
Expired Token when requesting a new token

We tried different browsers, Chrome and IE, so even if there were plugins installed on Chrome, it should have worked on IE.

Also, just this afternoon, we have one more user complaining about the exact same issue. So it's beginning to scare me now, if more users start seeing this issue.

@James.Morrison I will PM you this new user’s email address. This is a username-pwd authentication. I removed his account from my management console, and got him to create that again and he is still facing that same issue.

Can I please request to have some urgency on this, as 2 of our users can't log in to the system at all because of this issue?

100%.

Is there an anti-virus or shared software between the two PCs that could interfere with the process? In the past we’ve seen this with Avast.

A timestamp as close as possible for this would be great so it can help narrow down things in the logs as we begin to investigate. Thanks!

The two users mentioned are in two different physical locations and on different network / machine setups altogether, and are not linked to each other in any way.

I'm checking what antivirus they have on their machines (if any).

The logs should be recent enough, as they keep trying to log in in an attempt to get through.

Thanks !!


@James.Morrison one of the customers is using ESET antivirus

I worked with one of our engineers this afternoon and saw the cause of failure in our logs as a result of invalid_user_password for both users.

As mentioned, I had deleted their accounts and got them to create them again, for both of them. They were able to log in with their passwords, so assuming it was all correct.

The real reason for the failure here is that when making this call to parse hash after Auth0 authenticates and sends me back to my app URL

```js
this.angularAuth0.parseHash((err, authResult) => {
  if (authResult && authResult.accessToken && authResult.idToken) {
    // do my app login stuff
  } else {
    // something went wrong during login .... check the err object
  }
});
```

the **err** object returns an error with the following information

```js
{
  errorCode: 'invalid_token',
  errorDescription: 'Expired token'
}
```

If they were using wrong passwords they should not have reached this stage, don't you think?

@James.Morrison any more insights on the issue?

I’m currently working on gathering feedback @huzefa.yousuf, I will share as more details become available. Thank you for your patience :pray:

I heard a suggestion from another engineer: is it possible the time is off on their machines, @huzefa.yousuf?

In macOS they can do `date -u` in the terminal then Google “utc time” and check that the results match.

Windows: `time /T`

I will check with them tomorrow morning as it's out of business hours right now.

@James.Morrison we checked the date time settings on end users’ machines and it looked in order, they haven't messed up anything there.

Also, this has now started happening to a 3rd user.

It's really beginning to worry us now that this bug is spreading and we don't know the resolution as yet

Hi @huzefa.yousuf,

Jim is OOF for the day, but I can help as this is time sensitive.

Can you get a HAR file from the third user as well and DM it to me?

Thanks,
Dan

@dan.woda thanks for assisting, unfortunately I don't have access to that user’s machine to get you a HAR file. However, the HAR attached in this thread should be good enough, I guess?

Good morning @huzefa.yousuf, it would be helpful to have a separate HAR file from the initial user so we can compare and contrast what may be going on in each scenario.

Also can you share the third user’s email with me in a direct message? Thanks!

@James.Morrison I have an update from my end. As mentioned earlier, I was using the Auth0-Angular library for authentication. I tried to use the REST APIs directly and it seems to work with no issues.

This leads me to believe that there is something wrong with the client library?

Would you be able to share the code change of how you previously implemented it vs how it’s set up now so I can share it with the team @huzefa.yousuf?

sure thing, hopefully that helps in resolving this

Solution NOT working for some clients

```js
// Initialize Auth0
angularAuth0Provider.init({
  clientID: 'YOUR_CLIENT_ID',
  domain: 'YOUR_DOMAIN',
  responseType: 'token id_token',
  redirectUri: 'YOUR_REDIRECT_URI',
  scope: 'openid email profile'
});

// Then on my login page, do this
this.angularAuth0.authorize();

// This will take the user to the Auth0 login page; once the user has logged in, Auth0 will redirect back to the callback page, where I do this
this.angularAuth0.parseHash((err, authResult) => {
  if (authResult && authResult.accessToken && authResult.idToken) {
    // everything good ... redirect to home page
  } else {
    // something went wrong
  }
});
```

Proposed solution if this is not resolved

```js
const redirectUri = location.protocol + '//' + location.host + '/login';
// Query-string values are URL-encoded so the redirect URI and the space-separated scope survive intact
const auth0SigninUri = `https://YOUR_AUTH0_DOMAIN/authorize?response_type=token&client_id=YOUR_AUTH0_CLIENTID&connection=&redirect_uri=${encodeURIComponent(redirectUri)}&scope=${encodeURIComponent('openid profile email')}`;
window.location = auth0SigninUri;

// Once this returns, it returns an access_token in the callback URL's hash, which I then send to the /userinfo endpoint to get the logged-in user's details
```

@James.Morrison does it make sense?

I believe so. Let me pass this along to the team and see what I can get as feedback. Thanks for working with me on this!
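
An added example, not part of the original thread and not Auth0's code: it reads the `id_token` out of a callback hash like the one `parseHash` processes and compares its `iat`/`exp` claims with a given local clock, showing how a skewed machine clock makes a freshly issued token look expired. The function names, the 60-second leeway and the sample token are assumptions constructed for illustration; it runs under Node, and the signature is not verified, so it is a diagnostic and not token validation.

```javascript
// Added diagnostic example; names and sample values are constructed, not taken from auth0.js.

// Decode a JWT payload WITHOUT verifying the signature (diagnosis only, never for auth decisions).
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  // Node's base64 decoder also accepts the URL-safe alphabet and missing padding.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Extract id_token from a callback fragment such as "#access_token=...&id_token=...".
function idTokenFromHash(hash) {
  const token = new URLSearchParams(hash.replace(/^#/, '')).get('id_token');
  if (!token) throw new Error('no id_token in hash');
  return token;
}

// Classify the token against a local clock reading (seconds since the epoch).
function diagnoseClock(hash, nowSec, leewaySec = 60) {
  const { iat, exp } = decodeJwtPayload(idTokenFromHash(hash));
  if (typeof iat !== 'number' || typeof exp !== 'number') {
    throw new Error('iat/exp claim missing');
  }
  // For a token received seconds ago, now - iat approximates the local clock error.
  const skewSec = nowSec - iat;
  let verdict = 'ok';
  if (nowSec > exp + leewaySec) {
    verdict = 'expired: local clock is ahead or the token is stale';
  } else if (nowSec + leewaySec < iat) {
    verdict = 'issued in the future: local clock is behind';
  }
  return { verdict, skewSec, lifetimeSec: exp - iat };
}

// Constructed sample: unsigned token with a placeholder signature segment.
function makeSampleHash(iat, lifetimeSec) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const payload = { sub: 'auth0|sample', iat, exp: iat + lifetimeSec };
  const jwt = [b64url({ alg: 'RS256', typ: 'JWT' }), b64url(payload), 'sig'].join('.');
  return `#access_token=sample&id_token=${jwt}&token_type=Bearer`;
}

const issuedAt = 1700000000;                      // constructed issue time
const hash = makeSampleHash(issuedAt, 36000);     // constructed 10-hour lifetime
console.log(diagnoseClock(hash, issuedAt + 5));       // clock in sync
console.log(diagnoseClock(hash, issuedAt + 86400));   // clock one day ahead
console.log(diagnoseClock(hash, issuedAt - 3600));    // clock one hour behind
```

In a browser, pass `window.location.hash` and `Math.floor(Date.now() / 1000)`, and replace the `Buffer` call with `atob` after mapping `-`/`_` back to `+`/`/`.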