[Bug]: Hosted backend API doesn't return `app.idt` cookie and `/app/me` is not available (in strict mode) when the `openid` scope is requested

[RichardJECooke]

What happened?

I wrote the simplest web page to test the API at https://fusionauth.io/docs/apis/hosted-backend, but despite using the openid scope in my request, the app.idt cookie isn't returned as expected.

I then tried making a fetch request to the /app/me endpoint, as the app.at was correctly returned, but this endpoint doesn't exist.

To reproduce:

• Download the repository at https://github.com/ritza-co/fusionauth-example-docker-compose/tree/main/light, cd into the light folder, and docker compose up.
• Create the file index.html with the content below:

<!DOCTYPE html>
<html>
<head><title>Hosted backend app</title></head>
<body><a href="#" id="loginLink">Log in</a></body>
<script>
  const AUTH_URL="http://localhost:9011/app/login/E9FDB985-9173-4E01-9D73-AC2D60D1DC8E";
  const AUTH_CALLBACK_URL="http://localhost:3000/auth/callback"

  function setupLogin() {
    const state = Math.random().toString(36).substring(2, 15);
    localStorage.setItem('auth_state', state);
    const authorizeUrl = AUTH_URL + `?redirect_uri=${encodeURIComponent(AUTH_CALLBACK_URL)}&state=${state}&scope=openid`;
    document.getElementById('loginLink').addEventListener('click', function(event) {
      event.preventDefault();
      window.location.href = authorizeUrl;
    });
  }

  async function handleCallback() {
    const urlParams = new URLSearchParams(window.location.search);
    const callbackState = urlParams.get('state');
    const storedState = localStorage.getItem('auth_state');
    localStorage.removeItem('auth_state');
    if (callbackState != storedState)
      return alert("State check returned from authentication server does not match saved state");
    // ERROR - app.idt cookie missing, despite requesting openid scope - https://fusionauth.io/docs/apis/hosted-backend#request
    const response = await fetch('http://fa:9011/app/me');
    // ERROR /app/me url not found, despite being in docs - https://fusionauth.io/docs/apis/hosted-backend#me
    const data = await response.json();
    console.log(data);
    window.location.href = 'http://localhost:3000';
  }

  if (window.location.pathname != '/auth/callback')
    setupLogin();
  else
    handleCallback();
</script>
</html>

• Run the app with docker run --init -it --rm --name "app" -v ".:/app" -w "/app" -p 3000:3000 --network faNetwork node:23-alpine3.19 sh -c "npm install http-server && npx http-server -d false -a 0.0.0.0 -p 3000 --proxy http://localhost:3000?" and browse to http://localhost:3000
• Log in to FA with the log in link and richard@example.com and password.
• Notice in your browser dev tools that the app.idt token wasn't returned and the fetch call to /app/me failed.

Version

1.57.0

Affects Versions

No response

Alternatives / Workarounds

None. This completely blocks a serverless app from finding the username of the logged in user, as the app.at cookie is HttpOnly.

[mooreds]

@RichardJECooke if you turn on debugging, add a id token lambda, and add a console.log statement in there, do you see anything in the event log?

I'm wondering if the id token is even being sent. If not, it's probably a scope issue (might need profile or email in there).

If it is being sent but not set correctly, that is a hosted backend issue.

[RichardJECooke]

@mooreds thanks. I tried making a lambda for Client credentials JWT populate, External JWT,JWT populate,OpenID connect reconcile, and Userinfo populate, but none are selectable in Applications - Example App - Select - Edit - JWT tab - Id token populate lambda. Where do I find the Id token populate lambda please?

And where do I need to put email in my request string?

[mooreds]

Ah, sorry. You use can use the populate JWT lambda for both access token and id token manipulation.

email would be another scope to add, space separated, next to openid. So https://local.fusionauth.io/oauth2/authorize?client_id={client_id}&redirect_uri={redirect_uri}&response_type=code&tenantId={tenantId}&scope=openid%20email%20profie

More details about scope handling here: https://fusionauth.io/docs/lifecycle/authenticate-users/oauth/scopes

[RichardJECooke]

Well this is bizarre. The app.idt token suddenly appeared today - though I didn't change any code or FA version. Maybe restarting the FA docker container fixed something.

However, even after changing the line to include email:

const authorizeUrl = AUTH_URL + `?redirect_uri=${encodeURIComponent(AUTH_CALLBACK_URL)}&state=${state}&scope=openid%20email`;

the email address still didn't appear.

I had to change Applications - Example App - Select - Edit - Scopes tab - Scope handling policy - Compatilibity (not strict). Then the email address was in the token. Perhaps the format of my URL is not quite right?

[mooreds]

hmmm. Are you looking in the id token or the access token for the email?

In strict mode we'll never put the email address in the access token, only in the id token.

[RichardJECooke]

The id token, app.idt, as listed here - https://fusionauth.io/docs/apis/hosted-backend#response-2. The access token is httponly, so I couldn't get it from JS even if I wanted to.

[RichardJECooke]

Update HTML code that works as long as server is in JWT compatibility mode:

<!DOCTYPE html>
<html>
<head><title>Hosted backend app</title></head>
<body><a href="#" id="loginLink">Log in</a></body>
<script src="https://cdn.jsdelivr.net/npm/jwt-decode@3.1.2/build/jwt-decode.min.js"></script>
<script>
  const AUTH_URL="http://localhost:9011/app/login/E9FDB985-9173-4E01-9D73-AC2D60D1DC8E";
  const AUTH_CALLBACK_URL="http://localhost:3000/auth/callback"

  function setupLogin() {
    const state = Math.random().toString(36).substring(2, 15);
    localStorage.setItem('auth_state', state);
    const authorizeUrl = AUTH_URL + `?redirect_uri=${encodeURIComponent(AUTH_CALLBACK_URL)}&state=${state}&scope=openid%20email`;
    document.getElementById('loginLink').addEventListener('click', function(event) {
      event.preventDefault();
      window.location.href = authorizeUrl;
    });
  }

  async function handleCallback() {
    if (window.location.pathname != '/auth/callback') return;
    const urlParams = new URLSearchParams(window.location.search);
    const callbackState = urlParams.get('state');
    const storedState = localStorage.getItem('auth_state');
    localStorage.removeItem('auth_state');
    if (callbackState != storedState)
      return alert("State check returned from authentication server does not match saved state");
    if (!getToken())
      return alert("app.idt cookie not found");
    window.location.href = 'http://localhost:3000';
  }

  function displayEmail() {
    const jwt = getToken();
    if (!jwt) return;
    const email = jwt_decode(jwt).email;
    document.body.appendChild(Object.assign(document.createElement('p'), { textContent: `Logged in as: ${email}` }));
  }

  function getToken() {
    const cookies = document.cookie.split(';');
    let jwt = null;
    for(let i = 0; i < cookies.length && !jwt; i++)
      if (cookies[i].trim().startsWith('app.idt='))
        jwt = cookies[i].trim().substring('app.idt='.length + 1);
    return jwt;
  }

  displayEmail();
  if (window.location.pathname == '/auth/callback')
    handleCallback();
  else
    setupLogin();
</script>
</html>

[RichardJECooke]

Actually, the docs are correct in that only openid scope is required, not email, I tested it. All that is needed to return email in the idt cookie is compatibility mode to be turned on. I'm not sure what this mode is, but we could fix this bug by updating the hosted backend docs to tell readers to switch on that mode?

[mooreds]

No, we want to encourage folks to use strict mode, which is more compatible with OIDC.

[robotdan]

@RichardJECooke or @mooreds can we update this issue with a summary of what we want to be changed if we are going to keep the bug tag?

Are we just indicating that we want to document the email scope is required if you need the email claim in the Identity Token? Or perhaps better document what strict or compatibility mode means in context of this use case and the pros and cons?

The title is misleading as it stands, unless we are literally never writing the app.idt cookie? when scopes are set to strict?

[mooreds]

@RichardJECooke are the repro steps you initially listed still applicable or are they superseded by the comment here?

[RichardJECooke]

@robotdan I think the bug title should be changed to [Bug]: Hosted backend API doesn't return email address in app.idt cookie in strict mode, and /app/me is not available.

When using compatibility mode and requesting the openid scope, the email address is returned.

Instructions to reproduce are in the first comment, but using the improved html in the later comment.

---

Are we just indicating that we want to document the email scope is required if you need the email claim in the Identity Token?

The email scope didn't make a difference in my experiments. I think either we should document that compatibility mode is required if you need a user's email, or make changes to the code to return email address in strict mode if it's supposed to work.

This also needs to be investigated by a programmer: I then tried making a fetch request to the /app/me endpoint, as the app.at was correctly returned, but this endpoint doesn't exist..

Or perhaps better document what strict or compatibility mode means in context of this use case and the pros and cons?

That's for @mooreds . I don't know the differences.

The title is misleading as it stands, unless we are literally never writing the app.idt cookie? when scopes are set to strict?

At first the cookie wasn't returned, but then later it was after restarting my services. I have no idea how that happened, but I think it can probably be ignored as a glitch in something I did.