Expired Token when requesting a new token


Is there an anti-virus or shared software between the two PCs that could interfere with the process? In the past we’ve seen this with Avast.

A close as possible timestamp for this would be great so it can help narrow down things in the logs as we began to investigate. Thanks!

The two users mentioned are in two different physical locations and on different network / machine setup all together, and are not linked to each other in any way

Im checking what Antivirus they have on their machines (if any)

The logs should be recent enough, as they keep trying to login in an attempt to get through

Thanks !!

1 Like

@James.Morrison one the customer is using ESET antivirus

I worked with one of our engineers this afternoon and saw the cause of failure in our logs as a result of invalid_user_password for both users.

As mentioned I had deleted their accounts and got them to create again, for both of them. They were able to login with their passwords so assuming it was all correct.

The real reason for the failure here is that when making this call to parse hash after auth0 authenticates and sends me back to my app url

this.angularAuth0.parseHash((err, authResult) => {      
  if (authResult && authResult.accessToken && authResult.idToken) {        
    //do my app login stuff
   //something went wrong during login .... check the err object

the **err** object returns an error with the following information 
errorCode: 'invalid_token'
errorDescription: 'Expired token'

If they were using wrong passwords they should not have reached this stage, dont you think ?

@James.Morrison any more insights on the issue ?

I’m currently working on gathering feedback @huzefa.yousuf, I will share as more details become available. Thank you for your patience :pray:

I heard a suggestion from another engineer that Is it possible the time is off on their machines @huzefa.yousuf ?

In macOS they can do date -u in the terminal then Google “utc time” and check that the results match.

Windows: time /T

I will check with them tomorrow morning as its out of business hours right now.

@James.Morrison we checked the date time settings on end users’ machines and it looked in order, they havent messed up anything there.

Also, this has now started happening to a 3rd user.

Its really beginning to worry us now that this bug is spreading and we dont know the resolution as yet

Hi @huzefa.yousuf,

Jim is OOF for the day, but I can help as this is time sensitive.

Can you get a HAR file from the third user as well and DM it to me.


@dan.woda thanks for assisting, unfortunately I dont have access to that user’s machine to get you a HAR file. However the HAR attached in this threard should be good enough I guess ?

Good morning @huzefa.yousuf, It would be helpful to have a separate HAR file from the initial user so we can compare and contrast what may be going in each scenario.

Also can you share the third user’s email with me in a direct message? Thanks!

@James.Morrison I have an update from my end. As mentioned earlier I was using the Auth0-Angular library for authentication. I tried to use the Rest APIs directly and it seems to work no issues.

This leads me to believe that there is something wrong with the client library ?

Would you be able to share the code change of how you previously implemented it vs how it’s setup now so I can share it with the team @huzefa.yousuf?

sure thing, hopefully that helps in resolving this

Solution NOT working for some clients

//intialize Auth0 
      clientID: 'YOUR_CLIENT_ID',
      domain: 'YOUR_DOMAIN',
      responseType: 'token id_token',
      redirectUri: 'YOUR_REDIRECT_URI',
      scope: 'openid email profile'

//Then on my login page, do this

//This will take to Auth0 login page, once user's logged in, Auth0 will redirect back to the callback page where I do this
    this.angularAuth0.parseHash((err, authResult) => {      

      if (authResult && authResult.accessToken && authResult.idToken) {        
//everything good ... redirect to home page
//something went wrong

Proposed solution if this is not resolved

const redirectUri = location.protocol + '//' + location.host + '/login';      
const auth0SigninUri = `https://YOUR_AUTH0_DOMAIN/authorize?response_type=token&client_id=YOUR_AUTH0_CLIENTID&connection=&redirect_uri=${redirectUri}&scope=openid profile email`
window.location = auth0SigninUri;

//once this is returned, its returns an access_token in callback url’s hash, which I then send to /userinfo endpoint to get logged in user’s details

@James.Morrison does it make sense ?

I believe so. Let me pass this along to the team and see what I can get as feedback. Thanks for working with me on this!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.