Auth0 Home Blog Docs

Auth0 Lock v11 Seems to log in automatically

lock-11

#1

We upgraded to Lock 11 yesterday. Now we have a problem.
We have a rule written to check for expired passwords.
When we load a page with Auth0 Lock into the browser, that rule immediately fires, even before the user has logged in or even typed anything in the username or password box. The act of loading the page seems to cause Lock to try to authenticate, as if the browser is ‘filling in’ and submitting the login box without the user taking any action. Any idea why this is happening and how do I stop it?


#2

@aalderman Can you share a snippet of your authentication code from Lock 11?


#3

Based on the support ticket you have also filed (replying also here for more visibility), the rules will be run on any authentication request, which could be a user’s login or a [successful silent authentication] (https://auth0.com/docs/api-auth/tutorials/silent-authentication), which appears to be the case (authentication with prompt=none). Turning off SSO in the configuration options for Lock should solve the issue. Please note that failing to set this to true will result in multifactor authentication not working correctly.

var options = {
  auth: {
    sso: false
  }
};

If you’re planing on using MFA, you can bypass any rule for silent authentication with this simple logic:

function (user, context, callback) {

 // bypass if silent auth
 if (context.request.query && context.request.query.prompt === 'none') {
  return callback(null, user, context);
 }  

 ..... Rest of the code logic goes here ...

 return callback(null, user, context);
}

#4

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.