SignIn Widget and scopes

Hi. I am now in the process of upgrading our Okta dependencies. We are going from okta-angular 1.4.0 to okta-angular 3.0.1 and from okta-signin-widget 3.3.0 to okta-sign-in-widget 5.0.0. We are using the implicit flow. We are using the sign-in widget and then using a redirect component which uses the OktaAuthService to read the tokens from the redirect and set up authorization. We need to be receiving the groups scope in the token, and our current version does; our authorization server is configured to send it. The configuration object for the signIn widget looks like this:
authParams: {
	display: "page"
	issuer: "https://XXXXXXXXXXXXXXXXXXXXXXXXXXX/oauth2/default"
	pkce: false
	responseType: "id_token"
	scopes: ["openid", "profile", "email", "groups"]
}

baseUrl: "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
clientId: "XXXXXXXXXXXXXXX"
features: {
	showPasswordToggleOnSignInPage: true
}

helpLinks: {
	help: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
}
i18n: {en: {…}}
idpDisplay: "SECONDARY"
idps: (2) [{…}, {…}]
logo: "/assets/images/logo.svg"
redirectUri: "XXXXXXXXXXXXXX/callback"

For some reason, the scopes I'm setting on the authParams are being overwritten to ['openid', 'email'], so that is the only data I'm getting back. I need the groups and profile data. How do I make it request this data? The old versions have no problems getting this data.

Ted

I've found the answer, and thought I'd share.

Within our LoginComponent, we were calling signIn.renderEl. For the upgrade, I replaced it with signIn.showSignInAndRedirect() and assumed, without checking, that it took the same parameters as renderEl. It can take an options object. Undocumented, the options object can have a scopes property, a string array of the scopes to be requested. Even worse, and also undocumented, is that if no scopes property is passed, it defaults not to the scopes property passed to the constructor, but to ['openid', 'email'].

2 Likes
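Two things follow from the answer above: the scopes handed to showSignInAndRedirect() should come from the same config object as the constructor, so the two cannot drift, and the redirect component should check that the ID token actually carries the claims those scopes were meant to produce, since a silent fallback to ['openid', 'email'] only shows up as missing data. The code below is an added example, not code from this thread or from Okta's SDK. It assumes a hypothetical `widgetConfig` object shaped like the one in the question, a `signIn` widget instance, and a scope-to-claim map that is an assumption about what this authorization server puts in its ID tokens.

```javascript
// Added example (not from the thread or Okta's SDK). Assumes an Angular
// LoginComponent holding the widget config (`widgetConfig`, hypothetical name)
// and the widget instance (`signIn`), plus a redirect component that receives
// the ID token the Okta SDK has already verified.

// Scopes the application needs; the same list as authParams.scopes in the question.
const REQUIRED_SCOPES = ['openid', 'profile', 'email', 'groups'];

// Claims each non-openid scope is expected to produce in the ID token.
// 'groups' is the custom claim the thread's authorization server is configured
// to send; the others are standard OIDC claims. This mapping is an assumption.
const CLAIMS_FOR_SCOPE = {
  profile: ['name', 'preferred_username'],
  email: ['email'],
  groups: ['groups'],
};

// Derive the options for signIn.showSignInAndRedirect() from the constructor
// config, so the redirect call cannot silently fall back to ['openid', 'email'].
function redirectOptionsFrom(widgetConfig) {
  const scopes = widgetConfig && widgetConfig.authParams && widgetConfig.authParams.scopes;
  if (!Array.isArray(scopes) || scopes.length === 0) {
    throw new Error('authParams.scopes must be a non-empty array of scope names');
  }
  return { scopes: [...scopes] };
}

// Base64url-decode the payload segment of a compact JWT. No signature check
// here: the Okta SDK has already verified the token by the time the redirect
// component reads it, and this helper only inspects which claims arrived.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Claims that the requested scopes should have produced but that are absent
// from the ID token. An empty array means the token carries everything the app
// asked for; a non-empty one means the scopes were dropped somewhere between
// the widget call and the authorization server, which is worth logging loudly.
function missingClaims(idToken, scopes = REQUIRED_SCOPES) {
  const payload = decodeJwtPayload(idToken);
  const missing = [];
  for (const scope of scopes) {
    for (const claim of CLAIMS_FOR_SCOPE[scope] || []) {
      if (!(claim in payload)) missing.push(claim);
    }
  }
  return missing;
}

// Constructed sample token for the offline demonstration only. The header and
// signature segments are placeholders; a real ID token comes from the SDK.
function constructedIdToken(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'placeholder' })}.${enc(payload)}.placeholder-signature`;
}

// Wiring (hypothetical) in the LoginComponent:
//   signIn.showSignInAndRedirect(redirectOptionsFrom(widgetConfig));
// and in the redirect component, once the SDK has parsed the tokens:
//   const gaps = missingClaims(idToken.value);
//   if (gaps.length) console.error('ID token is missing expected claims:', gaps);
```

The check runs on the verified token rather than on the scopes string, because the thread's symptom is exactly that the requested scopes and the delivered claims disagree; asserting on the claims catches that regardless of which layer dropped the scopes.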

Hey! I'm glad you were able to get it working as it looks like you ran into a bug with the underlying Auth JS SDK that was fixed in version 4.1.1 and 4.0.4. With a widget bundled with either version of AuthJS, you should only need to set it in the constructor and not redundantly.

I'm told that we will be updating this in this week's widget release, so you can check out the fix once that's out.

Andrea,

I've updated to v. 5.0.2. Doesn't appear to have fixed it. To be clear, we're using signIn.showSignInAndRedirect(), not signIn.showSignInToGetTokens(). The docs for signIn.showSignInAndRedirect() still don't indicate you can pass scopes as part of the options object.