Hi community,
I have some internal APIs which I need to access through OAuth using authorization code flow to fetch a bearer token for the user. These are secured by Auth0. I've read through Stefan Weber's helpful post on how to accomplish this in Outsystems: https://itnext.io/acquire-and-link-multiple-oauth-tokens-to-outsystems-users-for-delegated-access-b2ba74ca78a0.
My problem is that when I attempt to call Auth0's authorize API endpoint, nothing happens. It's not redirecting to my callback URL or showing any activity in the Auth0 logs. When I try to do so with silent auth, I get an error message "login required". Per Auth0 support, it seems that the issue may be that the action isn't occurring in the browser - see message below:
In that case, how can I trigger an action to be browser based? I initially created this as a server action, then switched to calling the authorize endpoint from a client action, but when I analyze my HAR file, there is no activity in the browser after calling the client action, so it appears that the client action isn't happening in the browser either. Any tips would be much appreciated, thanks!
I got the silent authentication working and am able to fetch the authorization code now. Turns out that I misread the Auth0 documentation and thought that the authorize endpoint was a REST API, but it's just a URL. All I needed to do was redirect to the URL. Stefan, thanks for your time trying to assist!
Hi Nels,
Thanks for the feedback. I am not sure what you mean by "call to the authorize endpoint".
Your application needs to redirect the user (the browser) to the authorize endpoint.
1. User wants to start your application but is not logged in.
2. User browser gets redirected to the authorize endpoint. The Auth0 URL looks like this:
https://{yourDomain}/authorize?response_type=code&client_id={yourClientId}&redirect_uri={https://yourApp/callback}&scope={scope}&state={state}
The callback must be registered in your Auth0 account as a valid callback URL.
3. User logs in
4. User gets redirected to the callback url and the authorization code is part of the url
5. Your backend exchanges the authorization code for an access token
6. Your backend uses the access token to consume the external resource server's resources.
Best
Stefan
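Steps 2 and 4 of the flow above, as an added example that is not part of the original posts: it builds the authorize URL the browser navigates to and checks the `state` value on the callback before the code is handed to the backend. The domain, client ID, redirect URI and all function names are placeholders chosen for illustration.

```javascript
// Added example. AUTH0_DOMAIN, CLIENT_ID and REDIRECT_URI are placeholders.
const AUTH0_DOMAIN = "your-tenant.example.com";              // {yourDomain}
const CLIENT_ID = "YOUR_CLIENT_ID";                          // {yourClientId}
const REDIRECT_URI = "https://yourapp.example.com/callback"; // registered in Auth0

// Unguessable per-request value that ties the callback to this browser session.
function newState() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Step 2: the URL the browser is redirected to (a navigation, not a REST call).
function buildAuthorizeUrl(state, scope, silent = false) {
  const url = new URL(`https://${AUTH0_DOMAIN}/authorize`);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope,
    state,
  }).toString();
  if (silent) url.searchParams.set("prompt", "none"); // silent authentication
  return url.toString();
}

// Step 4: parse the callback URL; reject it unless state matches what was sent.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch" };
  }
  if (params.has("error")) {
    return { ok: false, error: params.get("error") }; // e.g. login_required
  }
  const code = params.get("code");
  return code ? { ok: true, code } : { ok: false, error: "missing_code" };
}

// In the browser (not executed here):
//   const state = newState();
//   sessionStorage.setItem("oauth_state", state);
//   window.location.assign(buildAuthorizeUrl(state, "openid profile"));
```

With `silent` set, a user who has no session at the identity provider comes back to the callback with `error=login_required` instead of a code, which `readCallback` surfaces as the error value.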
Thanks Stefan! I realize now I missed some context. We're integrated with Auth0 via SAML for authentication, so the user is already logged in to the platform when I need to initiate the authorization code flow. I was trying to call the authorize endpoint from within the application. Is that a non-starter? It sounded from the Auth0 documentation like that was a valid use case when performing silent authentication.
Sorry, I can't tell as I have never worked with Auth0. But SAML and OAuth are two different protocols. I know that some IdPs have an exchange token endpoint, like Microsoft Entra, where you can exchange a SAML token for an OAuth access token...
Hi @Nels Yehnert,
I was trying to use Auth0 for authentication of my OS application. Somehow, when the authentication successfully logs in, I get an error: "Message": "The requested resource does not support http method 'POST'". I got this in JSON format in the page of my OS application instead of going to the home page of the app. I use the home URL of my application as the callback URL for Auth0. Am I missing something here?
Please help. Thank you!
Hi Allan, just to confirm, are you attempting SAML integration between Auth0 and Outsystems?