
Bug? User is logged in immediately upon call to WebAuth's authorize


#1

I’m calling auth0-js’ WebAuth’s authorize function. The user (who has previously logged in successfully) is being immediately logged in without the Auth0 hosted lock login page displaying. Auth0 is immediately directing to my callback with valid data in the callback URL though, including a valid ID token and Access Token. This issue only seems to occur with a user registered directly with Auth0. Identity providers are working fine. Once this occurs, I have no way to log in as a different user since the login page won’t display.

I’m using the uncustomized lock login. Is this a bug? Here’s a video showing my setup and the behavior: https://www.dropbox.com/s/00ekmr1f5aj2y7k/auth0bug.mp4?dl=0


#2

I think I am misunderstanding your ask but what you are describing sounds normal to me. If you are already logged in, the hosted login page should just send you on your way, at least until your session expires, either by timeout or explicit logout.


#3

That’s indeed logical. However, how can I login as a different user? Do I have to wait for my session to timeout before I can do so? To me, Auth0 Lock should always present a login screen so I have the option to login as someone else.


#4

You may be able to force that behaviour if you customize the hosted login page, though the details of doing so are beyond me. Auth0 folks or an experienced Auth0 dev could answer that.

Otherwise, yes, you would have to wait for the session to expire, or do an explicit logout. Mind you, logout is not a great solution either as it only invalidates the JWT for the current client. After “logging out” your session tokens for other clients would still be valid (until they time out).

You can also shorten the lifetime of the associated tokens.


#5

Ah! If I call WebAuth logout that indeed allows me to login again. But it’s odd to me that the Auth0 React examples don’t call logout. It seems to me that calling logout is critical given Lock’s behavior here. Since Lock merely returns the user’s existing JWT if their session hasn’t timed out, deleting the user’s credentials from localStorage/cookies isn’t sufficient to actually log them out.

Thanks for the replies Mark!


#6

Just to pitch in a bit more about the behavior you’re seeing: Auth0 recently enabled Seamless SSO, meaning that if a user has an active Auth0 session and an Authorize call is made, they’re not prompted to login again.

As the behavior is new, a lot of the examples haven’t been updated to reflect that yet.