checkSession() returns login_required just after login() was successful

@James.Morrison Here’s the error message

{
    error: "login_required",
    error_description: "Login required"
}

For ease of debugging, I have got two versions of the application running now.

  1. Working checkSession at https://d1c.emailyard.com
  2. Broken checkSession at https://d2c.emailyard.com

The code and methods used to build and deploy are exactly the same. The only difference is the following constants in the dot env files. I will share them below.

For D1 environment,

REACT_APP_AUTH0_DOMAIN=emailyard.auth0.com
REACT_APP_AUTH0_EY_CLIENT_ID=N_Q62V2zXoiF5WZIPa7GDAHYZNB9T2T2

For D2 environment,

REACT_APP_AUTH0_DOMAIN=eylocalhost.auth0.com
REACT_APP_AUTH0_EY_CLIENT_ID=Ud6laYTVmNWTrNmjwPnh673Tgu7tAOHW

Steps to replicate

  1. Open D2 Link and make sure you have debug console open with preserve log enabled
  2. It will take you to sign up on Auth0’s Universal Login page. Use any method to login.
  3. You will be redirected back and a few seconds later, amidst various debug statements, you will find the error starting with the message checkSession error-ed out. It also logs Auth0’s configuration options and response data with it for further investigation.

If you are trying out both environments, D1 and D2, make sure you are using two separate email addresses.

Key Findings

There are two network errors that stand out from Auth0’s side of things. When you are trying to log in via the hosted login page for D2, you see the following errors. These are not visible in the logs of the hosted login page for D1’s tenant. Also, note the errors are on the Hosted Login page and not on this application page.

  1. SSO Data 404

    client.js:772 GET https://eylocalhost.auth0.com/user/ssodata 404
    
  2. Google’s /accounts/SetSID:8 errors out with 404

On top of that, the user is asked to log in again for D2’s tenant within minutes of logging in.
If the application sends the user to log in again on the hosted login page (e.g. when the token is expired or deleted from localStorage), D1’s tenant immediately redirects the user back to the callback URL. However, D2’s tenant shows a login prompt to the user.

My Theory

  1. For D2’s tenant, persistent cookies aren’t being set at Auth0’s end and hence it doesn’t recognize a returning user. This results in
    • failing checkSession
    • a login prompt shown again to a user who logged in just a few minutes ago.
  2. There is some configuration mismatch between D1’s and D2’s tenants on my end. This is unlikely as I have tried creating multiple tenants and applications with the same configuration, and even creating a different application within D1’s tenant, and the error still remains the same. Please help me figure out what I might be missing.

@sjoerdvisscher

I’m facing the issue on Chrome 69.0.3497 and Safari 1.0.13604. Have tried only these two yet.

Let me know if you need more details from my side.
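As an added example (not code from the original post or from auth0-js), the following wrapper shows one defensive way to consume a checkSession result like the one above: only the error codes that genuinely need user interaction trigger a redirect to /authorize, any other error is surfaced instead of swallowed, and a session-storage flag stops the callback → checkSession → login_required → /authorize loop that a tenant not keeping an SSO session would otherwise produce. The `webAuth` object is assumed to expose checkSession(opts, cb) and authorize(opts) as auth0-js WebAuth does; the storage object and the key name are this example's own choices.

```javascript
// Error codes from checkSession that can only be resolved by sending the
// user through the hosted login page. Anything else (network, bad config,
// timeout) is treated as a hard failure, not a reason to redirect.
const INTERACTIVE_ERRORS = new Set([
  'login_required',        // no SSO session cookie for this tenant
  'consent_required',      // user has to grant the requested scopes
  'interaction_required',  // MFA or another step-up is required
]);

// Hypothetical key name; sessionStorage is a good fit because it is per-tab
// and cleared when the tab closes.
const LOOP_GUARD_KEY = 'auth0:interactiveAttempted';

// Pure decision: what to do with a checkSession callback result.
// Returns 'renewed', 'redirect', 'loop_detected' or 'fail'.
function decideAfterCheckSession(err, storage) {
  if (!err) {
    storage.removeItem(LOOP_GUARD_KEY);   // silent renewal worked, reset guard
    return 'renewed';
  }
  if (!INTERACTIVE_ERRORS.has(err.error)) return 'fail';
  if (storage.getItem(LOOP_GUARD_KEY) === '1') {
    // We already went through /authorize once and still got login_required:
    // the tenant is not persisting the session, so do not bounce again.
    return 'loop_detected';
  }
  storage.setItem(LOOP_GUARD_KEY, '1');
  return 'redirect';
}

// Wraps WebAuth#checkSession and acts on the decision above.
function renewSession(webAuth, opts, storage) {
  return new Promise((resolve, reject) => {
    webAuth.checkSession(opts, (err, authResult) => {
      const action = decideAfterCheckSession(err, storage);
      if (action === 'fail') {
        return reject(new Error(
          `checkSession failed: ${err.error}: ${err.error_description || ''}`));
      }
      if (action === 'redirect') webAuth.authorize(opts); // full-page redirect
      return resolve({ action, authResult, error: err ? err.error : null });
    });
  });
}
```

When `loop_detected` is returned the application should show its own error page instead of redirecting, which is exactly the situation the D2 tenant produces.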