Timeout error in V8 auth0-js checkSession

xinghengwang · October 24, 2017, 12:30am

background:

I am using Auth0-lock UI for login user, but I am using Auth0-js to refresh the token. I am migrating from Auth0-js V7 (which uses refreshToken method) to Auth0-jv V8 (8.10.1) (which now uses checkSession).

Auth0-lock is also being upgraded from 10.8.1 (which uses v7) to 10.23.1 (which uses v8).
The Auth0-lock works fine for login.

Problem:

In the past, the refreshToken always worked fine, but with V8, whenever I call checkSession, I get an error (after a long time):

{error: “timeout”, error_description: “Timeout during fetching SSO data”}

For reference this is my code in V8:

const webAuth = new auth0js.WebAuth({ domain: config.auth0Domain, clientID: config.auth0ClientId });

webAuth.checkSession({ responseType: 'token' }, (err, authResult) => { if (err) { console.error(err); } });

Also this is my code in V7, which works fine.

const auth0Client = new Auth0({ domain: config.auth0Domain, clientID: config.auth0ClientId, responseType: 'token' });

const storedRefreshToken = localStorage.getItem('refresh_token'); // I manually saved the refreshToken earlier after lock login success. According to V8 checkSession's documentation, I no longer have to do this.

auth0Client.refreshToken(storedRefreshToken, (err, delegationResult) => { if (err) { console.error(err); } });

If someone can tell me why checkSession V8 keep timeout, I would appreciate it.

Thanks

jmangelo · November 15, 2017, 7:48pm

I could not reproduce this situation and the checkSession either returned refreshed tokens or a login_required error if there was no session. If you can reproduce this consistently you should check the HTTP request/response for the call to /authorize that is performed when you invoke the checkSession method; ideally, you should include in your question data for that HTTP request and response pair (you can redact information you deem sensitive).

stephenbinge · December 9, 2017, 5:23pm

If this fires correctly should the Rules fire in the same way as with an explicit login ?

xing · December 13, 2017, 3:55am

Thanks for the response. So does it mean anything when it says timeout during fetching SSO? (Is it because Auth0 Lock isn’t compatible with hosted page?)
For now, I decided to push out the migration until absolutely necessary, given the issues.

jmangelo · December 15, 2017, 10:12pm

Yes, rules should run as part of an authentication request such as this one.

jmangelo · December 15, 2017, 10:19pm

The timeout means something completely unexpected happened; for example, if you’re sending a completely wrong redirect URI or client identifier in the check session. My recommendation would be for you to review what was wrong and continue the migration.

xinghengwang · January 5, 2018, 6:18am

Hm…, I believe the issue is that I am not using Hosted Page, I am using the embedded login method.

The CheckSession seems to expect that I have used Hosted Page way to obtain original token. Thus it is fetching SSO, and times out.

Is there anyway to config CheckSession to work with embedded login?

xinghengwang · January 5, 2018, 6:22am

we already implemented safeguard against the cross origin issues involved with embedded login. And we like the embedded login for its better user experience.

jmangelo · January 9, 2018, 10:46pm

If you perform an embedded login through cross-origin authentication which is currently the available option for a SPA then checkSession should still be possible. How are you performing the login?