Auth0 Home Blog Docs

Auth0-spa-ja: validation of "Allowed web origins" does not support wildcards for silent authentication

I am upgrading from auth0.js to auth0-spa-js v1.2.3.

My app was working fine on localhost, but then after deployment; the first authentication would succeed, but any subsequent refresh or opening of a new tab it would exhibit the “pause for 1 minute, then fail to login” behavior similar to this thread:
https://community.auth0.com/t/authentication-breaks-when-client-refreshes-browser

I was able to workaround the problem by clearing the “auth0.is.authenticated” cookie.
I’m assuming this is related to “silent authentication”, because of this: https://github.com/auth0/auth0-spa-js/issues/95

One thing I noted was the the Auth0 side logs showed “Failed Silent Auth: The specified redirect_uri ‘https://app.example.com’ does not have a registered origin”.
Yet I had “https://*.example.com” in the “Allowed web origins” field, not to mention the first login (with no cookie present) works fine.

So I added “https://app.example.com” to the “Allowed web origins” field and the app started working properly.

I think Auth0 needs to unify the validation logic between initial login and silent auth. This problem was made much harder to diagnose because the initial login worked and only silent-auth fails. Either wildcards should be allowed for both calls, or neither.

Personally, I’d prefer you allowed wildcards. If the reasoning for not allowing wildcards is “because security”, then doesn’t that imply the initial login logic has a security hole in it, since it allows the login via a wildcard?

If you decide that wildcard origins are not supported, please add that to the FAQ - since it seems to work fine with the auth0.js library that my app currently uses (including silent authentication). Some folks will need to know about this when porting - it might save them a lot of wasted effort if they need wildcards.

You probably should think about better error handling and feedback with auth0-spa-js client too. The observed behavior (pause for one minute when creating the auth0 client object, then silent return) is not terribly helpful, though I can see how it might be hard to provide good feedback without security repercussions.

In re-reading this post - it sounds kind of negative.
So I thought I should add I think you’ve done a great job with the new library - it makes my app more light-weight and I get to remove a bunch of code that is now being taken card of by Auth0.