Lock does not bubble up authorization error to authorization_error event listener #1247

Closed
rgerstenberger opened this issue Feb 2, 2018 · 15 comments

Comments

@rgerstenberger

Lock version 11.1.1
OSX
Chrome: 64.0.3282.140

Lock call to /authorize results in a 200 OK with an html response. The response contains the error and error code "error":"unauthorized","error_description":"Email address has not been verified." This is from a custom rule to prevent unverified emails.

Lock eats this error and so our application has no way to respond since neither authenticated nor authorization_error events are fired.

It looks like in other cases this error does in fact bubble up: #86

Here are the lock options we're using:

const lockOptions = {
  oidcConformant: true,
  allowShowPassword: true,
  usernameStyle: 'email',
  avatar: null,
  allowSignUp: false,
  allowForgotPassword: false,
  languageDictionary: {
    loginSubmitLabel: "Log In",
  },
  auth: {
    sso: false,
    responseType: "token",
    // Let app handle redirects
    redirect: false,
  },
};

@luisrudge
Contributor

Hi @rgerstenberger is this doing just a default username/password login?

@rgerstenberger
Author

rgerstenberger commented Feb 3, 2018 via email

@luisrudge
Contributor

Ok cool. Can you paste the Error you're throwing in your rule please? Thanks

@rgerstenberger
Author

rgerstenberger commented Feb 6, 2018

/**
 * Prevents users from logging in if their email is not verified.
 */
function (user, context, callback) {
  if (!user.email_verified) {
    return callback(new UnauthorizedError('Email address has not been verified.'));
  } else {
    return callback(null, user, context);
  }
}
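
An added example, not part of the thread or of Lock's code: one way an application can handle the `authorization_error` payload quoted in this issue so that a rule denial is never treated as a login. `classifyAuthError`, `wireLock`, `makeFakeLock`, `demo` and the action names are hypothetical, the fake Lock is a constructed stand-in, and the `code`, `errorDescription` and `description` field spellings are assumptions.

```javascript
// Added example (not Lock's own code). Helper and action names are hypothetical.

// Turn an authorization error payload into an application decision.
// `error` and `error_description` are the fields quoted in the issue;
// `code`, `errorDescription` and `description` are assumed alternate spellings.
function classifyAuthError(err) {
  const e = err || {};
  const code = String(e.error || e.code || 'unknown');
  const description = String(
    e.error_description || e.errorDescription || e.description || '');
  // The rule in this thread signals "unverified" only through its message text,
  // so the match is on that text. Anything else is still a denial.
  const unverified =
    code === 'unauthorized' && /has not been verified/i.test(description);
  return {
    code,
    description,
    action: unverified ? 'prompt_email_verification' : 'show_generic_denial',
  };
}

// Register listeners on a Lock-like object (anything exposing on(event, cb)).
// Only the 'authenticated' event may start a session.
function wireLock(lock, onLogin, onDenied) {
  lock.on('authenticated', (authResult) => onLogin(authResult));
  lock.on('authorization_error', (err) => onDenied(classifyAuthError(err)));
}

// Constructed stand-in for Lock so the example runs offline.
function makeFakeLock() {
  const listeners = {};
  return {
    on(evt, cb) { (listeners[evt] = listeners[evt] || []).push(cb); },
    emit(evt, payload) { (listeners[evt] || []).forEach((cb) => cb(payload)); },
  };
}

// Replays the payload from the issue plus one constructed, unrelated denial.
function demo() {
  const state = { loggedIn: false, decisions: [] };
  const lock = makeFakeLock();
  wireLock(lock, () => { state.loggedIn = true; }, (d) => state.decisions.push(d));
  lock.emit('authorization_error', {
    error: 'unauthorized',
    error_description: 'Email address has not been verified.',
  });
  lock.emit('authorization_error', { error: 'access_denied' }); // constructed
  return state;
}
```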

@Hildebrand

Hi @luisrudge, we're facing the same issue. The event isn't thrown even though we do get an HTTP 200 OK response. Do you have an estimate of when this will be fixed? We're preparing a switch to Lock v11 in order to be compliant with the April 1st breaking changes but hit a wall here regarding error handling.

@luisrudge
Contributor

Hi, sorry to keep you all waiting. I'll dig into this and give you an answer by tomorrow.

@luisrudge
Contributor

Hi folks. I just found the issue and fixed it here: auth0/auth0.js#668
I'm still wrapping up a few issues, but this fix will be in the next release! Thanks for the patience.

@ghost

ghost commented Feb 20, 2018

Hi @luisrudge I saw the new release had this commit in it, but I'm still having issues with this. I'm using angular-lock which pulls in the latest (v11) lock and auth0js (v9.2.3).

I've set up the same "Force email verification" rule as rgerstenberger, however the authorization_error event is still not being emitted. The /authorize endpoint returns a 200 OK with HTML that does show the actual error.

Lock options as follows:

var options = {
    _idTokenVerification: false,
    closable: false,
    rememberLastLogin: false,
    container: 'loginbox',
    auth: {
        sso: false,
        redirect: false,
        responseType: 'id_token token',
        params: {
            scope: 'openid username name app_metadata roles'
        }
    }
};

@luisrudge
Contributor

@kvarbyte this wasn't released yet

@ghost

ghost commented Feb 20, 2018

My bad, I completely read it wrong, 2 commits since. Disregard this :)

@luisrudge
Contributor

we're aiming for this week, so stay tuned

@andreasvirkus

andreasvirkus commented Oct 16, 2018

Hi, seems this issue is still not released? @luisrudge

@luisrudge
Contributor

@andreasvirkus it is

@moelmaghraby

@luisrudge I'm still facing this issue with lock version 11.12.1
is it still not released?

@luisrudge
Contributor

This was released, yeah. Are you using auth0js in your project as well?
