Expired Token when requesting a new token

Hi there
One of my clients can’t login to my app. I have tried everything including clearing cache, incognito, deleting and adding his account again but at the point of authorize it keeps telling me that the token is expired.

Im using auth0Angular client in an Angular 1.5+ app. All other users have no issues. It seems something wrong with his machine, because I can’t login from his machine through my own account

Any ideas ???

Hey there @huzefa.yousuf, welcome to the Auth0 Community!

Are you seeing anything within the Dashboard logs associated with the user? You could also ask the user for a HAR file capture of their login attempt and walk through it there. I would be willing to peek at the HAR file as well to see if I see anything. This may be able to get you closer to the source of the issue. Thanks!

Hi @James.Morrison
Attached is the HAR file after the error was replicated again.

Its something wrong only with that machine that I cant really explain. Somehow looks like the IP or something is blocked by Auth0 for some reason. If I use his machine to login, none of my Auth0 accounts can get past, with all giving me the same error that invalid_token and expired_token as error code and error description

the code looks like this, which i borrowed from the samples and works great for everybody else and not this dude

this.angularAuth0.parseHash((err, authResult) => {      
  if (authResult && authResult.accessToken && authResult.idToken) {        
    //do my app login stuff
   //something went wrong during login .... check the err object

debug.har (6.3 MB)

First let me say I am sorry for the delay in getting back to you, I have been out of the office.

After inspection of the HAR file I don’t see anything that could be causing it to go awry on our end. What type of device is the user using? Any idea on browser or plugins that could be interfering? If the user logs in on a separate device do they experience the same thing? Thanks in advance!

Thanks for getting back @James.Morrison

The user was using Win7 and a version of Chrome. I could not find details from Auth0 of the useragent as it only stores logs for two days. I am not sure about any plugins on his machine though.

The user can use his account from a different machine no problem and also on his machine, nobody can login using my Auth0 authentication. It used to work fine till 2 weeks ago and something has changed since then, which nobody is sure of.

Is it possible if I provide their email address you guys can help check the logs on your end, see if you find anything funny ?

Can we find out if they have any plugins enabled so we can cross reference those to see if they could generate an issue? This is definitely interesting being a single machine instance issue.

Definitely! Can you get a timestamp for us when the user attempts the sign in process? With that I will review the logs on our side to see if anything looks abnormal.

We tried different browsers, Chrome and IE, so even if there were plugins installed on Chrome, it should have worked on IE.

Also just this afternoon, we have one more user complaining about the exact same issue. So its beginning to scare me now, if more users start seeing this issue.

@James.Morrison I will PM you this new user’s email address. This is a username-pwd authentication. I removed his account from my management console, and got him to create that again and he is still facing that same issue.

Can I please request to have some urgency on this, as 2 of our users can’t login to the system at all because of this issue ?


Is there an anti-virus or shared software between the two PCs that could interfere with the process? In the past we’ve seen this with Avast.

A close as possible timestamp for this would be great so it can help narrow down things in the logs as we began to investigate. Thanks!

The two users mentioned are in two different physical locations and on different network / machine setup all together, and are not linked to each other in any way

Im checking what Antivirus they have on their machines (if any)

The logs should be recent enough, as they keep trying to login in an attempt to get through

Thanks !!

1 Like

@James.Morrison one the customer is using ESET antivirus

I worked with one of our engineers this afternoon and saw the cause of failure in our logs as a result of invalid_user_password for both users.

As mentioned I had deleted their accounts and got them to create again, for both of them. They were able to login with their passwords so assuming it was all correct.

The real reason for the failure here is that when making this call to parse hash after auth0 authenticates and sends me back to my app url

this.angularAuth0.parseHash((err, authResult) => {      
  if (authResult && authResult.accessToken && authResult.idToken) {        
    //do my app login stuff
   //something went wrong during login .... check the err object

the **err** object returns an error with the following information 
errorCode: 'invalid_token'
errorDescription: 'Expired token'

If they were using wrong passwords they should not have reached this stage, dont you think ?

@James.Morrison any more insights on the issue ?

I’m currently working on gathering feedback @huzefa.yousuf, I will share as more details become available. Thank you for your patience :pray:

I heard a suggestion from another engineer that Is it possible the time is off on their machines @huzefa.yousuf ?

In macOS they can do date -u in the terminal then Google “utc time” and check that the results match.

Windows: time /T

I will check with them tomorrow morning as its out of business hours right now.

@James.Morrison we checked the date time settings on end users’ machines and it looked in order, they havent messed up anything there.

Also, this has now started happening to a 3rd user.

Its really beginning to worry us now that this bug is spreading and we dont know the resolution as yet

Hi @huzefa.yousuf,

Jim is OOF for the day, but I can help as this is time sensitive.

Can you get a HAR file from the third user as well and DM it to me.


@dan.woda thanks for assisting, unfortunately I dont have access to that user’s machine to get you a HAR file. However the HAR attached in this threard should be good enough I guess ?