Failed Silent Auth - Login required, when login page left open for a long time

Hi,

I use auth0-lock 11.20.2 for my React SPA. I display Lock in a container and have only enabled login with Facebook. Regular login is fine, whether it’s silent auth when I’ve already logged in with Facebook or a first-time login when there is no session available. From time to time, I get a Failed Silent Auth error. This happens only if I’ve left the form open for a long time. I redirect the user to the login form when I find the JWT has expired. When I’m redirected to login after the JWT has expired, most of the time I’m able to log in by clicking the enabled Facebook button. But on rare occasions, I’ve experienced the Failed Silent Auth error. The log is something like this:

{
  "date": "2020-02-28T23:01:47.973Z",
  "type": "fsa",
  "description": "Login required",
  "client_id": "foo",
  "client_name": "chess-tour-ui",
  "ip": "64.251.85.134",
  "user_agent": "Chrome 80.0.3987 / Windows 10.0.0",
  "details": {
    "body": {},
    "qs": {
      "client_id": "foo",
      "response_type": "token id_token",
      "redirect_uri": "http://localhost:4000/callback",
      "scope": "openid profile email",
      "audience": "https://api-staging.chesstour.ca",
      "connection": "facebook",
      "state": "yQyO.q7f4wxnMIiL454BXtGUT8ic9TCX",
      "nonce": "G6LAGU3IFMm7LcgGIcmkmkcjfgBTbK9J",
      "response_mode": "web_message",
      "prompt": "none",
      "auth0Client": "eyJuYW1lIjoibG9jay5qcyIsInZlcnNpb24iOiIxMS4yMC4yIiwiZW52Ijp7ImF1dGgwLmpzIjoiOS4xMi4yIn19"
    },
    "connection": null,
    "error": {
      "message": "Login required",
      "oauthError": "login_required",
      "type": "oauth-authorization"
    }
  },
  "hostname": "chess-tour-dev.auth0.com",
  "audience": "https://api-staging.chesstour.ca",
  "scope": [
    "openid",
    "profile",
    "email"
  ],
  "auth0_client": {
    "name": "lock.js",
    "version": "11.20.2",
    "env": {
      "auth0.js": "9.12.2"
    }
  },
  "log_id": "90020200228230149518000964059419034716564949017093472386",
  "_id": "90020200228230149518000964059419034716564949017093472386",
  "isMobile": false
}

And the summary looks like this:

When this happens, each time I click the Facebook login button I get a similar error. I checked the console but there are no relevant logs. All logs (like the same-site one) are the same as when login is successful. The issue is gone once I refresh (F5) the page. Does anyone have any ideas?

After posting this, I made an attempt to reproduce this issue. It’s based on a guess that I’ve had for a long time but had never tried, so today I tested it and it proved to be relevant. This is how I was able to reproduce it:

  1. Set a very short JWT expiry time in the custom API settings like this:
  2. Log in
  3. Wait for 10 seconds and click a protected resource so I’m redirected to the login page, where Lock is displayed
  4. Find all Auth0 cookies in Chrome, in particular the ones related to my SPA
  5. Delete the 4 cookies by clicking the delete button.
  6. Go back to the login page and click login with Facebook:
  7. Check the log: yes, I got exactly the same error as I described above

Now that I know it has something to do with the cookie, could any insiders point me in the right direction as to how to handle this error? Thank you in advance!
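
The symptom described in the post (the same `fsa` / `login_required` event on every click until the page is refreshed) can be told apart from a one-off failed silent auth in the tenant logs. This is an added example, not part of the original post and not Auth0 code: the events are constructed, and the `evt` helper, the 5-minute window and the threshold of 3 are assumptions.

```javascript
// Constructed sample events, shaped like the log entry in the post (only the fields used here).
function evt(date, type, ip, prompt, oauthError) {
  return {
    date, type, client_id: "foo", ip,
    details: {
      qs: { prompt, connection: "facebook", response_mode: "web_message" },
      error: oauthError ? { oauthError, type: "oauth-authorization" } : null,
    },
  };
}
const SAMPLE_EVENTS = [
  evt("2020-02-28T22:40:00.000Z", "fsa", "198.51.100.7", "none", "login_required"), // one-off
  evt("2020-02-28T22:40:05.000Z", "s", "198.51.100.7"), // "s" = successful login
  evt("2020-02-28T23:01:47.973Z", "fsa", "192.0.2.10", "none", "login_required"),
  evt("2020-02-28T23:02:05.000Z", "fsa", "192.0.2.10", "none", "login_required"),
  evt("2020-02-28T23:02:31.000Z", "fsa", "192.0.2.10", "none", "login_required"),
  evt("2020-02-28T23:03:02.000Z", "fsa", "192.0.2.10", "none", "login_required"),
  evt("2020-02-28T23:10:00.000Z", "s", "192.0.2.10"), // login works again after refresh
];

// True for a silent-auth attempt (prompt=none) rejected with login_required.
function isSilentLoginRequired(e) {
  const qs = (e.details && e.details.qs) || {};
  const err = (e.details && e.details.error) || {};
  return e.type === "fsa" && qs.prompt === "none" && err.oauthError === "login_required";
}

// Report client_id + ip pairs with at least minCount consecutive failures inside
// windowMs; any other event for the same pair (e.g. a successful login) ends the run.
function findStuckSilentAuth(events, { windowMs = 5 * 60 * 1000, minCount = 3 } = {}) {
  const sorted = [...events].sort((a, b) => Date.parse(a.date) - Date.parse(b.date));
  const runs = new Map();     // key -> timestamps of the current run of failures
  const findings = new Map(); // key -> reported run
  for (const e of sorted) {
    const key = `${e.client_id}|${e.ip}`;
    if (!isSilentLoginRequired(e)) { runs.delete(key); continue; }
    const t = Date.parse(e.date);
    const run = (runs.get(key) || []).filter((ts) => t - ts <= windowMs);
    run.push(t);
    runs.set(key, run);
    if (run.length >= minCount) {
      findings.set(key, { client_id: e.client_id, ip: e.ip,
        first: new Date(run[0]).toISOString(), count: run.length });
    }
  }
  return [...findings.values()];
}
```

On the sample data only the `192.0.2.10` run is reported; the single failure from `198.51.100.7` followed by a successful login is not.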