Deprecated Segment capabilities break getTokenSilently()

Problem statement

We have run into unexpected issues in production that are preventing all users from using our application. We’re using auth0-spa-js.

Symptoms

getTokenSilently() with auth0-spa-js sends multiple, simultaneous requests to /oauth/token with the same code after a successful /authorize?prompt=none. The first call to /oauth/token succeeds with 200, the others fail with 403.

Cause

The issue was related to configuration within the Segment integration. The production Segment source was configured to use two deprecated capabilities: Segment’s Visual Tagger and an older version of the Fullstory destination integration. These capabilities are not configured in our staging Segment source, hence the difference between prod and staging. Both these capabilities are in “maintenance mode” according to Segment’s docs. We disabled Visual Tagger and deleted the Fullstory destination, and everything worked. We previously tried disabling the Fullstory destination, and then disabling the whole Production source in Segment, but that did not solve the problem because the Fullstory JavaScript was still being injected. Only once we deleted the Fullstory destination did the JavaScript no longer appear in our app. We then went on to enable the current Fullstory destination integration within Segment, and everything continued to work as expected.

Solution

  • Delete Fullstory Destination
  • Enable the current, non-deprecated Fullstory destination
  • Avoid deprecated Segment capabilities in general
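
To confirm the symptom described above from a browser capture, the following added example (not part of the original post and not auth0-spa-js code) scans a HAR export for authorization codes posted to /oauth/token more than once. The host `tenant.example`, the code values and the timestamps are constructed sample data.

```javascript
// Flag authorization codes redeemed more than once in a HAR capture.
function parseTokenBody(postData) {
  if (!postData || !postData.text) return {};
  if ((postData.mimeType || "").toLowerCase().includes("json")) {
    try { return JSON.parse(postData.text); } catch (e) { return {}; }
  }
  return Object.fromEntries(new URLSearchParams(postData.text)); // form-encoded body
}

function findDuplicateCodeRedemptions(har) {
  const byCode = new Map();
  for (const entry of har.log.entries) {
    const { method, url, postData } = entry.request;
    if (method !== "POST" || new URL(url).pathname !== "/oauth/token") continue;
    const body = parseTokenBody(postData);
    if (body.grant_type !== "authorization_code" || !body.code) continue;
    const attempts = byCode.get(body.code) || [];
    attempts.push({ at: Date.parse(entry.startedDateTime), status: entry.response.status });
    byCode.set(body.code, attempts);
  }
  const findings = [];
  for (const [code, attempts] of byCode) {
    if (attempts.length < 2) continue; // a code redeemed once is normal
    attempts.sort((a, b) => a.at - b.at);
    findings.push({
      code: code.slice(0, 4) + "...", // redact: codes are credentials
      statuses: attempts.map((a) => a.status),
      spreadMs: attempts[attempts.length - 1].at - attempts[0].at,
    });
  }
  return findings;
}

// Constructed sample: one code posted three times within 55 ms, one posted once.
const tokenPost = (time, status, mimeType, text) => ({
  startedDateTime: time,
  request: { method: "POST", url: "https://tenant.example/oauth/token", postData: { mimeType, text } },
  response: { status },
});
const json = (code) => JSON.stringify({ grant_type: "authorization_code", code });
const sampleHar = { log: { entries: [
  tokenPost("2024-01-01T10:00:00.000Z", 200, "application/json", json("CODEAAAA1111")),
  tokenPost("2024-01-01T10:00:00.040Z", 403, "application/json", json("CODEAAAA1111")),
  tokenPost("2024-01-01T10:00:00.055Z", 403, "application/x-www-form-urlencoded",
    "grant_type=authorization_code&code=CODEAAAA1111"),
  tokenPost("2024-01-01T10:05:00.000Z", 200, "application/json", json("CODEBBBB2222")),
] } };
console.log(findDuplicateCodeRedemptions(sampleHar));
```

A finding with a 200 followed by 403s a few milliseconds apart matches the pattern in Symptoms; comparing captures from production and staging shows whether it only occurs where the extra third-party script is loaded.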