This repository was archived by the owner on Nov 25, 2020. It is now read-only.

Auth0 not returning Access Token #397

Closed
jawa-the-hutt opened this issue Jul 15, 2018 · 1 comment

@jawa-the-hutt
Contributor

I have a proposed PR to make, but wanted to get feedback here first. The PR should be simple to implement, but will introduce a breaking change to the Auth0 plugin.

The current implementation of the Auth0 integration is not standards compliant to Auth0 specs. What it is essentially doing is getting the Id Token and then naming and saving it as access_token.

access_token: authResponse.idToken

What this essentially means is we are unable to call any of the Auth0 endpoints like /userinfo that require sending back their Access Token as all we really have in our possession at this point is their Id Token.

So, I propose a breaking change to the Auth0 plugin that would replace Line 77 with something like this:

  access_token: authResponse.accessToken,
  id_token: authResponse.idToken

With the new getIdTokenPayload() function we can then easily grab the payload of the id_token and use it how we need it within our apps. This change would also require setting the getAccessTokenFromResponse to true in your aurelia-authentication config if you also want the access token.

The access token that gets returned from Auth0 will be opaque and not in JWT format. If you want an Access Token in JWT format that is not opaque and can be used to store/retrieve information in it, then in the Auth0 portion of your aurelia-authentication config you can also pass something like this:

{
    auth0: {
        lockOptions: {
            auth: {
                audience: 'https://YOUR_AUTH0_URL/api/v2/'
            }
        }
    }
}

The key here is to pass in the audience config so that Auth0 returns the non-opaque access token.
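
A defender-side check for the token mix-up described in this issue, as an added example that is not part of the original post or of the aurelia-authentication code: it decodes (without verifying) whatever is stored as `access_token` and uses the `aud` claim to tell an ID token from an access token. The function names, client ID, API audience and sample tokens are constructed assumptions.

```javascript
// Added example. All names and values here are hypothetical/constructed.
const CLIENT_ID = 'constructed-client-id';          // Auth0 application (client) ID
const API_AUDIENCE = 'https://api.example.test/';   // API identifier passed as `audience`

// Build an unsigned JWT-shaped string for the demo; the signature is a placeholder.
function fakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

// Decode the payload segment only. This does NOT verify the signature.
function decodePayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;               // not JWT-shaped: opaque
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
  } catch (err) {
    return null;                                     // segment is not JSON: opaque
  }
}

// An ID token names the client in `aud`; a JWT access token names the API.
function classifyToken(token, clientId, apiAudience) {
  const payload = decodePayload(token);
  if (!payload || typeof payload !== 'object') return 'opaque';
  const aud = [].concat(payload.aud || []);          // `aud` may be a string or an array
  if (aud.includes(apiAudience)) return 'jwt-access-token';
  if (aud.includes(clientId)) return 'id-token';
  return 'unknown-jwt';
}

// Behaviour the issue describes: the ID token is stored under access_token.
const mapCurrent = (r) => ({ access_token: r.idToken });
// Mapping the issue proposes: each token keeps its own field.
const mapProposed = (r) => ({ access_token: r.accessToken, id_token: r.idToken });

// Constructed Lock-style responses: without and with the `audience` option.
const idToken = fakeJwt({ iss: 'https://tenant.example.test/', sub: 'auth0|constructed', aud: CLIENT_ID });
const withoutAudience = { idToken, accessToken: 'constructed-opaque-token' };
const withAudience = { idToken, accessToken: fakeJwt({ sub: 'auth0|constructed', aud: [API_AUDIENCE] }) };

// Classify whatever a given mapping ends up storing as access_token.
function report(map, response) {
  return classifyToken(map(response).access_token, CLIENT_ID, API_AUDIENCE);
}
console.log(report(mapCurrent, withoutAudience), report(mapProposed, withoutAudience),
  report(mapProposed, withAudience));
```

A backend that accepts bearer tokens still has to verify the signature and `aud` with a JWT library; this check only flags which kind of token a client is holding.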

@doktordirk
Contributor

Seems necessary, so if it's a breaking change so be it.
