. The app setting allow only for the organisation (via the connection) to log in. My app works fine when it allows for normal users and org users but fails when it requires the organisation details.

Simply as the title says, non of the links in the readme seem to work.

Could anyone update those? Thank You

The login sample shows the user profile after login, however, it doesn't show how to access ID token, access token and (in case you request offline_access) the refresh token after successful authentication.
Would be good if that could be added to the sample.

I found a similar question on Stackoverflow: https://stackoverflow.com/questions/21942290/passport-node-js-not-returning-refresh-token

Hi!

I would like to ask your help solving the "Token Error" I get when running the app. I have installed everything according to the README. But the moment I click "Login", I get Unauthorized 500 TokenError: Unauthorized. The configuration
setup is also correct. I am googling this issue, but without luck.

Thank you in advance!

Add authentication with multiple authentication sources, either social like Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce, amont others, or enterprise identity systems like Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider.

You might want to write above line like below.

Add authentication with multiple authentication sources, either social like Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce, among others, or enterprise identity systems like Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider.

Lock version is outdated on the following sections:

01-login
02-custom-login
04-user-profile
05-linking-accounts
06-rules
07-authorization
09-mfa
10-customizing-lock

In the layout.pug file, as shown on the following image:

Latest version is V10.14

Ticket: AUTH-3368

Hello,

It would be great to see a stateless example in which we use passport-auth0 just to authenticate the user and we then create our own JWT to authenticate towards our own API. I'm using the { state: false } configuration when creating a new strategy but facing the error:

TypeError: Cannot set property 'authParams' of undefined

When removing express-session.

Thank you

I'm using the hosted login page variant and I want to verify I can get the user_metadata. I added user_metadata to the scope in routes/auth.js but they're not showing on the user object. How can I get the user_metadata?

Hi there i am running the sample i have correctly installed node modules and also i have inserted the values in the env file now when ever i open localhost:3000/login then a progress ring is shown and the app does not go forward can anybody tell me that what i am missing?

Maybe to configure dotenv, you should use dotenv.config()?

The state parameter is missing on the callback url. To reproduce:
-Select the login option or go to "/login" route.
-Type the credentials of the account(in case you've logged in before, select "not your account")
-Click login.

If on the seccond step you select the account used to log in before, the state parameter is correctly returned.

I have a fresh installation of the repo. Copied the client ID, domain and client secret from Auth0 application settings. Run using npm start. On clicking login get the following:

Callback URL mismatch.
The provided redirect_uri is not in the list of allowed callback URLs.

I tried changing the allowed callback URL in auth0 settings to http://localhost:3000 same error.

(AUTH-4102)
Samples using auth0.js without audience parameter

When I configure this app against my local vivaldi instance, both sign-up and login flows are interrupted with the following error on callback:

Failed to obtain access token

InternalOAuthError: Failed to obtain access token
    at Strategy.OAuth2Strategy._createOAuthError (/Users/ktraff/workspace/auth0-nodejs-webapp-sample/01-Login/node_modules/passport-oauth2/lib/strategy.js:408:17)
    at /Users/ktraff/workspace/auth0-nodejs-webapp-sample/01-Login/node_modules/passport-oauth2/lib/strategy.js:175:45
    at /Users/ktraff/workspace/auth0-nodejs-webapp-sample/01-Login/node_modules/oauth/lib/oauth2.js:191:18
    at ClientRequest.<anonymous> (/Users/ktraff/workspace/auth0-nodejs-webapp-sample/01-Login/node_modules/oauth/lib/oauth2.js:162:5)
    at ClientRequest.emit (events.js:314:20)
    at TLSSocket.socketErrorListener (_http_client.js:469:9)
    at TLSSocket.emit (events.js:314:20)
    at emitErrorNT (internal/streams/destroy.js:106:8)
    at emitErrorCloseNT (internal/streams/destroy.js:74:3)
    at processTicksAndRejections (internal/process/task_queues.js:80:21)

Using the python quickstart app allows me to login and sign-up successfully.

How to reproduce

• Run 01-Login app
• Click on 'Log In' for login to the app.
• Auth0 login page appears, login as you want.
• The app is redirected to /user, where I can see my avatar.
• Click on the Logout tab
• Unauthenticated page appears with Login tab and button
• Hit browsers back button

Actual

• Authenticated page appears with my avatar!

Expected

• I should login to my avatar (authenticated page)

Sample using outdated version of packages body-parser, cookie-parser, debug, dotenv, express, morgan, passport-auth0 and auth0-lock. (AUTH-3731)

Hi

The example provided doesn't work out of the box. I get the following errors on any browser I try to authenticate from :

On the server :

GET /callback?error=unauthorized&error_description=Access%20denied.&state=STATE

From the auth0 application logs :

{
  "date": "2018-10-22T08:39:18.294Z",
  "type": "f",
  "description": "Access denied.",
  "connection_id": "",
  "client_id": "CLIENT_ID",
  "client_name": "CLIENT_NAME",
  "ip": "217.128.79.75",
  "user_agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko",
  "details": {
    "body": {},
    "qs": {
      "response_type": "code",
      "redirect_uri": "http://localhost:3000/callback",
      "scope": "openid email profile",
      "state": "STATE",
      "client_id": "CLIENT_ID"
    },
    "error": {
      "message": "Access denied.",
      "oauthError": "unauthorized",
      "type": "oauth-authorization"
    }
  },
  "hostname": "HOST_NAME",
  "user_id": "auth0|USER_ID",
  "user_name": "USER_NAME",
  "log_id": "LOG_ID"
}

Can you give me a hint ?