Failed Silent Auth: login required

Hi dear community:

When I use the auth0/auth0-spa-js library for the browser sign-up and login flow, I found the following:

Right after user signup, it redirects to my home page and correctly asks the user to log in without going to the username/pwd screen. On a few browsers, the login fails, and if the user clicks login again, it does not show the username/pwd entry screen at all; instead it just silently attempts to log in again, which keeps failing. Basically, new users are not able to log in on a few browsers.

It works well on the following browsers as far as I can see: 1. Chrome (Mac) 2. Firefox (Mac)

It doesn't work on: 1. Safari (Mac) 2. Chrome (iPhone) 3. Safari (iPhone)

I noticed from a few posts that there are a few workarounds:

  1. Disable the browser's "prevent cross-site tracking" setting (for Mac Safari) -> it worked for me, but only solved the issue on one platform.
  2. Set rotate token = true, and use the following code to create the auth0client:
    createAuth0Client({
      domain: 'xxx',
      client_id: 'xxx',
      audience: 'xxx',
      redirect_uri: 'xxx',
      useRefreshTokens: true
    })

According to this: https://auth0.com/docs/libraries/auth0-single-page-app-sdk
-> However, it didn't work for me either. Please see the error listed above from the mobile Chrome workflow.

Question:

  1. Is there a way to force the login screen to show again, so that login does not rely on cookie session info?
  2. Is there any configuration issue which caused the error even when I set rotate token = true?

Appreciate your help.
XJ

    {
      "date": "2021-01-25T15:04:14.757Z",
      "type": "fsa",
      "description": "Login required",
      "client_id": "",
      "client_name": "",
      "ip": "217.169.19.14",
      "user_agent": "Chrome Mobile iOS 87.0.4280 / iOS 14.3.0",
      "details": {
        "body": {},
        "qs": {
          "client_id": "",
          "audience": "",
          "redirect_uri": "",
          "scope": "openid profile email offline_access",
          "response_type": "code",
          "response_mode": "web_message",
          "state": "xxx",
          "nonce": "xxx",
          "code_challenge": "xxx",
          "code_challenge_method": "S256",
          "prompt": "none",
          "auth0Client": "xxx"
        },
        "connection": null,
        "error": {
          "message": "Login required",
          "oauthError": "login_required",
          "type": "oauth-authorization"
        },
        "riskAssessment": null
      },
      "hostname": "",
      "audience": "",
      "scope": [
        "openid",
        "profile",
        "email",
        "offline_access"
      ],
      "auth0_client": {
        "name": "auth0-spa-js",
        "version": "1.12.0"
      },
      "log_id": "90020210125150420610005775599721818011453075753948676130",
      "_id": "90020210125150420610005775599721818011453075753948676130",
      "isMobile": true
    }
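
The failed silent auth ("fsa") events posted in this thread can be triaged mechanically. The following is an added example, not code from the thread or from Auth0: field names follow the logs shown here, while the sample event, the function names and the user_agent heuristic are constructed assumptions.

```javascript
// Added example: triage an Auth0 tenant log event of type "fsa".
// Field names follow the logs in this thread; the event below is constructed.
const sampleEvent = {
  type: "fsa",
  user_agent: "Chrome Mobile iOS 87.0.4280 / iOS 14.3.0",
  details: {
    qs: {
      scope: "openid profile email offline_access",
      response_mode: "web_message",
      prompt: "none",
    },
    error: { oauthError: "login_required" },
  },
  auth0_client: { name: "auth0-spa-js", version: "1.12.0" },
};
// Compare dotted versions numerically: negative if a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function triageSilentAuthFailure(event) {
  const qs = (event.details && event.details.qs) || {};
  const err = (event.details && event.details.error) || {};
  const scopes = (qs.scope || "").split(/\s+/).filter(Boolean);
  const sdk = event.auth0_client || {};
  const findings = {
    // Failed silent auth that ended in login_required.
    loginRequired: event.type === "fsa" && err.oauthError === "login_required",
    // prompt=none + web_message: hidden-iframe /authorize call, which needs
    // the browser to send the Auth0 session cookie from inside the iframe.
    iframeFlow: qs.prompt === "none" && qs.response_mode === "web_message",
    // offline_access in the scope: the SPA asked for refresh tokens.
    refreshTokensRequested: scopes.includes("offline_access"),
    // Heuristic (assumption) on the parsed user_agent format seen in the logs.
    cookieRestrictedBrowser: /\/ iOS |^(Mobile )?Safari /.test(event.user_agent || ""),
    // 1.13.6 is the version the thread reported working after the upgrade.
    sdkOlderThanThreadFix:
      typeof sdk.version === "string" && compareVersions(sdk.version, "1.13.6") < 0,
  };
  // Refresh tokens were requested, yet the iframe path was still taken.
  findings.fellBackToIframe = findings.iframeFlow && findings.refreshTokensRequested;
  return findings;
}
```

When `fellBackToIframe` is true, the request asked for refresh tokens but still went through the cookie-dependent `prompt=none` call, which is the combination both logs in this thread show.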

Hi @RJJ,

Can you try using localstorage as your cache location?

cacheLocation: 'localstorage'

Hi @dan.woda, thank you very much for the speedy reply.

I tried the setting mentioned in the post. However, it still seems to hit the issue in both Mac Safari and iOS Chrome.

Here is the code:

    // Values were redacted in the original post; the strings are placeholders.
    this.webClient$ = from(
      createAuth0Client({
        domain: '<domain>',
        client_id: '<client_id>',
        audience: '<audience>',
        redirect_uri: '<redirect_uri>',
        cacheLocation: 'localstorage'
      })
    );

It seems the cacheLocation setting is not effective for some reason. Is there a way to confirm this setting is applied?

Thank you again.

Can you try both?

useRefreshTokens: true
cacheLocation: 'localstorage'

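Hi @dan.woda, I tried both settings:

    // Values were redacted in the original post; the strings are placeholders.
    createAuth0Client({
      domain: '<domain>',
      client_id: '<client_id>',
      audience: '<audience>',
      redirect_uri: '<redirect_uri>',
      useRefreshTokens: true,
      cacheLocation: 'localstorage'
    })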

But still hit the same problems as before.

Here are the events for the signup -> signin flow which I got from the logs:
Success Signup -> Success Login -> Failed Silent Auth

You can see initially we get a successful login, but later on silent auth failed.
And by the way, once I disabled Mac Safari's "prevent cross-site tracking", I managed to log in. So it still seems to me the localstorage setting is not applied; the Auth0 server is still relying on a cookie which is blocked by the browser.

Is it possible to help me investigate further?

Regards
XJ

@dan.woda

Update: it works fine now after I upgraded @auth0/auth0-spa-js from version 1.12.0 to the latest, 1.13.6. Tested the workflow in Mac Safari and mobile Chrome with success.

Can I understand the consequence of setting cacheLocation: 'localstorage'? And is it a recommended way?

Regards
XJ

Hi @RJJ,

Great, I will mark this as resolved. The issue was an outdated SDK.

As for the consequences of using localstorage as the cache, I will repeat this warning from our docs:

Storing tokens in browser local storage provides persistence across page refreshes and browser tabs. However, if an attacker can achieve running JavaScript in the SPA using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage. A vulnerability leading to a successful XSS attack can be either in the SPA source code or in any third-party JavaScript code (such as bootstrap, jQuery, or Google Analytics) included in the SPA.

You can try just using refresh token rotation without the localstorage cache and see if that solves your problem.

Hi @dan.woda

Very strangely, the working settings and library stopped working again today on Mac Safari and iOS Chrome.

The setting I used:

    "@auth0/auth0-spa-js": "^1.13.6"

API:

    createAuth0Client({
      useRefreshTokens: true,
      cacheLocation: 'localstorage'
    })

Very puzzled why it stopped working. Is there a way to investigate further?

Can you give more detail? Errors? logs?

Sure. It is basically the same error as before.

    {
      "date": "2021-02-01T15:22:45.332Z",
      "type": "fsa",
      "description": "Login required",
      "client_id": "",
      "client_name": "",
      "ip": "",
      "user_agent": "Chrome Mobile iOS 87.0.4280 / iOS 14.3.0",
      "details": {
        "body": {},
        "qs": {
          "client_id": "",
          "audience": "",
          "redirect_uri": "",
          "scope": "openid profile email offline_access",
          "response_type": "code",
          "response_mode": "web_message",
          "state": "",
          "nonce": "S,
          "code_challenge": "",
          "code_challenge_method": "S256",
          "prompt": "none",
          "auth0Client": ""
        },
        "connection": null,
        "error": {
          "message": "Login required",
          "oauthError": "login_required",
          "type": "oauth-authorization"
        },
        "riskAssessment": null
      },
      "hostname": "",
      "audience": "",
      "scope": [
        "openid",
        "profile",
        "email",
        "offline_access"
      ],

It seems to me the same error as before, but suddenly the fix was broken again.

Appreciate your guidance. Thank you!

Did anything change that would break it? Also, can you DM me a HAR?

This broke for me on Firefox 85.0 + MacOS 10.15 too – it’s working on Chrome + MacOS 10.15 though. The error manifests as the user not remaining logged in, and needing to re-auth in each new session/tab.

Hello! thanks for commenting on this.

However, even if I force a login attempt again by calling loginRedirect(), it still keeps coming back with the same error. loginWithPopup() works better, although the popup window is not ideal.

Have you managed to re-auth correctly?

Thanks!
