Hi,
After spending a long time debugging an app I recently created, to which I added authentication based on Auth0 using github.com/Swizec/useAuth (a React library which eases using auth0-js), I realised that in Chrome I was losing the session after reload.
The library specifically warns about this: github.com/Swizec/useAuth#persisting-login-after-refresh
but I double checked all Auth0 configuration, and the fact that it is working fine in Chrome makes me suspect recent security features in later versions of Chrome.
This issue is happening in my app in Chrome (and in incognito mode, so it doesn't appear to be caused by any plugins), but not in FF (nor in private window mode).
So I tried the example app (useAuth):
https://gatsby-useauth-example.now.sh
It works and retains the session in Safari v13.1 (14609.1.20.111.8), but the session is lost in Chrome v80.0.3987.163 (and weirdly, in opposition to my experience with FF v68.5.0esr) upon reloading after logging in.
In the Auth0 logs, it is very clear the issue is due to silent auth failure.
Here is an example of the failure in chrome:
```json
{
  "date": "2020-04-10T06:40:30.707Z",
  "type": "fsa",
  "description": "Login required",
  "client_id": "77jh2jfcpuYdRkdbnYPAh44DZgWsmCiw",
  "client_name": "Xorodia",
  "ip": "84.76.183.234",
  "user_agent": "Chrome 80.0.3987 / Mac OS X 10.14.6",
  "details": {
    "body": {},
    "qs": {
      "client_id": "77jh2jfcpuYdRkdbnYPAh44DZgWsmCiw",
      "response_type": "token id_token",
      "redirect_uri": "http://localhost:8910/auth0_callback",
      "scope": "openid profile email",
      "audience": "https://dev-8pnznm20.eu.auth0.com/api/v2/",
      "state": "nCEeyZN6U2dVN8RwQ6VAJmtYNyT7G7gh",
      "nonce": "HOjsQIlu-Bfa8ge~Idg_g76~QEU2RmOK",
      "response_mode": "web_message",
      "prompt": "none",
      "auth0Client": "eyJuYW1lIjoiYXV0aDAuanMiLCJ2ZXJzaW9uIjoiOS4xMy4xIn0="
    },
    "connection": null,
    "error": {
      "message": "Login required",
      "oauthError": "login_required",
      "type": "oauth-authorization"
    }
  },
  "hostname": "dev-8pnznm20.eu.auth0.com",
  "audience": "https://dev-8pnznm20.eu.auth0.com/api/v2/",
  "scope": [
    "openid",
    "profile",
    "email"
  ],
  "auth0_client": {
    "name": "auth0.js",
    "version": "9.13.1"
  },
  "log_id": "90020200410064032150004638802037372954393785399917936674",
  "_id": "90020200410064032150004638802037372954393785399917936674",
  "isMobile": false
}
```
and of success in FF:
```json
{
  "date": "2020-04-10T06:48:14.632Z",
  "type": "ssa",
  "client_id": "77jh2jfcpuYdRkdbnYPAh44DZgWsmCiw",
  "client_name": "Xorodia",
  "ip": "84.76.183.234",
  "user_agent": "Firefox 68.0.0 / Mac OS X 10.14.0",
  "details": {
    "prompts": ,
    "completedAt": 1586501294631,
    "elapsedTime": null,
    "session_id": "ZKw2yX6wTx1lTlZ1w4yVYrU22Dj-ZUe5",
    "device_id": "v0:3c27a9a0-79e7-11ea-97b9-a7a5d5759cd7"
  },
  "hostname": "dev-8pnznm20.eu.auth0.com",
  "session_connection": "Username-Password-Authentication",
  "user_id": "auth0|5e8e4ea863116d0c00a75368",
  "user_name": "saimonmoore@gmail.com",
  "auth0_client": {
    "name": "auth0.js",
    "version": "9.13.1"
  },
  "log_id": "90020200410064816216000729706101051814883897568581910546",
  "_id": "90020200410064816216000729706101051814883897568581910546",
  "isMobile": false,
  "description": "Successful silent authentication"
}
```
I'm on OSX Mojave 10.14.6.
When I compare the cookies you can see a different set of cookies in each browser:
Chrome:
FF:
I also generated HAR files both for the example app and my own:
- xorodiaChromev80.har (5.6 MB)
- xorodiaFirefoxv67.har (170.1 KB)
- gatsby-useauth-example.now.shFirefoxv67.har (213.4 KB)
- gatsby-useauth-example.now.shChromev80.har (7.7 MB)
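As an added example, not code from the original post nor from the useAuth or Auth0 projects, here is a small JavaScript routine that reads Auth0 tenant log entries of the shape shown above (`fsa` failed silent auth and `ssa` successful silent auth records) and tallies silent-authentication outcomes per browser family, so that a browser-specific failure like the one described stands out from a tenant-wide misconfiguration. The log entries embedded in it are constructed to mirror the two records in the post; the session id and the extra entries are placeholders.

```javascript
// Constructed sample log entries, shaped like the Auth0 "fsa"/"ssa" records
// quoted in the post (not real tenant data).
const sampleLogs = [
  {
    date: "2020-04-10T06:40:30.707Z",
    type: "fsa",
    description: "Login required",
    user_agent: "Chrome 80.0.3987 / Mac OS X 10.14.6",
    details: {
      qs: { prompt: "none", response_mode: "web_message" },
      error: { oauthError: "login_required", type: "oauth-authorization" },
    },
  },
  {
    date: "2020-04-10T06:48:14.632Z",
    type: "ssa",
    description: "Successful silent authentication",
    user_agent: "Firefox 68.0.0 / Mac OS X 10.14.0",
    details: { prompts: [], session_id: "CONSTRUCTED_SESSION_ID" },
  },
  {
    date: "2020-04-10T06:52:01.000Z",
    type: "fsa",
    description: "Login required",
    user_agent: "Chrome 80.0.3987 / Mac OS X 10.14.6",
    details: {
      qs: { prompt: "none", response_mode: "web_message" },
      error: { oauthError: "login_required", type: "oauth-authorization" },
    },
  },
  {
    // An ordinary failed login ("f"), not a silent-auth attempt: skipped below.
    date: "2020-04-10T06:55:00.000Z",
    type: "f",
    description: "Wrong email or password",
    user_agent: "Firefox 68.0.0 / Mac OS X 10.14.0",
    details: {},
  },
];

// Extract the browser family from the user_agent string Auth0 writes,
// e.g. "Chrome 80.0.3987 / Mac OS X 10.14.6" -> "Chrome".
function browserFamily(userAgent) {
  if (typeof userAgent !== "string" || userAgent.trim() === "") return "unknown";
  return userAgent.trim().split(/\s+/)[0];
}

// True when the entry is a failed silent-auth attempt that ended with
// login_required, the signature seen in the Chrome record above.
function isSilentAuthLoginRequired(entry) {
  if (entry.type !== "fsa") return false;
  const err = entry.details && entry.details.error;
  return Boolean(err && err.oauthError === "login_required");
}

// Tally silent-auth successes (ssa) and failures (fsa) per browser family.
// Entries of any other type are ignored.
function silentAuthStatsByBrowser(entries) {
  const stats = {};
  for (const e of entries) {
    if (e.type !== "ssa" && e.type !== "fsa") continue;
    const key = browserFamily(e.user_agent);
    stats[key] = stats[key] || { success: 0, loginRequired: 0, otherFailure: 0 };
    if (e.type === "ssa") stats[key].success += 1;
    else if (isSilentAuthLoginRequired(e)) stats[key].loginRequired += 1;
    else stats[key].otherFailure += 1;
  }
  return stats;
}

// Browser families whose every silent-auth attempt failed with login_required
// while at least one other family succeeded: if the tenant configuration were
// the cause, no browser would succeed, so this pattern points at the client.
function browsersFailingSilentAuth(entries) {
  const stats = silentAuthStatsByBrowser(entries);
  const anySuccess = Object.values(stats).some((s) => s.success > 0);
  return Object.entries(stats)
    .filter(([, s]) => anySuccess && s.success === 0 && s.loginRequired > 0)
    .map(([family]) => family)
    .sort();
}

console.log(silentAuthStatsByBrowser(sampleLogs));
console.log("browsers failing silent auth:", browsersFailingSilentAuth(sampleLogs));
```

Run it with `node` on a JSON export of the tenant logs (replace `sampleLogs` with the parsed export); the per-browser table makes it obvious whether failures cluster on one browser, which is the question this thread is trying to answer.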