Auth0::exchange() assumes a valid id_token #317
@macdaddyaz - You're correct, this should definitely be more careful about that call. Happy to put through a PR and release to fix that. That said, this works fine for a default setup. Can you provide me with the code you're using to generate a token response without an ID token?

Well, that's a different matter entirely 😁 I'm using an auth code that is getting pushed to my app after an IdP-initiated SAML handshake. I actually have an open ticket to find out why that code is not associated with any scopes (including However, I could see someone legitimately needing a pure access token, like if they are only trying to invoke some API on the user's behalf. In that case, they might invoke

OK, that makes sense. I wanted to see what your specific case is but we can recreate it with exactly what you explained in your second paragraph:

```php
// login.php
$auth0 = new Auth0( [
    'domain' => AUTH0_DOMAIN,
    'client_id' => AUTH0_CLIENT_ID,
    'client_secret' => AUTH0_CLIENT_SECRET,
    'redirect_uri' => 'https://localhost/callback.php',
    'audience' => 'https://api.identifier',
    'scope' => 'read:messages',
] );
$auth0->login();
```

```php
// callback.php
$auth0 = new Auth0( [
    'domain' => AUTH0_DOMAIN,
    'client_id' => AUTH0_CLIENT_ID,
    'client_secret' => AUTH0_CLIENT_SECRET,
] );
$auth0->getUser();
```

... throws:

Thanks again for the report, I'll get a PR in for that ASAP.

Fixed in

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

I am running into an error from the `Auth0\SDK\Auth0::exchange()` method. In the following snippet, it attempts to pull the `id_token` out of the `code_exchange` response:

If there is no `id_token`, then the `$idToken` variable is just left with the value `false`. It then passes that value directly to the `setIdToken` method, which is not prepared to handle a non-JWT value. This results in the script throwing an exception:

It seems that the fix could be as simple as:
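
An added illustration of the guard this issue calls for, written for this page; it is not the reporter's snippet and not the SDK's actual patch. `TokenState`, `applyTokenResponse()` and the `$verifyIdToken` callback are hypothetical names, and the token values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the SDK's stored session values (assumption).
final class TokenState
{
    public ?string $accessToken = null;
    public ?string $refreshToken = null;
    public ?string $idToken = null;
}

/**
 * Apply a code-exchange response to the state. The ID token is optional:
 * a request without the "openid" scope (API audience and API scopes only)
 * gets an access token and no id_token.
 *
 * @param callable(string): void $verifyIdToken must throw on an invalid JWT
 */
function applyTokenResponse(array $response, TokenState $state, callable $verifyIdToken): void
{
    if (empty($response['access_token']) || !is_string($response['access_token'])) {
        throw new RuntimeException('Token response has no usable access_token.');
    }
    $state->accessToken = $response['access_token'];

    if (!empty($response['refresh_token']) && is_string($response['refresh_token'])) {
        $state->refreshToken = $response['refresh_token'];
    }

    // Hand a value to the JWT verifier only when one was actually returned.
    // A missing id_token means "no identity asserted", never "identity verified".
    if (isset($response['id_token'])) {
        if (!is_string($response['id_token']) || $response['id_token'] === '') {
            throw new RuntimeException('Malformed id_token in token response.');
        }
        $verifyIdToken($response['id_token']);
        $state->idToken = $response['id_token'];
    }
}

// Constructed API-only response: access token present, no id_token.
$apiOnly = ['access_token' => 'constructed-access-token', 'token_type' => 'Bearer'];
$state = new TokenState();
applyTokenResponse($apiOnly, $state, function (string $jwt): void {
    throw new LogicException('Verifier must not run when no id_token was returned.');
});
var_dump($state->accessToken !== null, $state->idToken);
```

Code that later reads user identity should treat a null `idToken` as unauthenticated for identity purposes, even though an access token is held.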