
custom-social-connections's Introduction

Custom Social Connections

Auth0 Extensions

This application gives Auth0 customers the possibility to manage custom social connections in an easy way. The application allows the user to:

  • List custom connections
  • Create a new custom connection
  • Configure a custom connection based on existing templates
  • Share a custom connection
  • Try a custom connection

Development

Prerequisites

To run it locally, you'll need the following:

First Time Setup

  1. Install NPM packages - npm install

Running the server

$ npm start -- --param AUTH0_DOMAIN=auth0.auth0.com
$ open http://localhost:3000

Hosting on Webtask.io

To deploy this to your webtask sandbox, you'll need to run:

$ NODE_ENV=production npm run build
$ wt create dist/custom-social-connections.js --name custom-social-connections --no-parse --no-merge

Note: Click here for more information about how to set up webtasks.

Issue Reporting

If you have found a bug or have a feature request, please report it in this repository's issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

Auth0

What is Auth0?

Auth0 helps you to:

  • Add authentication with multiple authentication sources, either social like Google, Facebook, Microsoft Account, LinkedIn, GitHub, Twitter, Box, Salesforce, among others, or enterprise identity systems like Windows Azure AD, Google Apps, Active Directory, ADFS or any SAML Identity Provider.
  • Add authentication through more traditional username/password databases.
  • Add support for linking different user accounts with the same user.
  • Support for generating signed JSON Web Tokens to call your APIs and flow the user identity securely.
  • Analytics of how, when and where users are logging in.
  • Pull data from other sources and add it to the user profile, through JavaScript rules.

Create a free Auth0 Account

  1. Go to Auth0 and click Sign Up.
  2. Use Google, GitHub or Microsoft Account to log in.

License

This project is licensed under the MIT license. See the LICENSE file for more info.

custom-social-connections's People

Contributors

annyv2, devonsabbatical, fadymak, fyockm, jcenturion, jpadilla, lzychowski, santiagoaguiar, sebadoom, siacomuzzi, swetabehera, syoustra, tslarson, zxan1285

custom-social-connections's Issues

Spotify integration fails

Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.

Thank you in advance for helping us to improve this library! Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.

Description

When adding Spotify as a provider, the first request for the code finishes successfully, but the next request for actually retrieving the token uses a different redirect_url than the initial request, thus failing Spotify's requirements.

Reproduction

Fill out the form with applicable Spotify data, save, check - test request should fail.

Environment

  • Version of this library used: Most current version available on auth0

Apps toggle for multi-user

Only the user creating the connection gets the option to toggle which apps are enabled for a connection.

We are multiple developers, and it's not fortunate that only the one who set it up first is allowed to change this.

Add a field for custom headers

The underlying oauth2 strategy supports a customHeaders value for the options, where you can specify custom headers to be sent in the OAuth HTTP interactions. customHeaders is a hash, with header names and values:

    "options": {
      "client_id": "xxxxx",
      "client_secret": "xxxxx",
      "authorizationURL": "xxxx",
      "tokenURL": "xxxx",
      "scope": "",
      "customHeaders": {
          "Header1": "Value2",
          "Header2": "Value2"
      },
      "scripts": {
        "fetchUserProfile": "xxxx"
      }
    }

It would be nice if the extension allowed for providing these custom headers.
Being able to set customHeaders in a custom connection enables special use cases such as OAuth identity providers that require credentials as HTTP Basic authentication (in an Authorization header).

How do you debug the Fetch User Profile Script?

Description

I'd like to see things like console.log, what libraries I can include, and generally anything to help me debug getting a profile.

Reproduction

Try and create any custom social provider.

Environment

Any custom social provider using this plugin.

Saving connection overwrites existing custom attributes

Saving a custom social connection overwrites existing custom attributes (e.g. upstream_params) that were added via API v2.

  1. Create a custom social connection via the extension
  2. Update Connection via API v2, with upstream_params, e.g:

{
  "options": {
   ...//existing attributes
   ...
    "upstream_params": {
      "login_options": {
        "alias": "display"
      }
    }
  }
}
  3. Reload the extension. The GET /connection/{conn_id} contains the new upstream_params in the options.
  4. Click Save without modifying anything. The PATCH call doesn't contain the upstream_params, hence this is lost.

Expected behaviour is for the PATCH call to preserve the existing upstream_params.
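
One way a Save handler could meet this expectation, as an added example that is not the extension's own code: merge the form's fields over the options returned by the GET, so keys the form does not manage (such as upstream_params) are still present in the PATCH body. The function names and sample objects are hypothetical.

```javascript
// Added example, not the extension's code. All names and values are constructed.
// Keys that must never be copied from untrusted JSON into a merge target.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Deep-merge the edited fields over the stored options without mutating either.
function mergeConnectionOptions(stored, edited) {
  const merged = JSON.parse(JSON.stringify(stored || {})); // deep copy
  for (const [key, value] of Object.entries(edited || {})) {
    if (UNSAFE_KEYS.has(key) || value === undefined) continue;
    const bothObjects = isPlainObject(value) && isPlainObject(merged[key]);
    merged[key] = bothObjects ? mergeConnectionOptions(merged[key], value) : value;
  }
  return merged;
}

// Constructed sample: options as returned by the GET after step 2.
const storedOptions = {
  client_id: "xxxxx",
  authorizationURL: "https://idp.example.com/authorize",
  scripts: { fetchUserProfile: "function(accessToken, ctx, cb) { cb(null, {}); }" },
  upstream_params: { login_options: { alias: "display" } },
};
// Constructed sample: the fields the form submits when Save is clicked.
const formFields = {
  client_id: "xxxxx",
  authorizationURL: "https://idp.example.com/authorize",
  scripts: { fetchUserProfile: "function(accessToken, ctx, cb) { cb(null, {}); }" },
};

// Body for the PATCH call: the full merged options, not only the form's fields.
function buildPatchBody(stored, edited) {
  return { options: mergeConnectionOptions(stored, edited) };
}
```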

Release Notes

Are there any publicly available release notes covering this extension?

GroupMe/ Implicit Grant?

Describe the problem you'd like to have solved

I am trying to add GroupMe as an authentication provider in Auth0.

Describe the ideal solution

I would like to add GroupMe to authenticate using Auth0

Alternatives and current work-arounds

I am not sure it is currently possible.

Additional context

GroupMe details how to use their oauth here https://dev.groupme.com/tutorials/oauth, I tried setting this up using custom social connections but it does not work. I'm not that familiar with oauth, but GroupMe uses Implicit Grant, which I'm not sure Auth0/custom-social-connections supports.

Connection should support `authParamsMap`

In addition to #12, it would be good to directly support the authParamsMap options in the connection definition.

The authParamsMap provides a way to map parameters received in the authentication call into the authorization call sent to the external identity provider. For example:

{
  "options" : {
    "authParamsMap" : {
      "foo": "bar"
    }
  }
}

Now if I do tenant.auth0.com/authorize?....&bar=something, the value will be mapped into a call like idp.com/authorize?....&foo=something.

Ability to toggle off new applications in social connections by default

Describe the problem you'd like to have solved

The ability to allow newly added applications to be toggled off by default for all existing custom social connections.

Describe the ideal solution

Currently, new applications are toggled on by default for all existing social connections. If we could have a toggle somewhere within the "Custom Social Connections" homepage where we could change this default setting, our problem would be solved.

Alternatives and current work-arounds

Currently, whenever we add a new Application within Auth0, we have to go into all existing custom social connections, click on each of the connections' "Apps" tab, and toggle off this new Application from the social connection, as we do not want to display "Login with Client A" on Client B's new hosted login page. This in itself is not a problem if we only have a handful of applications, but if we are talking dozens and potentially hundreds of applications, it can become error prone.

Additional context

The system we work on currently has an (almost) 1-to-1 match between Auth0 applications and a corresponding custom social connection. This is due to the fact that we want to provide different client IdPs access to the same Auth0 tenant, but only show the client-specific "Login with Client X" login buttons for each client, without showing all the other custom social connections. So when you visit client-a.example.com, the "Sign in with Client A" Auth0 hosted page is shown, and identical logic when client-b.example.com is visited, we display only the "Sign in With Client B" button.

What's the difference btw this and API delegation?

It seems the two can be used similarly. Auth with one credentials and get access to another set.

Is social connections basically saying Authenticate with these additional social providers and get access to those delegated APIs?

Since social connections can be customized, can custom delegations be created?

Thx!

What should be the REDIRECT URL when I add a custom social connection?

Hi,

I'm using custom-social-connections extension for adding Intercom.
I created a new connection and set it up.

When I added the new app to Intercom I needed to supply a REDIRECT URL - so I gave it:
https://<my-subdomain>.auth0.com/callback and when I test the new connection I get:
https://<my-subdomain>.auth0.com/callback?code=<some-code>&state=zJVRzviB7eof5bIksLKSd9mm
What am I doing wrong?
What should be the link that I use in the client side to authenticate the user with the new custom connection I've created?

Support for logout

Add support for logout in the UI. oauth2 connections support two options for logout:

  • logoutUrl that holds a string value with a fixed logout URL to redirect the user to when a federated logout is requested.
  • getLogoutUrl, a script that can generate a logout URL dynamically based on the request query. The script format is like this:
function(query, callback) {
  var logoutUrl = "...";
  callback(null, logoutUrl);
}

Development getting started error

I'm trying to use this extension as boilerplate for developing my own but there seems to be a step or two missing with the dev getting started.

I've cloned the repo > npm install > npm start. When I open localhost:3000 though I'm greeted with an error:

TypeError: Cannot read property 'data' of undefined
   at /Users/.....snip....../custom-social-connections/dist/custom-social-connections.js:1:773

I was expecting to see the custom social ui with all the toggles.

Is it possible to test locally or is pushing to wt a requirement?

set to DisplayButtonName

Can I use a custom display name for this? As you know, Name is read-only and spaces etc. can't be used, so displayName could be better.

Basic Authorization Header

Hello,

There are typically two ways of authenticating for the token endpoint - Either passing the client ID and client secret in via the post body or by passing them in using a basic Authorization header.

The Auth0 Custom Social Connection extension only directly supports authenticating via the post body and Authorization header support is only supported via custom headers. (Which ends up duplicating configuration from the client ID / client security fields)

It would be nice to have some radio buttons to change between header and form data authentication.
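
The two client authentication styles contrasted in this issue and in "Add a field for custom headers", as an added example that is not code from the extension: the same token request built with the credentials in the POST body and with an HTTP Basic Authorization header. Per RFC 6749 section 2.3.1 the client ID and secret are form-urlencoded before Base64 encoding; the function names, credentials and URL are constructed.

```javascript
// Added example, not the extension's code. All names and values are constructed.
// application/x-www-form-urlencoded encoding of a single value, as RFC 6749
// section 2.3.1 requires before the id and secret are joined with ":".
function formEncode(value) {
  return new URLSearchParams({ v: value }).toString().slice(2);
}

// Value for the Authorization header (what customHeaders would have to carry).
function basicAuthHeader(clientId, clientSecret) {
  const pair = formEncode(clientId) + ":" + formEncode(clientSecret);
  return "Basic " + Buffer.from(pair, "utf8").toString("base64");
}

// Build the token request with exactly one authentication style, so the
// secret is never sent in both the header and the body.
function tokenRequest(style, { clientId, clientSecret, code, redirectUri }) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri, // must match the one sent in the authorize step
  });
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (style === "header") {
    headers.Authorization = basicAuthHeader(clientId, clientSecret);
  } else if (style === "body") {
    body.set("client_id", clientId);
    body.set("client_secret", clientSecret);
  } else {
    throw new Error("unknown client authentication style: " + style);
  }
  return { headers, body: body.toString() };
}

// Constructed sample input; the secret contains characters that need encoding.
const SAMPLE = {
  clientId: "my-client",
  clientSecret: "p@ss:word+1",
  code: "abc123",
  redirectUri: "https://tenant.example.com/login/callback",
};
```

Because the colon inside the secret is percent-encoded before joining, the receiving server can split the decoded pair on the first ":" without ambiguity.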

Add Eventbrite social provider template

If you'd like to add Eventbrite to the default list of providers, here's the config for it:

{
  "name": "eventbrite",
  "strategy": "oauth2",
  "options": {
    "authorizationURL": "https://www.eventbrite.com/oauth/authorize",
    "tokenURL": "https://www.eventbrite.com/oauth/token",
    "scope": "openid email",
    "scripts": {
      "fetchUserProfile": "function(accessToken, ctx, cb) {\n request.get(\n \"https://www.eventbriteapi.com/v3/users/me/\", {\n headers: {\n Authorization: \"Bearer \" + accessToken,\n \"User-Agent\": \"Auth0\",\n Accept: \"application/json\"\n }\n },\n function(e, r, b) {\n if (e) {\n return cb(e);\n }\n if (r.statusCode !== 200) {\n return cb(new Error(\"StatusCode:\" + r.statusCode + \" Body: \" + b));\n }\n const profile = JSON.parse(b);\n if (profile.emails && profile.emails.length > 0) {\n const emails = profile.emails.filter(p => p.primary);\n const email = emails.length > 0 ? emails[0] : profile.emails[0];\n profile.email = email.email;\n profile.email_verified = email.verified;\n delete profile.emails;\n }\n cb(null, profile);\n }\n );\n}"
    }
  }
}

Cannot use Slack oauth.v2 endpoints

Description

When configuring a "Custom Social Connection" for Slack, using oauth.v2 URLs results in the following error (Slack side):

Invalid permissions requested
Invalid scopes: identity.basic, identity.email

As noticed elsewhere (e.g. https://stackoverflow.com/questions/61150208/sign-in-with-slack-invalid-scopes-identity-basic-identity-avatar), scope parameter should be passed under the user_scope name (see also https://api.slack.com/docs/sign-in-with-slack#sign-in-with-slack__details__set-up-your-sign-in-with-slack-button - where the example is correct but the table is not!)

Would it be possible to customize the name of this parameter from the UI?

Reproduction

Set a "Custom Social Connection" with the following elements:
image

Clicking on "Sign in with Slack" on the login page ends up with the following error:

image

Environment

The one directly available via the Extensions in Auth0.
