renewAuth Timeout err (Silent Auth) to custom page

Keep getting a timeout on err using renewAuth. The logic I am going for is to check if the user is currently logged in; if so, hash the token/get user info, else redirect to custom login page (on error).

What am I missing? I have the callback URL set up and am able to get user info if I force feed it a valid token via hash.

index.html

window.addEventListener('load', function () {
    var webAuth = new auth0.WebAuth({
        domain: AUTH0_DOMAIN,
        clientID: AUTH0_CLIENT_ID,
        redirectUri: 'http://localhost:56517',
        responseType: 'token id_token',
        scope: 'openid'
    });

    function checkUser() {
        webAuth.parseHash(function (err, authResult) {
            if (authResult && authResult.accessToken && authResult.idToken) {
                //Get User info function
            } else {
                debugger;
                webAuth.renewAuth({
                    redirectUri: '/silent-callback.html',
                    usePostMessage: true
                }, function (err, authResult) {
                    debugger;
                    if (err) {
                        //redirect to custom login page
                    }
                    else {
                        window.location.hash = authResult.idToken;
                        //Get User info function
                    }
                });
            }
        });
    }
    checkUser();
});

silent-callback.html

<script src="https://cdn.auth0.com/js/auth0/8.0.4/auth0.min.js"></script>
<script type="text/javascript">
  var webAuth = new auth0.WebAuth({
    domain: AUTH0_DOMAIN,
    clientID: AUTH0_CLIENT_ID
  });
    var result = webAuth.parseHash(window.location.hash, function (err, data) {
        parent.postMessage(err || data, "http://localhost:56517/index.html");
  });
</script>

Could not reproduce your exact error in a test harness containing the exact sample code you provided so there may be an issue outside of what you have shown.

However, there’s an error (incompleteness) in the logic you presented that may or may not be the cause of the overall issues you’re seeing, but needs to be fixed nonetheless.

The section:

if (err) {
  // redirect to custom login page
} else { /* ... */ }

should instead be:

// authResult.error could mean the user does not have an active session
// so it should also require a redirect to the login page
if (err || authResult.error) {
  // redirect to custom login page
} else { /* ... */ }

Thank you for the additional error catching. Are there any associated settings that you suggest looking at that may be missing? I have set Callback URL and CORS.

At first glance I would say no; besides the situation already pointed out, I used your sample code without issues and also only had to ensure the proper callback URLs were in place.

Realized that line 17, redirectUri, needs the full address to work correctly. Now for renewAuth, I am always getting login_required. Found a GitHub repo using logic similar to mine: https://github.com/rochdev/auth0-nonce-bug

They have a comment of the following: “Configure an identity provider with a client ID and client secret in Auth0 (otherwise you will always get login_required)”

Seems like it’s possible that I do not have this step set up correctly. What does this statement actually mean?

The login_required is an expected situation that means there was no previously authenticated session for the user. In order for silent authentication to succeed the user must have previously authenticated in a way that generated an authenticated session; if the user went through the hosted login page then it’s highly likely that the session was generated so renewing auth using the same browser would be able to leverage that session and succeed. In relation to the sentence in the linked repo, I’m honestly not sure what they meant by that.
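Added example, not code from any poster in this thread: one way to combine the points raised so far (absolute redirectUri, checking authResult.error as well as err, and treating login_required as "no session yet") into two helpers that can be called around renewAuth. The function names, return shapes and reason strings are hypothetical.

```javascript
// Added example. Helper names and return shapes are assumptions, not auth0.js API.

// The silent callback URL must be absolute (the relative '/silent-callback.html'
// is what the thread found not to work) and should share the origin of the page
// that receives the postMessage from the hidden iframe.
function checkSilentRedirectUri(redirectUri, appUrl) {
  let parsed;
  try {
    parsed = new URL(redirectUri); // throws TypeError on a relative path
  } catch (e) {
    return { ok: false, reason: 'redirectUri must be an absolute URL' };
  }
  if (parsed.origin !== new URL(appUrl).origin) {
    return { ok: false, reason: 'redirectUri origin differs from the app origin' };
  }
  return { ok: true, reason: null };
}

// Decide what to do with the (err, authResult) pair handed to the renewAuth callback.
// Anything other than a full token pair sends the user to the login page.
function classifyRenewResult(err, authResult) {
  if (err) {
    return { action: 'login', reason: err.error || err.message || 'renew_failed' };
  }
  if (!authResult) {
    return { action: 'login', reason: 'empty_result' };
  }
  if (authResult.error) {
    // e.g. login_required: no authenticated session exists for this browser yet
    return { action: 'login', reason: authResult.error };
  }
  if (authResult.accessToken && authResult.idToken) {
    return { action: 'session', reason: null };
  }
  return { action: 'login', reason: 'missing_tokens' };
}

// Intended use inside the callback from the question:
//   var decision = classifyRenewResult(err, authResult);
//   if (decision.action === 'login') { /* redirect to custom login page */ }
```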

Did you get this working? I am having a very difficult time getting this to work in an Ionic 2 application. Everybody in the forums seems to understand perfectly how to set the redirect Uri properly – “all I had to do was set the redirect Uri properly” – but that’s the part that is tripping me up. I have tried “http://localhost/silent-callback.html”, “http://localhost/pages/silent-callback/silent-callback.html”, etc. But can’t find the right Uri. Any thoughts?

And how do you generate a proper callback URL? My silent-callback page is in src/pages/silent-callback/silent-callback.html, but I can’t get it to fire.

Thanks,
Marc