checkSession() always returns "login_required" error despite checking everything

I have a SPA that creates an auth0-js object for auth.
The login works well. Params are:

domain: mydomain-staging.eu
clientID: “8fIe87Fz6xuNn1TmkSv6suU3thuH082N”
responseType: “token id_token”
redirectUri: https://www-staging.my2domain.com/callback
scope: ‘openid profile’
audience: https://api-staging.my2domain.com/graphql

Before the short-lived access_token has expired, I’m calling the created auth object’s checkSession:

auth.checkSession({}, callback)

Tested in Chrome and FF.

  • SSO is enabled in the application
  • tenant SSO cookie duration is 7 days
  • access_token duration is 130 secs, triggering checkSession 10 secs after receiving tokens.
  • client web origins is set to “https://www-staging.mydomain.com”
  • network request looks good:

https://mydomain-staging.eu.auth0.com/authorize
?client_id=8fIe87Fz6xuNn1TmkSv6suU3thuH082N
&response_type=token%20id_token
&redirect_uri=https%3A%2F%2Fwww-staging.my2domain.com%2Fcallback
&scope=openid%20profile
&audience=https%3A%2F%2Fapi-staging.my2domain.com%2Fgraphql
&state=
&nonce=
&response_mode=web_message
&prompt=none
&auth0Client=ey…

@bebbi the login_required is returned when the Auth0 session cookie has expired or is not present. So, my first thought is what is happening to the cookie. All the checkSession method does is open an iframe and perform the redirect to /authorize as you show above.

Any chance you can attach a HAR file of the entire initial login and the call to checkSession? How are you initially logging the user in? Are you using cross-origin or Implicit Grant flow? Without authenticating a user in this way no session will be established. If you are using cross-origin flow then it could be possible the cookie is not being saved due to 3rd party cookies.

@sgmeyer interesting, I hadn’t realized session renew was bound to cookies. Is there a good doc on this?

It’s a statically hosted site using implicit grant flow. OK if I PM you the har file?

@bebbi I am not sure of anything that explicitly says checkSession uses cookies, but we have this community question that provides some docs. The checkSession requires a session and sessions require a cookie so this is a bit more implicit.

Yes, please feel free to send me the HAR in DM. One more question, how are you authenticating your users? Are you using a social connection like google?

@sgmeyer Yes, this is a google connection. I forgot to mention it’s using a google key, not an auth dev key.

@bebbi ok, thanks. I wanted to verify you were not using the dev keys. You will always see login_required when using the dev keys.

@sgmeyer And just tried a DB connection, same behaviour.

So finally this was related to blocking third party cookies in Chrome

It looks like adding a CNAME might make those cookies first party:

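The HAR check discussed in the thread, as an added example that is not part of the original posts: it lists every silent-auth request (`/authorize` with `prompt=none`) in a HAR capture and reports whether the browser attached any cookies to it. The function name, sample hosts and cookie name are assumptions made for illustration.

```javascript
// Added example (not from the thread): list silent-auth requests in a HAR
// capture and report whether the browser attached any cookies to them.
function findSilentAuthRequests(har) {
  const results = [];
  for (const entry of har.log.entries) {
    let url;
    try { url = new URL(entry.request.url); } catch (e) { continue; }
    // checkSession shows up as a request to /authorize with prompt=none.
    if (!url.pathname.endsWith('/authorize')) continue;
    if (url.searchParams.get('prompt') !== 'none') continue;
    // HAR 1.2 lists cookies both as a parsed array and as a raw header.
    const names = (entry.request.cookies || []).map((c) => c.name);
    const header = (entry.request.headers || [])
      .find((h) => h.name.toLowerCase() === 'cookie');
    if (names.length === 0 && header) {
      for (const part of header.value.split(';')) {
        const name = part.split('=')[0].trim();
        if (name) names.push(name);
      }
    }
    results.push({
      host: url.host,
      responseMode: url.searchParams.get('response_mode'),
      cookiesSent: names.length > 0,
      cookieNames: names,
    });
  }
  return results;
}

// Constructed sample: hosts and cookie names are placeholders.
const sampleHar = { log: { entries: [
  { request: { url: 'https://tenant.example.com/authorize?client_id=PLACEHOLDER' +
      '&response_mode=web_message&prompt=none',
    headers: [{ name: 'Accept', value: 'text/html' }], cookies: [] } },
  { request: { url: 'https://tenant.example.com/authorize?client_id=PLACEHOLDER' +
      '&response_mode=web_message&prompt=none',
    headers: [{ name: 'Cookie', value: 'session_placeholder=abc; other=1' }],
    cookies: [] } },
  { request: { url: 'https://tenant.example.com/authorize?client_id=PLACEHOLDER',
    headers: [], cookies: [] } },
] } };

for (const r of findSilentAuthRequests(sampleHar)) {
  console.log(r.host, r.responseMode,
    r.cookiesSent ? 'cookies: ' + r.cookieNames.join(', ') : 'NO cookies sent');
}
```

A silent-auth request with no cookies matches the cause found in this thread, the browser blocking third-party cookies for the iframe request. Some browsers strip cookie headers from HAR exports by default, so confirm the capture includes them before reading an empty result as a blocked cookie.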