checkSession() returns login_required after login()

I am trying to add ‘keep me logged in’ functionality to my auth0 authentication flow in my SPA. I have an embedded page at Login - where the user enters their credentials. When they hit the sign-in button, the app calls the login() method from auth.js, passing in the username and password. If they checked the box, a permission cookie is set to true.

When the user launches the page later, after the token expires, a router guard calls auth0.js’s checkSession() method to get a new token. At this point, checkSession returns a login_required error even after the user logged in with auth0.js’s login() method. If I instead call the authorize() method and have the user log in on the hosted page, checkSession succeeds and does not return a login_required error.

Why does calling the login() method from the embedded page not fulfill the login_required requirement that authorize() fulfills? I suspect this is because checkSession() is meant to work with SSO, and the login() method does not use SSO. However, I want to get this ‘keep me signed in’ functionality working without ever redirecting the user to the hosted auth0 page, is this possible?


I am having the same problem as well. I am using Lock 11.5.2 in a SPA React App. My lock instance looks like:

const lock = new Auth0Lock(
    auth: {
      redirectUrl: document.location.origin + "/callback",
      responseType: "id_token",
      autoParseHash: false
    autoclose: true

Calling checkSession always returns a “login_required” error, even if I do it immediately after completing a login through lock.

Strangely, this only seems to happen on production. When working on localhost, checkSession seems to function as expected.

I’d love some insight as to why this is. Thanks!

Also, I noticed that this behavior only happens in Chrome 65 on Mac OS. Even things to work as expected in Safari.
Chrome 65 was released just a few days ago, so maybe there is a regression here. I seem to remember it was working OK last week.

I tried with Lock in Chrome 65 as the settings used for Lock case were available so I would be a bit more closer to what was used (although there’s still a lot of other settings that can influence this) and I could not reproduce the issue.

The cross origin authentication approach used by both Lock when embedded in the client application or through a custom UI and Auth0.js login method have some limitations (see Cross-Origin Authentication). However, I believe the checkSession method should work correctly as my tests indicate if the authentication also happened with success.

If you can consistently reproduce this you may want to consider sharing an HTTP trace (redact sensitive information like passwords, PII and token signatures or payload). Ideally don’t redact client identifiers as technically this is not confidential information (SPA’s have this available in source code) and that would allow to cross-check the full settings of the client application.

Thanks @jmangelo. I’m no longer seeing this issue. My hunch is that the release of Chrome 65 caused a breakage somewhere, and then someone at Auth0 released a patch that fixed it. Thanks for looking into it!

I ran into the same issue and solved it by tracing all the network requests. Our site is hosted on Netlify with SSL. I believe they redirect HTTP to HTTPS if SSL is configured. Turns out if I requested the site without specifying HTTPS (e.g., vs., the initial checkSession request would come from HTTP before the redirect to HTTPS. This would cause it to fail with the error “login_required” every time in production. It still worked locally, because all the requests were HTTP. I fixed it by enabling the “Force HTTPS” setting on Netlify.

Kind of a silly problem/solution, but figured I’d post in case someone else comes across the same thing.

Having MFA enabled (Tested: SMS, Google Authenticator) triggers checkSession to always return login required

I have the same issue and in my case it’s Chrome 66 on MacOS but it fails the same way in Safari. I wonder if I am doing something not intended? My client is React and I can log the user in with lock v11 and fetch the user profile just fine. My lock options do not use an audience. Now what I want to do is go back to auth0 with an API audience to get an access token for my API. It doesn’t work and always responds with login_required. Is this even possible?

Same issue with Chrome (67.0.3396.99) on Linux (Debian)
I’m using ‘auth0-js’ version 9

Still happens in Chrome 68. It works well in Firefox and Safari. I have tried with the latest version of both auth0-js and auth0-lock with the same result. My configuration looks like this.

Any ideas?

Hi I’m also still experiencing this issue I have a React app and checkSession always returns login_required.
auth0-lock: 11.12.1
Chrome: 71.0.3578.98

also happens in Firefox.

Please let me know about any information you need to resolve this issue. I really need to figure this out.

same happens to me on MacOS across all browsers using an SPA with Lock11.12.1 and embedded Login.

1 Like

Guys, any update about this issue?

Hey there @chuck and @nolbuk, if you can reproduce this error can you please recreate the workflow while capturing a HAR file and DM it over to me so we can take a deeper look at what may be occurring? Thanks in advance!

I wanted to touch base on this one @chuck and @nolbuk and see if when you get a chance can you recreate the error in your workflow while capturing a HAR file and send it in DM to me? This will allow me to take a deeper look at the situation. Thanks in advance,

I am having the same problem too. Only in production… I will send a HAR file ASAP

Thanks @justinglibert, I’ll keep an eye out for it!

Hey there @justinglibert, I wanted to follow up on that HAR file you were going to send over. Please let me know if you have any questions that I can help with on this front.

Hey @James.Morrison, I have an hard time reproducing the issue. It seems that it happens not consistently on Windows machines with Chrome. I can see in my frontend error logs that I get a “Login required” error from Auth0.js when trying to get a new token just before the old one expires. I’ll come back to you if I successfully reproduce it :slight_smile:

1 Like

Sounds great @justinglibert, I’ll keep this topic open for a week just in case you are able to reproduce the error. Please keep us posted if you have any questions in the future!