Lock Authentication Parameters
You can send parameters when starting a login by adding them to the options object. The example below adds a
state parameter with a value equal to
The following parameters are supported:
There are different values supported for scope. Keep in mind that JWTs are sent on every API request, so it is desirable to keep them as small as possible.
The default scope value in Lock v11 is openid profile email. This minimum scope value is required to make the "Last time you logged in with" feature work correctly.
Running Lock Locally
If you don't specify at least the above scope when initializing Lock, and you are running your website from
http://127.0.0.1, you will get the following error in the browser console:
Consent required. When using getSSOData, the user has to be authenticated with the following scope: openid profile email
That will not happen when you run your application in production or if you specify the
openid profile email scope. You can read more about this in the User consent and third-party applications document.
For more information about scopes, see the scopes documentation page.
Example: retrieve a token
In Lock v11, if you wish to receive a token with the ability to fetch the user's profile data, you should add the
The state parameter is an arbitrary state value that will be maintained across redirects. It is useful to mitigate XSRF attacks and to carry contextual information, such as a return URL that you might need after the authentication process is finished. If a custom state parameter is not provided, Lock will automatically generate one. For more information, see State Parameter.
The nonce parameter is used to help prevent replay attacks, and will be automatically generated by Lock if a custom value is not provided.
The device parameter sets the name of the device or browser requesting authentication.