Failed Silent Auth: login required

RJJ · January 25, 2021, 3:24pm

Hi dear community:

When I use auth0/auth0-spa-js library for browser sign up and login flow. I found the following:

Right after user signup, it is redirecting to my home page and correctly asking user to login without going to the username/pwd screen. On a few browsers, the login failed and if user click login again, it does not show username/pwd entering screen at all, instead it just silently attempts to login in again which keeps failing. Basically, the new users are not able to login on a few browsers.

It works well on the following browsers as far as i see: 1. chrome (Mac) 2. firefox (Mac)

It doesn’t work on 1. Safari (Mac) 2. Chrome (Iphone) 3. Safari(Iphone)

I noticed from a few posts that there are few work-around:

disable browser prevent cross-site tracking (for Mac Safari) → it worked for me, but only solved one platform issue.
set rotate token = true, and use the following code to create auth0client:
createAuth0Client({
domain: xxx
client_id: xxx
audience: xxx
redirect_uri: xxx
useRefreshTokens: true
})

according to this: Auth0 Single Page App SDK
→ however it didn’t work for me either. Please see the error listed above from mobile chrome workflow.

Question:

is there a way to force show login screen again so that login is not relying on cookie session info.
is there any configuration issue which caused the error even when I set rotate token=true?

Appreciate your help.
XJ

{
“date”: “2021-01-25T15:04:14.757Z”,
“type”: “fsa”,
“description”: “Login required”,
“client_id”: “”,
“client_name”: “”,
“ip”: “217.169.19.14”,
“user_agent”: “Chrome Mobile iOS 87.0.4280 / iOS 14.3.0”,
“details”: {
“body”: {},
“qs”: {
“client_id”: “”,
“audience”: “”,
“redirect_uri”: “”,
“scope”: “openid profile email offline_access”,
“response_type”: “code”,
“response_mode”: “web_message”,
“state”: “xxx”,
“nonce”: “xxx”,
“code_challenge”: “xxx”,
“code_challenge_method”: “S256”,
“prompt”: “none”,
“auth0Client”: “xxx”
},
“connection”: null,
“error”: {
“message”: “Login required”,
“oauthError”: “login_required”,
“type”: “oauth-authorization”
},
“riskAssessment”: null
},
“hostname”: “”,
“audience”: “”,
“scope”: [
“openid”,
“profile”,
“email”,
“offline_access”
],
“auth0_client”: {
“name”: “auth0-spa-js”,
“version”: “1.12.0”
},
“log_id”: “90020210125150420610005775599721818011453075753948676130”,
“_id”: “90020210125150420610005775599721818011453075753948676130”,
“isMobile”: true
}

dan.woda · January 25, 2021, 8:36pm

Hi @RJJ,

Can you try using localstorage as your cache location?

cacheLocation: 'localstorage'

RJJ · January 25, 2021, 9:43pm

Hi @dan.woda , thank you very much for the speedy reply.

I tried the setting metioned in the post. However, still seems to hit the issue in both Mac Safari and IOS Chrome.

Here is the code:
this.webClient$ = (from(
createAuth0Client({
domain: ,
client_id: ,
audience: ,
redirect_uri: `,
cacheLocation: ‘localstorage’
})

It seems the cacheLocation setting is not effective for some reason. Is there a way to confirm this setting is applied?

Thank you again.

dan.woda · January 25, 2021, 10:04pm

Can you try both?

useRefreshTokens: true
cacheLocation: ‘localstorage’

RJJ · January 26, 2021, 1:30pm

hi @dan.woda , I tried both settings:
createAuth0Client({
domain:
client_id: ,
audience: ,
redirect_uri:
useRefreshTokens: true,
cacheLocation: ‘localstorage’

But still hit the same problems as before.

Here are the events for signup-> signin flow which I got from logs:
Success Signup → Success Login → Failed Silent Auth

You can see initially we get successful login, but later on silent auth failed.
And by the way, once I disable Mac Safari prevent cross-site tracking, I managed to login. So it still seems to me the localstorage setting is not applied, auth0 server is still relying on cookie which is blocked by browser.

Is it possible to help me investigate further?

Regards
XJ

RJJ · January 26, 2021, 1:51pm

@dan.woda

update: it works fine now after I upgrade @auth0/auth0-spa-js from 1.12.0 version to the latest. 1.13.6. Tested the work flow in Mac Safari and Mobile chrome browser with success.

Can I understand the consequence of setting cacheLocation: ‘localstorage’? And is it a recommended way ?

Regards
XJ

dan.woda · January 26, 2021, 9:22pm

Hi @RJJ,

Great, I will mark this as resolved. The issue was an outdated SDK.

As for the consequences of using localstorage as the cache, I will repeat this warning from out docs:

Storing tokens in browser local storage provides persistence across page refreshes and browser tabs. However, if an attacker can achieve running JavaScript in the SPA using a cross-site scripting (XSS) attack, they can retrieve the tokens stored in local storage. A vulnerability leading to a successful XSS attack can be either in the SPA source code or in any third-party JavaScript code (such as bootstrap, jQuery, or Google Analytics) included in the SPA.

https://auth0.com/docs/libraries/auth0-single-page-app-sdk#change-storage-options

You can try just using refresh token rotation without the localstorage cache and see if that solves you problem.

RJJ · February 1, 2021, 1:57pm

Hi @dan.woda

Very strangely, the working settings and library stopped working today again on Mac Safari and IOS Chrome.

The setting I used:
“@auth0/auth0-spa-js”: “^1.13.6”

API createAuth0Client(
useRefreshTokens: true,
cacheLocation: ‘localstorage’
)

Very puzzled why it stopped working. Is there a way to investigate further?

dan.woda · February 1, 2021, 8:31pm

Can you give more detail? Errors? logs?

RJJ · February 1, 2021, 9:16pm

Sure. It is basically the same error as before.

{
“date”: “2021-02-01T15:22:45.332Z”,
“type”: “fsa”,
“description”: “Login required”,
“client_id”: “”,
“client_name”: “”,
“ip”: “”,
“user_agent”: “Chrome Mobile iOS 87.0.4280 / iOS 14.3.0”,
“details”: {
“body”: {},
“qs”: {
“client_id”: “”,
“audience”: “”,
“redirect_uri”: “”,
“scope”: “openid profile email offline_access”,
“response_type”: “code”,
“response_mode”: “web_message”,
“state”: “”,
“nonce”: "S,
“code_challenge”: “”,
“code_challenge_method”: “S256”,
“prompt”: “none”,
“auth0Client”: “”
},
“connection”: null,
“error”: {
“message”: “Login required”,
“oauthError”: “login_required”,
“type”: “oauth-authorization”
},
“riskAssessment”: null
},
“hostname”: “”,
“audience”: “”,
“scope”: [
“openid”,
“profile”,
“email”,
“offline_access”
],

It seems to me the same error as before, but suddenly the fix was broken again.

Appreciate your guidance. thank you!

dan.woda · February 2, 2021, 5:41pm

Did anything change that would break it? Also, can you DM me a HAR?

viraj · February 8, 2021, 10:00pm

This broke for me on Firefox 85.0 + MacOS 10.15 too – it’s working on Chrome + MacOS 10.15 though. The error manifests as the user not remaining logged in, and needing to re-auth in each new session/tab.

RJJ · February 9, 2021, 1:40pm

Hello! thanks for commenting on this.

However, even I force to try login again by calling loginRedirect(), it still keep coming back with the same error. loginWithPopup() works better although the popup window is not ideal.

Have you managed to re-auth correctly?

thanks!

system · February 24, 2021, 1:40pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot Complete Silent Auth on Mobile Device: `login_required` Help jwt , access_token , mobile , silent-auth , auth0-spa-js	3	4247	May 21, 2021
Failed Silent Auth in Chrome Help login	24	4066	February 2, 2023
Failed Silent auth (Chrome v80) Help	11	6904	May 6, 2020
Silent Authorization not working after login/signup Help auth0	7	11708	January 7, 2021
Failed Silent Auth - Login required Help	40	40132	January 3, 2020

Failed Silent Auth: login required

Related Topics