Docs

Lock Authentication Modes

Versionv11

LockLock can function in two different modes. The default mode is redirect mode. In this mode, your user is redirected to be authenticated, and then is returned to the application. In the second mode, popup mode, a popup window allows the user to authenticate with the identity provider without leaving the application.

Redirect Mode

When you click the IdP button (For example, Facebook) with redirect mode, you are redirected to Facebook momentarily. Redirect mode is the default with Lock v11, and is the recommended mode for almost all use cases. Once you successfully login (to Facebook, in this example), Facebook will redirect you back to your app (through Auth0). The majority of examples or samples in the reference documentation employ redirect mode.

If after you click on the IdP button (Facebook for example), a popup (new tab or window) is opened, it means you are using popup mode. In that popup, you'll see that Facebook page is displayed. Once you successfully login to Facebook, the popup will be closed and your web app will recognize that the user has been authenticated. The web app has never been redirected to any other page.

Implementing Lock with Popup Mode is again a simple change of the redirect option from its default.

OpenID Connect (OIDC)Multi-factor authentication (MFA) is not supported when Lock is in popup mode and embedded in your application.

Popup mode does not work with Access TokenUniversal Login.

Some Auth0 features such as Single Sign-out (SSO) between multiple applications depend on users being redirected to Auth0 to set a cookie on 'YOUR_DOMAIN'.

When using popup mode, a popup window will be displayed in order to set this cookie. If prompts are unnecessary, this popup window will be blank and be in a hidden iframe to minimize disruption. The reason for this is that cross-origin requests sent from your application to Auth0 are not be able to set cookies.

If you do not want to display a popup window and do not need SSO between multiple applications, you can set sso: false when using Lock or auth0.js.

For example: