Tags: auth0, wolkenkit

wolkenkit redirects to Auth0 even when user is logged in


I just tried to test wolkenkit’s authentication with the chat template following the wolkenkit docs. User login seems to work, but the user is redirected to Auth0 even when they're already logged in (without the client calling the auth.login method).

Here’s a code snippet from the client:

wolkenkit.connect({
    host: 'local.wolkenkit.io',
    port: 3000,
    authentication: new wolkenkit.authentication.OpenIdConnect({
        identityProviderUrl: 'https://<myIdentity>.eu.auth0.com/authorize',
        clientId: '<myClientID>',
        strictMode: false
    })
}).then(chat => {
    console.log("chat.auth.isLoggedIn() = " + chat.auth.isLoggedIn());
    console.log(chat.auth.getProfile());
    // only start the login flow if there is no valid session yet
    if (!chat.auth.isLoggedIn()) {
        return chat.auth.login();
    }
});

In package.json, the identity provider is configured as follows:

"wolkenkit": {
    "environments": {
      "default": {
        "identityProvider": {
          "name": "https://<myIdentity>.eu.auth0.com/",
          "certificate": "/server/keys/<myIdentity>.eu.auth0.com"
        },...

Browser log after clearing cookies (I censored the provider identity and the object returned by chat.auth.getProfile()):

Navigated to http://local.wolkenkit.io:8080/
index.js:14 chat.auth.isLoggedIn() = false
index.js:15 undefined
Navigated to https://<myIdentity>.eu.auth0.com/login?client=<clientID>...

Navigated to http://local.wolkenkit.io:8080/
index.js:14 chat.auth.isLoggedIn() = true
index.js:15 {iss: "https://<myIdentity>.eu.auth0.com/", sub: "auth0|...", aud: "...", iat: ..., exp: ..., …}
Navigated to https://<myIdentity>.eu.auth0.com/login?client=<clientID>...

Solution

  • Being redirected although you configured authentication typically means that there is an error in the way the authentication is configured.

    You might want to check these settings:

    • The token must be signed using RS256, not HS256 (which, for some accounts, seems to be the default of Auth0). To find out which signature algorithm is being used, get the token from the browser's local storage and paste it into the JWT debugger. Then you can see how the token was signed. If you need to change the signature algorithm, you can find this in the Advanced Settings of your client in Auth0.
    • Using the very same debugger you can also verify whether the token and the certificate you are using match each other. If they don't, you probably have copied the wrong certificate, or you have configured the path to point to a wrong certificate.
    • The certificate file must be named certificate.pem. If it has another name, or the path in package.json is incorrect, wolkenkit should not even start the application, but to be sure double-check that the file is named correctly.
    • In the package.json, besides the path to the certificate, you also have to provide the name of the identity provider you use, in your case this is https://<myIdentity>.eu.auth0.com/. Please note that this must exactly match the iss claim within the token. Often the claim in the token contains a trailing slash, while the value in package.json does not. If they differ, use the token's value in package.json.

    Once you have made your changes, make sure to empty local storage, and to restart your wolkenkit application using the following command (otherwise your changes won't become effective):

    $ wolkenkit restart
    

    Hope this helps :-)