Hi, our production app logs show we are getting the “Failed Silent Auth” error 50+ times per minute. Anyone know what’s going on? I read some articles about how this can happen if you are using the Auth0 Test Google Developer Key, but we are not using social sign-on.
Cheers,
Hi @maxhodges,
Are you still seeing this? There should be more info in the log. Could you post an example log with any sensitive data removed?
How do I know what’s sensitive?
We are getting like 50+ errors every minute!
Hi @dan.woda, here is an example of one of the errors (I replaced anything that looked sensitive; if that stops you from being able to troubleshoot, please let us know).
{
  "date": "2022-10-27T23:10:20.221Z",
  "type": "fsa",
  "description": "Login required",
  "client_id": "QzAysdTw8aSrxJ7eHAagkmfRQa1zRDa4",
  "client_name": "Our Website",
  "ip": "173.225.320.88",
  "user_agent": "Chrome 103.0.0 / Mac OS X 10.12.6",
  "details": {
    "body": {},
    "qs": {
      "client_id": "QzAysdTw8aSrxJ7eHAagkmfRQa1zRDa4",
      "audience": "app.ourwebsite.com",
      "redirect_uri": "https://app.ourwebsite.com/login",
      "scope": "openid profile email offline_access",
      "response_type": "code",
      "response_mode": "web_message",
      "state": "clBlakJjLkdmdEZxVzFZRmh+RjdzTW1aOPEIU2VaRGFhMlZ3WD6SUmJ2Ng==",
      "nonce": "cW43SDieu09DM0VmWVpCb1IUHGluNmRTZDNTdFZGb1BvelNGbnNvMptiuP==",
      "code_challenge": "xWbOJ7lEM8L8nNKfx4poOEIUDYW1xKDm5RneUzVei6w",
      "code_challenge_method": "S256",
      "prompt": "none",
      "auth0Client": "eyJuYW1lIjoiYXV0aDAtc3UiPOpzIiwidmVyc2lvbiI6IjEuMjIuOID9"
    },
    "connection": null,
    "error": {
      "message": "Login required",
      "oauthError": "login_required",
      "type": "oauth-authorization"
    },
    "riskAssessment": null
  },
  "hostname": "ourwebsite.us.auth0.com",
  "audience": "app.ourwebsite.com",
  "scope": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "auth0_client": {
    "name": "auth0-spa-js",
    "version": "1.22.1"
  },
  "log_id": "90020221027231023320309716095044678167100918345888694306",
  "_id": "90020221027231023320309716095044678167100918345888694306",
  "isMobile": false,
  "id": "90020221027231023320309716095044678167100918345888694306"
}
@pablorocha,
Thanks for the additional data.
This error occurs when the existing session cannot be refreshed. There are a few different things that could be causing it.
Can you tell us more about your implementation? What SDK are you using? Could you please provide a snippet of your code too?
@dan.woda
Using "@auth0/auth0-spa-js": "^1.22.1"
Here is some of our code that calls auth0 functions. Maybe you can see some red flags. Let me know if you need something else:
// Methods of the Auth0 client that are overridden with custom logic.
const methods = {
  // Ask the SDK whether a session exists and mirror the answer into app state.
  async isAuthenticated() {
    state.isLoggedIn = await client.isAuthenticated()
    return state.isLoggedIn
  },
  // Bypass the token cache; any failure (login_required included) logs the user out.
  async forceRefreshToken() {
    try {
      return await client.getTokenSilently({ ignoreCache: true })
    } catch (error) {
      // eslint-disable-next-line no-console
      console.log(error)
      return client.logout()
    }
  },
  // Silent auth (prompt=none) against the Auth0 session, then load the current user.
  async checkSession() {
    await client.checkSession()
    if (!state.user && (await methods.isAuthenticated())) {
      await apolloOnLogin()
      const userLoaded = defer()
      const claims = await client.getIdTokenClaims()
      const customClaims = claims['https://ourapp.com'] || {}
      const impersonateAsId = customClaims['impersonate-as-id']
      const impersonateById = customClaims['impersonate-by-id']
      apolloClient
        .subscribe(
          impersonateAsId
            ? {
                query: CurrentUserImpersonated,
                variables: { impersonate_as_id: impersonateAsId },
              }
            : {
                query: CurrentUser,
                variables: { auth_id: claims.sub },
              }
        )
        .subscribe({
          next: async ({ data: { users } } = {}) => {
            const [user] = users as User[]
            if (!user) {
              if (userLoaded.status === 'pending') {
                userLoaded.reject('User not found')
              }
              return null
            }
            debugLog('Self user refresh', user)
            if (state.user && state.user.role !== user.role) {
              // Force reload token when role changes
              await methods.forceRefreshToken()
            }
            state.user = camelCaseObject(user) as User
            state.user.isStaff = isStaff(state.user)
            state.user.impersonatedById = impersonateById
            if (userLoaded.status === 'pending') {
              userLoaded.resolve(user)
            }
          },
          error: (error) => {
            if (userLoaded.status === 'pending') {
              userLoaded.reject(error)
            } else {
              // eslint-disable-next-line no-console
              console.error('subscription:error', error)
            }
          },
        })
      try {
        await userLoaded.promise
      } catch (error) {
        // eslint-disable-next-line no-console
        console.error('Could not get self user:', error)
      }
    }
    state.loading = false
    return state.user
  },
  // Interactive login in a popup; errors are kept in state for the UI.
  async loginWithPopup(
    options?: PopupLoginOptions,
    config?: PopupConfigOptions
  ) {
    state.popupOpen = true
    try {
      await client.loginWithPopup(options, config)
      await methods.isAuthenticated()
      state.error = null
    } catch (error) {
      state.error = error
    } finally {
      state.popupOpen = false
    }
  },
  // Complete the authorization-code redirect flow after returning from Auth0.
  async handleRedirectCallback(url?: string) {
    state.loading = true
    try {
      await client.handleRedirectCallback(url)
      state.isLoggedIn = true
      state.error = null
    } catch (error) {
      state.error = error
    } finally {
      state.loading = false
    }
  },
  async logout(options: LogoutOptions | undefined) {
    await apolloOnLogout()
    client.logout(options)
  },
  getCachedSession() {
    return localStorage.getItem(SESSION_CACHE_KEY)
  },
  setSession(session: string) {
    return localStorage.setItem(SESSION_CACHE_KEY, session)
  },
}
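The `forceRefreshToken` above calls `logout()` on every `getTokenSilently` failure, including the `login_required` outcome that the "fsa" log line records. Added here as an illustration (not code from either poster): a wrapper that separates the OIDC prompt=none error codes from transient failures, assuming, as auth0-spa-js does, that the rejected error carries its code in an `error` property; the `fakeClient` helper is a constructed stand-in for the SDK client.

```javascript
// Error codes an authorization server may return to a prompt=none request
// (OpenID Connect Core 3.1.2.6); each one means "interactive login needed".
const INTERACTION_ERRORS = new Set([
  'login_required',
  'consent_required',
  'interaction_required',
  'account_selection_required',
]);

// Try to refresh the session silently. Returns a result object instead of
// throwing, so the caller decides whether to re-prompt or keep waiting.
async function refreshSessionOrPrompt(client) {
  try {
    const token = await client.getTokenSilently({ ignoreCache: true });
    return { status: 'ok', token };
  } catch (error) {
    // auth0-spa-js errors expose the OAuth error code as `error` (assumption).
    const code = error && typeof error.error === 'string' ? error.error : 'unknown';
    if (INTERACTION_ERRORS.has(code)) {
      // The Auth0 session is gone or needs user input: the local cache is
      // stale, but the user should be re-prompted, not forcibly logged out.
      return { status: 'interactive_login_required', code };
    }
    // Network errors, misconfiguration, etc.: keep current state and let
    // the caller retry or surface the problem.
    return { status: 'transient_failure', code };
  }
}

// Constructed fake client (stands in for Auth0Client) to exercise both paths
// offline: 'ok' resolves with a token, anything else rejects with that code.
function fakeClient(behaviour) {
  return {
    async getTokenSilently() {
      if (behaviour === 'ok') return 'constructed.access.token';
      const err = new Error(`silent auth failed: ${behaviour}`);
      err.error = behaviour; // mimics the SDK's error code field
      throw err;
    },
  };
}
```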
Thanks for the added context. Here are a few more questions:
- Does every user cause failed silent auth error(s)?
- When you log in with a test user are you seeing these errors?
It may be helpful to provide a HAR file of the transaction (you can send it to me in a DM).
@dan.woda thank you for the follow up!
- This does not happen with every user
- I am not able to replicate with a test user
I sent the HAR file to you, although it was not generated when the issue occurs.
Can you match the IP of the failed silent auth requests to the request of a specific user?
Hi Dan,
Sorry for the late reply. There is no way to tie the user to the IP address. It seems that the user might not even be signed up yet.
We noticed that within a certain time period the requests come from the same IP address. There are many every second. Eventually the IP address changes.
We do have Suspicious IP Throttling and Brute-force Protection enabled. Shouldn’t those block an IP that fails to login repeatedly?
Edit: oh we also updated to use the 2.0 SPA SDK a couple days ago. From 1.22.1. These failed login attempts are still using 1.22.1, so that seems fishy.
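The pattern described in this thread (bursts from one IP, all still tagged with SDK 1.22.1) can be pulled out of exported tenant logs mechanically. Added as an illustration, not code from anyone in the thread: a triage over constructed "fsa" records shaped like the log posted above, bucketing by source IP per minute and flagging records from an SDK major version below 2; the IPs, timestamps and threshold are constructed sample values.

```javascript
// Build one constructed "fsa" record with just the fields the triage reads.
function makeFsaRecord(date, ip, sdkVersion, oauthError = 'login_required') {
  return {
    date,
    type: 'fsa',
    ip,
    details: { qs: { prompt: 'none' }, error: { oauthError } },
    auth0_client: { name: 'auth0-spa-js', version: sdkVersion },
  };
}

// Constructed sample: one IP firing several times within a minute from the
// old SDK, plus one unrelated failure from a client already on 2.x.
const SAMPLE_LOGS = [
  makeFsaRecord('2022-10-27T23:10:20.221Z', '198.51.100.7', '1.22.1'),
  makeFsaRecord('2022-10-27T23:10:20.530Z', '198.51.100.7', '1.22.1'),
  makeFsaRecord('2022-10-27T23:10:21.002Z', '198.51.100.7', '1.22.1'),
  makeFsaRecord('2022-10-27T23:10:45.100Z', '203.0.113.9', '2.0.0'),
  makeFsaRecord('2022-10-27T23:11:03.400Z', '198.51.100.7', '1.22.1'),
];

// Bucket fsa records per source IP and per minute; return the buckets that
// reach `perMinuteThreshold`, with the SDK versions and error codes seen.
function triageFsa(logs, perMinuteThreshold = 3) {
  const buckets = new Map(); // key "ip|YYYY-MM-DDTHH:MM"
  for (const rec of logs) {
    if (rec.type !== 'fsa') continue; // only silent-auth failures
    const minute = rec.date.slice(0, 16);
    const key = `${rec.ip}|${minute}`;
    const b = buckets.get(key) ||
      { ip: rec.ip, minute, count: 0, versions: new Set(), errors: new Set() };
    b.count += 1;
    b.versions.add(rec.auth0_client?.version ?? 'unknown');
    b.errors.add(rec.details?.error?.oauthError ?? 'unknown');
    buckets.set(key, b);
  }
  return [...buckets.values()]
    .filter((b) => b.count >= perMinuteThreshold)
    .map((b) => ({ ...b, versions: [...b.versions].sort(), errors: [...b.errors].sort() }));
}

// Records still sent by an SDK major version below `minMajor`; the thread
// notes failures tagged 1.22.1 after the app had moved to the 2.0 SDK.
function staleSdkRecords(logs, minMajor = 2) {
  return logs.filter((rec) => {
    const v = rec.auth0_client?.version ?? '0';
    return Number.parseInt(v.split('.')[0], 10) < minMajor;
  });
}
```

Run against a real export, the per-minute buckets give the IPs to compare with the Suspicious IP Throttling thresholds, and the stale-SDK list separates traffic from old cached bundles from traffic on the current release.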